test: automation for 5 selinux testcases#460
test: automation for 5 selinux testcases#460Shreya Taware (shreyataware) wants to merge 9 commits into
Conversation
Shreya Taware (shreyataware)
commented
May 15, 2026
- Check Getenforce
- Toggle between Enforcing & Permissive using setenforce cmd
- Check sestatus
- Collect AVC Denials
- Capture systemctl failed services
Srikanth Muppandam (smuppand)
left a comment
There was a problem hiding this comment.
Thanks for adding SELinux validation coverage. The scope is useful and fits under Kernel/Security: getenforce, sestatus, setenforce toggling, AVC denial collection, and failed-service comparison.
please address a few architecture-level concerns below along with fixing the failed workflows.
-
For tests that call setenforce, capture the original SELinux mode before changing it and restore it on every exit path using trap cleanup. The DUT must not be left in a different SELinux mode after the test.
-
Please ensure all scripts reuse existing Runner/utils helpers for logging, dependency checks, result handling, and common setup instead of duplicating logic across the five new run.sh files.
-
Please define clear PASS/FAIL/SKIP semantics for unsupported environments, especially when getenforce, setenforce, sestatus, audit logs, or systemctl are not available.
-
For SystemctlFailedPerVsEnf, please log the failed-service snapshot before and after each SELinux mode transition, and restore the original mode at the end.
-
Please share runtime evidence from target/LAVA execution for all five suites.
-
Please add Readme files for each test
Commit-wise, this can remain one PR because all tests are SELinux/security related, but I recommend splitting into logical commits:
- SELinux status checks
- SELinux mode transition test
- SELinux diagnostics / AVC / failed-service comparison
Current commit message is understandable but generic. Suggested message:
test(security): add SELinux validation suites
Shreya Taware (@shreyataware) It has been a month since the review comments were not addressed. If there is no response, we will mark this PR as stale. |
Will commit new changes today. Validating the fixes. |
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Update weston_prepare_runtime() to avoid failing immediately when weston.service is in failed state but a Wayland socket is still available. Some base images can expose an active weston.socket or /run/wayland-* socket while weston.service is failed and no Weston process is running. In this case, a short Wayland client probe can trigger socket activation and recover the runtime. The helper now attempts passive Wayland socket recovery before reporting the runtime as unhealthy. If recovery succeeds, it waits for Weston readiness, adopts the final per-user Wayland socket, and continues validation. This prevents false failures in Weston_Runtime_Preflight while still failing when no usable Weston process or Wayland socket can be recovered. Signed-off-by: Srikanth Muppandam <smuppand@qti.qualcomm.com> Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Signed-off-by: shreyataware <shreya.taware@gmail.com> Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Signed-off-by: shreyataware <shreya.taware@gmail.com> Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
…missive and enforcing modes Signed-off-by: shreyataware <shreya.taware@gmail.com> Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
…permissive and check selinux mode Signed-off-by: shreyataware <shreya.taware@gmail.com> Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Signed-off-by: shreyataware <shreya.taware@gmail.com> Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
9a14f2a to
86f9de8
Compare
Signed-off-by: Shreya Taware <shreya.taware@gmail.com>
Srikanth Muppandam (smuppand)
left a comment
There was a problem hiding this comment.
Could you rebase and update? There are some unwanted commits in this PR.
| log_info "Default selinux mode: $default_mode" | ||
|
|
||
| # Set SELinux to permissive | ||
| setenforce 0 |
There was a problem hiding this comment.
The test changes SELinux mode using setenforce 0 without registering a cleanup trap. If the test exits at line 60/72 or is interrupted, the final restore block may not run. The DUT can be left in Permissive or Enforcing unexpectedly, affecting later tests.
Recommended fix: capture default_mode first, install a trap restore_selinux EXIT INT TERM, and check every setenforce return code.
| fi | ||
|
|
||
| # Get results for permissive mode | ||
| setenforce 0 |
There was a problem hiding this comment.
This test also mutates SELinux mode with setenforce 0/setenforce 1 without a trap and without checking the return code. If setenforce fails or the script exits early, the comparison is invalid and cleanup is not guaranteed. False PASS/FAIL plus possible SELinux state leakage to later tests.
