From Fedora Project Wiki

No edit summary
No edit summary
 
Line 14: Line 14:
#:<pre># pmtd-selinux-test</pre>
#:<pre># pmtd-selinux-test</pre>


If it outputs no AVCs (i.e. AVCs: <no matches>), it is OK. If there are any AVCs, please file appropriate bugs to component [https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&version=18&component=selinux-policy selinux-policy] or at least please upload the output to wiki (''Upload file'' link in the bottom left pane, but please use unique name when uploading) and link the uploaded file from the results table (on the main test day page).
If it outputs no AVCs (i.e. AVCs: <no matches>), it is OK. If there are any AVCs, please file appropriate bugs to component [https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&version=18&component=selinux-policy selinux-policy] (please check for dupes) or at least please upload the output to wiki (''Upload file'' link in the bottom left pane, but please use unique name when uploading) and link the uploaded file from the results table (on the main test day page).


==Troubleshooting==
==Troubleshooting==

Latest revision as of 07:49, 11 October 2012

Description

This test case tests whether SELinux is correctly configured and there are no AVCs.

In order to catch all the possible AVCs, please run this test case as the last test case.

Setup

  1. Check that you have tuned package version 2 or newer installed:
    $ rpm -q tuned
    There must be installed tuned version 2 or newer (but not 1) and tuned-utils subpackage.
    • If not install it:
    # yum install tuned tuned-utils

How to test

  1. Start tuned (via systemd):
    # systemctl start tuned.service
  2. Run the automatic test by:
    # pmtd-selinux-test

If it outputs no AVCs (i.e. AVCs: <no matches>), it is OK. If there are any AVCs, please file appropriate bugs to component selinux-policy (please check for dupes) or at least please upload the output to wiki (Upload file link in the bottom left pane, but please use unique name when uploading) and link the uploaded file from the results table (on the main test day page).

Troubleshooting

In case of trouble, you can try to run the test manually instead of using the pmtd-selinux-test script. Currently the script do the following:

echo -n "AVCs: "
ausearch -m avc -m user_avc -i
setenforce 1
for I in `tuned-adm list | grep "^- " | cut -d ' ' -f 2` ; do
  echo -n > /var/log/audit/audit.log
  tuned-adm active
  echo "* Switching to profile: $I"
  tuned-adm profile $I
  sleep 5
  echo -n "AVCs: "
  ausearch -m avc -m user_avc -i
done

Expected Results

  1. No AVC errors.
  2. In case there are some errors like bellow, please file the bug to component selinux-policy:
    type=SYSCALL msg=audit(10/10/2012 08:11:23.095:165) : arch=x86_64 syscall=statfs success=no exit=-13(Permission denied) ...

.