From Fedora Project Wiki

No edit summary
No edit summary
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{QA/Test_Case
{{QA/Test_Case
|description=This test case tests tests all profiles enable and try to fing if there happen selinux AVCs in all profiles
|description=This test case tests whether SELinux is correctly configured and there are no AVCs.
{{admon/note|In order to catch all the possible AVCs, please run this test case as the last test case.}}
|setup=
|setup=
# Check that you have {{package|tuned|tuned package}} version 2 or newer installed:
# Check that you have {{package|tuned|tuned package}} version 2 or newer installed:
Line 10: Line 11:
# Start tuned (via systemd):
# Start tuned (via systemd):
#:<pre># systemctl start tuned.service</pre>
#:<pre># systemctl start tuned.service</pre>
# Do test for all available profiles in tuned:
# Run the automatic test by:
#:<pre>for I in `tuned-adm list | grep "^- " | cut -d ' ' -f 2` ; do dd if=/dev/null of=/var/log/audit/audit.log >& /dev/null; tuned-adm active ; tuned-adm profile $I ; sleep 5; ausearch -m avc -m user_avc -i ; done</pre>
#:<pre># pmtd-selinux-test</pre>


If it outputs no AVCs (i.e. AVCs: <no matches>), it is OK. If there are any AVCs, please file appropriate bugs to component [https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&version=18&component=selinux-policy selinux-policy] (please check for dupes) or at least please upload the output to wiki (''Upload file'' link in the bottom left pane, but please use unique name when uploading) and link the uploaded file from the results table (on the main test day page).
==Troubleshooting==
In case of trouble, you can try to run the test manually instead of using the ''pmtd-selinux-test'' script. Currently the script do the following:
<pre>echo -n "AVCs: "
ausearch -m avc -m user_avc -i
setenforce 1
for I in `tuned-adm list | grep "^- " | cut -d ' ' -f 2` ; do
  echo -n > /var/log/audit/audit.log
  tuned-adm active
  echo "* Switching to profile: $I"
  tuned-adm profile $I
  sleep 5
  echo -n "AVCs: "
  ausearch -m avc -m user_avc -i
done</pre>


|results=
|results=
# No AVC errors in profiles.
# No AVC errors.
# In case there are some errors like bellow, please fill the bug:
# In case there are some errors like bellow, please file the bug to component selinux-policy:
#:<pre>type=SYSCALL msg=audit(10/10/2012 08:11:23.095:165) : arch=x86_64 syscall=statfs success=no exit=-13(Permission denied) ...</pre>
#:<pre>type=SYSCALL msg=audit(10/10/2012 08:11:23.095:165) : arch=x86_64 syscall=statfs success=no exit=-13(Permission denied) ...</pre>
.
.

Latest revision as of 07:49, 11 October 2012

Description

This test case tests whether SELinux is correctly configured and there are no AVCs.

In order to catch all the possible AVCs, please run this test case as the last test case.

Setup

  1. Check that you have tuned package version 2 or newer installed:
    $ rpm -q tuned
    There must be installed tuned version 2 or newer (but not 1) and tuned-utils subpackage.
    • If not install it:
    # yum install tuned tuned-utils

How to test

  1. Start tuned (via systemd):
    # systemctl start tuned.service
  2. Run the automatic test by:
    # pmtd-selinux-test

If it outputs no AVCs (i.e. AVCs: <no matches>), it is OK. If there are any AVCs, please file appropriate bugs to component selinux-policy (please check for dupes) or at least please upload the output to wiki (Upload file link in the bottom left pane, but please use unique name when uploading) and link the uploaded file from the results table (on the main test day page).

Troubleshooting

In case of trouble, you can try to run the test manually instead of using the pmtd-selinux-test script. Currently the script do the following:

echo -n "AVCs: "
ausearch -m avc -m user_avc -i
setenforce 1
for I in `tuned-adm list | grep "^- " | cut -d ' ' -f 2` ; do
  echo -n > /var/log/audit/audit.log
  tuned-adm active
  echo "* Switching to profile: $I"
  tuned-adm profile $I
  sleep 5
  echo -n "AVCs: "
  ausearch -m avc -m user_avc -i
done

Expected Results

  1. No AVC errors.
  2. In case there are some errors like bellow, please file the bug to component selinux-policy:
    type=SYSCALL msg=audit(10/10/2012 08:11:23.095:165) : arch=x86_64 syscall=statfs success=no exit=-13(Permission denied) ...

.