* [PATCH testsuite v6] policy: use the kernel_request_load_module() interface
@ 2019-11-28 14:08 Ondrej Mosnacek
2019-12-02 14:37 ` Stephen Smalley
0 siblings, 1 reply; 3+ messages in thread
From: Ondrej Mosnacek @ 2019-11-28 14:08 UTC (permalink / raw)
To: selinux; +Cc: Richard Haines, Stephen Smalley
...instead of open-coding the rules. Also define a fallback to allow the
policy to build even if the interface is not defined.
Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests")
Cc: Richard Haines <richard_c_haines@btinternet.com>
Suggested-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
Change in v6: avoid apostrophes in comments
Change in v5: call the macro only once for the whole domain
Change in v4: fix copy-paste mistakes spotted by Richard
Change in v3: use different approach as suggested by Stephen
Change in v2: update also tests/Makefile for consistency
policy/test_key_socket.te | 8 +++-----
policy/test_policy.if | 8 +++++++-
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
index cde426b..64d2cee 100644
--- a/policy/test_key_socket.te
+++ b/policy/test_key_socket.te
@@ -12,8 +12,6 @@ typeattribute test_key_sock_t keysockdomain;
# key_socket rules:
allow test_key_sock_t self:capability { net_admin };
allow test_key_sock_t self:key_socket { create write read setopt };
-# For CONFIG_NET_KEY=m
-allow test_key_sock_t kernel_t:system { module_request };
################## Deny capability { net_admin } ##########################
#
@@ -29,7 +27,6 @@ typeattribute test_key_sock_no_net_admin_t testdomain;
typeattribute test_key_sock_no_net_admin_t keysockdomain;
allow test_key_sock_no_net_admin_t self:key_socket { create write read setopt };
-allow test_key_sock_no_net_admin_t kernel_t:system { module_request };
####################### Deny key_socket { create } ##########################
type test_key_sock_no_create_t;
@@ -50,7 +47,6 @@ typeattribute test_key_sock_no_write_t keysockdomain;
allow test_key_sock_no_write_t self:capability { net_admin };
allow test_key_sock_no_write_t self:key_socket { create read setopt };
-allow test_key_sock_no_write_t kernel_t:system { module_request };
####################### Deny key_socket { read } ##########################
type test_key_sock_no_read_t;
@@ -61,10 +57,12 @@ typeattribute test_key_sock_no_read_t keysockdomain;
allow test_key_sock_no_read_t self:capability { net_admin };
allow test_key_sock_no_read_t self:key_socket { create write setopt };
-allow test_key_sock_no_read_t kernel_t:system { module_request };
#
########### Allow these domains to be entered from sysadm domain ############
#
miscfiles_domain_entry_test_files(keysockdomain)
userdom_sysadm_entry_spec_domtrans_to(keysockdomain)
+
+# For CONFIG_NET_KEY=m
+kernel_request_load_module(keysockdomain)
diff --git a/policy/test_policy.if b/policy/test_policy.if
index e1175e8..cefc8fb 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -76,9 +76,15 @@ interface(`mount_rw_pid_files', `
')
')
-# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t.
+# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t.
ifdef(`userdom_search_admin_dir', `', ` dnl
interface(`userdom_search_admin_dir', `
userdom_search_user_home_content($1)
')
')
+
+# If the macro is not defined, then most probably module_request permission
+# is just not supported (and relevant operations should be just allowed).
+ifdef(`kernel_request_load_module', `', ` dnl
+interface(`kernel_request_load_module', `')
+')
--
2.23.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH testsuite v6] policy: use the kernel_request_load_module() interface
2019-11-28 14:08 [PATCH testsuite v6] policy: use the kernel_request_load_module() interface Ondrej Mosnacek
@ 2019-12-02 14:37 ` Stephen Smalley
2019-12-02 21:18 ` Stephen Smalley
0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2019-12-02 14:37 UTC (permalink / raw)
To: Ondrej Mosnacek, selinux; +Cc: Richard Haines
On 11/28/19 9:08 AM, Ondrej Mosnacek wrote:
> ...instead of open-coding the rules. Also define a fallback to allow the
> policy to build even if the interface is not defined.
>
> Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests")
> Cc: Richard Haines <richard_c_haines@btinternet.com>
> Suggested-by: Stephen Smalley <sds@tycho.nsa.gov>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>
> Change in v6: avoid apostrophes in comments
> Change in v5: call the macro only once for the whole domain
> Change in v4: fix copy-paste mistakes spotted by Richard
> Change in v3: use different approach as suggested by Stephen
> Change in v2: update also tests/Makefile for consistency
>
> policy/test_key_socket.te | 8 +++-----
> policy/test_policy.if | 8 +++++++-
> 2 files changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
> index cde426b..64d2cee 100644
> --- a/policy/test_key_socket.te
> +++ b/policy/test_key_socket.te
> @@ -12,8 +12,6 @@ typeattribute test_key_sock_t keysockdomain;
> # key_socket rules:
> allow test_key_sock_t self:capability { net_admin };
> allow test_key_sock_t self:key_socket { create write read setopt };
> -# For CONFIG_NET_KEY=m
> -allow test_key_sock_t kernel_t:system { module_request };
>
> ################## Deny capability { net_admin } ##########################
> #
> @@ -29,7 +27,6 @@ typeattribute test_key_sock_no_net_admin_t testdomain;
> typeattribute test_key_sock_no_net_admin_t keysockdomain;
>
> allow test_key_sock_no_net_admin_t self:key_socket { create write read setopt };
> -allow test_key_sock_no_net_admin_t kernel_t:system { module_request };
>
> ####################### Deny key_socket { create } ##########################
> type test_key_sock_no_create_t;
> @@ -50,7 +47,6 @@ typeattribute test_key_sock_no_write_t keysockdomain;
>
> allow test_key_sock_no_write_t self:capability { net_admin };
> allow test_key_sock_no_write_t self:key_socket { create read setopt };
> -allow test_key_sock_no_write_t kernel_t:system { module_request };
>
> ####################### Deny key_socket { read } ##########################
> type test_key_sock_no_read_t;
> @@ -61,10 +57,12 @@ typeattribute test_key_sock_no_read_t keysockdomain;
>
> allow test_key_sock_no_read_t self:capability { net_admin };
> allow test_key_sock_no_read_t self:key_socket { create write setopt };
> -allow test_key_sock_no_read_t kernel_t:system { module_request };
>
> #
> ########### Allow these domains to be entered from sysadm domain ############
> #
> miscfiles_domain_entry_test_files(keysockdomain)
> userdom_sysadm_entry_spec_domtrans_to(keysockdomain)
> +
> +# For CONFIG_NET_KEY=m
> +kernel_request_load_module(keysockdomain)
> diff --git a/policy/test_policy.if b/policy/test_policy.if
> index e1175e8..cefc8fb 100644
> --- a/policy/test_policy.if
> +++ b/policy/test_policy.if
> @@ -76,9 +76,15 @@ interface(`mount_rw_pid_files', `
> ')
> ')
>
> -# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t.
> +# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t.
> ifdef(`userdom_search_admin_dir', `', ` dnl
> interface(`userdom_search_admin_dir', `
> userdom_search_user_home_content($1)
> ')
> ')
> +
> +# If the macro is not defined, then most probably module_request permission
> +# is just not supported (and relevant operations should be just allowed).
> +ifdef(`kernel_request_load_module', `', ` dnl
> +interface(`kernel_request_load_module', `')
> +')
>
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH testsuite v6] policy: use the kernel_request_load_module() interface
2019-12-02 14:37 ` Stephen Smalley
@ 2019-12-02 21:18 ` Stephen Smalley
0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2019-12-02 21:18 UTC (permalink / raw)
To: Ondrej Mosnacek, selinux; +Cc: Richard Haines
On 12/2/19 9:37 AM, Stephen Smalley wrote:
> On 11/28/19 9:08 AM, Ondrej Mosnacek wrote:
>> ...instead of open-coding the rules. Also define a fallback to allow the
>> policy to build even if the interface is not defined.
>>
>> Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests")
>> Cc: Richard Haines <richard_c_haines@btinternet.com>
>> Suggested-by: Stephen Smalley <sds@tycho.nsa.gov>
>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Thanks, merged.
>
>> ---
>>
>> Change in v6: avoid apostrophes in comments
>> Change in v5: call the macro only once for the whole domain
>> Change in v4: fix copy-paste mistakes spotted by Richard
>> Change in v3: use different approach as suggested by Stephen
>> Change in v2: update also tests/Makefile for consistency
>>
>> policy/test_key_socket.te | 8 +++-----
>> policy/test_policy.if | 8 +++++++-
>> 2 files changed, 10 insertions(+), 6 deletions(-)
>>
>> diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
>> index cde426b..64d2cee 100644
>> --- a/policy/test_key_socket.te
>> +++ b/policy/test_key_socket.te
>> @@ -12,8 +12,6 @@ typeattribute test_key_sock_t keysockdomain;
>> # key_socket rules:
>> allow test_key_sock_t self:capability { net_admin };
>> allow test_key_sock_t self:key_socket { create write read setopt };
>> -# For CONFIG_NET_KEY=m
>> -allow test_key_sock_t kernel_t:system { module_request };
>> ################## Deny capability { net_admin }
>> ##########################
>> #
>> @@ -29,7 +27,6 @@ typeattribute test_key_sock_no_net_admin_t testdomain;
>> typeattribute test_key_sock_no_net_admin_t keysockdomain;
>> allow test_key_sock_no_net_admin_t self:key_socket { create write
>> read setopt };
>> -allow test_key_sock_no_net_admin_t kernel_t:system { module_request };
>> ####################### Deny key_socket { create }
>> ##########################
>> type test_key_sock_no_create_t;
>> @@ -50,7 +47,6 @@ typeattribute test_key_sock_no_write_t keysockdomain;
>> allow test_key_sock_no_write_t self:capability { net_admin };
>> allow test_key_sock_no_write_t self:key_socket { create read setopt };
>> -allow test_key_sock_no_write_t kernel_t:system { module_request };
>> ####################### Deny key_socket { read }
>> ##########################
>> type test_key_sock_no_read_t;
>> @@ -61,10 +57,12 @@ typeattribute test_key_sock_no_read_t keysockdomain;
>> allow test_key_sock_no_read_t self:capability { net_admin };
>> allow test_key_sock_no_read_t self:key_socket { create write setopt };
>> -allow test_key_sock_no_read_t kernel_t:system { module_request };
>> #
>> ########### Allow these domains to be entered from sysadm domain
>> ############
>> #
>> miscfiles_domain_entry_test_files(keysockdomain)
>> userdom_sysadm_entry_spec_domtrans_to(keysockdomain)
>> +
>> +# For CONFIG_NET_KEY=m
>> +kernel_request_load_module(keysockdomain)
>> diff --git a/policy/test_policy.if b/policy/test_policy.if
>> index e1175e8..cefc8fb 100644
>> --- a/policy/test_policy.if
>> +++ b/policy/test_policy.if
>> @@ -76,9 +76,15 @@ interface(`mount_rw_pid_files', `
>> ')
>> ')
>> -# Refpolicy doesn't have admin_home_t - assume /root will be
>> user_home_dir_t.
>> +# Refpolicy does not have admin_home_t - assume /root will be
>> user_home_dir_t.
>> ifdef(`userdom_search_admin_dir', `', ` dnl
>> interface(`userdom_search_admin_dir', `
>> userdom_search_user_home_content($1)
>> ')
>> ')
>> +
>> +# If the macro is not defined, then most probably module_request
>> permission
>> +# is just not supported (and relevant operations should be just
>> allowed).
>> +ifdef(`kernel_request_load_module', `', ` dnl
>> +interface(`kernel_request_load_module', `')
>> +')
>>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-12-02 21:17 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-28 14:08 [PATCH testsuite v6] policy: use the kernel_request_load_module() interface Ondrej Mosnacek
2019-12-02 14:37 ` Stephen Smalley
2019-12-02 21:18 ` Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).