| Message ID | 20191128140807.900061-1-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [testsuite,v6] policy: use the kernel_request_load_module() interface | expand |
On 11/28/19 9:08 AM, Ondrej Mosnacek wrote: > ...instead of open-coding the rules. Also define a fallback to allow the > policy to build even if the interface is not defined. > > Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests") > Cc: Richard Haines <richard_c_haines@btinternet.com> > Suggested-by: Stephen Smalley <sds@tycho.nsa.gov> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > > Change in v6: avoid apostrophes in comments > Change in v5: call the macro only once for the whole domain > Change in v4: fix copy-paste mistakes spotted by Richard > Change in v3: use different approach as suggested by Stephen > Change in v2: update also tests/Makefile for consistency > > policy/test_key_socket.te | 8 +++----- > policy/test_policy.if | 8 +++++++- > 2 files changed, 10 insertions(+), 6 deletions(-) > > diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te > index cde426b..64d2cee 100644 > --- a/policy/test_key_socket.te > +++ b/policy/test_key_socket.te > @@ -12,8 +12,6 @@ typeattribute test_key_sock_t keysockdomain; > # key_socket rules: > allow test_key_sock_t self:capability { net_admin }; > allow test_key_sock_t self:key_socket { create write read setopt }; > -# For CONFIG_NET_KEY=m > -allow test_key_sock_t kernel_t:system { module_request }; > > ################## Deny capability { net_admin } ########################## > # > @@ -29,7 +27,6 @@ typeattribute test_key_sock_no_net_admin_t testdomain; > typeattribute test_key_sock_no_net_admin_t keysockdomain; > > allow test_key_sock_no_net_admin_t self:key_socket { create write read setopt }; > -allow test_key_sock_no_net_admin_t kernel_t:system { module_request }; > > ####################### Deny key_socket { create } ########################## > type test_key_sock_no_create_t; > @@ -50,7 +47,6 @@ typeattribute test_key_sock_no_write_t keysockdomain; > > allow test_key_sock_no_write_t self:capability { net_admin }; > allow test_key_sock_no_write_t self:key_socket { create read setopt }; > -allow test_key_sock_no_write_t kernel_t:system { module_request }; > > ####################### Deny key_socket { read } ########################## > type test_key_sock_no_read_t; > @@ -61,10 +57,12 @@ typeattribute test_key_sock_no_read_t keysockdomain; > > allow test_key_sock_no_read_t self:capability { net_admin }; > allow test_key_sock_no_read_t self:key_socket { create write setopt }; > -allow test_key_sock_no_read_t kernel_t:system { module_request }; > > # > ########### Allow these domains to be entered from sysadm domain ############ > # > miscfiles_domain_entry_test_files(keysockdomain) > userdom_sysadm_entry_spec_domtrans_to(keysockdomain) > + > +# For CONFIG_NET_KEY=m > +kernel_request_load_module(keysockdomain) > diff --git a/policy/test_policy.if b/policy/test_policy.if > index e1175e8..cefc8fb 100644 > --- a/policy/test_policy.if > +++ b/policy/test_policy.if > @@ -76,9 +76,15 @@ interface(`mount_rw_pid_files', ` > ') > ') > > -# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t. > +# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t. > ifdef(`userdom_search_admin_dir', `', ` dnl > interface(`userdom_search_admin_dir', ` > userdom_search_user_home_content($1) > ') > ') > + > +# If the macro is not defined, then most probably module_request permission > +# is just not supported (and relevant operations should be just allowed). > +ifdef(`kernel_request_load_module', `', ` dnl > +interface(`kernel_request_load_module', `') > +') >
On 12/2/19 9:37 AM, Stephen Smalley wrote: > On 11/28/19 9:08 AM, Ondrej Mosnacek wrote: >> ...instead of open-coding the rules. Also define a fallback to allow the >> policy to build even if the interface is not defined. >> >> Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests") >> Cc: Richard Haines <richard_c_haines@btinternet.com> >> Suggested-by: Stephen Smalley <sds@tycho.nsa.gov> >> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Thanks, merged. > >> --- >> >> Change in v6: avoid apostrophes in comments >> Change in v5: call the macro only once for the whole domain >> Change in v4: fix copy-paste mistakes spotted by Richard >> Change in v3: use different approach as suggested by Stephen >> Change in v2: update also tests/Makefile for consistency >> >> policy/test_key_socket.te | 8 +++----- >> policy/test_policy.if | 8 +++++++- >> 2 files changed, 10 insertions(+), 6 deletions(-) >> >> diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te >> index cde426b..64d2cee 100644 >> --- a/policy/test_key_socket.te >> +++ b/policy/test_key_socket.te >> @@ -12,8 +12,6 @@ typeattribute test_key_sock_t keysockdomain; >> # key_socket rules: >> allow test_key_sock_t self:capability { net_admin }; >> allow test_key_sock_t self:key_socket { create write read setopt }; >> -# For CONFIG_NET_KEY=m >> -allow test_key_sock_t kernel_t:system { module_request }; >> ################## Deny capability { net_admin } >> ########################## >> # >> @@ -29,7 +27,6 @@ typeattribute test_key_sock_no_net_admin_t testdomain; >> typeattribute test_key_sock_no_net_admin_t