Hi,

I got a failure for TC netns_2children (under kernel/containers/netns) when using
the SELinux MLS policy in enforcing mode:

netns_child_2.sh 1 TFAIL : FAIL: Unable to ping Child1NS from Child2NS !
netns_child_1.sh 1 TFAIL : CHILD2 is unable to reach CHILD1
netns_2children    1  TFAIL  :  netns_two_children_ns.c:125: waitpid() returns 22672, errno 255

...but it passes in permissive mode (setenforce 0), so I can either report a bug
on the SELinux policy or we must test this TC in permissive mode. I think
reporting a bug on the SELinux policy is the better solution, what do you think?

More details (after test fail):
# ausearch -m avc -ts recent | grep ping
type=SYSCALL msg=audit(1413219951.925:1481): arch=c000003e syscall=46 success=yes exit=64 a0=5 a1=7fc90a490160 a2=0 a3=0 items=0 ppid=21088 pid=21167 auid=995 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=17 comm="ping" exe="/usr/bin/ping" subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1413219951.925:1481): avc:  denied  { egress } for  pid=21167 comm="ping" saddr=192.168.0.184 daddr=192.168.0.182 netif=veth0 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:netif_t:s0-s15:c0.c1023 tclass=netif

# ausearch -m avc -ts recent | grep ping | audit2allow

#============= unlabeled_t ==============
allow unlabeled_t netif_t:netif egress;


Thanks,
Matus Marhefka

_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
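An added example, not part of the thread above and not LTP or audit2allow code: a small POSIX shell function that does what the `ausearch ... | audit2allow` step in the report does, i.e. turns raw AVC "denied" records into `allow source_type target_type:class perm;` rules, so the mapping from the record fields (scontext, tcontext, tclass, the permission set in braces) to the generated rule is visible. The sample input is constructed here: the first record is the egress denial quoted in the report, the second is a made-up mirror-image denial on veth1 added only to show that duplicate tuples collapse to one rule.

```shell
#!/bin/sh
# Added example (not from the LTP thread or the audit tools): derive
# audit2allow-style rules from raw AVC records in "ausearch -m avc" format.
# Usage:  ausearch -m avc -ts recent | avc_to_allow

# Type field of an SELinux context "user:role:type[:range]" (e.g. unlabeled_t).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read AVC records on stdin; print one "allow" rule per unique
# (source type, target type, class, permission) tuple, sorted and deduplicated.
avc_to_allow() {
    grep 'avc: *denied' | while IFS= read -r line; do
        # "{ egress }" or "{ read write }" -> "egress " / "read write "
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied[ ]*{[ ]*\([^}]*\)[ ]*}.*/\1/p')
        scontext=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tcontext=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
        # Skip records where any field is missing rather than emit a broken rule.
        [ -n "$perms" ] && [ -n "$scontext" ] && [ -n "$tcontext" ] && [ -n "$tclass" ] || continue
        for p in $perms; do
            printf 'allow %s %s:%s %s;\n' \
                "$(ctx_type "$scontext")" "$(ctx_type "$tcontext")" "$tclass" "$p"
        done
    done | sort -u
}

# Constructed sample input. Record 1481 is the denial from the report;
# record 1482 is made up (same tuple, other veth end) to exercise dedup.
SAMPLE_AVC='type=AVC msg=audit(1413219951.925:1481): avc:  denied  { egress } for  pid=21167 comm="ping" saddr=192.168.0.184 daddr=192.168.0.182 netif=veth0 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:netif_t:s0-s15:c0.c1023 tclass=netif
type=AVC msg=audit(1413219952.001:1482): avc:  denied  { egress } for  pid=21168 comm="ping" saddr=192.168.0.182 daddr=192.168.0.184 netif=veth1 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:netif_t:s0-s15:c0.c1023 tclass=netif'

# Run the sample through the converter (prints the generated rule).
demo() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

demo
```

The generated `allow unlabeled_t netif_t:netif egress;` matches the audit2allow output in the report. It is worth reading the rule before loading anything like it: the source type is unlabeled_t, so such a rule would not be scoped to this test or to ping at all, which is why the thread's question (is the policy wrong, or should the TC run permissive) is the right one to settle first.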
