[PATCH v4 testsuite 00/15] Update to work on Debian

[PATCH v4 testsuite 00/15] Update to work on Debian

[Stephen Smalley]

Update the selinux testsuite to work on Debian and provide
instructions for building and running it there.

v4 splits the patch into one patch per logical change, updates
some of the descriptions, drops an unnecessary constraint
(only appear to need the peer recv constraint from Fedora for
the current tests, not the packet/SECMARK constraint), cleans up
the Makefile, and updates the test for noexec dev to match
any "/dev .*noexec" instead of just devtmpfs since not everyone
uses devtmpfs.

Stephen Smalley (15):
  test_capable_net.te: remove corenet_tcp/udp_sendrecv_all_ports()
  test_execute_no_trans.te: stop using mmap_file_perms
  test_ibendport.te: use dev_rw_infiniband_mgmt_dev()
  test_global.te: allow test domains to statfs selinuxfs
  test_inet_socket.te: switch from generic_port to
    _all_unreserved_ports()
  test_sctp.te: make netlabel_peer_t a MCS-constrained type
  test_policy.if: use ptynode instead of unconfined_devpts_t
  test_overlayfs.te: allow test_overlay_mounter_t to read user tmp files
  policy: Add MCS constraint on peer recv
  policy: Add defaultrange rules for overlay tests
  test_filesystem.te,tests/{fs_}filesystem: do not force user identity
    to system_u
  policy/Makefile: conditionalize setting of allow_domain_fd_use
  tests/cap_userns: set /proc/sys/kernel/unprivileged_userns_clone if
    needed
  tests/mmap: skip /dev/zero tests if /dev is noexec
  README.md: Add instructions for Debian

 README.md                            | 66 +++++++++++++++++++++++++++-
 policy/Makefile                      | 23 +++++++---
 policy/test_capable_net.te           |  2 -
 policy/test_execute_no_trans.te      |  3 +-
 policy/test_filesystem.te            |  1 +
 policy/test_global.te                |  1 +
 policy/test_ibendport.te             |  9 ++--
 policy/test_inet_socket.te           | 22 +++++-----
 policy/test_mlsconstrain.cil         |  2 +
 policy/test_overlay_defaultrange.cil |  7 +++
 policy/test_overlayfs.te             |  1 +
 policy/test_policy.if                |  4 +-
 policy/test_sctp.te                  |  1 +
 tests/cap_userns/test                |  8 ++++
 tests/filesystem/test                |  2 +-
 tests/fs_filesystem/test             |  2 +-
 tests/mmap/test                      | 48 +++++++++++++-------
 17 files changed, 154 insertions(+), 48 deletions(-)
 create mode 100644 policy/test_mlsconstrain.cil
 create mode 100644 policy/test_overlay_defaultrange.cil

-- 
2.23.1

[PATCH v4 testsuite 01/15] test_capable_net.te: remove corenet_tcp/udp_sendrecv_all_ports()

[Stephen Smalley]

Remove obsolete corenet_tcp/udp_sendrecv_all_ports() calls; the interfaces
have been removed from upstream refpolicy since the permissions were
obsolete and unused in upstream kernels.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_capable_net.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/test_capable_net.te b/policy/test_capable_net.te
index 80559f6..2255a14 100644
--- a/policy/test_capable_net.te
+++ b/policy/test_capable_net.te
@@ -28,8 +28,6 @@ corenet_raw_sendrecv_generic_if(capabledomain)
 corenet_tcp_sendrecv_all_nodes(capabledomain)
 corenet_udp_sendrecv_all_nodes(capabledomain)
 corenet_raw_sendrecv_all_nodes(capabledomain)
-corenet_tcp_sendrecv_all_ports(capabledomain)
-corenet_udp_sendrecv_all_ports(capabledomain)
 corenet_all_recvfrom_unlabeled(test_ncap_t)
 corenet_all_recvfrom_unlabeled(test_resncap_t)
 corenet_tcp_bind_all_nodes(capabledomain)
-- 
2.23.1

[PATCH v4 testsuite 02/15] test_execute_no_trans.te: stop using mmap_file_perms

[Stephen Smalley]

mmap_file_perms was deprecated in refpolicy in 2017 and is removed
from Debian policy. mmap_exec_file_perms is recommended by refpolicy
but RHEL-7 defined it differently (including execute_no_trans) so we
cannot use it here unconditionally. Just open-code the necessary
permissions and use the existing allow_map() macro defined by the
testsuite to cover map permission if defined.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_execute_no_trans.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/test_execute_no_trans.te b/policy/test_execute_no_trans.te
index 79ba868..2c0346a 100644
--- a/policy/test_execute_no_trans.te
+++ b/policy/test_execute_no_trans.te
@@ -24,4 +24,5 @@ userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t)
 
