action #174178

open

[security][tumbleweed] Add sealert tests to setroubleshootd

Added by tjyrinki_suse 15 days ago. Updated 15 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Tags:

Description

Motivation

Test sealert tool on SELinux enabled Tumbleweed.

Acceptance Criteria

  1. Run commands that add and trigger an alert, for example as below. Alerts can be listed with either -l "*" (all alerts) or -l specific_UUID (one alert).

localhost:~ # sealert -l "*" || echo "FAILED"
localhost:~ # touch /tmp/pokusny_kralik && chcon -t httpd_sys_content_t /tmp/pokusny_kralik
localhost:~ # journalctl -u setroubleshootd.service | grep pokusny_kralik
localhost:~ # runcon -u guest_u -r guest_r -t user_tmp_t -- cat /tmp/pokusny_kralik;sleep 10
localhost:~ # sealert_command=$(journalctl -u setroubleshootd.service | grep -m 1 pokusny_kralik|grep -o "sealert.*")
localhost:~ # sealert -l 350d88fb-70f9-4e7a-a1b2-0a06615abfd2
localhost:~ # $sealert_command

One should get output something like the following:

SELinux is preventing pokusny_kralik from 'read, write' accesses on the chr_file /dev/pts/0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that pokusny_kralik should be allowed read write access on the 0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.

Allow the access for now by executing:
# ausearch -c 'pokusny_kralik' --raw | audit2allow -M my-pokusnykralik
# semodule -X 300 -i my-pokusnykralik.pp

And there should be output:

Additional Information:
Source Context                guest_u:guest_r:user_tmp_t:s0
Target Context                unconfined_u:object_r:devpts_t:s0
Target Objects                /dev/pts/0 [ chr_file ]
Source                        pokusny_kralik
Source Path                   pokusny_kralik
Port                          <Unknown>
...
...
...

After that, one can analyze a saved log with -a:

localhost:~ # ausearch -m AVC > test_output
localhost:~ # sealert -a test_output

And fix an AVC using a plugin whose fix is predictable (e.g. one that toggles a boolean), checking the boolean before and after:

localhost:~ # getsebool -a | less (choose some boolean)
localhost:~ # sealert -f UUID
localhost:~ # getsebool -a | grep $chosen
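The steps above are typed interactively; the script below is an added example (not from this ticket or the openQA test suite) of how the same checks can be scripted: pulling the "sealert -l UUID" command out of the setroubleshootd journal, checking the report's source and target contexts, and detecting which boolean a "sealert -f" fix flipped. The journal line, report excerpt and getsebool dumps it carries are constructed samples, not captured output, and the SEALERT_LIVE variable and the helper names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the ticket. Helpers for scripting the sealert
# acceptance checks; the sample data below is constructed, not captured.

# Print the "sealert -l <UUID>" command that setroubleshootd logged for the
# first journal line mentioning $1. Reads journal text on stdin, so it can be
# fed from: journalctl -u setroubleshootd.service | sealert_cmd_for name
sealert_cmd_for() {
    grep -m 1 -F -- "$1" | grep -o 'sealert -l [0-9a-f-]*'
}

# Extract the alert UUID from a "sealert -l <UUID>" command string.
uuid_of() {
    printf '%s\n' "$1" |
        grep -o '[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}'
}

# Succeed when a sealert report ($1) names the expected source context ($2)
# and a target whose type is $3, as in the "Additional Information" block.
report_matches() {
    printf '%s\n' "$1" | grep -q "^Source Context  *$2" &&
    printf '%s\n' "$1" | grep -q "^Target Context .*:$3:"
}

# Given two "getsebool -a" dumps ($1 before, $2 after "sealert -f UUID"),
# print the booleans whose value changed; no output means the fix did nothing.
changed_booleans() {
    { printf '%s\n' "$1"; echo '--AFTER--'; printf '%s\n' "$2"; } | awk '
        /^--AFTER--$/          { after = 1; next }
        !after                 { before[$1] = $3; next }
        ($1 in before) && before[$1] != $3 { print $1 }'
}

# Live version of the ticket's steps; needs root on an SELinux-enabled host
# with setroubleshootd running, so it only runs when SEALERT_LIVE=1 is set.
run_live_check() {
    f=/tmp/pokusny_kralik
    touch "$f" && chcon -t httpd_sys_content_t "$f"
    runcon -u guest_u -r guest_r -t user_tmp_t -- cat "$f"; sleep 10
    cmd=$(journalctl -u setroubleshootd.service | sealert_cmd_for "$(basename "$f")")
    [ -n "$cmd" ] || { echo "no setroubleshootd alert for $f"; return 1; }
    report=$($cmd)   # runs the logged "sealert -l UUID"
    # Contexts taken from the ticket's expected output.
    report_matches "$report" guest_u:guest_r:user_tmp_t:s0 devpts_t
}

# Constructed sample data (same shape as real setroubleshootd/sealert output).
SAMPLE_JOURNAL='Jan 01 12:00:00 localhost setroubleshoot[1234]: SELinux is preventing /usr/bin/cat from read access on the file /tmp/pokusny_kralik. For complete SELinux messages run: sealert -l 350d88fb-70f9-4e7a-a1b2-0a06615abfd2'
SAMPLE_REPORT='Additional Information:
Source Context                guest_u:guest_r:user_tmp_t:s0
Target Context                unconfined_u:object_r:devpts_t:s0
Target Objects                /dev/pts/0 [ chr_file ]'
SAMPLE_BEFORE='httpd_can_network_connect --> off
httpd_enable_homedirs --> off'
SAMPLE_AFTER='httpd_can_network_connect --> on
httpd_enable_homedirs --> off'

if [ "${SEALERT_LIVE:-0}" = 1 ]; then
    run_live_check && echo "live sealert check passed"
else
    cmd=$(printf '%s\n' "$SAMPLE_JOURNAL" | sealert_cmd_for pokusny_kralik)
    echo "logged command: $cmd"              # sealert -l 350d88fb-...
    echo "alert UUID:     $(uuid_of "$cmd")"
    report_matches "$SAMPLE_REPORT" guest_u:guest_r:user_tmp_t:s0 devpts_t &&
        echo "report contexts match"
    echo "changed booleans: $(changed_booleans "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
fi
```

Run it as is to exercise the parsing on the constructed samples; on the Tumbleweed test host run it as root with SEALERT_LIVE=1 to perform the real trigger-and-lookup sequence from the acceptance criteria.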

Further Information

See ticket #174175 for the related basic setroubleshootd testing.


Related issues 2 (2 open, 0 closed)

Related to openQA Tests (public) - action #174175: [security][tumbleweed] Add setroubleshootd tests (Blocked, assignee amanzini)

Blocks openQA Tests (public) - action #174184: [security][tumbleweed] Add sealert GUI tests to setroubleshootd (Blocked)
Actions #1

Updated by tjyrinki_suse 15 days ago

  • Related to action #174175: [security][tumbleweed] Add setroubleshootd tests added
Actions #2

Updated by tjyrinki_suse 15 days ago

  • Description updated (diff)
Actions #3

Updated by tjyrinki_suse 15 days ago

  • Description updated (diff)
Actions #4

Updated by tjyrinki_suse 15 days ago

  • Blocks action #174184: [security][tumbleweed] Add sealert GUI tests to setroubleshootd added