
[v4,testsuite,09/15] policy: Add MCS constraint on peer recv

Message ID 20200508154138.24217-10-stephen.smalley.work@gmail.com (mailing list archive)
State Accepted
Delegated to: Ondrej Mosnáček
Series Update to work on Debian | expand

Commit Message

Stephen Smalley May 8, 2020, 3:41 p.m. UTC
Some of the inet_socket and sctp tests rely on an MCS constraint on
the peer recv permission that exists in Fedora policy but not
refpolicy and hence not Debian.  Add the constraint to the test policy
to provide consistent behavior.  On Fedora this is merely redundant.
The constraint is defined via a CIL module since constraints are not
supported in .te files for binary modules.  Introduce a SUPPORTS_CIL
variable in the Makefile and disable it automatically on older RHEL
releases that lack CIL support to avoid breaking policy load on them.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/Makefile              | 15 +++++++++++----
 policy/test_mlsconstrain.cil |  2 ++
 2 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 policy/test_mlsconstrain.cil

Patch

diff --git a/policy/Makefile b/policy/Makefile
index dfe601b..8f43427 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -7,6 +7,7 @@  SELINUXFS ?= /sys/fs/selinux
 SEMODULE = $(SBINDIR)/semodule
 CHECKPOLICY = $(BINDIR)/checkpolicy
 CHECKMODULE = $(BINDIR)/checkmodule
+SUPPORTS_CIL ?= y
 
 DISTRO=$(shell ../tests/os_detect)
 
@@ -30,15 +31,21 @@  TARGETS = \
 	test_mmap.te test_overlayfs.te test_mqueue.te \
 	test_ibpkey.te test_atsecure.te test_cgroupfs.te
 
+ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
+SUPPORTS_CIL = n
+endif
 
+ifeq ($(SUPPORTS_CIL),y)
+CIL_TARGETS = test_mlsconstrain.cil
 ifeq ($(shell [[ $(MAX_KERNEL_POLICY) -ge 32 && $(POL_VERS) -ge 32 ]] && echo true),true)
 # If other MLS tests get written this can be moved outside of the glblub test
 ifeq ($(POL_TYPE), MLS)
-CIL_TARGETS = test_glblub.cil
+CIL_TARGETS += test_glblub.cil
 else ifeq ($(POL_TYPE), MCS)
-CIL_TARGETS = test_add_levels.cil test_glblub.cil
-endif
-endif # GLBLUB
+CIL_TARGETS += test_add_levels.cil test_glblub.cil
+endif # POL_TYPE
+endif # MAX_KERNEL_POLICY
+endif # SUPPORTS_CIL
 
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te test_nnp_nosuid.te
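Review bot: `CIL_TARGETS = test_mlsconstrain.cil` is now added whenever SUPPORTS_CIL is y with no POL_TYPE guard, unlike test_add_levels.cil and test_glblub.cil which are only added under the MLS/MCS checks below it. The new module references the `mcs_constrained_type` attribute, so on a base policy that does not declare it (as far as I recall refpolicy only defines it in its MCS policy, not in MLS or non-MLS builds) the module would fail to resolve and break policy load for the whole testsuite rather than just the socket tests. I would gate it the same way as the other CIL modules, e.g. `ifneq ($(filter MLS MCS,$(POL_TYPE)),)` / `CIL_TARGETS = test_mlsconstrain.cil` / `endif`, or at least on MCS, and say so in a comment next to the assignment. Separately, because the RHEL4-6 branch uses plain `=` after the `?=` default, an environment-provided SUPPORTS_CIL=y is silently clobbered there while a command-line SUPPORTS_CIL=y still wins; a one-line comment stating that the override is command-line only would avoid surprises.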
diff --git a/policy/test_mlsconstrain.cil b/policy/test_mlsconstrain.cil
new file mode 100644
index 0000000..1412f91
--- /dev/null
+++ b/policy/test_mlsconstrain.cil
@@ -0,0 +1,2 @@ 
+(mlsconstrain (peer (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type))))
+(mlsconstrain (packet (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type))))
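Review bot: The new file carries no comment saying where these two constraints come from or what they depend on, so a maintainer on a non-Fedora system who hits a load failure has to dig through git history to find out. I would open the file with a CIL comment such as `; Mirror of the Fedora MCS constraint on peer/packet recv so the inet_socket and sctp tests see the same denials on refpolicy-based distributions; requires the mcs_constrained_type attribute from the base policy.` Worth stating explicitly is that the rule is deny-unless and only bites for types carrying mcs_constrained_type, so loading it on Fedora where it already exists is harmless, while the test domains it is meant to affect presumably get that attribute elsewhere in the test policy — please confirm.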