 #Allow test_execute_notrans permissions to the allowed type
 can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t)
-allow test_execute_notrans_t test_execute_notrans_denied_t:file mmap_file_perms;
+allow_map(test_execute_notrans_t, test_execute_notrans_denied_t, file)
+allow test_execute_notrans_t test_execute_notrans_denied_t:file { getattr open read };
-- 
2.23.1

[PATCH v4 testsuite 03/15] test_ibendport.te: use dev_rw_infiniband_mgmt_dev()

[Stephen Smalley]

Switch the Infiniband test policy to use the appropriate policy
interface if defined rather than hardcoding a reference to the
type, neither of which exist in Debian policy.  Drop the dead
hardcoded reference on bin_t since it is no longer used anywhere
outside of an interface.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_ibendport.te | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
index 2a02c57..b909b4f 100644
--- a/policy/test_ibendport.te
+++ b/policy/test_ibendport.te
@@ -3,11 +3,6 @@
 # Policy for testing Infiniband Pkey access.
 #
 
-gen_require(`
-	type bin_t;
-	type infiniband_mgmt_device_t;
-')
-
 attribute ibendportdomain;
 
 # Domain for process.
@@ -27,7 +22,9 @@ dev_rw_sysfs(test_ibendport_manage_subnet_t)
 
 corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
 
-allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read write open ioctl};
+ifdef(`dev_rw_infiniband_mgmt_dev', `
+dev_rw_infiniband_mgmt_dev(test_ibendport_manage_subnet_t)
+')
 
 ifdef(`corenet_ib_access_unlabeled_pkeys',`
 corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
-- 
2.23.1

[PATCH v4 testsuite 04/15] test_global.te: allow test domains to statfs selinuxfs

[Stephen Smalley]

libselinux probes for the presence of selinuxfs on /sys/fs/selinux
via statfs(2); this is required for any operations that involve selinuxfs.
Fedora policy allows this to all domains in its base policy but refpolicy
and Debian do not, so explicitly allow it to allow the tests to work.
Otherwise various programs think SELinux is disabled and abort.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_global.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/test_global.te b/policy/test_global.te
index c9520ec..d19b4be 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -83,6 +83,7 @@ domain_use_interactive_fds(testdomain)
 seutil_read_config(testdomain)
 
 # can getsecurity
+selinux_getattr_fs(testdomain)
 selinux_validate_context(testdomain)
 selinux_compute_access_vector(testdomain)
 selinux_compute_create_context(testdomain)
-- 
2.23.1

[PATCH v4 testsuite 05/15] test_inet_socket.te: switch from generic_port to _all_unreserved_ports()

[Stephen Smalley]

bind/connect_generic_port() in Fedora policy was allowing access to
ports in the unreserved port range.  In refpolicy and Debian, it only
allows access to ports without a more specific type and one must instead
use bind/connect_all_unreserved_ports().  Switch to the latter since it
works on both Fedora and Debian/refpolicy.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_inet_socket.te | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
index bf839df..0fff2da 100644
--- a/policy/test_inet_socket.te
+++ b/policy/test_inet_socket.te
@@ -26,8 +26,8 @@ typeattribute test_inet_server_t testdomain;
 typeattribute test_inet_server_t inetsocketdomain;
 allow test_inet_server_t self:tcp_socket create_stream_socket_perms;
 allow test_inet_server_t self:udp_socket create_socket_perms;
-corenet_tcp_bind_generic_port(test_inet_server_t)
-corenet_udp_bind_generic_port(test_inet_server_t)
+corenet_tcp_bind_all_unreserved_ports(test_inet_server_t)
+corenet_udp_bind_all_unreserved_ports(test_inet_server_t)
 corenet_tcp_bind_all_nodes(test_inet_server_t)
 corenet_udp_bind_all_nodes(test_inet_server_t)
 corenet_inout_generic_if(test_inet_server_t)
@@ -54,7 +54,7 @@ typeattribute test_inet_client_t testdomain;
 typeattribute test_inet_client_t inetsocketdomain;
 allow test_inet_client_t self:tcp_socket create_stream_socket_perms;
 allow test_inet_client_t self:udp_socket create_socket_perms;
-corenet_tcp_connect_generic_port(test_inet_client_t)
+corenet_tcp_connect_all_unreserved_ports(test_inet_client_t)
 corenet_inout_generic_if(test_inet_client_t)
 corenet_inout_generic_node(test_inet_client_t)
 
@@ -71,7 +71,7 @@ typeattribute test_inet_bad_client_t testdomain;
 typeattribute test_inet_bad_client_t inetsocketdomain;
 allow test_inet_bad_client_t self:tcp_socket create_stream_socket_perms;
 allow test_inet_bad_client_t self:udp_socket create_socket_perms;
-corenet_tcp_connect_generic_port(test_inet_bad_client_t)
+corenet_tcp_connect_all_unreserved_ports(test_inet_bad_client_t)
 corenet_inout_generic_if(test_inet_bad_client_t)
 corenet_inout_generic_node(test_inet_bad_client_t)
 
