SELinux-Refpolicy Archive on lore.kernel.org
* IB pkey policy problem found via the selinux-testsuite
@ 2019-02-13 21:35 Paul Moore
  2019-02-28 21:58 ` Paul Moore
From: Paul Moore @ 2019-02-13 21:35 UTC
  To: selinux, selinux-refpolicy; +Cc: Lukas Vrabec, danielj

Hello all,

On a fully up-to-date Rawhide system you need the following line added
to the policy/test_ibpkey.te file to get a clean run of the
selinux-testsuite:

  allow test_ibpkey_access_t self:capability { ipc_lock };

The breakage doesn't appear to be due to a kernel change (previously
working kernels now fail), or a Fedora Rawhide policy change (nothing
relevant changed since the last clean run), but I did notice that my
libibverbs package was updated just prior to the breakage.  I haven't
had the time to dig into the library code, but I expect that to be the
source of the problem.

-- 
paul moore
www.paul-moore.com


* Re: IB pkey policy problem found via the selinux-testsuite
  2019-02-13 21:35 IB pkey policy problem found via the selinux-testsuite Paul Moore
@ 2019-02-28 21:58 ` Paul Moore
From: Paul Moore @ 2019-02-28 21:58 UTC
  To: selinux, selinux-refpolicy; +Cc: Lukas Vrabec, danielj

On Wed, Feb 13, 2019 at 4:35 PM Paul Moore <paul@paul-moore.com> wrote:
> Hello all,
>
> On a fully up-to-date Rawhide system you need the following line added
> to the policy/test_ibpkey.te file to get a clean run of the
> selinux-testsuite:
>
>   allow test_ibpkey_access_t self:capability { ipc_lock };
>
> The breakage doesn't appear to be due to a kernel change (previously
> working kernels now fail), or a Fedora Rawhide policy change (nothing
> relevant changed since the last clean run), but I did notice that my
> libibverbs package was updated just prior to the breakage.  I haven't
> had the time to dig into the library code, but I expect that to be the
> source of the problem.

Just to be clear, I don't believe this breakage is limited to the test
suite, I expect any users of the SELinux IB hooks will run into this
problem.  I believe we need to update the upstream and distro
policies.

-- 
paul moore
www.paul-moore.com
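
Added example, not part of the thread or of the selinux-testsuite: a small parser that turns AVC denial records into the kind of allow rule quoted above, which is one way to confirm that a given system is hitting the same ipc_lock denial. The audit records are constructed for illustration (pid, comm, timestamps and MLS ranges are placeholders), and the function names are hypothetical.

```python
import re

# Constructed sample records, not captured from a real run.
# capability=14 is CAP_IPC_LOCK; comm and pid are placeholders.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1550093700.123:456): avc:  denied  { ipc_lock } for  pid=1234 comm="ibpkey_test" capability=14  scontext=unconfined_u:unconfined_r:test_ibpkey_access_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:test_ibpkey_access_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=SYSCALL msg=audit(1550093700.123:456): arch=c000003e syscall=9 success=no exit=-11 comm="ibpkey_test"
type=AVC msg=audit(1550093700.125:457): avc:  denied  { ipc_lock } for  pid=1234 comm="ibpkey_test" capability=14  scontext=unconfined_u:unconfined_r:test_ibpkey_access_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:test_ibpkey_access_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""

AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}.*?"
    r"\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:mls] security context."""
    # The MLS range may contain colons itself, so index rather than unpack.
    return context.split(":")[2]


def denied_rules(log_text):
    """Map (source type, target, class) to the set of denied permissions."""
    rules = {}
    for line in log_text.splitlines():
        match = AVC_DENIED.search(line)
        if not match:
            continue  # SYSCALL and other non-AVC records are skipped
        perms, scontext, tcontext, tclass = match.groups()
        source, target = context_type(scontext), context_type(tcontext)
        if source == target:
            target = "self"  # a domain acting on itself, as with capabilities
        rules.setdefault((source, target, tclass), set()).update(perms.split())
    return rules


def allow_lines(rules):
    """Render the collected denials as policy allow statements."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    print("\n".join(allow_lines(denied_rules(SAMPLE_AUDIT_LOG))))
```
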
