Message ID | 20231127173534.1080-2-alanwandke.linux@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Ondrej Mosnáček |
Headers | show |
Series | [testsuite] defconfig: add NF_TABLES dependency for netlink_socket tests to pass | expand |
On Mon, Nov 27, 2023 at 12:36 PM Alan Wandke <alanwandke.linux@gmail.com> wrote: > > In order to support the NETFILTER_NETLINK protocol, either NF_TABLES or IP_SET must be enabled. > Neither are strict dependencies in Kconfig. Fix this by enabling NF_TABLES in the defconfig. > > Before: > ./netlinkcreate: socket(AF_NETLINK, SOCK_DGRAM, netfilter/12): Protocol not supported > not ok 3 > # Test 3 got: "256" (./test at line 25) > # Expected: "0" > # ./test line 25 is: ok( $result, 0 ); > > After: > ok 3 > > Signed-off-by: Alan Wandke <alanwandke.linux@gmail.com> Looks like we could enable it via a number of different config options but we need NF_TABLES regardless for the secmark tests in inet_socket and sctp to run, so adding that to the defconfig makes the most sense. Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com> > --- > defconfig | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/defconfig b/defconfig > index 2783c01..47938c1 100644 > --- a/defconfig > +++ b/defconfig > @@ -55,6 +55,7 @@ CONFIG_IPV6_GRE=m > CONFIG_SCSI_ISCSI_ATTRS=m > CONFIG_NETFILTER_NETLINK=m > CONFIG_CRYPTO_USER=m > +CONFIG_NF_TABLES=m > > # Overlay fs. > # This is enabled to test overlayfs SELinux integration. > -- > 2.42.0 >
On Mon, Nov 27, 2023 at 9:51 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > On Mon, Nov 27, 2023 at 12:36 PM Alan Wandke <alanwandke.linux@gmail.com> wrote: > > > > In order to support the NETFILTER_NETLINK protocol, either NF_TABLES or IP_SET must be enabled. > > Neither are strict dependencies in Kconfig. Fix this by enabling NF_TABLES in the defconfig. > > > > Before: > > ./netlinkcreate: socket(AF_NETLINK, SOCK_DGRAM, netfilter/12): Protocol not supported > > not ok 3 > > # Test 3 got: "256" (./test at line 25) > > # Expected: "0" > > # ./test line 25 is: ok( $result, 0 ); > > > > After: > > ok 3 > > > > Signed-off-by: Alan Wandke <alanwandke.linux@gmail.com> > > Looks like we could enable it via a number of different config options > but we need NF_TABLES regardless for the secmark tests in inet_socket > and sctp to run, so adding that to the defconfig makes the most sense. > > Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com> Seems reasonable, thanks! The patch is now applied: https://github.com/SELinuxProject/selinux-testsuite/commit/fa65d2f59c4d974ef736bc1cd3bfab75b78ac5f0
diff --git a/defconfig b/defconfig index 2783c01..47938c1 100644 --- a/defconfig +++ b/defconfig @@ -55,6 +55,7 @@ CONFIG_IPV6_GRE=m CONFIG_SCSI_ISCSI_ATTRS=m CONFIG_NETFILTER_NETLINK=m CONFIG_CRYPTO_USER=m +CONFIG_NF_TABLES=m # Overlay fs. # This is enabled to test overlayfs SELinux integration.
In order to support the NETFILTER_NETLINK protocol, either NF_TABLES or IP_SET must be enabled. Neither are strict dependencies in Kconfig. Fix this by enabling NF_TABLES in the defconfig. Before: ./netlinkcreate: socket(AF_NETLINK, SOCK_DGRAM, netfilter/12): Protocol not supported not ok 3 # Test 3 got: "256" (./test at line 25) # Expected: "0" # ./test line 25 is: ok( $result, 0 ); After: ok 3 Signed-off-by: Alan Wandke <alanwandke.linux@gmail.com> --- defconfig | 1 + 1 file changed, 1 insertion(+)