@@ -87,8 +87,8 @@ typeattribute test_inet_bind_t testdomain;
 typeattribute test_inet_bind_t inetsocketdomain;
 allow test_inet_bind_t self:tcp_socket create_stream_socket_perms;
 allow test_inet_bind_t self:udp_socket create_socket_perms;
-corenet_tcp_bind_generic_port(test_inet_bind_t)
-corenet_udp_bind_generic_port(test_inet_bind_t)
+corenet_tcp_bind_all_unreserved_ports(test_inet_bind_t)
+corenet_udp_bind_all_unreserved_ports(test_inet_bind_t)
 corenet_tcp_bind_all_nodes(test_inet_bind_t)
 corenet_udp_bind_all_nodes(test_inet_bind_t)
 
@@ -111,8 +111,8 @@ typeattribute test_inet_no_node_bind_t testdomain;
 typeattribute test_inet_no_node_bind_t inetsocketdomain;
 allow test_inet_no_node_bind_t self:tcp_socket create_stream_socket_perms;
 allow test_inet_no_node_bind_t self:udp_socket create_socket_perms;
-corenet_tcp_bind_generic_port(test_inet_no_node_bind_t)
-corenet_udp_bind_generic_port(test_inet_no_node_bind_t)
+corenet_tcp_bind_all_unreserved_ports(test_inet_no_node_bind_t)
+corenet_udp_bind_all_unreserved_ports(test_inet_no_node_bind_t)
 
 # Domain for a process allowed to connect(2).
 type test_inet_connect_t;
@@ -122,8 +122,8 @@ typeattribute test_inet_connect_t testdomain;
 typeattribute test_inet_connect_t inetsocketdomain;
 allow test_inet_connect_t self:tcp_socket create_stream_socket_perms;
 allow test_inet_connect_t self:udp_socket create_socket_perms;
-corenet_tcp_connect_generic_port(test_inet_connect_t)
-corenet_tcp_bind_generic_port(test_inet_connect_t)
+corenet_tcp_connect_all_unreserved_ports(test_inet_connect_t)
+corenet_tcp_bind_all_unreserved_ports(test_inet_connect_t)
 corenet_tcp_bind_all_nodes(test_inet_connect_t)
 corenet_inout_generic_if(test_inet_connect_t)
 corenet_inout_generic_node(test_inet_connect_t)
@@ -136,7 +136,7 @@ typeattribute test_inet_no_name_connect_t testdomain;
 typeattribute test_inet_no_name_connect_t inetsocketdomain;
 allow test_inet_no_name_connect_t self:tcp_socket create_stream_socket_perms;
 allow test_inet_no_name_connect_t self:udp_socket create_socket_perms;
-corenet_tcp_bind_generic_port(test_inet_no_name_connect_t)
+corenet_tcp_bind_all_unreserved_ports(test_inet_no_name_connect_t)
 corenet_tcp_bind_all_nodes(test_inet_no_name_connect_t)
 corenet_inout_generic_if(test_inet_no_name_connect_t)
 corenet_inout_generic_node(test_inet_no_name_connect_t)
-- 
2.23.1

[PATCH v4 testsuite 06/15] test_sctp.te: make netlabel_peer_t a MCS-constrained type

[Stephen Smalley]

The sctp tests were relying on netlabel_peer_t being subject to
MCS constraints in order to deny access.  refpolicy/Debian do not
currently make netlabel_peer_t a MCS-constrained type, so make it
so in the test policy to provide consistent behavior for testing.
Alternatively (or in addition) we could make test_sctp_server_t
a MCS-constrained type similar to test_inet_server_t.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_sctp.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index df8606e..3b16db1 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -25,6 +25,7 @@ allow nfsd_t netlabel_sctp_peer_t:peer recv;
 gen_require(`
 	type netlabel_peer_t;
 ')
+mcs_constrained(netlabel_peer_t)
 
 #
 ############### Declare an attribute that will hold all peers ###############
-- 
2.23.1

[PATCH v4 testsuite 07/15] test_policy.if: use ptynode instead of unconfined_devpts_t

[Stephen Smalley]

refpolicy does not define an unconfined_devpts_t type instead
assigning user_devpts_t to unconfined ptys. Switch to using ptynode
in the test policy to provide compatibility across both refpolicy and
Fedora.  ptynode is an attribute that includes all pty types.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_policy.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/test_policy.if b/policy/test_policy.if
index cefc8fb..f0400f5 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -29,7 +29,7 @@
 interface(`unconfined_runs_test',`
 	gen_require(`
 		type unconfined_t;
-               type unconfined_devpts_t;
+               attribute ptynode;
 		role unconfined_r;
 	')
 
@@ -38,7 +38,7 @@ interface(`unconfined_runs_test',`
 	role unconfined_r types $1;
       # Report back from the test domain to the caller.
       allow $1 unconfined_t:fd use;
-      allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr };
+      allow $1 ptynode:chr_file { read write ioctl getattr };
       allow $1 unconfined_t:fifo_file { read write ioctl getattr };
       allow $1 unconfined_t:process { sigchld };
 
