From patchwork Mon Jul 31 14:18:27 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9871883 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id C95FB60365 for ; Mon, 31 Jul 2017 14:14:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C3D7A28409 for ; Mon, 31 Jul 2017 14:14:31 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B8896285C3; Mon, 31 Jul 2017 14:14:31 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from upbd19pa07.eemsg.mail.mil (upbd19pa07.eemsg.mail.mil [214.24.27.82]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 991EC28409 for ; Mon, 31 Jul 2017 14:14:29 +0000 (UTC) X-EEMSG-Attachment-filename: refpolicy-nnptransition.patch Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.2]) by upbd19pa07.eemsg.mail.mil with ESMTP; 31 Jul 2017 14:14:27 +0000 X-Attachment-Exists: TRUE X-IronPort-AV: E=Sophos;i="5.40,442,1496102400"; d="scan'208";a="583250" IronPort-PHdr: =?us-ascii?q?9a23=3AEqxdjxGRBEuhDhpDVkmddJ1GYnF86YWxBRYc798d?= =?us-ascii?q?s5kLTJ7+r8S8bnLW6fgltlLVR4KTs6sC0LuG9f6/EjBfqb+681k6OKRWUBEEjc?= =?us-ascii?q?hE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRo?= =?us-ascii?q?LerpBIHSk9631+ev8JHPfglEnjSwbLdxIRmsrAjctMYajIRgJ60s1hbHv3xEdv?= =?us-ascii?q?hMy2h1P1yThRH85smx/J5n7Stdvu8q+tBDX6vnYak2VKRUAzs6PW874s3rrgTD?= =?us-ascii?q?QhCU5nQASGUWkwFHDBbD4RrnQ5r+qCr6tu562CmHIc37SK0/VDq+46t3ThLjlS?= =?us-ascii?q?kINyQ98GrKlMJ+iqxVqw+lqxBm3YLYfISZOfxjda3fYNwaX3JMUMVRWSJfDI2z?= 
=?us-ascii?q?bYUPD+0dMuhfoIbzukMOoBmjCQSiGuzv0SRFhnrq0aAgyeksCx3K0Q4mEtkTsH?= =?us-ascii?q?rUttL1NKIKXO6o0KnH0y3Db/NI1jf79YPGbxUhruuIXbJ0b8XQyVQkGgTejlqN?= =?us-ascii?q?sozoJC+V1+QRvGib6OpsT+Svi3U9pA1rrTivwdksh5DPi4kIyV7E7T10zJs6KN?= =?us-ascii?q?C3UkJ2YcOoHIFOuyyVKYd6WN4uTmd1sygg0LIGo4S0fC0SxZQiwB7QduKIfpCT?= =?us-ascii?q?4hLmSOaROTB4hG95eL6nhxa970ygyurkW8moyllKtCtFksTXtnwXyxzS6tSISv?= =?us-ascii?q?t6/ku73zaAyxvT5f1eLUAxlKrbL4Ytwr82lpUNrUTOBjL6lUr5gaOMdkgo5/Kk?= =?us-ascii?q?5/rob7n4vJOQKpd4igTkPaQvnsy/D/44Mg8LX2WD4uSzyrnj/Uz/QLVXgfw6i7?= =?us-ascii?q?LWsJfHJcQduqG2HRRV350/6xe/Ezim0NMYkWMBLFJeYh2LlYfpO1bQIPzgF/ew?= =?us-ascii?q?n0yskCt3x/DBJrDhAJLNLn7Zn7f9fbZy8UhcxRExzdBY4ZJUD6sOIOnvWkDvrt?= =?us-ascii?q?zYFQU1Mwuuw+boEN99zJ8RWXqTAq+FN6PfqV2I5uA1LOaQZ48VozH9K/4k5/7w?= =?us-ascii?q?lnI5l1sdfbSm3JQMdXC4GOhmI1iDbXrrmNcBHn8AvhAiQ+zylF2CTTlTam68Xq?= =?us-ascii?q?I94jE7DZypDZ3YS4CjnrOOwSC7HodMaWBeEFCMFnXoeJuYVPcQci6SJdVhkjMc?= =?us-ascii?q?X7i7V4AhzQ2utBP9y7d/M+Xb5igYtZXl1Nhp+uHejg8y+iJuD8Sc0mCNSGd0kn?= =?us-ascii?q?kORzAowKB1uVZ9xUub0ahkn/xYEsRe6O5VUgggL57R1PB1C9f3Wg3dZNiJU0qm?= =?us-ascii?q?Ts+gAT4vUtI728UObFplG9W+khDD2DKnAr8UlryMApw56afc33zoK8Z8zXbKzq?= =?us-ascii?q?8hgEM8QstMNG2mmLBw+xLVB4HXj0WTj7yqergE3C7R6GeDynKDs1pDXwJ3VaXF?= =?us-ascii?q?XGsfZlfNrdjj/UPNUaOhBa48MgRfzc6CK61KasDmjFhdWPjiOM7eY3+qm2uqCx?= =?us-ascii?q?eH3K+MbJHte2UbxindD1IEkw8L93acKQc+Hjuho37ZDDF2C13ve1nj8fN/qHOg?= =?us-ascii?q?VUI01xuFb1dg17qu4h4VgeaTRO8N0b4evychsTp0Fk6n393KE9qAuxZhfKJEbN?= =?us-ascii?q?Mz+ldIz2TZuBB8Ppy7NK1ig0YecwVus0P12RR3EZ9Mkc8wrHMl1AByM76X0Etd?= =?us-ascii?q?dzOE2pD9Ir7XJXPx/BCodq7bwVLe38yV+qcI9fQ0sVLjvBumFkA66XVoz8FV02?= =?us-ascii?q?eA5pXNFAcdS4/+Ulw29xdkvbHXeTMy6J/R1XF2Nqm0qDDC0cozBOQ50hagY8tf?= =?us-ascii?q?MKScGQ/oDsIVGtOjKOMvm1mmdB4EOv5d9LIsNcO8a/SGwLKrPPpnnD++lmRH7p?= =?us-ascii?q?p90kWX9ypgUePIxJAFw/aW3wuCTTj8ik2tssbploBYfTsSBHawyTD4BI5NYa1/?= =?us-ascii?q?ZYgKBn2qI82r2Np+nYXtVmVG9FG9HVMJw9KpeR+IY1z6xw1Q2lwdoWa7liug0z?= 
=?us-ascii?q?x0jzYpo7KD3CPT3uvidQAIOmpQSWZ+ilfsJJS7gMoBXEi0dQQpkgWq5VrizahB?= =?us-ascii?q?uKt/N3XTQVtPfyXuKWFiU6+wtr6cbM5U854nqztYUP67YVyATb79uRQa2Tv5H2?= =?us-ascii?q?RC3DA7ay2qupLhkhxkiWKSMGpzrH3Dec1q2Rjf5NvcRfhe3jcdQCl4iD/XCUKm?= =?us-ascii?q?P9mu59mUkI3Dsu+mXWK7SpJTaTXrzZ+HtCaj4W1qAAa/n+yqlt38Dwc61S7719?= =?us-ascii?q?93VSTHtxv8eZHr16W8MeJmYkZoH0Xw68xkFYFiioEwno0f2WAGhpWJ+noKiX3z?= =?us-ascii?q?MdJf2aL6cnUNXyIEw9nb4QX+w01jM26Gx5njWnWa2MthaMGwYnkK1SIl88BKFK?= =?us-ascii?q?CU4aRHnSRrpFq4thncYftjkTcb0vsu7mAVg/0TtAoq1CWdDagYHVNEMiz0ixSI?= =?us-ascii?q?89e+ob1PZGm1bLiw0FRxnci7A7GEvgFTRmz5d4w/HS9r8Mp/KknM3Gfo6oHjZd?= =?us-ascii?q?nQd84cuQOakxfHlehVJ4w+muAMhSV5JWL3pWclxPIjjRxywZG6u5CKK3tr/K2k?= =?us-ascii?q?GRNYKDv1aN4T+j33i6ZRgNqW1Zi1Hpp9AjULQIfoTfWwHTIKr/vnKgKOHSYgpX?= =?us-ascii?q?eaBbreHRaT6El8oHLJCZyrMGuXJHYBx9V4WBadPFBfgBwTXDgikJ42DAaqxNDm?= =?us-ascii?q?cEd8/T0R6ED3pQZLyuJyLRb/Sn3fpACqajgqVJefMABa7gZY50faKcae9P58Hz?= =?us-ascii?q?lE/p29qwyAMmmbaB5MDWENREOEG0zjMaO06tTb9eiXGPa+L+DSbrqUsexRSe2E?= =?us-ascii?q?xZSx3Yt65zyMLNmAPmF+D/0n3UpORWp5F97XmjkVTiwYjSbNb8mbpRqn4CJ4ss?= =?us-ascii?q?W//O7sWAL16ouFE6FSPsl3+xCqnaeDMPadhChjKTlGy5wM3mXHyL4D3F4VkCFj?= =?us-ascii?q?bCOiHqgFtSLXS6LQgKBXBQYBayxvLMtI87483g5VNM7dkNP6zKZ4juYuBldLVF?= =?us-ascii?q?zhgNqpZdAEI2G8MlPIHkCLO6iHJTLRx8H7e6S8SadfjO9MrR2/pS6bE1P/PjSE?= =?us-ascii?q?jzTmSguvPv9WgyGUJhxRop+9fw12CWf5T9Lmdwe7P8VtgT0y3L00gGnFNXQFPT?= =?us-ascii?q?hgdENNrb2R7SRCjvV5BWNB8mJvLfOYlCaB8+nYNpEWvONwDSR1mOJa53I6xqBI?= =?us-ascii?q?4y5aX/N1mTHdrth0r1GhiOmPxSJtUABSpTZTmIKLoUJiNL3D+ZlPQ3nE4gwC4H?= =?us-ascii?q?6XCxQSudRlDNjvtLpRytjLj63zLzhD/8jT/csGCMjeMNiHP2Y5MRr1BD7UCxMI?= =?us-ascii?q?TSKsNWHanUBdivaS93yLoZg8sZfsgp0ORaFYVFEuCvwaDUFlE8AYL5dsQjMoi7?= =?us-ascii?q?ibg9AU5XCmthneWN1avozbVvKVGfjvKzaYjb1aaBYTxLP4KooTNoPl1Ex+dll6?= =?us-ascii?q?nIPKG0/OUtxXpC1ucBM0ql1X8HdiVm0zx17lagS17X8VC/G7hBo2hxB9YeQq7z?= =?us-ascii?q?fs/004JlzRpCszkUk9g9Plji6NcDTpNqe/QZlWCzbot0g2Kp77WRh6bRaskkN+?= 
=?us-ascii?q?LjfLW7JRgqB7emBqkg/TpJxPGfBETa1efhARxeubZ/M23lRAsi+n31NI5fPZCZ?= =?us-ascii?q?t+kwsnaYOjr3VG2wJlcdE6O6jQJKtSw1dKmK2OpCio2vo2wA8EKEYH6HmSdzIQ?= =?us-ascii?q?uEwUKrkmIDKl8fF25gycmjtMZXMMWuEwrfJw7EM9POqBzzn+3LFfN0CxLe2fL7?= =?us-ascii?q?+ZumTak86HXE8w3FsSl0ZZ5bh2zdsjc02MWkAry7uRDQoGNczDKAFSdMdS+37T?= =?us-ascii?q?fTuUveXK25J1MJ23Fvr0Qu+WqKYUnkWkER4yH4sS6sQBH5+s0FzXLMr8MLEFzh?= =?us-ascii?q?At6xjxK1WeEPRFYhSLnykbo8un1p94wZFdJi0BAWV6KSi35azXpw8wj/qFQNc2?= =?us-ascii?q?YmwXXoQDNnIuRMK2gShZsGpcDDOvyOIW1BCC7yPgpiTXFDT8c9tjZPKTZRNwCN?= =?us-ascii?q?G3+S4y/LW3iV/X6JrRPHv2NdJ8td/T8ekavYqIC+tITblhtEfRg5NXR3irU2HT?= =?us-ascii?q?D9G6P53waokqbdzzDHa1SEeyhCk0T8jrOtahN6aIgRzySYZSroabwCgpNdWhGT?= =?us-ascii?q?EGBxdwu+YD6bpnagIdZZo2egTnuBkgN6OhOgeYyc+hQ3ytKDdMSPlf1+q6baRN?= =?us-ascii?q?zyUwdu+61GcgTpYiwum47E4NRZUKjhXAyvamfIRRTDb8FWdcewrVoyo1jW9hNv?= =?us-ascii?q?w9wu0n2hPHrUEcMyyXdOxucGFEpdc8BVKOLnV2DWo4Q0Scg5La7ACxxb4f4yxT?= =?us-ascii?q?ks1I3u1CtXjxooXQYCmwWKCxr5XarTYgZ8A8o6JtKYzjPteGtJTGkzzFVpbQqA?= =?us-ascii?q?qFXzWhGvpGgNhfOjxYT+dMmWEkP8wGto5B6Us+Vsc+O7xPBrMjpqqvaTZ+Cy4d?= =?us-ascii?q?0zMZXZua3DMemue8x6falhCIfZUsKhALrJVCgtoYUy53eCwep7SuV4TImGCaVG?= =?us-ascii?q?cHOgAT7R5D5AgYjI9/Yvjl4JbUTJ9L0zNZueh0UjbNFpVy9Fv2UWCWgVn5SPW9?= =?us-ascii?q?iOOlxwRSw+zw0tMDQh5wFVBdx/pKlksvMLx3Kq8QvpLUvT+Ma0z6uXziyPe8JF?= =?us-ascii?q?hR0sDUcEX4A5TDtWr5SCIc+HkUSpRIyHDQD5gSlBB5aKkzrlVWPI+mYlr+5yAj?= =?us-ascii?q?x4lxELm4T9qkx1A5rXsdRieqFNRAC+d6sFLXRjJlYparqIn7NJVIWGNQ/oOSq0?= =?us-ascii?q?tBmkV3LyG50YZcK91K4jMUQDhPpjCdscCuSMFf3M95FIUAItFhtHfhAKlEIoSe?= =?us-ascii?q?o2UqurzzzX/U4zA8v02gxDqpH6+3UvlU8HAAFQUxP2SRtE0vAPU28mvI9VDNqF?= =?us-ascii?q?909f9BBreTlUVxvCp9HpdWCzZL0nCqMU9+Q2RYvOVBNqvVadBcTOcvahO1PRwx?= =?us-ascii?q?C+Im1VST/U5ohXf5fzBytgxC9i/GUQk7STUZj7XwlTAQscyoJTgaS5dUYjo7dC?= =?us-ascii?q?fFNxiXmSZJsxZDc0tqQYwWAs5Z+7EH2otZ5tDCRlixJiEFRhNiKhk10f5YlU5d?= =?us-ascii?q?rkqUZzzSDQ21evnRqBF3e9merNKxJvTj4AhHkp/nsPw/96gbX32mghGtTsrDoI?= 
=?us-ascii?q?/grdCKrUyOdLriM+Kgf3DBSiTMjQqqircgFZXK+DLTMAVDIZlg1XUkeYThCXLM?= =?us-ascii?q?PRleO6IbPVRUWr5nZthdv+BaY9NkeLwT9q9zBxKHQRfvF5KzrPVcKVbTXzveJT?= =?us-ascii?q?2b8uOjuYLT8aDdSe/4a8yO3XnHWaV3Pox+6TbhBbfnyope+lfy2vdx90N1VVnG?= =?us-ascii?q?PDqHrNT6PA8L49OidkT6tJ0zATzWGItwkGbqxkxYdcoYWSuq8JoCyJNe9Xn/V/?= =?us-ascii?q?l10lTpv+1U7Llk7pM747Z3xseoPa3SM+hVsVd7AhiIAQVn7pMtAGxkSmBQZO8R?= =?us-ascii?q?Le3dfaUfjcDgseD4DbcX6AGP++xEddTHO1zBmtOhBT2GThxEhggBoyYALgSAz/?= =?us-ascii?q?6Fh7N0ScG9qOj/20Ii/1++Lhocw7B2/4uE+62IpOjMbxvK1rUEX6fnR8zporQr?= =?us-ascii?q?oUOS6uUulKQSdWxtfw2nDO8dW9YByWj6yaAl0zksE9/DHrLn4/NDTG42njP+lJ?= =?us-ascii?q?B7A1UWG+kbEaCN/YtAgmcyg/bZOcEOcqBehmaPEgapErsZyX6u6yaaO2dljQ/T?= =?us-ascii?q?3BH3W2O89kf2rTV/QSvO0djsjlZVWqOwBUdIUCqjIVV4vy+XPAr0qNr3vrw47E?= =?us-ascii?q?M3Mmzhr9+NkXWuObNJEM3lJdycJyY0qEgRjJIvWtylwZobFsalINcN7HF+aePT?= =?us-ascii?q?62KqkiBbuahIm5HT4tqL9fXLA3avk7eWq7KXxDBX0nI4p00w6si8NvHS4N2HW+?= =?us-ascii?q?+n12cKTyZxoQTBXR+1qqDDr18OJEyL1FzGl5ANPt5Ew3Y3zFzm5PIkQNIp7gpS?= =?us-ascii?q?DIHAZ+kNpTrrIjv73U6fY84rVimZyzZXBkj6EUVkF6g81mPwu9jJlXTJ910zWI?= =?us-ascii?q?Zwc03nhRpqD4Q3Mk8t8EIYwjYfHggNZxGbC6uoBUf/IYsHS0cDcxKH06a+eqst?= =?us-ascii?q?2k1z2Lyv7vfJbeNgH6oNKupdjgmWkVhHAJIZr6keT6h6e1BD76PYuwniC4fmX/?= =?us-ascii?q?j6j3UwLue6QtpH8cwDsXst/Bq/TQK66Zhf97YblIyIdqlcbJjDps989Vlo5SIP?= =?us-ascii?q?diFWhBh/jg+5Xv4cpO/5/9jbq4Ck6uCwW6YxX+8X7QQ7B3xij5vsh1Auud7X2P?= =?us-ascii?q?laSo3JjoT/9wdBI2WUt4be0hl8L/cOKo2wcbZk6XoHPSgfKGgUMdqQdfY8/zdn?= =?us-ascii?q?MC/P6FxaHsMMedQYMdLRlgBWkELmRKpe+dbcGl+cD4dzdt4n73DryD8r7ZQ8Uv?= =?us-ascii?q?zs6DisJZDQ91tNJe9MjD1wlNLeo+gY2f/SCC8R4XmFZBh63DiPy5yMC/nq++WD?= =?us-ascii?q?1s3UVl0BHi4sUIddPyCO+Qq5SeqpjJ/pSB+b6tfvgJIic0KdXnOxk7gesqZXCO?= =?us-ascii?q?JOlyr10D5fFoDzmvKUvMGh6GRStlJdFoZ88wfJGKJFPpV0IR74jNWkRlBgBivj?= =?us-ascii?q?f8HZbhguuO2WxucK+elxK0v+ZYsGIh0ZyrP66HxVThBtSL73pVuZQ+MRZMV8R/?= =?us-ascii?q?PAs39V6JhsK6kRM1iBvJbqtCtHqEgqAA81b789tj1adlfUkw1TQKv0vKMAhRYd?= 
=?us-ascii?q?Ud5+ok9AA2WwOHgx5zDfT6RakLGRCOAJ8jWUVqEOUVtnMi1wQxOxw5hvdaGmnf?= =?us-ascii?q?ZZvWNahC99puYl0yB+ThumpSLsv74N2S4n+LyguzUBvXtFT+uAnCfMDVVO1+8K?= =?us-ascii?q?jaAaC3bj9VOwen8DY5Xu4LN/P8Tv6ZEh42gjYRUkZyAGX+SgCiHoj6OPBoyPsc?= =?us-ascii?q?5ciwCWtcXLbL+zMTISOaonxRLkXXh93RDUnAx0/2sTXjWg8NgkKZ2hOcYkwyql?= =?us-ascii?q?AnTbdFcQ7aNKrsTxsUQHTO0oZlN92G9jyNSIRjURRMzTHGY4lg0kaWRHcJJA7h?= =?us-ascii?q?8XDKsojSyLvqlB+AEbfjHUHp6j+obOgcfCwWM9QstyxmLKuq2FgYsn32Z7lNNy?= =?us-ascii?q?8i6Do28Sd+jfU89wHnjzyJlQxvHka/WqqOAHR5NsyK69X/8aLsmj5Wy21Y1yWk?= =?us-ascii?q?+iwrQRBUC5MeEExrffXSeoUmiYWeOMc2iXgTk2LlTy5R6zLl0sacdKqUA9PvHF?= =?us-ascii?q?hp5GmA3rSal0STmIpV/H0GwjNvsXdwwot4ejegwKVPAeavOdJOgvxf0+DUUDb2?= =?us-ascii?q?XNHSRoEeO2tkStnIdjMXV6/Ur6efjt8hzhMNaKFBgECZTarp9t9vOkXW+BPH5g?= =?us-ascii?q?zAFoPEZq7evfEE4xtuBEeZaLgdfQn8h70fICd/p1Ni09vsAcl5l76YmQysiKag?= =?us-ascii?q?3RzpfuKtHJuPiXHePQw14sem5ETroTeRn16JkiPt4lR73TGqNUvRAdBag8XZwg?= =?us-ascii?q?OH799KV1LANobg7Rf6+5gsjwqeKNYZtYvXjW7kg/LC3EoR0M1uS0TRBnb5Ctn3?= =?us-ascii?q?jyO44/RjZAr91rFxtnE4xDFcwcrwqnHZGUgr+0i8er9E5huO8Fr7DwCvbU29S9?= =?us-ascii?q?xIpxQpda6VaMPDbLC6lhml5lgfiqgvfczpnxDtvvedYeW+dnQm7Fa7nGHoKkJz?= =?us-ascii?q?KQO8L8fVBJ87qd0LJ/TxWQazr1X62ctC2rLP9k+1k0ypRkfOrPyzwg97Pb18Hx?= =?us-ascii?q?Z2FcvSiutmOJNJ1D7FzKAuzeQh1USfqZ8Gp/G60Yc5f0/v8UMdM+2Nic/xVz7D?= =?us-ascii?q?Na3cuHJqihqVXM2lh6dZLAN0bp3Tw2WYwULxS+K0cshnXZqnvFC3RGMsekMdVt?= =?us-ascii?q?gMqSDhH1/Elxl2QtaXJAF2frXtqRJ3YU29i/ZAyL8wJLCcwPn+ipdk4k5eWOTr?= =?us-ascii?q?xzN5FEn/i6nKkWmtZubSfUTY5VOD+DAqVxO29qEujXpFUuKiUBurwxV5Z9MYOC?= =?us-ascii?q?O2sbIUyAzmX01gKE3krqIY//nJ2VKTobpy0Uh4nO1iJB8kzj4fs=3D?= X-IPAS-Result: =?us-ascii?q?A2D9AQD7OX9Z/wHyM5BcGQEBAQECAQEBAQgBAQEBFQEBAQE?= =?us-ascii?q?CAQEBAQgBAQEBgwUrgWUTjwCPBYFrmBMHJIkmVwEBAQEBAQEBAgFqKIIzJIJBA?= =?us-ascii?q?QEBAQIBAQIXCVkDCQEBCAINCyYEAgICAQFTGQWICU+BRQUIkGWdZIImIgKLOw+?= =?us-ascii?q?DKIhViAeCYQWJYYhsjSKEMIIejVmLSoZzlXJXgQooCgIfCCIPhRsBQxyCA1qKL?= =?us-ascii?q?wEBAQ?= Received: from unknown (HELO 
tarius.tycho.ncsc.mil) ([144.51.242.1]) by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 31 Jul 2017 14:14:14 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v6VEEBuB001930; Mon, 31 Jul 2017 10:14:11 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v6VEDjdH055106 for ; Mon, 31 Jul 2017 10:13:45 -0400 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v6VEDali001634; Mon, 31 Jul 2017 10:13:36 -0400 Message-ID: <1501510707.9814.10.camel@tycho.nsa.gov> From: Stephen Smalley To: selinux@tycho.nsa.gov Date: Mon, 31 Jul 2017 10:18:27 -0400 In-Reply-To: <20170731141501.14430-1-sds@tycho.nsa.gov> References: <20170731141501.14430-1-sds@tycho.nsa.gov> Organization: National Security Agency X-Mailer: Evolution 3.22.6 (3.22.6-2.fc25) Mime-Version: 1.0 Subject: Re: [PATCH v2] selinux-testsuite: Add tests for transitions under NNP/nosuid X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.21 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP On Mon, 2017-07-31 at 10:15 -0400, Stephen Smalley wrote: > Duplicate the existing tests for transitions under NNP for > transitions on a nosuid mount, and then augment both the NNP > and nosuid tests to also test the new support for allowing > transitions based on nnp_transition and/or nosuid_transition > permission if the nnp_nosuid_transition policy capability is > enabled.  Test NNP and nosuid independently and together. Attached is the refpolicy patch I used for testing. Note that both new permissions are now in the process2 class. 
> > Signed-off-by: Stephen Smalley > --- > v2 merges the nnp and nosuid tests together since they overlap > significantly in policy and code, and adds new tests for the > case where both NNP and nosuid are enabled. > >  policy/Makefile                      |   6 +- >  policy/test_nnp.te                   |  34 ------- >  policy/test_nnp_nosuid.te            |  85 +++++++++++++++++ >  tests/Makefile                       |  10 +- >  tests/nnp/test                       |  44 --------- >  tests/{nnp => nnp_nosuid}/Makefile   |   0 >  tests/{nnp => nnp_nosuid}/checkcon.c |   0 >  tests/{nnp => nnp_nosuid}/execnnp.c  |  38 ++++++-- >  tests/nnp_nosuid/test                | 179 > +++++++++++++++++++++++++++++++++++ >  9 files changed, 303 insertions(+), 93 deletions(-) >  delete mode 100644 policy/test_nnp.te >  create mode 100644 policy/test_nnp_nosuid.te >  delete mode 100755 tests/nnp/test >  rename tests/{nnp => nnp_nosuid}/Makefile (100%) >  rename tests/{nnp => nnp_nosuid}/checkcon.c (100%) >  rename tests/{nnp => nnp_nosuid}/execnnp.c (62%) >  create mode 100755 tests/nnp_nosuid/test > > diff --git a/policy/Makefile b/policy/Makefile > index b728a9e..1dafc65 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -16,7 +16,7 @@ TARGETS = \ >   test_entrypoint.te test_execshare.te test_exectrace.te \ >   test_execute_no_trans.te test_fdreceive.te test_file.te \ >   test_inherit.te test_ioctl.te test_ipc.te test_link.te > test_mkdir.te \ > - test_nnp.te test_open.te test_ptrace.te test_readlink.te \ > + test_nnp_nosuid.te test_open.te test_ptrace.te > test_readlink.te \ >   test_relabel.te test_rename.te test_rxdir.te test_setattr.te > \ >   test_setnice.te test_sigkill.te test_stat.te test_sysctl.te > \ >   test_task_create.te test_task_getpgid.te > test_task_getsched.te \ 
> @@ -57,6 +57,10 @@ ifeq ($(shell grep -q all_file_perms.*map > $(POLDEV)/include/support/all_perms.sp >  export M4PARAM = -Dmap_permission_defined >  endif >   > +ifeq ($(shell grep -q nnp_transition > $(POLDEV)/include/support/all_perms.spt && echo true),true) > +export M4PARAM += -Dnnp_nosuid_transition_permission_defined > +endif > + >  ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) >  TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) >  endif > diff --git a/policy/test_nnp.te b/policy/test_nnp.te > deleted file mode 100644 > index 54ebfd3..0000000 > --- a/policy/test_nnp.te > +++ /dev/null > @@ -1,34 +0,0 @@ > -################################# > -# > -# Policy for testing NO_NEW_PRIVS transitions. > -# > - > -# A domain bounded by the unconfined domain. > -type test_nnp_bounded_t; > -domain_type(test_nnp_bounded_t) > -typeattribute test_nnp_bounded_t testdomain; > -typebounds unconfined_t test_nnp_bounded_t; > - > -# The entrypoint type for this domain. > -type test_nnp_bounded_exec_t; > -files_type(test_nnp_bounded_exec_t) > -domain_entry_file(test_nnp_bounded_t, test_nnp_bounded_exec_t) > -domain_entry_file(unconfined_t, test_nnp_bounded_exec_t) > - > -# Run it!  This should succeed on v3.18 or later, fail on older > kernels. > -unconfined_runs_test(test_nnp_bounded_t) > -unconfined_run_to(test_nnp_bounded_t, test_nnp_bounded_exec_t) > - > -# A domain that is not bounded by the unconfined domain. > -type test_nnp_notbounded_t; > -domain_type(test_nnp_notbounded_t) > -typeattribute test_nnp_notbounded_t testdomain; > - > -# The entrypoint type for this domain. > -type test_nnp_notbounded_exec_t; > -files_type(test_nnp_notbounded_exec_t) > -domain_entry_file(test_nnp_notbounded_t, test_nnp_notbounded_exec_t) > - > -# Run it!  This should fail always. > -unconfined_runs_test(test_nnp_notbounded_t) > -unconfined_run_to(test_nnp_notbounded_t, test_nnp_notbounded_exec_t) 
> diff --git a/policy/test_nnp_nosuid.te b/policy/test_nnp_nosuid.te > new file mode 100644 > index 0000000..06fe145 > --- /dev/null > +++ b/policy/test_nnp_nosuid.te 
> @@ -0,0 +1,85 @@ > +################################# > +# > +# Policy for testing NO_NEW_PRIVS and nosuid transitions. > +# > + > +# A domain bounded by the unconfined domain. > +type test_bounded_t; > +domain_type(test_bounded_t) > +typeattribute test_bounded_t testdomain; > +typebounds unconfined_t test_bounded_t; > + > +# The entrypoint type for this domain. > +type test_bounded_exec_t; > +files_type(test_bounded_exec_t) > +domain_entry_file(test_bounded_t, test_bounded_exec_t) > +domain_entry_file(unconfined_t, test_bounded_exec_t) > + > +# Run it!  This should succeed on v3.18 or later, fail on older > kernels. > +unconfined_runs_test(test_bounded_t) > +unconfined_run_to(test_bounded_t, test_bounded_exec_t) > + > +# A domain that is not bounded by the unconfined domain. > +type test_notbounded_t; > +domain_type(test_notbounded_t) > +typeattribute test_notbounded_t testdomain; > + > +# The entrypoint type for this domain. > +type test_notbounded_exec_t; > +files_type(test_notbounded_exec_t) > +domain_entry_file(test_notbounded_t, test_notbounded_exec_t) > + > +# Run it!  This should fail always. > +unconfined_runs_test(test_notbounded_t) > +unconfined_run_to(test_notbounded_t, test_notbounded_exec_t) > + > +# A domain to which the unconfined domain is allowed nnp_transition. > +type test_nnptransition_t; > +domain_type(test_nnptransition_t) > +typeattribute test_nnptransition_t testdomain; > + > +# The entrypoint type for this domain. > +type test_nnptransition_exec_t; > +files_type(test_nnptransition_exec_t) > +domain_entry_file(test_nnptransition_t, test_nnptransition_exec_t) > + > +# Run it!  This should succeed on v4.14 or later. > +unconfined_runs_test(test_nnptransition_t) > +unconfined_run_to(test_nnptransition_t, test_nnptransition_exec_t) > +ifdef(`nnp_nosuid_transition_permission_defined', ` > +allow unconfined_t test_nnptransition_t:process2 nnp_transition; > +') > + > +# A domain to which the unconfined domain is allowed > nosuid_transition. 
> +type test_nosuidtransition_t; > +domain_type(test_nosuidtransition_t) > +typeattribute test_nosuidtransition_t testdomain; > + > +# The entrypoint type for this domain. > +type test_nosuidtransition_exec_t; > +files_type(test_nosuidtransition_exec_t) > +domain_entry_file(test_nosuidtransition_t, > test_nosuidtransition_exec_t) > + > +# Run it!  This should succeed on v4.14 or later. > +unconfined_runs_test(test_nosuidtransition_t) > +unconfined_run_to(test_nosuidtransition_t, > test_nosuidtransition_exec_t) > +ifdef(`nnp_nosuid_transition_permission_defined', ` > +allow unconfined_t test_nosuidtransition_t:process2 > nosuid_transition; > +') > + > +# A domain to which the unconfined domain is allowed both > nosuid_transition and nnp_transition. > +type test_nnpnosuidtransition_t; > +domain_type(test_nnpnosuidtransition_t) > +typeattribute test_nnpnosuidtransition_t testdomain; > + > +# The entrypoint type for this domain. > +type test_nnpnosuidtransition_exec_t; > +files_type(test_nosuidtransition_exec_t) > +domain_entry_file(test_nnpnosuidtransition_t, > test_nnpnosuidtransition_exec_t) > + > +# Run it!  This should succeed on v4.14 or later. > +unconfined_runs_test(test_nnpnosuidtransition_t) > +unconfined_run_to(test_nosuidtransition_t, > test_nnpnosuidtransition_exec_t) > +ifdef(`nnp_nosuid_transition_permission_defined', ` > +allow unconfined_t test_nnpnosuidtransition_t:process2 { > nnp_transition nosuid_transition }; > +') > diff --git a/tests/Makefile b/tests/Makefile > index f42fe7e..f9cc5ac 100644 > --- a/tests/Makefile > +++ b/tests/Makefile 
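Review bot: In the test_nnpnosuidtransition_t stanza, two lines still name the nosuid-only types, which looks like a copy/paste slip. `files_type(test_nosuidtransition_exec_t)` repeats the earlier declaration and leaves test_nnpnosuidtransition_exec_t without one, and `unconfined_run_to(test_nosuidtransition_t, test_nnpnosuidtransition_exec_t)` ties the new entrypoint type to the wrong domain. They should read `files_type(test_nnpnosuidtransition_exec_t)` and `unconfined_run_to(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t)`. As written, the combined NNP+nosuid case presumably lacks the run-to rules for its own domain, so a pass or fail there may not reflect the nnp_transition/nosuid_transition check it is meant to cover.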
> @@ -9,8 +9,8 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace > execute_no_trans \ >   rxdir sem setattr setnice shm sigkill stat sysctl > task_create \ >   task_setnice task_setscheduler task_getscheduler task_getsid > \ >   task_getpgid task_setpgid file ioctl capable_file > capable_net \ > - capable_sys dyntrans dyntrace bounds nnp mmap unix_socket > inet_socket \ > - overlay checkreqprot mqueue mac_admin infiniband_pkey \ > + capable_sys dyntrans dyntrace bounds nnp_nosuid mmap > unix_socket \ > +        inet_socket overlay checkreqprot mqueue mac_admin > infiniband_pkey \ >   infiniband_endport atsecure >   >  ifeq ($(shell grep -q cap_userns > $(POLDEV)/include/support/all_perms.spt && echo true),true) > @@ -32,15 +32,15 @@ SUBDIRS += prlimit >  endif >   >  ifeq ($(DISTRO),RHEL4) > -    SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap > nnp overlay unix_socket, $(SUBDIRS)) > +    SUBDIRS:=$(filter-out bounds dyntrace dyntrans inet_socket mmap > nnp_nosuid overlay unix_socket, $(SUBDIRS)) >  endif >   >  ifeq ($(DISTRO),RHEL5) > -    SUBDIRS:=$(filter-out bounds inet_socket mmap nnp overlay > unix_socket, $(SUBDIRS)) > +    SUBDIRS:=$(filter-out bounds inet_socket mmap nnp_nosuid overlay > unix_socket, $(SUBDIRS)) >  endif >   >  ifeq ($(DISTRO),RHEL6) > -    SUBDIRS:=$(filter-out nnp overlay, $(SUBDIRS)) > +    SUBDIRS:=$(filter-out nnp_nosuid overlay, $(SUBDIRS)) >  endif >   >  ifeq ($(DISTRO),RHEL7) > diff --git a/tests/nnp/test b/tests/nnp/test > deleted file mode 100755 > index 4c7e010..0000000 > --- a/tests/nnp/test > +++ /dev/null 
> @@ -1,44 +0,0 @@ > -#!/usr/bin/perl > - > -use Test; > -BEGIN { plan tests => 4 } > - > -$basedir = $0; > -$basedir =~ s|(.*)/[^/]*|$1|; > - > -# Remove any leftover programs from prior failed runs. > -system("rm -f $basedir/true"); > - > -# Set entrypoint type for bounded domain. > -system("chcon -t test_nnp_bounded_exec_t $basedir/checkcon"); > - > -# Transition to bounded type via setexec. > -$result = system( > -"$basedir/execnnp runcon -t test_nnp_bounded_t $basedir/checkcon > test_nnp_bounded_t 2>&1" > -); > -ok( $result, 0 );    #this should pass > - > -# Automatic transition to bounded domain via exec. > -$result = system("$basedir/execnnp $basedir/checkcon > test_nnp_bounded_t 2>&1"); > -ok( $result, 0 );    #this should pass > - > -# Use true as an entrypoint program to test ability to exec at all. > -system("cp /bin/true $basedir/true"); > - > -# Set entrypoint type for notbounded domain. > -system("chcon -t test_nnp_notbounded_exec_t $basedir/checkcon > $basedir/true"); > - > -# Transition to notbounded domain via setexec. > -$result = > -  system("$basedir/execnnp runcon -t test_nnp_notbounded_t > $basedir/true 2>&1"); > -ok($result);         #this should fail > - > -# Automatic transition to notbounded domain via exec. > -$result = > -  system("$basedir/execnnp $basedir/checkcon test_nnp_notbounded_t > 2>&1"); > -ok($result);         #this should fail > - > -# Cleanup. > -system("rm -f $basedir/true"); > - > -exit; > diff --git a/tests/nnp/Makefile b/tests/nnp_nosuid/Makefile > similarity index 100% > rename from tests/nnp/Makefile > rename to tests/nnp_nosuid/Makefile > diff --git a/tests/nnp/checkcon.c b/tests/nnp_nosuid/checkcon.c > similarity index 100% > rename from tests/nnp/checkcon.c > rename to tests/nnp_nosuid/checkcon.c > diff --git a/tests/nnp/execnnp.c b/tests/nnp_nosuid/execnnp.c > similarity index 62% > rename from tests/nnp/execnnp.c > rename to tests/nnp_nosuid/execnnp.c > index d8f1986..822336c 100644 > --- a/tests/nnp/execnnp.c 
> +++ b/tests/nnp_nosuid/execnnp.c > @@ -2,24 +2,42 @@ >  #include >  #include >  #include > +#include >  #include >  #include >  #include >  #include >  #include >   > +static void usage(const char *progname) > +{ > + fprintf(stderr, "usage: %s [-n] command [args...]\n", > progname); > + exit(-1); > +} > + >  int main(int argc, char **argv) >  { >   bool nobounded; >   struct utsname uts; >   pid_t pid; >   int rc, status; > + int opt; > + bool nnp = false; >   > - if (argc < 2) { > - fprintf(stderr, "usage:  %s command [args...]\n", > argv[0]); > - exit(-1); > + while ((opt = getopt(argc, argv, "n")) != -1) { > + switch (opt) { > + case 'n': > + nnp = true; > + break; > + default: > + usage(argv[0]); > + break; > + } >   } >   > + if ((argc - optind) < 2) > + usage(argv[0]); > + >   if (uname(&uts) < 0) { >   perror("uname"); >   exit(-1); > @@ -28,10 +46,12 @@ int main(int argc, char **argv) >   nobounded = ((strcmp(argv[argc - 1], "test_nnp_bounded_t") > == 0) && >        (strverscmp(uts.release, "3.18") < 0)); >   > - rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); > - if (rc < 0) { > - perror("prctl PR_SET_NO_NEW_PRIVS"); > - exit(-1); > + if (nnp) { > + rc = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); > + if (rc < 0) { > + perror("prctl PR_SET_NO_NEW_PRIVS"); > + exit(-1); > + } >   } >   >   pid = fork(); > @@ -41,8 +61,8 @@ int main(int argc, char **argv) >   } >   >   if (pid == 0) { > - execvp(argv[1], &argv[1]); > - perror(argv[1]); > + execvp(argv[optind], &argv[optind]); > + perror(argv[optind]); >   exit(-1); >   } >   > diff --git a/tests/nnp_nosuid/test b/tests/nnp_nosuid/test > new file mode 100755 > index 0000000..cf2e6b4 > --- /dev/null > +++ b/tests/nnp_nosuid/test 
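Review bot: The new operand check `if ((argc - optind) < 2)` rejects a bare command, although usage() advertises `command [args...]` and the replaced `argc < 2` check accepted one. Unless two operands are really required, `if ((argc - optind) < 1)` matches the usage text. Separately, glibc getopt() permutes argv by default, so an option meant for the command (runcon's `-t`, for instance) is parsed here unless the caller passes `--`, as the test script does. An optstring of `"+n"` stops parsing at the first non-option; otherwise the usage line should show the `--`. main() continues beyond this hunk.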
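Review bot: The unchanged context line `strcmp(argv[argc - 1], "test_nnp_bounded_t")` still compares against the old type name, so nobounded can no longer become true. The same patch renames that type to test_bounded_t in policy/test_nnp_nosuid.te and in every invocation in tests/nnp_nosuid/test. Whatever pre-3.18 handling depends on nobounded lies outside this hunk and would then never apply, so bounded-transition cases on older kernels would be reported as plain failures. The literal should become `"test_bounded_t"`.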
> @@ -0,0 +1,179 @@ > +#!/usr/bin/perl > + > +use Test; > + > +BEGIN { > +    $test_count                 = 8; > +    $test_nnp_nosuid_transition = 0; > + > +    if ( > +        system( > +"grep -q 1 /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition > 2> /dev/null" > +        ) == 0 > +      ) > +    { > +        $test_nnp_nosuid_transition = 1; > +        $test_count += 9; > +    } > + > +    plan tests => $test_count; > +} > + > +$basedir = $0; > +$basedir =~ s|(.*)/[^/]*|$1|; > + > +# Remove any leftover programs from prior failed runs. > +system("rm -f $basedir/true"); > + > +# Set entrypoint type for bounded domain under NNP. > +system("chcon -t test_bounded_exec_t $basedir/checkcon"); > + > +# Create nosuid mount. > +system("mkdir -p $basedir/testdir"); > +system("mount -t tmpfs -o nosuid none $basedir/testdir"); > + > +# Set entrypoint type for bounded domain under nosuid. > +system("cp $basedir/checkcon $basedir/testdir"); > +system("chcon -t test_bounded_exec_t $basedir/testdir/checkcon"); > + > +# Transition under NNP to bounded type via setexec. > +$result = system( > +"$basedir/execnnp -n -- runcon -t test_bounded_t $basedir/checkcon > test_bounded_t 2>&1" > +); > +ok( $result, 0 );    #this should pass > + > +# Transition on nosuid to bounded type via setexec. > +$result = system( > +"$basedir/execnnp -- runcon -t test_bounded_t > $basedir/testdir/checkcon test_bounded_t 2>&1" > +); > +ok( $result, 0 );    #this should pass > + > +# Automatic transition under NNP to bounded domain via exec. > +$result = > +  system("$basedir/execnnp -n -- $basedir/checkcon test_bounded_t > 2>&1"); > +ok( $result, 0 );    #this should pass > + > +# Automatic transition on nosuid to bounded domain via exec. > +$result = > +  system( "$basedir/execnnp -- $basedir/testdir/checkcon > test_bounded_t 2>&1" ); > +ok( $result, 0 );    #this should pass > + > +# Use true as an entrypoint program to test ability to exec at all. 
> +system("cp /bin/true $basedir/true"); > +system("cp /bin/true $basedir/testdir/true"); > + > +# Set entrypoint type for notbounded domain. > +system( "chcon -t test_notbounded_exec_t $basedir/checkcon > $basedir/true" ); > +system( > +"chcon -t test_notbounded_exec_t $basedir/testdir/checkcon > $basedir/testdir/true" > +); > + > +# Transition under NNP to notbounded domain via setexec. > +$result = > +  system( > +    "$basedir/execnnp -n -- runcon -t test_notbounded_t > $basedir/true 2>&1" ); > +ok($result);    #this should fail > + > +# Transition on nosuid to notbounded domain via setexec. > +$result = > +  system( > +    "$basedir/execnnp -- runcon -t test_notbounded_t > $basedir/testdir/true 2>&1" > +  ); > +ok($result);    #this should fail > + > +# Automatic transition under NNP to notbounded domain via exec. > +$result = > +  system( "$basedir/execnnp -n -- $basedir/checkcon > test_notbounded_t 2>&1" ); > +ok($result);    #this should fail > + > +# Automatic transition on nosuid to notbounded domain via exec. > +$result = > +  system( > +    "$basedir/execnnp -- $basedir/testdir/checkcon test_notbounded_t > 2>&1" ); > +ok($result);    #this should fail > + > +if ($test_nnp_nosuid_transition) { > + > +    # Set entrypoint type for nnptransition domain. > +    system( > +        "chcon -t test_nnptransition_exec_t $basedir/checkcon > $basedir/true" ); > + > +    # Set entrypoint type for nosuid domain. > +    system( > +"chcon -t test_nosuidtransition_exec_t $basedir/testdir/checkcon > $basedir/testdir/true" > +    ); > + > +    # Transition under NNP to nnptransition domain via setexec. > +    $result = > +      system( > +"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/true > 2>&1" > +      ); > +    ok( $result, 0 );    #this should succeed > + > +    # Transition under NNP+nosuid to nnptransition domain via > setexec. 
> +    $result = > +      system( > +"$basedir/execnnp -n -- runcon -t test_nnptransition_t > $basedir/testdir/true 2>&1" > +      ); > +    ok($result);         #this should fail > + > +    # Transition on nosuid to nosuid domain via setexec. > +    $result = > +      system( > +"$basedir/execnnp -- runcon -t test_nosuidtransition_t > $basedir/testdir/true 2>&1" > +      ); > +    ok( $result, 0 );    #this should succeed > + > +    # Transition on NNP+nosuid to nosuid domain via setexec. > +    $result = > +      system( > +"$basedir/execnnp -n -- runcon -t test_nosuidtransition_t > $basedir/testdir/true 2>&1" > +      ); > +    ok($result);         #this should fail > + > +    # Automatic transition under NNP to nnptransition domain via > exec. > +    $result = > +      system( > +        "$basedir/execnnp -n -- $basedir/checkcon > test_nnptransition_t 2>&1" ); > +    ok( $result, 0 );    #this should succeed > + > +    # Automatic transition on NNP+nosuid to nnptransition domain via > exec. > +    $result = > +      system( > +"$basedir/execnnp -n -- $basedir/testdir/checkcon > test_nnptransition_t 2>&1" > +      ); > +    ok($result);         #this should fail > + > +    # Automatic transition on nosuid to nosuid domain via exec. > +    $result = > +      system( > +"$basedir/execnnp -- $basedir/testdir/checkcon > test_nosuidtransition_t 2>&1" > +      ); > +    ok( $result, 0 );    #this should succeed > + > +    # Automatic transition on NNP+nosuid to nosuid domain via exec. > +    $result = > +      system( > +"$basedir/execnnp -n -- $basedir/testdir/checkcon > test_nosuidtransition_t 2>&1" > +      ); > +    ok($result);         #this should fail > + > +    # Set entrypoint type for nnpnosuid domain. > +    system( > +"chcon -t test_nnpnosuidtransition_exec_t $basedir/testdir/checkcon > $basedir/testdir/true" > +    ); > + > +    # Transition on NNP+nosuid to nnpnosuid domain via setexec. 
> +    $result = > +      system( > +"$basedir/execnnp -n -- runcon -t test_nnpnosuidtransition_t > $basedir/testdir/true 2>&1" > +      ); > +    ok( $result, 0 );    #this should succeed > +} > + > +# Cleanup. > +system("rm -f $basedir/true"); > +system("umount $basedir/testdir"); > +system("rmdir $basedir/testdir"); > + > +exit; diff -ru serefpolicy-3.13.1.nnp/policy/flask/access_vectors serefpolicy-3.13.1/policy/flask/access_vectors --- serefpolicy-3.13.1.nnp/policy/flask/access_vectors 2017-07-31 08:38:09.929409063 -0400 +++ serefpolicy-3.13.1/policy/flask/access_vectors 2017-07-31 08:41:49.686047679 -0400 @@ -388,7 +388,6 @@ getrlimit } - # # Define the access vector interpretation for ipc-related objects # @@ -1067,3 +1066,9 @@ class qipcrtr_socket inherits socket + +class process2 +{ + nnp_transition + nosuid_transition +} diff -ru serefpolicy-3.13.1.nnp/policy/flask/security_classes serefpolicy-3.13.1/policy/flask/security_classes --- serefpolicy-3.13.1.nnp/policy/flask/security_classes 2017-07-31 08:38:09.926408906 -0400 +++ serefpolicy-3.13.1/policy/flask/security_classes 2017-07-31 08:41:36.195203513 -0400 @@ -189,4 +189,6 @@ class kcm_socket class qipcrtr_socket +class process2 + # FLASK diff -ru serefpolicy-3.13.1.nnp/policy/policy_capabilities serefpolicy-3.13.1/policy/policy_capabilities --- serefpolicy-3.13.1.nnp/policy/policy_capabilities 2017-07-31 08:38:09.926408906 -0400 +++ serefpolicy-3.13.1/policy/policy_capabilities 2017-07-31 08:42:13.488537078 -0400 @@ -72,3 +72,5 @@ # qipcrtr_socket # policycap extended_socket_class; + +policycap nnp_nosuid_transition;
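Review bot: The setup calls (`mkdir -p`, `mount -t tmpfs -o nosuid`, `cp`, `chcon`) ignore their exit status, so a failed mount leaves the copied files in an ordinary directory. Every "on nosuid" case would then run without nosuid in effect. In a test meant to show that a restriction is enforced, that gives a result for the wrong reason, so setup failure should abort the run, e.g. `system("mount -t tmpfs -o nosuid none $basedir/testdir") == 0 or die "cannot create nosuid mount";`. Separately, the two "NNP+nosuid to nnptransition domain" cases use files under testdir that were just relabelled test_nosuidtransition_exec_t. They would presumably be denied on the entrypoint or type mismatch whether or not nosuid_transition is checked, so confirm that this is the denial the test intends to observe.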