SELinux Archive on lore.kernel.org
 help / color / Atom feed
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org
Cc: Richard Haines <richard_c_haines@btinternet.com>
Subject: Re: [PATCH testsuite v6] policy: use the kernel_request_load_module() interface
Date: Mon, 2 Dec 2019 16:18:02 -0500
Message-ID: <a6ac931f-7a84-cff5-c988-7810c0b0f306@tycho.nsa.gov> (raw)
In-Reply-To: <f8c21ed7-eda6-e63b-7e94-616055852244@tycho.nsa.gov>

On 12/2/19 9:37 AM, Stephen Smalley wrote:
> On 11/28/19 9:08 AM, Ondrej Mosnacek wrote:
>> ...instead of open-coding the rules. Also define a fallback to allow the
>> policy to build even if the interface is not defined.
>>
>> Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests")
>> Cc: Richard Haines <richard_c_haines@btinternet.com>
>> Suggested-by: Stephen Smalley <sds@tycho.nsa.gov>
>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> 
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

Thanks, merged.

> 
>> ---
>>
>> Change in v6: avoid apostrophes in comments
>> Change in v5: call the macro only once for the whole domain
>> Change in v4: fix copy-paste mistakes spotted by Richard
>> Change in v3: use different approach as suggested by Stephen
>> Change in v2: update also tests/Makefile for consistency
>>
>>   policy/test_key_socket.te | 8 +++-----
>>   policy/test_policy.if     | 8 +++++++-
>>   2 files changed, 10 insertions(+), 6 deletions(-)
>>
>> diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
>> index cde426b..64d2cee 100644
>> --- a/policy/test_key_socket.te
>> +++ b/policy/test_key_socket.te
>> @@ -12,8 +12,6 @@ typeattribute test_key_sock_t keysockdomain;
>>   # key_socket rules:
>>   allow test_key_sock_t self:capability { net_admin };
>>   allow test_key_sock_t self:key_socket { create write read setopt };
>> -# For CONFIG_NET_KEY=m
>> -allow test_key_sock_t kernel_t:system { module_request };
>>   ################## Deny capability { net_admin } 
>> ##########################
>>   #
>> @@ -29,7 +27,6 @@ typeattribute test_key_sock_no_net_admin_t testdomain;
>>   typeattribute test_key_sock_no_net_admin_t keysockdomain;
>>   allow test_key_sock_no_net_admin_t self:key_socket { create write 
>> read setopt };
>> -allow test_key_sock_no_net_admin_t kernel_t:system { module_request };
>>   ####################### Deny key_socket { create } 
>> ##########################
>>   type test_key_sock_no_create_t;
>> @@ -50,7 +47,6 @@ typeattribute test_key_sock_no_write_t keysockdomain;
>>   allow test_key_sock_no_write_t self:capability { net_admin };
>>   allow test_key_sock_no_write_t self:key_socket { create read setopt };
>> -allow test_key_sock_no_write_t kernel_t:system { module_request };
>>   ####################### Deny key_socket { read } 
>> ##########################
>>   type test_key_sock_no_read_t;
>> @@ -61,10 +57,12 @@ typeattribute test_key_sock_no_read_t keysockdomain;
>>   allow test_key_sock_no_read_t self:capability { net_admin };
>>   allow test_key_sock_no_read_t self:key_socket { create write setopt };
>> -allow test_key_sock_no_read_t kernel_t:system { module_request };
>>   #
>>   ########### Allow these domains to be entered from sysadm domain 
>> ############
>>   #
>>   miscfiles_domain_entry_test_files(keysockdomain)
>>   userdom_sysadm_entry_spec_domtrans_to(keysockdomain)
>> +
>> +# For CONFIG_NET_KEY=m
>> +kernel_request_load_module(keysockdomain)
>> diff --git a/policy/test_policy.if b/policy/test_policy.if
>> index e1175e8..cefc8fb 100644
>> --- a/policy/test_policy.if
>> +++ b/policy/test_policy.if
>> @@ -76,9 +76,15 @@ interface(`mount_rw_pid_files', `
>>   ')
>>   ')
>> -# Refpolicy doesn't have admin_home_t - assume /root will be 
>> user_home_dir_t.
>> +# Refpolicy does not have admin_home_t - assume /root will be 
>> user_home_dir_t.
>>   ifdef(`userdom_search_admin_dir', `', ` dnl
>>   interface(`userdom_search_admin_dir', `
>>       userdom_search_user_home_content($1)
>>   ')
>>   ')
>> +
>> +# If the macro is not defined, then most probably module_request 
>> permission
>> +# is just not supported (and relevant operations should be just 
>> allowed).
>> +ifdef(`kernel_request_load_module', `', ` dnl
>> +interface(`kernel_request_load_module', `')
>> +')
>>
> 


      reply index

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-28 14:08 Ondrej Mosnacek
2019-12-02 14:37 ` Stephen Smalley
2019-12-02 21:18   ` Stephen Smalley [this message]

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a6ac931f-7a84-cff5-c988-7810c0b0f306@tycho.nsa.gov \
    --to=sds@tycho.nsa.gov \
    --cc=omosnace@redhat.com \
    --cc=richard_c_haines@btinternet.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git