-- 
2.23.1

Re: [PATCH v4 testsuite 07/15] test_policy.if: use ptynode instead of unconfined_devpts_t

[Ondrej Mosnacek]

On Fri, May 8, 2020 at 5:42 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> refpolicy does not define an unconfined_devpts_t type instead
> assigning user_devpts_t to unconfined ptys. Switch to using ptynode
> in the test policy to provide compatibility across both refpolicy and
> Fedora.  ptynode is an attribute that includes all pty types.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
>  policy/test_policy.if | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/test_policy.if b/policy/test_policy.if
> index cefc8fb..f0400f5 100644
> --- a/policy/test_policy.if
> +++ b/policy/test_policy.if
> @@ -29,7 +29,7 @@
>  interface(`unconfined_runs_test',`
>         gen_require(`
>                 type unconfined_t;
> -               type unconfined_devpts_t;
> +               attribute ptynode;
>                 role unconfined_r;
>         ')
>
> @@ -38,7 +38,7 @@ interface(`unconfined_runs_test',`
>         role unconfined_r types $1;
>        # Report back from the test domain to the caller.
>        allow $1 unconfined_t:fd use;
> -      allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr };
> +      allow $1 ptynode:chr_file { read write ioctl getattr };

How about using term_use_all_ptys($1) instead? It allows a few extra
permissions (open, append, lock), but it doesn't seem to influence the
tests. It would allow us to remove the 'attribute ptynode' from the
gen_require block.

>        allow $1 unconfined_t:fifo_file { read write ioctl getattr };
>        allow $1 unconfined_t:process { sigchld };
>
> --
> 2.23.1
>

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.

[PATCH v4 testsuite 08/15] test_overlayfs.te: allow test_overlay_mounter_t to read user tmp files

[Stephen Smalley]

During setup-overlay, a shell is run in test_overlay_mounter_t from
a "here document" i.e. an inline input.  This creates a temporary file
that is inherited by the shell and must be readable.  Allow it.
This is apparently being allowed somehow in the base Fedora policy
for all domains but not in Debian.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_overlayfs.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te
index 6f1756e..b29621e 100644
--- a/policy/test_overlayfs.te
+++ b/policy/test_overlayfs.te
@@ -52,6 +52,7 @@ corecmd_exec_bin(test_overlay_mounter_t)
 
 userdom_search_admin_dir(test_overlay_mounter_t)
 userdom_search_user_home_content(test_overlay_mounter_t)
+userdom_read_user_tmp_files(test_overlay_mounter_t)
 
 mount_exec(test_overlay_mounter_t)
 mount_rw_pid_files(test_overlay_mounter_t)
-- 
2.23.1

[PATCH v4 testsuite 09/15] policy: Add MCS constraint on peer recv

[Stephen Smalley]

Some of the inet_socket and sctp tests rely on a MCS constraint on
the peer recv permission that exists in Fedora policy but not
refpolicy and hence not Debian.  Add the constraint to the test policy
to provide consistent behavior.  On Fedora this is merely redundant.
The constraint is defined via a CIL module since constraints are not
supported in .te files for binary modules.  Introduce a SUPPORTS_CIL
variable in the Makefile and disable it automatically on older RHEL
releases that lack CIL support to avoid breaking policy load on them.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/Makefile              | 15 +++++++++++----
 policy/test_mlsconstrain.cil |  2 ++
 2 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 policy/test_mlsconstrain.cil

diff --git a/policy/Makefile b/policy/Makefile
index dfe601b..8f43427 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -7,6 +7,7 @@ SELINUXFS ?= /sys/fs/selinux
 SEMODULE = $(SBINDIR)/semodule
 CHECKPOLICY = $(BINDIR)/checkpolicy
 CHECKMODULE = $(BINDIR)/checkmodule
+SUPPORTS_CIL ?= y
 
 DISTRO=$(shell ../tests/os_detect)
 
@@ -30,15 +31,21 @@ TARGETS = \
 	test_mmap.te test_overlayfs.te test_mqueue.te \
 	test_ibpkey.te test_atsecure.te test_cgroupfs.te
 
+ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
+SUPPORTS_CIL = n
+endif
 
+ifeq ($(SUPPORTS_CIL),y)
+CIL_TARGETS = test_mlsconstrain.cil
 ifeq ($(shell [[ $(MAX_KERNEL_POLICY) -ge 32 && $(POL_VERS) -ge 32 ]] && echo true),true)
 # If other MLS tests get written this can be moved outside of the glblub test
 ifeq ($(POL_TYPE), MLS)
-CIL_TARGETS = test_glblub.cil
+CIL_TARGETS += test_glblub.cil
 else ifeq ($(POL_TYPE), MCS)
-CIL_TARGETS = test_add_levels.cil test_glblub.cil
-endif
-endif # GLBLUB
+CIL_TARGETS += test_add_levels.cil test_glblub.cil
+endif # POL_TYPE
+endif # MAX_KERNEL_POLICY
+endif # SUPPORTS_CIL
 
