From: Stephen Smalley <sds@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: Re: [PATCH testsuite v6] policy: use the kernel_request_load_module() interface
Date: Mon, 2 Dec 2019 09:37:56 -0500 [thread overview]
Message-ID: <f8c21ed7-eda6-e63b-7e94-616055852244@tycho.nsa.gov> (raw)
In-Reply-To: <20191128140807.900061-1-omosnace@redhat.com>
On 11/28/19 9:08 AM, Ondrej Mosnacek wrote:
> ...instead of open-coding the rules. Also define a fallback to allow the
> policy to build even if the interface is not defined.
>
> Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests")
> Cc: Richard Haines <richard_c_haines@btinternet.com>
> Suggested-by: Stephen Smalley <sds@tycho.nsa.gov>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>
> Change in v6: avoid apostrophes in comments
> Change in v5: call the macro only once for the whole domain
> Change in v4: fix copy-paste mistakes spotted by Richard
> Change in v3: use different approach as suggested by Stephen
> Change in v2: update also tests/Makefile for consistency
>
> policy/test_key_socket.te | 8 +++-----
> policy/test_policy.if | 8 +++++++-
> 2 files changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
> index cde426b..64d2cee 100644
> --- a/policy/test_key_socket.te
> +++ b/policy/test_key_socket.te
> @@ -12,8 +12,6 @@ typeattribute test_key_sock_t keysockdomain;
> # key_socket rules:
> allow test_key_sock_t self:capability { net_admin };
> allow test_key_sock_t self:key_socket { create write read setopt };
> -# For CONFIG_NET_KEY=m
> -allow test_key_sock_t kernel_t:system { module_request };
>
> ################## Deny capability { net_admin } ##########################
> #
> @@ -29,7 +27,6 @@ typeattribute test_key_sock_no_net_admin_t testdomain;
> typeattribute test_key_sock_no_net_admin_t keysockdomain;
>
> allow test_key_sock_no_net_admin_t self:key_socket { create write read setopt };
> -allow test_key_sock_no_net_admin_t kernel_t:system { module_request };
>
> ####################### Deny key_socket { create } ##########################
> type test_key_sock_no_create_t;
> @@ -50,7 +47,6 @@ typeattribute test_key_sock_no_write_t keysockdomain;
>
> allow test_key_sock_no_write_t self:capability { net_admin };
> allow test_key_sock_no_write_t self:key_socket { create read setopt };
> -allow test_key_sock_no_write_t kernel_t:system { module_request };
>
> ####################### Deny key_socket { read } ##########################
> type test_key_sock_no_read_t;
> @@ -61,10 +57,12 @@ typeattribute test_key_sock_no_read_t keysockdomain;
>
> allow test_key_sock_no_read_t self:capability { net_admin };
> allow test_key_sock_no_read_t self:key_socket { create write setopt };
> -allow test_key_sock_no_read_t kernel_t:system { module_request };
>
> #
> ########### Allow these domains to be entered from sysadm domain ############
> #
> miscfiles_domain_entry_test_files(keysockdomain)
> userdom_sysadm_entry_spec_domtrans_to(keysockdomain)
> +
> +# For CONFIG_NET_KEY=m
> +kernel_request_load_module(keysockdomain)
> diff --git a/policy/test_policy.if b/policy/test_policy.if
> index e1175e8..cefc8fb 100644
> --- a/policy/test_policy.if
> +++ b/policy/test_policy.if
> @@ -76,9 +76,15 @@ interface(`mount_rw_pid_files', `
> ')
> ')
>
> -# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t.
> +# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t.
> ifdef(`userdom_search_admin_dir', `', ` dnl
> interface(`userdom_search_admin_dir', `
> userdom_search_user_home_content($1)
> ')
> ')
> +
> +# If the macro is not defined, then most probably module_request permission
> +# is just not supported (and relevant operations should be just allowed).
> +ifdef(`kernel_request_load_module', `', ` dnl
> +interface(`kernel_request_load_module', `')
> +')
>
next prev parent reply other threads:[~2019-12-02 14:37 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-28 14:08 [PATCH testsuite v6] policy: use the kernel_request_load_module() interface Ondrej Mosnacek
2019-12-02 14:37 ` Stephen Smalley [this message]
2019-12-02 21:18 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f8c21ed7-eda6-e63b-7e94-616055852244@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=omosnace@redhat.com \
--cc=richard_c_haines@btinternet.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).