
I have cloned the selinux-testsuite regression tests from: https://github.com/SELinuxProject/selinux-testsuite

I am running the tests in a CentOS Linux release 7.6.1810 (Core) VM, which I don't believe to be relevant.

SELinux is enforcing using the targeted policy before I install the temporary test policies using:

make -C policy load

sestatus says

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

I believe I have followed the instructions for running the testsuite accurately. However, when I run it I see a single failure:

[snipped OK messages]

bounds/test ................. ok     
nnp_nosuid/test ............. ok     
mmap/test ................... 1/47 # Failed test 27 in mmap/test at line 143
#  mmap/test line 143 is:     ok($result);
mmap/test ................... Failed 1/47 subtests 
unix_socket/test ............ ok   
inet_socket/test ............ ok     

[more snipped OK messages]

Test Summary Report
-------------------
mmap/test                 (Wstat: 0 Tests: 47 Failed: 1)
  Failed test:  27
Files=51, Tests=520, 35 wallclock secs ( 0.11 usr  0.04 sys +  0.77 cusr  0.94 csys =  1.86 CPU)
Result: FAIL
Failed 1/51 test programs. 1/520 subtests failed.

I isolated the problematic test from the mmap test group to:

#!/bin/bash

basedir=$(pwd)/tests/mmap

if [ ! -d "$basedir" ]; then
    printf "Error: missing basedir: %s\n" "$basedir"
    exit 1
fi

# Clean up from prior runs.
rm -f "$basedir/temp_file"

# Create temporary file (silence dd's statistics, which go to stderr).
dd if=/dev/zero of="$basedir/temp_file" count=8 > /dev/null 2>&1
printf "\ncreate: OK\n"
# Label it with the file type defined by the test policy.
chcon -t test_mmap_file_t "$basedir/temp_file"
printf "\nchcon: OK\n"

if [ ! -f "$basedir/mmap_file_shared" ]; then
    printf "Error - missing executable: %s\n" "$basedir/mmap_file_shared"
    exit 1
fi

if [ ! -f "$basedir/temp_file" ]; then
    printf "Error - missing temp file: %s\n" "$basedir/temp_file"
    exit 1
fi

# Run the test binary in the domain that the test policy does not allow to map the file.
/bin/runcon -t test_no_map_t -- "$basedir/mmap_file_shared" "$basedir/temp_file"

This generates the following AVC message in /var/log/audit/audit.log:

type=AVC msg=audit(1556563573.950:2466): avc:  denied  { search } for  pid=16708 comm="mmap_file_share" name="vagrant" dev="dm-0" ino=81922 scontext=unconfined_u:unconfined_r:test_no_map_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0

I'm not entirely sure whether this AVC is intended (as a negative test case) by the testsuite, but I would like to understand this failure.

nolandda

1 Answer


Just to close the loop on this: the answer was provided by Ondrej Mosnacek on the SELinux mailing list:

Quoth Ondrej:

RHEL and CentOS 7.6 have the domain_can_mmap_files SELinux boolean set to "on" by default [1], which basically means that map permissions are not checked, which logically leads to the failure of the test that checks that map permission is denied when it was not allowed by the test policy. When running the testsuite on CentOS/RHEL 7.6, you need to turn off the domain_can_mmap_files boolean during test execution.

To solve it I did:

# Save the current value of the boolean ("on" or "off")
export OLD_MMAP_BOOL=$(getsebool domain_can_mmap_files | awk '{ print $3 }')
# Disable it for this run (without -P the change is not persisted across reboots)
sudo setsebool domain_can_mmap_files off
# Run the test suite
make -C tests test
# Restore the previous state
sudo setsebool domain_can_mmap_files "$OLD_MMAP_BOOL"
nolandda
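As an added example (not part of the question, the answer, or the testsuite): a small parser for AVC records like the one in the question that separates the denial the mmap test is looking for (the test_no_map_t domain being refused `map` on a test_mmap_file_t file) from unrelated denials such as the `search` denial on the home directory. With domain_can_mmap_files on, no `map` denial appears at all, because map is not checked; with it off, the run should show exactly that denial. The first sample record is the one from the question; the second is constructed for this example, and the type names are taken from the question's AVC.

```python
import re

# Constructed sample input: the first record is the denial pasted in the
# question; the second is a constructed record of the kind the mmap test
# expects once domain_can_mmap_files has been turned off.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1556563573.950:2466): avc:  denied  { search } for  pid=16708 comm="mmap_file_share" name="vagrant" dev="dm-0" ino=81922 scontext=unconfined_u:unconfined_r:test_no_map_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1556563600.100:2470): avc:  denied  { map } for  pid=16720 comm="mmap_file_share" path="/tmp/mmap/temp_file" dev="dm-0" ino=81930 scontext=unconfined_u:unconfined_r:test_no_map_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_mmap_file_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit.log line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": set(m.group("perms").split())}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    for ctx in ("scontext", "tcontext"):
        # user:role:type[:mls range]; the type is what the test policy rules are written against
        rec[ctx + "_type"] = rec.get(ctx, "::").split(":")[2]
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def is_expected_map_denial(rec, domain="test_no_map_t", file_type="test_mmap_file_t"):
    """True for the denial the mmap test looks for: the no-map domain refused
    'map' on the test file. Any other denial points at a different problem."""
    return (rec["decision"] == "denied" and "map" in rec["perms"]
            and rec.get("tclass") == "file"
            and rec["scontext_type"] == domain
            and rec["tcontext_type"] == file_type)


def triage(audit_text):
    """Split the AVC records in audit_text into (expected, unrelated) lists."""
    expected, unrelated = [], []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            (expected if is_expected_map_denial(rec) else unrelated).append(rec)
    return expected, unrelated


if __name__ == "__main__":
    expected, unrelated = triage(SAMPLE_AUDIT)
    for rec in unrelated:
        print("unrelated denial:", sorted(rec["perms"]), rec.get("tclass"), rec["tcontext_type"])
    print("expected map denials seen:", len(expected))
```

Feed it the AVC lines from /var/log/audit/audit.log for the test window; an empty "expected" list alongside a failing mmap/test is consistent with the boolean still being on.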