/proc/sys/kernel/modprobe is labeled as usermode_helper_t on Fedora and all domains are allowed to read that type now [1] so that crash handling can proceed without denials. While the underlying issue might be a kernel bug (I suspect these files should be read under kernel credentials, not the crashing process), let's use a different sysctl for testing for now. Since vm.swappiness will be more strict about what values can be set, rework the test a bit so that it works correctly regardless of the original value and restores the original setting at the end. [1] https://github.com/fedora-selinux/selinux-policy/pull/528 Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> --- tests/sysctl/test | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/tests/sysctl/test b/tests/sysctl/test index a726e96..d6f8c0f 100755 --- a/tests/sysctl/test +++ b/tests/sysctl/test @@ -3,21 +3,30 @@ use Test; BEGIN { plan tests => 4 } -$sysctl = "kernel.modprobe"; +$sysctl = "vm.swappiness"; +$val1 = "20"; +$val2 = "21"; +$val3 = "22"; $oldval = `/sbin/sysctl -n $sysctl`; +# set to a known value +system "/sbin/sysctl -w $sysctl=$val1"; + $result = system "runcon -t test_sysctl_t -- /sbin/sysctl -n $sysctl 2>&1"; ok( $result, 0 ); $result = - system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$oldval 2>&1"; + system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$val2 2>&1"; ok( $result, 0 ); $result = system "runcon -t test_nosysctl_t -- /sbin/sysctl -n $sysctl 2>&1"; ok($result); $result = - system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=foobar 2>&1"; + system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=$val3 2>&1"; ok($result); +# restore original value +system "/sbin/sysctl -w $sysctl=$oldval"; + exit; -- 2.29.2
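Review bot: The setup write under "# set to a known value" and the restore under "# restore original value" both discard the return status of system, so a failed setup lets the four checks run against an unknown starting value, and a failed restore leaves vm.swappiness changed with no signal. Consider checking both results, for example by dying on a non-zero status before the first ok(). Separately, $oldval is read with backticks and still carries the trailing newline from sysctl -n; a chomp($oldval) right after the read would keep the restore command clean. The final test_nosysctl_t write only asserts a non-zero exit; reading the value back afterwards and comparing it with $val2 would confirm that the denied write had no effect, at the cost of raising the count in plan tests => 4.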