[redhat-lspp] NetLabel LTP test results

Paul Moore paul.moore at hp.com
Fri Nov 3 16:00:11 UTC 2006


Yesterday I ran some of the LTP network tests with the goal of checking for any
regressions caused by NetLabel.  In summary, there were no regressions seen with
NetLabel present but not enabled; however, there were some failures with
NetLabel enabled but they were expected (details below).

Test Setup:

 o Local Machine
   - HP rx2600 (ia64)
   - Fedora Rawhide with the lspp.54 kernel
   - Targeted policy in permissive mode

 o Remote Machine
   - HP dc7100 (x86)
   - Fedora Rawhide with the lspp.54 kernel
   - MLS policy in permissive mode

NetLabel present but not enabled (default lspp.54 configuration):

 o network_commands
   - All 7 tests PASS

 o nfs
   - All 8 tests PASS

 o tcp_cmds
   - All 18 tests PASS

NetLabel present and enabled:

 *** NetLabel configuration START ***
 # netlabelctl cipsov4 add pass doi:1 tags:1
 # netlabelctl map del default
 # netlabelctl map add default protocol:cipsov4,1
 # netlabelctl unlbl accept off
 *** NetLabel configuration END ***

 *** NOTES ***
 - Several of the LTP network tests had to be modified to honor the $LTP_RSH
   variable so that ssh could be used in place of the "r" commands which did
   not work well with CIPSO options (see below).
 - In kernel daemons such as NFS are a known problem for SELinux/LSM since
   these "daemons" bypass many of the LSM hooks that are required for proper
   MAC controls.  This is a known problem and has been discussed on the mailing
   lists from time to time.
 *** NOTES ***

 o network_commands
   - All 7 tests PASS

 o nfs
   - Only 2 tests PASS (nfslock01, nfsstat01)
   - Remaining 6 tests FAIL
     (nfs01, nfs02, nfs03, nfs04, nfsstress, nfsx-linux)
     + Failures are expected due to nfs being handled by the in-kernel daemon
       which bypasses many of the LSM hooks responsible for NetLabel labeling;
       allowing unlabeled NetLabel traffic allowed these tests to PASS.
     + Unlabeled NetLabel traffic is enabled by: netlabelctl unlbl accept on

 o tcp_cmds
   - 12 tests PASS
     (arp, echo, finger, ftp, netstat, perf_lan, rsh, sendfile, tcpdump,
      telnet, iptables, dhcpd)
   - 6 tests FAIL (host, ping, rcp, rdist, rlogin, rwho)
     + The host test failed because my DNS server does not understand CIPSO.
     + The ping test failed because it was trying to manipulate the IP options
       (it was using the record route option), normal pings work just fine
       with NetLabel enabled.
     + The "r" commands failed because the server tries to remove all the
       options from a socket, including the CIPSO option.

-- 
paul moore
linux security @ hp
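As an added illustration (not part of the post above), a small decoder for the CIPSO IPv4 option that the `cipsov4 add pass doi:1 tags:1` configuration produces, which is the option the "r" command servers strip and the record-route ping trips over. The byte layout follows the CIPSO draft / FIPS 188; the sample option bytes are constructed for the example, not captured traffic.

```python
CIPSO_OPT_TYPE = 134         # IPv4 option type for CIPSO
TAG_RESTRICTIVE_BITMAP = 1   # the 'tags:1' type from the netlabelctl line

def parse_cipso(opt: bytes) -> dict:
    """Parse one CIPSO option (type, len, 4-byte DOI, tags); ValueError if malformed."""
    if len(opt) < 6 or opt[0] != CIPSO_OPT_TYPE:
        raise ValueError("not a CIPSO option")
    length = opt[1]
    if not 6 <= length <= 40 or length != len(opt):
        raise ValueError("bad CIPSO option length %d" % length)
    doi = int.from_bytes(opt[2:6], "big")
    tags, pos = [], 6
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated tag header")
        tag_type, tag_len = opt[pos], opt[pos + 1]
        if tag_len < 4 or pos + tag_len > length:
            raise ValueError("bad tag length %d" % tag_len)
        tag = {"type": tag_type}
        if tag_type == TAG_RESTRICTIVE_BITMAP:
            # tag type 1: type, len, alignment octet, level, bitmap (MSB of byte 0 = category 0)
            bitmap = opt[pos + 4:pos + tag_len]
            tag["level"] = opt[pos + 3]
            tag["categories"] = [i for i in range(len(bitmap) * 8)
                                 if bitmap[i // 8] & (0x80 >> (i % 8))]
        tags.append(tag)
        pos += tag_len
    return {"doi": doi, "tags": tags}

def find_cipso(ip_options: bytes):
    """Walk IPv4 options; return the parsed CIPSO option, or None when the packet is unlabeled."""
    pos = 0
    while pos < len(ip_options):
        kind = ip_options[pos]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # No Operation (padding)
            pos += 1
            continue
        olen = ip_options[pos + 1] if pos + 1 < len(ip_options) else 0
        if olen < 2 or pos + olen > len(ip_options):
            raise ValueError("bad option length %d" % olen)
        if kind == CIPSO_OPT_TYPE:
            return parse_cipso(ip_options[pos:pos + olen])
        pos += olen
    return None

# Constructed sample (not a capture): NOP, CIPSO DOI 1 with one tag-type-1 tag
# (level 3, categories 0 and 2), then EOL padding.
SAMPLE_OPTIONS = bytes.fromhex("01" "860c00000001" "01060003a000" "00")
```

A record-route-only options area (type 7) yields None, which is the unlabeled case the NetLabel `unlbl accept off` setting rejects.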