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te test_nnp_nosuid.te
diff --git a/policy/test_mlsconstrain.cil b/policy/test_mlsconstrain.cil
new file mode 100644
index 0000000..1412f91
--- /dev/null
+++ b/policy/test_mlsconstrain.cil
@@ -0,0 +1,2 @@
+(mlsconstrain (peer (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type))))
+(mlsconstrain (packet (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type))))
-- 
2.23.1

[PATCH v4 testsuite 10/15] policy: Add defaultrange rules for overlay tests

[Stephen Smalley]

Some of the overlay tests assume that files inherit their MCS/MLS
labels from the parent directory rather than the process.  This is
true on Fedora which defines defaultrange rules for this purpose but
not in refpolicy.  Add the defaultrange rules explicitly to the test
policy as a CIL module to provide consistent behavior on Debian.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/Makefile                      | 2 +-
 policy/test_overlay_defaultrange.cil | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 policy/test_overlay_defaultrange.cil

diff --git a/policy/Makefile b/policy/Makefile
index 8f43427..17e9da3 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -36,7 +36,7 @@ SUPPORTS_CIL = n
 endif
 
 ifeq ($(SUPPORTS_CIL),y)
-CIL_TARGETS = test_mlsconstrain.cil
+CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil
 ifeq ($(shell [[ $(MAX_KERNEL_POLICY) -ge 32 && $(POL_VERS) -ge 32 ]] && echo true),true)
 # If other MLS tests get written this can be moved outside of the glblub test
 ifeq ($(POL_TYPE), MLS)
diff --git a/policy/test_overlay_defaultrange.cil b/policy/test_overlay_defaultrange.cil
new file mode 100644
index 0000000..d1c18db
--- /dev/null
+++ b/policy/test_overlay_defaultrange.cil
@@ -0,0 +1,7 @@
+(defaultrange file target low)
+(defaultrange dir target low)
+(defaultrange lnk_file target low)
+(defaultrange chr_file target low)
+(defaultrange blk_file target low)
+(defaultrange sock_file target low)
+(defaultrange fifo_file target low)
-- 
2.23.1

[PATCH v4 testsuite 11/15] test_filesystem.te,tests/{fs_}filesystem: do not force user identity to system_u

[Stephen Smalley]

Rather than forcing the process user identity to system_u in the
filesystem tests (which broke in Debian due to not being authorized
for unconfined_r), grant the test_filesystem_fscontext_t domain
the ability to create objects in other user identities.  This is
cleaner.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_filesystem.te | 1 +
 tests/filesystem/test     | 2 +-
 tests/fs_filesystem/test  | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index 7d73cbf..4e27134 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -350,6 +350,7 @@ allow test_filesystem_fscontext_t test_filesystem_filecon_t:file { getattr open
 allow test_filesystem_fscontext_t test_filesystem_fscontext_fs_t:dir { add_name search write };
 allow test_filesystem_fscontext_t test_filesystem_fscontext_fs_t:file { create getattr open relabelfrom write };
 allow test_filesystem_fscontext_t test_filesystem_fscontext_fs_t:filesystem { mount relabelto unmount };
+domain_obj_id_change_exemption(test_filesystem_fscontext_t)
 fs_relabelfrom_all_fs(test_filesystem_fscontext_t)
 files_search_all(test_filesystem_fscontext_t)
 allow test_filesystem_filecon_t test_filesystem_fscontext_fs_t:filesystem { associate };
diff --git a/tests/filesystem/test b/tests/filesystem/test
index 149cc29..7d4654d 100755
--- a/tests/filesystem/test
+++ b/tests/filesystem/test
@@ -1116,7 +1116,7 @@ if ( not $nfs_enabled ) {
         #   system_u:object_r:test_filesystem_context_file_t:s0 from $test_opts
         print "Creating test file $basedir/mntpoint/mp1/test_file\n";
         $result = system(
-"runcon -u system_u -t test_filesystem_fscontext_t $basedir/create_file -f $basedir/mntpoint/mp1/test_file -e test_filesystem_context_file_t $v"
+"runcon -t test_filesystem_fscontext_t $basedir/create_file -f $basedir/mntpoint/mp1/test_file -e test_filesystem_context_file_t $v"
         );
         ok( $result eq 0 );
 
diff --git a/tests/fs_filesystem/test b/tests/fs_filesystem/test
index 5dcc89d..5dedf83 100755
--- a/tests/fs_filesystem/test
+++ b/tests/fs_filesystem/test
@@ -1145,7 +1145,7 @@ if ( not $nfs_enabled ) {
         #   system_u:object_r:test_filesystem_context_file_t:s0 from $test_opts
         print "Creating test file $basedir/mntpoint/mp1/test_file\n";
         $result = system(
-"runcon -u system_u -t test_filesystem_fscontext_t $filesystem_dir/create_file -f $basedir/mntpoint/mp1/test_file -e test_filesystem_context_file_t $v"
+"runcon -t test_filesystem_fscontext_t $filesystem_dir/create_file -f $basedir/mntpoint/mp1/test_file -e test_filesystem_context_file_t $v"
         );
         ok( $result eq 0 );
 
