* [PATCH testsuite] policy: only define anon_inode class if not defined in system policy
@ 2021-04-30 9:11 Ondrej Mosnacek
2021-04-30 11:35 ` Dominick Grift
2021-05-01 7:54 ` Ondrej Mosnacek
0 siblings, 2 replies; 4+ messages in thread
From: Ondrej Mosnacek @ 2021-04-30 9:11 UTC (permalink / raw)
To: selinux
When the system policy already defines this class, loading the test
policy fails with:
Re-declaration of class anon_inode
Previous declaration of class at /var/lib/selinux/targeted/tmp/modules/100/base/cil:1003
Bad class declaration at /var/lib/selinux/targeted/tmp/modules/400/test_userfaultfd/cil:2
/usr/sbin/semodule: Failed!
Fix this by only including the anon_inode class declarations when it's
not found in the system policy headers.
Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/Makefile | 3 +++
policy/test_anon_inode_class.cil | 4 ++++
policy/test_userfaultfd.cil | 5 -----
3 files changed, 7 insertions(+), 5 deletions(-)
create mode 100644 policy/test_anon_inode_class.cil
diff --git a/policy/Makefile b/policy/Makefile
index 91364d5..dee55a2 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -39,6 +39,9 @@ ifeq ($(SUPPORTS_CIL),y)
CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil
# userfaultfd test policy uses also xperms
ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true)
+ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true)
+CIL_TARGETS += test_anon_inode_class.cil
+endif
CIL_TARGETS += test_userfaultfd.cil
TARGETS += test_userfaultfd.te
endif
diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil
new file mode 100644
index 0000000..3e36599
--- /dev/null
+++ b/policy/test_anon_inode_class.cil
@@ -0,0 +1,4 @@
+; Define new class anon_inode
+(class anon_inode ())
+(classcommon anon_inode file)
+(classorder (unordered anon_inode))
diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil
index 18d5f3f..f6a6791 100644
--- a/policy/test_userfaultfd.cil
+++ b/policy/test_userfaultfd.cil
@@ -1,8 +1,3 @@
-; Define new class anon_inode
-(class anon_inode ())
-(classcommon anon_inode file)
-(classorder (unordered anon_inode))
-
; Allow all anonymous inodes
(typeattributeset cil_gen_require test_notransition_uffd_t)
(allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))
--
2.30.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH testsuite] policy: only define anon_inode class if not defined in system policy
2021-04-30 9:11 [PATCH testsuite] policy: only define anon_inode class if not defined in system policy Ondrej Mosnacek
@ 2021-04-30 11:35 ` Dominick Grift
2021-04-30 12:39 ` Ondrej Mosnacek
2021-05-01 7:54 ` Ondrej Mosnacek
1 sibling, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2021-04-30 11:35 UTC (permalink / raw)
To: Ondrej Mosnacek; +Cc: selinux
Ondrej Mosnacek <omosnace@redhat.com> writes:
> When the system policy already defines this class, loading the test
> policy fails with:
>
> Re-declaration of class anon_inode
> Previous declaration of class at /var/lib/selinux/targeted/tmp/modules/100/base/cil:1003
> Bad class declaration at /var/lib/selinux/targeted/tmp/modules/400/test_userfaultfd/cil:2
> /usr/sbin/semodule: Failed!
>
> Fix this by only including the anon_inode class declarations when it's
> not found in the system policy headers.
Reference policy does not have a "all_perms.spt" AFAIK. This might only work
with Fedora.
>
> Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
> policy/Makefile | 3 +++
> policy/test_anon_inode_class.cil | 4 ++++
> policy/test_userfaultfd.cil | 5 -----
> 3 files changed, 7 insertions(+), 5 deletions(-)
> create mode 100644 policy/test_anon_inode_class.cil
>
> diff --git a/policy/Makefile b/policy/Makefile
> index 91364d5..dee55a2 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -39,6 +39,9 @@ ifeq ($(SUPPORTS_CIL),y)
> CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil
> # userfaultfd test policy uses also xperms
> ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true)
> +ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +CIL_TARGETS += test_anon_inode_class.cil
> +endif
> CIL_TARGETS += test_userfaultfd.cil
> TARGETS += test_userfaultfd.te
> endif
> diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil
> new file mode 100644
> index 0000000..3e36599
> --- /dev/null
> +++ b/policy/test_anon_inode_class.cil
> @@ -0,0 +1,4 @@
> +; Define new class anon_inode
> +(class anon_inode ())
> +(classcommon anon_inode file)
> +(classorder (unordered anon_inode))
> diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil
> index 18d5f3f..f6a6791 100644
> --- a/policy/test_userfaultfd.cil
> +++ b/policy/test_userfaultfd.cil
> @@ -1,8 +1,3 @@
> -; Define new class anon_inode
> -(class anon_inode ())
> -(classcommon anon_inode file)
> -(classorder (unordered anon_inode))
> -
> ; Allow all anonymous inodes
> (typeattributeset cil_gen_require test_notransition_uffd_t)
> (allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH testsuite] policy: only define anon_inode class if not defined in system policy
2021-04-30 11:35 ` Dominick Grift
@ 2021-04-30 12:39 ` Ondrej Mosnacek
0 siblings, 0 replies; 4+ messages in thread
From: Ondrej Mosnacek @ 2021-04-30 12:39 UTC (permalink / raw)
To: Dominick Grift; +Cc: SElinux list
On Fri, Apr 30, 2021 at 1:35 PM Dominick Grift
<dominick.grift@defensec.nl> wrote:
> Ondrej Mosnacek <omosnace@redhat.com> writes:
>
> > When the system policy already defines this class, loading the test
> > policy fails with:
> >
> > Re-declaration of class anon_inode
> > Previous declaration of class at /var/lib/selinux/targeted/tmp/modules/100/base/cil:1003
> > Bad class declaration at /var/lib/selinux/targeted/tmp/modules/400/test_userfaultfd/cil:2
> > /usr/sbin/semodule: Failed!
