From: Ondrej Mosnacek <omosnace@redhat.com>
To: Dominick Grift <dominick.grift@defensec.nl>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH testsuite] policy: only define anon_inode class if not defined in system policy
Date: Fri, 30 Apr 2021 14:39:33 +0200	[thread overview]
Message-ID: <CAFqZXNvnzsfiXxfcgo-pjzi=3iKeN7k0YkFX6C=j2y_8nxkytQ@mail.gmail.com> (raw)
In-Reply-To: <87bl9wyphu.fsf@defensec.nl>

On Fri, Apr 30, 2021 at 1:35 PM Dominick Grift
<dominick.grift@defensec.nl> wrote:
> Ondrej Mosnacek <omosnace@redhat.com> writes:
>
> > When the system policy already defines this class, loading the test
> > policy fails with:
> >
> > Re-declaration of class anon_inode
> > Previous declaration of class at /var/lib/selinux/targeted/tmp/modules/100/base/cil:1003
> > Bad class declaration at /var/lib/selinux/targeted/tmp/modules/400/test_userfaultfd/cil:2
> > /usr/sbin/semodule:  Failed!
> >
> > Fix this by only including the anon_inode class declarations when it's
> > not found in the system policy headers.
>
> Reference policy does not have an "all_perms.spt" AFAIK. This might only work
> with Fedora.

Could be, but this pattern is already used elsewhere in the testsuite,
so for now this'll have to do...

>
> >
> > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >  policy/Makefile                  | 3 +++
> >  policy/test_anon_inode_class.cil | 4 ++++
> >  policy/test_userfaultfd.cil      | 5 -----
> >  3 files changed, 7 insertions(+), 5 deletions(-)
> >  create mode 100644 policy/test_anon_inode_class.cil
> >
> > diff --git a/policy/Makefile b/policy/Makefile
> > index 91364d5..dee55a2 100644
> > --- a/policy/Makefile
> > +++ b/policy/Makefile
> > @@ -39,6 +39,9 @@ ifeq ($(SUPPORTS_CIL),y)
> >  CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil
> >  # userfaultfd test policy uses also xperms
> >  ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true)
> > +ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true)
> > +CIL_TARGETS += test_anon_inode_class.cil
> > +endif
> >  CIL_TARGETS += test_userfaultfd.cil
> >  TARGETS += test_userfaultfd.te
> >  endif
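Review bot: the `grep -q anon_inode $(POLDEV)/include/support/all_perms.spt` guard assumes the header exists; when it does not (Dominick points out that refpolicy has no all_perms.spt), grep prints a "No such file" message to stderr on every make run and the condition falls through to defining the class without saying so. Consider `grep -qs` to silence the missing-file message and a one-line comment above the `ifneq` stating that a missing header is deliberately treated as "anon_inode not declared", so the fallback is documented rather than accidental. The check is also a plain substring match, so any mention of anon_inode in the header (a comment, an unrelated macro) counts as a declaration; that matches the pattern used elsewhere in the testsuite, as Ondrej says, but is worth noting in the same comment.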
> > diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil
> > new file mode 100644
> > index 0000000..3e36599
> > --- /dev/null
> > +++ b/policy/test_anon_inode_class.cil
> > @@ -0,0 +1,4 @@
> > +; Define new class anon_inode
> > +(class anon_inode ())
> > +(classcommon anon_inode file)
> > +(classorder (unordered anon_inode))
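Review bot: the new file's only comment is `; Define new class anon_inode`, which does not tell a reader why the class now lives in its own module; since this file is built only when the system policy headers lack anon_inode, add a second comment line saying so, otherwise one has to read policy/Makefile to understand the split. The declaration itself (`(class anon_inode ())`, `(classcommon anon_inode file)`, `(classorder (unordered anon_inode))`) is moved verbatim from test_userfaultfd.cil, so no behavioural change beyond the conditional inclusion.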
> > diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil
> > index 18d5f3f..f6a6791 100644
> > --- a/policy/test_userfaultfd.cil
> > +++ b/policy/test_userfaultfd.cil
> > @@ -1,8 +1,3 @@
> > -; Define new class anon_inode
> > -(class anon_inode ())
> > -(classcommon anon_inode file)
> > -(classorder (unordered anon_inode))
> > -
> >  ; Allow all anonymous inodes
> >  (typeattributeset cil_gen_require test_notransition_uffd_t)
> >  (allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))
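Review bot: after this hunk test_userfaultfd.cil uses `anon_inode` in the allow rule without declaring it anywhere in the file, relying on either the system policy or test_anon_inode_class.cil to supply the class. A one-line comment at the top naming that dependency would help anyone who loads this module by itself and hits a load failure, since nothing in the file now hints where the class is expected to come from.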
>
> --
> gpg --locate-keys dominick.grift@defensec.nl
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> Dominick Grift
>


-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
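The Makefile hunk decides whether the test policy must ship its own anon_inode declaration by grepping the system policy headers. The script below is an added example, not part of the patch or of selinux-testsuite; it reproduces that decision as shell functions and handles the case the thread raises (a policy with no all_perms.spt) explicitly, treating a missing header as "class not declared" and saying so on stderr. The header files it reads are constructed samples written to a temporary directory, in the m4 style of refpolicy's support headers; the target file names are taken from the patch.

```shell
#!/bin/sh
# Added example (not part of the patch or of selinux-testsuite): the same
# "is anon_inode already in the system policy headers?" decision as the
# Makefile hunk, with the missing-header case handled explicitly instead
# of silently falling through. Sample headers below are constructed.

# Exit status: 0 = header declares anon_inode, 1 = it does not,
# 2 = header missing or unreadable (e.g. a policy without all_perms.spt).
system_has_anon_inode() {
    spt="$1"
    [ -r "$spt" ] || return 2
    # Substring match, as in the Makefile: the header entry is named
    # all_anon_inode_perms, so a whole-word match for anon_inode would miss it.
    grep -q 'anon_inode' "$spt"
}

# Print the CIL target list the test policy should build, given header $1.
# A missing header (status 2) is treated like "not declared": that is the
# pre-patch behaviour and the one that works on policies without the class.
# The warning makes the guess visible to whoever is building the testsuite.
cil_targets_for() {
    targets="test_mlsconstrain.cil test_overlay_defaultrange.cil"
    rc=0
    system_has_anon_inode "$1" || rc=$?
    case $rc in
        0) ;;
        1) targets="$targets test_anon_inode_class.cil" ;;
        2) echo "warning: $1 not readable; assuming anon_inode is undefined" >&2
           targets="$targets test_anon_inode_class.cil" ;;
    esac
    echo "$targets test_userfaultfd.cil"
}

# Constructed sample headers standing in for $(POLDEV)/include/support/all_perms.spt.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/with.spt" <<'EOF'
define(`all_file_perms',`{ create getattr ioctl read }')
define(`all_anon_inode_perms',`{ create getattr ioctl read }')
EOF
cat > "$DEMO/without.spt" <<'EOF'
define(`all_file_perms',`{ create getattr ioctl read }')
EOF

# Newer policy: class already present, so no extra module is built.
cil_targets_for "$DEMO/with.spt"
# Older policy: class absent, so test_anon_inode_class.cil is added.
cil_targets_for "$DEMO/without.spt"
# No header at all (refpolicy-style layout): warn and define the class.
cil_targets_for "$DEMO/absent.spt"
```

The three calls at the end show the three outcomes; the last one prints the warning on stderr and still builds test_anon_inode_class.cil, which is what the patch does silently today.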


Thread overview: 4+ messages
2021-04-30  9:11 [PATCH testsuite] policy: only define anon_inode class if not defined in system policy Ondrej Mosnacek
2021-04-30 11:35 ` Dominick Grift
2021-04-30 12:39   ` Ondrej Mosnacek [this message]
2021-05-01  7:54 ` Ondrej Mosnacek