-- 
2.23.1

[PATCH v4 testsuite 12/15] policy/Makefile: conditionalize setting of allow_domain_fd_use

[Stephen Smalley]

allow_domain_fd_use is Fedora-specific so conditionalize the setting
of it to avoid noise on Debian or other distributions.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/Makefile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/Makefile b/policy/Makefile
index 17e9da3..386bbce 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -168,12 +168,16 @@ build: $(TARGETS)
 
 load: expand_check all
 	# General policy load
-	@-/usr/sbin/setsebool allow_domain_fd_use=0
+	@if /usr/sbin/getsebool allow_domain_fd_use 2> /dev/null; then \
+		/usr/sbin/setsebool allow_domain_fd_use=0; \
+	fi
 	$(SEMODULE) -i test_policy/test_policy.pp $(CIL_TARGETS)
 
 unload:
 	# General policy unload
-	@-/usr/sbin/setsebool allow_domain_fd_use=1
+	@if /usr/sbin/getsebool allow_domain_fd_use 2> /dev/null; then \
+		/usr/sbin/setsebool allow_domain_fd_use=1; \
+	fi
 	$(SEMODULE) -r test_policy $(subst .cil,,$(CIL_TARGETS))
 
 clean:
-- 
2.23.1

[PATCH v4 testsuite 13/15] tests/cap_userns: set /proc/sys/kernel/unprivileged_userns_clone if needed

[Stephen Smalley]

Debian does not allow unprivileged user namespace clones by default,
so update the test to enable it when running the test to avoid requiring
sys_admin permission to the capability class during the cap_userns tests.
The current test is specifically exercising the sys_admin check in the
separate cap_userns class used for capability checks against non-init
user namespaces.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 tests/cap_userns/test | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/cap_userns/test b/tests/cap_userns/test
index 9eafba6..917da00 100755
--- a/tests/cap_userns/test
+++ b/tests/cap_userns/test
@@ -6,6 +6,10 @@ BEGIN {
     $basedir = $0;
     $basedir =~ s|(.*)/[^/]*|$1|;
 
+    if ( -e '/proc/sys/kernel/unprivileged_userns_clone' ) {
+        system(
+            "echo 1 > /proc/sys/kernel/unprivileged_userns_clone 2> /dev/null");
+    }
     if ( system("$basedir/userns_child_exec -t -U > /dev/null 2>&1") == 0 ) {
         plan tests => 2;
     }
@@ -27,3 +31,7 @@ $result = system(
 "runcon -t test_no_cap_userns_t -- $basedir/userns_child_exec -p -m -U -M '0 0 1' -G '0 0 1' -- true 2>&1"
 );
 ok($result);
+
+if ( -e '/proc/sys/kernel/unprivileged_userns_clone' ) {
+    system("echo 0 > /proc/sys/kernel/unprivileged_userns_clone 2> /dev/null");
+}
-- 
2.23.1

[PATCH v4 testsuite 14/15] tests/mmap: skip /dev/zero tests if /dev is noexec

[Stephen Smalley]

If /dev is mounted noexec (as in Debian unstable), then
we cannot mmap/mprotect PROT_EXEC /dev/zero regardless of SELinux.
Check for this situation and skip those tests in that case to avoid
extraneous failures.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 tests/mmap/test | 48 +++++++++++++++++++++++++++++++-----------------
 1 file changed, 31 insertions(+), 17 deletions(-)

diff --git a/tests/mmap/test b/tests/mmap/test
index fe6f184..b7cd56a 100755
--- a/tests/mmap/test
+++ b/tests/mmap/test
@@ -3,10 +3,11 @@
 use Test;
 
 BEGIN {
-    $test_count         = 34;
-    $test_hugepages     = 0;
-    $test_exec_checking = 0;
-    $test_map_checking  = 0;
+    $test_count            = 30;
+    $test_hugepages        = 0;
+    $test_exec_checking    = 0;
+    $test_map_checking     = 0;
+    $test_devzero_checking = 0;
 
     system("echo 1 > /proc/sys/vm/nr_hugepages 2> /dev/null");
     if ( system("grep -q 1 /proc/sys/vm/nr_hugepages 2> /dev/null") == 0 ) {
@@ -19,6 +20,12 @@ BEGIN {
         $test_count += 4;
     }
 
+    if ( system("grep -q '/dev .*noexec' /proc/self/mounts 2> /dev/null") != 0 )
+    {
+        $test_devzero_checking = 1;
+        $test_count += 4;
+    }
+
     if ( -e '/sys/fs/selinux/class/file/perms/map' ) {
         $test_map_checking = 1;
         $test_count += 1;
@@ -62,13 +69,17 @@ ok( $result, 0 );
 $result = system "runcon -t test_no_execmem_t $basedir/mmap_anon_shared 2>&1";
 ok($result);
 
