From patchwork Fri May 8 15:41:24 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 11537011 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1164492A for ; Fri, 8 May 2020 15:42:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id ED04A21841 for ; Fri, 8 May 2020 15:42:21 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="pbTdF9qZ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727995AbgEHPmV (ORCPT ); Fri, 8 May 2020 11:42:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59334 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727777AbgEHPmT (ORCPT ); Fri, 8 May 2020 11:42:19 -0400 Received: from mail-qv1-xf41.google.com (mail-qv1-xf41.google.com [IPv6:2607:f8b0:4864:20::f41]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E70A9C061A0C for ; Fri, 8 May 2020 08:42:18 -0700 (PDT) Received: by mail-qv1-xf41.google.com with SMTP id di6so824446qvb.10 for ; Fri, 08 May 2020 08:42:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=by8fACLKcraplFL3iLNX7GLMGBAf9SBuZP9GRoqhlEI=; b=pbTdF9qZVYZVEicg4den/6PPITYbWP9wlYe+N/34hG2ekEpPMi3rOUPQEtGoN1CwG+ /IEPUFKAbRCVfaLTOBr6WNi2ruKIREmwADjWNcGWtHZSYS7Kyy/2g8ZuJZOFqJn2GJ8u 9ch1hYR4HHbZhOvnA+2pi3OC2vHdkUJHj7hFLuPZp+k+I3zMxyUvlf3O1+ZF/TpFRQig mMSxSt/nwnEZQCr+gRd5abk9fUIvz9RXyZ7zsiITnmxAmcuSg59HagCcmWZ69OqbBAki chDCs2KLtd8hEbe5JZmFNP9Wsp7Xlx5EMH180YiQmIaGVb4zTOIKkZpY+asgcDoXzkwU JcQg== 
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=by8fACLKcraplFL3iLNX7GLMGBAf9SBuZP9GRoqhlEI=; b=XdjqGDmLxfS7vuHhrgOOFugt4pUwJyqbMQvo+yzxCIKNYZH59dPXorUYsTxf/30/AJ WLFYHi+9hCSm1V2vg0MSabBhDy3oSfMWv8k2j+uxxr9Wq2g1RIpV3QhVnR5jXdbc1i23 GXaxEYhdnih/VK9ZH01laj9rN2+qb1Spf5j89f8WtgOj7fKVzlVmwpe5ntGIi13jwsQY zyCkDBYdU7g6Uur7s8NbY7vG04wU5IRAo2BWoI6EXf+Z9tpCyNuukXTG6fYf8BBdwIim +6IyW0d4vOjBrR/v5pvcYyYRblKsVc//CXqi1O5U/sIlV0PPsw2hiIXBl/A0RbEjel/4 qeTA== X-Gm-Message-State: AGi0PuYzPwRe6hJgAqFqaHkgCPjyr2XZqfowYpjPUfvtxQ4P2g8MImt4 el6TYcFgNiTEcdQKLRsf+WH9LXQI X-Google-Smtp-Source: APiQypJiM5MXCAcLIzBDPzN7BalnUjJnVklglq7ie3aydgXbRtvqZtoyT5Wf/rF5+mzUcgkMIZYohA== X-Received: by 2002:a0c:b651:: with SMTP id q17mr3161796qvf.135.1588952538086; Fri, 08 May 2020 08:42:18 -0700 (PDT) Received: from a-gady2p56i3do.evoforge.org (ec2-52-70-167-183.compute-1.amazonaws.com. [52.70.167.183]) by smtp.gmail.com with ESMTPSA id g5sm309055qkl.114.2020.05.08.08.42.17 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 08 May 2020 08:42:17 -0700 (PDT) 
From: Stephen Smalley
To: selinux@vger.kernel.org
Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley
Subject: [PATCH v4 testsuite 01/15] test_capable_net.te: remove corenet_tcp/udp_sendrecv_all_ports()
Date: Fri, 8 May 2020 11:41:24 -0400
Message-Id: <20200508154138.24217-2-stephen.smalley.work@gmail.com>
X-Mailer: git-send-email 2.23.1
In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
References: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: selinux@vger.kernel.org

Remove obsolete corenet_tcp/udp_sendrecv_all_ports() calls; the interfaces
have been removed from upstream refpolicy since the permissions were obsolete
and unused in upstream kernels.

Signed-off-by: Stephen Smalley
---
 policy/test_capable_net.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/test_capable_net.te b/policy/test_capable_net.te
index 80559f6..2255a14 100644
--- a/policy/test_capable_net.te
+++ b/policy/test_capable_net.te
@@ -28,8 +28,6 @@ corenet_raw_sendrecv_generic_if(capabledomain) corenet_tcp_sendrecv_all_nodes(capabledomain) corenet_udp_sendrecv_all_nodes(capabledomain) corenet_raw_sendrecv_all_nodes(capabledomain) -corenet_tcp_sendrecv_all_ports(capabledomain) -corenet_udp_sendrecv_all_ports(capabledomain) corenet_all_recvfrom_unlabeled(test_ncap_t) corenet_all_recvfrom_unlabeled(test_resncap_t) corenet_tcp_bind_all_nodes(capabledomain) From patchwork Fri May 8 15:41:25 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 11537013 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 03F111862 for ; Fri, 8 May 2020 15:42:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DFF7D21841 for ; Fri, 8 May 2020 15:42:22 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="vEcSbDsu" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728102AbgEHPmW (ORCPT ); Fri, 8 May 2020 11:42:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59340 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727950AbgEHPmU (ORCPT ); Fri, 8 May 2020 11:42:20 -0400 Received: from mail-qk1-x742.google.com (mail-qk1-x742.google.com [IPv6:2607:f8b0:4864:20::742]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0AF0BC061A0C for ; Fri, 8 May 2020 08:42:20 -0700 (PDT) Received: by mail-qk1-x742.google.com with SMTP id f83so1937521qke.13 for ; Fri, 08 May 2020 08:42:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references 
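Review bot: The two sendrecv_all_ports calls are dropped unconditionally rather than wrapped in an ifdef guard, which is the right choice given the commit message says the underlying permissions are obsolete and unused in upstream kernels, but the message should name the refpolicy release that removed the interfaces so that anyone still building the testsuite against an older Fedora or RHEL policy that defines them knows the lost calls were no-ops. The trailing context also shows corenet_all_recvfrom_unlabeled() applied to test_ncap_t and test_resncap_t individually while every other corenet call in the hunk targets the capabledomain attribute; that is pre-existing and outside this change, but it is worth a follow-up for consistency.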
From: Stephen Smalley
To: selinux@vger.kernel.org
Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley
Subject: [PATCH v4 testsuite 02/15] test_execute_no_trans.te: stop using mmap_file_perms
Date: Fri, 8 May 2020 11:41:25 -0400
Message-Id: <20200508154138.24217-3-stephen.smalley.work@gmail.com>
X-Mailer: git-send-email 2.23.1
In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
References: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: selinux@vger.kernel.org

mmap_file_perms was deprecated in refpolicy in 2017 and is removed from
Debian policy. mmap_exec_file_perms is recommended by refpolicy but RHEL-7
defined it differently (including execute_no_trans) so we cannot use it
here unconditionally. Just open-code the necessary permissions and use the
existing allow_map() macro defined by the testsuite to cover map permission
if defined.

Signed-off-by: Stephen Smalley
---
 policy/test_execute_no_trans.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/test_execute_no_trans.te b/policy/test_execute_no_trans.te
index 79ba868..2c0346a 100644
--- a/policy/test_execute_no_trans.te
+++ b/policy/test_execute_no_trans.te
@@ -24,4 +24,5 @@ userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t) #Allow test_execute_notrans permissions to the allowed type can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t) -allow test_execute_notrans_t test_execute_notrans_denied_t:file mmap_file_perms; +allow_map(test_execute_notrans_t, test_execute_notrans_denied_t, file) +allow test_execute_notrans_t test_execute_notrans_denied_t:file { getattr open read }; From patchwork Fri May 8 15:41:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 11537039 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 341CF1668 for ; Fri, 8 May 2020 15:42:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 18D1321974 for ; Fri, 8 May 2020 15:42:38 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="E7WLPng7" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727777AbgEHPmV (ORCPT ); Fri, 8 May 2020 11:42:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59342 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727992AbgEHPmV (ORCPT ); Fri, 8 May 2020 11:42:21 -0400 Received: from mail-qk1-x743.google.com (mail-qk1-x743.google.com [IPv6:2607:f8b0:4864:20::743]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B2E83C05BD43 for ; Fri, 8 May 2020 08:42:20 -0700 (PDT) Received: by mail-qk1-x743.google.com with SMTP id g185so1962853qke.7 for ; Fri, 08 May 2020 08:42:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references 
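Review bot: The open-coded replacement grants { getattr open read } plus map via allow_map(), which is narrower than the mmap_file_perms set it replaces (in refpolicy that set also included execute). If the test expects test_execute_notrans_t to be stopped specifically by the missing execute_no_trans permission on test_execute_notrans_denied_t, dropping execute means execve is now refused at the earlier file execute check instead; the test still observes a denial, but it no longer isolates the permission it is named after. Either add execute to the open-coded set or state in a comment that the broader denial is intended. The line above reads "#Allow test_execute_notrans permissions to the allowed type", so a matching comment over the two denied-type rules would make the intended split explicit.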
From: Stephen Smalley To: selinux@vger.kernel.org Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley Subject: [PATCH v4 testsuite 03/15] test_ibendport.te: use dev_rw_infiniband_mgmt_dev() Date: Fri, 8 May 2020 11:41:26 -0400 Message-Id: <20200508154138.24217-4-stephen.smalley.work@gmail.com> X-Mailer: git-send-email 2.23.1 In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com> References: <20200508154138.24217-1-stephen.smalley.work@gmail.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Switch the Infiniband test policy to use the appropriate policy interface if defined rather than hardcoding a reference to the type, neither of which exist in Debian policy. Drop the dead hardcoded reference on bin_t since it is no longer used anywhere outside of an interface. Signed-off-by: Stephen Smalley --- policy/test_ibendport.te | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te index 2a02c57..b909b4f 100644 --- a/policy/test_ibendport.te +++ b/policy/test_ibendport.te @@ -3,11 +3,6 @@ # Policy for testing Infiniband Pkey access. # -gen_require(` - type bin_t; - type infiniband_mgmt_device_t; -') - attribute ibendportdomain; # Domain for process. 
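Review bot: Removing the entire gen_require block is only safe if no remaining rule in the file names bin_t or infiniband_mgmt_device_t directly. The second hunk replaces the one infiniband_mgmt_device_t rule with an interface call and the commit message says bin_t is no longer used outside an interface, so the two halves are consistent, but a stale reference would only surface at policy build time, so the message should say which policies (Fedora and Debian/refpolicy) the module was built against to confirm it.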
@@ -27,7 +22,9 @@ dev_rw_sysfs(test_ibendport_manage_subnet_t) corecmd_bin_entry_type(test_ibendport_manage_subnet_t) -allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read write open ioctl}; +ifdef(`dev_rw_infiniband_mgmt_dev', ` +dev_rw_infiniband_mgmt_dev(test_ibendport_manage_subnet_t) +') ifdef(`corenet_ib_access_unlabeled_pkeys',` corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t) From patchwork Fri May 8 15:41:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 11537035 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 196F81668 for ; Fri, 8 May 2020 15:42:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0250324956 for ; Fri, 8 May 2020 15:42:37 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="OhzSVLZm" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728294AbgEHPm0 (ORCPT ); Fri, 8 May 2020 11:42:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59352 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728243AbgEHPmX (ORCPT ); Fri, 8 May 2020 11:42:23 -0400 Received: from mail-qk1-x743.google.com (mail-qk1-x743.google.com [IPv6:2607:f8b0:4864:20::743]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0B548C05BD43 for ; Fri, 8 May 2020 08:42:23 -0700 (PDT) Received: by mail-qk1-x743.google.com with SMTP id 23so961239qkf.0 for ; Fri, 08 May 2020 08:42:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references 
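Review bot: On a policy that does not define dev_rw_infiniband_mgmt_dev (Debian, per the commit message) the ifdef expands to nothing, so test_ibendport_manage_subnet_t silently loses the chr_file { read write open ioctl } access the removed rule granted, and the failure moves from policy build time to test run time; make sure the test driver skips the ibendport tests when the interface is absent, or add a comment on the guard saying that is the expected outcome. Minor style point: the new guard is written ifdef(`dev_rw_infiniband_mgmt_dev', ` with a space before the opening quote, while the existing guard directly below it uses ifdef(`corenet_ib_access_unlabeled_pkeys',` with none; pick one form for the file.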
From: Stephen Smalley
To: selinux@vger.kernel.org
Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley
Subject: [PATCH v4 testsuite 04/15] test_global.te: allow test domains to statfs selinuxfs
Date: Fri, 8 May 2020 11:41:27 -0400
Message-Id: <20200508154138.24217-5-stephen.smalley.work@gmail.com>
X-Mailer: git-send-email 2.23.1
In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
References: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: selinux@vger.kernel.org

libselinux probes for the presence of selinuxfs on /sys/fs/selinux via
statfs(2); this is required for any operations that involve selinuxfs.
Fedora policy allows this to all domains in its base policy but refpolicy
and Debian do not, so explicitly allow it to allow the tests to work.
Otherwise various programs think SELinux is disabled and abort.

Signed-off-by: Stephen Smalley
---
 policy/test_global.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/test_global.te b/policy/test_global.te
index c9520ec..d19b4be 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -83,6 +83,7 @@ domain_use_interactive_fds(testdomain) seutil_read_config(testdomain) # can getsecurity +selinux_getattr_fs(testdomain) selinux_validate_context(testdomain) selinux_compute_access_vector(testdomain) selinux_compute_create_context(testdomain) From patchwork Fri May 8 15:41:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 11537041 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 00AF514B4 for ; Fri, 8 May 2020 15:42:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id DD3D321974 for ; Fri, 8 May 2020 15:42:38 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="I0ee7qp1" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728262AbgEHPmh (ORCPT ); Fri, 8 May 2020 11:42:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59350 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728131AbgEHPmW (ORCPT ); Fri, 8 May 2020 11:42:22 -0400 Received: from mail-qt1-x844.google.com (mail-qt1-x844.google.com [IPv6:2607:f8b0:4864:20::844]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 44881C061A0C for ; Fri, 8 May 2020 08:42:22 -0700 (PDT) Received: by mail-qt1-x844.google.com with SMTP id h26so1577431qtu.8 for ; Fri, 08 May 2020 08:42:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=XqlUQ42EQuHL6hyerrfrKlD9To52zXfk2WGJ3servuU=; b=I0ee7qp12MtI2MJDo3o7H/4isBqPJVuC1SI6SEnqL2Xw4lQ+u6rrw2YfZD+NFylvFS 
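Review bot: The new selinux_getattr_fs(testdomain) line lands directly under the "# can getsecurity" comment, but statfs(2) on selinuxfs is a separate step from the getsecurity-style queries (validate_context, compute_access_vector, compute_create_context) that follow it, so give it its own one-line comment, for example that libselinux needs getattr on selinuxfs to detect that SELinux is enabled, as the commit message explains, rather than letting it read as part of that group. It would also help to note in the commit message that Fedora policy already grants this to every domain, so the added rule is redundant but harmless there.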
From: Stephen Smalley To: selinux@vger.kernel.org Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley Subject: [PATCH v4 testsuite 05/15] test_inet_socket.te: switch from generic_port to _all_unreserved_ports() Date: Fri, 8 May 2020 11:41:28 -0400 Message-Id: <20200508154138.24217-6-stephen.smalley.work@gmail.com> X-Mailer: git-send-email 2.23.1 In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com> References: <20200508154138.24217-1-stephen.smalley.work@gmail.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org bind/connect_generic_port() in Fedora policy was allowing access to ports in the unreserved port range. In refpolicy and Debian, it only allows access to ports without a more specific type and one must instead use bind/connect_all_unreserved_ports(). Switch to the latter since it works on both Fedora and Debian/refpolicy. Signed-off-by: Stephen Smalley --- policy/test_inet_socket.te | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te index bf839df..0fff2da 100644 --- a/policy/test_inet_socket.te +++ b/policy/test_inet_socket.te @@ -26,8 +26,8 @@ typeattribute test_inet_server_t testdomain; typeattribute test_inet_server_t inetsocketdomain; allow test_inet_server_t self:tcp_socket create_stream_socket_perms; allow test_inet_server_t self:udp_socket create_socket_perms; -corenet_tcp_bind_generic_port(test_inet_server_t) -corenet_udp_bind_generic_port(test_inet_server_t) +corenet_tcp_bind_all_unreserved_ports(test_inet_server_t) +corenet_udp_bind_all_unreserved_ports(test_inet_server_t) corenet_tcp_bind_all_nodes(test_inet_server_t) corenet_udp_bind_all_nodes(test_inet_server_t) corenet_inout_generic_if(test_inet_server_t) 
@@ -54,7 +54,7 @@ typeattribute test_inet_client_t testdomain; typeattribute test_inet_client_t inetsocketdomain; allow test_inet_client_t self:tcp_socket create_stream_socket_perms; allow test_inet_client_t self:udp_socket create_socket_perms; -corenet_tcp_connect_generic_port(test_inet_client_t) +corenet_tcp_connect_all_unreserved_ports(test_inet_client_t) corenet_inout_generic_if(test_inet_client_t) corenet_inout_generic_node(test_inet_client_t) @@ -71,7 +71,7 @@ typeattribute test_inet_bad_client_t testdomain; typeattribute test_inet_bad_client_t inetsocketdomain; allow test_inet_bad_client_t self:tcp_socket create_stream_socket_perms; allow test_inet_bad_client_t self:udp_socket create_socket_perms; -corenet_tcp_connect_generic_port(test_inet_bad_client_t) +corenet_tcp_connect_all_unreserved_ports(test_inet_bad_client_t) corenet_inout_generic_if(test_inet_bad_client_t) corenet_inout_generic_node(test_inet_bad_client_t) @@ -87,8 +87,8 @@ typeattribute test_inet_bind_t testdomain; typeattribute test_inet_bind_t inetsocketdomain; allow test_inet_bind_t self:tcp_socket create_stream_socket_perms; allow test_inet_bind_t self:udp_socket create_socket_perms; -corenet_tcp_bind_generic_port(test_inet_bind_t) -corenet_udp_bind_generic_port(test_inet_bind_t) +corenet_tcp_bind_all_unreserved_ports(test_inet_bind_t) +corenet_udp_bind_all_unreserved_ports(test_inet_bind_t) corenet_tcp_bind_all_nodes(test_inet_bind_t) corenet_udp_bind_all_nodes(test_inet_bind_t) 
@@ -111,8 +111,8 @@ typeattribute test_inet_no_node_bind_t testdomain; typeattribute test_inet_no_node_bind_t inetsocketdomain; allow test_inet_no_node_bind_t self:tcp_socket create_stream_socket_perms; allow test_inet_no_node_bind_t self:udp_socket create_socket_perms; -corenet_tcp_bind_generic_port(test_inet_no_node_bind_t) -corenet_udp_bind_generic_port(test_inet_no_node_bind_t) +corenet_tcp_bind_all_unreserved_ports(test_inet_no_node_bind_t) +corenet_udp_bind_all_unreserved_ports(test_inet_no_node_bind_t) # Domain for a process allowed to connect(2). type test_inet_connect_t; @@ -122,8 +122,8 @@ typeattribute test_inet_connect_t testdomain; typeattribute test_inet_connect_t inetsocketdomain; allow test_inet_connect_t self:tcp_socket create_stream_socket_perms; allow test_inet_connect_t self:udp_socket create_socket_perms; -corenet_tcp_connect_generic_port(test_inet_connect_t) -corenet_tcp_bind_generic_port(test_inet_connect_t) +corenet_tcp_connect_all_unreserved_ports(test_inet_connect_t) +corenet_tcp_bind_all_unreserved_ports(test_inet_connect_t) corenet_tcp_bind_all_nodes(test_inet_connect_t) corenet_inout_generic_if(test_inet_connect_t) corenet_inout_generic_node(test_inet_connect_t) 
@@ -136,7 +136,7 @@ typeattribute test_inet_no_name_connect_t testdomain; typeattribute test_inet_no_name_connect_t inetsocketdomain; allow test_inet_no_name_connect_t self:tcp_socket create_stream_socket_perms; allow test_inet_no_name_connect_t self:udp_socket create_socket_perms; -corenet_tcp_bind_generic_port(test_inet_no_name_connect_t) +corenet_tcp_bind_all_unreserved_ports(test_inet_no_name_connect_t) corenet_tcp_bind_all_nodes(test_inet_no_name_connect_t) corenet_inout_generic_if(test_inet_no_name_connect_t) corenet_inout_generic_node(test_inet_no_name_connect_t) From patchwork Fri May 8 15:41:29 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 11537033 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EF93714B4 for ; Fri, 8 May 2020 15:42:36 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id D77F821974 for ; Fri, 8 May 2020 15:42:36 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="vKsOTI6V" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727113AbgEHPm0 (ORCPT ); Fri, 8 May 2020 11:42:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59356 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728188AbgEHPmX (ORCPT ); Fri, 8 May 2020 11:42:23 -0400 Received: from mail-qk1-x744.google.com (mail-qk1-x744.google.com [IPv6:2607:f8b0:4864:20::744]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 39BE2C05BD09 for ; Fri, 8 May 2020 08:42:23 -0700 (PDT) Received: by mail-qk1-x744.google.com with SMTP id 23so961252qkf.0 for ; Fri, 08 May 2020 08:42:23 -0700 (PDT) DKIM-Signature: 
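Review bot: Across all seven hunks this is a one-for-one rename of the bind/connect_generic_port() calls to bind/connect_all_unreserved_ports() for the same domains, so the risk is semantic rather than mechanical: the commit message gives as the reason for switching that on refpolicy and Debian the generic-port interfaces only cover ports without a more specific type, which means the new interfaces are broader there, and any test in this group that expects a denial on a specifically-typed unreserved port would now pass for the wrong reason. A sentence in the commit message confirming that no test relies on such a denial would close that question. One pre-existing oddity the -54 and -71 hunks leave untouched: test_inet_client_t and test_inet_bad_client_t are given udp_socket create_socket_perms but only a TCP connect interface, so their UDP sockets have no port access before or after this change.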
From: Stephen Smalley
To: selinux@vger.kernel.org
Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley
Subject: [PATCH v4 testsuite 06/15] test_sctp.te: make netlabel_peer_t a MCS-constrained type
Date: Fri, 8 May 2020 11:41:29 -0400
Message-Id: <20200508154138.24217-7-stephen.smalley.work@gmail.com>
X-Mailer: git-send-email 2.23.1
In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
References: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
MIME-Version: 1.0
Sender: selinux-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: selinux@vger.kernel.org

The sctp tests were relying on netlabel_peer_t being subject to MCS
constraints in order to deny access. refpolicy/Debian do not currently make
netlabel_peer_t a MCS-constrained type, so make it so in the test policy to
provide consistent behavior for testing. Alternatively (or in addition) we
could make test_sctp_server_t a MCS-constrained type similar to
test_inet_server_t.

Signed-off-by: Stephen Smalley
---
 policy/test_sctp.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/test_sctp.te b/policy/test_sctp.te
index df8606e..3b16db1 100644
--- a/policy/test_sctp.te
+++ b/policy/test_sctp.te
@@ -25,6 +25,7 @@ allow nfsd_t netlabel_sctp_peer_t:peer recv; gen_require(` type netlabel_peer_t; ') +mcs_constrained(netlabel_peer_t) # ############### Declare an attribute that will hold all peers ############### From patchwork Fri May 8 15:41:30 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 11537017 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C8CAF1668 for ; Fri, 8 May 2020 15:42:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id AF97621841 for ; Fri, 8 May 2020 15:42:26 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="SwxYu8Gg" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727945AbgEHPm0 (ORCPT ); Fri, 8 May 2020 11:42:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59360 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728273AbgEHPmY (ORCPT ); Fri, 8 May 2020 11:42:24 -0400 Received: from mail-qt1-x842.google.com (mail-qt1-x842.google.com [IPv6:2607:f8b0:4864:20::842]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F2D32C061A0C for ; Fri, 8 May 2020 08:42:23 -0700 (PDT) Received: by mail-qt1-x842.google.com with SMTP id g16so822315qtp.11 for ; Fri, 08 May 2020 08:42:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=dCQhPOYk0XIuwAlcRegLvjccFa+OyAaLY54ehgKIGUI=; b=SwxYu8GgxS8wqG4H6dR9sD/XKuiGADdFv+HnQwTCBD9rNIuqF4rhvWkvntvS0xUH6C I+89jsGY457G3NhAKsSOkAhnGnSOtNQD1l9siPFRQV0VJutmEMMWFEw7VOejdCPT1kXO 
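Review bot: mcs_constrained(netlabel_peer_t) alters a base-policy type from inside the test module, so while the test policy is loaded every domain on the system that receives from netlabel_peer_t becomes subject to the MCS constraint, not only test_sctp_server_t; that side effect is the point of the change, but it deserves a comment on the line itself (and a sentence in the commit message) so nobody later mistakes it for test-local plumbing. Also confirm that mcs_constrained() is available on a refpolicy build without MCS enabled; if it is not, the alternative the message mentions, constraining test_sctp_server_t the way test_inet_server_t already is, would keep the change entirely within the test policy.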
From: Stephen Smalley
To: selinux@vger.kernel.org
Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley
Subject: [PATCH v4 testsuite 07/15] test_policy.if: use ptynode instead of unconfined_devpts_t
Date: Fri, 8 May 2020 11:41:30 -0400
Message-Id: <20200508154138.24217-8-stephen.smalley.work@gmail.com>
In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
References: <20200508154138.24217-1-stephen.smalley.work@gmail.com>

refpolicy does not define an unconfined_devpts_t type, instead assigning user_devpts_t to unconfined ptys. Switch to using ptynode in the test policy to provide compatibility across both refpolicy and Fedora. ptynode is an attribute that includes all pty types.

Signed-off-by: Stephen Smalley
---
policy/test_policy.if | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/test_policy.if b/policy/test_policy.if index cefc8fb..f0400f5 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if @@ -29,7 +29,7 @@ interface(`unconfined_runs_test',` gen_require(` type unconfined_t; - type unconfined_devpts_t; + attribute ptynode; role unconfined_r; ')
@@ -38,7 +38,7 @@ interface(`unconfined_runs_test',` role unconfined_r types $1; # Report back from the test domain to the caller. allow $1 unconfined_t:fd use; - allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr }; + allow $1 ptynode:chr_file { read write ioctl getattr }; allow $1 unconfined_t:fifo_file { read write ioctl getattr }; allow $1 unconfined_t:process { sigchld };
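Review bot: in the second test_policy.if hunk, replacing `unconfined_devpts_t` with the `ptynode` attribute widens the grant from one pty type to every pty type in the policy, for every domain passed as $1 to unconfined_runs_test. That is acceptable for a test policy, but the interface should carry a comment saying the attribute is used for refpolicy/Fedora portability and that the broader scope is deliberate, so nobody later narrows it back after reading only the rule.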
From: Stephen Smalley
To: selinux@vger.kernel.org
Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley
Subject: [PATCH v4 testsuite 08/15] test_overlayfs.te: allow test_overlay_mounter_t to read user tmp files
Date: Fri, 8 May 2020 11:41:31 -0400
Message-Id: <20200508154138.24217-9-stephen.smalley.work@gmail.com>
In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
References: <20200508154138.24217-1-stephen.smalley.work@gmail.com>

During setup-overlay, a shell is run in test_overlay_mounter_t from a "here document", i.e. an inline input. This creates a temporary file that is inherited by the shell and must be readable. Allow it. This is apparently being allowed somehow in the base Fedora policy for all domains but not in Debian.

Signed-off-by: Stephen Smalley
---
policy/test_overlayfs.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te index 6f1756e..b29621e 100644 --- a/policy/test_overlayfs.te +++ b/policy/test_overlayfs.te
@@ -52,6 +52,7 @@ corecmd_exec_bin(test_overlay_mounter_t) userdom_search_admin_dir(test_overlay_mounter_t) userdom_search_user_home_content(test_overlay_mounter_t) +userdom_read_user_tmp_files(test_overlay_mounter_t) mount_exec(test_overlay_mounter_t) mount_rw_pid_files(test_overlay_mounter_t)
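Review bot: `userdom_read_user_tmp_files` grants read on all user tmp files, which is wider than the single here-document temp file the shell inherits. Since the commit message says the Fedora base policy allows this "somehow", it would be worth naming the actual Fedora rule in the message, or in a comment beside the new line in test_overlayfs.te, so a later reader can tell whether a narrower grant covering only the inherited file would suffice.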
From: Stephen Smalley
To: selinux@vger.kernel.org
Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley
Subject: [PATCH v4 testsuite 09/15] policy: Add MCS constraint on peer recv
Date: Fri, 8 May 2020 11:41:32 -0400
Message-Id: <20200508154138.24217-10-stephen.smalley.work@gmail.com>
In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
References: <20200508154138.24217-1-stephen.smalley.work@gmail.com>

Some of the inet_socket and sctp tests rely on a MCS constraint on the peer recv permission that exists in Fedora policy but not refpolicy and hence not Debian. Add the constraint to the test policy to provide consistent behavior. On Fedora this is merely redundant. The constraint is defined via a CIL module since constraints are not supported in .te files for binary modules. Introduce a SUPPORTS_CIL variable in the Makefile and disable it automatically on older RHEL releases that lack CIL support to avoid breaking policy load on them.

Signed-off-by: Stephen Smalley
---
policy/Makefile | 15 +++++++++++---- policy/test_mlsconstrain.cil | 2 ++ 2 files changed, 13 insertions(+), 4 deletions(-) create mode 100644 policy/test_mlsconstrain.cil
diff --git a/policy/Makefile b/policy/Makefile index dfe601b..8f43427 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -7,6 +7,7 @@ SELINUXFS ?= /sys/fs/selinux SEMODULE = $(SBINDIR)/semodule CHECKPOLICY = $(BINDIR)/checkpolicy CHECKMODULE = $(BINDIR)/checkmodule +SUPPORTS_CIL ?= y DISTRO=$(shell ../tests/os_detect)
@@ -30,15 +31,21 @@ TARGETS = \ test_mmap.te test_overlayfs.te test_mqueue.te \ test_ibpkey.te test_atsecure.te test_cgroupfs.te +ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) +SUPPORTS_CIL = n +endif +ifeq ($(SUPPORTS_CIL),y) +CIL_TARGETS = test_mlsconstrain.cil ifeq ($(shell [[ $(MAX_KERNEL_POLICY) -ge 32 && $(POL_VERS) -ge 32 ]] && echo true),true) # If other MLS tests get written this can be moved outside of the glblub test ifeq ($(POL_TYPE), MLS) -CIL_TARGETS = test_glblub.cil +CIL_TARGETS += test_glblub.cil else ifeq ($(POL_TYPE), MCS) -CIL_TARGETS = test_add_levels.cil test_glblub.cil -endif -endif # GLBLUB +CIL_TARGETS += test_add_levels.cil test_glblub.cil +endif # POL_TYPE +endif # MAX_KERNEL_POLICY +endif # SUPPORTS_CIL ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true) TARGETS += test_bounds.te test_nnp_nosuid.te diff --git a/policy/test_mlsconstrain.cil b/policy/test_mlsconstrain.cil new file mode 100644 index 0000000..1412f91 --- /dev/null +++ b/policy/test_mlsconstrain.cil 
@@ -0,0 +1,2 @@ +(mlsconstrain (peer (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type)))) +(mlsconstrain (packet (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type))))
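Review bot: in the second Makefile hunk, `SUPPORTS_CIL = n` under the RHEL4/RHEL5/RHEL6 check is a plain assignment, so it overrides a SUPPORTS_CIL supplied from the environment that the earlier `?=` default was meant to honour; if forcing it off on those releases is the intent, a comment there would save confusion, otherwise use `?=` so an explicit setting wins. In the same hunk, test_mlsconstrain.cil is added to CIL_TARGETS ahead of the POL_TYPE check, so it is loaded even when POL_TYPE is neither MLS nor MCS; please confirm an mlsconstrain module loads cleanly on a non-MLS policy, or guard it the same way as test_glblub.cil.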
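Review bot: the new test_mlsconstrain.cil also constrains `packet recv`, but the subject and commit message mention only `peer recv`; either extend the message to say which tests rely on the packet constraint or drop that line if none do. Both rules reference the `mcs_constrained_type` attribute from the base policy, so the module will fail to load on a policy that does not declare it; a sentence in the commit message noting that refpolicy and Fedora both provide it would help anyone porting the suite to another base policy.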
From: Stephen Smalley
To: selinux@vger.kernel.org
Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley
Subject: [PATCH v4 testsuite 10/15] policy: Add defaultrange rules for overlay tests
Date: Fri, 8 May 2020 11:41:33 -0400
Message-Id: <20200508154138.24217-11-stephen.smalley.work@gmail.com>
In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
References: <20200508154138.24217-1-stephen.smalley.work@gmail.com>

Some of the overlay tests assume that files inherit their MCS/MLS labels from the parent directory rather than the process. This is true on Fedora, which defines defaultrange rules for this purpose, but not in refpolicy. Add the defaultrange rules explicitly to the test policy as a CIL module to provide consistent behavior on Debian.

Signed-off-by: Stephen Smalley
---
policy/Makefile | 2 +- policy/test_overlay_defaultrange.cil | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 policy/test_overlay_defaultrange.cil
diff --git a/policy/Makefile b/policy/Makefile index 8f43427..17e9da3 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -36,7 +36,7 @@ SUPPORTS_CIL = n endif ifeq ($(SUPPORTS_CIL),y) -CIL_TARGETS = test_mlsconstrain.cil +CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil ifeq ($(shell [[ $(MAX_KERNEL_POLICY) -ge 32 && $(POL_VERS) -ge 32 ]] && echo true),true) # If other MLS tests get written this can be moved outside of the glblub test ifeq ($(POL_TYPE), MLS) diff --git a/policy/test_overlay_defaultrange.cil b/policy/test_overlay_defaultrange.cil new file mode 100644 index 0000000..d1c18db --- /dev/null +++ b/policy/test_overlay_defaultrange.cil
@@ -0,0 +1,7 @@ +(defaultrange file target low) +(defaultrange dir target low) +(defaultrange lnk_file target low) +(defaultrange chr_file target low) +(defaultrange blk_file target low) +(defaultrange sock_file target low) +(defaultrange fifo_file target low)
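Review bot: defaultrange statements apply policy-wide, so while test_overlay_defaultrange.cil is loaded every new file, dir, lnk_file, chr_file, blk_file, sock_file and fifo_file on a refpolicy/Debian system takes its range from the parent directory instead of the creating process, not only objects created by the overlay tests. A comment at the top of the .cil file saying so, and a mention in the commit message, would help; please also confirm that on Fedora, where the commit says equivalent rules already exist, a second declaration with the same values loads without a conflict error.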
From: Stephen Smalley
To: selinux@vger.kernel.org
Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley
Subject: [PATCH v4 testsuite 11/15] test_filesystem.te,tests/{fs_}filesystem: do not force user identity to system_u
Date: Fri, 8 May 2020 11:41:34 -0400
Message-Id: <20200508154138.24217-12-stephen.smalley.work@gmail.com>
In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
References: <20200508154138.24217-1-stephen.smalley.work@gmail.com>

Rather than forcing the process user identity to system_u in the filesystem tests (which broke in Debian due to not being authorized for unconfined_r), grant the test_filesystem_fscontext_t domain the ability to create objects in other user identities. This is cleaner.

Signed-off-by: Stephen Smalley
---
policy/test_filesystem.te | 1 + tests/filesystem/test | 2 +- tests/fs_filesystem/test | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te index 7d73cbf..4e27134 100644 --- a/policy/test_filesystem.te +++ b/policy/test_filesystem.te @@ -350,6 +350,7 @@ allow test_filesystem_fscontext_t test_filesystem_filecon_t:file { getattr open allow test_filesystem_fscontext_t test_filesystem_fscontext_fs_t:dir { add_name search write }; allow test_filesystem_fscontext_t test_filesystem_fscontext_fs_t:file { create getattr open relabelfrom write }; allow test_filesystem_fscontext_t test_filesystem_fscontext_fs_t:filesystem { mount relabelto unmount }; +domain_obj_id_change_exemption(test_filesystem_fscontext_t) fs_relabelfrom_all_fs(test_filesystem_fscontext_t) files_search_all(test_filesystem_fscontext_t) allow test_filesystem_filecon_t test_filesystem_fscontext_fs_t:filesystem { associate }; diff --git a/tests/filesystem/test b/tests/filesystem/test index 149cc29..7d4654d 100755
--- a/tests/filesystem/test +++ b/tests/filesystem/test @@ -1116,7 +1116,7 @@ if ( not $nfs_enabled ) { # system_u:object_r:test_filesystem_context_file_t:s0 from $test_opts print "Creating test file $basedir/mntpoint/mp1/test_file\n"; $result = system( -"runcon -u system_u -t test_filesystem_fscontext_t $basedir/create_file -f $basedir/mntpoint/mp1/test_file -e test_filesystem_context_file_t $v" +"runcon -t test_filesystem_fscontext_t $basedir/create_file -f $basedir/mntpoint/mp1/test_file -e test_filesystem_context_file_t $v" ); ok( $result eq 0 ); diff --git a/tests/fs_filesystem/test b/tests/fs_filesystem/test index 5dcc89d..5dedf83 100755 --- a/tests/fs_filesystem/test +++ b/tests/fs_filesystem/test 
@@ -1145,7 +1145,7 @@ if ( not $nfs_enabled ) { # system_u:object_r:test_filesystem_context_file_t:s0 from $test_opts print "Creating test file $basedir/mntpoint/mp1/test_file\n"; $result = system( -"runcon -u system_u -t test_filesystem_fscontext_t $filesystem_dir/create_file -f $basedir/mntpoint/mp1/test_file -e test_filesystem_context_file_t $v" +"runcon -t test_filesystem_fscontext_t $filesystem_dir/create_file -f $basedir/mntpoint/mp1/test_file -e test_filesystem_context_file_t $v" ); ok( $result eq 0 );
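Review bot: in both test hunks the comment kept above the runcon call, `# system_u:object_r:test_filesystem_context_file_t:s0 from $test_opts`, says the created file keeps the system_u identity while, with `-u system_u` dropped, the creating process now runs under the caller's identity. That identity mismatch between process and new object is exactly what `domain_obj_id_change_exemption(test_filesystem_fscontext_t)` in the test_filesystem.te hunk permits, so a one-line comment beside that new rule naming this purpose would spare the next reader a hunt through the test scripts. Please also confirm the later context check on the created file (not shown in the hunk) still passes on Fedora, where the runcon change applies too.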
From: Stephen Smalley
To: selinux@vger.kernel.org
Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley
Subject: [PATCH v4 testsuite 12/15] policy/Makefile: conditionalize setting of allow_domain_fd_use
Date: Fri, 8 May 2020 11:41:35 -0400
Message-Id: <20200508154138.24217-13-stephen.smalley.work@gmail.com>
In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com>
References: <20200508154138.24217-1-stephen.smalley.work@gmail.com>

allow_domain_fd_use is Fedora-specific, so conditionalize the setting of it to avoid noise on Debian or other distributions.

Signed-off-by: Stephen Smalley
---
policy/Makefile | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/policy/Makefile b/policy/Makefile index 17e9da3..386bbce 100644 --- a/policy/Makefile +++ b/policy/Makefile
@@ -168,12 +168,16 @@ build: $(TARGETS) load: expand_check all # General policy load - @-/usr/sbin/setsebool allow_domain_fd_use=0 + @if /usr/sbin/getsebool allow_domain_fd_use 2> /dev/null; then \ + /usr/sbin/setsebool allow_domain_fd_use=0; \ + fi $(SEMODULE) -i test_policy/test_policy.pp $(CIL_TARGETS) unload: # General policy unload - @-/usr/sbin/setsebool allow_domain_fd_use=1 + @if /usr/sbin/getsebool allow_domain_fd_use 2> /dev/null; then \ + /usr/sbin/setsebool allow_domain_fd_use=1; \ + fi $(SEMODULE) -r test_policy $(subst .cil,,$(CIL_TARGETS)) clean:
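Review bot: `getsebool allow_domain_fd_use` prints the boolean's current state to stdout when it exists, so the new condition trades the old error message on Debian for a line of output on every load and unload on Fedora; redirect stdout as well (`> /dev/null 2>&1`). Two smaller points in the same hunk: the unload target still sets the boolean to 1 unconditionally rather than restoring whatever value load found, and dropping the `-` prefix means a failing setsebool inside the if now aborts make where it was previously ignored. Both are probably fine for a test harness, but the commit message should say so.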
From: Stephen Smalley To: selinux@vger.kernel.org Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley Subject: [PATCH v4 testsuite 13/15] tests/cap_userns: set /proc/sys/kernel/unprivileged_userns_clone if needed Date: Fri, 8 May 2020 11:41:36 -0400 Message-Id: <20200508154138.24217-14-stephen.smalley.work@gmail.com> X-Mailer: git-send-email 2.23.1 In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com> References: <20200508154138.24217-1-stephen.smalley.work@gmail.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Debian does not allow unprivileged user namespace clones by default, so update the test to enable it when running the test to avoid requiring sys_admin permission to the capability class during the cap_userns tests. The current test is specifically exercising the sys_admin check in the separate cap_userns class used for capability checks against non-init user namespaces. Signed-off-by: Stephen Smalley --- tests/cap_userns/test | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/cap_userns/test b/tests/cap_userns/test index 9eafba6..917da00 100755 --- a/tests/cap_userns/test +++ b/tests/cap_userns/test @@ -6,6 +6,10 @@ BEGIN { $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; + if ( -e '/proc/sys/kernel/unprivileged_userns_clone' ) { + system( + "echo 1 > /proc/sys/kernel/unprivileged_userns_clone 2> /dev/null"); + } if ( system("$basedir/userns_child_exec -t -U > /dev/null 2>&1") == 0 ) { plan tests => 2; } 
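Review bot: the BEGIN block writes 1 to /proc/sys/kernel/unprivileged_userns_clone without recording what it held, so nothing in the test can put the administrator's setting back afterwards. Capture the current value first, e.g. `chomp( $saved = `cat /proc/sys/kernel/unprivileged_userns_clone` );`, and only write when it isn't already 1. The return value of `system("echo 1 > ... 2> /dev/null")` is also ignored; that is acceptable only because the `userns_child_exec -t -U` probe that follows decides whether the tests are planned at all, which deserves a comment so the dependency isn't lost in a later edit.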
@@ -27,3 +31,7 @@ $result = system( "runcon -t test_no_cap_userns_t -- $basedir/userns_child_exec -p -m -U -M '0 0 1' -G '0 0 1' -- true 2>&1" ); ok($result); + +if ( -e '/proc/sys/kernel/unprivileged_userns_clone' ) { + system("echo 0 > /proc/sys/kernel/unprivileged_userns_clone 2> /dev/null"); +} From patchwork Fri May 8 15:41:37 2020 X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 11537021 X-Patchwork-Delegate: omosnacek@gmail.com
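Review bot: writing 0 back unconditionally assumes the knob was 0 before the test started; on a Debian host where the admin had already enabled unprivileged user namespaces, a test run silently disables them system-wide. Restore the value saved at startup instead, and only if it was changed. This reset also runs only when control reaches the end of the script, so any early exit from the BEGIN block's planning path leaves the setting at 1; an END block (which Perl runs on exit as well as on normal completion) is the safer place for it.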
From: Stephen Smalley To: selinux@vger.kernel.org Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley Subject: [PATCH v4 testsuite 14/15] tests/mmap: skip /dev/zero tests if /dev is noexec Date: Fri, 8 May 2020 11:41:37 -0400 Message-Id: <20200508154138.24217-15-stephen.smalley.work@gmail.com> X-Mailer: git-send-email 2.23.1 In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com> References: <20200508154138.24217-1-stephen.smalley.work@gmail.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org If /dev is mounted noexec (as in Debian unstable), then we cannot mmap/mprotect PROT_EXEC /dev/zero regardless of SELinux. Check for this situation and skip those tests in that case to avoid extraneous failures. Signed-off-by: Stephen Smalley --- tests/mmap/test | 48 +++++++++++++++++++++++++++++++----------------- 1 file changed, 31 insertions(+), 17 deletions(-) diff --git a/tests/mmap/test b/tests/mmap/test index fe6f184..b7cd56a 100755 --- a/tests/mmap/test +++ b/tests/mmap/test @@ -3,10 +3,11 @@ use Test; BEGIN { - $test_count = 34; - $test_hugepages = 0; - $test_exec_checking = 0; - $test_map_checking = 0; + $test_count = 30; + $test_hugepages = 0; + $test_exec_checking = 0; + $test_map_checking = 0; + $test_devzero_checking = 0; system("echo 1 > /proc/sys/vm/nr_hugepages 2> /dev/null"); if ( system("grep -q 1 /proc/sys/vm/nr_hugepages 2> /dev/null") == 0 ) { @@ -19,6 +20,12 @@ BEGIN { $test_count += 4; } + if ( system("grep -q '/dev .*noexec' /proc/self/mounts 2> /dev/null") != 0 ) + { + $test_devzero_checking = 1; + $test_count += 4; + } + if ( -e '/sys/fs/selinux/class/file/perms/map' ) { $test_map_checking = 1; $test_count += 1; 
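Review bot: the probe `grep -q '/dev .*noexec' /proc/self/mounts` is a loose test: it matches any line whose source or target field begins with `/dev ` and has `noexec` anywhere after it, so with more than one mount stacked on /dev (an exec mount over an older noexec one) the stale entry still triggers the skip, and a source path `/dev` mounted elsewhere would match too. Reading the options field of the last line whose second field is exactly `/dev` (awk is enough) is more precise. The plan arithmetic itself checks out: the base count drops from 34 to 30 and `$test_count += 4` comes back when `$test_devzero_checking` is set, matching the four /dev/zero tests moved under the flag.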
@@ -62,13 +69,17 @@ ok( $result, 0 ); $result = system "runcon -t test_no_execmem_t $basedir/mmap_anon_shared 2>&1"; ok($result); -# Test success and failure for mmap /dev/zero. -$result = - system "runcon -t test_mmap_dev_zero_t $basedir/mmap_file_shared /dev/zero"; -ok( $result, 0 ); -$result = system - "runcon -t test_no_mmap_dev_zero_t $basedir/mmap_file_shared /dev/zero 2>&1"; -ok($result); +if ($test_devzero_checking) { + + # Test success and failure for mmap /dev/zero. + $result = + system + "runcon -t test_mmap_dev_zero_t $basedir/mmap_file_shared /dev/zero"; + ok( $result, 0 ); + $result = system +"runcon -t test_no_mmap_dev_zero_t $basedir/mmap_file_shared /dev/zero 2>&1"; + ok($result); +} # Test success and failure for mprotect w/ anonymous shared memory. # In old kernels, this triggers a tmpfs file execute check. 
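Review bot: wrapping the /dev/zero mmap pair in `if ($test_devzero_checking)` removes them from the plan silently, so a run on a noexec /dev leaves no trace in the output that two checks were not exercised; Test.pm's `skip()` would report them as skipped while keeping the plan count stable. Also, the reflowed string line `+"runcon -t test_no_mmap_dev_zero_t ..."` sits at column 0 inside the new block (a perltidy artifact), which makes it easy to misread as being outside the conditional; assigning the command to a variable before the `system` call keeps the block readable.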
@@ -80,13 +91,16 @@ $result = system "runcon -t test_no_mprotect_anon_shared_t $basedir/mprotect_anon_shared 2>&1"; ok($result); -# Test success and failure for mprotect /dev/zero. -$result = system - "runcon -t test_mprotect_dev_zero_t $basedir/mprotect_file_shared /dev/zero"; -ok( $result, 0 ); -$result = system +if ($test_devzero_checking) { + + # Test success and failure for mprotect /dev/zero. + $result = system +"runcon -t test_mprotect_dev_zero_t $basedir/mprotect_file_shared /dev/zero"; + ok( $result, 0 ); + $result = system "runcon -t test_no_mprotect_dev_zero_t $basedir/mprotect_file_shared /dev/zero 2>&1"; -ok($result); + ok($result); +} # Test success and failure for execheap, independent of execmem. $result = system "runcon -t test_execheap_t $basedir/mprotect_heap"; From patchwork Fri May 8 15:41:38 2020 X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 11537027 X-Patchwork-Delegate: omosnacek@gmail.com
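Review bot: this block, the mmap block above it and the `$test_count += 4` in BEGIN are now three places that must agree on how many tests hide behind `$test_devzero_checking`; anyone adding a fifth /dev/zero check has to remember to bump the count. Deriving the increment from the number of `ok()` calls in these blocks, or reporting the pair with `skip()` instead of dropping them from the plan, removes that coupling. The unchanged context line `"runcon -t test_no_mprotect_dev_zero_t ..."` now lives at column 0 inside the new `if`, so the same variable-first rewrite suggested for the mmap block applies here.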
[52.70.167.183]) by smtp.gmail.com with ESMTPSA id g5sm309055qkl.114.2020.05.08.08.42.29 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 08 May 2020 08:42:30 -0700 (PDT) From: Stephen Smalley To: selinux@vger.kernel.org Cc: omosnace@redhat.com, paul@paul-moore.com, Stephen Smalley Subject: [PATCH v4 testsuite 15/15] README.md: Add instructions for Debian Date: Fri, 8 May 2020 11:41:38 -0400 Message-Id: <20200508154138.24217-16-stephen.smalley.work@gmail.com> X-Mailer: git-send-email 2.23.1 In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com> References: <20200508154138.24217-1-stephen.smalley.work@gmail.com> MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Now that the testsuite builds and runs on Debian, add instructions to the README with the necessary dependencies and steps. Signed-off-by: Stephen Smalley --- README.md | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 65 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b36494e..1f7e5d9 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,8 @@ one primary security module may be active at a time. ### Userland and Base Policy +#### Fedora or RHEL + On a Fedora/RHEL based system the testsuite has the following userspace dependencies beyond a minimal install (other Linux distributions should have similar dependencies): 
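Review bot: the new `#### Fedora or RHEL` heading is placed just before a paragraph that still ends with "(other Linux distributions should have similar dependencies)"; once Debian and "Other Distributions" get their own subsections that parenthetical reads oddly under a distribution-specific heading and could be dropped or moved to the "Other Distributions" text.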
@@ -77,8 +79,70 @@ following command: xfsprogs-devel \ libuuid-devel +#### Debian + +On Debian, you must first take steps to install and activate SELinux since +it is not enabled in the default install. Make sure to backup your system +first if you care about any local data. + + # apt-get install selinux-basics selinux-policy-default auditd + # selinux-activate + # reboot + +After activating, make sure that your login shell is running in the +correct context: + + # id -Z + +If this shows something other than +"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", you will need +to first fix labeling or policy problems in your base system before +proceeding. Make sure that your shell context is correct and you can +switch to enforcing mode without breaking your system before +proceeding. + +On Debian, you can install the userspace dependencies with the following +command: + + # apt-get install perl \ + gcc \ + selinux-policy-dev \ + libselinux1-dev \ + net-tools \ + iptables \ + libsctp-dev \ + attr \ + libbpf-dev \ + libkeyutils-dev \ + linux-headers-$(uname -r) \ + quota \ + xfsprogs \ + xfslibs-dev \ + uuid-dev + +On Debian, you need to build and install netlabel_tools manually since +it is not yet packaged for Debian +(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959806): + + # git clone https://github.com/netlabel/netlabel_tools + # cd netlabel_tools + # sudo apt-get install autotools-dev autoconf automake libtool pkg-config libnl-3-dev libnl-genl-3-dev + # ./autogen.sh + # ./configure --prefix=/usr + # make + # sudo make install + +Debian further requires reconfiguring the default /bin/sh to be bash +to support bashisms employed in the testsuite Makefiles and scripts: + + # dpkg-reconfigure dash + +Select "No" when asked if you want to use dash as the default system shell. + +#### Other Distributions + The testsuite requires a pre-existing base policy configuration of SELinux, -using either the old example policy or the reference policy as the baseline. 
+using the reference policy as the baseline. It also requires the core SELinux userland packages (`libsepol`, `checkpolicy`, `libselinux`, `policycoreutils`, and if using modular policy, `libsemanage`) to be installed. The test scripts also rely upon the SELinux extensions being
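Review bot: the Debian section mixes privilege conventions: every command is shown at a `#` root prompt, yet the netlabel_tools block uses `sudo apt-get install ...` and `sudo make install`; pick one (plain commands under the `#` prompt) so readers don't run `git clone` and `make` as root by accident. Two documentation points: "Make sure to backup your system" should read "back up", and `dpkg-reconfigure dash` changes /bin/sh for the whole system, so say how to revert it after testing (re-run `dpkg-reconfigure dash` and answer "Yes"). Finally, the last lines replace "using either the old example policy or the reference policy as the baseline" with "using the reference policy as the baseline"; that drops example-policy support from the README and is unrelated to Debian, so it belongs in its own patch or at least in this commit message.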