security.SELinuxFileLabel failing on /run/chrome/wayland-0, /sys/kernel/config
Issue description

The new security.SELinuxFileLabel Tast test looks like it's failing consistently:

2018/09/17 00:51:58 Started test security.SELinuxFileLabel
2018/09/17 00:51:59 [00:51:58.131] Error at file_label_utils.go:70: Failed file context check for /run/chrome/wayland-0: got "u:object_r:arc_dir:s0"; want "u:object_r:wayland_socket:s0"
2018/09/17 00:51:59 [00:51:58.131] Stack trace:
chromiumos/tast/local/bundles/cros/security/selinux.CheckContext(0x1cc70180, 0xac8467c, 0x15, 0xac8bb48, 0x1c, 0x0, 0xae5bbbc)
    /build/veyron_minnie/tmp/portage/chromeos-base/tast-local-tests-cros-0.0.1-r175/work/tast-local-tests-cros-0.0.1/src/chromiumos/tast/local/bundles/cros/security/selinux/file_label_utils.go:70 +0x30c
chromiumos/tast/local/bundles/cros/security.SELinuxFileLabel(0x1cc70180)
    /build/veyron_minnie/tmp/portage/chromeos-base/tast-local-tests-cros-0.0.1-r175/work/tast-local-tests-cros-0.0.1/src/chromiumos/tast/local/bundles/cros/security/selinux_file_label.go:57 +0x14c
chromiumos/tast/testing.(*Test).Run.func2(0x1cc70180, 0x1cd14400, 0x1cb91540)
    /build/veyron_minnie/tmp/portage/chromeos-base/tast-local-tests-cros-0.0.1-r175/work/tast-local-tests-cros-0.0.1/tast-base/src/chromiumos/tast/testing/test.go:114 +0x58
created by chromiumos/tast/testing.(*Test).Run
    /build/veyron_minnie/tmp/portage/chromeos-base/tast-local-tests-cros-0.0.1-r175/work/tast-local-tests-cros-0.0.1/tast-base/src/chromiumos/tast/testing/test.go:106 +0x8c
2018/09/17 00:51:59 [00:51:58.132] Error at file_label_utils.go:70: Failed file context check for /sys/kernel/config: failed to get file context: no such file or directory
2018/09/17 00:51:59 [00:51:58.132] Stack trace:
chromiumos/tast/local/bundles/cros/security/selinux.CheckContext(0x1cc70180, 0xac81eee, 0x12, 0xac861a4, 0x16, 0x0, 0xae5bbbc)
    /build/veyron_minnie/tmp/portage/chromeos-base/tast-local-tests-cros-0.0.1-r175/work/tast-local-tests-cros-0.0.1/src/chromiumos/tast/local/bundles/cros/security/selinux/file_label_utils.go:70 +0x30c
chromiumos/tast/local/bundles/cros/security.SELinuxFileLabel(0x1cc70180)
    /build/veyron_minnie/tmp/portage/chromeos-base/tast-local-tests-cros-0.0.1-r175/work/tast-local-tests-cros-0.0.1/src/chromiumos/tast/local/bundles/cros/security/selinux_file_label.go:57 +0x14c
chromiumos/tast/testing.(*Test).Run.func2(0x1cc70180, 0x1cd14400, 0x1cb91540)
    /build/veyron_minnie/tmp/portage/chromeos-base/tast-local-tests-cros-0.0.1-r175/work/tast-local-tests-cros-0.0.1/tast-base/src/chromiumos/tast/testing/test.go:114 +0x58
created by chromiumos/tast/testing.(*Test).Run
    /build/veyron_minnie/tmp/portage/chromeos-base/tast-local-tests-cros-0.0.1-r175/work/tast-local-tests-cros-0.0.1/tast-base/src/chromiumos/tast/testing/test.go:106 +0x8c
2018/09/17 00:51:59 Completed test security.SELinuxFileLabel in 303ms with 2 error(s)

You can see more results at http://stainless/search?test=%5Etast%5C.security%5C.SELinuxFileLabel%24&view=matrix&first_date=2018-09-15&last_date=2018-09-17

Please consider running http://go/stainless-alert to receive email alerts about failures in this test. (There will hopefully be a better alerting system before too long.)
Sep 19
Down to P2 since it's being tested at security_SELinuxTest
Sep 19
Regarding /sys/kernel/config, it's because CrOS boards with older kernels don't have it. We can skip it in the test.
Sep 19
Regarding Chrome restarts causing problems, you're referring to the /run/chrome/wayland-0 error, right? Sorry, I don't completely understand. It looks like the context is "u:object_r:arc_dir:s0" instead of "u:object_r:wayland_socket:s0". How is a Chrome restart causing that to happen?
Sep 20
Chrome stops: delete /run/chrome/wayland-0
Chrome starts: create /run/chrome/wayland-0 and inherit label from /run/chrome
Arc-setup: relabel /run/chrome/ to correct label.

Standard Chrome OS boot:
1) Chrome starts => wayland-0 labeled same as /run/chrome.
2) Arc-setup => fixes /run/chrome/wayland-0 to u:object_r:wayland_socket:s0
[This is a workaround from mostly Android/ARC++ side to make sure ARC++ can access /run/chrome/wayland-0 as all Chrome OS stuff was not SELinux-aware then]

If any test restarts Chrome browser without re-running arc-setup, newly created wayland-0 will inherit the label from /run/chrome, which is u:object_r:arc_dir:s0. Obviously some tests running before security.SELinux* are crashing Chrome browser and restarting it, so it's stably failing.
Sep 20
Correction: Arc-setup: relabel /run/chrome/ (recursively) to correct label.
Sep 20
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/tast-tests/+/083e0fd2c210df723437d9f2ba351ef4cd759b5d

commit 083e0fd2c210df723437d9f2ba351ef4cd759b5d
Author: Qijiang Fan <fqj@chromium.org>
Date: Thu Sep 20 18:39:44 2018

tast-tests: allow skip se context check for /sys/kernel/config

/sys/kernel/config doesn't not exist on some boards with some older kernel.

BUG= chromium:884909
TEST=none

Change-Id: Iebaccb392c59e090d400978a6c1faaf469599498
Reviewed-on: https://chromium-review.googlesource.com/1235873
Commit-Ready: Qijiang Fan <fqj@google.com>
Tested-by: Qijiang Fan <fqj@google.com>
Reviewed-by: Kenny Root <kroot@google.com>

[modify] https://crrev.com/083e0fd2c210df723437d9f2ba351ef4cd759b5d/src/chromiumos/tast/local/bundles/cros/security/selinux_file_label.go
Sep 21
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/c2631436d989176966235787daf4f371836f5f34

commit c2631436d989176966235787daf4f371836f5f34
Author: Qijiang Fan <fqj@chromium.org>
Date: Fri Sep 21 10:38:18 2018

init/sepolicy: correctly handle labels for /run and /run/chrome.

Label /run at pre-startup stage to cros_run rather than tmpfs. Compile multiple type_transition rule to let kernel to correctly assign labels for /run, /run/chrome, and /run/chrome/wayland-0.

BUG=b:116072767,b:80461815, chromium:884909
TEST=boot, kill chrome browser, start again, and monitor labels.

Change-Id: I8db509c569f32bd8d4b57c8a4faf816a8b254780
Reviewed-on: https://chromium-review.googlesource.com/1235433
Commit-Ready: Qijiang Fan <fqj@google.com>
Tested-by: Qijiang Fan <fqj@google.com>
Reviewed-by: Qijiang Fan <fqj@google.com>

[modify] https://crrev.com/c2631436d989176966235787daf4f371836f5f34/sepolicy/policy/chromeos/cros_browser.te
[modify] https://crrev.com/c2631436d989176966235787daf4f371836f5f34/sepolicy/policy/base/file.te
[modify] https://crrev.com/c2631436d989176966235787daf4f371836f5f34/sepolicy/policy/chromeos/file.te
[modify] https://crrev.com/c2631436d989176966235787daf4f371836f5f34/sepolicy/file_contexts/chromeos_file_contexts
[modify] https://crrev.com/c2631436d989176966235787daf4f371836f5f34/init/upstart/pre-startup.conf
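The labelling sequence discussed in this thread (boot, arc-setup relabel, Chrome restart), replayed in a small Go model. This is an added example, not code from Tast, platform2 or the commits referenced here. The labelFS type, its rule table keyed on parent type and file name, and afterChromeRestart are hypothetical, and the rule shape is an assumption because the actual policy change is not shown on this page.

```go
package main

import "fmt"

// labelFS is a constructed model of labelling under /run, not kernel or Tast code.
type labelFS struct {
	labels map[string]string    // path -> SELinux type
	rules  map[[2]string]string // {parent type, file name} -> type, like a named type_transition
}

// create labels a new file: a matching rule wins, otherwise the parent's type is inherited.
func (fs *labelFS) create(parent, name string) {
	t := fs.labels[parent]
	if nt, ok := fs.rules[[2]string{t, name}]; ok {
		t = nt
	}
	fs.labels[parent+"/"+name] = t
}

// checkContext compares got/want; a missing path passes only when skipMissing is set.
func checkContext(fs *labelFS, path, want string, skipMissing bool) error {
	t, ok := fs.labels[path]
	if !ok && skipMissing {
		return nil
	} else if !ok {
		return fmt.Errorf("failed file context check for %s: no such file or directory", path)
	}
	if got := "u:object_r:" + t + ":s0"; got != want {
		return fmt.Errorf("failed file context check for %s: got %q; want %q", path, got, want)
	}
	return nil
}

// afterChromeRestart replays boot, arc-setup, then a Chrome restart, and checks the socket.
func afterChromeRestart(withRule bool) error {
	const sock = "/run/chrome/wayland-0"
	fs := &labelFS{map[string]string{"/run/chrome": "arc_dir"}, map[[2]string]string{}}
	if withRule { // assumed rule shape; the real policy change is not shown on the page
		fs.rules[[2]string{"arc_dir", "wayland-0"}] = "wayland_socket"
	}
	fs.create("/run/chrome", "wayland-0") // Chrome starts: socket inherits the directory label
	fs.labels[sock] = "wayland_socket"    // arc-setup relabels /run/chrome recursively
	delete(fs.labels, sock)               // Chrome stops: socket deleted
	fs.create("/run/chrome", "wayland-0") // Chrome starts again; arc-setup is not re-run
	return checkContext(fs, sock, "u:object_r:wayland_socket:s0", false)
}

func main() {
	fmt.Println(afterChromeRestart(false), afterChromeRestart(true))
}
```

Without the rule the model reproduces the got/want mismatch from the report; with it the recreated socket gets the expected type at creation time, independent of arc-setup.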
Sep 28
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform/tast-tests/+/8eb9b1bb4fbd53dfbf41e776ef55e69d395a2ccb

commit 8eb9b1bb4fbd53dfbf41e776ef55e69d395a2ccb
Author: Qijiang Fan <fqj@chromium.org>
Date: Fri Sep 28 02:45:13 2018

tast-tests: move wayland socket check to a separate test.

wayland socket depends Chrome on to be started. Some other tests may kill Chrome browser, which deletes this file. Wayland socket is created and owned by chrome browser, if there's no chrome browser running, there won't be such socket. And adding chrome.New to a test that doesn't depends on chrome seems weird. (Currently selinux implies arc, which implies chrome, but things may change in the future).

BUG=b:114172200, chromium:884909
TEST=tast run DUT security.SELinux*

Change-Id: Icaeb804ca7bb638c3d46876709e13493e2f0c094
Reviewed-on: https://chromium-review.googlesource.com/1245076
Commit-Ready: Qijiang Fan <fqj@google.com>
Tested-by: Qijiang Fan <fqj@google.com>
Reviewed-by: Qijiang Fan <fqj@google.com>
Reviewed-by: Shuhei Takahashi <nya@chromium.org>

[modify] https://crrev.com/8eb9b1bb4fbd53dfbf41e776ef55e69d395a2ccb/src/chromiumos/tast/local/bundles/cros/security/selinux_file_label.go
[add] https://crrev.com/8eb9b1bb4fbd53dfbf41e776ef55e69d395a2ccb/src/chromiumos/tast/local/bundles/cros/security/selinux_file_label_with_chrome.go
Oct 1
Comment 1 by f...@chromium.org, Sep 19