Message ID | 20210430091119.607754-1-omosnace@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Ondrej Mosnáček |
Series | [testsuite] policy: only define anon_inode class if not defined in system policy | expand |
Ondrej Mosnacek <omosnace@redhat.com> writes: > When the system policy already defines this class, loading the test > policy fails with: > > Re-declaration of class anon_inode > Previous declaration of class at /var/lib/selinux/targeted/tmp/modules/100/base/cil:1003 > Bad class declaration at /var/lib/selinux/targeted/tmp/modules/400/test_userfaultfd/cil:2 > /usr/sbin/semodule: Failed! > > Fix this by only including the anon_inode class declarations when it's > not found in the system policy headers. Reference policy does not have a "all_perms.spt" AFAIK. This might only work with Fedora. > > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test") > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > policy/Makefile | 3 +++ > policy/test_anon_inode_class.cil | 4 ++++ > policy/test_userfaultfd.cil | 5 ----- > 3 files changed, 7 insertions(+), 5 deletions(-) > create mode 100644 policy/test_anon_inode_class.cil > > diff --git a/policy/Makefile b/policy/Makefile > index 91364d5..dee55a2 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -39,6 +39,9 @@ ifeq ($(SUPPORTS_CIL),y) > CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil > # userfaultfd test policy uses also xperms > ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true) > +ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true) > +CIL_TARGETS += test_anon_inode_class.cil > +endif > CIL_TARGETS += test_userfaultfd.cil > TARGETS += test_userfaultfd.te > endif > diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil > new file mode 100644 > index 0000000..3e36599 > --- /dev/null > +++ b/policy/test_anon_inode_class.cil > @@ -0,0 +1,4 @@ > +; Define new class anon_inode > +(class anon_inode ()) > +(classcommon anon_inode file) > +(classorder (unordered anon_inode)) > diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil > index 18d5f3f..f6a6791 100644 
> --- a/policy/test_userfaultfd.cil > +++ b/policy/test_userfaultfd.cil > @@ -1,8 +1,3 @@ > -; Define new class anon_inode > -(class anon_inode ()) > -(classcommon anon_inode file) > -(classorder (unordered anon_inode)) > - > ; Allow all anonymous inodes > (typeattributeset cil_gen_require test_notransition_uffd_t) > (allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))
On Fri, Apr 30, 2021 at 1:35 PM Dominick Grift <dominick.grift@defensec.nl> wrote: > Ondrej Mosnacek <omosnace@redhat.com> writes: > > > When the system policy already defines this class, loading the test > > policy fails with: > > > > Re-declaration of class anon_inode > > Previous declaration of class at /var/lib/selinux/targeted/tmp/modules/100/base/cil:1003 > > Bad class declaration at /var/lib/selinux/targeted/tmp/modules/400/test_userfaultfd/cil:2 > > /usr/sbin/semodule: Failed! > > > > Fix this by only including the anon_inode class declarations when it's > > not found in the system policy headers. > > Reference policy does not have a "all_perms.spt" AFAIK. This might only work > with Fedora. Could be, but this pattern is already used elsewhere in the testsuite, so for now this'll have to do... > > > > > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test") > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > --- > > policy/Makefile | 3 +++ > > policy/test_anon_inode_class.cil | 4 ++++ > > policy/test_userfaultfd.cil | 5 ----- > > 3 files changed, 7 insertions(+), 5 deletions(-) > > create mode 100644 policy/test_anon_inode_class.cil > > > > diff --git a/policy/Makefile b/policy/Makefile > > index 91364d5..dee55a2 100644 > > --- a/policy/Makefile > > +++ b/policy/Makefile > > @@ -39,6 +39,9 @@ ifeq ($(SUPPORTS_CIL),y) > > CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil > > # userfaultfd test policy uses also xperms > > ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true) > > +ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true) > > +CIL_TARGETS += test_anon_inode_class.cil > > +endif > > CIL_TARGETS += test_userfaultfd.cil > > TARGETS += test_userfaultfd.te > > endif > > diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil > > new file mode 100644 > > index 0000000..3e36599 > > --- /dev/null 
> > +++ b/policy/test_anon_inode_class.cil > > @@ -0,0 +1,4 @@ > > +; Define new class anon_inode > > +(class anon_inode ()) > > +(classcommon anon_inode file) > > +(classorder (unordered anon_inode)) > > diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil > > index 18d5f3f..f6a6791 100644 > > --- a/policy/test_userfaultfd.cil > > +++ b/policy/test_userfaultfd.cil > > @@ -1,8 +1,3 @@ > > -; Define new class anon_inode > > -(class anon_inode ()) > > -(classcommon anon_inode file) > > -(classorder (unordered anon_inode)) > > - > > ; Allow all anonymous inodes > > (typeattributeset cil_gen_require test_notransition_uffd_t) > > (allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read))) > > -- > gpg --locate-keys dominick.grift@defensec.nl > Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 > Dominick Grift >
On Fri, Apr 30, 2021 at 11:11 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > When the system policy already defines this class, loading the test > policy fails with: > > Re-declaration of class anon_inode > Previous declaration of class at /var/lib/selinux/targeted/tmp/modules/100/base/cil:1003 > Bad class declaration at /var/lib/selinux/targeted/tmp/modules/400/test_userfaultfd/cil:2 > /usr/sbin/semodule: Failed! > > Fix this by only including the anon_inode class declarations when it's > not found in the system policy headers. > > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test") > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > policy/Makefile | 3 +++ > policy/test_anon_inode_class.cil | 4 ++++ > policy/test_userfaultfd.cil | 5 ----- > 3 files changed, 7 insertions(+), 5 deletions(-) > create mode 100644 policy/test_anon_inode_class.cil > > diff --git a/policy/Makefile b/policy/Makefile > index 91364d5..dee55a2 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -39,6 +39,9 @@ ifeq ($(SUPPORTS_CIL),y) > CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil > # userfaultfd test policy uses also xperms > ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true) > +ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true) > +CIL_TARGETS += test_anon_inode_class.cil > +endif > CIL_TARGETS += test_userfaultfd.cil > TARGETS += test_userfaultfd.te > endif > diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil > new file mode 100644 > index 0000000..3e36599 > --- /dev/null > +++ b/policy/test_anon_inode_class.cil > @@ -0,0 +1,4 @@ > +; Define new class anon_inode > +(class anon_inode ()) > +(classcommon anon_inode file) > +(classorder (unordered anon_inode)) > diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil > index 18d5f3f..f6a6791 100644 > --- a/policy/test_userfaultfd.cil 
> +++ b/policy/test_userfaultfd.cil > @@ -1,8 +1,3 @@ > -; Define new class anon_inode > -(class anon_inode ()) > -(classcommon anon_inode file) > -(classorder (unordered anon_inode)) > - > ; Allow all anonymous inodes > (typeattributeset cil_gen_require test_notransition_uffd_t) > (allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read))) > -- > 2.30.2 Now applied: https://github.com/SELinuxProject/selinux-testsuite/commit/9267bc9fbc1b31107eac42b0870075507c5a2e6c
diff --git a/policy/Makefile b/policy/Makefile
index 91364d5..dee55a2 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -39,6 +39,9 @@ ifeq ($(SUPPORTS_CIL),y)
 CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil
 # userfaultfd test policy uses also xperms
 ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true)
+ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true)
+CIL_TARGETS += test_anon_inode_class.cil
+endif
 CIL_TARGETS += test_userfaultfd.cil
 TARGETS += test_userfaultfd.te
 endif
diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil
new file mode 100644
index 0000000..3e36599
--- /dev/null
+++ b/policy/test_anon_inode_class.cil
@@ -0,0 +1,4 @@
+; Define new class anon_inode
+(class anon_inode ())
+(classcommon anon_inode file)
+(classorder (unordered anon_inode))
diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil
index 18d5f3f..f6a6791 100644
--- a/policy/test_userfaultfd.cil
+++ b/policy/test_userfaultfd.cil
@@ -1,8 +1,3 @@
-; Define new class anon_inode
-(class anon_inode ())
-(classcommon anon_inode file)
-(classorder (unordered anon_inode))
-
 ; Allow all anonymous inodes
 (typeattributeset cil_gen_require test_notransition_uffd_t)
 (allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))
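Review bot: The added `ifneq` guard in the Makefile hunk matches the bare substring `anon_inode` anywhere in all_perms.spt, so an unrelated mention of that token (a comment, or a longer identifier that contains it) would suppress the class declaration and the userfaultfd module would then fail to load on a base policy that does not actually define the class; `grep -qw anon_inode` restricts the match to the whole word at no cost. When the header file is missing, grep also writes an error to stderr on every make invocation before the condition falls through to declaring the class, so `2>/dev/null` on that command keeps the build output clean without changing the result. The check reads the policy development headers as a stand-in for what the installed base module declares, which is the thing semodule actually complains about in the commit message; if the two come from different package builds the proxy can presumably disagree, which is worth recording in a comment above the `ifneq`, e.g. `# all_perms.spt stands in for the installed base module; the two must come from the same policy build`. The enclosing `ifeq ($(SUPPORTS_CIL),y)` block begins before the hunk.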
When the system policy already defines this class, loading the test policy fails with: Re-declaration of class anon_inode Previous declaration of class at /var/lib/selinux/targeted/tmp/modules/100/base/cil:1003 Bad class declaration at /var/lib/selinux/targeted/tmp/modules/400/test_userfaultfd/cil:2 /usr/sbin/semodule: Failed! Fix this by only including the anon_inode class declarations when it's not found in the system policy headers. Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test") Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- policy/Makefile | 3 +++ policy/test_anon_inode_class.cil | 4 ++++ policy/test_userfaultfd.cil | 5 ----- 3 files changed, 7 insertions(+), 5 deletions(-) create mode 100644 policy/test_anon_inode_class.cil