Message ID | 20210113122609.62703-1-omosnace@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Ondrej Mosnáček |
Series | [testsuite] tests/sysctl: use vm.swappiness instead of kernel.modprobe |
On Wed, Jan 13, 2021 at 1:26 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > /proc/sys/kernel/modprobe is labeled as usermode_helper_t on Fedora and > all domains are allowed to read that type now [1] so that crash handling > can proceed without denials. > > While the underlying issue might be a kernel bug (I suspect these files > should be read under kernel credentials, not the crashing process), > let's use a different sysctl for testing for now. > > Since vm.swappiness will be more strict about what values can be set, > rework the test a bit so that it works correctly regardless of the > original value and restores the original setting at the end. > > [1] https://github.com/fedora-selinux/selinux-policy/pull/528 > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > tests/sysctl/test | 15 ++++++++++++--- > 1 file changed, 12 insertions(+), 3 deletions(-) Now applied: https://github.com/SELinuxProject/selinux-testsuite/commit/24bb5c0090710767ff187f1682e5bf355166caa3 > > diff --git a/tests/sysctl/test b/tests/sysctl/test > index a726e96..d6f8c0f 100755 > --- a/tests/sysctl/test > +++ b/tests/sysctl/test 
> @@ -3,21 +3,30 @@ > use Test; > BEGIN { plan tests => 4 } > > -$sysctl = "kernel.modprobe"; > +$sysctl = "vm.swappiness"; > +$val1 = "20"; > +$val2 = "21"; > +$val3 = "22"; > $oldval = `/sbin/sysctl -n $sysctl`; > > +# set to a known value > +system "/sbin/sysctl -w $sysctl=$val1"; > + > $result = system "runcon -t test_sysctl_t -- /sbin/sysctl -n $sysctl 2>&1"; > ok( $result, 0 ); > > $result = > - system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$oldval 2>&1"; > + system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$val2 2>&1"; > ok( $result, 0 ); > > $result = system "runcon -t test_nosysctl_t -- /sbin/sysctl -n $sysctl 2>&1"; > ok($result); > > $result = > - system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=foobar 2>&1"; > + system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=$val3 2>&1"; > ok($result); > > +# restore original value > +system "/sbin/sysctl -w $sysctl=$oldval"; > + > exit; > -- > 2.29.2 >
diff --git a/tests/sysctl/test b/tests/sysctl/test index a726e96..d6f8c0f 100755 --- a/tests/sysctl/test +++ b/tests/sysctl/test @@ -3,21 +3,30 @@ use Test; BEGIN { plan tests => 4 } -$sysctl = "kernel.modprobe"; +$sysctl = "vm.swappiness"; +$val1 = "20"; +$val2 = "21"; +$val3 = "22"; $oldval = `/sbin/sysctl -n $sysctl`; +# set to a known value +system "/sbin/sysctl -w $sysctl=$val1"; + $result = system "runcon -t test_sysctl_t -- /sbin/sysctl -n $sysctl 2>&1"; ok( $result, 0 ); $result = - system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$oldval 2>&1"; + system "runcon -t test_sysctl_t -- /sbin/sysctl -w $sysctl=$val2 2>&1"; ok( $result, 0 ); $result = system "runcon -t test_nosysctl_t -- /sbin/sysctl -n $sysctl 2>&1"; ok($result); $result = - system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=foobar 2>&1"; + system "runcon -t test_nosysctl_t -- /sbin/sysctl -w $sysctl=$val3 2>&1"; ok($result); +# restore original value +system "/sbin/sysctl -w $sysctl=$oldval"; + exit;
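Review bot: The two write checks in this hunk assert only on the exit status of `sysctl -w`, so nothing confirms that the test_sysctl_t write actually changed vm.swappiness to $val2, or that the test_nosysctl_t write left it unchanged. Since $val1, $val2 and $val3 are now distinct, reading the value back with `/sbin/sysctl -n $sysctl` after each write and comparing it would make both outcomes observable. The added setup and restore calls (`system "/sbin/sysctl -w $sysctl=$val1";` and `system "/sbin/sysctl -w $sysctl=$oldval";`) also discard their return status, so a failure to reach the known value or to restore the original setting goes unnoticed. $oldval comes from backticks and still carries its trailing newline, so a `chomp($oldval);` after the capture would keep the restore command clean.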
/proc/sys/kernel/modprobe is labeled as usermode_helper_t on Fedora and all domains are allowed to read that type now [1] so that crash handling can proceed without denials.

While the underlying issue might be a kernel bug (I suspect these files should be read under kernel credentials, not the crashing process), let's use a different sysctl for testing for now.

Since vm.swappiness will be more strict about what values can be set, rework the test a bit so that it works correctly regardless of the original value and restores the original setting at the end.

[1] https://github.com/fedora-selinux/selinux-policy/pull/528

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

---

tests/sysctl/test | 15 ++++++++++++---

1 file changed, 12 insertions(+), 3 deletions(-)