Skip to content

test: automation for 5 selinux testcases#460

Open
Shreya Taware (shreyataware) wants to merge 9 commits into
qualcomm-linux:mainfrom
shreyataware:security-automations
Open

test: automation for 5 selinux testcases#460
Shreya Taware (shreyataware) wants to merge 9 commits into
qualcomm-linux:mainfrom
shreyataware:security-automations

Conversation

@shreyataware

Copy link
Copy Markdown
  1. Check Getenforce
  2. Toggle between Enforcing & Permissive using setenforce cmd
  3. Check sestatus
  4. Collect AVC Denials
  5. Capture systemctl failed services

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding SELinux validation coverage. The scope is useful and fits under Kernel/Security: getenforce, sestatus, setenforce toggling, AVC denial collection, and failed-service comparison.

please address a few architecture-level concerns below along with fixing the failed workflows.

  1. For tests that call setenforce, capture the original SELinux mode before changing it and restore it on every exit path using trap cleanup. The DUT must not be left in a different SELinux mode after the test.

  2. Please ensure all scripts reuse existing Runner/utils helpers for logging, dependency checks, result handling, and common setup instead of duplicating logic across the five new run.sh files.

  3. Please define clear PASS/FAIL/SKIP semantics for unsupported environments, especially when getenforce, setenforce, sestatus, audit logs, or systemctl are not available.

  4. For SystemctlFailedPerVsEnf, please log the failed-service snapshot before and after each SELinux mode transition, and restore the original mode at the end.

  5. Please share runtime evidence from target/LAVA execution for all five suites.

  6. Please add Readme files for each test

Commit-wise, this can remain one PR because all tests are SELinux/security related, but I recommend splitting into logical commits:

  • SELinux status checks
  • SELinux mode transition test
  • SELinux diagnostics / AVC / failed-service comparison

Current commit message is understandable but generic. Suggested message:
test(security): add SELinux validation suites

@smuppand

Srikanth Muppandam (smuppand) commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Thanks for adding SELinux validation coverage. The scope is useful and fits under Kernel/Security: getenforce, sestatus, setenforce toggling, AVC denial collection, and failed-service comparison.

please address a few architecture-level concerns below along with fixing the failed workflows.

  1. For tests that call setenforce, capture the original SELinux mode before changing it and restore it on every exit path using trap cleanup. The DUT must not be left in a different SELinux mode after the test.
  2. Please ensure all scripts reuse existing Runner/utils helpers for logging, dependency checks, result handling, and common setup instead of duplicating logic across the five new run.sh files.
  3. Please define clear PASS/FAIL/SKIP semantics for unsupported environments, especially when getenforce, setenforce, sestatus, audit logs, or systemctl are not available.
  4. For SystemctlFailedPerVsEnf, please log the failed-service snapshot before and after each SELinux mode transition, and restore the original mode at the end.
  5. Please share runtime evidence from target/LAVA execution for all five suites.
  6. Please add Readme files for each test

Commit-wise, this can remain one PR because all tests are SELinux/security related, but I recommend splitting into logical commits:

  • SELinux status checks
  • SELinux mode transition test
  • SELinux diagnostics / AVC / failed-service comparison

Current commit message is understandable but generic. Suggested message: test(security): add SELinux validation suites

Shreya Taware (@shreyataware) It has been a month since the review comments were not addressed. If there is no response, we will mark this PR as stale.

@shreyataware

Copy link
Copy Markdown
Author

Thanks for adding SELinux validation coverage. The scope is useful and fits under Kernel/Security: getenforce, sestatus, setenforce toggling, AVC denial collection, and failed-service comparison.
please address a few architecture-level concerns below along with fixing the failed workflows.

  1. For tests that call setenforce, capture the original SELinux mode before changing it and restore it on every exit path using trap cleanup. The DUT must not be left in a different SELinux mode after the test.
  2. Please ensure all scripts reuse existing Runner/utils helpers for logging, dependency checks, result handling, and common setup instead of duplicating logic across the five new run.sh files.
  3. Please define clear PASS/FAIL/SKIP semantics for unsupported environments, especially when getenforce, setenforce, sestatus, audit logs, or systemctl are not available.
  4. For SystemctlFailedPerVsEnf, please log the failed-service snapshot before and after each SELinux mode transition, and restore the original mode at the end.
  5. Please share runtime evidence from target/LAVA execution for all five suites.
  6. Please add Readme files for each test

Commit-wise, this can remain one PR because all tests are SELinux/security related, but I recommend splitting into logical commits:

  • SELinux status checks
  • SELinux mode transition test
  • SELinux diagnostics / AVC / failed-service comparison

Current commit message is understandable but generic. Suggested message: test(security): add SELinux validation suites

Shreya Taware (@shreyataware) It has been a month since the review comments were not addressed. If there is no response, we will mark this PR as stale.

Will commit new changes today. Validating the fixes.

@shreyataware Shreya Taware (shreyataware) marked this pull request as draft June 15, 2026 16:43
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Update weston_prepare_runtime() to avoid failing immediately when
weston.service is in failed state but a Wayland socket is still available.

Some base images can expose an active weston.socket or /run/wayland-* socket
while weston.service is failed and no Weston process is running. In this
case, a short Wayland client probe can trigger socket activation and recover
the runtime.