-# Test success and failure for mmap /dev/zero.
-$result =
-  system "runcon -t test_mmap_dev_zero_t $basedir/mmap_file_shared /dev/zero";
-ok( $result, 0 );
-$result = system
-  "runcon -t test_no_mmap_dev_zero_t $basedir/mmap_file_shared /dev/zero 2>&1";
-ok($result);
+if ($test_devzero_checking) {
+
+    # Test success and failure for mmap /dev/zero.
+    $result =
+      system
+      "runcon -t test_mmap_dev_zero_t $basedir/mmap_file_shared /dev/zero";
+    ok( $result, 0 );
+    $result = system
+"runcon -t test_no_mmap_dev_zero_t $basedir/mmap_file_shared /dev/zero 2>&1";
+    ok($result);
+}
 
 # Test success and failure for mprotect w/ anonymous shared memory.
 # In old kernels, this triggers a tmpfs file execute check.
@@ -80,13 +91,16 @@ $result = system
   "runcon -t test_no_mprotect_anon_shared_t $basedir/mprotect_anon_shared 2>&1";
 ok($result);
 
-# Test success and failure for mprotect /dev/zero.
-$result = system
-  "runcon -t test_mprotect_dev_zero_t $basedir/mprotect_file_shared /dev/zero";
-ok( $result, 0 );
-$result = system
+if ($test_devzero_checking) {
+
+    # Test success and failure for mprotect /dev/zero.
+    $result = system
+"runcon -t test_mprotect_dev_zero_t $basedir/mprotect_file_shared /dev/zero";
+    ok( $result, 0 );
+    $result = system
 "runcon -t test_no_mprotect_dev_zero_t $basedir/mprotect_file_shared /dev/zero 2>&1";
-ok($result);
+    ok($result);
+}
 
 # Test success and failure for execheap, independent of execmem.
 $result = system "runcon -t test_execheap_t $basedir/mprotect_heap";
-- 
2.23.1

[PATCH v4 testsuite 15/15] README.md: Add instructions for Debian

[Stephen Smalley]

Now that the testsuite builds and runs on Debian, add instructions
to the README with the necessary dependencies and steps.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 README.md | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 65 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b36494e..1f7e5d9 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,8 @@ one primary security module may be active at a time.
 
 ### Userland and Base Policy
 
+#### Fedora or RHEL
+
 On a Fedora/RHEL based system the testsuite has the following userspace
 dependencies beyond a minimal install (other Linux distributions should have
 similar dependencies):
@@ -77,8 +79,70 @@ following command:
 		xfsprogs-devel \
 		libuuid-devel
 
+#### Debian
+
+On Debian, you must first take steps to install and activate SELinux since
+it is not enabled in the default install.  Make sure to backup your system
+first if you care about any local data.
+
+	# apt-get install selinux-basics selinux-policy-default auditd
+	# selinux-activate
+	# reboot
+
+After activating, make sure that your login shell is running in the
+correct context:
+
+	# id -Z
+
+If this shows something other than
+"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", you will need
+to first fix labeling or policy problems in your base system before
+proceeding.  Make sure that your shell context is correct and you can
+switch to enforcing mode without breaking your system before
+proceeding.
+
+On Debian, you can install the userspace dependencies with the following
+command:
+
+	# apt-get install perl \
+		gcc \
+		selinux-policy-dev \
+		libselinux1-dev \
+		net-tools \
+		iptables \
+		libsctp-dev \
+		attr \
+		libbpf-dev \
+		libkeyutils-dev \
+		linux-headers-$(uname -r) \
+		quota \
+		xfsprogs \
+		xfslibs-dev \
+		uuid-dev
+
+On Debian, you need to build and install netlabel_tools manually since
+it is not yet packaged for Debian
+(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959806):
+
+    # git clone https://github.com/netlabel/netlabel_tools
+    # cd netlabel_tools
+    # sudo apt-get install autotools-dev autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev
+    # ./autogen.sh
+    # ./configure --prefix=/usr
+    # make
+    # sudo make install
+
+Debian further requires reconfiguring the default /bin/sh to be bash
+to support bashisms employed in the testsuite Makefiles and scripts:
+
+    # dpkg-reconfigure dash
+
+Select "No" when asked if you want to use dash as the default system shell.
+
+#### Other Distributions
+
 The testsuite requires a pre-existing base policy configuration of SELinux,
-using either the old example policy or the reference policy as the baseline.
+using the reference policy as the baseline.
 It also requires the core SELinux userland packages (`libsepol`, `checkpolicy`,
 `libselinux`, `policycoreutils`, and if using modular policy, `libsemanage`)
 to be installed.  The test scripts also rely upon the SELinux extensions being
-- 
2.23.1

Re: [PATCH v4 testsuite 00/15] Update to work on Debian

[Stephen Smalley]

On Fri, May 8, 2020 at 11:42 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> Update the selinux testsuite to work on Debian and provide
> instructions for building and running it there.

