We have the following PR for zabbix SELinux policy:
https://src.fedoraproject.org/rpms/zabbix/pull-request/10
and we're getting some test failures, but I can't really interpret them.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Unsound/dangerous policy practices
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -lfull | grep zabbix'
:: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -lfull | grep zabbix' (Expected 0, got 0)
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -X 200 --cil -E zabbix'
:: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -X 200 --cil -E zabbix' (Expected 0, got 0)
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'python3 test.py zabbix.cil policy/zabbix.te'
/var/str/DSP_test/test.py:64: SyntaxWarning: invalid escape sequence '\('
  out = subprocess.run(['grep', '-E', '[A-Za-z_]+\(.*\)', te_source_file], capture_output=True, text=True)
:: [ 21:15:27 ] :: [ FAIL ] :: Command 'python3 test.py zabbix.cil policy/zabbix.te' (Expected 0, got 4)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 2 good, 1 bad
:: RESULT: FAIL (Unsound/dangerous policy practices)
This seems like it might be a python error in the test.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SELint static analysis
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny'
:: [ 21:15:27 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny' (Expected 0, got 0)
:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny''
:: [ 21:15:27 ] :: [ FAIL ] :: Command 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny'' (Expected 1, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 0s
:: Assertions: 1 good, 1 bad
:: RESULT: FAIL (SELint static analysis)
No idea about this.
In the installability test:

BAD install: zabbix-1:6.0.30-1.fc41.x86_64 (selinux AVCs)
----
type=AVC msg=audit(05/28/2024 21:15:28.247:957) : avc: denied { map_read map_write } for pid=4601 comm=selinux-autorel scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.254:958) : avc: denied { map_read map_write } for pid=4605 comm=systemd-fstab-g scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.261:959) : avc: denied { map_read map_write } for pid=4609 comm=systemd-gpt-aut scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.273:960) : avc: denied { map_read map_write } for pid=4613 comm=systemd-rc-loca scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.281:961) : avc: denied { read } for pid=4615 comm=systemd-ssh-gen name=vsock dev="devtmpfs" ino=388 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
----
type=AVC msg=audit(05/28/2024 21:15:28.284:962) : avc: denied { map_read map_write } for pid=4619 comm=systemd-sysv-ge scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
and more, but these seem unrelated to the zabbix package.
Hi, sorry about that. I just fixed the syntax warning, but it seems there is another issue with selint not liking a filetrans_pattern use in virt.if. Feel free to ignore the latter as well as the AVCs. Zdenek is working on fixing them.
Vit
On 5/30/24 00:14, Orion Poplawski wrote:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SELint static analysis
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny'
:: [ 21:15:27 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny' (Expected 0, got 0)
:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny''
:: [ 21:15:27 ] :: [ FAIL ] :: Command 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny'' (Expected 1, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 0s
:: Assertions: 1 good, 1 bad
:: RESULT: FAIL (SELint static analysis)
No idea about this.
The full test log (https://artifacts.dev.testing-farm.io/ebf002df-7f59-45c4-9160-bfd693126aff/w...) shows the output of "selint" in this part (grep is filtering out any issues labeled as "F-002" and there should be no others).
--
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Looks like the selint complaint about virt.if is still present in current tests, see
https://artifacts.dev.testing-farm.io/bc02eee7-d23b-4327-91b8-059bbbe624e1/
can that get fixed?
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SELint static analysis
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

base-policy/policy/modules/contrib/virt.if:169: (F): syntax error, unexpected BACKTICK, expecting STRING or SINGLE_QUOTE (F-001)
  169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
      |                                                                      ^
base-policy/policy/modules/contrib/virt.if:169: (F): Error: Invalid statement (F-001)
  169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Failed to parse files
:: [ 04:12:45 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.tqHGzCjvxZ' (Expected 0, got 0)
base-policy/policy/modules/contrib/virt.if:169: (F): syntax error, unexpected BACKTICK, expecting STRING or SINGLE_QUOTE (F-001)
  169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
      |                                                                      ^
base-policy/policy/modules/contrib/virt.if:169: (F): Error: Invalid statement (F-001)
  169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Failed to parse files
virt.if:

# This sequence of quotation marks is needed to prevent "interface"
# from being interpreted as a keyword and further parsed by m4 macros
filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')

Thanks.
Orion Poplawski via selinux selinux@lists.fedoraproject.org writes:
Looks like the selint complaint about virt.if is still present in current tests, see
https://artifacts.dev.testing-farm.io/bc02eee7-d23b-4327-91b8-059bbbe624e1/
can that get fixed?
So the DSP testsuite seems to use an obsolete selint from the vmojzis/SELinux repo. But it would fail even with selint from rawhide.

For this particular problem there's a fix for `selint` upstream and it needs to be updated. I'll prepare a PR. In the meantime there's a build in my copr repo:

# dnf copr enable plautrba/selint
# dnf update selint
But it fails on other issues:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Unsound/dangerous policy practices
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:14:50 ] :: [ BEGIN ] :: Running 'semodule -lfull | grep zabbix'
200 zabbix pp
100 zabbix pp
:: [ 07:14:50 ] :: [ PASS ] :: Command 'semodule -lfull | grep zabbix' (Expected 0, got 0)
:: [ 07:14:50 ] :: [ BEGIN ] :: Running 'semodule -X 200 --cil -E zabbix'
:: [ 07:14:50 ] :: [ PASS ] :: Command 'semodule -X 200 --cil -E zabbix' (Expected 0, got 0)
:: [ 07:14:50 ] :: [ BEGIN ] :: Running 'python3 test.py zabbix.cil policy/zabbix.te'
Never allow:
  Access to restricted types: allow zabbix_script_t security_t:file { append getattr write read lock open ioctl }
  policy management (permissions): allow zabbix_script_t security_t:security { setsecparam }
  Access to restricted types: allow zabbix_agent_t security_t:file { lock write read append open ioctl getattr }
  Access to restricted types: allow zabbix_t security_t:file { lock write read append open ioctl getattr }
Warnings:
  Circumventing DAC settings as root (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
  Reassociate thread with a namespace (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
  Trace arbitrary process (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
  Circumventing DAC settings as root (capability): allow zabbix_agent_t self:capability { dac_read_search setgid sys_resource audit_write setuid chown }
  Circumventing DAC settings as root (capability): allow zabbix_t self:capability { dac_read_search sys_resource setuid setgid }
  Attributes allowing excessive write access: typeattributeset files_unconfined_type (zabbix_script_t)
  Attributes allowing excessive write access: typeattributeset unconfined_domain_type (zabbix_script_t)
  Attributes allowing excessive access: typeattributeset files_unconfined_type (zabbix_script_t)
  Attributes allowing excessive access: typeattributeset unconfined_domain_type (zabbix_script_t)
  Transition to unconfined domain: typetransition zabbix_agent_t lvm_exec_t process lvm_t
  Transition to unconfined domain: typetransition zabbix_t zabbix_script_exec_t process zabbix_script_t
  Transition to unconfined domain: typetransition zabbix_agent_t zabbix_script_exec_t process zabbix_script_t
:: [ 07:14:51 ] :: [ FAIL ] :: Command 'python3 test.py zabbix.cil policy/zabbix.te' (Expected 0, got 4)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 2 good, 1 bad
:: RESULT: FAIL (Unsound/dangerous policy practices)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SELint static analysis
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:14:51 ] :: [ BEGIN ] :: Running 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.Cl0BMGPq0G'
base-policy/policy/modules/system/systemd.te:1400: (F): syntax error, unexpected UNKNOWN_TOKEN (F-001)
 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
      |                                                                                                           ^
base-policy/policy/modules/system/systemd.te:1400: (F): Error: Invalid statement (F-001)
 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Failed to parse files
:: [ 07:14:51 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.Cl0BMGPq0G' (Expected 0, got 0)
:: [ 07:14:51 ] :: [ BEGIN ] :: Running 'grep -v 'F-002' '/tmp/tmp.Cl0BMGPq0G''
base-policy/policy/modules/system/systemd.te:1400: (F): syntax error, unexpected UNKNOWN_TOKEN (F-001)
 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
      |                                                                                                           ^
base-policy/policy/modules/system/systemd.te:1400: (F): Error: Invalid statement (F-001)
 1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Failed to parse files
:: [ 07:14:51 ] :: [ FAIL ] :: Command 'grep -v 'F-002' '/tmp/tmp.Cl0BMGPq0G'' (Expected 1, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 0s
:: Assertions: 1 good, 1 bad
:: RESULT: FAIL (SELint static analysis)
--
Orion Poplawski
he/him/his - surely the least important thing about me
IT Systems Manager                 720-772-5637
NWRA, Boulder/CoRA Office          FAX: 303-415-9702
3380 Mitchell Lane                 orion@nwra.com
Boulder, CO 80301                  https://www.nwra.com/
Petr Lautrbach via selinux selinux@lists.fedoraproject.org writes:
But it fails on other issues:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Unsound/dangerous policy practices
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 07:14:50 ] :: [ BEGIN ] :: Running 'semodule -lfull | grep zabbix'
200 zabbix pp
100 zabbix pp
:: [ 07:14:50 ] :: [ PASS ] :: Command 'semodule -lfull | grep zabbix' (Expected 0, got 0)
:: [ 07:14:50 ] :: [ BEGIN ] :: Running 'semodule -X 200 --cil -E zabbix'
:: [ 07:14:50 ] :: [ PASS ] :: Command 'semodule -X 200 --cil -E zabbix' (Expected 0, got 0)
:: [ 07:14:50 ] :: [ BEGIN ] :: Running 'python3 test.py zabbix.cil policy/zabbix.te'
Never allow:
  Access to restricted types: allow zabbix_script_t security_t:file { append getattr write read lock open ioctl }
  policy management (permissions): allow zabbix_script_t security_t:security { setsecparam }
  Access to restricted types: allow zabbix_agent_t security_t:file { lock write read append open ioctl getattr }
  Access to restricted types: allow zabbix_t security_t:file { lock write read append open ioctl getattr }
Warnings:
  Circumventing DAC settings as root (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
  Reassociate thread with a namespace (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
  Trace arbitrary process (capability): allow zabbix_script_t self:capability { dac_read_search sys_admin sys_ptrace net_broadcast net_raw sys_chroot setgid sys_tty_config fowner chown setpcap mknod fsetid sys_rawio dac_override net_bind_service sys_resource audit_control sys_boot net_admin setfcap linux_immutable setuid kill ipc_lock sys_time audit_write lease sys_pacct sys_nice ipc_owner }
  Circumventing DAC settings as root (capability): allow zabbix_agent_t self:capability { dac_read_search setgid sys_resource audit_write setuid chown }
  Circumventing DAC settings as root (capability): allow zabbix_t self:capability { dac_read_search sys_resource setuid setgid }
  Attributes allowing excessive write access: typeattributeset files_unconfined_type (zabbix_script_t)
  Attributes allowing excessive write access: typeattributeset unconfined_domain_type (zabbix_script_t)
  Attributes allowing excessive access: typeattributeset files_unconfined_type (zabbix_script_t)
  Attributes allowing excessive access: typeattributeset unconfined_domain_type (zabbix_script_t)
  Transition to unconfined domain: typetransition zabbix_agent_t lvm_exec_t process lvm_t
  Transition to unconfined domain: typetransition zabbix_t zabbix_script_exec_t process zabbix_script_t
  Transition to unconfined domain: typetransition zabbix_agent_t zabbix_script_exec_t process zabbix_script_t
:: [ 07:14:51 ] :: [ FAIL ] :: Command 'python3 test.py zabbix.cil policy/zabbix.te' (Expected 0, got 4)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 2 good, 1 bad
:: RESULT: FAIL (Unsound/dangerous policy practices)
$ grep -C 2 unconfined_domain zabbix.te
optional_policy(`
	unconfined_domain(zabbix_script_t)
')
The error below is not related to zabbix policy and needs to be fixed (probably) in selint
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: SELint static analysis ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 07:14:51 ] :: [ BEGIN ] :: Running 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.Cl0BMGPq0G'
base-policy/policy/modules/system/systemd.te:1400: (F): syntax error, unexpected UNKNOWN_TOKEN (F-001)
1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
     | ^
base-policy/policy/modules/system/systemd.te:1400: (F): Error: Invalid statement (F-001)
1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
     | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Failed to parse files
:: [ 07:14:51 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.Cl0BMGPq0G' (Expected 0, got 0)
:: [ 07:14:51 ] :: [ BEGIN ] :: Running 'grep -v 'F-002' '/tmp/tmp.Cl0BMGPq0G''
base-policy/policy/modules/system/systemd.te:1400: (F): syntax error, unexpected UNKNOWN_TOKEN (F-001)
1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
     | ^
base-policy/policy/modules/system/systemd.te:1400: (F): Error: Invalid statement (F-001)
1400 | filetrans_pattern(systemd_zram_generator_t, systemd_unit_file_t, systemd_zram_generator_unit_file_t, dir, "systemd-zram-setup@zram0.service.d")
     | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Failed to parse files
:: [ 07:14:51 ] :: [ FAIL ] :: Command 'grep -v 'F-002' '/tmp/tmp.Cl0BMGPq0G'' (Expected 1, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 0s
:: Assertions: 1 good, 1 bad
:: RESULT: FAIL (SELint static analysis)
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: SELint static analysis ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
base-policy/policy/modules/contrib/virt.if:169: (F): syntax error, unexpected BACKTICK, expecting STRING or SINGLE_QUOTE (F-001)
169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
    | ^
base-policy/policy/modules/contrib/virt.if:169: (F): Error: Invalid statement (F-001)
169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
    | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Failed to parse files
:: [ 04:12:45 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.tqHGzCjvxZ' (Expected 0, got 0)
base-policy/policy/modules/contrib/virt.if:169: (F): syntax error, unexpected BACKTICK, expecting STRING or SINGLE_QUOTE (F-001)
169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
    | ^
base-policy/policy/modules/contrib/virt.if:169: (F): Error: Invalid statement (F-001)
169 | filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
    | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Failed to parse files
virt.if:
# This sequence of quotation marks is needed to prevent "interface"
# from being interpreted as a keyword and further parsed by m4 macros
filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
Thanks.
On 6/6/24 10:03, Vit Mojzis wrote:
Hi, sorry about that. I just fixed the syntax warning, but it seems there is another issue with selint not liking a filetrans_pattern use in virt.if. Feel free to ignore the latter as well as the AVCs. Zdenek is working on fixing them.
Vit
On 5/30/24 00:14, Orion Poplawski wrote:
We have the following PR for zabbix SELinux policy:
https://src.fedoraproject.org/rpms/zabbix/pull-request/10
and we're getting some test failures, but I can't really interpret them.
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: Unsound/dangerous policy practices ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -lfull | grep zabbix'
:: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -lfull | grep zabbix' (Expected 0, got 0)
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'semodule -X 200 --cil -E zabbix'
:: [ 21:15:26 ] :: [ PASS ] :: Command 'semodule -X 200 --cil -E zabbix' (Expected 0, got 0)
:: [ 21:15:26 ] :: [ BEGIN ] :: Running 'python3 test.py zabbix.cil policy/zabbix.te'
/var/str/DSP_test/test.py:64: SyntaxWarning: invalid escape sequence '('
  out = subprocess.run(['grep', '-E', '[A-Za-z_]+(.*)', te_source_file], capture_output=True, text=True)
:: [ 21:15:27 ] :: [ FAIL ] :: Command 'python3 test.py zabbix.cil policy/zabbix.te' (Expected 0, got 4)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 2 good, 1 bad
:: RESULT: FAIL (Unsound/dangerous policy practices)
This seems like it might be a python error in the test.
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: SELint static analysis ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny'
:: [ 21:15:27 ] :: [ PASS ] :: Command 'selint -s -r -d E-005 -d W-004 -d W-005 -d W-010 -d S-001 -d S-010 --context=base-policy policy/zabbix.fc policy/zabbix.te 2>&1 | tee /tmp/tmp.DVGZL996ny' (Expected 0, got 0)
:: [ 21:15:27 ] :: [ BEGIN ] :: Running 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny''
:: [ 21:15:27 ] :: [ FAIL ] :: Command 'grep -v 'F-002' '/tmp/tmp.DVGZL996ny'' (Expected 1, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 0s
:: Assertions: 1 good, 1 bad
:: RESULT: FAIL (SELint static analysis)
No idea about this.
The full test log (https://artifacts.dev.testing-farm.io/ebf002df-7f59-45c4-9160-bfd693126aff/work-tests-DSP.ymlwxt4nh1a/tests-y752y75s/FAIL-DSP_test.log) shows the output of "selint" in this part (grep is filtering out any issues labeled as "F-002" and there should be no others).
In the installability test:
BAD install: zabbix-1:6.0.30-1.fc41.x86_64 (selinux AVCs)
type=AVC msg=audit(05/28/2024 21:15:28.247:957) : avc: denied { map_read map_write } for pid=4601 comm=selinux-autorel scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/28/2024 21:15:28.254:958) : avc: denied { map_read map_write } for pid=4605 comm=systemd-fstab-g scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/28/2024 21:15:28.261:959) : avc: denied { map_read map_write } for pid=4609 comm=systemd-gpt-aut scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/28/2024 21:15:28.273:960) : avc: denied { map_read map_write } for pid=4613 comm=systemd-rc-loca scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/28/2024 21:15:28.281:961) : avc: denied { read } for pid=4615 comm=systemd-ssh-gen name=vsock dev="devtmpfs" ino=388 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(05/28/2024 21:15:28.284:962) : avc: denied { map_read map_write } for pid=4619 comm=systemd-sysv-ge scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
and more, but these seem unrelated to the zabbix package.
--
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Orion Poplawski
he/him/his - surely the least important thing about me
IT Systems Manager                      720-772-5637
NWRA, Boulder/CoRA Office               FAX: 303-415-9702
3380 Mitchell Lane                      orion@nwra.com
Boulder, CO 80301                       https://www.nwra.com/
On Thu, May 30, 2024 at 12:14 AM Orion Poplawski orion@nwra.com wrote:
Hi Orion,
commenting only on the second part: bpf map_read/map_write is a known issue which has been fixed in systemd, using vsock is a feature of ssh generator, new in systemd v256, which was fixed in policy 2 builds ago. Please update your system.
--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems                   720-772-5637
NWRA, Boulder/CoRA Office               FAX: 303-415-9702
3380 Mitchell Lane                      orion@nwra.com
Boulder, CO 80301                       https://www.nwra.com/
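The "these seem unrelated to the zabbix package" judgement above, and the reply that the bpf denials all come from systemd generators, can be made mechanically: parse each AVC record, pull the source and target types out of the contexts, and split the batch by whether either type belongs to the policy module under test. The following Python is an added illustration, not code from the thread or from the Fedora DSP test suite. The six records it parses are the ones quoted in the thread; the seventh, a zabbix_agent_t denial, is constructed here only so that the package-related branch is exercised, and is not from the page. The `zabbix_` prefix, the function names and the dict layout are my own choices.

```python
import re
from collections import Counter

# Sample input: the six AVC records quoted in the thread (ausearch -i style).
SAMPLE_AVCS = """\
type=AVC msg=audit(05/28/2024 21:15:28.247:957) : avc: denied { map_read map_write } for pid=4601 comm=selinux-autorel scontext=system_u:system_r:selinux_autorelabel_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/28/2024 21:15:28.254:958) : avc: denied { map_read map_write } for pid=4605 comm=systemd-fstab-g scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/28/2024 21:15:28.261:959) : avc: denied { map_read map_write } for pid=4609 comm=systemd-gpt-aut scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/28/2024 21:15:28.273:960) : avc: denied { map_read map_write } for pid=4613 comm=systemd-rc-loca scontext=system_u:system_r:systemd_rc_local_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(05/28/2024 21:15:28.281:961) : avc: denied { read } for pid=4615 comm=systemd-ssh-gen name=vsock dev="devtmpfs" ino=388 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(05/28/2024 21:15:28.284:962) : avc: denied { map_read map_write } for pid=4619 comm=systemd-sysv-ge scontext=system_u:system_r:systemd_sysv_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
"""

# Constructed, hypothetical record (not from the thread): a denial whose source
# type is one of the zabbix policy's domains, so the "related" branch is hit.
HYPOTHETICAL_ZABBIX_AVC = (
    "type=AVC msg=audit(05/28/2024 21:15:30.000:970) : avc: denied { read } for pid=4700 "
    "comm=zabbix_agentd name=meminfo dev=\"proc\" ino=4026532026 "
    "scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:proc_t:s0 "
    "tclass=file permissive=0"
)

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values may be double-quoted (dev="devtmpfs") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    try:
        # A context is user:role:type:level; the type is the third component.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
    except (KeyError, IndexError):
        return None
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        "stype": stype,
        "ttype": ttype,
        "tclass": fields.get("tclass"),
        "enforced": fields.get("permissive") == "0",
        "fields": fields,
    }


def triage(lines, prefix="zabbix_"):
    """Split records into those touching a type from the module under test and the rest."""
    related, unrelated = [], []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        touches = rec["stype"].startswith(prefix) or rec["ttype"].startswith(prefix)
        (related if touches else unrelated).append(rec)
    return related, unrelated


def summarize(records):
    """Count denials by (target type, class, permissions), collapsing source domains."""
    return Counter((r["ttype"], r["tclass"], r["perms"]) for r in records)


if __name__ == "__main__":
    related, unrelated = triage(SAMPLE_AVCS.splitlines() + [HYPOTHETICAL_ZABBIX_AVC])
    print(f"{len(related)} denial(s) involve zabbix_* types:")
    for r in related:
        print(f"  {r['stype']} -> {r['ttype']}:{r['tclass']} {r['perms']}")
    print(f"{len(unrelated)} denial(s) do not; grouped by target:")
    for (ttype, tclass, perms), n in summarize(unrelated).most_common():
        print(f"  {n}x {ttype}:{tclass} {' '.join(perms)}")
```

On the records quoted in the thread the grouping by target collapses five different systemd generator domains into a single bpf entry against init_t, which is the "known issue fixed in systemd" from the reply, and leaves the vsock chr_file read as the one other item; nothing from the zabbix module appears unless a record with a zabbix_* type is fed in.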