Re: selinux-testsuite failures with selinux-policy-3.14.8-1

On Mon, Feb 15, 2021 at 10:19 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> Hello all,
>
> While tracking down a test failure before sending the SELinux PR to
> Linus for v5.12 I noticed that the latest Fedora Rawhide policy update
> breaks the selinux-testsuite, specifically the lockdown test.  While I
> haven't tracked it all the way down to the root cause, I suspect the
> additional lockdown permissions added to the policy may be the
> problem.  Changelog snippet below:
>
> * Thu Feb 11 2021 Zdenek Pytela <zpytela@xxxxxxxxxx> - 3.14.8-1
> - Bump version as Fedora 34 has been branched off rawhide
> - Allow xdm watch its private lib dirs, /etc, /usr
> - Allow systemd-importd create /run/systemd/machines.lock file
> - Allow rhsmcertd_t read kpatch lib files

> - Add integrity lockdown permission into dev_read_raw_memory()
> - Add confidentiality lockdown permission into fs_rw_tracefs_files()

Yes, it's because of these two ^^

In both cases the corresponding lockdown permission is logically
needed to do the given operation, so we added it there. The testsuite
kind of naively expects that the interfaces won't grant these
permissions and thus the test is failing now :)

I think we'll have to open-code the rules in test_lockdown.te or use
some broader interfaces that aren't directly related to /dev/mem or
tracefs, but allow access to them (minus the lockdown permissions).

I have it on my mind to try and fix it, but it'll probably be a while
before I get to it...

> - Allow gpsd read and write ptp4l_t shared memory.
> - Allow colord watch its private lib files and /usr
> - Allow init watch_reads mount PID files
> - Allow IPsec and Certmonger to use opencryptoki services
>
> FWIW, reverting to selinux-policy-3.14.7-18 resolves the problem.
>
> --
> paul moore
> www.paul-moore.com

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
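As an added illustration, not from the thread or the selinux-testsuite tree, this is what "open-coding the rules" in test_lockdown.te could look like: the file-access rules the two interfaces grant, written out directly so that the test domain keeps its /dev/mem and tracefs access without the lockdown permissions the updated interfaces now add. It assumes the refpolicy type and macro names (device_t, memory_device_t, tracefs_t, read_chr_files_pattern, rw_files_pattern), that the expansions below match the installed interfaces (verify against the policy sources), and a hypothetical domain test_lockdown_t declared elsewhere in the module.

```selinux
# Added example, not the testsuite's own policy. test_lockdown_t is a
# hypothetical domain assumed to be declared elsewhere in this module.

gen_require(`
	type device_t, memory_device_t, tracefs_t;
')

# Replaces dev_read_raw_memory(test_lockdown_t): same access to the raw
# memory character devices under /dev, but deliberately without the
# "allow test_lockdown_t self:lockdown integrity;" the interface now grants.
read_chr_files_pattern(test_lockdown_t, device_t, memory_device_t)
allow test_lockdown_t self:capability sys_rawio;

# Replaces fs_rw_tracefs_files(test_lockdown_t): same read/write access to
# tracefs files, but without "allow test_lockdown_t self:lockdown
# confidentiality;".
rw_files_pattern(test_lockdown_t, tracefs_t, tracefs_t)

# No allow or dontaudit on the lockdown class for this domain: when the
# kernel enforces lockdown, the test observes the expected AVC denial.
```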