The helper now attempts passive Wayland socket recovery before reporting the
runtime as unhealthy. If recovery succeeds, it waits for Weston readiness,
adopts the final per-user Wayland socket, and continues validation.

This prevents false failures in Weston_Runtime_Preflight while still failing
when no usable Weston process or Wayland socket can be recovered.

Signed-off-by: Srikanth Muppandam <smuppand@qti.qualcomm.com>
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Signed-off-by: shreyataware <shreya.taware@gmail.com>
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Signed-off-by: shreyataware <shreya.taware@gmail.com>
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
…missive and enforcing modes

Signed-off-by: shreyataware <shreya.taware@gmail.com>
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
…permissive and check selinux mode

Signed-off-by: shreyataware <shreya.taware@gmail.com>
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Signed-off-by: shreyataware <shreya.taware@gmail.com>
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
@shreyataware Shreya Taware (shreyataware) marked this pull request as ready for review July 7, 2026 09:20

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you rebase and update? There are some unwanted commits in this PR.

log_info "Default selinux mode: $default_mode"

# Set SELinux to permissive
setenforce 0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test changes SELinux mode using setenforce 0 without registering a cleanup trap. If the test exits at line 60/72 or is interrupted, the final restore block may not run. The DUT can be left in Permissive or Enforcing unexpectedly, affecting later tests.

Recommended fix: capture default_mode first, install a trap restore_selinux EXIT INT TERM, and check every setenforce return code.

fi

# Get results for permissive mode
setenforce 0

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test also mutates SELinux mode with setenforce 0/setenforce 1 without a trap and without checking the return code. If setenforce fails or the script exits early, the comparison is invalid and cleanup is not guaranteed. False PASS/FAIL plus possible SELinux state leakage to later tests.

Recommended fix: add a cleanup trap, check setenforce return values, and skip cleanly if SELinux is Disabled or mode changes are not permitted.

# Get results for permissive mode
setenforce 0
failedServices=$(systemctl list-units --state failed)
echo "$failedServices" | awk '/^\*/ {print $2}' > "$FS_Permissive"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The failed-service parsing uses systemctl list-units --state failed and then awk '/^*/ {print $2}'. systemctl failed output is not reliably prefixed with *; on many systems it uses a bullet or no leading marker depending on options. Both permissive and enforcing files can become empty, causing a false PASS even when failed services exist.

Recommended fix: use systemctl --failed --no-legend --plain and extract the first field, or use systemctl list-units --state=failed --no-legend --no-pager. Better to have an common function which can be reused across the scripts rather calling it directly in run.sh

exit 0
fi

default_mode=$(getenforce)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

default_mode=$(getenforce) is called even when the earlier path selected /var/log/audit/audit.log and did not verify that getenforce exists. On systems with audit logs but no getenforce, default_mode can be empty and the test can still continue to PASS. The test result no longer accurately reflects SELinux support/state.

Recommended fix: check getenforce explicitly before calling it, or make AVC collection independent from SELinux mode validation and remove this mode check.

log_info "SELinux is $default_mode. Testcase Unsupported."
log_skip "$TESTNAME SKIP: selinux disabled"
echo "$TESTNAME SKIP" > "$RES_FILE"
exit 1

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The script writes SKIP for SELinux disabled but exits with 1. This conflicts with the repo’s LAVA-friendly convention where the .res file carries PASS/FAIL/SKIP and the script exits 0.

Recommended fix: after writing "$TESTNAME SKIP", exit 0.


# Fetch from dmesg
if CHECK_DEPS_NO_EXIT=1 check_dependencies dmesg; then
den=$(dmesg | grep avc)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use scan_dmesg_errors function from functestlib.sh

log_info "SELinux is Disabled. Testcase FAIL."
log_fail "$TESTNAME : FAIL"
echo "$TESTNAME FAIL" > "$RES_FILE"
exit 1

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here as well.. it should be exit 0

rm -f "$RES_FILE"


if ! CHECK_DEPS_NO_EXIT=1 check_dependencies getenforce sestatus; then

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The dependency check only includes getenforce and sestatus, but the script later uses grep and awk.

Recommended fix: check getenforce sestatus grep awk, or remove unused getenforce from this test if only sestatus is required.

@@ -0,0 +1,27 @@
metadata:
format: Lava-Test Test Definition 1.0
name: AUSanity

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The plan metadata name is AUSanity and description is Baseline AU Sanity test plan.

Recommended fix: rename to something like Security_Test or SELinux_Security_Test, and update the description accordingly.

- $PWD/suites/Kernel/Security/AVCDenials/run.sh || true
- $PWD/utils/send-to-lava.sh $PWD/suites/Kernel/Security/AVCDenials/AVCDenials.res || true
- $PWD/suites/Kernel/Security/CheckGetenforce/run.sh || true
- $PWD/utils/send-to-lava.sh $PWD/suites/Kernel/Security/CheckGetenforce/CheckGetenforce.res || true

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The plan masks send-to-lava.sh failures with || true. If result submission fails, the plan continues and can hide missing or malformed .res files. Impact: LAVA may not reflect actual test results.

Recommended fix: keep || true only on run.sh if needed, but let send-to-lava.sh fail visibly, or explicitly check that each .res exists before submitting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants