Message ID | 20230228141247.626736-3-omosnace@redhat.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Ondrej Mosnáček |
Series | Infiniband test fixes/improvements |
On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > ibv_get_device_list(3) first tries to get the device list via netlink > and if that fails it falls back to getting it from sysfs. Currently the > policy denies getting it from netlink, generating some denials. Allow > test_ibpkey_access_t the necessary permissions so it can do it the > preferred way and doesn't generate audit AVC noise. > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > policy/test_ibpkey.te | 1 + > 1 file changed, 1 insertion(+) Similar to the other policy issue, it seems like this is a general problem and not specifically a selinux-testsuite issue, right? If that is the case should we fix this in refpol? I think it's okay to put a temporary fix in the test suite, but we should also push to fix this in refpol. > diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te > index 97f0c3c..6835897 100644 > --- a/policy/test_ibpkey.te > +++ b/policy/test_ibpkey.te > @@ -11,6 +11,7 @@ testsuite_domain_type(test_ibpkey_access_t) > typeattribute test_ibpkey_access_t ibpkeydomain; > > allow test_ibpkey_access_t self:capability ipc_lock; > +allow test_ibpkey_access_t self:netlink_rdma_socket create_socket_perms; > > dev_rw_infiniband_dev(test_ibpkey_access_t) > dev_rw_sysfs(test_ibpkey_access_t) > -- > 2.39.2
On Tue, Feb 28, 2023 at 6:01 PM Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > ibv_get_device_list(3) first tries to get the device list via netlink
> > and if that fails it falls back to getting it from sysfs. Currently the
> > policy denies getting it from netlink, generating some denials. Allow
> > test_ibpkey_access_t the necessary permissions so it can do it the
> > preferred way and doesn't generate audit AVC noise.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >  policy/test_ibpkey.te | 1 +
> >  1 file changed, 1 insertion(+)
>
> Similar to the other policy issue, it seems like this is a general
> problem and not specifically a selinux-testsuite issue, right? If
> that is the case should we fix this in refpol? I think it's okay to
> put a temporary fix in the test suite, but we should also push to fix
> this in refpol.

Basically the same as I said in the first paragraph of my reply under
patch 1 applies here, just in this case we are talking about users of
ibv_get_device_list(3) instead of ibv_create_cq(3).
On Wed, Mar 1, 2023 at 10:25 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Tue, Feb 28, 2023 at 6:01 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > ibv_get_device_list(3) first tries to get the device list via netlink
> > > and if that fails it falls back to getting it from sysfs. Currently the
> > > policy denies getting it from netlink, generating some denials. Allow
> > > test_ibpkey_access_t the necessary permissions so it can do it the
> > > preferred way and doesn't generate audit AVC noise.
> > >
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > >  policy/test_ibpkey.te | 1 +
> > >  1 file changed, 1 insertion(+)
> >
> > Similar to the other policy issue, it seems like this is a general
> > problem and not specifically a selinux-testsuite issue, right? If
> > that is the case should we fix this in refpol? I think it's okay to
> > put a temporary fix in the test suite, but we should also push to fix
> > this in refpol.
>
> Basically the same as I said in the first paragraph of my reply under
> patch 1 applies here, just in this case we are talking about users of
> ibv_get_device_list(3) instead of ibv_create_cq(3).

Yeah, let's just tackle this in the other thread, at this point it's a
bit silly to duplicate the discussion.
diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te index 97f0c3c..6835897 100644 --- a/policy/test_ibpkey.te +++ b/policy/test_ibpkey.te @@ -11,6 +11,7 @@ testsuite_domain_type(test_ibpkey_access_t) typeattribute test_ibpkey_access_t ibpkeydomain; allow test_ibpkey_access_t self:capability ipc_lock; +allow test_ibpkey_access_t self:netlink_rdma_socket create_socket_perms; dev_rw_infiniband_dev(test_ibpkey_access_t) dev_rw_sysfs(test_ibpkey_access_t)
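Review bot: The added `allow test_ibpkey_access_t self:netlink_rdma_socket create_socket_perms;` line sits directly under the `self:capability ipc_lock` rule with no comment saying why the test domain needs an RDMA netlink socket. A one-line policy comment above it, noting that ibv_get_device_list(3) tries netlink before falling back to sysfs, would let a later reader tell this rule apart from the permissions the ibpkey test itself exercises, and would make it easy to drop if the access is later granted elsewhere. `create_socket_perms` is also a permission-set macro rather than a list of individual permissions; if the denials being silenced cover only a subset of it, listing that subset would keep the test domain tighter.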
ibv_get_device_list(3) first tries to get the device list via netlink
and if that fails it falls back to getting it from sysfs. Currently the
policy denies getting it from netlink, generating some denials. Allow
test_ibpkey_access_t the necessary permissions so it can do it the
preferred way and doesn't generate audit AVC noise.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_ibpkey.te | 1 +
 1 file changed, 1 insertion(+)