keysockdomain; >> allow test_key_sock_no_net_admin_t self:key_socket { create write >> read setopt }; >> -allow test_key_sock_no_net_admin_t kernel_t:system { module_request }; >> ####################### Deny key_socket { create } >> ########################## >> type test_key_sock_no_create_t; >> @@ -50,7 +47,6 @@ typeattribute test_key_sock_no_write_t keysockdomain; >> allow test_key_sock_no_write_t self:capability { net_admin }; >> allow test_key_sock_no_write_t self:key_socket { create read setopt }; >> -allow test_key_sock_no_write_t kernel_t:system { module_request }; >> ####################### Deny key_socket { read } >> ########################## >> type test_key_sock_no_read_t; >> @@ -61,10 +57,12 @@ typeattribute test_key_sock_no_read_t keysockdomain; >> allow test_key_sock_no_read_t self:capability { net_admin }; >> allow test_key_sock_no_read_t self:key_socket { create write setopt }; >> -allow test_key_sock_no_read_t kernel_t:system { module_request }; >> # >> ########### Allow these domains to be entered from sysadm domain >> ############ >> # >> miscfiles_domain_entry_test_files(keysockdomain) >> userdom_sysadm_entry_spec_domtrans_to(keysockdomain) >> + >> +# For CONFIG_NET_KEY=m >> +kernel_request_load_module(keysockdomain) >> diff --git a/policy/test_policy.if b/policy/test_policy.if >> index e1175e8..cefc8fb 100644 >> --- a/policy/test_policy.if >> +++ b/policy/test_policy.if >> @@ -76,9 +76,15 @@ interface(`mount_rw_pid_files', ` >> ') >> ') >> -# Refpolicy doesn't have admin_home_t - assume /root will be >> user_home_dir_t. >> +# Refpolicy does not have admin_home_t - assume /root will be >> user_home_dir_t. >> ifdef(`userdom_search_admin_dir', `', ` dnl >> interface(`userdom_search_admin_dir', ` >> userdom_search_user_home_content($1) >> ') >> ') >> + >> +# If the macro is not defined, then most probably module_request >> permission >> +# is just not supported (and relevant operations should be just >> allowed). >> +ifdef(`kernel_request_load_module', `', ` dnl >> +interface(`kernel_request_load_module', `') >> +') >> >
diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te index cde426b..64d2cee 100644 --- a/policy/test_key_socket.te +++ b/policy/test_key_socket.te @@ -12,8 +12,6 @@ typeattribute test_key_sock_t keysockdomain; # key_socket rules: allow test_key_sock_t self:capability { net_admin }; allow test_key_sock_t self:key_socket { create write read setopt }; -# For CONFIG_NET_KEY=m -allow test_key_sock_t kernel_t:system { module_request }; ################## Deny capability { net_admin } ########################## # @@ -29,7 +27,6 @@ typeattribute test_key_sock_no_net_admin_t testdomain; typeattribute test_key_sock_no_net_admin_t keysockdomain; allow test_key_sock_no_net_admin_t self:key_socket { create write read setopt }; -allow test_key_sock_no_net_admin_t kernel_t:system { module_request }; ####################### Deny key_socket { create } ########################## type test_key_sock_no_create_t; @@ -50,7 +47,6 @@ typeattribute test_key_sock_no_write_t keysockdomain; allow test_key_sock_no_write_t self:capability { net_admin }; allow test_key_sock_no_write_t self:key_socket { create read setopt }; -allow test_key_sock_no_write_t kernel_t:system { module_request }; ####################### Deny key_socket { read } ########################## type test_key_sock_no_read_t; @@ -61,10 +57,12 @@ typeattribute test_key_sock_no_read_t keysockdomain; allow test_key_sock_no_read_t self:capability { net_admin }; allow test_key_sock_no_read_t self:key_socket { create write setopt }; -allow test_key_sock_no_read_t kernel_t:system { module_request }; # ########### Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(keysockdomain) userdom_sysadm_entry_spec_domtrans_to(keysockdomain) + +# For CONFIG_NET_KEY=m +kernel_request_load_module(keysockdomain) diff --git a/policy/test_policy.if b/policy/test_policy.if index e1175e8..cefc8fb 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if @@ -76,9 +76,15 @@ interface(`mount_rw_pid_files', ` ') ') -# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t. +# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t. ifdef(`userdom_search_admin_dir', `', ` dnl interface(`userdom_search_admin_dir', ` userdom_search_user_home_content($1) ') ') + +# If the macro is not defined, then most probably module_request permission +# is just not supported (and relevant operations should be just allowed). +ifdef(`kernel_request_load_module', `', ` dnl +interface(`kernel_request_load_module', `') +')
...instead of open-coding the rules. Also define a fallback to allow the policy to build even if the interface is not defined. Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests") Cc: Richard Haines <richard_c_haines@btinternet.com> Suggested-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- Change in v6: avoid apostrophes in comments Change in v5: call the macro only once for the whole domain Change in v4: fix copy-paste mistakes spotted by Richard Change in v3: use different approach as suggested by Stephen Change in v2: update also tests/Makefile for consistency policy/test_key_socket.te | 8 +++----- policy/test_policy.if | 8 +++++++- 2 files changed, 10 insertions(+), 6 deletions(-)