Description
This test case tests whether SELinux is correctly configured and there are no AVCs.
Setup
- Check that you have the tuned package, version 2 or newer, installed:
$ rpm -q tuned
- tuned version 2 or newer (not version 1) and the tuned-utils subpackage must both be installed.
- If they are not installed, install them:
# yum install tuned tuned-utils
How to test
- Start tuned (via systemd):
# systemctl start tuned.service
- Run the automatic test by:
# pmtd-selinux-test
If it outputs no AVCs (i.e. AVCs: <no matches>), it is OK. If there are any AVCs, please file appropriate bugs against the selinux-policy component, or at least upload the output to the wiki (Upload file link in the bottom left pane; please use a unique name when uploading) and link the uploaded file from the results table (on the main test day page).
Troubleshooting
In case of trouble, you can run the test manually instead of using the pmtd-selinux-test script. Currently the script does the following:
echo -n "AVCs: "
ausearch -m avc -m user_avc -i
setenforce 1
for I in `tuned-adm list | grep "^- " | cut -d ' ' -f 2` ; do
  echo -n > /var/log/audit/audit.log
  tuned-adm active
  echo "* Switching to profile: $I"
  tuned-adm profile $I
  sleep 5
  echo -n "AVCs: "
  ausearch -m avc -m user_avc -i
done
Expected Results
- No AVC errors.
- If there are errors like the one below, please file a bug against the selinux-policy component:
type=SYSCALL msg=audit(10/10/2012 08:11:23.095:165) : arch=x86_64 syscall=statfs success=no exit=-13(Permission denied) ...
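When a manual run does produce AVCs, grouping the denials by process and context gives a short summary to attach to the selinux-policy bug. The following is an added example, not part of the pmtd-selinux-test script; the function names and the sample log lines are constructed for illustration, and it assumes the input is the text printed by ausearch -m avc -m user_avc -i.

```shell
#!/bin/sh
# Added example: summarize AVC denials from "ausearch -m avc -m user_avc -i".
# summarize_avcs reads ausearch output on stdin and prints one line per
# distinct denial, prefixed with how often it occurred.
# Exit status: 0 = no denials (test passes), 1 = denials found.
summarize_avcs() {
    awk '
    /avc:[ ]+denied/ {
        perms = ""; comm = "?"; s = "?"; t = "?"; k = "?"
        # The permission set sits between braces, e.g. { read open }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) s = substr($i, 10)
            if ($i ~ /^tcontext=/) t = substr($i, 10)
            if ($i ~ /^tclass=/)   k = substr($i, 8)
        }
        key = "comm=" comm " perms=" perms " scontext=" s " tcontext=" t " tclass=" k
        if (!(key in seen)) order[++n] = key
        seen[key]++
    }
    END {
        for (i = 1; i <= n; i++) print seen[order[i]], order[i]
        exit (n > 0)
    }'
}

# Constructed sample input (not real test-day output).
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(01/01/2013 10:00:01.100:201) : arch=x86_64 syscall=statfs success=no exit=-13(Permission denied) comm=tuned
type=AVC msg=audit(01/01/2013 10:00:01.100:201) : avc:  denied  { getattr } for  pid=812 comm=tuned name=/ dev="sda2" ino=2 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
type=AVC msg=audit(01/01/2013 10:00:06.300:207) : avc:  denied  { getattr } for  pid=812 comm=tuned name=/ dev="sda2" ino=2 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
----
type=AVC msg=audit(01/01/2013 10:00:06.310:208) : avc:  denied  { read open } for  pid=812 comm=tuned path=/sys/example dev="sysfs" ino=77 scontext=system_u:system_r:tuned_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
EOF
}

sample_log | summarize_avcs || echo "AVC denials found: attach the summary above to the bug report"
```

In the manual loop, piping each ausearch call into summarize_avcs gives a per-profile pass/fail status along with the summary.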