Re: [PATCH testsuite] tests/sysctl: use vm.swappiness instead of kernel.modprobe

On Wed, Jan 13, 2021 at 1:26 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> /proc/sys/kernel/modprobe is labeled as usermode_helper_t on Fedora and
> all domains are allowed to read that type now [1] so that crash handling
> can proceed without denials.
>
> While the underlying issue might be a kernel bug (I suspect these files
> should be read under kernel credentials, not the crashing process),
> let's use a different sysctl for testing for now.
>
> Since vm.swappiness will be more strict about what values can be set,
> rework the test a bit so that it works correctly regardless of the
> original value and restores the original setting at the end.
>
> [1] https://github.com/fedora-selinux/selinux-policy/pull/528
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>  tests/sysctl/test | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)

Now applied:
https://github.com/SELinuxProject/selinux-testsuite/commit/24bb5c0090710767ff187f1682e5bf355166caa3

>
> diff --git a/tests/sysctl/test b/tests/sysctl/test
> index a726e96..d6f8c0f 100755
> --- a/tests/sysctl/test
> +++ b/tests/sysctl/test
> @@ -3,21 +3,30 @@
>  use Test;
>  BEGIN { plan tests => 4 }
>
> -$sysctl = "kernel.modprobe";
> +$sysctl = "vm.swappiness";
> +$val1   = "20";
> +$val2   = "21";
> +$val3   = "22";
>  $oldval = `/sbin/sysctl -n $sysctl`;
>
> +# set to a known value
> +system "/sbin/sysctl -w $sysctl=$val1";
> +
>  $result = system "runcon -t test_sysctl_t -- /sbin/sysctl -n $sysctl 2>&1";
>  ok( $result, 0 );
>
>  $result =
> -  system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$oldval 2>&1";
> +  system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$val2 2>&1";
>  ok( $result, 0 );
>
>  $result = system "runcon -t test_nosysctl_t -- /sbin/sysctl -n $sysctl 2>&1";
>  ok($result);
>
>  $result =
> -  system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=foobar 2>&1";
> +  system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=$val3 2>&1";
>  ok($result);
>
> +# restore original value
> +system "/sbin/sysctl -w $sysctl=$oldval";
> +
>  exit;
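Review bot: the two added unconfined `system` calls, the one that sets `$sysctl=$val1` before the checks and the one that restores `$oldval` just before `exit`, discard their exit status. If the initial write fails, the later checks run against whatever value was already there, and if the restore fails the host is left with a changed vm.swappiness and nothing in the test output shows it. Consider checking both results and at least printing a warning on failure, and adding `chomp($oldval);` after the backtick read so the restored value does not carry the trailing newline. The denied-write check with `$val3` could also read the value back afterwards and confirm it is still `$val2`, since `ok($result)` only shows that the command returned non-zero, not that the write was refused.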
> --
> 2.29.2
>


-- 
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.