NB With this series applied and the separate quotastest fix, I was
able to also run the testsuite on Ubuntu 20.04.
On Ubuntu I had to build upstream libbpf from source because
libbpf-dev was not packaged in Ubuntu unlike Debian
(https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1836708).

The Ubuntu kernel had two test failures:
mmap/test                 (Wstat: 0 Tests: 39 Failed: 1)
  Failed test:  2
checkreqprot/test         (Wstat: 0 Tests: 1 Failed: 1)
  Failed test:  1

These were both due to kernel configuration in their stock kernel:
CONFIG_LSM_MMAP_MIN_ADDR=0
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1

The latter isn't too surprising since it used to be the default and
likely just got carried forward in newer kernel configs.
The former is rather odd; not sure how that happened.

Re: [PATCH v4 testsuite 00/15] Update to work on Debian

[Ondrej Mosnacek]

On Fri, May 8, 2020 at 5:42 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> Update the selinux testsuite to work on Debian and provide
> instructions for building and running it there.
>
> v4 splits the patch into one patch per logical change, updates
> some of the descriptions, drops an unnecessary constraint
> (only appear to need the peer recv constraint from Fedora for
> the current tests, not the packet/SECMARK constraint), cleans up
> the Makefile, and updates the test for noexec dev to match
> any "/dev .*noexec" instead of just devtmpfs since not everyone
> uses devtmpfs.
>
> Stephen Smalley (15):
>   test_capable_net.te: remove corenet_tcp/udp_sendrecv_all_ports()
>   test_execute_no_trans.te: stop using mmap_file_perms
>   test_ibendport.te: use dev_rw_infiniband_mgmt_dev()
>   test_global.te: allow test domains to statfs selinuxfs
>   test_inet_socket.te: switch from generic_port to
>     _all_unreserved_ports()
>   test_sctp.te: make netlabel_peer_t a MCS-constrained type
>   test_policy.if: use ptynode instead of unconfined_devpts_t
>   test_overlayfs.te: allow test_overlay_mounter_t to read user tmp files
>   policy: Add MCS constraint on peer recv
>   policy: Add defaultrange rules for overlay tests
>   test_filesystem.te,tests/{fs_}filesystem: do not force user identity
>     to system_u
>   policy/Makefile: conditionalize setting of allow_domain_fd_use
>   tests/cap_userns: set /proc/sys/kernel/unprivileged_userns_clone if
>     needed
>   tests/mmap: skip /dev/zero tests if /dev is noexec
>   README.md: Add instructions for Debian

With the exception of 07/15, on which I had a small comment:

Acked-by: Ondrej Mosnacek <omosnace@redhat.com>

(No need to respin the whole series in case you are going to respin
07. I can just splice it in before merging or apply on top.)

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.

Re: [PATCH v4 testsuite 00/15] Update to work on Debian

[Ondrej Mosnacek]

On Tue, May 12, 2020 at 11:43 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Fri, May 8, 2020 at 5:42 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> > Update the selinux testsuite to work on Debian and provide
> > instructions for building and running it there.
> >
> > v4 splits the patch into one patch per logical change, updates
> > some of the descriptions, drops an unnecessary constraint
> > (only appear to need the peer recv constraint from Fedora for
> > the current tests, not the packet/SECMARK constraint), cleans up
> > the Makefile, and updates the test for noexec dev to match
> > any "/dev .*noexec" instead of just devtmpfs since not everyone
> > uses devtmpfs.
> >
> > Stephen Smalley (15):
> >   test_capable_net.te: remove corenet_tcp/udp_sendrecv_all_ports()
> >   test_execute_no_trans.te: stop using mmap_file_perms
> >   test_ibendport.te: use dev_rw_infiniband_mgmt_dev()
> >   test_global.te: allow test domains to statfs selinuxfs
> >   test_inet_socket.te: switch from generic_port to
> >     _all_unreserved_ports()
> >   test_sctp.te: make netlabel_peer_t a MCS-constrained type
> >   test_policy.if: use ptynode instead of unconfined_devpts_t
> >   test_overlayfs.te: allow test_overlay_mounter_t to read user tmp files
> >   policy: Add MCS constraint on peer recv
> >   policy: Add defaultrange rules for overlay tests
> >   test_filesystem.te,tests/{fs_}filesystem: do not force user identity
> >     to system_u
> >   policy/Makefile: conditionalize setting of allow_domain_fd_use
> >   tests/cap_userns: set /proc/sys/kernel/unprivileged_userns_clone if
> >     needed
> >   tests/mmap: skip /dev/zero tests if /dev is noexec
> >   README.md: Add instructions for Debian
>
> With the exception of 07/15, on which I had a small comment:
>
> Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> (No need to respin the whole series in case you are going to respin
> 07. I can just splice it in before merging or apply on top.)

All patches now applied (with v5 of 07/15).

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.