Description
4 out of 8 module_load tests fail when kernel is in integrity lockdown mode.
Tested in Fedora and AzureLinux as well.
Here's my analysis, supporting test output and code references can be found in the attachments.
Both failing SELinux types (domains) have allow_lockdown_integrity set, which is supposed to allow module load in integrity mode, i.e. to bypass the lockdown.
Please note that the tests pass when lockdown is none.
I tried to find out whether the lockdown rules are getting applied, but all other lockdown mode tests were removed in an older commit.
I believe that in integrity mode, selinux will not be allowed to bypass lockdown, and that the failure is expected.
If that is the case, then the test could detect lockdown mode; if it is enabled, "Key rejected by the service" would be the expected error.
selinux_failing_test_output_azLinux.txt
selinuxcode_references.txt
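The detection step suggested in the report, written out as an added shell example (not code from the issue author or from the selinux-testsuite): parse the active mode out of /sys/kernel/security/lockdown, whose contents list every mode with the active one in square brackets (e.g. `none [integrity] confidentiality`), and map it to the outcome the report proposes. The function names and the "Key rejected by the service" expectation for the non-none modes are assumptions taken from the report above, not verified test-suite behaviour.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not part of the selinux-testsuite).
# The lockdown securityfs file lists all modes and brackets the active one,
# e.g. "none [integrity] confidentiality".

# lockdown_mode: print the bracketed (active) mode from the file contents
# passed as $1. Splitting on spaces lets the sed match one token at a time.
lockdown_mode() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)\]$/\1/p'
}

# current_lockdown_mode: read the live value, falling back to "none" when the
# file is unreadable (lockdown LSM not built in, or securityfs not mounted).
current_lockdown_mode() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then
        lockdown_mode "$(cat "$f")"
    else
        echo none
    fi
}

# expected_result: the outcome a module_load test should expect for a given
# lockdown mode, following the report's suggestion: success when lockdown is
# none, otherwise the "Key rejected by the service" error (assumption).
expected_result() {
    case "$1" in
        none) echo "success" ;;
        integrity|confidentiality) echo "Key rejected by the service" ;;
        *) echo "unknown lockdown mode: $1" >&2; return 1 ;;
    esac
}

# Usage when run directly: report the live mode and what a test should expect.
mode=$(current_lockdown_mode)
echo "lockdown mode: $mode"
echo "module_load expectation: $(expected_result "$mode")"
```

The three mode names (none, integrity, confidentiality) are the only values the lockdown LSM exposes, so anything else in the file is treated as an error rather than silently mapped to a pass or fail.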