diff mbox series

[RFC,1/1] selinux-testsuite: Reduce sctp test runtime

Message ID 20201104164913.11536-2-richard_c_haines@btinternet.com (mailing list archive)
State Under Review
Delegated to: Ondrej Mosnáček
Headers show
Series selinux-testsuite: Reduce sctp test runtime | expand

Commit Message

Richard Haines Nov. 4, 2020, 4:49 p.m. UTC 
Use the Linux audit services to look for specific events and trigger
the correct test exit code.

This is useful for tests that fail on a socket timeout where they
hang around for x seconds before exiting. The audit service will detect
the event as it occurred based on AVC entry scontext= and optionally, a
regex (e.g. "denied.*\\{ recv \\}") entry.

Without this patch sctp tests take ~2.6 min, with patch ~4 secs.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 README.md                              |  5 +-
 policy/test_sctp.te                    |  1 +
 tests/sctp/Makefile                    |  2 +-
 tests/sctp/sctp_asconf_params_client.c | 51 ++++++++++++-
 tests/sctp/sctp_client.c               | 52 ++++++++++++--
 tests/sctp/sctp_common.c               | 99 ++++++++++++++++++++++++++
 tests/sctp/sctp_common.h               | 11 +++
 tests/sctp/test                        | 50 ++++++-------
 travis-ci/run-testsuite.sh             |  1 +
 9 files changed, 237 insertions(+), 35 deletions(-)

Comments

Ondrej Mosnacek Nov. 5, 2020, 9:56 a.m. UTC | #1 
On Wed, Nov 4, 2020 at 5:49 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> Use the Linux audit services to look for specific events and trigger
> the correct test exit code.
>
> This is useful for tests that fail on a socket timeout where they
> hang around for x seconds before exiting. The audit service will detect
> the event as it occurred based on AVC entry scontext= and optionally, a
> regex (e.g. "denied.*\\{ recv \\}") entry.

I have mixed feelings about this approach, because then the tests
won't be able to detect a bug where an audit record would be produced,
but the message would be delivered anyway (a few moments later). OTOH
the massive speedup is very tempting... :)

One possible alternative could be to calibrate how long it takes
between sending and receiving an SCTP message on the given system at
the beginning of the test, multiply the max value by some factor (1.5?
2?), and use it as the timeout. But then this wouldn't help in cases
where the latency just spikes very high occasionally... (which I think
is what happens in cases of the random failures we have been seeing
sometimes)

Another option would be to run the tests asynchronously, but that
comes with its own set of problems...

Paul, Stephen, any thoughts?

>
> Without this patch sctp tests take ~2.6 min, with patch ~4 secs.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  README.md                              |  5 +-
>  policy/test_sctp.te                    |  1 +
>  tests/sctp/Makefile                    |  2 +-
>  tests/sctp/sctp_asconf_params_client.c | 51 ++++++++++++-
>  tests/sctp/sctp_client.c               | 52 ++++++++++++--
>  tests/sctp/sctp_common.c               | 99 ++++++++++++++++++++++++++
>  tests/sctp/sctp_common.h               | 11 +++
>  tests/sctp/test                        | 50 ++++++-------
>  travis-ci/run-testsuite.sh             |  1 +
>  9 files changed, 237 insertions(+), 35 deletions(-)
[...]
diff mbox series

Patch

diff --git a/README.md b/README.md
index 4a22389..7d8d567 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@  similar dependencies):
 * jfsutils _(used by the jfs filesystem tests)_
 * dosfstools _(used by the vfat filesystem tests)_
 * nftables _(used by inet_socket and sctp tests if ver >= 9.3 for secmark testing )_
+* audit-libs-devel _(used by inet_socket and sctp tests to reduce run time )_
 
 On a modern Fedora system you can install these dependencies with the
 following command (NOTE: On Fedora 32 and below you need to remove
@@ -88,6 +89,7 @@  following command (NOTE: On Fedora 32 and below you need to remove
 		jfsutils \
 		dosfstools \
 		nftables \
+		audit-libs-devel \
 		kernel-devel-$(uname -r) \
 		kernel-modules-$(uname -r)
 