> >
> > Fix this by only including the anon_inode class declarations when it's
> > not found in the system policy headers.
>
> Reference policy does not have a "all_perms.spt" AFAIK. This might only work
> with Fedora.
Could be, but this pattern is already used elsewhere in the testsuite,
so for now this'll have to do...
>
> >
> > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> > policy/Makefile | 3 +++
> > policy/test_anon_inode_class.cil | 4 ++++
> > policy/test_userfaultfd.cil | 5 -----
> > 3 files changed, 7 insertions(+), 5 deletions(-)
> > create mode 100644 policy/test_anon_inode_class.cil
> >
> > diff --git a/policy/Makefile b/policy/Makefile
> > index 91364d5..dee55a2 100644
> > --- a/policy/Makefile
> > +++ b/policy/Makefile
> > @@ -39,6 +39,9 @@ ifeq ($(SUPPORTS_CIL),y)
> > CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil
> > # userfaultfd test policy uses also xperms
> > ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true)
> > +ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true)
> > +CIL_TARGETS += test_anon_inode_class.cil
> > +endif
> > CIL_TARGETS += test_userfaultfd.cil
> > TARGETS += test_userfaultfd.te
> > endif
> > diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil
> > new file mode 100644
> > index 0000000..3e36599
> > --- /dev/null
> > +++ b/policy/test_anon_inode_class.cil
> > @@ -0,0 +1,4 @@
> > +; Define new class anon_inode
> > +(class anon_inode ())
> > +(classcommon anon_inode file)
> > +(classorder (unordered anon_inode))
> > diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil
> > index 18d5f3f..f6a6791 100644
> > --- a/policy/test_userfaultfd.cil
> > +++ b/policy/test_userfaultfd.cil
> > @@ -1,8 +1,3 @@
> > -; Define new class anon_inode
> > -(class anon_inode ())
> > -(classcommon anon_inode file)
> > -(classorder (unordered anon_inode))
> > -
> > ; Allow all anonymous inodes
> > (typeattributeset cil_gen_require test_notransition_uffd_t)
> > (allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))
>
> --
> gpg --locate-keys dominick.grift@defensec.nl
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> Dominick Grift
>
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH testsuite] policy: only define anon_inode class if not defined in system policy
2021-04-30 9:11 [PATCH testsuite] policy: only define anon_inode class if not defined in system policy Ondrej Mosnacek
2021-04-30 11:35 ` Dominick Grift
@ 2021-05-01 7:54 ` Ondrej Mosnacek
1 sibling, 0 replies; 4+ messages in thread
From: Ondrej Mosnacek @ 2021-05-01 7:54 UTC (permalink / raw)
To: SElinux list
On Fri, Apr 30, 2021 at 11:11 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> When the system policy already defines this class, loading the test
> policy fails with:
>
> Re-declaration of class anon_inode
> Previous declaration of class at /var/lib/selinux/targeted/tmp/modules/100/base/cil:1003
> Bad class declaration at /var/lib/selinux/targeted/tmp/modules/400/test_userfaultfd/cil:2
> /usr/sbin/semodule: Failed!
>
> Fix this by only including the anon_inode class declarations when it's
> not found in the system policy headers.
>
> Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
> policy/Makefile | 3 +++
> policy/test_anon_inode_class.cil | 4 ++++
> policy/test_userfaultfd.cil | 5 -----
> 3 files changed, 7 insertions(+), 5 deletions(-)
> create mode 100644 policy/test_anon_inode_class.cil
>
> diff --git a/policy/Makefile b/policy/Makefile
> index 91364d5..dee55a2 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -39,6 +39,9 @@ ifeq ($(SUPPORTS_CIL),y)
> CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil
> # userfaultfd test policy uses also xperms
> ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true)
> +ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +CIL_TARGETS += test_anon_inode_class.cil
> +endif
> CIL_TARGETS += test_userfaultfd.cil
> TARGETS += test_userfaultfd.te
> endif
> diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil
> new file mode 100644
> index 0000000..3e36599
> --- /dev/null
> +++ b/policy/test_anon_inode_class.cil
> @@ -0,0 +1,4 @@
> +; Define new class anon_inode
> +(class anon_inode ())
> +(classcommon anon_inode file)
> +(classorder (unordered anon_inode))
> diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil
> index 18d5f3f..f6a6791 100644
> --- a/policy/test_userfaultfd.cil
> +++ b/policy/test_userfaultfd.cil
> @@ -1,8 +1,3 @@
> -; Define new class anon_inode
> -(class anon_inode ())
> -(classcommon anon_inode file)
> -(classorder (unordered anon_inode))
> -
> ; Allow all anonymous inodes
> (typeattributeset cil_gen_require test_notransition_uffd_t)
> (allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))
> --
> 2.30.2
Now applied:
https://github.com/SELinuxProject/selinux-testsuite/commit/9267bc9fbc1b31107eac42b0870075507c5a2e6c
--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-05-01 7:55 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-30 9:11 [PATCH testsuite] policy: only define anon_inode class if not defined in system policy Ondrej Mosnacek
2021-04-30 11:35 ` Dominick Grift
2021-04-30 12:39 ` Ondrej Mosnacek
2021-05-01 7:54 ` Ondrej Mosnacek
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.