From: Paul M. <pau...@hp...> - 2011-03-13 18:03:11
On Friday, March 11, 2011 5:13:58 PM Linda Knippers wrote: > >From 3b9fe54684a41c2e59047de2487bd90c2605f57e Mon Sep 17 00:00:00 2001 > > Message-Id: > <3b9fe54684a41c2e59047de2487bd90c2605f57e.1299880722.git.linda.knippers@hp > .com> In-Reply-To: <cov...@hp...> > References: <cov...@hp...> > From: Linda Knippers <lin...@hp...> > Date: Thu, 10 Mar 2011 16:57:45 -0500 > Subject: [PATCH 1/3] Fix ipv6 address manipulation > > The code that extracts ipv6 interfaces and addresses was trying to > only look for interfaces with the appropriate address prefix but > was doing it wrong and not getting the interfaces or the addresses > right. I've only tested this on a system with one active ethernet > interface but it works there and seems to be the right fix for > systems with multiple interfaces. > > Signed-off-by: Linda Knippers <lin...@hp...> > --- > audit/network/addr_filter.bash | 12 ++++++++---- > 1 files changed, 8 insertions(+), 4 deletions(-) > > diff --git a/audit/network/addr_filter.bash > b/audit/network/addr_filter.bash index cc8cf40..b923b73 100755 > --- a/audit/network/addr_filter.bash > +++ b/audit/network/addr_filter.bash > @@ -27,13 +27,15 @@ > function get_ipv6_prefix { > if [[ -n $LBLNET_SVR_IPV6 ]]; then > ip -f inet6 route show to match $LBLNET_SVR_IPV6 | \ > - grep -v default | cut -d'/' -f 1 > + grep -v default | cut -d'/' -f 1 | \ > + awk 'BEGIN { FS = ":" } { print $1":"$2":"$3":" }' | \ > + head -n 1 This change only works for a subset of IPv6 prefixes as the awk command will only print the first six bytes. What problems were you seeing with the original code? -- paul moore linux @ hp |
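Review bot: the added `awk 'BEGIN { FS = ":" } { print $1":"$2":"$3":" }'` hardcodes a 48-bit prefix, so a /64 route and the /48 that contains it both reduce to the same three-group string (2001:db8:1:2::/64 and 2001:db8:1::/48 would both yield `2001:db8:1:`), and any later interface match on that string will also accept addresses in neighbouring /64s; a route compressed early with `::` leaves the third group empty. The preceding `cut -d'/' -f 1` throws away exactly the prefix length that would make the match correct, and `head -n 1` silently takes whichever matching route the kernel lists first. Suggest keeping the `prefix/len` from `ip -f inet6 route show to match` and matching interface addresses against the whole network rather than against a truncated string.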
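The prefix-truncation problem raised in the reply above, shown with an added example that is not code from the audit-test tree: the `ip -6 route` and `ip -6 addr` lines are constructed samples, and `route_for`, `awk_style_prefix`, `string_prefix_matches` and `network_matches` are hypothetical helper names. It contrasts the three-group string the patch's awk produces with a containment check that honours the route's prefix length.

```python
import ipaddress
import re

# Constructed sample in the shape of `ip -6 route` output: a /64 on eth0
# that covers the test server, the /48 that contains it (on eth1), a
# link-local route and a default route.
ROUTE_OUTPUT = """\
2001:db8:1:2::/64 dev eth0 proto kernel metric 256
2001:db8:1::/48 dev eth1 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 metric 1024
"""

# Constructed sample in the shape of `ip -6 addr` output.
ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:2::10/64 scope global
    inet6 fe80::1:2/64 scope link
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:7::5/64 scope global
    inet6 fe80::3:4/64 scope link
"""


def route_for(route_text, server_addr):
    """Most specific non-default route whose prefix covers server_addr."""
    server = ipaddress.IPv6Address(server_addr)
    best = None
    for line in route_text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "default" or "/" not in parts[0]:
            continue
        net = ipaddress.IPv6Network(parts[0], strict=False)
        if server in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def awk_style_prefix(net):
    """What the patch's awk does: keep the first three 16-bit groups of the
    route text and drop the prefix length, yielding a grep-style string."""
    groups = str(net.network_address).split(":")
    return ":".join(groups[:3]) + ":"


def string_prefix_matches(addr_text, prefix):
    """Interfaces selected by textual prefix matching (the patch's approach)."""
    return _select(addr_text, lambda ip: str(ip).startswith(prefix))


def network_matches(addr_text, net):
    """Interfaces selected by a prefix-length-aware containment test."""
    return _select(addr_text, lambda ip: ip in net)


def _select(addr_text, keep):
    """Walk `ip -6 addr` text and return {ifname: [addr, ...]} for the
    inet6 addresses accepted by keep()."""
    found = {}
    ifname = None
    for line in addr_text.splitlines():
        m = re.match(r"^\d+: (\S+):", line)
        if m:
            ifname = m.group(1)
            continue
        m = re.match(r"^\s+inet6 (\S+)", line)
        if m and ifname:
            ip = ipaddress.IPv6Interface(m.group(1)).ip
            if keep(ip):
                found.setdefault(ifname, []).append(str(ip))
    return found


if __name__ == "__main__":
    net = route_for(ROUTE_OUTPUT, "2001:db8:1:2::1")
    prefix = awk_style_prefix(net)
    print("route:", net, "awk-style prefix:", prefix)
    # The string match also pulls in eth1's 2001:db8:1:7::5, which is
    # outside the /64; the network match keeps only eth0.
    print("string match:", string_prefix_matches(ADDR_OUTPUT, prefix))
    print("network match:", network_matches(ADDR_OUTPUT, net))
```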
From: SourceForge.net <no...@so...> - 2011-03-12 00:32:43
Bugs item #3207111, was opened at 2011-03-11 19:32
Message generated for change (Tracker Item Submitted) made by lindaknippers
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=841438&aid=3207111&group_id=167060

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: network
Group: RHEL 5.6
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Linda Knippers (lindaknippers)
Assigned to: Linda Knippers (lindaknippers)
Summary: network tests sleep too long on failures

Initial Comment:
The network/run.conf default_augrok function sleeps way too long waiting for audit records to show up. It looks like it intends to sleep in 5 second increments up to a total of 60 seconds but instead it sleeps for 5 seconds, then 10 seconds, then 15 seconds...then 65 seconds. This causes the tests to take forever when there are labeled networking failures.
From: Linda K. <lin...@hp...> - 2011-03-12 00:23:21
Below is the list of patches I've pushed today. I've asked Paul to take a look at my MLS and network patch series before I push it. Once that patchset is in I'll create a branch for any additional RHEL5-related work, although I hope that there isn't any. We still have about 10 networking tests that generate errors but I'm sure they are test issues and at this point I'd rather focus on fixing them on RHEL6. Once I create the RHEL5 branch, I'll reapply Tony's pamtally2_unlock fix for RHEL6 and pull in Ramon's test policy changes. I'm hoping to have all that done by Monday morning. The patches should flow more quickly after that.

-- ljk

commit 665d21ca7dd9688b5569e5159f536214595ea67d
Author: Linda Knippers <lin...@hp...>
Date:   Fri Mar 11 18:59:14 2011 -0500

    Temporarily back out RHEL6 audit record change

    Backing out this change temporarily until I get a few more of the RHEL5.6 updates in case we ever need a branch. Will reapply Tony's change shortly.

    Signed-off-by: Linda Knippers <lin...@hp...>

commit 649c572bb1627a573209a29e9f93e0cad67a2926
Author: Linda Knippers <lin...@hp...>
Date:   Fri Mar 11 18:53:13 2011 -0500

    Fixed another distro check and added a comment about the fd 63 hack

    Signed-off-by: Linda Knippers <lin...@hp...>

commit 01dc421e0b138b2cb3f9d14ef69247b714dab355
Author: Linda Knippers <lin...@hp...>
Date:   Mon Mar 7 19:27:11 2011 -0500

    Fix makefile to properly check distro flavor and build the test policy

    Without this the tests for trusted programs that use policy will get errors

    Signed-off-by: Linda Knippers <lin...@hp...>

commit 51a30c4dee9c401654fc8d6334b0fca64cc61f77
Author: Tony Ernst <te...@sg...>
Date:   Mon Mar 7 16:06:50 2011 -0600

    get libpam tests running on RHEL6

    Turns off vsftpd tests on RHEL since they are no longer required. Minor tweaks to audit message formats for tests in libpam/tests (including the vsftpd tests, so they can still be run if desired). Fixes vsftpd test hang similar to the other bash hangs.

    Signed-off-by: Tony Ernst <te...@sg...>

commit 7341066e748b3b3854b752358a2ffece954d951d
Author: Tony Ernst <te...@sg...>
Date:   Mon Mar 7 10:40:27 2011 -0600

    Fix fail-safe test hangs

    This patch fixes the hangs that were happening on RHEL6 with the audit-test/fail-safe tests. Tests are changed to always use the restart_auditd, start_auditd, and stop_auditd functions. The start_auditd function now redirects fd 63 to /dev/null which prevents the test hangs. All fail-safe tests pass with these changes.

    Signed-off-by: Tony Ernst <te...@sg...>
From: Linda K. <lin...@hp...> - 2011-03-12 00:04:11
>From 5dea8e9ed6550eebba248e3bec18b0c4772af412 Mon Sep 17 00:00:00 2001 From: Linda Knippers <lin...@hp...> Date: Fri, 11 Mar 2011 18:59:14 -0500 Backing out this change temporarily until I get a few more of the RHEL5.6 updates in case we ever need a branch. Will reapply Tony's change shortly. Signed-off-by: Linda Knippers <lin...@hp...> --- audit/libpam/tests/test_pamtally2_unlock.bash | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/audit/libpam/tests/test_pamtally2_unlock.bash b/audit/libpam/tests/test_pamtally2_unlock.bash index 7b5e133..b3a2f90 100755 --- a/audit/libpam/tests/test_pamtally2_unlock.bash +++ b/audit/libpam/tests/test_pamtally2_unlock.bash @@ -47,8 +47,8 @@ expect -c ' } expect {:::$} {close; wait}' -msg_2="acct=\"$TEST_USER\" exe=./usr/sbin/sshd.*terminal=ssh res=success.*" -augrok -q type=CRED_ACQ msg_1=~"PAM:setcred $msg_2" || exit_fail -augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_2" || exit_fail +msg_2="acct=\"*$TEST_USER\"* : exe=./usr/sbin/sshd.*terminal=ssh res=success.*" +augrok -q type=CRED_REFR msg_1=~"PAM: setcred $msg_2" || exit_fail +augrok -q type=USER_ACCT msg_1=~"PAM: accounting $msg_2" || exit_fail exit_pass -- 1.7.4 |
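Review bot: the mail carries no Subject: header (the description starts immediately after the Date: line), so there is no commit title in the patch as posted; the push summary in this thread calls this commit "Temporarily back out RHEL6 audit record change", and that line belongs here as `Subject: [PATCH] Temporarily back out RHEL6 audit record change`. In the hunk itself, the restored `msg_2="acct=\"*$TEST_USER\"* : exe=..."` uses `\"*` (zero or more quote characters) where the replaced line matched exactly one `\"`; if the RHEL5 records are unquoted, `\"?` states that more precisely, and the `: exe=` separator should be double-checked against an actual RHEL5 CRED_REFR record before this is reapplied.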
From: Linda K. <lin...@hp...> - 2011-03-11 23:58:17
>From 0cc2e02b1db632fcb9a8bb716bfb7e68c7a55257 Mon Sep 17 00:00:00 2001 From: Linda Knippers <lin...@hp...> Date: Fri, 11 Mar 2011 18:53:13 -0500 Subject: [PATCH] Fixed another distro check and added a comment about the fd 63 hack Signed-off-by: Linda Knippers <lin...@hp...> --- audit/libpam/tests/test_vsftpd.bash | 3 +++ audit/utils/functions.bash | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/audit/libpam/tests/test_vsftpd.bash b/audit/libpam/tests/test_vsftpd.bash index f5facd8..412c25c 100755 --- a/audit/libpam/tests/test_vsftpd.bash +++ b/audit/libpam/tests/test_vsftpd.bash @@ -22,12 +22,15 @@ source pam_functions.bash || exit 2 # setup setsebool -P ftp_home_dir=1 +# XXX: fd 63 is left open by something, causing the tests to hang prepend_cleanup "initcall $vsftpd_init restart 63>/dev/null" prepend_cleanup "setsebool -P ftp_home_dir=0" backup "$vsftpd_conf" write_config \ "$vsftpd_conf" \ local_enable=YES + +# XXX: fd 63 is left open by something, causing the tests to hang initcall $vsftpd_init restart 63>/dev/null echo Made it this far diff --git a/audit/utils/functions.bash b/audit/utils/functions.bash index 172d5a9..7dcb0aa 100644 --- a/audit/utils/functions.bash +++ b/audit/utils/functions.bash @@ -160,10 +160,11 @@ fi function start_auditd { declare i if ! pidof auditd &>/dev/null; then - if [ $DISTRO -eq "SUSE" ]; then + if [ $DISTRO = "SUSE" ]; then rcauditd start || return 2 auditctl -e 1 || return 2 else + # XXX: fd 63 is left open by something, causing the tests to hang service auditd start 63>/dev/null || return 2 fi fi @@ -191,7 +192,7 @@ function stop_auditd { declare i auditctl -D &>/dev/null - if [ $DISTRO -eq "SUSE" ]; then + if [ $DISTRO = "SUSE" ]; then rcauditd stop || killall auditd else service auditd stop || killall auditd -- 1.7.4 |
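Review bot: in the test_vsftpd.bash hunk the same `# XXX: fd 63 is left open by something, causing the tests to hang` comment is added at both `initcall $vsftpd_init restart 63>/dev/null` call sites, so the workaround now lives in three places (here twice and in start_auditd); consider a small wrapper around `initcall` that applies the redirect once, and record in the comment what "something" turns out to be when it is found so the hack can be retired.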
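Review bot: the `-eq` to `=` change in the start_auditd and stop_auditd hunks is the right fix: `-eq` is an integer comparison, so `[ $DISTRO -eq "SUSE" ]` fails with "integer expression expected" and, since `[` returns non-zero on that error, falls through to the else branch and runs `service auditd start` even on SUSE. While on that line, quote the variable, `[ "$DISTRO" = "SUSE" ]`, so an unset DISTRO yields a false comparison rather than a syntax error from `[ = "SUSE" ]`.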
From: Linda K. <lin...@hp...> - 2011-03-11 22:16:01
>From 73d54a426fcd256f86bcd5d1662070f89d54294b Mon Sep 17 00:00:00 2001 Message-Id: <73d...@hp...> In-Reply-To: <cov...@hp...> References: <cov...@hp...> From: Linda Knippers <lin...@hp...> Date: Fri, 11 Mar 2011 16:38:48 -0500 Subject: [PATCH 3/3] Cleanup workaround for BZ 234426 and reduce sleep time In RHEL5 GA there was a kernel/audit bug where failing network syscalls had an exit status if -512 instead of an exit status of -EINTR. The test to see if this workaround was needed wasn't correct and since the workaround is no longer needed, let's just yank the code. Also changed an annoyingly long sleep time which I tripped over while troubleshooting this problem. Signed-off-by: Linda Knippers <lin...@hp...> --- audit/network/network_functions.bash | 25 +---- audit/network/run.conf | 175 ++++++++++++++------------------- 2 files changed, 78 insertions(+), 122 deletions(-) diff --git a/audit/network/network_functions.bash b/audit/network/network_functions.bash index 5a09a0a..77d817a 100644 --- a/audit/network/network_functions.bash +++ b/audit/network/network_functions.bash @@ -57,22 +57,18 @@ function check_result { [[ $ext != $err ]] && exit_error "unexpected test error" # audit represents errors as negative numbers so fixup the global # field value - if [[ $RH_BZ_234426 == 0 ]]; then - exitval=-$(get_error_code $err_name) - else - exitval=-$(get_error_code_raw $err_name) - fi + exitval=-$(get_error_code $err_name) ;; esac } -# usage: get_error_code_raw <error_name, e.g. EPERM> +# usage: get_error_code <error_name, e.g. EPERM> # this is a private function and should not be called outside the scope of # this file -function get_error_code_raw { +function get_error_code { case $1 in ERESTARTSYS) - # XXX - this is to workaround a kernel audit ?bug? + # XXX - should never see this, but just in case echo "512" ;; *) 
@@ -81,19 +77,6 @@ function get_error_code_raw { esac } -# usage: get_error_code <error_name, e.g. EPERM> -function get_error_code { - case $1 in - ERESTARTSYS) - # XXX - this is to workaround a kernel audit ?bug? - get_error_code_raw EINTR - ;; - *) - get_error_code_raw $1 - ;; - esac -} - # usage: get_sockcall_num <syscall, e.g. connect> function get_sockcall_num { gcc -E -dM /usr/include/linux/net.h | grep -i SYS_$1 | awk '{print $3}' diff --git a/audit/network/run.conf b/audit/network/run.conf index 60e2249..549302f 100644 --- a/audit/network/run.conf +++ b/audit/network/run.conf @@ -559,10 +559,10 @@ function augrok_default { # appear in the log (recent distros can lag in recording audit records) sec=0 augrok $params - while [[ $? != 0 && $sec -le 60 ]]; do + while [[ $? != 0 && $sec -le 10 ]]; do sec=$(expr $sec + 5) echo "retrying the audit record search after a pause (${sec}s)" - sleep $sec + sleep 5 augrok $params done } @@ -951,33 +951,6 @@ else die "error: netcat not installed" fi -# _horrible_ hack to work around an audit bug, see RH BZ #234426 -if [[ ${#RH_BZ_234426} == "" ]]; then - export RH_BZ_234426=0 - echo -n "notice: checking for RH BZ #234426 ... " - ( - declare log_mark - declare testres exitval pid - declare expres syscall exitval - - syscall=accept - expres=fail - exitval=ERESTARTSYS - - log_mark=$(stat -c %s $audit_log) - - read testres exitval pid <<< "$(do_accept ipv4 5100)" - augrok_default - if [[ $? != 0 ]]; then - echo "fixed" - RH_BZ_234426=0 - else - echo "not fixed, workaround in place" - RH_BZ_234426=1 - fi - ) -fi - # wait until remote is available while ! verify_remote; do echo "notice: test server is busy, sleeping for 60s ..." 
@@ -1099,19 +1072,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (incomp) + accept \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=netlabel op=sendrand_tcp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (dom) + accept \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=netlabel op=sendrand_tcp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (domby) + accept \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=netlabel op=sendrand_tcp ipv=ipv4 port=5200 \ '$ipv $port' @@ -1122,19 +1095,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (incomp) + accept \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=netlabel op=sendrand_tcp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (dom) + accept \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=netlabel op=sendrand_tcp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (domby) + accept \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=netlabel op=sendrand_tcp ipv=ipv4 port=5200 \ '$ipv $port' 
@@ -1145,19 +1118,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (incomp) + accept \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_tcp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (dom) + accept \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_tcp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (domby) + accept \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_tcp ipv=ipv4 port=5300 \ '$ipv $port' @@ -1168,19 +1141,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (incomp) + accept \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_tcp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (dom) + accept \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_tcp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (domby) + accept \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_tcp ipv=ipv4 port=5300 \ '$ipv $port' 
@@ -1191,19 +1164,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (incomp) + accept \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_tcp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (dom) + accept \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_tcp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (domby) + accept \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_tcp ipv=ipv6 port=5300 \ '$ipv $port' @@ -1214,19 +1187,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (incomp) + accept \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_tcp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (dom) + accept \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_tcp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (domby) + accept \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_tcp ipv=ipv6 port=5300 \ '$ipv $port' 
@@ -1439,19 +1412,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (incomp) + recvfrom \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (dom) + recvfrom \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (domby) + recvfrom \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' @@ -1462,19 +1435,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (incomp) + recvfrom \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (dom) + recvfrom \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (domby) + recvfrom \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' 
@@ -1485,19 +1458,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (incomp) + recvfrom \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (dom) + recvfrom \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (domby) + recvfrom \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ host=local type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac success (eq) @@ -1507,19 +1480,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (incomp) + recvfrom \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (dom) + recvfrom \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (domby) + recvfrom \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ host=remote type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv6, mac success (eq) 
@@ -1529,19 +1502,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (incomp) + recvfrom \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (dom) + recvfrom \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (domby) + recvfrom \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ host=local type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac success (eq) @@ -1551,19 +1524,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (incomp) + recvfrom \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (dom) + recvfrom \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (domby) + recvfrom \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ host=remote type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' fi 
@@ -1615,19 +1588,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (incomp) + recvmsg \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (dom) + recvmsg \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (domby) + recvmsg \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' @@ -1638,19 +1611,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (incomp) + recvmsg \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (dom) + recvmsg \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (domby) + recvmsg \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' 
@@ -1661,19 +1634,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (incomp) + recvmsg \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (dom) + recvmsg \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (domby) + recvmsg \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ host=local type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac success (eq) @@ -1683,19 +1656,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (incomp) + recvmsg \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (dom) + recvmsg \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (domby) + recvmsg \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ host=remote type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv6, mac success (eq) 
@@ -1705,19 +1678,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (incomp) + recvmsg \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (dom) + recvmsg \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (domby) + recvmsg \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ host=local type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac success (eq) @@ -1727,19 +1700,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (incomp) + recvmsg \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (dom) + recvmsg \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ augrokfunc=augrok_default_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (domby) + recvmsg \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ host=remote type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' fi 
@@ -2036,19 +2009,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (incomp) + read \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=local type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (dom) + read \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=local type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: local NetLabel IPv4, mac failure (domby) + read \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=local type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' @@ -2060,19 +2033,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (incomp) + read \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=remote type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (dom) + read \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=remote type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' ## TESTCASE: remote NetLabel IPv4, mac failure (domby) + read \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=remote type=netlabel op=sendrand_udp ipv=ipv4 port=5200 \ '$ipv $port' 
@@ -2084,19 +2057,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (incomp) + read \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (dom) + read \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv4, mac failure (domby) + read \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall \ host=local type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' @@ -2108,19 +2081,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (incomp) + read \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (dom) + read \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv4, mac failure (domby) + read \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall \ host=remote type=ipsec op=sendrand_udp ipv=ipv4 port=5300 \ '$ipv $port' 
@@ -2132,19 +2105,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (incomp) + read \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (dom) + read \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=local type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: local IPsec IPv6, mac failure (domby) + read \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall \ host=local type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' @@ -2156,19 +2129,19 @@ if [[ $PPROFILE == lspp ]]; then '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (incomp) + read \ - mlsop=incomp expres=fail err=ERESTARTSYS \ + mlsop=incomp expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (dom) + read \ - mlsop=dom expres=fail err=ERESTARTSYS \ + mlsop=dom expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall_inbound_rej \ host=remote type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' ## TESTCASE: remote IPsec IPv6, mac failure (domby) + read \ - mlsop=domby expres=fail err=ERESTARTSYS \ + mlsop=domby expres=fail err=EINTR \ auwatchfunc=auwatch_syscall augrokfunc=augrok_syscall \ host=remote type=ipsec op=sendrand_udp ipv=ipv6 port=5300 \ '$ipv $port' -- 1.7.4 |
From: Linda K. <lin...@hp...> - 2011-03-11 22:15:17
>From f0cea83ba976df8d1bf0c997cad0478d4b959a8d Mon Sep 17 00:00:00 2001 Message-Id: <f0c...@hp...> In-Reply-To: <cov...@hp...> References: <cov...@hp...> From: Linda Knippers <lin...@hp...> Date: Fri, 11 Mar 2011 14:45:11 -0500 Subject: [PATCH 2/3] Back out unnecessary mls overrides These mls overrides were added at some point after the HP RHEL5 evaluation and appear to do more harm than good. For example, making harness-created tmp files trusted objects causes all the negative mls tests which use tmp files to fail because operations succeed that should fail. The other changes also seem unnecessary, at least with my testing on RHEL5.6. Signed-off-by: Linda Knippers <lin...@hp...> --- audit/utils/selinux-policy/lspp_test.te | 11 ++--------- 1 files changed, 2 insertions(+), 9 deletions(-) diff --git a/audit/utils/selinux-policy/lspp_test.te b/audit/utils/selinux-policy/lspp_test.te index 7241b7f..4a615ac 100644 --- a/audit/utils/selinux-policy/lspp_test.te +++ b/audit/utils/selinux-policy/lspp_test.te @@ -32,7 +32,7 @@ define(`ROLES_ALL',`sysadm_r secadm_r auditadm_r staff_r') # the policy_module() and gen_require() statements. # -policy_module(lspp_test,0.5.7) +policy_module(lspp_test,0.5.8) # we really shouldn't be accessing these policy constructs directly but there # isn't always a policy interface available for what we want to do, so just @@ -149,10 +149,9 @@ allow domain lspp_directories:dir r_dir_perms; # make the log files trusted objects mls_trusted_object(lspp_test_output_t) -# make test harness created objects (i.e. std{in,out,err} fds, temp files, etc) +# make test harness created objects (i.e. std{in,out,err} fds, etc) # trusted objects mls_trusted_object(lspp_harness_t) -mls_trusted_object(lspp_harness_tmp_t) # default file types type_transition lspp_domains lspp_test_harness_dir_t:file lspp_harness_exec_t; 
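Review bot: dropping `mls_trusted_object(lspp_harness_tmp_t)` in the @@ -149 hunk is the right direction (a trusted object is exempt from the MLS read/write constraints, so a negative test writing through such a tmp file succeeds where it should be denied, exactly as the message says), but the same line is changed by [PATCH 5/7] earlier in this thread to `mls_trusted_object(user_tmp_t)`, which widens the exemption instead of removing it. Both series start from index 7241b7f of lspp_test.te, so whichever lands second needs a rebase and the two authors should settle that the exemption goes away rather than grows. The rewritten comment ("std{in,out,err} fds, etc") could also say outright that temp files are excluded on purpose so nobody re-adds them.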
@@ -268,9 +267,6 @@ unconfined_domain_noaudit(lspp_test_generic_t) # give the test domain "unconfined" access unconfined_domain_noaudit(lspp_test_netlabel_t) -# allow mls overrides for file "write" access -mls_file_write_down(lspp_test_netlabel_t) - ## # ipsec test domain # @@ -278,8 +274,5 @@ mls_file_write_down(lspp_test_netlabel_t) # give the test domain "unconfined" access unconfined_domain_noaudit(lspp_test_ipsec_t) -# allow mls overrides for file "write" access -mls_file_write_down(lspp_test_ipsec_t) - # give the test domain the ability to match against the SPD entries allow lspp_test_ipsec_t ipsec_spd_t:association polmatch; -- 1.7.4 |
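Review bot: removing `mls_file_write_down()` from lspp_test_netlabel_t and lspp_test_ipsec_t in the @@ -268 and @@ -278 hunks means those test domains can no longer write files below their own level; that is the intended tightening, but [PATCH 2/7] in this thread, already acked, rewrites these same two lines to `mls_file_write_all_levels()`, so one of the two changes will not apply cleanly. The message says the remaining overrides only "seem unnecessary"; a line naming which netlabel and ipsec tests were re-run after the override was removed would turn that into a verified claim.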
From: Linda K. <lin...@hp...> - 2011-03-11 22:14:23
>From 3b9fe54684a41c2e59047de2487bd90c2605f57e Mon Sep 17 00:00:00 2001 Message-Id: <3b9...@hp...> In-Reply-To: <cov...@hp...> References: <cov...@hp...> From: Linda Knippers <lin...@hp...> Date: Thu, 10 Mar 2011 16:57:45 -0500 Subject: [PATCH 1/3] Fix ipv6 address manipulation The code that extracts ipv6 interfaces and addresses was trying to only look for interfaces with the appropriate address prefix but was doing it wrong and not getting the interfaces or the addresses right. I've only tested this on a system with one active ethernet interface but it works there and seems to be the right fix for systems with multiple interfaces. Signed-off-by: Linda Knippers <lin...@hp...> --- audit/network/addr_filter.bash | 12 ++++++++---- 1 files changed, 8 insertions(+), 4 deletions(-) diff --git a/audit/network/addr_filter.bash b/audit/network/addr_filter.bash index cc8cf40..b923b73 100755 --- a/audit/network/addr_filter.bash +++ b/audit/network/addr_filter.bash @@ -27,13 +27,15 @@ function get_ipv6_prefix { if [[ -n $LBLNET_SVR_IPV6 ]]; then ip -f inet6 route show to match $LBLNET_SVR_IPV6 | \ - grep -v default | cut -d'/' -f 1 + grep -v default | cut -d'/' -f 1 | \ + awk 'BEGIN { FS = ":" } { print $1":"$2":"$3":" }' | \ + head -n 1 elif [[ -n $LBLNET_PREFIX_IPV6 ]]; then echo $LBLNET_PREFIX_IPV6 | sed 's/:\/[0-9]*//;s/:0*/:/g;' else ip -o -f inet6 addr show scope global | \ awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' | \ - awk 'BEGIN { FS = ":" } { print $1":"$2":"$3":"$4":" }' | \ + awk 'BEGIN { FS = ":" } { print $1":"$2":"$3":" }' | \ head -n 1 fi } @@ -41,8 +43,9 @@ function get_ipv6_prefix { function get_ipv6_iface { declare prefix=$(get_ipv6_prefix) ip -o -f inet6 addr show scope global | \ + grep $prefix | \ awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $2 }' | \ - grep $prefix | head -n 1 + head -n 1 } function get_ipv4_addr { 
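Review bot: in the @@ -27 hunk the new pipeline first discards the route's prefix length (`cut -d'/' -f 1`) and then hard-codes a three-group prefix in awk (`$1":"$2":"$3":"`), so a /64 route is reduced to its first 48 bits and a route shorter than /48 is over-specified; the prefix length the route already carries should decide how many groups are kept, not a constant. In the @@ -41 hunk `grep $prefix` now runs on the full `ip -o` line before awk selects the interface field, so the prefix is matched anywhere on the line, unquoted and unanchored; quote it and, since `ip -o` puts the address in a fixed field, filter on that field inside awk (for example `$4 ~ "^" prefix`) rather than over the whole line.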
@@ -53,8 +56,9 @@ function get_ipv4_addr { function get_ipv6_addr { declare prefix=$(get_ipv6_prefix) ip -o -f inet6 addr show scope global | \ + grep $prefix | \ awk 'BEGIN { FS = "[ \t]*|[ \t\\/]+" } { print $4 }' | \ - grep $prefix | head -n 1 + head -n 1 } #### -- 1.7.4 |
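Review bot: get_ipv6_addr inherits the same unquoted `grep $prefix` as get_ipv6_iface; when get_ipv6_prefix prints nothing (no matching route and no global address) grep is invoked with no pattern at all, fails with a usage message on stderr, and the function silently returns an empty string that the caller then uses as an address. Guard with `[[ -n $prefix ]] || return 1` ahead of the pipeline and quote `"$prefix"` in both functions.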
From: Linda K. <lin...@hp...> - 2011-03-11 22:13:49
>From 73d54a426fcd256f86bcd5d1662070f89d54294b Mon Sep 17 00:00:00 2001
Message-Id: <cov...@hp...>
From: Linda Knippers <lin...@hp...>
Date: Fri, 11 Mar 2011 16:58:42 -0500
Subject: [PATCH 0/3] MLS and network test fixes for RHEL5.6

Before attempting our test suite on RHEL6, I wanted to make sure we have a clean baseline with the existing tests in mls mode. Discovered a little bit of code decay which I have cleaned up here.

However, I still have 10 networking tests which get errors (note failures), including all the remote connect tests (unlabeled, netlabel and ipsec), plus the ipsec remote sendmsg and sendto tests.

Linda Knippers (3):
  Fix ipv6 address manipulation
  Back out unnecessary mls overrides
  Cleanup workaround for BZ 234426 and reduce sleep time

 audit/network/addr_filter.bash          |   12 ++-
 audit/network/network_functions.bash    |   25 +----
 audit/network/run.conf                  |  175 +++++++++++++------------------
 audit/utils/selinux-policy/lspp_test.te |   11 +--
 4 files changed, 88 insertions(+), 135 deletions(-)

-- 
1.7.4
From: SourceForge.net <no...@so...> - 2011-03-10 15:52:08
Bugs item #3205550, was opened at 2011-03-10 10:52
Message generated for change (Tracker Item Submitted) made by lindaknippers
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=841438&aid=3205550&group_id=167060

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: network
Group: RHEL 5.6
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Linda Knippers (lindaknippers)
Assigned to: Linda Knippers (lindaknippers)
Summary: network tests sleep too long on failures

Initial Comment:
The network/run.conf default_augrok function sleeps way too long waiting for audit records to show up. It looks like it intends to sleep in 5 second increments up to a total of 60 seconds but instead it sleeps for 5 seconds, then 10 seconds, then 15 seconds...then 65 seconds. This causes the tests to take forever when there are labeled networking failures.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=841438&aid=3205550&group_id=167060
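The growing-sleep behaviour the tracker item describes, next to a bounded poll that waits a fixed step at a time, as an added example for this thread (it is not the suite's default_augrok function, whose code is not in the bug report). `wait_for`, `fake_sleep`, `total_wait_buggy` and `total_wait_fixed` are names chosen here; `SLEEP_CMD` is an assumed hook so the schedule can be measured without actually sleeping.

```shell
#!/bin/bash
# Added illustration of the sleep-scheduling bug from tracker item #3205550;
# hypothetical code, not the audit-test suite's own.

# fake_sleep SECONDS: stand-in for sleep(1) that only tallies the seconds it
# would have slept, so a schedule can be inspected instantly.
FAKE_SLEPT=0
fake_sleep() { FAKE_SLEPT=$((FAKE_SLEPT + $1)); }

# wait_for CHECK [STEP] [MAX]: run CHECK until it succeeds, sleeping STEP
# seconds between attempts, and give up once MAX seconds of sleep have
# accumulated. Returns 0 when CHECK succeeded, 1 on timeout. SLEEP_CMD may
# name a substitute for sleep (fake_sleep above) for testing.
wait_for() {
    local check=$1 step=${2:-5} max=${3:-60} waited=0
    while ! eval "$check"; do
        if [ "$waited" -ge "$max" ]; then
            return 1
        fi
        "${SLEEP_CMD:-sleep}" "$step"
        waited=$((waited + step))
    done
    return 0
}

# total_wait_buggy STEP MAX: seconds slept by a loop of the shape the report
# describes: the counter meant to bound the loop is handed to sleep itself,
# so each sleep grows by STEP and the last one overshoots MAX
# (5, 10, 15, ... 65 for STEP=5 MAX=60, i.e. 455 s instead of 60 s).
total_wait_buggy() {
    local step=$1 max=$2 waited=0
    FAKE_SLEPT=0
    while [ "$waited" -le "$max" ]; do
        waited=$((waited + step))
        fake_sleep "$waited"
    done
    echo "$FAKE_SLEPT"
}

# total_wait_fixed STEP MAX: seconds slept by wait_for when the record never
# shows up (CHECK is `false`): exactly MAX.
total_wait_fixed() {
    FAKE_SLEPT=0
    SLEEP_CMD=fake_sleep
    wait_for false "$1" "$2" || true
    echo "$FAKE_SLEPT"
}
```

In a harness, CHECK would be the augrok query that looks for the expected record; keeping the step constant and comparing the accumulated total against the budget is what bounds a failing test at MAX seconds.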
From: SourceForge.net <no...@so...> - 2011-03-10 15:44:53
Bugs item #3196762, was opened at 2011-03-01 20:40
Message generated for change (Comment added) made by lindaknippers
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=841438&aid=3196762&group_id=167060

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: fail-safe
Group: RHEL 5.6
>Status: Pending
Resolution: None
Priority: 5
Private: No
Submitted By: Linda Knippers (lindaknippers)
Assigned to: Nobody/Anonymous (nobody)
Summary: fail-safe tests hang on completion

Initial Comment:
This problem has been reported by Jim, Tony and Linda on RHEL5.6 and RHEL6. The fail-safe tests hang at the completion of each test. If you run 'service auditd stop' in a different window then the next test will run and then it too will hang.

There is more information on the audit-test-developer mailing list and on this mail thread:
https://www.redhat.com/mailman/private/rhel6-cc-external-list/2011-March/msg00007.html

----------------------------------------------------------------------

>Comment By: Linda Knippers (lindaknippers)
Date: 2011-03-10 10:44

Message:
Tony has submitted workarounds.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=841438&aid=3196762&group_id=167060
From: Debora V. <dve...@us...> - 2011-03-09 18:43:29
> Hi,
>
> I've been setting up to test CIPSO support with RHEL6.1 and thought I would
> first verify that it still works with RHEL5.6. I ran into a problem with the
> mls tests on 5.6 and I believe I've tracked down the problem to an lspp_test
> policy change from a few years ago.
>
> I'm trying to figure out why the change was made because it just seems wrong
> but I'll likely just revert the change. Before I do that, I'd like to know
> if anyone else has had a clean run on RHEL5.6 with the current tests. I'm
> specifically interested in the mls syscall tests.

We haven't had a clean run on RHEL 5.6 in mls mode. All our testing on RHEL5.6 has been in capp mode.

-debbie

> Thanks,
>
> -- ljk
>
> ------------------------------------------------------------------------------
> Colocation vs. Managed Hosting
> A question and answer guide to determining the best fit
> for your organization - today and in the future.
> http://p.sf.net/sfu/internap-sfd2d
> _______________________________________________
> Audit-test-developer mailing list
> Aud...@li...
> https://lists.sourceforge.net/lists/listinfo/audit-test-developer
From: Linda K. <lin...@hp...> - 2011-03-09 17:35:43
Hi,

I've been setting up to test CIPSO support with RHEL6.1 and thought I would first verify that it still works with RHEL5.6. I ran into a problem with the mls tests on 5.6 and I believe I've tracked down the problem to an lspp_test policy change from a few years ago.

I'm trying to figure out why the change was made because it just seems wrong but I'll likely just revert the change. Before I do that, I'd like to know if anyone else has had a clean run on RHEL5.6 with the current tests. I'm specifically interested in the mls syscall tests.

Thanks,

-- ljk
From: Linda K. <lin...@hp...> - 2011-03-09 16:20:36
Thanks for the patches. I'll pull these in as soon.

-- ljk

Ramon de Carvalho Valle wrote:
> This patch series updates the SELinux policy module to compile on RHEL 6
> with the latest version of selinux-policy RPM package.
>
> [PATCH 1/7] Replace r_dir_perms
> [PATCH 2/7] Replace mls_file_read_up and mls_file_write_down
> [PATCH 3/7] Replace authlogin_per_role_template
> [PATCH 4/7] Replace selinux-policy-devel
> [PATCH 5/7] Replace lspp_harness_tmp_t and lspp_harness_devpts_t
> [PATCH 6/7] Remove role dominance definitions
> [PATCH 7/7] Update policy module version
>
>
> ------------------------------------------------------------------------------
> What You Don't Know About Data Connectivity CAN Hurt You
> This paper provides an overview of data connectivity, details
> its effect on application quality, and explores various alternative
> solutions. http://p.sf.net/sfu/progress-d2d
> _______________________________________________
> Audit-test-developer mailing list
> Aud...@li...
> https://lists.sourceforge.net/lists/listinfo/audit-test-developer
From: Paul M. <pau...@hp...> - 2011-03-08 22:59:01
On Monday, March 07, 2011 1:59:43 PM Ramon de Carvalho Valle wrote: > From: Ramon de Carvalho Valle <rc...@br...> > > Replace lspp_harness_tmp_t and lspp_harness_devpts_t types by user_tmp_t > and user devpts_t. The types with _tmp_t and _devpts_t suffix have been > replaced by the user_tmp_t and user_devpts_t types respectively. > The new rules for user_tmp_t are defined in the userdom_manage_tmp_role > interface, which is referenced in userdom_login_user_template, which in > turn is referenced by the userdom_admin_user_template interface. > The new rules for user_devpts_t are defined in the term_create_pty > interface, which is referenced in userdom_base_user_template, referenced > by the userdom_login_user_template interface, which in turn is > referenced by the userdom_admin_user_template. > > Signed-off-by: Ramon de Carvalho Valle <rc...@br...> Acked-by: Paul Moore <pau...@hp...> > --- > audit/utils/selinux-policy/lspp_test.te | 8 ++------ > 1 files changed, 2 insertions(+), 6 deletions(-) > > diff --git a/audit/utils/selinux-policy/lspp_test.te > b/audit/utils/selinux-policy/lspp_test.te index db71532..33a7a87 100644 > --- a/audit/utils/selinux-policy/lspp_test.te > +++ b/audit/utils/selinux-policy/lspp_test.te > @@ -152,7 +152,7 @@ mls_trusted_object(lspp_test_output_t) > # make test harness created objects (i.e. std{in,out,err} fds, temp files, > etc) # trusted objects > mls_trusted_object(lspp_harness_t) > -mls_trusted_object(lspp_harness_tmp_t) > +mls_trusted_object(user_tmp_t) > > # default file types > type_transition lspp_domains lspp_test_harness_dir_t:file > lspp_harness_exec_t; 
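Review bot: replacing `mls_trusted_object(lspp_harness_tmp_t)` with `mls_trusted_object(user_tmp_t)` in the @@ -152 hunk is not a plain rename: lspp_harness_tmp_t was private to the test harness, whereas user_tmp_t is the temp type of every ordinary user domain, so this line now exempts all user temp files on the test machine from the MLS constraints. Linda reports later in this thread that trusted tmp files let the negative mls tests succeed where they should be denied, which argues for dropping the line rather than retargeting it; at minimum the commit message should say the scope widened.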
@@ -238,12 +238,8 @@ > logging_run_auditctl(lspp_harness_t,lspp_test_r,{ ttynode ptynode }) > seutil_run_runinit(lspp_harness_t,lspp_test_r,{ ttynode ptynode }) allow > initrc_t lspp_harness_t:fd use; > > -# give the harness domain access to the local login domain > -locallogin_domtrans(lspp_harness_t) > -allow local_login_t lspp_harness_devpts_t:chr_file { read write ioctl > relabelfrom relabelto setattr getattr }; - > # give the harness domain access to the sysadm lpr domain > -allow sysadm_lpr_t lspp_harness_devpts_t:chr_file { read write }; > +allow sysadm_lpr_t user_devpts_t:chr_file { read write }; > > # give the harness domain access to all the other test domain's > associations allow lspp_harness_t lspp_domains:association { setcontext > recvfrom }; -- paul moore linux @ hp |
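Review bot: the @@ -238 hunk removes both `locallogin_domtrans(lspp_harness_t)` (per the removed comment, what gave the harness access to the local login domain) and the allow rule giving local_login_t { read write ioctl relabelfrom relabelto setattr getattr } on the harness pty, while the commit message only says the _devpts_t rules moved into term_create_pty, which covers the harness creating its pty, not local_login_t's access to it. Ramon's own follow-up in this thread finds only dontaudit rules in locallogin.te for this, and those grant nothing, so either keep both lines retargeted to user_devpts_t or cite the allow rule in the base policy that replaces them.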
From: Paul M. <pau...@hp...> - 2011-03-08 22:58:42
On Tuesday, March 08, 2011 10:33:18 AM Ramon de Carvalho Valle wrote: > Hi Paul, > > On 03/07/2011 03:59 PM, Ramon de Carvalho Valle wrote: > > From: Ramon de Carvalho Valle <rc...@br...> > > > > Replace lspp_harness_tmp_t and lspp_harness_devpts_t types by user_tmp_t > > and user devpts_t. The types with _tmp_t and _devpts_t suffix have been > > replaced by the user_tmp_t and user_devpts_t types respectively. > > The new rules for user_tmp_t are defined in the userdom_manage_tmp_role > > interface, which is referenced in userdom_login_user_template, which in > > turn is referenced by the userdom_admin_user_template interface. > > The new rules for user_devpts_t are defined in the term_create_pty > > interface, which is referenced in userdom_base_user_template, referenced > > by the userdom_login_user_template interface, which in turn is > > referenced by the userdom_admin_user_template. > > > > Signed-off-by: Ramon de Carvalho Valle <rc...@br...> > > --- > > > > audit/utils/selinux-policy/lspp_test.te | 8 ++------ > > 1 files changed, 2 insertions(+), 6 deletions(-) > > > > diff --git a/audit/utils/selinux-policy/lspp_test.te > > b/audit/utils/selinux-policy/lspp_test.te index db71532..33a7a87 100644 > > --- a/audit/utils/selinux-policy/lspp_test.te > > +++ b/audit/utils/selinux-policy/lspp_test.te > > @@ -152,7 +152,7 @@ mls_trusted_object(lspp_test_output_t) > > > > # make test harness created objects (i.e. std{in,out,err} fds, temp > > files, etc) # trusted objects > > mls_trusted_object(lspp_harness_t) > > > > -mls_trusted_object(lspp_harness_tmp_t) > > +mls_trusted_object(user_tmp_t) > > > > # default file types > > type_transition lspp_domains lspp_test_harness_dir_t:file > > lspp_harness_exec_t; 
> > > > @@ -238,12 +238,8 @@ logging_run_auditctl(lspp_harness_t,lspp_test_r,{ > > ttynode ptynode }) > > > > seutil_run_runinit(lspp_harness_t,lspp_test_r,{ ttynode ptynode }) > > allow initrc_t lspp_harness_t:fd use; > > > > -# give the harness domain access to the local login domain > > -locallogin_domtrans(lspp_harness_t) > > -allow local_login_t lspp_harness_devpts_t:chr_file { read write ioctl > > relabelfrom relabelto setattr getattr }; - > > I might have been mistaken here. I am not sure if it is all covered here > or any other place: > > http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modul > es/system/locallogin.te#l83 > http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modu > les/system/locallogin.te#l84 > http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modu > les/kernel/devices.if#l582 > http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modu > les/kernel/devices.if#l600 These are dontaudit rules, not allow rules. The dontaudit rules do not allow access, they just don't complain when then deny it. > Or the term_ interfaces referenced below: > > http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modul > es/system/locallogin.te#l115 > http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modu > les/kernel/terminal.if#l1361 > > Any thoughts? Well, presumably if the user specific devpts_t types are gone then we shouldn't need lspp_harness_devpts_t types and allow rules. However, I think there are potentially a lot pitfalls that are left to sort out. > > # give the harness domain access to the sysadm lpr domain > > > > -allow sysadm_lpr_t lspp_harness_devpts_t:chr_file { read write }; > > +allow sysadm_lpr_t user_devpts_t:chr_file { read write }; > > I may be wrong, but I believe that this rule is no longer necessary. 
> Please see: In general, if you've changed the lspp_test policy such that there is no longer a lspp_test specific type in either the subject or object then you should almost certainly delete the rule. > http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modul > es/services/lpd.te#l281 > http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modu > les/system/userdomain.if#l2960 > > lpr_t is an alias to user_lpr_t staff_lpr_t sysadm_lpr_t: > > http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modul > es/services/lpd.te#l41 > > > # give the harness domain access to all the other test domain's > > associations allow lspp_harness_t lspp_domains:association { setcontext > > recvfrom }; -- paul moore linux @ hp |
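Paul's point that a dontaudit rule grants nothing and only suppresses the denial record is easy to get wrong when reading `sesearch` output, so here is an added example for this thread (not part of the audit-test suite or the selinux-policy tree) that separates what is granted from what is merely silenced. The rules in `SAMPLE_RULES` are constructed for the example in the shape `sesearch --allow --dontaudit -s SRC -t TGT -c CLASS` prints; they are not the lspp_test or base policy, and `te_perms`, `granted_perms`, `silenced_perms` and `silenced_not_granted` are names chosen here.

```shell
#!/bin/bash
# Added illustration: allow grants access, dontaudit only hides the denial.
# Constructed sample rules; not taken from any real policy.
SAMPLE_RULES='allow local_login_t user_devpts_t:chr_file { read write };
allow local_login_t user_devpts_t:chr_file getattr;
dontaudit local_login_t user_devpts_t:chr_file { ioctl relabelfrom relabelto };
dontaudit local_login_t user_devpts_t:chr_file setattr;
allow sysadm_lpr_t user_devpts_t:chr_file { read write };
dontaudit sysadm_lpr_t user_devpts_t:chr_file { read ioctl };'

# te_perms KIND SRC TGT CLASS: read TE rules on stdin and print, sorted and
# space-separated, every permission named by rules of KIND (allow or
# dontaudit) with the given source type, target type and object class.
te_perms() {
    awk -v kind="$1" -v src="$2" -v tgt="$3:$4" '
        $1 == kind && $2 == src && $3 == tgt {
            s = $0
            sub(/^[^{]*[{] */, "", s)      # keep what follows "{ "
            sub(/ *[}];?$/, "", s)         # drop the closing " };"
            if (s == $0) {                 # no braces: single perm, e.g. "getattr;"
                s = $4
                sub(/;$/, "", s)
            }
            n = split(s, p, " ")
            for (i = 1; i <= n; i++) seen[p[i]] = 1
        }
        END {
            n = 0
            for (k in seen) out[++n] = k
            for (i = 2; i <= n; i++) {     # insertion sort for stable output
                v = out[i]; j = i - 1
                while (j > 0 && out[j] > v) { out[j + 1] = out[j]; j-- }
                out[j + 1] = v
            }
            for (i = 1; i <= n; i++) printf "%s%s", (i > 1 ? " " : ""), out[i]
            printf "\n"
        }'
}

# granted_perms / silenced_perms SRC TGT CLASS: what allow rules grant versus
# what dontaudit rules merely keep out of the AVC log.
granted_perms()  { te_perms allow     "$@"; }
silenced_perms() { te_perms dontaudit "$@"; }

# silenced_not_granted SRC TGT CLASS: permissions named only by a dontaudit
# rule. These accesses are still refused; the rule just hides the refusal,
# which is why a dontaudit in a policy listing is not evidence that the
# access works.
silenced_not_granted() {
    local rules granted silenced p out=""
    rules=$(cat)
    granted=" $(printf '%s\n' "$rules" | granted_perms "$@") "
    silenced=$(printf '%s\n' "$rules" | silenced_perms "$@")
    for p in $silenced; do
        case "$granted" in
            *" $p "*) ;;
            *) out="$out${out:+ }$p" ;;
        esac
    done
    printf '%s\n' "$out"
}
```

On a live system the same functions can be fed from `sesearch --allow --dontaudit -s local_login_t -t user_devpts_t -c chr_file`; the useful output is the last function's, since a permission that shows up there will fail at runtime without leaving the AVC denial one would normally look for.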
From: Paul M. <pau...@hp...> - 2011-03-08 22:49:26
On Monday, March 07, 2011 1:59:45 PM Ramon de Carvalho Valle wrote: > From: Ramon de Carvalho Valle <rc...@br...> > > Signed-off-by: Ramon de Carvalho Valle <rc...@br...> Acked-by: Paul Moore <pau...@hp...> > --- > audit/utils/selinux-policy/lspp_test.te | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/audit/utils/selinux-policy/lspp_test.te > b/audit/utils/selinux-policy/lspp_test.te index f34a4a2..2a53c3c 100644 > --- a/audit/utils/selinux-policy/lspp_test.te > +++ b/audit/utils/selinux-policy/lspp_test.te > @@ -32,7 +32,7 @@ define(`ROLES_ALL',`sysadm_r secadm_r auditadm_r > staff_r') # the policy_module() and gen_require() statements. > # > > -policy_module(lspp_test,0.5.7) > +policy_module(lspp_test,0.6.0) > > # we really shouldn't be accessing these policy constructs directly but > there # isn't always a policy interface available for what we want to do, > so just -- paul moore linux @ hp |
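Review bot: this bump lands on the same `policy_module()` line that [PATCH 2/3] in this thread moves to 0.5.8 from the same base (index 7241b7f), so the two series will conflict on it; whichever goes in second needs a rebase. A minor-version step to 0.6.0 is reasonable after six patches that drop interfaces and types, but the commit message is empty apart from the sign-off; a one-line summary of what changed since 0.5.7 is what someone reading the installed module version will want.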
From: Paul M. <pau...@hp...> - 2011-03-08 22:48:32
On Monday, March 07, 2011 1:59:44 PM Ramon de Carvalho Valle wrote: > From: Ramon de Carvalho Valle <rc...@br...> > > Remove role dominance definitions. Role dominance definitions have been > deprecated. According to Chris PeBenito, role dominance was broken in > modular policy, and he can not remember if it was fixed. I saw some > discussion in SELinux mailing list from early 2008 about deprecating > role dominance by role attributes. However, according to Chris, it was > never added. For now, I think it is better remove it and do the > associations as it is needed. > > Signed-off-by: Ramon de Carvalho Valle <rc...@br...> Acked-by: Paul Moore <pau...@hp...> > --- > audit/utils/selinux-policy/lspp_test.te | 8 -------- > 1 files changed, 0 insertions(+), 8 deletions(-) > > diff --git a/audit/utils/selinux-policy/lspp_test.te > b/audit/utils/selinux-policy/lspp_test.te index 33a7a87..f34a4a2 100644 > --- a/audit/utils/selinux-policy/lspp_test.te > +++ b/audit/utils/selinux-policy/lspp_test.te > @@ -117,14 +117,6 @@ files_type(lspp_test_output_t) > # > > role lspp_test_r types domain; > -dominance { > - role lspp_test_r { > - role sysadm_r; > - role secadm_r; > - role auditadm_r; > - role staff_r; > - } > -} > > # add the lspp test types to the generic object role > role system_r types lspp_domains; -- paul moore linux @ hp |
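Review bot: the context line `role lspp_test_r types domain;` already associates every domain type with lspp_test_r, so removing the dominance block loses nothing on the type side, and the message's "do the associations as it is needed" reads as deferred work; state explicitly that none are needed now. The one thing to confirm is that the role changes the harness performs (newrole into sysadm_r and the other ROLES_ALL members from lspp_test_r) rely on the explicit `allow { ROLES_ALL } lspp_test_r;` shown in the context of [PATCH 1/7] and not on dominance.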
From: Paul M. <pau...@hp...> - 2011-03-08 22:48:19
On Monday, March 07, 2011 1:59:42 PM Ramon de Carvalho Valle wrote: > From: Ramon de Carvalho Valle <rc...@br...> > > Replace selinux-policy-devel by selinux-devel. The selinux-policy-devel > RPM package has been merged into selinux-devel in RHEL 6. > > Signed-off-by: Ramon de Carvalho Valle <rc...@br...> Acked-by: Paul Moore <pau...@hp...> > --- > audit/utils/selinux-policy/Makefile | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/audit/utils/selinux-policy/Makefile > b/audit/utils/selinux-policy/Makefile index 6433e33..ba88c74 100644 > --- a/audit/utils/selinux-policy/Makefile > +++ b/audit/utils/selinux-policy/Makefile > @@ -22,7 +22,7 @@ > > SELINUX_POLICY_TYPE := mls > SELINUX_POLICY_RPM := selinux-policy-$(SELINUX_POLICY_TYPE) > -SELINUX_DEV_RPM := selinux-policy-devel > +SELINUX_DEV_RPM := selinux-policy > > SELINUX_POLICY_DEFTYPEFILE := > /etc/selinux/$(SELINUX_POLICY_TYPE)/contexts/default_type > SELINUX_DEV_BASEDIR := /usr/share/selinux/devel -- paul moore linux @ hp |
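Review bot: the commit message says selinux-policy-devel is replaced by selinux-devel, but the hunk sets `SELINUX_DEV_RPM := selinux-policy`; one of the two is wrong and should be fixed before this goes in. Whatever the intended package, the variable exists to guard the module build on the headers under SELINUX_DEV_BASEDIR (/usr/share/selinux/devel, per the context line), so confirm with `rpm -qf /usr/share/selinux/devel` on RHEL 6 that the package named here actually owns that directory; otherwise the check passes on a machine that cannot build the policy.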
From: Paul M. <pau...@hp...> - 2011-03-08 22:48:04
On Monday, March 07, 2011 1:59:41 PM Ramon de Carvalho Valle wrote: > From: Ramon de Carvalho Valle <rc...@br...> > > Replace authlogin_per_role_template interface by auth_use_pam. At some > point in time this interface was deprecated. However, I could not find > when the change happened, as it seems to predate the Fedora Hosted Git > repository. An implementation of this interface can still be found in > the Certifiable Linux Integration Platform (CLIP) repository at > http://oss.tresys.com/projects/clip/browser/trunk/RHEL5.4/refpolicy/src/ > selinux-policy-clip/policy/modules/system/authlogin.if > > Signed-off-by: Ramon de Carvalho Valle <rc...@br...> Acked-by: Paul Moore <pau...@hp...> > --- > audit/utils/selinux-policy/lspp_test.te | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/audit/utils/selinux-policy/lspp_test.te > b/audit/utils/selinux-policy/lspp_test.te index f26b89f..db71532 100644 > --- a/audit/utils/selinux-policy/lspp_test.te > +++ b/audit/utils/selinux-policy/lspp_test.te > @@ -229,7 +229,7 @@ unconfined_domain_noaudit(lspp_harness_t) > > # give the harness domain newrole access > seutil_run_newrole(lspp_harness_t,lspp_test_r,{ ttynode ptynode }) > -authlogin_per_role_template(lspp_harness,lspp_harness_t,lspp_test_r) > +auth_use_pam(lspp_harness_t) > > # give the harness domain auditctl access > logging_run_auditctl(lspp_harness_t,lspp_test_r,{ ttynode ptynode }) -- paul moore linux @ hp |
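Review bot: `authlogin_per_role_template(lspp_harness,lspp_harness_t,lspp_test_r)` took the role as a parameter and `auth_use_pam(lspp_harness_t)` takes only the domain, so whatever the template did per role is dropped, and the message says only that the interface was deprecated, not what replaces the role-specific part. Since the context line directly above runs newrole as lspp_test_r from the harness domain, the commit message should say which per-role rules (if any) were still needed and where they now come from.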
From: Paul M. <pau...@hp...> - 2011-03-08 22:47:40
On Monday, March 07, 2011 1:59:40 PM Ramon de Carvalho Valle wrote: > From: Ramon de Carvalho Valle <rc...@br...> > > Replace the mls_file_read_up and mls_file_write_down interfaces by > mls_file_read_all_levels and mls_file_write_all_levels. These interfaces > were deprecated in http://git.fedorahosted.org/git/?p=selinux-policy.git > ;a=commit;h=f8233ab7b0154f836ecc81367bf00e0ff976af65 > > Signed-off-by: Ramon de Carvalho Valle <rc...@br...> Acked-by: Paul Moore <pau...@hp...> > --- > audit/utils/selinux-policy/lspp_test.te | 8 ++++---- > 1 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/audit/utils/selinux-policy/lspp_test.te > b/audit/utils/selinux-policy/lspp_test.te index 7754bf3..f26b89f 100644 > --- a/audit/utils/selinux-policy/lspp_test.te > +++ b/audit/utils/selinux-policy/lspp_test.te > @@ -206,8 +206,8 @@ > domain_auto_trans(domain,lspp_harness_exec_t,lspp_harness_t) allow > lspp_harness_t domain:process transition; > > # give the harness domain mls override privleges > -mls_file_read_up(lspp_harness_t) > -mls_file_write_down(lspp_harness_t) > +mls_file_read_all_levels(lspp_harness_t) > +mls_file_write_all_levels(lspp_harness_t) > mls_file_upgrade(lspp_harness_t) > mls_file_downgrade(lspp_harness_t) > mls_fd_use_all_levels(lspp_harness_t) > @@ -269,7 +269,7 @@ unconfined_domain_noaudit(lspp_test_generic_t) > unconfined_domain_noaudit(lspp_test_netlabel_t) > > # allow mls overrides for file "write" access > -mls_file_write_down(lspp_test_netlabel_t) > +mls_file_write_all_levels(lspp_test_netlabel_t) > > ## > # ipsec test domain > @@ -279,7 +279,7 @@ mls_file_write_down(lspp_test_netlabel_t) > unconfined_domain_noaudit(lspp_test_ipsec_t) > > # allow mls overrides for file "write" access > -mls_file_write_down(lspp_test_ipsec_t) > +mls_file_write_all_levels(lspp_test_ipsec_t) > > # give the test domain the ability to match against the SPD entries > allow lspp_test_ipsec_t ipsec_spd_t:association polmatch; -- paul moore linux @ hp |
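Review bot: the @@ -206 hunk is a straight rename for the harness domain, but the @@ -269 and @@ -279 hunks keep an MLS write override on lspp_test_netlabel_t and lspp_test_ipsec_t, and [PATCH 2/3] in this thread removes those exact lines because the override lets negative tests succeed; the two authors should settle which version is wanted before either is merged. The message also says the old interfaces were deprecated but not that the new names grant the same scope of override (unrestricted read/write across all levels rather than something narrower); one sentence confirming that would make the policy review quicker. The context comment still reads "privleges".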
From: Paul M. <pau...@hp...> - 2011-03-08 22:47:25
On Monday, March 07, 2011 1:59:39 PM Ramon de Carvalho Valle wrote: > From: Ramon de Carvalho Valle <rc...@br...> > > Replace the r_dir_perms interface by list_dir_perms. This interface was > deprecated in http://git.fedorahosted.org/git/?p=selinux-policy.git;a=co > mmit;h=ef659a476ef732e46815279ee55aa9f9a05fc002 > > Signed-off-by: Ramon de Carvalho Valle <rc...@br...> Acked-by: Paul Moore <pau...@hp...> > --- > audit/utils/selinux-policy/lspp_test.te | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/audit/utils/selinux-policy/lspp_test.te > b/audit/utils/selinux-policy/lspp_test.te index 7241b7f..7754bf3 100644 > --- a/audit/utils/selinux-policy/lspp_test.te > +++ b/audit/utils/selinux-policy/lspp_test.te > @@ -144,7 +144,7 @@ allow { ROLES_ALL } lspp_test_r; > # > > # allow every domain to read the test directory > -allow domain lspp_directories:dir r_dir_perms; > +allow domain lspp_directories:dir list_dir_perms; > > # make the log files trusted objects > mls_trusted_object(lspp_test_output_t) -- paul moore linux @ hp |
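Review bot: `allow domain lspp_directories:dir ...` applies to every process on the system, so any difference between r_dir_perms and list_dir_perms would surface everywhere at once; the commit message cites the deprecation commit but should also say the permission set is unchanged (if it is) or list what was dropped. The comment above the rule still says "read the test directory"; "list" would match the new name.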
From: Ramon de C. V. <rc...@li...> - 2011-03-08 15:34:53
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Paul, On 03/07/2011 03:59 PM, Ramon de Carvalho Valle wrote: > From: Ramon de Carvalho Valle <rc...@br...> > > Replace lspp_harness_tmp_t and lspp_harness_devpts_t types by user_tmp_t > and user devpts_t. The types with _tmp_t and _devpts_t suffix have been > replaced by the user_tmp_t and user_devpts_t types respectively. > The new rules for user_tmp_t are defined in the userdom_manage_tmp_role > interface, which is referenced in userdom_login_user_template, which in > turn is referenced by the userdom_admin_user_template interface. > The new rules for user_devpts_t are defined in the term_create_pty > interface, which is referenced in userdom_base_user_template, referenced > by the userdom_login_user_template interface, which in turn is > referenced by the userdom_admin_user_template. > > Signed-off-by: Ramon de Carvalho Valle <rc...@br...> > --- > audit/utils/selinux-policy/lspp_test.te | 8 ++------ > 1 files changed, 2 insertions(+), 6 deletions(-) > > diff --git a/audit/utils/selinux-policy/lspp_test.te b/audit/utils/selinux-policy/lspp_test.te > index db71532..33a7a87 100644 > --- a/audit/utils/selinux-policy/lspp_test.te > +++ b/audit/utils/selinux-policy/lspp_test.te > @@ -152,7 +152,7 @@ mls_trusted_object(lspp_test_output_t) > # make test harness created objects (i.e. std{in,out,err} fds, temp files, etc) > # trusted objects > mls_trusted_object(lspp_harness_t) > -mls_trusted_object(lspp_harness_tmp_t) > +mls_trusted_object(user_tmp_t) > > # default file types > type_transition lspp_domains lspp_test_harness_dir_t:file lspp_harness_exec_t; 
> @@ -238,12 +238,8 @@ logging_run_auditctl(lspp_harness_t,lspp_test_r,{ ttynode ptynode }) > seutil_run_runinit(lspp_harness_t,lspp_test_r,{ ttynode ptynode }) > allow initrc_t lspp_harness_t:fd use; > > -# give the harness domain access to the local login domain > -locallogin_domtrans(lspp_harness_t) > -allow local_login_t lspp_harness_devpts_t:chr_file { read write ioctl relabelfrom relabelto setattr getattr }; > - I might have been mistaken here. I am not sure if it is all covered here or any other place: http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modules/system/locallogin.te#l83 http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modules/system/locallogin.te#l84 http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modules/kernel/devices.if#l582 http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modules/kernel/devices.if#l600 Or the term_ interfaces referenced below: http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modules/system/locallogin.te#l115 http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modules/kernel/terminal.if#l1361 Any thoughts? > # give the harness domain access to the sysadm lpr domain > -allow sysadm_lpr_t lspp_harness_devpts_t:chr_file { read write }; > +allow sysadm_lpr_t user_devpts_t:chr_file { read write }; I may be wrong, but I believe that this rule is no longer necessary. 
Please see: http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modules/services/lpd.te#l281 http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modules/system/userdomain.if#l2960 lpr_t is an alias to user_lpr_t staff_lpr_t sysadm_lpr_t: http://git.fedorahosted.org/git/?p=selinux-policy.git;a=blob;f=policy/modules/services/lpd.te#l41 > > # give the harness domain access to all the other test domain's associations > allow lspp_harness_t lspp_domains:association { setcontext recvfrom }; - -- Ramon de Carvalho Valle Security Engineer IBM Linux Technology Center rc...@li... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk12TD4ACgkQGIS0iEuhp4NssgCcDv5nYLRQbe6I7mQbyAWXURIV 5+QAn1fmLhdCEGmswwL5EO5rpWNVRvUxiEYEARECAAYFAk12TD4ACgkQkcIYeh81 wLlssgCfby66r/gMimKnWaVWa19c4nHe8GIAnidkE6Omu6rRZ9XJm541N+qgpWOB =Wq7M -----END PGP SIGNATURE----- |
From: Linda K. <lin...@hp...> - 2011-03-08 00:39:58
>From 9a1923f5c056243feb54424e7209e21f13b68076 Mon Sep 17 00:00:00 2001 From: Linda Knippers <lin...@hp...> Date: Mon, 7 Mar 2011 19:27:11 -0500 Subject: Fix makefile to properly check distro flavor and build the test policy Without this the tests for trusted programs that use policy will get errors. Signed-off-by: Linda Knippers <lin...@hp...> --- audit/trustedprograms/tests/Makefile | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/audit/trustedprograms/tests/Makefile b/audit/trustedprograms/tests/Makefile index 1b3c9cc..df3ed31 100644 --- a/audit/trustedprograms/tests/Makefile +++ b/audit/trustedprograms/tests/Makefile @@ -16,9 +16,9 @@ ############################################################################### TOPDIR = ../.. +ifneq ($(DISTRO), SUSE) + SUB_DIRS = policy +endif include $(TOPDIR)/rules.mk -ifneq ($$(DISTRO), "SUSE") - SUBDIR = policy -endif -- 1.7.4 |
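Review bot: the hunk fixes two separate problems that the commit message does not spell out. In a GNU make conditional `$$(DISTRO)` expands to the literal text `$(DISTRO)` and `"SUSE"` keeps its quotes, so the old `ifneq ($$(DISTRO), "SUSE")` compared two fixed strings and was always true; and the variable is renamed from `SUBDIR` to `SUB_DIRS` and moved above `include $(TOPDIR)/rules.mk`, which only matters if rules.mk reads `SUB_DIRS` at include time. State both the rename and the reordering in the message so the next reader knows `SUB_DIRS` has to be set before the include.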
From: Tony E. <te...@sg...> - 2011-03-07 22:06:57
Turns off vsftpd tests on RHEL since they are no longer required. Minor tweaks to audit message formats for tests in libpam/tests (including the vsftpd tests, so they can still be run if desired). Fixes vsftpd test hang similar to the other bash hangs. Signed-off-by: Tony Ernst <te...@sg...> --- audit/libpam/run.conf | 6 ++++-- audit/libpam/tests/test_pamtally2_unlock.bash | 6 +++--- audit/libpam/tests/test_vsftpd.bash | 10 +++++----- audit/libpam/tests/test_vsftpd_fail.bash | 9 ++++----- 4 files changed, 16 insertions(+), 15 deletions(-) diff -uprN a/audit/libpam/run.conf b/audit/libpam/run.conf --- a/audit/libpam/run.conf 2011-03-07 08:32:16.490237271 -0600 +++ b/audit/libpam/run.conf 2011-03-07 15:35:03.874006045 -0600 @@ -47,8 +47,10 @@ if [[ $DISTRO != "SUSE" ]] ; then + pamtally2_lock + pamtally2_unlock fi -+ vsftpd -+ vsftpd_fail +if [[ $DISTRO != "RHEL" ]] ; then + + vsftpd + + vsftpd_fail +fi if [[ $PPROFILE == "lspp" ]] ; then + mls_default_login diff -uprN a/audit/libpam/tests/test_pamtally2_unlock.bash b/audit/libpam/tests/test_pamtally2_unlock.bash --- a/audit/libpam/tests/test_pamtally2_unlock.bash 2011-03-07 08:32:16.543953480 -0600 +++ b/audit/libpam/tests/test_pamtally2_unlock.bash 2011-03-07 15:35:03.895492532 -0600 @@ -47,8 +47,8 @@ expect -c ' } expect {:::$} {close; wait}' -msg_2="acct=\"*$TEST_USER\"* : exe=./usr/sbin/sshd.*terminal=ssh res=success.*" -augrok -q type=CRED_REFR msg_1=~"PAM: setcred $msg_2" || exit_fail -augrok -q type=USER_ACCT msg_1=~"PAM: accounting $msg_2" || exit_fail +msg_2="acct=\"$TEST_USER\" exe=./usr/sbin/sshd.*terminal=ssh res=success.*" +augrok -q type=CRED_ACQ msg_1=~"PAM:setcred $msg_2" || exit_fail +augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_2" || exit_fail exit_pass diff -uprN a/audit/libpam/tests/test_vsftpd.bash b/audit/libpam/tests/test_vsftpd.bash --- a/audit/libpam/tests/test_vsftpd.bash 2011-03-07 08:32:16.565439964 -0600 +++ b/audit/libpam/tests/test_vsftpd.bash 2011-03-07 15:35:03.939442164 -0600 
@@ -22,13 +22,13 @@ source pam_functions.bash || exit 2 # setup setsebool -P ftp_home_dir=1 -prepend_cleanup "initcall $vsftpd_init restart" +prepend_cleanup "initcall $vsftpd_init restart 63>/dev/null" prepend_cleanup "setsebool -P ftp_home_dir=0" backup "$vsftpd_conf" write_config \ "$vsftpd_conf" \ local_enable=YES -initcall $vsftpd_init restart +initcall $vsftpd_init restart 63>/dev/null echo Made it this far @@ -39,8 +39,8 @@ expect -c ' expect -nocase {password:$} {send "$env(TEST_USER_PASSWD)\r"} expect {ftp> $} {send "quit\r"}' -msg_1="acct=\"*$TEST_USER\"*[ :]* exe=./usr/sbin/vsftp.*hostname=(127.0.0.1|localhost.*), addr=127.0.0.1, terminal=ftp res=success.*" -augrok -q type=USER_AUTH msg_1=~"PAM: *authentication $msg_1" || exit_fail -augrok -q type=USER_ACCT msg_1=~"PAM: *accounting $msg_1" || exit_fail +msg_1="acct=\"$TEST_USER\" exe=./usr/sbin/vsftp.*hostname=(127.0.0.1|localhost.*) addr=(::1|127.0.0.1) terminal=ftp res=success.*" +augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail +augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail exit_pass diff -uprN a/audit/libpam/tests/test_vsftpd_fail.bash b/audit/libpam/tests/test_vsftpd_fail.bash --- a/audit/libpam/tests/test_vsftpd_fail.bash 2011-03-07 08:32:16.569346597 -0600 +++ b/audit/libpam/tests/test_vsftpd_fail.bash 2011-03-07 15:35:03.900375825 -0600 @@ -21,12 +21,12 @@ source pam_functions.bash || exit 2 # setup -prepend_cleanup "initcall $vsftpd_init restart" +prepend_cleanup "initcall $vsftpd_init restart 63>/dev/null" backup "$vsftpd_conf" write_config \ "$vsftpd_conf" \ local_enable=YES -initcall $vsftpd_init restart +initcall $vsftpd_init restart 63>/dev/null # test expect -c ' 
@@ -34,8 +34,7 @@ expect -c ' expect -nocase {name} {send "$env(TEST_USER)\r"} expect -nocase {password:$} {send "badpassword\r"} expect {ftp> $} {send "quit\r"}' - -msg_1="acct=\"*$TEST_USER\"*[ :]* exe=./usr/sbin/vsftp.*hostname=(127.0.0.1|localhost.*), addr=127.0.0.1, terminal=ftp res=failed.*" -augrok -q type=USER_AUTH msg_1=~"PAM: *authentication $msg_1" || exit_fail +msg_1="acct=\"$TEST_USER\" exe=./usr/sbin/vsftp.*hostname=(127.0.0.1|localhost.*) addr=(::1|127.0.0.1) terminal=ftp res=failed.*" +augrok -q type=USER_AUTH msg_1=~"PAM:*authentication $msg_1" || exit_fail exit_pass |
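Review bot: the run.conf hunk disables the vsftpd tests on RHEL with a bare `if [[ $DISTRO != "RHEL" ]]` guard, but the message only says they are "no longer required"; record which requirement was dropped (and whether SUSE is still expected to run them) so the exclusion can be revisited later instead of becoming permanent by default.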
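Review bot: in the test_pamtally2_unlock.bash hunk the expected record type for the setcred line changes from `CRED_REFR` to `CRED_ACQ`, which is a semantic change rather than a message-format tweak and should be called out in the commit message, which only mentions formats. The new `msg_2` also drops the `\"*` and ` : ` tolerances, so the test now matches only the newer `acct="user" exe=...` layout; if both the old and the new audit formats still have to pass, express the difference as an alternation rather than removing it.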
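Review bot: in the test_vsftpd.bash hunks `initcall $vsftpd_init restart 63>/dev/null` cures the hang by redirecting descriptor 63 of the restart to /dev/null, but nothing in the file says what is held open on fd 63 or why the daemon must not inherit it; a one-line comment, or a small helper in pam_functions.bash shared by both vsftpd tests, would stop the same hang being debugged from scratch next time. The `addr=(::1|127.0.0.1)` alternation is the right way to accept the IPv6 loopback address; while here, the unchanged context still carries a stray `echo Made it this far` debug line that could go.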
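Review bot: the new pattern `PAM:*authentication` in test_vsftpd_fail.bash differs from `PAM:authentication` in test_vsftpd.bash; in the `=~` regex `:*` means zero or more colons, so it also matches `PAMauthentication` while still rejecting `PAM: authentication`, which is unlikely to be what was intended. Use the same `PAM:authentication` as the success test, or `PAM: ?authentication` if the space is meant to be optional.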