[redhat-lspp] NetLabel LTP test results
Paul Moore
paul.moore at hp.com
Fri Nov 3 16:00:11 UTC 2006
Yesterday I ran some of the LTP network tests with the goal of checking for any
regressions caused by NetLabel. In summary, there were no regressions seen with
NetLabel present but not enabled; however, there were some failures with
NetLabel enabled but they were expected (details below).
Test Setup:
o Local Machine
- HP rx2600 (ia64)
- Fedora Rawhide with the lspp.54 kernel
- Targeted policy in permissive mode
o Remote Machine
- HP dc7100 (x86)
- Fedora Rawhide with the lspp.54 kernel
- MLS policy in permissive mode
NetLabel present but not enabled (default lspp.54 configuration):
o network_commands
- All 7 tests PASS
o nfs
- All 8 tests PASS
o tcp_cmds
- All 18 tests PASS
NetLabel present and enabled:
*** NetLabel configuration START ***
# netlabelctl cipsov4 add pass doi:1 tags:1
# netlabelctl map del default
# netlabelctl map add default protocol:cipsov4,1
# netlabelctl unlbl accept off
*** NetLabel configuration END ***
*** NOTES ***
- Several of the LTP network tests had to be modified to honor the $LTP_RSH
variable so that ssh could be used in place of the "r" commands which did
not work well with CIPSO options (see below).
- In-kernel daemons such as NFS are a known problem for SELinux/LSM since
these "daemons" bypass many of the LSM hooks that are required for proper
MAC controls. This is a known problem and has been discussed on the mailing
lists from time to time.
*** NOTES ***
o network_commands
- All 7 tests PASS
o nfs
- Only 2 tests PASS (nfslock01, nfsstat01)
- Remaining 6 tests FAIL
(nfs01, nfs02, nfs03, nfs04, nfsstress, nfsx-linux)
+ Failures are expected due to nfs being handled by the in-kernel daemon
which bypasses many of the LSM hooks responsible for NetLabel labeling;
allowing unlabeled NetLabel traffic allows these tests to PASS.
+ Unlabeled NetLabel traffic is enabled by: netlabelctl unlbl accept on
o tcp_cmds
- 12 tests PASS
(arp, echo, finger, ftp, netstat, perf_lan, rsh, sendfile, tcpdump,
telnet, iptables, dhcpd)
- 6 tests FAIL (host, ping, rcp, rdist, rlogin, rwho)
+ The host test failed because my DNS server does not understand CIPSO.
+ The ping test failed because it was trying to manipulate the IP options
(it was using the record route option), normal pings work just fine
with NetLabel enabled.
+ The "r" commands failed because the server tries to remove all the
options from a socket, including the CIPSO option.
--
paul moore
linux security @ hp