@@ -134,7 +136,8 @@  command:
 		e2fsprogs \
 		jfsutils \
 		dosfstools \
-		nftables
+		nftables \
+		audit-libs-devel
 
 On Debian, you need to build and install netlabel_tools manually since
 it is not yet packaged for Debian
diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index 363e3c5..c691db9 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -4,6 +4,7 @@ 
 
 attribute sctpsocketdomain;
 
+logging_read_audit_log(sctpsocketdomain)
 #
 ######################## NetLabel labels ############################
 #
diff --git a/tests/sctp/Makefile b/tests/sctp/Makefile
index dd151fb..bd8ba72 100644
--- a/tests/sctp/Makefile
+++ b/tests/sctp/Makefile
@@ -4,7 +4,7 @@  TARGETS = sctp_client sctp_server sctp_bind sctp_bindx sctp_connectx \
 DEPS = sctp_common.c sctp_common.h
 CFLAGS ?= -Wall
 
-LDLIBS += -lselinux -lsctp
+LDLIBS += -lselinux -lsctp -lauparse -pthread
 
 all: $(TARGETS)
 
diff --git a/tests/sctp/sctp_asconf_params_client.c b/tests/sctp/sctp_asconf_params_client.c
index 48403ae..d85b337 100644
--- a/tests/sctp/sctp_asconf_params_client.c
+++ b/tests/sctp/sctp_asconf_params_client.c
@@ -41,6 +41,12 @@  static void usage(char *progname)
 		"   same type (IPv4 or IPv6).\n\t"
 		"2) IPv6 link-local addresses require the %%<if_name> to\n\t"
 		"   obtain scopeid. e.g. fe80::7629:afff:fe0f:8e5d%%wlp6s0\n");
+
+	fprintf(stderr, "\nTo use the audit system to detect an AVC entry:\n\t"
+		"-s      A specific 'scontext=' AVC entry to search for.\n\t"
+		"        If not present the client context will be used.\n\t"
+		"-r      An optional regex entry to be used in the search.\n\t"
+		"-z      Mandatory exit code, called when a match is found.\n");
 	exit(1);
 }
 
@@ -119,14 +125,30 @@  int main(int argc, char **argv)
 	socklen_t sinlen = sizeof(sin);
 	struct timeval tm;
 	bool verbose = false;
-	char buffer[512];
+	char buffer[512], *context;
 	char msg[] = "Send peer address";
 	char *rcv_new_addr_buf = NULL;
+	pthread_t thread;
+
+	audit_verbose = false;
+	event_scontext = NULL;
+	event_regex = NULL;
+	event_exit = 0;
 
-	while ((opt = getopt(argc, argv, "v")) != -1) {
+	while ((opt = getopt(argc, argv, "vs:r:z:")) != -1) {
 		switch (opt) {
 		case 'v':
 			verbose = true;
+			audit_verbose = true;
+			break;
+		case 's':
+			event_scontext = optarg;
+			break;
+		case 'r':
+			event_regex = optarg;
+			break;
+		case 'z':
+			event_exit = atoi(optarg);
 			break;
 		default:
 			usage(argv[0]);
@@ -136,6 +158,31 @@  int main(int argc, char **argv)
 	if ((argc - optind) != 2)
 		usage(argv[0]);
 
+	if (!event_scontext || verbose) {
+		result = getcon(&context);
+		if (result < 0) {
+			fprintf(stderr, "Client getcon: %s\n",
+				strerror(result));
+			exit(1);
+		}
+		if (!event_scontext)
+			event_scontext = strdup(context);
+
+		if (verbose) {
+			printf("Client process context: %s\n", context);
+			free(context);
+		}
+	}
+
+	if (event_exit) {
+		result = pthread_create(&thread, NULL, &check_au_event, NULL);
+		if (result < 0) {
+			fprintf(stderr, "Client pthread_create: %s\n",
+				strerror(result));
+			exit(1);
+		}
+	}
+
 	memset(&client_hints, 0, sizeof(struct addrinfo));
 	client_hints.ai_socktype = SOCK_SEQPACKET;
 	client_hints.ai_protocol = IPPROTO_SCTP;
diff --git a/tests/sctp/sctp_client.c b/tests/sctp/sctp_client.c
index 2f527ed..5579970 100644
--- a/tests/sctp/sctp_client.c
+++ b/tests/sctp/sctp_client.c
@@ -16,6 +16,12 @@  static void usage(char *progname)
 		"seq     use SCTP 1-to-Many style.\n\t"
 		"addr    IPv4 or IPv6 address (e.g. 127.0.0.1 or ::1).\n\t"
 		"port    Port for accessing server.\n", progname);
+
+	fprintf(stderr, "\nTo use the audit system to detect an AVC entry:\n\t"
+		"-s      A specific 'scontext=' AVC entry to search for.\n\t"
+		"        If not present the client context will be used.\n\t"
+		"-r      An optional regex entry to be used in the search.\n\t"
+		"-z      Mandatory exit code, called when a match is found.\n");
 	exit(1);
 }
 
