selinux.vger.kernel.org archive mirror
* [PATCH] tests/sctp: reenable the SCTP ASCONF tests
@ 2022-08-09 22:13 Paul Moore
  0 siblings, 0 replies; only message in thread
From: Paul Moore @ 2022-08-09 22:13 UTC (permalink / raw)
  To: selinux

This patch reenables the SCTP ASCONF tests and makes them conditional
on the newly created sctp_socket/asconf_connect permission.  This
ensures that the ASCONF tests will only be run on systems which have
both a properly patched kernel and a policy which enables the new,
correct behavior.

This patch also adds the sctp_socket/bind permission to the
sctp_asconf_deny_param_add_client_t test domain as this is necessary
on patched kernels.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 policy/test_sctp.te |    5 +----
 tests/sctp/test     |   12 ++++++------
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index 363e3c5..5aec2d3 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -223,14 +223,11 @@ domain_type(sctp_asconf_deny_param_add_client_t)
 unconfined_runs_test(sctp_asconf_deny_param_add_client_t)
 typeattribute sctp_asconf_deny_param_add_client_t testdomain;
 typeattribute sctp_asconf_deny_param_add_client_t sctpsocketdomain;
-allow sctp_asconf_deny_param_add_client_t self:sctp_socket { create connect ioctl read getattr write getopt setopt };
+allow sctp_asconf_deny_param_add_client_t self:sctp_socket { create bind connect ioctl read getattr write getopt setopt };
 corenet_sctp_bind_all_nodes(sctp_asconf_deny_param_add_client_t)
 corenet_inout_generic_node(sctp_asconf_deny_param_add_client_t)
 corenet_inout_generic_if(sctp_asconf_deny_param_add_client_t)
 
-# net/sctp/sm_make_chunk.c sctp_process_asconf_param() SCTP_PARAM_ADD_IP and SCTP_PARAM_SET_PRIMARY
-# neverallow sctp_asconf_params_server_t sctp_asconf_deny_param_add_client_t:sctp_socket { connect };
-
 #
 ######################### SECMARK-specific policy ############################
 #
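Review bot: the only permission change in this hunk is the added `bind` in `+allow sctp_asconf_deny_param_add_client_t self:sctp_socket { create bind connect ioctl read getattr write getopt setopt };`; nothing in this hunk grants the new `sctp_socket/asconf_connect` permission that the reenabled tests are gated on. If that permission comes in through the `sctpsocketdomain` attribute declared on the line above, a short comment next to `typeattribute sctp_asconf_deny_param_add_client_t sctpsocketdomain;` would make the dependency visible to the next reader; if it does not, the tests have no domain with that permission and the positive ASCONF cases cannot pass on a patched kernel. Separately, deleting the `# net/sctp/sm_make_chunk.c sctp_process_asconf_param() SCTP_PARAM_ADD_IP and SCTP_PARAM_SET_PRIMARY` comment removes the only pointer to the kernel code path this domain exercises; consider keeping a one-line comment stating which ASCONF parameters this domain is meant to be denied, even if the commented-out neverallow goes.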
diff --git a/tests/sctp/test b/tests/sctp/test
index 5626ab8..4eefbea 100755
--- a/tests/sctp/test
+++ b/tests/sctp/test
@@ -56,12 +56,12 @@ BEGIN {
             }
         }
 
-        if ( $ipaddress[1] ne 0 and $ipaddress[0] ne $ipaddress[1] ) {
-
-# Disable ASCONF tests for now due to a known issue:
-# https://lore.kernel.org/selinux/CAFqZXNsO0HSqP2n3W_Su07LPggUm5_M1tGJBuJDW_VL-pWHOWw@mail.gmail.com/T/
-#$test_count += 3;
-#$test_asconf = 1;
+        if (    $ipaddress[1] ne 0
+            and $ipaddress[0] ne $ipaddress[1]
+            and -e "/sys/fs/selinux/class/sctp_socket/perms/asconf_connect" )
+        {
+            $test_count += 3;
+            $test_asconf = 1;
         }
 
         # SCTP client peeloff has been fixed in kernel 5.18+
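Review bot: the new `-e "/sys/fs/selinux/class/sctp_socket/perms/asconf_connect"` condition checks what the currently loaded policy declares for `sctp_socket`, since selinuxfs class and permission entries are populated from the loaded policy. That satisfies the "policy which enables the new behavior" half of the commit message, but not by itself the "properly patched kernel" half: an unpatched kernel that loads a policy declaring `asconf_connect` will also expose that file, and the three ASCONF tests would then run against kernel behavior they are not written for. Consider pairing the selinuxfs check with a kernel-version gate like the one used for peeloff just below (`# SCTP client peeloff has been fixed in kernel 5.18+`), or adding a comment explaining why the policy-side check is sufficient in practice. Minor: the path hardcodes the selinuxfs mount point; if the script already derives it elsewhere, reuse that.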

