* [PATCH v2 0/2] Selinux tests for Infiniband
@ 2017-05-30 16:34 Dan Jurgens
  2017-05-30 16:34 ` [PATCH v2 1/2] selinux-testsuite: Infiniband pkey tests Dan Jurgens
  2017-05-30 16:34 ` [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests Dan Jurgens
  0 siblings, 2 replies; 15+ messages in thread
From: Dan Jurgens @ 2017-05-30 16:34 UTC
  To: selinux, sds, paul

From: Daniel Jurgens <danielj@mellanox.com>

Implements new tests for Infiniband pkeys and endports. Because infiniband
isn't widely used, and when it is the configuration is site specific,
configuration files are used to enable the tests and set environment
specific settings. When the tests are disabled they always show as passed.

If enabled, the tests require corresponding updates to selinux, refpolicy,
and the linux kernel.

---

v1:
- Synchronize interface names with changes to refpolicy.
- Change tests to not assume that default pkey is labeled.
- See patches v1 notes for more detail.

v2:
- Use ifdefs around new corenet_ib* interfaces.
- Exclude endport policy if infiniband_endport class is undefined.
- Use a stub makefile in tests/infiniband_endport vs a new SUBDIRS_NO_MAKE
  list in the makefile.
- Style cleanup in new pkey test program.
- Updated README for new dependency.

Daniel Jurgens (2):
  selinux-testsuite: Infiniband pkey tests
  selinux-testsuite: Infiniband endport tests

 README                                       |  17 +++-
 policy/Makefile                              |   7 +-
 policy/test_ibendport.te                     |  40 ++++++++
 policy/test_ibpkey.te                        |  30 ++++++
 tests/Makefile                               |   4 +-
 tests/infiniband_endport/Makefile            |   2 +
 tests/infiniband_endport/ibendport_test.conf |  14 +++
 tests/infiniband_endport/test                |  49 ++++++++++
 tests/infiniband_pkey/Makefile               |   7 ++
 tests/infiniband_pkey/create_modify_qp.c     | 136 +++++++++++++++++++++++++++
 tests/infiniband_pkey/ibpkey_test.conf       |  18 ++++
 tests/infiniband_pkey/test                   |  84 +++++++++++++++++
 12 files changed, 404 insertions(+), 4 deletions(-)
 create mode 100644 policy/test_ibendport.te
 create mode 100644 policy/test_ibpkey.te
 create mode 100644 tests/infiniband_endport/Makefile
 create mode 100644 tests/infiniband_endport/ibendport_test.conf
 create mode 100755 tests/infiniband_endport/test
 create mode 100644 tests/infiniband_pkey/Makefile
 create mode 100644 tests/infiniband_pkey/create_modify_qp.c
 create mode 100644 tests/infiniband_pkey/ibpkey_test.conf
 create mode 100755 tests/infiniband_pkey/test

-- 
2.12.2


* [PATCH v2 1/2] selinux-testsuite: Infiniband pkey tests
  2017-05-30 16:34 [PATCH v2 0/2] Selinux tests for Infiniband Dan Jurgens
@ 2017-05-30 16:34 ` Dan Jurgens
  2017-05-30 16:34 ` [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests Dan Jurgens
  1 sibling, 0 replies; 15+ messages in thread
From: Dan Jurgens @ 2017-05-30 16:34 UTC
  To: selinux, sds, paul

From: Daniel Jurgens <danielj@mellanox.com>

New tests for infiniband pkeys. Most users don't have Infiniband
hardware, and if they do the pkey configuration is not standardized.
There is a configuration file for enabling the test and setting
environment specific test configurations. If the tests are disabled they
will always show as passed.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>

---
v1:
- Synchronized interface names with refpolicy changes.
- Changed pkey test to not assume the default pkey is labeled; instead
it takes a list of indexes of labeled and unlabeled pkeys.  It checks
that the labeled ones aren't allowed and the unlabeled ones are allowed,
and it labels the unlabeled ones to make sure they aren't allowed once
labeled.

v2:
Stephen Smalley:
- Ifdef around new corenet_ib* interfaces.
- Updated README with libibverbs-devel dependency.
- Ran new test program through astyle with recommended settings.
---
 README                                   |  12 ++-
 policy/Makefile                          |   3 +-
 policy/test_ibpkey.te                    |  30 +++++++
 tests/Makefile                           |   4 +-
 tests/infiniband_pkey/Makefile           |   7 ++
 tests/infiniband_pkey/create_modify_qp.c | 136 +++++++++++++++++++++++++++++++
 tests/infiniband_pkey/ibpkey_test.conf   |  18 ++++
 tests/infiniband_pkey/test               |  84 +++++++++++++++++++
 8 files changed, 290 insertions(+), 4 deletions(-)
 create mode 100644 policy/test_ibpkey.te
 create mode 100644 tests/infiniband_pkey/Makefile
 create mode 100644 tests/infiniband_pkey/create_modify_qp.c
 create mode 100644 tests/infiniband_pkey/ibpkey_test.conf
 create mode 100644 tests/infiniband_pkey/test

diff --git a/README b/README
index deedae5..a4c8ebb 100644
--- a/README
+++ b/README
@@ -68,8 +68,9 @@ libselinux-devel # to build some of the test programs
 net-tools # for ifconfig, used by capable_net/test
 netlabel_tools # to load NetLabel configuration during inet_socket tests
 iptables # to load iptables SECMARK rules during inet_socket tests
+libibverbs-devel # to build ibpkey test program.
 
-yum install perl-Test perl-Test-Harness perl-Test-Simple selinux-policy-devel gcc libselinux-devel net-tools netlabel_tools iptables
+yum install perl-Test perl-Test-Harness perl-Test-Simple selinux-policy-devel gcc libselinux-devel net-tools netlabel_tools iptables libibverbs-devel
 
 The testsuite requires a pre-existing base policy configuration of
 SELinux, using either the old example policy or the reference policy
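Review bot: style nit on the added dependency line: the neighbouring entries have no trailing period and name what uses the package ("used by capable_net/test"), so `libibverbs-devel # to build the infiniband_pkey test program` would match them. Worth stating here too that, because tests/Makefile adds infiniband_pkey to SUBDIRS unconditionally, this package is now needed to build the whole suite, not only when the Infiniband tests are enabled.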
@@ -195,3 +196,12 @@ establish a base directory (based on the path of the script
 executable).  This won't always be accurate, but will work for this
 test harness/configuration.
 	$basedir = $0;  $basedir =~ s|(.*)/[^/]*|$1|;
+
+INFINIBAND TESTS
+----------------
+Because running Infiniband tests requires specialized hardware you must
+set up a configuration file for these tests. The tests are disabled by
+default.  See comments in the configuration file for info.
+
+Infiniband PKey test conf file:
+tests/infiniband_pkey/ibpkey_test.conf
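Review bot: the new section should spell out the software prerequisites the cover letter only alludes to (a kernel, refpolicy and selinux userspace with Infiniband support): tests/infiniband_pkey/test shells out to `semanage ibpkey` and the policy depends on the corenet_ib_* interfaces, so an enabled test on a system without them fails inside semanage with no hint that the prerequisite is missing. A sentence saying "requires semanage with ibpkey support and a policy providing corenet_ib_pkey/corenet_ib_access_unlabeled_pkeys" next to the conf file path would save the reader a debugging session.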
diff --git a/policy/Makefile b/policy/Makefile
index 7bc7f95..46c9fb5 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -22,7 +22,8 @@ TARGETS = \
 	test_task_create.te test_task_getpgid.te test_task_getsched.te \
 	test_task_getsid.te test_task_setpgid.te test_task_setsched.te \
 	test_transition.te test_inet_socket.te test_unix_socket.te \
-	test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te
+	test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \
+	test_ibpkey.te
 
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te
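Review bot: test_ibpkey.te is added to TARGETS unconditionally, whereas patch 2 guards test_ibendport.te with a grep for the infiniband_endport class in all_perms.spt. The ifdef() wrappers inside test_ibpkey.te keep it compiling on a refpolicy without the corenet_ib_* interfaces, but for consistency (and so that a missing infiniband_pkey class is an obvious skip rather than a half-built test domain whose semanage call later fails) consider the same `ifeq ($(shell grep -q infiniband_pkey $(POLDEV)/include/support/all_perms.spt && echo true),true)` guard here.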
diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
new file mode 100644
index 0000000..373404c
--- /dev/null
+++ b/policy/test_ibpkey.te
@@ -0,0 +1,30 @@
+#################################
+#
+# Policy for testing Infiniband Pkey access.
+#
+
+attribute ibpkeydomain;
+
+# Domain for process.
+type test_ibpkey_access_t;
+domain_type(test_ibpkey_access_t)
+unconfined_runs_test(test_ibpkey_access_t)
+typeattribute test_ibpkey_access_t testdomain;
+typeattribute test_ibpkey_access_t ibpkeydomain;
+
+dev_rw_infiniband_dev(test_ibpkey_access_t)
+dev_rw_sysfs(test_ibpkey_access_t)
+
+# Define a pkey type for labeling pkeys during the test.
+type test_ibpkey_t;
+ifdef(`corenet_ib_pkey',`
+corenet_ib_pkey(test_ibpkey_t)
+')
+
+ifdef(`corenet_ib_access_unlabeled_pkeys',`
+corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
+')
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(ibpkeydomain)
+userdom_sysadm_entry_spec_domtrans_to(ibpkeydomain)
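Review bot: the two negative checks in tests/infiniband_pkey/test depend on this file containing no `allow test_ibpkey_access_t test_ibpkey_t:infiniband_pkey access;` rule; that absence is load-bearing, so add a comment saying the domain is deliberately limited to unlabeled pkeys via corenet_ib_access_unlabeled_pkeys and must never be granted access to test_ibpkey_t. Also, when `corenet_ib_pkey` is undefined test_ibpkey_t is a plain type with no pkey attribute, and the `semanage ibpkey -a -t test_ibpkey_t` call in the test script will then be rejected; a short note on the ifdef would make that failure mode easy to recognise.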
diff --git a/tests/Makefile b/tests/Makefile
index fb8a0aa..7dfe2a8 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -4,13 +4,13 @@ export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE
 
 DISTRO=$(shell ./os_detect)
 
-SUBDIRS:=domain_trans entrypoint execshare exectrace execute_no_trans \
+SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
 	fdreceive inherit link mkdir msg open ptrace readlink relabel rename \
 	rxdir sem setattr setnice shm sigkill stat sysctl task_create \
 	task_setnice task_setscheduler task_getscheduler task_getsid \
 	task_getpgid task_setpgid file ioctl capable_file capable_net \
 	capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \
-	overlay checkreqprot mqueue mac_admin
+	overlay checkreqprot mqueue mac_admin infiniband_pkey
 
 ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true)
 ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
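Review bot: the `SUBDIRS:=domain_trans` to `SUBDIRS:= domain_trans` change is an unrelated whitespace edit; drop it so the hunk is only the one-word addition. Separately, infiniband_pkey is added unconditionally, so `make` for the whole suite now fails on any machine without libibverbs-devel (create_modify_qp.c includes <infiniband/verbs.h>) even though the test is disabled by default. The cap_userns block directly below shows the existing pattern: guard the subdir on the infiniband_pkey class being present in all_perms.spt, or on the verbs header being available.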
diff --git a/tests/infiniband_pkey/Makefile b/tests/infiniband_pkey/Makefile
new file mode 100644
index 0000000..60f0d24
--- /dev/null
+++ b/tests/infiniband_pkey/Makefile
@@ -0,0 +1,7 @@
+TARGETS=create_modify_qp
+
+LDLIBS+= -libverbs
+
+all: $(TARGETS)
+clean:
+	rm -f $(TARGETS)
diff --git a/tests/infiniband_pkey/create_modify_qp.c b/tests/infiniband_pkey/create_modify_qp.c
new file mode 100644
index 0000000..0c89e91
--- /dev/null
+++ b/tests/infiniband_pkey/create_modify_qp.c
@@ -0,0 +1,136 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <assert.h>
+#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <infiniband/verbs.h>
+
+struct ibv_qp	   *qp;
+struct ibv_context *context;
+struct ibv_pd      *pd;
+struct ibv_cq      *cq;
+struct ibv_srq     *srq;
+
+void cleanup_ib_rsrc()
+{
+	ibv_destroy_qp(qp);
+	ibv_destroy_srq(srq);
+	ibv_destroy_cq(cq);
+	ibv_dealloc_pd(pd);
+	ibv_close_device(context);
+}
+
+int init_ib_rsrc(char *deviceName)
+{
+	int                 ndev = 0;
+	struct ibv_device  **dlist = ibv_get_device_list(&ndev);
+	struct ibv_device  *device = NULL;;
+	struct ibv_srq_init_attr srqiattr;
+	struct ibv_qp_init_attr qpiattr;
+	int i;
+
+	if (!ndev) {
+		fprintf(stderr, "No IB devices found.\n");
+		exit(1);
+	}
+
+	for (i = 0; i < ndev; i++)
+		if(!strcmp(deviceName, dlist[i]->name))
+			device = dlist[i];
+
+	if (!device) {
+		fprintf(stderr, "Couldn't find device %s\n", deviceName);
+		exit(1);
+	}
+	/* Open context */
+	context = ibv_open_device(device);
+	if (NULL == context) {
+		fprintf(stderr, "Unable to open device.\n");
+		exit(1);
+	}
+
+	/* Allocate PD */
+	pd = ibv_alloc_pd(context);
+	if (!pd) {
+		fprintf(stderr, "Unable to allocate PD.\n");
+		exit(1);
+	}
+
+	/* Create CQ */
+	cq = ibv_create_cq(context, 2048, NULL, NULL, 0);
+	if (!cq) {
+		fprintf(stderr, "Unable to create cq.\n");
+		exit(1);
+	}
+
+	/* Create SRQ */
+	memset(&srqiattr, 0, sizeof(srqiattr));
+	srqiattr.attr.max_wr    = 2048;
+	srqiattr.attr.max_sge   = 4;
+	srqiattr.attr.srq_limit = 1024;
+	srq = ibv_create_srq(pd, &srqiattr);
+	if (NULL == srq) {
+		fprintf(stderr, "Unable to create sreq.\n");
+		exit(1);
+	}
+
+	memset(&qpiattr, 0, sizeof(qpiattr));
+	qpiattr.send_cq = cq;
+	qpiattr.recv_cq = cq;
+	qpiattr.srq     = srq;
+	qpiattr.cap.max_send_wr = 128;
+	qpiattr.cap.max_recv_wr = 4;
+	qpiattr.cap.max_send_sge = 5;
+	qpiattr.cap.max_recv_sge = 4;
+	qpiattr.cap.max_inline_data = 512;
+	qpiattr.qp_type = IBV_QPT_RC;
+	qpiattr.sq_sig_all = 1;
+	qp = ibv_create_qp(pd, &qpiattr);
+
+	if (!qp) {
+		fprintf(stderr, "Unable to create QP %d.\n", i);
+		exit(1);
+	}
+
+	return 0;
+}
+
+int init_rc_qp(uint8_t port, uint16_t pkey_index)
+{
+	struct ibv_qp_attr attr = {
+		.qp_state        = IBV_QPS_INIT,
+		.pkey_index      = pkey_index,
+		.port_num        = port,
+		.qp_access_flags = 0
+	};
+
+	return ibv_modify_qp(qp, &attr,
+			     IBV_QP_STATE |
+			     IBV_QP_PKEY_INDEX |
+			     IBV_QP_PORT |
+			     IBV_QP_ACCESS_FLAGS);
+}
+
+int main(int argc, char *argv[])
+{
+	uint16_t pkey_index;
+	uint8_t port;
+	int ret;
+
+	if (argc != 4) {
+		printf("Please enter <ib device name> <port number> <pkey index>\n");
+		exit(1);
+	}
+	port = atoi(argv[2]);
+	pkey_index = atoi(argv[3]);
+
+	init_ib_rsrc(argv[1]);
+
+	ret = init_rc_qp(port, pkey_index);
+	cleanup_ib_rsrc();
+	exit(ret);
+}
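Review bot: main() hands the raw return value of ibv_modify_qp() to exit(), and tests/infiniband_pkey/test compares `$result>>8` against 13; that is an errno contract (EACCES for the LSM denial) that only holds because ibv_modify_qp() returns the errno value directly. Please document it in a comment at `exit(ret)` and clamp anything that would not survive the 8-bit exit status to a fixed failure code. Smaller points in the same file: the QP failure message prints `i`, which after the device loop is just ndev and not a QP number; `Unable to create sreq.` should read `srq`; `struct ibv_device *device = NULL;;` has a doubled semicolon; the list returned by ibv_get_device_list() is never released with ibv_free_device_list(); the `<sys/socket.h>`, `<netinet/in.h>`, `<arpa/inet.h>` and `<assert.h>` includes are unused; and `cleanup_ib_rsrc()` should be declared `(void)`.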
diff --git a/tests/infiniband_pkey/ibpkey_test.conf b/tests/infiniband_pkey/ibpkey_test.conf
new file mode 100644
index 0000000..59f738d
--- /dev/null
+++ b/tests/infiniband_pkey/ibpkey_test.conf
@@ -0,0 +1,18 @@
+# Enable(1)/Disable these tests
+SELINUX_INFINIBAND_PKEY_TEST=0
+
+# Infiniband device to use.
+SELINUX_INFINIBAND_PKEY_TEST_DEV=mlx5_3
+
+# Physical port on the device to use.
+SELINUX_INFINIBAND_PKEY_TEST_PORT=1
+
+# CSV list of pkey table indexes containing labeled PKeys
+# These will not be allowed. 
+SELINUX_INFINIBAND_TEST_LABELED_PKEYS=
+
+# CSV list of pkey table indexes containing unlabelde PKeys
+# This will be allowed, then temporarily labeled to see that
+# they are disallowed.
+SELINUX_INFINIBAND_TEST_UNLABELED_PKEYS=0
+
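Review bot: `unlabelde` should be `unlabeled`, and `# These will not be allowed. ` carries trailing whitespace. It would also help to state that both lists hold pkey table indexes (the `N` in /sys/class/infiniband/<dev>/ports/<port>/pkeys/N), not pkey values, and that with LABELED left empty the third check in the test script is vacuous, so a site wanting the negative case covered has to configure at least one index there.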
diff --git a/tests/infiniband_pkey/test b/tests/infiniband_pkey/test
new file mode 100644
index 0000000..d40a1f6
--- /dev/null
+++ b/tests/infiniband_pkey/test
@@ -0,0 +1,84 @@
+#!/usr/bin/perl
+
+use Test;
+
+BEGIN { plan tests => 3}
+
+$basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|;
+
+my %conf;
+$confpath = $basedir."/ibpkey_test.conf";
+open($f, $confpath) or die ("Couldn't open $confpath");
+while($r = <$f>) {
+	if ($r =~ /^\s*#/ || $r =~ /^\s*$/) { next; }
+	chomp $r;
+	($k,$v) = split(/=/, $r);
+	$conf{$k} = $v;
+}
+close($f);
+
+if ($conf{SELINUX_INFINIBAND_PKEY_TEST} eq 1) {
+	$device = $conf{SELINUX_INFINIBAND_PKEY_TEST_DEV};
+	$port = $conf{SELINUX_INFINIBAND_PKEY_TEST_PORT};
+
+	# Read GID 0, to get the subnet prefix.
+	$gid_path = "/sys/class/infiniband/".$device."/ports/".$port."/gids/0";
+	open($f, $gid_path) or die ("Couldn't open $gid_path");
+	$gid = <$f>;
+	close($f);
+	# The gid sysfs shows a fully expanded ipv6 address, just take the
+	# top half.
+	@tmp = unpack('(a20)*', $gid);
+	$subnet_prefix = $tmp[0].":";
+
+	@labeled_pkeys = split(/,/, $conf{SELINUX_INFINIBAND_TEST_LABELED_PKEYS});
+	@unlabeled_pkeys = split(/,/, $conf{SELINUX_INFINIBAND_TEST_UNLABELED_PKEYS});
+
+	foreach (@unlabeled_pkeys) {
+		$result = system "runcon -t test_ibpkey_access_t $basedir/create_modify_qp $device $port $_";
+		if($result ne 0) {
+			last;
+		}
+	}
+	if (@unlabeled_pkeys) {
+		ok($result, 0);
+	} else {
+		ok(1);
+	}
+
+	foreach (@unlabeled_pkeys) {
+		$pkey_path = "/sys/class/infiniband/".$device."/ports/".$port."/pkeys/".$_;
+		open($f, $pkey_path) or die ("Couldn't open $pkey_path");
+		$pkey_val = <$f>;
+		close($f);
+
+		system "semanage ibpkey -a -t test_ibpkey_t -x $subnet_prefix $pkey_val";
+		$result = system "runcon -t test_ibpkey_access_t $basedir/create_modify_qp $device $port $_";
+		system "semanage ibpkey -d -t test_ibpkey_t -x $subnet_prefix $pkey_val";
+		if ($result>>8 ne 13) {
+			last;
+		}
+	}
+	if (@unlabeled_pkeys) {
+		ok($result>>8, 13);
+	} else {
+		ok(1);
+	}
+
+	foreach (@labeled_pkeys) {
+		$result = system "runcon -t test_ibpkey_access_t $basedir/create_modify_qp $device $port $_";
+		if ($result>>8 ne 13) {
+			last;
+		}
+	}
+	if (@labeled_pkeys) {
+		ok($result>>8, 13);
+	} else {
+		ok(1);
+	}
+} else {
+	ok(1);
+	ok(1);
+	ok(1);
+}
+exit;
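Review bot: the `semanage ibpkey -a` in the second loop runs without its exit status being checked, so if the add fails (no ibpkey support in the installed policycoreutils, a record that already exists, or test_ibpkey_t lacking the pkey attribute because corenet_ib_pkey was undefined) the script still runs create_modify_qp, gets success instead of EACCES, and reports the denial test as failed with nothing pointing at semanage. Check the add's return value and `die` (or skip with a message) before the runcon. Also: `$pkey_val` is read from sysfs without `chomp`, so the trailing newline is interpolated into the command string; `$result>>8 ne 13` is a string comparison on an integer where `!=` is meant; and the file is created 0644 here and only made executable in patch 2, as Stephen noted, so the mode change belongs in this patch.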
-- 
2.12.2


* [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-05-30 16:34 [PATCH v2 0/2] Selinux tests for Infiniband Dan Jurgens
  2017-05-30 16:34 ` [PATCH v2 1/2] selinux-testsuite: Infiniband pkey tests Dan Jurgens
@ 2017-05-30 16:34 ` Dan Jurgens
  2017-05-30 17:09   ` Stephen Smalley
  1 sibling, 1 reply; 15+ messages in thread
From: Dan Jurgens @ 2017-05-30 16:34 UTC
  To: selinux, sds, paul

From: Daniel Jurgens <danielj@mellanox.com>

New tests for Infiniband endports. Most users do not have infiniband
hardware, and if they do the device names can vary.  There is a
configuration file for enabling the tests and setting environment
specific configurations.  If the tests are disabled they always show as
passed.

A special test application was unnecessary; a standard diagnostic
application is used instead.  This required a change to the makefile
to avoid trying to build an application in the new subdir.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>

---
v1:
- Synchronize interface names with refpolicy changes.
- Allowed access to unlabeled pkeys vs default pkey, default pkey is no
longer labeled in the refpolicy.

v2:
Stephen Smalley:
- Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
- Use ifdefs around corenet_ib* interfaces.
- Only build the test_ibendport.te file if the infiniband_endport class
is available.
- Use corecmd_bin_entry_type interface instead of allow ... bin_t:
---
 README                                       |  7 +++-
 policy/Makefile                              |  4 +++
 policy/test_ibendport.te                     | 40 +++++++++++++++++++++++
 tests/Makefile                               |  2 +-
 tests/infiniband_endport/Makefile            |  2 ++
 tests/infiniband_endport/ibendport_test.conf | 14 ++++++++
 tests/infiniband_endport/test                | 49 ++++++++++++++++++++++++++++
 tests/infiniband_pkey/test                   |  0
 8 files changed, 116 insertions(+), 2 deletions(-)
 create mode 100644 policy/test_ibendport.te
 create mode 100644 tests/infiniband_endport/Makefile
 create mode 100644 tests/infiniband_endport/ibendport_test.conf
 create mode 100755 tests/infiniband_endport/test
 mode change 100644 => 100755 tests/infiniband_pkey/test

diff --git a/README b/README
index a4c8ebb..de50eb4 100644
--- a/README
+++ b/README
@@ -201,7 +201,12 @@ INFINIBAND TESTS
 ----------------
 Because running Infiniband tests requires specialized hardware you must
 set up a configuration file for these tests. The tests are disabled by
-default.  See comments in the configuration file for info.
+default.  See comments in the configuration file for info. The endport
+tests use smpquery, for Fedora it's provided by the infiniband-diags
+package.
 
 Infiniband PKey test conf file:
 tests/infiniband_pkey/ibpkey_test.conf
+
+Infiniband Endport test conf file:
+tests/infiniband_endport/ibendport_test.conf
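Review bot: the `yum install ...` line earlier in this README lists every other test dependency, so add infiniband-diags there as well, and say that the endport test runs `smpquery` under runcon; a reader who only follows the install line will otherwise see the allowed check fail with the real cause hidden behind the `2>/dev/null` in the script.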
diff --git a/policy/Makefile b/policy/Makefile
index 46c9fb5..c062009 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit $(POLDEV)/include/support/all_perms.spt && echo
 TARGETS += test_prlimit.te
 endif
 
+ifeq ($(shell grep -q infiniband_endport $(POLDEV)/include/support/all_perms.spt && echo true),true)
+TARGETS += test_ibendport.te
+endif
+
 ifeq ($(shell grep -q all_file_perms.*map $(POLDEV)/include/support/all_perms.spt && echo true),true)
 export M4PARAM = -Dmap_permission_defined
 endif
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
new file mode 100644
index 0000000..2a02c57
--- /dev/null
+++ b/policy/test_ibendport.te
@@ -0,0 +1,40 @@
+#################################
+#
+# Policy for testing Infiniband Pkey access.
+#
+
+gen_require(`
+	type bin_t;
+	type infiniband_mgmt_device_t;
+')
+
+attribute ibendportdomain;
+
+# Domain for process.
+type test_ibendport_manage_subnet_t;
+domain_type(test_ibendport_manage_subnet_t)
+unconfined_runs_test(test_ibendport_manage_subnet_t)
+typeattribute test_ibendport_manage_subnet_t testdomain;
+typeattribute test_ibendport_manage_subnet_t ibendportdomain;
+
+type test_ibendport_t;
+ifdef(`corenet_ib_endport',`
+corenet_ib_endport(test_ibendport_t)
+')
+
+dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
+dev_rw_sysfs(test_ibendport_manage_subnet_t)
+
+corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
+
+allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read write open ioctl};
+
+ifdef(`corenet_ib_access_unlabeled_pkeys',`
+corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
+')
+
+allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet;
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(ibendportdomain)
+userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
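Review bot: the header comment `Policy for testing Infiniband Pkey access.` was copied from test_ibpkey.te and should say endport access. The `type bin_t;` in gen_require is left over from v1's raw allow; now that corecmd_bin_entry_type() is used it is unused and can go (infiniband_mgmt_device_t is still needed for the raw chr_file allow). As with the pkey policy, the denied half of the test relies on manage_subnet being granted only on test_ibendport_t and on no rule for unlabeled endports; a comment stating that keeps someone from "fixing" it later.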
diff --git a/tests/Makefile b/tests/Makefile
index 7dfe2a8..369b678 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
 	task_setnice task_setscheduler task_getscheduler task_getsid \
 	task_getpgid task_setpgid file ioctl capable_file capable_net \
 	capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \
-	overlay checkreqprot mqueue mac_admin infiniband_pkey
+	overlay checkreqprot mqueue mac_admin infiniband_pkey infiniband_endport
 
 ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true)
 ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
diff --git a/tests/infiniband_endport/Makefile b/tests/infiniband_endport/Makefile
new file mode 100644
index 0000000..e7c006f
--- /dev/null
+++ b/tests/infiniband_endport/Makefile
@@ -0,0 +1,2 @@
+all:
+clean:
diff --git a/tests/infiniband_endport/ibendport_test.conf b/tests/infiniband_endport/ibendport_test.conf
new file mode 100644
index 0000000..601b290
--- /dev/null
+++ b/tests/infiniband_endport/ibendport_test.conf
@@ -0,0 +1,14 @@
+# Enable(1)/Disable these tests.
+SELINUX_INFINIBAND_ENDPORT_TEST=0
+
+# Device/port pair that should allow access.
+# The test uses semanage to allow, because
+# ibendports are all unlabeled by default
+# the reference policy. This allows using
+# the same device and port for both the pass
+# and fail testing as well.
+SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED=mlx5_3 1
+
+# Device/port pairs that should deny access.
+SELINUX_INFINIBAND_ENDPORT_TEST_DENIED=mlx5_2 1
+
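Review bot: the comment reads `unlabeled by default the reference policy`; it needs `in` (`by default in the reference policy`). More importantly the value format is only implied: the script splits the value on `,` and each item on a space, so document it as `<ibdev> <port>[,<ibdev> <port>...]` next to each setting, and drop the trailing blank line at end of file.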
diff --git a/tests/infiniband_endport/test b/tests/infiniband_endport/test
new file mode 100755
index 0000000..b4e553d
--- /dev/null
+++ b/tests/infiniband_endport/test
@@ -0,0 +1,49 @@
+#!/usr/bin/perl
+
+use Test;
+
+BEGIN { plan tests => 2}
+
+$basedir = $0;  $basedir =~ s|(.*)/[^/]*|$1|;
+
+my %conf;
+my $confpath = $basedir."/ibendport_test.conf";
+open($f, $confpath) or die ("Couldn't open ibtest.conf");
+while($r = <$f>) {
+	if ($r =~ /^\s*#/ || $r =~ /^\s*$/) { next; }
+	chomp $r;
+	($k,$v) = split(/=/, $r);
+	$conf{$k} = $v;
+}
+
+if ($conf{SELINUX_INFINIBAND_ENDPORT_TEST} eq 1) {
+	@allowed_device_port = split(/,/, $conf{SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED});
+	@denied_device_port = split(/,/, $conf{SELINUX_INFINIBAND_ENDPORT_TEST_DENIED});
+
+	foreach (@allowed_device_port) {
+		@dev_port_pair= split(/ /, $_);
+
+		system "semanage ibendport -a -t test_ibendport_t -z $_ 2>/dev/null";
+		$result = system "runcon -t test_ibendport_manage_subnet_t smpquery PKeyTable -C $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
+		system "semanage ibendport -d -t test_ibendport_t -z $_ 2>/dev/null";
+		if($result ne 0) {
+			last;
+		}
+	}
+	ok($result, 0);
+
+        foreach (@denied_device_port) {
+	        @dev_port_pair= split(/ /, $_);
+	        $result = system "runcon -t test_ibendport_manage_subnet_t smpquery PKeyTable -C $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
+
+		if ($result>>8 eq 0) {
+			last;
+		}
+	}
+
+	ok(int($result>>8) ne 0);
+} else {
+	ok(1);
+	ok(1);
+}
+exit;
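Review bot: the empty-list case is not handled, unlike in the pkey test. With SELINUX_INFINIBAND_ENDPORT_TEST_DENIED unset the second loop never runs, `$result` still holds the 0 from the allowed loop and `ok(int($result>>8) ne 0)` fails; with ALLOWED unset `$result` is undefined and `ok($result, 0)` fails. Mirror the `if (@list) { ok(...) } else { ok(1) }` shape from tests/infiniband_pkey/test. The denied check also passes on any non-zero status, so a missing smpquery (127) or a mistyped device name looks like a successful denial; at minimum reject 127 and only trust the denied result when the allowed run succeeded. Smaller points: the `die` message names `ibtest.conf` instead of `$confpath`; the config handle is never closed; the semanage add/delete status is discarded while `2>/dev/null` hides the reason; and the second `foreach` block is indented with spaces where the rest of the file uses tabs.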
diff --git a/tests/infiniband_pkey/test b/tests/infiniband_pkey/test
old mode 100644
new mode 100755
-- 
2.12.2


* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-05-30 16:34 ` [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests Dan Jurgens
@ 2017-05-30 17:09   ` Stephen Smalley
  2017-05-30 17:40     ` Daniel Jurgens
  0 siblings, 1 reply; 15+ messages in thread
From: Stephen Smalley @ 2017-05-30 17:09 UTC
  To: Dan Jurgens, selinux, paul

On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens <danielj@mellanox.com>
> 
> New tests for Infiniband endports. Most users do not have infiniband
> hardware, and if they do the device names can vary.  There is a
> configuration file for enabling the tests and setting environment
> specific configurations.  If the tests are disabled they always show
> as
> passed.
> 
> A special test application was unnecessary; a standard diagnostic
> application is used instead.  This required a change to the makefile
> to avoid trying to build an application in the new subdir.
> 
> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> 
> ---
> v1:
> - Synchronize interface names with refpolicy changes.
> - Allowed access to unlabeled pkeys vs default pkey, default pkey is
> no
> longer labeled in the refpolicy.
> 
> v2:
> Stephen Smalley:
> - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
> - Use ifdefs around corenet_ib* interfaces.
> - Only build the test_ibendport.te file if the infiniband_endport
> class
> is available.
> - Use corecmd_bin_entry_type interface instead of allow ... bin_t:
> ---
>  README                                       |  7 +++-
>  policy/Makefile                              |  4 +++
>  policy/test_ibendport.te                     | 40
> +++++++++++++++++++++++
>  tests/Makefile                               |  2 +-
>  tests/infiniband_endport/Makefile            |  2 ++
>  tests/infiniband_endport/ibendport_test.conf | 14 ++++++++
>  tests/infiniband_endport/test                | 49
> ++++++++++++++++++++++++++++
>  tests/infiniband_pkey/test                   |  0
>  8 files changed, 116 insertions(+), 2 deletions(-)
>  create mode 100644 policy/test_ibendport.te
>  create mode 100644 tests/infiniband_endport/Makefile
>  create mode 100644 tests/infiniband_endport/ibendport_test.conf
>  create mode 100755 tests/infiniband_endport/test
>  mode change 100644 => 100755 tests/infiniband_pkey/test
> 
> diff --git a/README b/README
> index a4c8ebb..de50eb4 100644
> --- a/README
> +++ b/README
> @@ -201,7 +201,12 @@ INFINIBAND TESTS
>  ----------------
>  Because running Infiniband tests requires specialized hardware you
> must
>  set up a configuration file for these tests. The tests are disabled
> by
> -default.  See comments in the configuration file for info.
> +default.  See comments in the configuration file for info. The
> endport
> +tests use smpquery, for Fedora it's provided by the infiniband-diags
> +package.
>  
>  Infiniband PKey test conf file:
>  tests/infiniband_pkey/ibpkey_test.conf
> +
> +Infiniband Endport test conf file:
> +tests/infiniband_endport/ibendport_test.conf
> diff --git a/policy/Makefile b/policy/Makefile
> index 46c9fb5..c062009 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit
> $(POLDEV)/include/support/all_perms.spt && echo
>  TARGETS += test_prlimit.te
>  endif
>  
> +ifeq ($(shell grep -q infiniband_endport
> $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +TARGETS += test_ibendport.te
> +endif
> +
>  ifeq ($(shell grep -q all_file_perms.*map
> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>  export M4PARAM = -Dmap_permission_defined
>  endif
> diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
> new file mode 100644
> index 0000000..2a02c57
> --- /dev/null
> +++ b/policy/test_ibendport.te
> @@ -0,0 +1,40 @@
> +#################################
> +#
> +# Policy for testing Infiniband Pkey access.
> +#
> +
> +gen_require(`
> +	type bin_t;
> +	type infiniband_mgmt_device_t;
> +')
> +
> +attribute ibendportdomain;
> +
> +# Domain for process.
> +type test_ibendport_manage_subnet_t;
> +domain_type(test_ibendport_manage_subnet_t)
> +unconfined_runs_test(test_ibendport_manage_subnet_t)
> +typeattribute test_ibendport_manage_subnet_t testdomain;
> +typeattribute test_ibendport_manage_subnet_t ibendportdomain;
> +
> +type test_ibendport_t;
> +ifdef(`corenet_ib_endport',`
> +corenet_ib_endport(test_ibendport_t)
> +')
> +
> +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
> +dev_rw_sysfs(test_ibendport_manage_subnet_t)
> +
> +corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
> +
> +allow test_ibendport_manage_subnet_t
> infiniband_mgmt_device_t:chr_file { read write open ioctl};
> +
> +ifdef(`corenet_ib_access_unlabeled_pkeys',`
> +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
> +')
> +
> +allow test_ibendport_manage_subnet_t
> test_ibendport_t:infiniband_endport manage_subnet;
> +
> +# Allow all of these domains to be entered from the sysadm domain.
> +miscfiles_domain_entry_test_files(ibendportdomain)
> +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
> diff --git a/tests/Makefile b/tests/Makefile
> index 7dfe2a8..369b678 100644
> --- a/tests/Makefile
> +++ b/tests/Makefile
> @@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare
> exectrace execute_no_trans \
>  	task_setnice task_setscheduler task_getscheduler task_getsid
> \
>  	task_getpgid task_setpgid file ioctl capable_file
> capable_net \
>  	capable_sys dyntrans dyntrace bounds nnp mmap unix_socket
> inet_socket \
> -	overlay checkreqprot mqueue mac_admin infiniband_pkey
> +	overlay checkreqprot mqueue mac_admin infiniband_pkey
> infiniband_endport
>  
>  ifeq ($(shell grep -q cap_userns
> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>  ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
> diff --git a/tests/infiniband_endport/Makefile
> b/tests/infiniband_endport/Makefile
> new file mode 100644
> index 0000000..e7c006f
> --- /dev/null
> +++ b/tests/infiniband_endport/Makefile
> @@ -0,0 +1,2 @@
> +all:
> +clean:
> diff --git a/tests/infiniband_endport/ibendport_test.conf
> b/tests/infiniband_endport/ibendport_test.conf
> new file mode 100644
> index 0000000..601b290
> --- /dev/null
> +++ b/tests/infiniband_endport/ibendport_test.conf
> @@ -0,0 +1,14 @@
> +# Enable(1)/Disable these tests.
> +SELINUX_INFINIBAND_ENDPORT_TEST=0
> +
> +# Device/port pair that should allow access.
> +# The test uses semanage to allow, because
> +# ibendports are all unlabeled by default
> +# the reference policy. This allows using
> +# the same device and port for both the pass
> +# and fail testing as well.
> +SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED=mlx5_3 1
> +
> +# Device/port pairs that should deny access.
> +SELINUX_INFINIBAND_ENDPORT_TEST_DENIED=mlx5_2 1
> +
> diff --git a/tests/infiniband_endport/test
> b/tests/infiniband_endport/test
> new file mode 100755
> index 0000000..b4e553d
> --- /dev/null
> +++ b/tests/infiniband_endport/test
> @@ -0,0 +1,49 @@
> +#!/usr/bin/perl
> +
> +use Test;
> +
> +BEGIN { plan tests => 2}
> +
> +$basedir = $0;  $basedir =~ s|(.*)/[^/]*|$1|;
> +
> +my %conf;
> +my $confpath = $basedir."/ibendport_test.conf";
> +open($f, $confpath) or die ("Couldn't open ibtest.conf");
> +while($r = <$f>) {
> +	if ($r =~ /^\s*#/ || $r =~ /^\s*$/) { next; }
> +	chomp $r;
> +	($k,$v) = split(/=/, $r);
> +	$conf{$k} = $v;
> +}
> +
> +if ($conf{SELINUX_INFINIBAND_ENDPORT_TEST} eq 1) {
> +	@allowed_device_port = split(/,/,
> $conf{SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED});
> +	@denied_device_port = split(/,/,
> $conf{SELINUX_INFINIBAND_ENDPORT_TEST_DENIED});
> +
> +	foreach (@allowed_device_port) {
> +		@dev_port_pair= split(/ /, $_);
> +
> +		system "semanage ibendport -a -t test_ibendport_t -z
> $_ 2>/dev/null";
> +		$result = system "runcon -t
> test_ibendport_manage_subnet_t smpquery PKeyTable -C
> $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
> +		system "semanage ibendport -d -t test_ibendport_t -z
> $_ 2>/dev/null";
> +		if($result ne 0) {
> +			last;
> +		}
> +	}
> +	ok($result, 0);
> +
> +        foreach (@denied_device_port) {
> +	        @dev_port_pair= split(/ /, $_);
> +	        $result = system "runcon -t
> test_ibendport_manage_subnet_t smpquery PKeyTable -C
> $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
> +
> +		if ($result>>8 eq 0) {
> +			last;
> +		}
> +	}
> +
> +	ok(int($result>>8) ne 0);
> +} else {
> +	ok(1);
> +	ok(1);
> +}
> +exit;
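Review bot: the denied-access loop treats any non-zero exit from smpquery as a successful denial (`ok(int($result>>8) ne 0)`), so a missing device, a wrong port number or any non-SELinux failure on the configured pair passes the test; checking for the specific AVC denial in the audit log, or running the denied case against the same device/port pair that just succeeded in the allowed loop with the semanage label removed, would tie the pass to the label difference alone. Three smaller points in the same hunk: `open($f, $confpath) or die ("Couldn't open ibtest.conf")` names a file that is never opened, `die("Couldn't open $confpath")` reports the real path; the allowed loop compares the raw `system` value (`if($result ne 0)`, `ok($result, 0)`) while the denied loop shifts it (`$result>>8`), so using `$result >> 8` in both keeps the checks consistent; and the return value of `semanage ibendport -a` is discarded with stderr silenced, so a failed labeling only surfaces later as an smpquery failure with no hint of the cause.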
> diff --git a/tests/infiniband_pkey/test b/tests/infiniband_pkey/test
> old mode 100644
> new mode 100755

Not a big deal, but it seems odd that this mode change wasn't just
squashed into the first patch.

Otherwise, it looks ok to me, but I don't have hardware to test it on.
Did you confirm that when you run the tests, you get the expected avc
denials in the audit logs?  Also, did you confirm that if you manually
run the tests in permissive mode, that the tests you expect to fail do
so (and the rest do not)?

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-05-30 17:09   ` Stephen Smalley
@ 2017-05-30 17:40     ` Daniel Jurgens
  2017-05-30 17:52       ` Stephen Smalley
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel Jurgens @ 2017-05-30 17:40 UTC (permalink / raw)
  To: Stephen Smalley, selinux, paul

On 5/30/2017 12:05 PM, Stephen Smalley wrote:
> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>> From: Daniel Jurgens <danielj@mellanox.com>
>>
>> New tests for Infiniband endports. Most users do not have infiniband
>> hardware, and if they do the device names can vary.  There is a
>> configuration file for enabling the tests and setting environment
>> specific configurations.  If the tests are disabled they always show
>> as
>> passed.
>>
>> A special test application was unnecessary, a standard diagnostic
>> application is used instead.  This required a change to the make file
>> to avoid trying to build an application in the new subdir.
>>
>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>
>> ---
>> v1:
>> - Synchronize interface names with refpolicy changes.
>> - Allowed access to unlabeled pkeys vs default pkey, default pkey is
>> no
>> longer labeled in the refpolicy.
>>
>> v2:
>> Stephen Smalley:
>> - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
>> - Use ifdefs around corenet_ib* interfaces.
>> - Only build the test_ibendport.te file if the infiniband_endport
>> class
>> is available.
>> - use corecmd_bin_entry_type interface instead of allow ... bin_t:
>> ---
>>  README                                       |  7 +++-
>>  policy/Makefile                              |  4 +++
>>  policy/test_ibendport.te                     | 40
>> +++++++++++++++++++++++
>>  tests/Makefile                               |  2 +-
>>  tests/infiniband_endport/Makefile            |  2 ++
>>  tests/infiniband_endport/ibendport_test.conf | 14 ++++++++
>>  tests/infiniband_endport/test                | 49
>> ++++++++++++++++++++++++++++
>>  tests/infiniband_pkey/test                   |  0
>>  8 files changed, 116 insertions(+), 2 deletions(-)
>>  create mode 100644 policy/test_ibendport.te
>>  create mode 100644 tests/infiniband_endport/Makefile
>>  create mode 100644 tests/infiniband_endport/ibendport_test.conf
>>  create mode 100755 tests/infiniband_endport/test
>>  mode change 100644 => 100755 tests/infiniband_pkey/test
>>
>> diff --git a/README b/README
>> index a4c8ebb..de50eb4 100644
>> --- a/README
>> +++ b/README
>> @@ -201,7 +201,12 @@ INFINIBAND TESTS
>>  ----------------
>>  Because running Infiniband tests requires specialized hardware you
>> must
>>  set up a configuration file for these tests. The tests are disabled
>> by
>> -default.  See comments in the configuration file for info.
>> +default.  See comments in the configuration file for info. The
>> endport
>> +tests use smpquery, for Fedora it's provided by the infiniband-diags
>> +package.
>>  
>>  Infiniband PKey test conf file:
>>  tests/infiniband_pkey/ibpkey_test.conf
>> +
>> +Infiniband Endport test conf file:
>> +tests/infiniband_endport/ibendport_test.conf
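Review bot: the README addition names smpquery but not the other runtime dependency the endport test has: it calls `semanage ibendport -a`/`-d` to label the allowed port, so a semanage with the `ibendport` subcommand is also required and the test must run with enough privilege to change the ibendport mapping; listing that beside infiniband-diags saves a user a confusing failure. Minor style: "The endport tests use smpquery, for Fedora it's provided by the infiniband-diags package" is a comma splice; "The endport tests use smpquery; on Fedora it is provided by the infiniband-diags package." reads better.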
>> diff --git a/policy/Makefile b/policy/Makefile
>> index 46c9fb5..c062009 100644
>> --- a/policy/Makefile
>> +++ b/policy/Makefile
>> @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit
>> $(POLDEV)/include/support/all_perms.spt && echo
>>  TARGETS += test_prlimit.te
>>  endif
>>  
>> +ifeq ($(shell grep -q infiniband_endport
>> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>> +TARGETS += test_ibendport.te
>> +endif
>> +
>>  ifeq ($(shell grep -q all_file_perms.*map
>> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>>  export M4PARAM = -Dmap_permission_defined
>>  endif
>> diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
>> new file mode 100644
>> index 0000000..2a02c57
>> --- /dev/null
>> +++ b/policy/test_ibendport.te
>> @@ -0,0 +1,40 @@
>> +#################################
>> +#
>> +# Policy for testing Infiniband Pkey access.
>> +#
>> +
>> +gen_require(`
>> +	type bin_t;
>> +	type infiniband_mgmt_device_t;
>> +')
>> +
>> +attribute ibendportdomain;
>> +
>> +# Domain for process.
>> +type test_ibendport_manage_subnet_t;
>> +domain_type(test_ibendport_manage_subnet_t)
>> +unconfined_runs_test(test_ibendport_manage_subnet_t)
>> +typeattribute test_ibendport_manage_subnet_t testdomain;
>> +typeattribute test_ibendport_manage_subnet_t ibendportdomain;
>> +
>> +type test_ibendport_t;
>> +ifdef(`corenet_ib_endport',`
>> +corenet_ib_endport(test_ibendport_t)
>> +')
>> +
>> +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
>> +dev_rw_sysfs(test_ibendport_manage_subnet_t)
>> +
>> +corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
>> +
>> +allow test_ibendport_manage_subnet_t
>> infiniband_mgmt_device_t:chr_file { read write open ioctl};
>> +
>> +ifdef(`corenet_ib_access_unlabeled_pkeys',`
>> +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
>> +')
>> +
>> +allow test_ibendport_manage_subnet_t
>> test_ibendport_t:infiniband_endport manage_subnet;
>> +
>> +# Allow all of these domains to be entered from the sysadm domain.
>> +miscfiles_domain_entry_test_files(ibendportdomain)
>> +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
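Review bot: the header comment reads "Policy for testing Infiniband Pkey access." but this is the endport policy (test_ibendport.te); change it to "Infiniband Endport access". The `gen_require` block still lists `type bin_t;`, which nothing in the file uses now that the v2 changelog replaced the direct bin_t allow with `corecmd_bin_entry_type`; drop the stale require. A comment would also help future readers: the only `infiniband_endport manage_subnet` rule targets `test_ibendport_t`, so the denied case relies on the port keeping its default unlabeled type, which is why the test adds and removes the label with semanage around the allowed run.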
>> diff --git a/tests/Makefile b/tests/Makefile
>> index 7dfe2a8..369b678 100644
>> --- a/tests/Makefile
>> +++ b/tests/Makefile
>> @@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare
>> exectrace execute_no_trans \
>>  	task_setnice task_setscheduler task_getscheduler task_getsid
>> \
>>  	task_getpgid task_setpgid file ioctl capable_file
>> capable_net \
>>  	capable_sys dyntrans dyntrace bounds nnp mmap unix_socket
>> inet_socket \
>> -	overlay checkreqprot mqueue mac_admin infiniband_pkey
>> +	overlay checkreqprot mqueue mac_admin infiniband_pkey
>> infiniband_endport
>>  
>>  ifeq ($(shell grep -q cap_userns
>> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>>  ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
>> diff --git a/tests/infiniband_endport/Makefile
>> b/tests/infiniband_endport/Makefile
>> new file mode 100644
>> index 0000000..e7c006f
>> --- /dev/null
>> +++ b/tests/infiniband_endport/Makefile
>> @@ -0,0 +1,2 @@
>> +all:
>> +clean:
>> diff --git a/tests/infiniband_endport/ibendport_test.conf
>> b/tests/infiniband_endport/ibendport_test.conf
>> new file mode 100644
>> index 0000000..601b290
>> --- /dev/null
>> +++ b/tests/infiniband_endport/ibendport_test.conf
>> @@ -0,0 +1,14 @@
>> +# Enable(1)/Disable these tests.
>> +SELINUX_INFINIBAND_ENDPORT_TEST=0
>> +
>> +# Device/port pair that should allow access.
>> +# The test uses semanage to allow, because
>> +# ibendports are all unlabeled by default
>> +# the reference policy. This allows using
>> +# the same device and port for both the pass
>> +# and fail testing as well.
>> +SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED=mlx5_3 1
>> +
>> +# Device/port pairs that should deny access.
>> +SELINUX_INFINIBAND_ENDPORT_TEST_DENIED=mlx5_2 1
>> +
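Review bot: the comment block should document the value format the test actually parses: each setting is split on "," and each entry on a single space, so several pairs are written as `mlx5_3 1,mlx5_3 2` with no space after the comma (a space there yields an empty device name). The sentence "ibendports are all unlabeled by default the reference policy" is missing "in". It also says the same device and port can be used for both the pass and fail cases, but the shipped defaults point at two different devices (mlx5_3 and mlx5_2); using the same pair for both would make the denied check exercise exactly the label difference rather than whatever else differs between the two ports.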
>> diff --git a/tests/infiniband_endport/test
>> b/tests/infiniband_endport/test
>> new file mode 100755
>> index 0000000..b4e553d
>> --- /dev/null
>> +++ b/tests/infiniband_endport/test
>> @@ -0,0 +1,49 @@
>> +#!/usr/bin/perl
>> +
>> +use Test;
>> +
>> +BEGIN { plan tests => 2}
>> +
>> +$basedir = $0;  $basedir =~ s|(.*)/[^/]*|$1|;
>> +
>> +my %conf;
>> +my $confpath = $basedir."/ibendport_test.conf";
>> +open($f, $confpath) or die ("Couldn't open ibtest.conf");
>> +while($r = <$f>) {
>> +	if ($r =~ /^\s*#/ || $r =~ /^\s*$/) { next; }
>> +	chomp $r;
>> +	($k,$v) = split(/=/, $r);
>> +	$conf{$k} = $v;
>> +}
>> +
>> +if ($conf{SELINUX_INFINIBAND_ENDPORT_TEST} eq 1) {
>> +	@allowed_device_port = split(/,/,
>> $conf{SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED});
>> +	@denied_device_port = split(/,/,
>> $conf{SELINUX_INFINIBAND_ENDPORT_TEST_DENIED});
>> +
>> +	foreach (@allowed_device_port) {
>> +		@dev_port_pair= split(/ /, $_);
>> +
>> +		system "semanage ibendport -a -t test_ibendport_t -z
>> $_ 2>/dev/null";
>> +		$result = system "runcon -t
>> test_ibendport_manage_subnet_t smpquery PKeyTable -C
>> $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
>> +		system "semanage ibendport -d -t test_ibendport_t -z
>> $_ 2>/dev/null";
>> +		if($result ne 0) {
>> +			last;
>> +		}
>> +	}
>> +	ok($result, 0);
>> +
>> +        foreach (@denied_device_port) {
>> +	        @dev_port_pair= split(/ /, $_);
>> +	        $result = system "runcon -t
>> test_ibendport_manage_subnet_t smpquery PKeyTable -C
>> $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
>> +
>> +		if ($result>>8 eq 0) {
>> +			last;
>> +		}
>> +	}
>> +
>> +	ok(int($result>>8) ne 0);
>> +} else {
>> +	ok(1);
>> +	ok(1);
>> +}
>> +exit;
>> diff --git a/tests/infiniband_pkey/test b/tests/infiniband_pkey/test
>> old mode 100644
>> new mode 100755
> Not a big deal, but it seems odd that this mode change wasn't just
> squashed into the first patch.
>
> Otherwise, it looks ok to me, but I don't have hardware to test it on.
> Did you confirm that when you run the tests, you get the expected avc
> denials in the audit logs?  Also, did you confirm that if you manually
> run the tests in permissive mode, that the tests you expect to fail do
> so (and the rest do not)?
>
>
I'm not sure what happened with the mode there.  I didn't change it manually.  I can clean it up if you want.

Regarding testing the test. Yes, I did make sure they fail as expected when in permissive mode.  Also I changed settings in the configuration files to make sure all cases fail when they should where that was possible.


* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-05-30 17:40     ` Daniel Jurgens
@ 2017-05-30 17:52       ` Stephen Smalley
  2017-05-30 17:53         ` Daniel Jurgens
  2017-06-05 22:13         ` Paul Moore
  0 siblings, 2 replies; 15+ messages in thread
From: Stephen Smalley @ 2017-05-30 17:52 UTC (permalink / raw)
  To: Daniel Jurgens, selinux, paul

On Tue, 2017-05-30 at 17:40 +0000, Daniel Jurgens wrote:
> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
> > On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> > > From: Daniel Jurgens <danielj@mellanox.com>
> > > 
> > > New tests for Infiniband endports. Most users do not have
> > > infiniband
> > > hardware, and if they do the device names can vary.  There is a
> > > configuration file for enabling the tests and setting environment
> > > specific configurations.  If the tests are disabled they always
> > > show
> > > as
> > > passed.
> > > 
> > > A special test application was unnecessary, a standard diagnostic
> > > application is used instead.  This required a change to the make
> > > file
> > > to avoid trying to build an application in the new subdir.
> > > 
> > > Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> > > 
> > > ---
> > > v1:
> > > - Synchronize interface names with refpolicy changes.
> > > - Allowed access to unlabeled pkeys vs default pkey, default pkey
> > > is
> > > no
> > > longer labeled in the refpolicy.
> > > 
> > > v2:
> > > Stephen Smalley:
> > > - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
> > > - Use ifdefs around corenet_ib* interfaces.
> > > - Only build the test_ibendport.te file if the
> > > infiniband_endport
> > > class
> > > is available.
> > > - use corecmd_bin_entry_type interface instead of allow ...
> > > bin_t:
> > > ---
> > >  README                                       |  7 +++-
> > >  policy/Makefile                              |  4 +++
> > >  policy/test_ibendport.te                     | 40
> > > +++++++++++++++++++++++
> > >  tests/Makefile                               |  2 +-
> > >  tests/infiniband_endport/Makefile            |  2 ++
> > >  tests/infiniband_endport/ibendport_test.conf | 14 ++++++++
> > >  tests/infiniband_endport/test                | 49
> > > ++++++++++++++++++++++++++++
> > >  tests/infiniband_pkey/test                   |  0
> > >  8 files changed, 116 insertions(+), 2 deletions(-)
> > >  create mode 100644 policy/test_ibendport.te
> > >  create mode 100644 tests/infiniband_endport/Makefile
> > >  create mode 100644 tests/infiniband_endport/ibendport_test.conf
> > >  create mode 100755 tests/infiniband_endport/test
> > >  mode change 100644 => 100755 tests/infiniband_pkey/test
> > > 
> > > diff --git a/README b/README
> > > index a4c8ebb..de50eb4 100644
> > > --- a/README
> > > +++ b/README
> > > @@ -201,7 +201,12 @@ INFINIBAND TESTS
> > >  ----------------
> > >  Because running Infiniband tests requires specialized hardware
> > > you
> > > must
> > >  set up a configuration file for these tests. The tests are
> > > disabled
> > > by
> > > -default.  See comments in the configuration file for info.
> > > +default.  See comments in the configuration file for info. The
> > > endport
> > > +tests use smpquery, for Fedora it's provided by the infiniband-
> > > diags
> > > +package.
> > >  
> > >  Infiniband PKey test conf file:
> > >  tests/infiniband_pkey/ibpkey_test.conf
> > > +
> > > +Infiniband Endport test conf file:
> > > +tests/infiniband_endport/ibendport_test.conf
> > > diff --git a/policy/Makefile b/policy/Makefile
> > > index 46c9fb5..c062009 100644
> > > --- a/policy/Makefile
> > > +++ b/policy/Makefile
> > > @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit
> > > $(POLDEV)/include/support/all_perms.spt && echo
> > >  TARGETS += test_prlimit.te
> > >  endif
> > >  
> > > +ifeq ($(shell grep -q infiniband_endport
> > > $(POLDEV)/include/support/all_perms.spt && echo true),true)
> > > +TARGETS += test_ibendport.te
> > > +endif
> > > +
> > >  ifeq ($(shell grep -q all_file_perms.*map
> > > $(POLDEV)/include/support/all_perms.spt && echo true),true)
> > >  export M4PARAM = -Dmap_permission_defined
> > >  endif
> > > diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
> > > new file mode 100644
> > > index 0000000..2a02c57
> > > --- /dev/null
> > > +++ b/policy/test_ibendport.te
> > > @@ -0,0 +1,40 @@
> > > +#################################
> > > +#
> > > +# Policy for testing Infiniband Pkey access.
> > > +#
> > > +
> > > +gen_require(`
> > > +	type bin_t;
> > > +	type infiniband_mgmt_device_t;
> > > +')
> > > +
> > > +attribute ibendportdomain;
> > > +
> > > +# Domain for process.
> > > +type test_ibendport_manage_subnet_t;
> > > +domain_type(test_ibendport_manage_subnet_t)
> > > +unconfined_runs_test(test_ibendport_manage_subnet_t)
> > > +typeattribute test_ibendport_manage_subnet_t testdomain;
> > > +typeattribute test_ibendport_manage_subnet_t ibendportdomain;
> > > +
> > > +type test_ibendport_t;
> > > +ifdef(`corenet_ib_endport',`
> > > +corenet_ib_endport(test_ibendport_t)
> > > +')
> > > +
> > > +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
> > > +dev_rw_sysfs(test_ibendport_manage_subnet_t)
> > > +
> > > +corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
> > > +
> > > +allow test_ibendport_manage_subnet_t
> > > infiniband_mgmt_device_t:chr_file { read write open ioctl};
> > > +
> > > +ifdef(`corenet_ib_access_unlabeled_pkeys',`
> > > +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t
> > > )
> > > +')
> > > +
> > > +allow test_ibendport_manage_subnet_t
> > > test_ibendport_t:infiniband_endport manage_subnet;
> > > +
> > > +# Allow all of these domains to be entered from the sysadm
> > > domain.
> > > +miscfiles_domain_entry_test_files(ibendportdomain)
> > > +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
> > > diff --git a/tests/Makefile b/tests/Makefile
> > > index 7dfe2a8..369b678 100644
> > > --- a/tests/Makefile
> > > +++ b/tests/Makefile
> > > @@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare
> > > exectrace execute_no_trans \
> > >  	task_setnice task_setscheduler task_getscheduler
> > > task_getsid
> > > \
> > >  	task_getpgid task_setpgid file ioctl capable_file
> > > capable_net \
> > >  	capable_sys dyntrans dyntrace bounds nnp mmap
> > > unix_socket
> > > inet_socket \
> > > -	overlay checkreqprot mqueue mac_admin infiniband_pkey
> > > +	overlay checkreqprot mqueue mac_admin infiniband_pkey
> > > infiniband_endport
> > >  
> > >  ifeq ($(shell grep -q cap_userns
> > > $(POLDEV)/include/support/all_perms.spt && echo true),true)
> > >  ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
> > > diff --git a/tests/infiniband_endport/Makefile
> > > b/tests/infiniband_endport/Makefile
> > > new file mode 100644
> > > index 0000000..e7c006f
> > > --- /dev/null
> > > +++ b/tests/infiniband_endport/Makefile
> > > @@ -0,0 +1,2 @@
> > > +all:
> > > +clean:
> > > diff --git a/tests/infiniband_endport/ibendport_test.conf
> > > b/tests/infiniband_endport/ibendport_test.conf
> > > new file mode 100644
> > > index 0000000..601b290
> > > --- /dev/null
> > > +++ b/tests/infiniband_endport/ibendport_test.conf
> > > @@ -0,0 +1,14 @@
> > > +# Enable(1)/Disable these tests.
> > > +SELINUX_INFINIBAND_ENDPORT_TEST=0
> > > +
> > > +# Device/port pair that should allow access.
> > > +# The test uses semanage to allow, because
> > > +# ibendports are all unlabeled by default
> > > +# the reference policy. This allows using
> > > +# the same device and port for both the pass
> > > +# and fail testing as well.
> > > +SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED=mlx5_3 1
> > > +
> > > +# Device/port pairs that should deny access.
> > > +SELINUX_INFINIBAND_ENDPORT_TEST_DENIED=mlx5_2 1
> > > +
> > > diff --git a/tests/infiniband_endport/test
> > > b/tests/infiniband_endport/test
> > > new file mode 100755
> > > index 0000000..b4e553d
> > > --- /dev/null
> > > +++ b/tests/infiniband_endport/test
> > > @@ -0,0 +1,49 @@
> > > +#!/usr/bin/perl
> > > +
> > > +use Test;
> > > +
> > > +BEGIN { plan tests => 2}
> > > +
> > > +$basedir = $0;  $basedir =~ s|(.*)/[^/]*|$1|;
> > > +
> > > +my %conf;
> > > +my $confpath = $basedir."/ibendport_test.conf";
> > > +open($f, $confpath) or die ("Couldn't open ibtest.conf");
> > > +while($r = <$f>) {
> > > +	if ($r =~ /^\s*#/ || $r =~ /^\s*$/) { next; }
> > > +	chomp $r;
> > > +	($k,$v) = split(/=/, $r);
> > > +	$conf{$k} = $v;
> > > +}
> > > +
> > > +if ($conf{SELINUX_INFINIBAND_ENDPORT_TEST} eq 1) {
> > > +	@allowed_device_port = split(/,/,
> > > $conf{SELINUX_INFINIBAND_ENDPORT_TEST_ALLOWED});
> > > +	@denied_device_port = split(/,/,
> > > $conf{SELINUX_INFINIBAND_ENDPORT_TEST_DENIED});
> > > +
> > > +	foreach (@allowed_device_port) {
> > > +		@dev_port_pair= split(/ /, $_);
> > > +
> > > +		system "semanage ibendport -a -t
> > > test_ibendport_t -z
> > > $_ 2>/dev/null";
> > > +		$result = system "runcon -t
> > > test_ibendport_manage_subnet_t smpquery PKeyTable -C
> > > $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
> > > +		system "semanage ibendport -d -t
> > > test_ibendport_t -z
> > > $_ 2>/dev/null";
> > > +		if($result ne 0) {
> > > +			last;
> > > +		}
> > > +	}
> > > +	ok($result, 0);
> > > +
> > > +        foreach (@denied_device_port) {
> > > +	        @dev_port_pair= split(/ /, $_);
> > > +	        $result = system "runcon -t
> > > test_ibendport_manage_subnet_t smpquery PKeyTable -C
> > > $dev_port_pair[0] -P $dev_port_pair[1] -D 1 2>/dev/null";
> > > +
> > > +		if ($result>>8 eq 0) {
> > > +			last;
> > > +		}
> > > +	}
> > > +
> > > +	ok(int($result>>8) ne 0);
> > > +} else {
> > > +	ok(1);
> > > +	ok(1);
> > > +}
> > > +exit;
> > > diff --git a/tests/infiniband_pkey/test
> > > b/tests/infiniband_pkey/test
> > > old mode 100644
> > > new mode 100755
> > 
> > Not a big deal, but it seems odd that this mode change wasn't just
> > squashed into the first patch.
> > 
> > Otherwise, it looks ok to me, but I don't have hardware to test it
> > on.
> > Did you confirm that when you run the tests, you get the expected
> > avc
> > denials in the audit logs?  Also, did you confirm that if you
> > manually
> > run the tests in permissive mode, that the tests you expect to fail
> > do
> > so (and the rest do not)?
> > 
> > 
> 
> I'm not sure what happened with the mode there.  I didn't change it
> manually.  I can clean it up if you want.

Looks like tests/Makefile does a chmod +x */test.
I wouldn't bother re-spinning unless Paul has other comments.

> Regarding testing the test. Yes, I did make sure they fail as
> expected when in permissive mode.  Also I changed settings in the
> configuration files to make sure all cases fail when they should
> where that was possible.

And avc: denied messages are as expected?


* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-05-30 17:52       ` Stephen Smalley
@ 2017-05-30 17:53         ` Daniel Jurgens
  2017-06-05 22:13         ` Paul Moore
  1 sibling, 0 replies; 15+ messages in thread
From: Daniel Jurgens @ 2017-05-30 17:53 UTC (permalink / raw)
  To: Stephen Smalley, selinux, paul

On 5/30/2017 12:48 PM, Stephen Smalley wrote:
> On Tue, 2017-05-30 at 17:40 +0000, Daniel Jurgens wrote:
>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>>
>>>> diff --git a/tests/infiniband_pkey/test
>>>> b/tests/infiniband_pkey/test
>>>> old mode 100644
>>>> new mode 100755
>>> Not a big deal, but it seems odd that this mode change wasn't just
>>> squashed into the first patch.
>>>
>>> Otherwise, it looks ok to me, but I don't have hardware to test it
>>> on.
>>> Did you confirm that when you run the tests, you get the expected
>>> avc
>>> denials in the audit logs?  Also, did you confirm that if you
>>> manually
>>> run the tests in permissive mode, that the tests you expect to fail
>>> do
>>> so (and the rest do not)?
>>>
>>>
>> I'm not sure what happened with the mode there.  I didn't change it
>> manually.  I can clean it up if you want.
> Looks like tests/Makefile does a chmod +x */test.
> I wouldn't bother re-spinning unless Paul has other comments.
>
>> Regarding testing the test. Yes, I did make sure they fail as
>> expected when in permissive mode.  Also I changed settings in the
>> configuration files to make sure all cases fail when they should
>> where that was possible.
> And avc: denied messages are as expected?
>
Yes, here's a sample:

type=AVC msg=audit(1496161222.307:1584): avc:  denied  { manage_subnet } for  pid=21976 comm="smpquery" device=mlx5_2 port_num=1 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=0

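Stephen's question above is whether the denial the test produces is the one the new policy is supposed to produce, and Daniel's sample shows what such a record looks like. The following is an added example, not code from this thread or from the selinux-testsuite: a small Python checker that parses audit AVC records and picks out the enforced denial the endport test should trigger (`manage_subnet` on `infiniband_endport`, `comm="smpquery"`, source type `test_ibendport_manage_subnet_t`, on the configured device and port), while listing every other denial so a tester can see at a glance that nothing unexpected was hit. The log lines inside it are constructed for the example; the first reproduces the sample posted in the thread, and the function and class names are this example's own.

```python
"""Check an audit log for the AVC denial the SELinux endport test expects.

Added example, not part of the selinux-testsuite patch in this thread.
It parses "type=AVC ... avc: denied" records and picks out the enforced
denial the infiniband_endport test should trigger, so a test can assert
on the denial itself instead of only on smpquery's exit status.
"""
import re
from dataclasses import dataclass

# Constructed sample log. Line 1 reproduces the record posted in the
# thread; the rest are distractors a real audit log could also contain
# (a different object class, a non-AVC record, and the same denial in
# permissive mode, where the access was logged but actually went through).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1496161222.307:1584): avc:  denied  { manage_subnet } for  pid=21976 comm="smpquery" device=mlx5_2 port_num=1 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=0
type=AVC msg=audit(1496161222.310:1585): avc:  denied  { read } for  pid=21977 comm="smpquery" name="umad0" dev="devtmpfs" ino=4242 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:infiniband_mgmt_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1496161222.307:1584): arch=c000003e syscall=16 success=no exit=-13 pid=21976 comm="smpquery" exe="/usr/sbin/smpquery"
type=AVC msg=audit(1496161230.100:1590): avc:  denied  { manage_subnet } for  pid=21990 comm="smpquery" device=mlx5_2 port_num=1 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=1
"""

# Shape of an AVC record: verdict, permission set, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$')
# key=value pairs; quoted values (comm="smpquery") may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    serial: int
    verdict: str
    perms: frozenset
    fields: dict

    @property
    def source_type(self):
        """Type component of scontext (user:role:type:range)."""
        parts = self.fields.get('scontext', '').split(':')
        return parts[2] if len(parts) > 2 else ''


def parse_avc(line):
    """Return an AvcRecord for an AVC record, None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return AvcRecord(int(m.group('serial')), m.group('verdict'),
                     frozenset(m.group('perms').split()), fields)


def parse_audit_log(text):
    """All AVC records in an audit log, in file order."""
    return [r for r in map(parse_avc, text.splitlines()) if r is not None]


def expected_endport_denials(records, device, port_num,
                             source_type='test_ibendport_manage_subnet_t'):
    """Denials matching what the endport test's denied case should produce.

    Domain, permission, object class, comm, device and port all have to
    match, and the record must be enforced (permissive=0): a permissive=1
    record means the access was only logged, not blocked.
    """
    hits = []
    for r in records:
        f = r.fields
        if (r.verdict == 'denied' and 'manage_subnet' in r.perms
                and f.get('tclass') == 'infiniband_endport'
                and f.get('comm') == 'smpquery'
                and f.get('device') == device
                and f.get('port_num') == str(port_num)
                and f.get('permissive') == '0'
                and r.source_type == source_type):
            hits.append(r)
    return hits


def unexpected_denials(records, expected):
    """Every other denial in the log; a clean test run leaves this empty."""
    seen = {r.serial for r in expected}
    return [r for r in records if r.verdict == 'denied' and r.serial not in seen]


if __name__ == '__main__':
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    hits = expected_endport_denials(recs, 'mlx5_2', 1)
    print('expected denials:', [r.serial for r in hits])
    print('other denials   :', [r.serial for r in unexpected_denials(recs, hits)])
```

On a real run the log text would come from `ausearch -m avc` or the raw audit.log for the test's time window; the check that matters is that `expected_endport_denials` returns exactly one enforced record per denied pair and `unexpected_denials` returns nothing, which is stronger evidence than smpquery's exit status alone.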

* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-05-30 17:52       ` Stephen Smalley
  2017-05-30 17:53         ` Daniel Jurgens
@ 2017-06-05 22:13         ` Paul Moore
  2017-06-05 22:34           ` Daniel Jurgens
  1 sibling, 1 reply; 15+ messages in thread
From: Paul Moore @ 2017-06-05 22:13 UTC (permalink / raw)
  To: Stephen Smalley, Daniel Jurgens; +Cc: selinux, Yevgeny Petrilin

On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Tue, 2017-05-30 at 17:40 +0000, Daniel Jurgens wrote:
>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>> > On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>> > > From: Daniel Jurgens <danielj@mellanox.com>
>> > >
>> > > New tests for Infiniband endports. Most users do not have
>> > > infiniband
>> > > hardware, and if they do the device names can vary.  There is a
>> > > configuration file for enabling the tests and setting environment
>> > > specific configurations.  If the tests are disabled they always
>> > > show
>> > > as
>> > > passed.
>> > >
>> > > A special test application was unnecessary, a standard diagnostic
>> > > application is used instead.  This required a change to the make
>> > > file
>> > > to avoid trying to build an application in the new subdir.
>> > >
>> > > Signed-off-by: Daniel Jurgens <danielj@mellanox.com>

...

> I wouldn't bother re-spinning unless Paul has other comments.

Nothing worthy of a respin.

Daniel, have you run these tests against the kernel, userspace, and
policy code that has been merged?  It would be nice to have a sanity
check that something didn't break while we were merging everything.

[SIDE NOTE: This afternoon I noticed what I think may be a problem
with my COPR kernel builds that affects the test suite, so YMMV at the
moment.]

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-06-05 22:13         ` Paul Moore
@ 2017-06-05 22:34           ` Daniel Jurgens
  2017-06-09 14:44             ` Daniel Jurgens
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel Jurgens @ 2017-06-05 22:34 UTC (permalink / raw)
  To: Paul Moore, Stephen Smalley; +Cc: selinux, Yevgeny Petrilin

On 6/5/2017 5:13 PM, Paul Moore wrote:
> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On Tue, 2017-05-30 at 17:40 +0000, Daniel Jurgens wrote:
>>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>>>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>>>
>>>>> New tests for Infiniband endports. Most users do not have
>>>>> infiniband
>>>>> hardware, and if they do the device names can vary.  There is a
>>>>> configuration file for enabling the tests and setting environment
>>>>> specific configurations.  If the tests are disabled they always
>>>>> show
>>>>> as
>>>>> passed.
>>>>>
>>>>> A special test application was unnecessary, a standard diagnostic
>>>>> application is used instead.  This required a change to the make
>>>>> file
>>>>> to avoid trying to build an application in the new subdir.
>>>>>
>>>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
> ...
>
>> I wouldn't bother re-spinning unless Paul has other comments.
> Nothing worthy of a respin.
>
> Daniel, have you run these tests against the kernel, userspace, and
> policy code that has been merged?  It would be nice to have a sanity
> check that something didn't break while we were merging everything.
>
> [SIDE NOTE: This afternoon I noticed what I think may be a problem
> with my COPR kernel builds that affects the test suite, so YMMV at the
> moment.]
>
I ran them against the merged kernel and selinux code.  But I used the same policy RPMs that I had been using, I didn't try to rebuild the RPMs against the new refpolicy.


* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-06-05 22:34           ` Daniel Jurgens
@ 2017-06-09 14:44             ` Daniel Jurgens
  2017-06-09 14:50               ` Paul Moore
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel Jurgens @ 2017-06-09 14:44 UTC (permalink / raw)
  To: Paul Moore, Stephen Smalley; +Cc: selinux, Yevgeny Petrilin

On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
> On 6/5/2017 5:13 PM, Paul Moore wrote:
>> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On Tue, 2017-05-30 at 17:40 +0000, Daniel Jurgens wrote:
>>>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>>>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>>>>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>>>>
>>>>>> New tests for Infiniband endports. Most users do not have
>>>>>> infiniband
>>>>>> hardware, and if they do the device names can vary.  There is a
>>>>>> configuration file for enabling the tests and setting environment
>>>>>> specific configurations.  If the tests are disabled they always
>>>>>> show
>>>>>> as
>>>>>> passed.
>>>>>>
>>>>>> A special test application was unnecessary, a standard diagnostic
>>>>>> application is used instead.  This required a change to the make
>>>>>> file
>>>>>> to avoid trying to build an application in the new subdir.
>>>>>>
>>>>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>> ...
>>
>>> I wouldn't bother re-spinning unless Paul has other comments.
>> Nothing worthy of a respin.
>>
>> Daniel, have you run these tests against the kernel, userspace, and
>> policy code that has been merged?  It would be nice to have a sanity
>> check that something didn't break while we were merging everything.
>>
>> [SIDE NOTE: This afternoon I noticed what I think may be a problem
>> with my COPR kernel builds that affects the test suite, so YMMV at the
>> moment.]
>>
> I ran them against the merged kernel and selinux code.  But I used the same policy RPMs that I had been using, I didn't try to rebuild the RPMs against the new refpolicy.
>
Are these tests good to go? I haven't gotten any additional comments since v2.


* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-06-09 14:44             ` Daniel Jurgens
@ 2017-06-09 14:50               ` Paul Moore
  2017-06-09 14:59                 ` Daniel Jurgens
  0 siblings, 1 reply; 15+ messages in thread
From: Paul Moore @ 2017-06-09 14:50 UTC (permalink / raw)
  To: Daniel Jurgens; +Cc: Stephen Smalley, selinux, Yevgeny Petrilin

On Fri, Jun 9, 2017 at 10:44 AM, Daniel Jurgens <danielj@mellanox.com> wrote:
> On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
>> On 6/5/2017 5:13 PM, Paul Moore wrote:
>>> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>> On Tue, 2017-05-30 at 17:40 +0000, Daniel Jurgens wrote:
>>>>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>>>>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>>>>>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>>>>>
>>>>>>> New tests for Infiniband endports. Most users do not have
>>>>>>> infiniband
>>>>>>> hardware, and if they do the device names can vary.  There is a
>>>>>>> configuration file for enabling the tests and setting environment
>>>>>>> specific configurations.  If the tests are disabled they always
>>>>>>> show
>>>>>>> as
>>>>>>> passed.
>>>>>>>
>>>>>>> A special test application was unnecessary, a standard diagnostic
>>>>>>> application is used instead.  This required a change to the make
>>>>>>> file
>>>>>>> to avoid trying to build an application in the new subdir.
>>>>>>>
>>>>>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>> ...
>>>
>>>> I wouldn't bother re-spinning unless Paul has other comments.
>>> Nothing worthy of a respin.
>>>
>>> Daniel, have you run these tests against the kernel, userspace, and
>>> policy code that has been merged?  It would be nice to have a sanity
>>> check that something didn't break while we were merging everything.
>>>
>>> [SIDE NOTE: This afternoon I noticed what I think may be a problem
>>> with my COPR kernel builds that affects the test suite, so YMMV at the
>>> moment.]
>>>
>> I ran them against the merged kernel and selinux code.  But I used the same policy RPMs that I had been using, I didn't try to rebuild the RPMs against the new refpolicy.
>>
> Are these tests good to go? I haven't gotten any additional comments since v2.

Yes, my apologies for not getting back to you sooner; I had hoped to
talk to some of the IB folks at Red Hat to see if they could verify
everything (or at least get access to an IB system so I could verify
it) but I got wrapped in a few audit issues this week and didn't get
to it.

I'll merge these patches later this afternoon.

-- 
paul moore
www.paul-moore.com


* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-06-09 14:50               ` Paul Moore
@ 2017-06-09 14:59                 ` Daniel Jurgens
  2017-06-09 20:01                   ` Paul Moore
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel Jurgens @ 2017-06-09 14:59 UTC (permalink / raw)
  To: Paul Moore; +Cc: Stephen Smalley, selinux, Yevgeny Petrilin

On 6/9/2017 9:50 AM, Paul Moore wrote:
> On Fri, Jun 9, 2017 at 10:44 AM, Daniel Jurgens <danielj@mellanox.com> wrote:
>> On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
>>> On 6/5/2017 5:13 PM, Paul Moore wrote:
>>>> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>> On Tue, 2017-05-30 at 17:40 +0000, Daniel Jurgens wrote:
>>>>>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>>>>>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>>>>>>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>>>>>>
>>>>>>>> New tests for Infiniband endports. Most users do not have
>>>>>>>> infiniband
>>>>>>>> hardware, and if they do the device names can vary.  There is a
>>>>>>>> configuration file for enabling the tests and setting environment
>>>>>>>> specific configurations.  If the tests are disabled they always
>>>>>>>> show
>>>>>>>> as
>>>>>>>> passed.
>>>>>>>>
>>>>>>>> A special test application was unnecessary, a standard diagnostic
>>>>>>>> application is used instead.  This required a change to the make
>>>>>>>> file
>>>>>>>> to avoid trying to build an application in the new subdir.
>>>>>>>>
>>>>>>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>>> ...
>>>>
>>>>> I wouldn't bother re-spinning unless Paul has other comments.
>>>> Nothing worthy of a respin.
>>>>
>>>> Daniel, have you run these tests against the kernel, userspace, and
>>>> policy code that has been merged?  It would be nice to have a sanity
>>>> check that something didn't break while we were merging everything.
>>>>
>>>> [SIDE NOTE: This afternoon I noticed what I think may be a problem
>>>> with my COPR kernel builds that affects the test suite, so YMMV at the
>>>> moment.]
>>>>
>>> I ran them against the merged kernel and selinux code.  But I used the same policy RPMs that I had been using, I didn't try to rebuild the RPMs against the new refpolicy.
>>>
>> Are these tests good to go? I haven't gotten any additional comments since v2.
> Yes, my apologies for not getting back to you sooner; I had hoped to
> talk to some of the IB folks at Red Hat to see if they could verify
> everything (or at least get access to a IB system so I could verify
> it) but I got wrapped in a few audit issues this week and didn't get
> to it.
>
> I'll merge these patches later this afternoon.
>
No problem, just wanted to make sure I wasn't holding it up in any way.

I recall you saying you do most of your testing in VMs on a laptop.  But if you have a system with a free pci-e slot we can ship you an HCA if you'd like to be able to run these yourself.

* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-06-09 14:59                 ` Daniel Jurgens
@ 2017-06-09 20:01                   ` Paul Moore
  2017-06-09 20:23                     ` Daniel Jurgens
  0 siblings, 1 reply; 15+ messages in thread
From: Paul Moore @ 2017-06-09 20:01 UTC (permalink / raw)
  To: Daniel Jurgens; +Cc: Stephen Smalley, selinux, Yevgeny Petrilin

On Fri, Jun 9, 2017 at 10:59 AM, Daniel Jurgens <danielj@mellanox.com> wrote:
> On 6/9/2017 9:50 AM, Paul Moore wrote:
>> On Fri, Jun 9, 2017 at 10:44 AM, Daniel Jurgens <danielj@mellanox.com> wrote:
>>> On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
>>>> On 6/5/2017 5:13 PM, Paul Moore wrote:
>>>>> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>>>> On Tue, 2017-05-30 at 17:40 +0000, Daniel Jurgens wrote:
>>>>>>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>>>>>>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>>>>>>>>> From: Daniel Jurgens <danielj@mellanox.com>
>>>>>>>>>
>>>>>>>>> New tests for Infiniband endports. Most users do not have
>>>>>>>>> infiniband
>>>>>>>>> hardware, and if they do the device names can vary.  There is a
>>>>>>>>> configuration file for enabling the tests and setting environment
>>>>>>>>> specific configurations.  If the tests are disabled they always
>>>>>>>>> show
>>>>>>>>> as
>>>>>>>>> passed.
>>>>>>>>>
>>>>>>>>> A special test application was unnecessary, a standard diagnostic
>>>>>>>>> application is used instead.  This required a change to the make
>>>>>>>>> file
>>>>>>>>> to avoid trying to build an application in the new subdir.
>>>>>>>>>
>>>>>>>>> Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
>>>>> ...
>>>>>
>>>>>> I wouldn't bother re-spinning unless Paul has other comments.
>>>>> Nothing worthy of a respin.
>>>>>
>>>>> Daniel, have you run these tests against the kernel, userspace, and
>>>>> policy code that has been merged?  It would be nice to have a sanity
>>>>> check that something didn't break while we were merging everything.
>>>>>
>>>>> [SIDE NOTE: This afternoon I noticed what I think may be a problem
>>>>> with my COPR kernel builds that affects the test suite, so YMMV at the
>>>>> moment.]
>>>>>
>>>> I ran them against the merged kernel and selinux code.  But I used the same policy RPMs that I had been using, I didn't try to rebuild the RPMs against the new refpolicy.
>>>>
>>> Are these tests good to go? I haven't gotten any additional comments since v2.
>> Yes, my apologies for not getting back to you sooner; I had hoped to
>> talk to some of the IB folks at Red Hat to see if they could verify
>> everything (or at least get access to a IB system so I could verify
>> it) but I got wrapped in a few audit issues this week and didn't get
>> to it.
>>
>> I'll merge these patches later this afternoon.
>>
> No problem, just wanted to make sure I wasn't holding it up in any way.

Should be all set now, let me know if you notice any problems.  I did
add a separate third commit to munge the style/formatting (see
previous emails); I didn't bother posting it to the list as it is just
style changes, but in case anyone is curious, this is the commit:

  commit 8e0339cef20d0356d3e115c31a133662e9562e65
  Author: Paul Moore <paul@paul-moore.com>
  Date:   Fri Jun 9 15:46:37 2017 -0400

   infiniband: apply style corrections to the infiniband tests

   Patch generated by './tools/check-syntax -f'.

   Signed-off-by: Paul Moore <paul@paul-moore.com>

> I recall you saying you do most of your testing in VMs on a laptop.  But if you have a system with a free pci-e slot we can ship you an HCA if you'd like to be able to run these yourself.

Thank you for the offer, and yes I generally run the tests in a VM,
however we've been working on getting something a bit more automated
in place for upstream testing (more info on that once everything is
sorted out).

Let me think about this a bit (and dust off my somewhat neglected
testing hardware), I generally try to avoid getting tied to specific
hardware, but it is necessary in this case, and I fear that this may
be the easiest way to ensure it gets tested regularly.

-- 
paul moore
www.paul-moore.com

* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-06-09 20:01                   ` Paul Moore
@ 2017-06-09 20:23                     ` Daniel Jurgens
  2017-06-26 20:16                       ` Paul Moore
  0 siblings, 1 reply; 15+ messages in thread
From: Daniel Jurgens @ 2017-06-09 20:23 UTC (permalink / raw)
  To: Paul Moore; +Cc: Stephen Smalley, selinux, Yevgeny Petrilin

On 6/9/2017 3:01 PM, Paul Moore wrote:
> On Fri, Jun 9, 2017 at 10:59 AM, Daniel Jurgens <danielj@mellanox.com> wrote:
>
> Should be all set now, let me know if you notice any problems.  I did
> add a separate third commit to munge the style/formatting (see
> previous emails); I didn't bother posting it to the list as it is just
> style changes, but in case anyone is curious, this is the commit:
>
>   commit 8e0339cef20d0356d3e115c31a133662e9562e65
>   Author: Paul Moore <paul@paul-moore.com>
>   Date:   Fri Jun 9 15:46:37 2017 -0400
>
>    infiniband: apply style corrections to the infiniband tests
>
>    Patch generated by './tools/check-syntax -f'.
>
>    Signed-off-by: Paul Moore <paul@paul-moore.com>
>
>> I recall you saying you do most of your testing in VMs on a laptop.  But if you have a system with a free pci-e slot we can ship you an HCA if you'd like to be able to run these yourself.
> Thank you for the offer, and yes I generally run the tests in a VM,
> however we've been working on getting something a bit more automated
> in place for upstream testing (more info on that once everything is
> sorted out).
>
> Let me think about this a bit (and dust off my somewhat neglected
> testing hardware), I generally try to avoid getting tied to specific
> hardware, but it is necessary in this case, and I fear that this may
> be the easiest way to ensure it gets tested regularly.
>
OK, just let me know if you want one.  Once the feature works its way back to the mainstream kernel I'll add the tests to our automated regressions too. Thanks for all your help getting this whole thing through review!

How often does the fedora-selinux project switch the base refpolicy? It needs additions to the unconfined user role to allow access.

* Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
  2017-06-09 20:23                     ` Daniel Jurgens
@ 2017-06-26 20:16                       ` Paul Moore
  0 siblings, 0 replies; 15+ messages in thread
From: Paul Moore @ 2017-06-26 20:16 UTC (permalink / raw)
  To: Daniel Jurgens, lvrabec; +Cc: Stephen Smalley, selinux, Yevgeny Petrilin

On Fri, Jun 9, 2017 at 4:23 PM, Daniel Jurgens <danielj@mellanox.com> wrote:
> On 6/9/2017 3:01 PM, Paul Moore wrote:
>> On Fri, Jun 9, 2017 at 10:59 AM, Daniel Jurgens <danielj@mellanox.com> wrote:
>>
>> Should be all set now, let me know if you notice any problems.  I did
>> add a separate third commit to munge the style/formatting (see
>> previous emails); I didn't bother posting it to the list as it is just
>> style changes, but in case anyone is curious, this is the commit:
>>
>>   commit 8e0339cef20d0356d3e115c31a133662e9562e65
>>   Author: Paul Moore <paul@paul-moore.com>
>>   Date:   Fri Jun 9 15:46:37 2017 -0400
>>
>>    infiniband: apply style corrections to the infiniband tests
>>
>>    Patch generated by './tools/check-syntax -f'.
>>
>>    Signed-off-by: Paul Moore <paul@paul-moore.com>
>>
>>> I recall you saying you do most of your testing in VMs on a laptop.  But if you have a system with a free pci-e slot we can ship you an HCA if you'd like to be able to run these yourself.
>> Thank you for the offer, and yes I generally run the tests in a VM,
>> however we've been working on getting something a bit more automated
>> in place for upstream testing (more info on that once everything is
>> sorted out).
>>
>> Let me think about this a bit (and dust off my somewhat neglected
>> testing hardware), I generally try to avoid getting tied to specific
>> hardware, but it is necessary in this case, and I fear that this may
>> be the easiest way to ensure it gets tested regularly.
>>
> OK, just let me know if you want one.  Once the feature works its way back to the mainstream kernel I'll add the tests to our automated regressions too. Thanks for all your help getting this whole thing through review!

FWIW, this was in the pull request I sent up to James, you should see
it arrive in Linus' tree during the upcoming merge window.

> How often does the fedora-selinux project switch the base refpolicy? It needs additions to the unconfined user role to allow access.

My apologies, I just realized I never answered this last question
about Fedora ... the answer is the usual "it depends".  I've added
Lukas Vrabec to this email as he is in charge of the Fedora SELinux
policy.

-- 
paul moore
www.paul-moore.com
