From Fedora Project Wiki
No edit summary |
No edit summary |
||
| (9 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
{{QA/Test_Case | {{QA/Test_Case | ||
|description=This test case tests | |description=This test case tests whether SELinux is correctly configured and there are no AVCs. | ||
{{admon/note|In order to catch all the possible AVCs, please run this test case as the last test case.}} | |||
|setup= | |setup= | ||
# Check that you have {{package|tuned|tuned package}} version 2 or newer installed: | # Check that you have {{package|tuned|tuned package}} version 2 or newer installed: | ||
| Line 10: | Line 11: | ||
# Start tuned (via systemd): | # Start tuned (via systemd): | ||
#:<pre># systemctl start tuned.service</pre> | #:<pre># systemctl start tuned.service</pre> | ||
# | # Run the automatic test by: | ||
#:<pre> | #:<pre># pmtd-selinux-test</pre> | ||
If it outputs no AVCs (i.e. AVCs: <no matches>), it is OK. If there are any AVCs, please file appropriate bugs to component [https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&version=18&component=selinux-policy selinux-policy] (please check for dupes) or at least please upload the output to wiki (''Upload file'' link in the bottom left pane, but please use unique name when uploading) and link the uploaded file from the results table (on the main test day page). | |||
==Troubleshooting== | |||
In case of trouble, you can try to run the test manually instead of using the ''pmtd-selinux-test'' script. Currently the script do the following: | |||
<pre>echo -n "AVCs: " | |||
ausearch -m avc -m user_avc -i | |||
setenforce 1 | |||
for I in `tuned-adm list | grep "^- " | cut -d ' ' -f 2` ; do | |||
echo -n > /var/log/audit/audit.log | |||
tuned-adm active | |||
echo "* Switching to profile: $I" | |||
tuned-adm profile $I | |||
sleep 5 | |||
echo -n "AVCs: " | |||
ausearch -m avc -m user_avc -i | |||
done</pre> | |||
|results= | |results= | ||
# No AVC errors | # No AVC errors. | ||
# In case there are some errors like bellow, please | # In case there are some errors like bellow, please file the bug to component selinux-policy: | ||
#:<pre>type=SYSCALL msg=audit(10/10/2012 08:11:23.095:165) : arch=x86_64 syscall=statfs success=no exit=-13(Permission denied) ...</pre> | #:<pre>type=SYSCALL msg=audit(10/10/2012 08:11:23.095:165) : arch=x86_64 syscall=statfs success=no exit=-13(Permission denied) ...</pre> | ||
. | . | ||
Latest revision as of 07:49, 11 October 2012
Description
This test case tests whether SELinux is correctly configured and there are no AVCs.
In order to catch all the possible AVCs, please run this test case as the last test case.
Setup
- Check that you have
tuned package$ rpm -q tuned
- There must be installed tuned version 2 or newer (but not 1) and tuned-utils subpackage.
- If not install it:
# yum install tuned tuned-utils
How to test
- Start tuned (via systemd):
# systemctl start tuned.service
- Run the automatic test by:
# pmtd-selinux-test
If it outputs no AVCs (i.e. AVCs: <no matches>), it is OK. If there are any AVCs, please file appropriate bugs to component selinux-policy (please check for dupes) or at least please upload the output to wiki (Upload file link in the bottom left pane, but please use unique name when uploading) and link the uploaded file from the results table (on the main test day page).
Troubleshooting
In case of trouble, you can try to run the test manually instead of using the pmtd-selinux-test script. Currently the script do the following:
echo -n "AVCs: " ausearch -m avc -m user_avc -i setenforce 1 for I in `tuned-adm list | grep "^- " | cut -d ' ' -f 2` ; do echo -n > /var/log/audit/audit.log tuned-adm active echo "* Switching to profile: $I" tuned-adm profile $I sleep 5 echo -n "AVCs: " ausearch -m avc -m user_avc -i done
Expected Results
- No AVC errors.
- In case there are some errors like bellow, please file the bug to component selinux-policy:
type=SYSCALL msg=audit(10/10/2012 08:11:23.095:165) : arch=x86_64 syscall=statfs success=no exit=-13(Permission denied) ...
.