Project

General

Profile

Actions
Copy link

action #173638

closed

action #166613: Yast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot

[security][tumbleweed] Test also 'targeted' selinux policy on Tumbleweed

Added by tjyrinki_suse 5 months ago. Updated 3 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
favogt
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
8.00 h
Difficulty:
Tags:
selinux

Description

Currently we test targeted policy on SLE Micro, and minimal otherwise. With selinux becoming the new default in Tumbleweed, we should test also targeted in Tumbleweed, not just the minimal.

Acceptance Criteria

  1. Add targeted selinux policy testing to Tumbleweed

Further Information

https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/lib/selinuxtest.pm#L31

https://bugzilla.suse.com/show_bug.cgi?id=1234037

Actions
Copy link
 #1

Updated by tjyrinki_suse 5 months ago

  • Estimated time set to 8.00 h
Actions
Copy link
 #2

Updated by cahu 5 months ago ยท Edited

  • Parent task set to #166613

Please note, when we enable SELinux by default in tumbleweed, the default policy will be in targeted mode and enforcing.

There are a few points:

  • the policy will then already be enabled directly after the installation, so tests for "if enabling works" should only be run for scenarios where it is not yet enabled (e.g. UPGRADE from old tumbleweed and the user wants to switch from apparmor to selinux or UPGRADE from old leap that has apparmor); there we should test if manually switching from apparmor works to selinux targeted enforcing and minimum enforcing (the user guide: https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbleweed_systems).
  • in general, ( the most important thing ) when SELinux is enabled the audit log should be checked for AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR entries in the audit log after every test in the whole openQA test set so that we can see if policy changes break the functionality; this is partially already done, so it makes sense to check where it is not the case
  • the toolchain tests should also be done in targeted mode (currently they seem to be done in minimum only)
  • testing switching from targeted to minimum and back should be done (with audit log)

Please let me know if you need more infos :)
Please also refer to the tracker ticket: https://progress.opensuse.org/issues/166613

Actions
Copy link
 #3

Updated by cahu 5 months ago

ah and just to make sure: the apparmor tests should still continue to be run if apparmor is selected in the installer, so please do not drop them

not sure if @dimstar or @jsegitz have any more points

Actions
Copy link
 #4

Updated by jsegitz 4 months ago

we could also add a mechanism to whitelist AVC entries for a certain time. We will have regularly new AVCs, which will require some time to get a fix into the policy. If we would just softfail the test then I fear that this might pile up. Having a mechanism to say "ignore this AVC in this test for one month" would be a nice way to unblock testing, while making sure that this doesn't become permanent

Actions
Copy link
 #5

Updated by favogt 3 months ago

  • Status changed from Workable to Feedback

With the fix for https://progress.opensuse.org/issues/175320, the "selinux" testsuite keeps the distro default of enforcing the targeted policy instead of forcibly installing the minumum policy. Is that enough to view this ticket as implemented?

Actions
Copy link
 #6

Updated by favogt 3 months ago

cahu wrote in #note-2:

There are a few points:

  • the policy will then already be enabled directly after the installation, so tests for "if enabling works" should only be run for scenarios where it is not yet enabled (e.g. UPGRADE from old tumbleweed and the user wants to switch from apparmor to selinux or UPGRADE from old leap that has apparmor); there we should test if manually switching from apparmor works to selinux targeted enforcing and minimum enforcing (the user guide: https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbleweed_systems).

Done.

  • in general, ( the most important thing ) when SELinux is enabled the audit log should be checked for AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR entries in the audit log after every test in the whole openQA test set so that we can see if policy changes break the functionality; this is partially already done, so it makes sense to check where it is not the case

This is implemented by printing new entries from audit.log at the end of each openQA module. However, the content is simply displayed but not acted upon. In this state it'll be mostly useful for debugging module failures but not noticing denials that do not immediately cause module failures.

  • the toolchain tests should also be done in targeted mode (currently they seem to be done in minimum only)

Done with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/21005, which then only uses the targeted policy.

  • testing switching from targeted to minimum and back should be done (with audit log)

Currently not the case, how important is this?

Actions
Copy link
 #7

Updated by cahu 3 months ago

nice thx for working on this :)

  • in general, ( the most important thing ) when SELinux is enabled the audit log should be checked for AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR entries in the audit log after every test in the whole openQA test set so that we can see if policy changes break the functionality; this is partially already done, so it makes sense to check where it is not the case

This is implemented by printing new entries from audit.log at the end of each openQA module. However, the content is simply displayed but not acted upon. In this state it'll be mostly useful for debugging module failures but not noticing denials that do not immediately cause module failures.

how hard is it to implement module failures when permissive=0 is there in the AVC?

  • testing switching from targeted to minimum and back should be done (with audit log)

Currently not the case, how important is this?

imo low prio, but should be done at some point in time

Actions
Copy link
 #8

Updated by favogt 3 months ago

cahu wrote in #note-7:

nice thx for working on this :)

  • in general, ( the most important thing ) when SELinux is enabled the audit log should be checked for AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR entries in the audit log after every test in the whole openQA test set so that we can see if policy changes break the functionality; this is partially already done, so it makes sense to check where it is not the case

This is implemented by printing new entries from audit.log at the end of each openQA module. However, the content is simply displayed but not acted upon. In this state it'll be mostly useful for debugging module failures but not noticing denials that do not immediately cause module failures.

how hard is it to implement module failures when permissive=0 is there in the AVC?

Trivial, but the question is how much work this will cause. It will probably need a whitelist mechanism with more or less temporary entries, just like journal_check.

  • testing switching from targeted to minimum and back should be done (with audit log)

Currently not the case, how important is this?

imo low prio, but should be done at some point in time

Actions
Copy link
 #9

Updated by tjyrinki_suse 3 months ago

  • Status changed from Feedback to Resolved
  • Assignee set to favogt

I think with #note-6 and #note-7 this is done, I think testing targeted (which is the default) only sounds good for TW. New tickets could be filed about any of the remaining topics.

Actions
Copy link

Also available in: Atom PDF