| Message ID | 20191126154825.754108-1-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [testsuite,v4] policy: use the kernel_request_load_module() interface | expand |
On 11/26/19 10:48 AM, Ondrej Mosnacek wrote: > ...instead of open-coding the rules. Also define a fallback to allow the > policy to build even if the interface is not defined. > > Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests") > Cc: Richard Haines <richard_c_haines@btinternet.com> > Suggested-by: Stephen Smalley <sds@tycho.nsa.gov> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > Change in v4: fix copy-paste mistakes spotted by Richard > Change in v3: use different approach as suggested by Stephen > Change in v2: update also tests/Makefile for consistency > > policy/test_key_socket.te | 8 ++++---- > policy/test_policy.if | 6 ++++++ > 2 files changed, 10 insertions(+), 4 deletions(-) > > diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te > index cde426b..7be8ac0 100644 > --- a/policy/test_key_socket.te > +++ b/policy/test_key_socket.te > @@ -13,7 +13,7 @@ typeattribute test_key_sock_t keysockdomain; > allow test_key_sock_t self:capability { net_admin }; > allow test_key_sock_t self:key_socket { create write read setopt }; > # For CONFIG_NET_KEY=m > -allow test_key_sock_t kernel_t:system { module_request }; > +kernel_request_load_module(test_key_sock_t) > > ################## Deny capability { net_admin } ########################## > # > @@ -29,7 +29,7 @@ typeattribute test_key_sock_no_net_admin_t testdomain; > typeattribute test_key_sock_no_net_admin_t keysockdomain; > > allow test_key_sock_no_net_admin_t self:key_socket { create write read setopt }; > -allow test_key_sock_no_net_admin_t kernel_t:system { module_request }; > +kernel_request_load_module(test_key_sock_no_net_admin_t) > > ####################### Deny key_socket { create } ########################## > type test_key_sock_no_create_t; > @@ -50,7 +50,7 @@ typeattribute test_key_sock_no_write_t keysockdomain; > > allow test_key_sock_no_write_t self:capability { net_admin }; > allow test_key_sock_no_write_t self:key_socket { create read setopt }; > -allow test_key_sock_no_write_t kernel_t:system { module_request }; > +kernel_request_load_module(test_key_sock_no_write_t) > > ####################### Deny key_socket { read } ########################## > type test_key_sock_no_read_t; > @@ -61,7 +61,7 @@ typeattribute test_key_sock_no_read_t keysockdomain; > > allow test_key_sock_no_read_t self:capability { net_admin }; > allow test_key_sock_no_read_t self:key_socket { create write setopt }; > -allow test_key_sock_no_read_t kernel_t:system { module_request }; > +kernel_request_load_module(test_key_sock_no_read_t) > > # > ########### Allow these domains to be entered from sysadm domain ############ > diff --git a/policy/test_policy.if b/policy/test_policy.if > index e1175e8..3f163cb 100644 > --- a/policy/test_policy.if > +++ b/policy/test_policy.if > @@ -82,3 +82,9 @@ interface(`userdom_search_admin_dir', ` > userdom_search_user_home_content($1) > ') > ') > + > +# If the macro isn't defined, then most probably module_request permission > +# is just not supported (and relevant operations should be just allowed). > +ifdef(`kernel_request_load_module', `', ` dnl > +interface(`kernel_request_load_module', `') > +') >
diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te index cde426b..7be8ac0 100644 --- a/policy/test_key_socket.te +++ b/policy/test_key_socket.te @@ -13,7 +13,7 @@ typeattribute test_key_sock_t keysockdomain; allow test_key_sock_t self:capability { net_admin }; allow test_key_sock_t self:key_socket { create write read setopt }; # For CONFIG_NET_KEY=m -allow test_key_sock_t kernel_t:system { module_request }; +kernel_request_load_module(test_key_sock_t) ################## Deny capability { net_admin } ########################## # @@ -29,7 +29,7 @@ typeattribute test_key_sock_no_net_admin_t testdomain; typeattribute test_key_sock_no_net_admin_t keysockdomain; allow test_key_sock_no_net_admin_t self:key_socket { create write read setopt }; -allow test_key_sock_no_net_admin_t kernel_t:system { module_request }; +kernel_request_load_module(test_key_sock_no_net_admin_t) ####################### Deny key_socket { create } ########################## type test_key_sock_no_create_t; @@ -50,7 +50,7 @@ typeattribute test_key_sock_no_write_t keysockdomain; allow test_key_sock_no_write_t self:capability { net_admin }; allow test_key_sock_no_write_t self:key_socket { create read setopt }; -allow test_key_sock_no_write_t kernel_t:system { module_request }; +kernel_request_load_module(test_key_sock_no_write_t) ####################### Deny key_socket { read } ########################## type test_key_sock_no_read_t; @@ -61,7 +61,7 @@ typeattribute test_key_sock_no_read_t keysockdomain; allow test_key_sock_no_read_t self:capability { net_admin }; allow test_key_sock_no_read_t self:key_socket { create write setopt }; -allow test_key_sock_no_read_t kernel_t:system { module_request }; +kernel_request_load_module(test_key_sock_no_read_t) # ########### Allow these domains to be entered from sysadm domain ############ diff --git a/policy/test_policy.if b/policy/test_policy.if index e1175e8..3f163cb 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if @@ -82,3 +82,9 @@ interface(`userdom_search_admin_dir', ` userdom_search_user_home_content($1) ') ') + +# If the macro isn't defined, then most probably module_request permission +# is just not supported (and relevant operations should be just allowed). +ifdef(`kernel_request_load_module', `', ` dnl +interface(`kernel_request_load_module', `') +')
...instead of open-coding the rules. Also define a fallback to allow the policy to build even if the interface is not defined. Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests") Cc: Richard Haines <richard_c_haines@btinternet.com> Suggested-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- Change in v4: fix copy-paste mistakes spotted by Richard Change in v3: use different approach as suggested by Stephen Change in v2: update also tests/Makefile for consistency policy/test_key_socket.te | 8 ++++---- policy/test_policy.if | 6 ++++++ 2 files changed, 10 insertions(+), 4 deletions(-)