Recommended fix: add a cleanup trap, check setenforce return values, and skip cleanly if SELinux is Disabled or mode changes are not permitted.
| # Get results for permissive mode | ||
| setenforce 0 | ||
| failedServices=$(systemctl list-units --state failed) | ||
| echo "$failedServices" | awk '/^\*/ {print $2}' > "$FS_Permissive" |
There was a problem hiding this comment.
The failed-service parsing uses systemctl list-units --state failed and then awk '/^*/ {print $2}'. systemctl failed output is not reliably prefixed with *; on many systems it uses a bullet or no leading marker depending on options. Both permissive and enforcing files can become empty, causing a false PASS even when failed services exist.
Recommended fix: use systemctl --failed --no-legend --plain and extract the first field, or use systemctl list-units --state=failed --no-legend --no-pager. Better to have an common function which can be reused across the scripts rather calling it directly in run.sh
| exit 0 | ||
| fi | ||
|
|
||
| default_mode=$(getenforce) |
There was a problem hiding this comment.
default_mode=$(getenforce) is called even when the earlier path selected /var/log/audit/audit.log and did not verify that getenforce exists. On systems with audit logs but no getenforce, default_mode can be empty and the test can still continue to PASS. The test result no longer accurately reflects SELinux support/state.
Recommended fix: check getenforce explicitly before calling it, or make AVC collection independent from SELinux mode validation and remove this mode check.
| log_info "SELinux is $default_mode. Testcase Unsupported." | ||
| log_skip "$TESTNAME SKIP: selinux disabled" | ||
| echo "$TESTNAME SKIP" > "$RES_FILE" | ||
| exit 1 |
There was a problem hiding this comment.
The script writes SKIP for SELinux disabled but exits with 1. This conflicts with the repo’s LAVA-friendly convention where the .res file carries PASS/FAIL/SKIP and the script exits 0.
Recommended fix: after writing "$TESTNAME SKIP", exit 0.
|
|
||
| # Fetch from dmesg | ||
| if CHECK_DEPS_NO_EXIT=1 check_dependencies dmesg; then | ||
| den=$(dmesg | grep avc) |
There was a problem hiding this comment.
Please use scan_dmesg_errors function from functestlib.sh
| log_info "SELinux is Disabled. Testcase FAIL." | ||
| log_fail "$TESTNAME : FAIL" | ||
| echo "$TESTNAME FAIL" > "$RES_FILE" | ||
| exit 1 |
There was a problem hiding this comment.
Here as well.. it should be exit 0
| rm -f "$RES_FILE" | ||
|
|
||
|
|
||
| if ! CHECK_DEPS_NO_EXIT=1 check_dependencies getenforce sestatus; then |
There was a problem hiding this comment.
The dependency check only includes getenforce and sestatus, but the script later uses grep and awk.
Recommended fix: check getenforce sestatus grep awk, or remove unused getenforce from this test if only sestatus is required.
| @@ -0,0 +1,27 @@ | |||
| metadata: | |||
| format: Lava-Test Test Definition 1.0 | |||
| name: AUSanity | |||
There was a problem hiding this comment.
The plan metadata name is AUSanity and description is Baseline AU Sanity test plan.
Recommended fix: rename to something like Security_Test or SELinux_Security_Test, and update the description accordingly.
| - $PWD/suites/Kernel/Security/AVCDenials/run.sh || true | ||
| - $PWD/utils/send-to-lava.sh $PWD/suites/Kernel/Security/AVCDenials/AVCDenials.res || true | ||
| - $PWD/suites/Kernel/Security/CheckGetenforce/run.sh || true | ||
| - $PWD/utils/send-to-lava.sh $PWD/suites/Kernel/Security/CheckGetenforce/CheckGetenforce.res || true |
There was a problem hiding this comment.
The plan masks send-to-lava.sh failures with || true. If result submission fails, the plan continues and can hide missing or malformed .res files. Impact: LAVA may not reflect actual test results.
Recommended fix: keep || true only on run.sh if needed, but let send-to-lava.sh fail visibly, or explicitly check that each .res exists before submitting.