@@ -29,8 +35,14 @@  int main(int argc, char **argv)
 	bool ipv4 = false, expect_ipopt = false;
 	char *context;
 	struct timeval tm;
+	pthread_t thread;
+
+	audit_verbose = false;
+	event_scontext = NULL;
+	event_regex = NULL;
+	event_exit = 0;
 
-	while ((opt = getopt(argc, argv, "e:vxmni")) != -1) {
+	while ((opt = getopt(argc, argv, "e:vxmnis:r:z:")) != -1) {
 		switch (opt) {
 		case 'e':
 			expected = optarg;
@@ -40,6 +52,7 @@  int main(int argc, char **argv)
 			break;
 		case 'v':
 			verbose = true;
+			audit_verbose = true;
 			break;
 		case 'n':
 			no_connects = true;
@@ -47,6 +60,15 @@  int main(int argc, char **argv)
 		case 'x':
 			connectx = true;
 			break;
+		case 's':
+			event_scontext = optarg;
+			break;
+		case 'r':
+			event_regex = optarg;
+			break;
+		case 'z':
+			event_exit = atoi(optarg);
+			break;
 		default:
 			usage(argv[0]);
 		}
@@ -65,11 +87,29 @@  int main(int argc, char **argv)
 	else
 		usage(argv[0]);
 
-	if (verbose) {
-		if (getcon(&context) < 0)
-			context = strdup("unavailable");
-		printf("Client process context: %s\n", context);
-		free(context);
+	if (!event_scontext || verbose) {
+		result = getcon(&context);
+		if (result < 0) {
+			fprintf(stderr, "Client getcon: %s\n",
+				strerror(result));
+			exit(1);
+		}
+		if (!event_scontext)
+			event_scontext = strdup(context);
+
+		if (verbose) {
+			printf("Client process context: %s\n", context);
+			free(context);
+		}
+	}
+
+	if (event_exit) {
+		result = pthread_create(&thread, NULL, &check_au_event, NULL);
+		if (result < 0) {
+			fprintf(stderr, "Client pthread_create: %s\n",
+				strerror(result));
+			exit(1);
+		}
 	}
 
 	result = getaddrinfo(argv[optind + 1], argv[optind + 2], &hints,
diff --git a/tests/sctp/sctp_common.c b/tests/sctp/sctp_common.c
index 8b65870..82d28a4 100644
--- a/tests/sctp/sctp_common.c
+++ b/tests/sctp/sctp_common.c
@@ -302,3 +302,102 @@  int handle_event(void *buf, char *cmp_addr, sctp_assoc_t *assoc_id,
 
 	return EVENT_OK;
 }
+
+/*
+ * Audit Events
+ *
+ * These routines run in a thread started by the main test program and use
+ * the auparse/ausearch services to search for events. If the event is found,
+ * the program will exit with the specified event_exit code.
+ * The variables hold the following information:
+ *    event_scontext - Contains a mandatory 'scontext=' AVC entry to search for
+ *    event_regex    - Contains an optional regex entry to search for
+ *    event_exit     - Contains a mandatory exit code, executed on a successful
+ *                     search to end the test
+ *    audit_buf      - Holds the next set of audit events to be searched
+ *    audit_verbose  - Set if verbose output is required.
+ *
+ * Should the audit system fail at any point, the error will be reported,
+ * however it will continue to tun. This allows the test to proceed as normal,
+ * usually by a socket call timing out and exiting with the original exit code.
+ * See sctp_client.c for the calling process.
+ */
+char *event_scontext, *event_regex, audit_buf[1024];
+int event_exit;
+bool audit_verbose;
+
+void *check_au_event(void *arg)
+{
+	FILE *fp;
+	size_t len;
+	auparse_state_t *au;
+
+	au = auparse_init(AUSOURCE_FEED, 0);
+	if (!au)
+		perror("auparse_init");
+
+	auparse_add_callback(au, handle_audit_event, NULL, NULL);
+
+	fp = fopen(AUDIT_LOG, "r");
+	if (!fp)
+		fprintf(stderr, "Could not open: %s, %s\n",
+			AUDIT_LOG, strerror(errno));
+
+	if (fseek(fp, 0, SEEK_END) < 0)
+		perror("Audit Log fseek");
+
+	memset(&audit_buf, 0, sizeof(audit_buf));
+
+	while (1) {
+		clearerr(fp);
+		len = fread(audit_buf, 1, sizeof(audit_buf), fp);
+		if (len > 0) {
+			if (audit_verbose)
+				printf("Audit Entry:\n%s\n", audit_buf);
+			auparse_feed(au, audit_buf, len);
+			auparse_flush_feed(au);
+			memset(&audit_buf, 0, sizeof(audit_buf));
+		}
+		if (len < 0)
+			perror("Audit fread");
+	}
+	auparse_destroy(au);
+}
+
+void handle_audit_event(auparse_state_t *au,
+			auparse_cb_event_t cb_event_type,
+			void *user_data)
+{
+	int result;
+
+	if (cb_event_type != AUPARSE_CB_EVENT_READY)
+		return;
+
+	if (ausearch_add_item(au, "scontext", "=", event_scontext,
+			      AUSEARCH_RULE_CLEAR)) {
+		perror("ausearch_add_item");
+		exit(1);
+	}
+
+	if (event_regex) {
+		if (ausearch_add_regex(au, event_regex)) {
+			perror("ausearch_add_regex error");
+			exit(1);
+		}
+	}
+
+	result = ausearch_next_event(au);
+	switch (result) {
+	case -1:
+		perror("ausearch_next_event error");
+		return;
+	case 1:
+		if (audit_verbose)
+			printf("Found Event - Exit with: %d\n", event_exit);
+		exit(event_exit);
+	case 0:
+		if (audit_verbose)
+			printf("Not Requested Event\n");
+		return;
+	}
+}
diff --git a/tests/sctp/sctp_common.h b/tests/sctp/sctp_common.h
index cb69f70..8f98e9a 100644
--- a/tests/sctp/sctp_common.h
+++ b/tests/sctp/sctp_common.h
@@ -18,6 +18,8 @@ 
 #include <stdio.h>
 #include <stdbool.h>
 #include <errno.h>
+#include <pthread.h>
+#include <auparse.h>
 #include <selinux/selinux.h>
 
 enum event_ret {
@@ -34,3 +36,12 @@  void print_ip_option(int fd, bool ipv4, char *text);
 int set_subscr_events(int fd, int data_io, int assoc, int addr, int shutd);
 int handle_event(void *buf, char *cmp_addr, sctp_assoc_t *assoc_id,
 		 bool verbose, char *text);
+
+#define AUDIT_LOG "/var/log/audit/audit.log"
+extern char *event_scontext, *event_regex, audit_buf[1024];
+extern int event_exit;
+extern bool audit_verbose;
+void *check_au_event(void *arg);
+void handle_audit_event(auparse_state_t *au,
+			auparse_cb_event_t cb_event_type,
+			void *user_data);
diff --git a/tests/sctp/test b/tests/sctp/test
index 1170921..6f42a85 100755
--- a/tests/sctp/test
+++ b/tests/sctp/test
@@ -282,7 +282,7 @@  if ($test_asconf) {
 
     print "Testing deny SCTP_PARAM_ADD_IP/SCTP_PARAM_SET_PRIMARY\n";
     $result = system
-"runcon -t sctp_asconf_deny_param_add_client_t $basedir/sctp_asconf_params_client $v $ipaddress[0] 1035 2>&1";
+"runcon -t sctp_asconf_deny_param_add_client_t $basedir/sctp_asconf_params_client $v -s unconfined_u:unconfined_r:sctp_asconf_params_server_t:s0-s0:c0.c1023 -r \"denied.*\\{ connect \\}\" -z 11 $ipaddress[0] 1035 2>&1";
     ok( $result >> 8 eq 11 );   # Client error 'Dynamic Address Reconfiguration'
 
     server_end($pid);
@@ -316,7 +316,7 @@  ok( $result eq 0 );
 
 # Verify that a client without peer { recv } permission cannot communicate with the server STREAM->STREAM.
 $result = system
-"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -e system_u:object_r:netlabel_sctp_peer_t:s0 stream 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -r \"denied.*\\{ recv \\}\" -z 6 -e system_u:object_r:netlabel_sctp_peer_t:s0 stream 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Kill the stream server.
@@ -337,17 +337,17 @@  ok( $result eq 0 );
 
 # Verify that a client using connect(2) without peer { recv } permission cannot communicate with the server SEQ->SEQ.
 $result = system
-"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -e system_u:object_r:netlabel_sctp_peer_t:s0 seq ::1 1035 2>&1";
+"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -r \"denied.*\\{ recv \\}\" -z 6 -e system_u:object_r:netlabel_sctp_peer_t:s0 seq ::1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Verify that a client using sctp_connectx(3) without peer { recv } permission cannot communicate with the server SEQ->SEQ.
 $result = system
-"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -x -e system_u:object_r:netlabel_sctp_peer_t:s0 seq ::1 1035 2>&1";
+"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -r \"denied.*\\{ recv \\}\" -z 6 -x -e system_u:object_r:netlabel_sctp_peer_t:s0 seq ::1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Verify that a client not using any connect without peer { recv } permission cannot communicate with the server SEQ->SEQ.
 $result = system
-"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -n -e system_u:object_r:netlabel_sctp_peer_t:s0 seq ::1 1035 2>&1";
+"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -r \"denied.*\\{ recv \\}\" -z 13 -n -e system_u:object_r:netlabel_sctp_peer_t:s0 seq ::1 1035 2>&1";
 ok( $result >> 8 eq 13 );
 
 # Kill the seq server.
@@ -372,7 +372,7 @@  ok( $result eq 0 );
 
 # Verify that the server is denied this association as the client will timeout on connect.
 $result = system
-"runcon -t test_sctp_client_t -- $basedir/sctp_client $v -e system_u:object_r:deny_assoc_sctp_peer_t:s0 stream ::1 1035 2>&1";
+"runcon -t test_sctp_client_t -- $basedir/sctp_client $v -s system_u:object_r:netlabel_sctp_peer_t:s0 -r \"denied.*\\{ association \\}\" -z 6 -e system_u:object_r:deny_assoc_sctp_peer_t:s0 stream ::1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Kill the seq server.
@@ -416,7 +416,7 @@  ok( $result eq 0 );
 # Verify that authorized client cannot communicate with the server using invalid level STREAM->STREAM.
 # Fails with mlsconstrain peer { recv }
 $result = system
-"runcon -t test_sctp_client_t -l s0:c182.c193 -- $basedir/sctp_client $v stream 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c182.c193 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c182.c192 -r \"denied.*\\{ recv \\}\" -z 6 stream 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Kill the stream server.
@@ -446,7 +446,7 @@  ok( $result eq 0 );
 
 # Verify that client cannot communicate with the server using SEQ->SEQ with invalid level.
 $result = system
-"runcon -t test_sctp_client_t -l s0:c19.c100 -- $basedir/sctp_client $v -i seq 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c19.c100 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c20.c300 -r \"denied.*\\{ recv \\}\" -z 6 -i seq 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # TAG 1 allows categories 0 to 239 to be sent, if greater then ENOSPC (No space left on device)
@@ -478,7 +478,7 @@  ok( $result eq 0 );
 
 # Verify that client cannot communicate with the server using STREAM->SEQ->peeloff with invalid level.
 $result = system
-"runcon -t test_sctp_client_t -l s0:c0.c11 -- $basedir/sctp_client $v -x -i stream 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c0.c11 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c0.c10 -r \"denied.*\\{ recv \\}\" -z 6 -x -i stream 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Kill the seq server.
@@ -519,7 +519,7 @@  ok( $result eq 0 );
 
 # Verify that authorized client cannot communicate with the server using invalid level STREAM->STREAM.
 $result = system
-"runcon -t test_sctp_client_t -l s0:c1023 -- $basedir/sctp_client $v stream 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c1023 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c714,c769,c782,c788,c803,c842,c864 -r \"denied.*\\{ recv \\}\" -z 6 stream 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Kill the stream server.
@@ -549,7 +549,7 @@  ok( $result eq 0 );
 
 # Verify that client cannot communicate with the server using SEQ->SEQ with invalid level.
 $result = system
-"runcon -t test_sctp_client_t -l s0:c19.c30 -- $basedir/sctp_client $v -i seq 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c19.c30 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c20.c335 -r \"denied.*\\{ recv \\}\" -z 6 -i seq 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # TAG 2 allows a maximum of 15 categories in exchange, if greater then ENOSPC (No space left on device)
@@ -581,7 +581,7 @@  ok( $result eq 0 );
 
 # Verify that client cannot communicate with the server using STREAM->SEQ->peeloff with invalid level.
 $result = system
-"runcon -t test_sctp_client_t -l s0:c0.c11 -- $basedir/sctp_client $v -x -i stream 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c0.c11 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c0.c10 -r \"denied.*\\{ recv \\}\" -z 6 -x -i stream 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Kill the seq server.
@@ -622,7 +622,7 @@  ok( $result eq 0 );
 
 # Verify that authorized client cannot communicate with the server using invalid level STREAM->STREAM.
 $result = system
-"runcon -t test_sctp_client_t -l s0:c1023 -- $basedir/sctp_client $v stream 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c1023 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c714,c769,c782,c788,c803,c842,c864 -r \"denied.*\\{ recv \\}\" -z 6 stream 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Kill the stream server.
@@ -652,7 +652,7 @@  ok( $result eq 0 );
 
 # Verify that client cannot communicate with the server using SEQ->SEQ with invalid level.
 $result = system
-"runcon -t test_sctp_client_t -l s0:c20.c51 -- $basedir/sctp_client $v -i seq 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c20.c51 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c20.c50 -r \"denied.*\\{ recv \\}\" -z 6 -i seq 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # TAG 2 allows a maximum of 7 ranges in exchange, if greater then ENOSPC (No space left on device)
@@ -684,7 +684,7 @@  ok( $result eq 0 );
 
 # Verify that client cannot communicate with the server using STREAM->SEQ->peeloff with invalid level.
 $result = system
-"runcon -t test_sctp_client_t -l s0:c0.c11 -- $basedir/sctp_client $v -x -i stream 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c0.c11 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c0.c10 -r \"denied.*\\{ recv \\}\" -z 6 -x -i stream 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Kill the seq server.
@@ -710,7 +710,7 @@  ok( $result eq 0 );
 
 # Verify a client without peer { recv } for client/server process cannot communicate with server STREAM->STREAM.
 $result = system
-"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v stream 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -r \"denied.*\\{ recv \\}\" -z 6 stream 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Kill the stream server.
@@ -727,7 +727,7 @@  ok( $result eq 0 );
 
 # Verify that a client without peer { recv } permission cannot communicate with the server SEQ->SEQ.
 $result = system
-"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v seq 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -r \"denied.*\\{ recv \\}\" -z 6 seq 127.0.0.1 1035 2>&1";
 ok( $result >> 8 eq 6 );
 
 # Kill the seq server.
@@ -772,7 +772,7 @@  if ($test_calipso) {
 
 # Verify that authorized client cannot communicate with the server using invalid level STREAM->STREAM.
     $result = system
-"runcon -t test_sctp_client_t -l s0:c8.c12 -- $basedir/sctp_client $v -i stream ::1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c8.c12 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c0,c12,c24,c28,c36,c42,c44,c128,c138,c152,c158,c246,c290,c318,c330,c354,c368,c392,c414,c516,c534,c570,c594,c610,c622,c634,c648,c662,c686,c698,c712,c714,c726,c740,c769,c782,c788,c803,c820,c832,c842,c856,c864,c896,c924,c936,c950,c960,c986,c1023 -r \"denied.*\\{ recv \\}\" -z 6 -i stream ::1 1035 2>&1";
     ok( $result >> 8 eq 6 );
 
     # Kill the stream server.
@@ -802,12 +802,12 @@  if ($test_calipso) {
 
 # Verify that client cannot communicate with the server using SEQ->SEQ with invalid level.
     $result = system
-"runcon -t test_sctp_client_t -l s0:c20.c51 $basedir/sctp_client $v -i seq ::1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c20.c51 $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c20.c50 -r \"denied.*\\{ recv \\}\" -z 6 -i seq ::1 1035 2>&1";
     ok( $result >> 8 eq 6 );
 
 # Verify that client cannot communicate with the server using SEQ->SEQ with invalid level.
     $result = system
-"runcon -t test_sctp_client_t -l s0:c19.c50 -- $basedir/sctp_client $v -i seq ::1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c19.c50 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c20.c50 -r \"denied.*\\{ recv \\}\" -z 6 -i seq ::1 1035 2>&1";
     ok( $result >> 8 eq 6 );
 
     # Kill server.
@@ -834,7 +834,7 @@  if ($test_calipso) {
 
 # Verify that client cannot communicate with the server using STREAM->SEQ->peeloff with invalid level.
     $result = system
-"runcon -t test_sctp_client_t -l s0:c0.c11 -- $basedir/sctp_client $v -x -i stream ::1 1035 2>&1";
+"runcon -t test_sctp_client_t -l s0:c0.c11 -- $basedir/sctp_client $v -s unconfined_u:unconfined_r:test_sctp_server_t:s0:c0.c10 -r \"denied.*\\{ recv \\}\" -z 6 -x -i stream ::1 1035 2>&1";
     ok( $result >> 8 eq 6 );
 
     # Kill the seq server.
@@ -859,7 +859,7 @@  sub test_tables {
 
 # Verify that a client without packet { recv } permission cannot communicate with the server STREAM->STREAM.
     $result = system
-"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -e nopeer stream 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -r \"denied.*\\{ recv \\}\" -z 6 -e nopeer stream 127.0.0.1 1035 2>&1";
     ok( $result >> 8 eq 6 );
 
  # Verify that authorized client can communicate with the server STREAM->STREAM.
@@ -869,7 +869,7 @@  sub test_tables {
 
 # Verify that a client without packet { recv } permission cannot communicate with the server STREAM->STREAM.
     $result = system
-"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -e nopeer stream ::1 1035 2>&1";
+"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -r \"denied.*\\{ recv \\}\" -z 6 -e nopeer stream ::1 1035 2>&1";
     ok( $result >> 8 eq 6 );
 
     # Kill the stream server.
@@ -886,7 +886,7 @@  sub test_tables {
 
 # Verify that a client without packet { recv } permission cannot communicate with the server SEQ->SEQ.
     $result = system
-"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -e nopeer seq 127.0.0.1 1035 2>&1";
+"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -r \"denied.*\\{ recv \\}\" -z 6 -e nopeer seq 127.0.0.1 1035 2>&1";
     ok( $result >> 8 eq 6 );
 
     # Verify that authorized client can communicate with the server SEQ->SEQ.
@@ -896,7 +896,7 @@  sub test_tables {
 
 # Verify that a client without packet { recv } permission cannot communicate with the server SEQ->SEQ.
     $result = system
-"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -e nopeer seq ::1 1035 2>&1";
+"runcon -t test_sctp_deny_peer_client_t -- $basedir/sctp_client $v -r \"denied.*\\{ recv \\}\" -z 6 -e nopeer seq ::1 1035 2>&1";
     ok( $result >> 8 eq 6 );
 
     # Kill the seq server.
diff --git a/travis-ci/run-testsuite.sh b/travis-ci/run-testsuite.sh
index bd9073c..ecc022f 100755
--- a/travis-ci/run-testsuite.sh
+++ b/travis-ci/run-testsuite.sh
@@ -41,6 +41,7 @@  dnf install -y \
     e2fsprogs \
     jfsutils \
     dosfstools \
+    audit-libs-devel \
     kernel-devel-"$(uname -r)" \
     kernel-modules-"$(uname -r)"