Re: open_init_pty: Do not make stdin and stdout non-blocking

2017-07-14 Thread Laurent Bigonville
commit fb081eb64b36a9de5a43f3d69d9e628b6eb1afc7 (HEAD -> master, origin/master)

Author: Stephen Smalley 
Date:   Mon Jul 10 13:03:01 2017 -0400

open_init_pty: Do not make stdin and stdout non-blocking

It is unclear why this was being done in the first place, and
it has caused multiple bugs with run_init/open_init_pty usage.

Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863187
Fixes: https://bugs.gentoo.org/show_bug.cgi?id=621062
Signed-off-by: Stephen Smalley 


I see you fixed the issue with run_init/open_init_pty messing up the 
terminals, but I think it's introducing another issue :/


FTR, I found the reason why stdin/stdout were non-blocking: it's a fix 
for this: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474956#10


Apparently, if the descriptors are closed, open_init_pty hangs. Example:

./open_init_pty bash -c 'echo hello; exec >&- 2>&- <&-; sleep 1; '



Re: [PATCH] Additional tests for long-time supported netlink classes

2017-07-14 Thread Paul Moore
On Fri, Jul 14, 2017 at 10:53 AM, Stephen Smalley  wrote:
> I don't know if we care about distinguishing at the granularity of
> point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to
> ensure that the testsuite will pass on the latest release of RHEL7.

I think this is the right way to go about it the way the tests
currently work.  At some point we will probably want to provide some
better infrastructure for specifying different minor releases or
kernel revisions, but right now sticking with the latest minor release
seems reasonable.

-- 
paul moore
www.paul-moore.com


[PATCH] libsepol: Define nnp_nosuid_transition policy capability

2017-07-14 Thread Stephen Smalley
Define the nnp_nosuid_transition policy capability used to enable
SELinux domain transitions under NNP or nosuid if the
nnp_nosuid_transition permission is allowed between the old and
new contexts. When this capability is not enabled, such transitions
remain limited to bounded transitions as they were prior to the
introduction of this capability.

Signed-off-by: Stephen Smalley 
---
 libsepol/include/sepol/policydb/polcaps.h | 1 +
 libsepol/src/polcaps.c| 1 +
 2 files changed, 2 insertions(+)

diff --git a/libsepol/include/sepol/policydb/polcaps.h 
b/libsepol/include/sepol/policydb/polcaps.h
index 087541d..dc9356a 100644
--- a/libsepol/include/sepol/policydb/polcaps.h
+++ b/libsepol/include/sepol/policydb/polcaps.h
@@ -12,6 +12,7 @@ enum {
POLICYDB_CAPABILITY_EXTSOCKCLASS,
POLICYDB_CAPABILITY_ALWAYSNETWORK,
POLICYDB_CAPABILITY_CGROUPSECLABEL,
+   POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
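Review bot: appending POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION directly before __POLICYDB_CAPABILITY_MAX keeps the existing ordinals stable, but it is the ordinal, not the name, that a compiled policy carries, so the kernel-side enum in security/selinux/include/security.h must gain its entry at the same index and the polcap_names[] table in the next hunk must stay in the same order; a short comment on the enumerator saying that the two tables are index-coupled would help whoever adds the next capability.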
diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
index 06a868c..b9dc352 100644
--- a/libsepol/src/polcaps.c
+++ b/libsepol/src/polcaps.c
@@ -11,6 +11,7 @@ static const char *polcap_names[] = {
"extended_socket_class",/* POLICYDB_CAPABILITY_EXTSOCKCLASS */
"always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */
"cgroup_seclabel",  /* POLICYDB_CAPABILITY_SECLABEL */
+   "nnp_nosuid_transition",/* 
POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION */
NULL
 };
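Review bot: the comment on the line just above the added entry reads POLICYDB_CAPABILITY_SECLABEL while the enumerator in polcaps.h is POLICYDB_CAPABILITY_CGROUPSECLABEL; since this hunk already touches the neighbouring line, the stale comment could be corrected in the same patch. The string "nnp_nosuid_transition" is what policy sources will write in their policycap statement, so its spelling must match the kernel's corresponding table exactly; the earlier entries use the same lowercase_underscore form, so the name is consistent with them.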
 
-- 
2.9.4



[PATCH] selinux: Generalize support for NNP/nosuid SELinux domain transitions

2017-07-14 Thread Stephen Smalley
As systemd ramps up enabling NNP (NoNewPrivileges) for system services,
it is increasingly breaking SELinux domain transitions for those services
and their descendants.  systemd enables NNP not only for services whose
unit files explicitly specify NoNewPrivileges=yes but also for services
whose unit files specify any of the following options in combination with
running without CAP_SYS_ADMIN (e.g. specifying User= or a
CapabilityBoundingSet= without CAP_SYS_ADMIN): SystemCallFilter=,
SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=,
PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=,
MemoryDenyWriteExecute=, or RestrictRealtime= as per the systemd.exec(5)
man page.

The end result is bad for the security of both SELinux-disabled and
SELinux-enabled systems.  Packagers have to turn off these
options in the unit files to preserve SELinux domain transitions.  For
users who choose to disable SELinux, this means that they miss out on
at least having the systemd-supported protections.  For users who keep
SELinux enabled, they may still be missing out on some protections
because it isn't necessarily guaranteed that the SELinux policy for
that service provides the same protections in all cases.

commit 7b0d0b40cd78 ("selinux: Permit bounded transitions under
NO_NEW_PRIVS or NOSUID.") allowed bounded transitions under NNP in
order to support limited usage for sandboxing programs.  However,
defining typebounds for all of the affected service domains
is impractical to implement in policy, since typebounds requires us
to ensure that each domain is allowed everything all of its descendant
domains are allowed, and this has to be repeated for the entire chain
of domain transitions.  There is no way to clone all allow rules from
descendants to their ancestors in policy currently, and doing so would
be undesirable even if it were practical, as it requires leaking
permissions to objects and operations into ancestor domains that could
weaken their own security in order to allow them to the descendants
(e.g. if a descendant requires execmem permission, then so do all of
its ancestors; if a descendant requires execute permission to a file,
then so do all of its ancestors; if a descendant requires read to a
symbolic link or temporary file, then so do all of its ancestors...).
SELinux domains are intentionally not hierarchical / bounded in this
manner normally, and making them so would undermine their protections
and least privilege.

We have long had a similar tension with SELinux transitions and nosuid
mounts, albeit not as severe.  Users often have had to choose between
retaining nosuid on a mount and allowing SELinux domain transitions on
files within those mounts.  This likewise leads to unfortunate tradeoffs
in security.

Decouple NNP/nosuid from SELinux transitions, so that we don't have to
make a choice between them. Introduce a nnp_nosuid_transition policy
capability that causes the ability to transition under NNP/nosuid to
be based on a nnp_nosuid_transition permission between the old and new
contexts rather than typebounds.  Domain transitions can then be allowed
in policy without requiring the parent to be a strict superset of all of
its children.

With this change, systemd unit files can be left unmodified from upstream.
SELinux-disabled and SELinux-enabled users will benefit from retaining any
of the systemd-provided protections.  SELinux policy will only need to
be adapted to enable the new policy capability and to allow the
new permission between domain pairs as appropriate.

Signed-off-by: Stephen Smalley 
---
 security/selinux/hooks.c| 41 -
 security/selinux/include/classmap.h |  2 +-
 security/selinux/include/security.h |  2 ++
 security/selinux/ss/services.c  |  7 ++-
 4 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3a06afb..932b72d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2326,24 +2326,37 @@ static int check_nnp_nosuid(const struct linux_binprm 
*bprm,
return 0; /* No change in credentials */
 
/*
-* The only transitions we permit under NNP or nosuid
-* are transitions to bounded SIDs, i.e. SIDs that are
-* guaranteed to only be allowed a subset of the permissions
-* of the current SID.
+* If the policy enables the nnp_nosuid_transition policy capability,
+* then we permit transitions under NNP or nosuid if the
+* policy explicitly allows nnp_nosuid_transition permission between
+* the old and new contexts.
 */
-   rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
-   if (rc) {
+   if (selinux_policycap_nnp_nosuid_transition) {
+   rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
+ SECCLASS_PROCESS,
+ 
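Review bot: the hunk is cut off right after the avc_has_perm() call, so the permission argument, the branch taken when selinux_policycap_nnp_nosuid_transition is off, and the handling of a denial from avc_has_perm() cannot be checked here. From the visible part: the removed comment documented the bounded-transition rule, and the new comment only describes the capability-on case; since the capability-off path is meant to keep the old behaviour (the description says such transitions "remain limited to bounded transitions"), keep a sentence about that fallback in the comment, and make sure the else branch still assigns rc from security_bounded_transition() so that a denial is not silently turned into success.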

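Given the list of unit options in the description above, here is an added example (my own script, not part of the patch or of systemd) that reads a unit file's [Service] section and reports whether systemd would enable NoNewPrivileges for it under the rule the description states, so a policy maintainer can list the services whose domain transitions are affected; treating User= and CapabilityBoundingSet= as the indicators of "running without CAP_SYS_ADMIN" is my assumption, and the sample units are constructed.

```python
"""Flag systemd units for which systemd will turn on NoNewPrivileges.

Added example, not part of the patch or of systemd. It encodes the rule the
patch description quotes from systemd.exec(5); how "runs without
CAP_SYS_ADMIN" is derived from User= and CapabilityBoundingSet= is assumed.
"""

# Options that make systemd enable NNP for a service lacking CAP_SYS_ADMIN.
NNP_IMPLYING_OPTIONS = (
    "SystemCallFilter", "SystemCallArchitectures", "RestrictAddressFamilies",
    "RestrictNamespaces", "PrivateDevices", "ProtectKernelTunables",
    "ProtectKernelModules", "MemoryDenyWriteExecute", "RestrictRealtime",
)
FALSE_VALUES = {"", "no", "false", "0", "off"}


def parse_service_section(unit_text):
    """Return {key: [values]} for [Service]; "" records an empty (reset) assignment."""
    values, section, pending = {}, None, ""
    for raw in unit_text.splitlines():
        line = pending + raw.strip()       # join backslash continuations
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":   # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        values[key] = [""] if value == "" else values.get(key, []) + [value]
    return values


def option_is_set(vals):
    """True when the option's last assignment is a non-empty, non-false value."""
    return bool(vals) and vals[-1].lower() not in FALSE_VALUES


def lacks_cap_sys_admin(service):
    """Reasons the service runs without CAP_SYS_ADMIN ([] if it keeps it).

    Assumed, not from the page: User= other than root drops it; in
    CapabilityBoundingSet= a leading '~' means "everything except these";
    only the last assignment counts and AmbientCapabilities= is ignored.
    """
    reasons = []
    user = service.get("User", [])
    if user and user[-1] not in ("", "root", "0"):
        reasons.append("User=%s" % user[-1])
    bounding = service.get("CapabilityBoundingSet", [])
    if bounding:
        spec = bounding[-1]
        inverted = spec.startswith("~")
        listed = {cap.upper() for cap in spec.lstrip("~").split()}
        if ("CAP_SYS_ADMIN" in listed) == inverted:   # i.e. not in the set
            reasons.append("CapabilityBoundingSet=%s" % spec)
    return reasons


def nnp_implied(unit_text):
    """Return (nnp_enabled, reasons) for the text of one unit file."""
    service = parse_service_section(unit_text)
    explicit = service.get("NoNewPrivileges", [])
    if option_is_set(explicit):
        return True, ["NoNewPrivileges=%s" % explicit[-1]]
    hardening = [opt for opt in NNP_IMPLYING_OPTIONS
                 if option_is_set(service.get(opt, []))]
    unprivileged = lacks_cap_sys_admin(service) if hardening else []
    return (True, hardening + unprivileged) if unprivileged else (False, [])


# Constructed sample units, not real distribution unit files.
SAMPLE_UNITS = {
    "hardened-unprivileged.service": """[Service]
ExecStart=/usr/bin/example-daemon
User=example
PrivateDevices=yes
SystemCallFilter=~@mount @obsolete \\
                 @debug
""",
    "bounded-caps.service": """[Service]
ExecStart=/usr/bin/example-daemon
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
RestrictRealtime=yes
""",
}

if __name__ == "__main__":
    # Units reported NNP=True are the ones whose SELinux domain transitions
    # depend on the nnp_nosuid_transition capability and permission.
    for name, text in sorted(SAMPLE_UNITS.items()):
        nnp, reasons = nnp_implied(text)
        print("%-30s NNP=%-5s %s" % (name, nnp, ", ".join(reasons)))
```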
Re: [PATCH] Additional tests for long-time supported netlink classes

2017-07-14 Thread Stephen Smalley
On Fri, 2017-07-14 at 12:09 -0400, Milos Malik wrote:
> I'm sorry, I did have a newer kernel (4.*) on my RHEL-7.3 testing
> machine.
> 
> The netlink tests from the selinux-testsuite fail on a freshly
> installed RHEL-7.3 machine (kernel = 3.10.0-514.el7.x86_64).

Ok, so we are seeing consistent results.  I think however that the
tests you are adding would work on RHEL7 (and earlier), unlike the
existing ones, because those classes have been defined for a long time.

>  
> 
> Milos Malik
> 
> - Original Message -
> > On Fri, 2017-07-14 at 03:44 -0400, Milos Malik wrote:
> > > All of the netlink classes currently tested by the selinux-testsuite
> > > + classes tested by the attached patch are supported (at the same
> > > time by the kernel and by the policy) on RHEL-7.3.
> > 
> > Are you sure?  What kernel did you use?  When I tried, they all
> > failed on 7.3, which is why I disabled them in tests/Makefile for
> > RHEL7.
> > 
> > I don't know if we care about distinguishing at the granularity of
> > point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to
> > ensure that the testsuite will pass on the latest release of RHEL7.
> > 
> > > 
> > > Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not
> > > recognize following classes:
> > > netlink_connector_socket, netlink_crypto_socket,
> > > netlink_fib_lookup_socket, netlink_generic_socket,
> > > netlink_iscsi_socket, netlink_netfilter_socket,
> > > netlink_rdma_socket, netlink_scsitransport_socket.
> > > 
> > > Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests
> > > can be safely executed on RHEL-7.3 and higher.
> > > 
> > > You're right about splitting the netlink tests into at least 2
> > > subsets: RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will
> > > take a look at the commits you provided and let you know.
> > > 
> > > Milos Malik
> > > 
> > > - Original Message -
> > > > On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > > > > This patch contains tests for classes which are already
> > > > > supported for a long time but are not tested by the
> > > > > selinux-testsuite yet. These tests involve classes like:
> > > > > netlink_route_socket, netlink_xfrm_socket,
> > > > > netlink_selinux_socket, netlink_audit_socket,
> > > > > netlink_kobject_uevent_socket, netlink_connector_socket,
> > > > > netlink_scsitransport_socket, netlink_fib_lookup_socket.
> > > > 
> > > > These look fine (aside from a whitespace issue which git am
> > > > complained about) and ran successfully for me on Fedora, but I did
> > > > have one question:
> > > > 
> > > > policy/Makefile and tests/Makefile only enable the netlink_socket
> > > > tests if the new netlink socket classes are defined by the base
> > > > policy, and tests/Makefile further excludes them from running on
> > > > RHEL7 because RHEL7.3 back-ported the policy change defining the
> > > > new classes but not the kernel support.  In contrast, the tests you
> > > > are adding could be run on RHEL7 (and earlier).  If we want them to
> > > > be run on RHEL7 or earlier, then you need to split them into their
> > > > own test policy and test case that can be separately enabled, or
> > > > otherwise wrap the current ones to allow use on RHEL7.  You can see
> > > > examples in other test policies and scripts of such conditional
> > > > inclusion of subsets of the tests/policies (e.g. commit
> > > > 32015aad4972321ba23611795b4f0479bf213943 or commit
> > > > b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
> > > > tested on RHEL7 or earlier?
> > > > 
> > > > > 
> > > > > Signed-off-by: Milos Malik 
> > > > > ---
> > > > >  policy/test_netlink_socket.te |  8 
> > > > >  tests/netlink_socket/test | 99
> > > > > ++-
> > > > >  2 files changed, 106 insertions(+), 1 deletion(-)
> > > > > 
> > > > > diff --git a/policy/test_netlink_socket.te
> > > > > b/policy/test_netlink_socket.te
> > > > > index c852c04..aaa6e4d 100644
> > > > > --- a/policy/test_netlink_socket.te
> > > > > +++ b/policy/test_netlink_socket.te
> > > > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket)
> > > > >  netlink_socket_test(netlink_netfilter_socket)
> > > > >  netlink_socket_test(netlink_generic_socket)
> > > > >  netlink_socket_test(netlink_crypto_socket)
> > > > > +netlink_socket_test(netlink_route_socket)
> > > > > +netlink_socket_test(netlink_xfrm_socket)
> > > > > +netlink_socket_test(netlink_selinux_socket)
> > > > > +netlink_socket_test(netlink_audit_socket)
> > > > > +netlink_socket_test(netlink_kobject_uevent_socket)
> > > > > +netlink_socket_test(netlink_connector_socket)
> > > > > +netlink_socket_test(netlink_scsitransport_socket)

Re: [PATCH] Additional tests for long-time supported netlink classes

2017-07-14 Thread Milos Malik
I'm sorry, I did have a newer kernel (4.*) on my RHEL-7.3 testing machine.

The netlink tests from the selinux-testsuite fail on a freshly installed 
RHEL-7.3 machine (kernel = 3.10.0-514.el7.x86_64).

Milos Malik

- Original Message -
> On Fri, 2017-07-14 at 03:44 -0400, Milos Malik wrote:
> > All of the netlink classes currently tested by the selinux-testsuite
> > + classes tested by the attached patch are supported (at the same
> > time by the kernel and by the policy) on RHEL-7.3.
> 
> Are you sure?  What kernel did you use?  When I tried, they all failed
> on 7.3, which is why I disabled them in tests/Makefile for RHEL7.
> 
> I don't know if we care about distinguishing at the granularity of
> point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to
> ensure that the testsuite will pass on the latest release of RHEL7.
> 
> > 
> > Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not
> > recognize following classes:
> > netlink_connector_socket, netlink_crypto_socket,
> > netlink_fib_lookup_socket, netlink_generic_socket,
> > netlink_iscsi_socket, netlink_netfilter_socket,
> > netlink_rdma_socket, netlink_scsitransport_socket.
> > 
> > Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests can
> > be safely executed on RHEL-7.3 and higher.
> > 
> > You're right about splitting the netlink tests into at least 2
> > subsets: RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will
> > take a look at the commits you provided and let you know.
> > 
> > Milos Malik
> > 
> > - Original Message -
> > > On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > > > This patch contains tests for classes which are already supported
> > > > for a long time but are not tested by the selinux-testsuite yet.
> > > > These tests involve classes like: netlink_route_socket,
> > > > netlink_xfrm_socket, netlink_selinux_socket, netlink_audit_socket,
> > > > netlink_kobject_uevent_socket, netlink_connector_socket,
> > > > netlink_scsitransport_socket, netlink_fib_lookup_socket.
> > > 
> > > These look fine (aside from a whitespace issue which git am
> > > complained about) and ran successfully for me on Fedora, but I did
> > > have one question:
> > > 
> > > policy/Makefile and tests/Makefile only enable the netlink_socket
> > > tests if the new netlink socket classes are defined by the base
> > > policy, and tests/Makefile further excludes them from running on
> > > RHEL7 because RHEL7.3 back-ported the policy change defining the new
> > > classes but not the kernel support.  In contrast, the tests you are
> > > adding could be run on RHEL7 (and earlier).  If we want them to be
> > > run on RHEL7 or earlier, then you need to split them into their own
> > > test policy and test case that can be separately enabled, or
> > > otherwise wrap the current ones to allow use on RHEL7.  You can see
> > > examples in other test policies and scripts of such conditional
> > > inclusion of subsets of the tests/policies (e.g. commit
> > > 32015aad4972321ba23611795b4f0479bf213943 or commit
> > > b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
> > > tested on RHEL7 or earlier?
> > > 
> > > > 
> > > > Signed-off-by: Milos Malik 
> > > > ---
> > > >  policy/test_netlink_socket.te |  8 
> > > >  tests/netlink_socket/test | 99
> > > > ++-
> > > >  2 files changed, 106 insertions(+), 1 deletion(-)
> > > > 
> > > > diff --git a/policy/test_netlink_socket.te
> > > > b/policy/test_netlink_socket.te
> > > > index c852c04..aaa6e4d 100644
> > > > --- a/policy/test_netlink_socket.te
> > > > +++ b/policy/test_netlink_socket.te
> > > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket)
> > > >  netlink_socket_test(netlink_netfilter_socket)
> > > >  netlink_socket_test(netlink_generic_socket)
> > > >  netlink_socket_test(netlink_crypto_socket)
> > > > +netlink_socket_test(netlink_route_socket)
> > > > +netlink_socket_test(netlink_xfrm_socket)
> > > > +netlink_socket_test(netlink_selinux_socket)
> > > > +netlink_socket_test(netlink_audit_socket)
> > > > +netlink_socket_test(netlink_kobject_uevent_socket)
> > > > +netlink_socket_test(netlink_connector_socket)
> > > > +netlink_socket_test(netlink_scsitransport_socket)
> > > > +netlink_socket_test(netlink_fib_lookup_socket)
> > > >  
> > > >  #
> > > >  # Common rules for all netlink socket class test domains.
> > > > diff --git a/tests/netlink_socket/test
> > > > b/tests/netlink_socket/test
> > > > index 487edbc..cc8c2d4 100755
> > > > --- a/tests/netlink_socket/test
> > > > +++ b/tests/netlink_socket/test
> > > > @@ -1,7 +1,7 @@
> > > >  #!/usr/bin/perl
> > > >  
> > > >  use Test;
> > > > -BEGIN { plan tests => 8 }
> > > > +BEGIN { plan tests => 24 }
> > > >  
> > > >  $basedir = $0;
> > > >  $basedir =~ s|(.*)/[^/]*|$1|;
> > > > @@ -53,3 +53,100 @@ $result = 

Re: [PATCH] Additional tests for long-time supported netlink classes

2017-07-14 Thread Stephen Smalley
On Fri, 2017-07-14 at 03:44 -0400, Milos Malik wrote:
> All of the netlink classes currently tested by the selinux-testsuite
> + classes tested by the attached patch are supported (at the same time
> by the kernel and by the policy) on RHEL-7.3.

Are you sure?  What kernel did you use?  When I tried, they all failed
on 7.3, which is why I disabled them in tests/Makefile for RHEL7.

I don't know if we care about distinguishing at the granularity of
point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to
ensure that the testsuite will pass on the latest release of RHEL7.

> 
> Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not
> recognize following classes:
> netlink_connector_socket, netlink_crypto_socket,
> netlink_fib_lookup_socket, netlink_generic_socket,
> netlink_iscsi_socket, netlink_netfilter_socket,
> netlink_rdma_socket, netlink_scsitransport_socket.
> 
> Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests can
> be safely executed on RHEL-7.3 and higher.
> 
> You're right about splitting the netlink tests into at least 2
> subsets: RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will
> take a look at the commits you provided and let you know.
> 
> Milos Malik
> 
> - Original Message -
> > On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > > This patch contains tests for classes which are already supported
> > > for a long time but are not tested by the selinux-testsuite yet.
> > > These tests involve classes like: netlink_route_socket,
> > > netlink_xfrm_socket, netlink_selinux_socket, netlink_audit_socket,
> > > netlink_kobject_uevent_socket, netlink_connector_socket,
> > > netlink_scsitransport_socket, netlink_fib_lookup_socket.
> > 
> > These look fine (aside from a whitespace issue which git am
> > complained about) and ran successfully for me on Fedora, but I did
> > have one question:
> > 
> > policy/Makefile and tests/Makefile only enable the netlink_socket
> > tests if the new netlink socket classes are defined by the base
> > policy, and tests/Makefile further excludes them from running on
> > RHEL7 because RHEL7.3 back-ported the policy change defining the new
> > classes but not the kernel support.  In contrast, the tests you are
> > adding could be run on RHEL7 (and earlier).  If we want them to be
> > run on RHEL7 or earlier, then you need to split them into their own
> > test policy and test case that can be separately enabled, or
> > otherwise wrap the current ones to allow use on RHEL7.  You can see
> > examples in other test policies and scripts of such conditional
> > inclusion of subsets of the tests/policies (e.g. commit
> > 32015aad4972321ba23611795b4f0479bf213943 or commit
> > b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
> > tested on RHEL7 or earlier?
> > 
> > > 
> > > Signed-off-by: Milos Malik 
> > > ---
> > >  policy/test_netlink_socket.te |  8 
> > >  tests/netlink_socket/test | 99
> > > ++-
> > >  2 files changed, 106 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/policy/test_netlink_socket.te
> > > b/policy/test_netlink_socket.te
> > > index c852c04..aaa6e4d 100644
> > > --- a/policy/test_netlink_socket.te
> > > +++ b/policy/test_netlink_socket.te
> > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket)
> > >  netlink_socket_test(netlink_netfilter_socket)
> > >  netlink_socket_test(netlink_generic_socket)
> > >  netlink_socket_test(netlink_crypto_socket)
> > > +netlink_socket_test(netlink_route_socket)
> > > +netlink_socket_test(netlink_xfrm_socket)
> > > +netlink_socket_test(netlink_selinux_socket)
> > > +netlink_socket_test(netlink_audit_socket)
> > > +netlink_socket_test(netlink_kobject_uevent_socket)
> > > +netlink_socket_test(netlink_connector_socket)
> > > +netlink_socket_test(netlink_scsitransport_socket)
> > > +netlink_socket_test(netlink_fib_lookup_socket)
> > >  
> > >  #
> > >  # Common rules for all netlink socket class test domains.
> > > diff --git a/tests/netlink_socket/test
> > > b/tests/netlink_socket/test
> > > index 487edbc..cc8c2d4 100755
> > > --- a/tests/netlink_socket/test
> > > +++ b/tests/netlink_socket/test
> > > @@ -1,7 +1,7 @@
> > >  #!/usr/bin/perl
> > >  
> > >  use Test;
> > > -BEGIN { plan tests => 8 }
> > > +BEGIN { plan tests => 24 }
> > >  
> > >  $basedir = $0;
> > >  $basedir =~ s|(.*)/[^/]*|$1|;
> > > @@ -53,3 +53,100 @@ $result = system(
> > >  "runcon -t test_no_netlink_crypto_socket_t --
> > > $basedir/netlinkcreate
> > > crypto 2>&1"
> > >  );
> > >  ok($result);
> > > +
> > > +# Verify that test_netlink_route_socket_t can create a
> > > NETLINK_ROUTE
> > > socket.
> > > +$result = system(
> > > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate
> > > route 2>&1"
> > > +);
> > > +ok( $result, 0 );
> > > +
> > > +# Verify that test_no_netlink_route_socket_t cannot create a
> > > 

Re: [PATCH] Additional tests for long-time supported netlink classes

2017-07-14 Thread Milos Malik
All of the netlink classes currently tested by the selinux-testsuite + classes
tested by the attached patch are supported (at the same time by the kernel
and by the policy) on RHEL-7.3.

Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not recognize
following classes:
netlink_connector_socket, netlink_crypto_socket, netlink_fib_lookup_socket,
netlink_generic_socket, netlink_iscsi_socket, netlink_netfilter_socket,
netlink_rdma_socket, netlink_scsitransport_socket.

Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests can
be safely executed on RHEL-7.3 and higher.

You're right about splitting the netlink tests into at least 2 subsets:
RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will take a look
at the commits you provided and let you know.

Milos Malik

- Original Message -
> On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > This patch contains tests for classes which are already supported for
> > a long time but are not tested by the selinux-testsuite yet. These
> > tests involve classes like: netlink_route_socket, netlink_xfrm_socket,
> > netlink_selinux_socket, netlink_audit_socket,
> > netlink_kobject_uevent_socket, netlink_connector_socket,
> > netlink_scsitransport_socket, netlink_fib_lookup_socket.
> 
> These look fine (aside from a whitespace issue which git am complained
> about) and ran successfully for me on Fedora, but I did have one
> question:
> 
> policy/Makefile and tests/Makefile only enable the netlink_socket tests
> if the new netlink socket classes are defined by the base policy, and
> tests/Makefile further excludes them from running on RHEL7 because
> RHEL7.3 back-ported the policy change defining the new classes but not
> the kernel support.  In contrast, the tests you are adding could be run
> on RHEL7 (and earlier).  If we want them to be run on RHEL7 or earlier,
> then you need to split them into their own test policy and test case
> that can be separately enabled, or otherwise wrap the current ones to
> allow use on RHEL7.  You can see examples in other test policies and
> scripts of such conditional inclusion of subsets of the tests/policies
> (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit
> b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
> tested on RHEL7 or earlier?
> 
> > 
> > Signed-off-by: Milos Malik 
> > ---
> >  policy/test_netlink_socket.te |  8 
> >  tests/netlink_socket/test | 99
> > ++-
> >  2 files changed, 106 insertions(+), 1 deletion(-)
> > 
> > diff --git a/policy/test_netlink_socket.te
> > b/policy/test_netlink_socket.te
> > index c852c04..aaa6e4d 100644
> > --- a/policy/test_netlink_socket.te
> > +++ b/policy/test_netlink_socket.te
> > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket)
> >  netlink_socket_test(netlink_netfilter_socket)
> >  netlink_socket_test(netlink_generic_socket)
> >  netlink_socket_test(netlink_crypto_socket)
> > +netlink_socket_test(netlink_route_socket)
> > +netlink_socket_test(netlink_xfrm_socket)
> > +netlink_socket_test(netlink_selinux_socket)
> > +netlink_socket_test(netlink_audit_socket)
> > +netlink_socket_test(netlink_kobject_uevent_socket)
> > +netlink_socket_test(netlink_connector_socket)
> > +netlink_socket_test(netlink_scsitransport_socket)
> > +netlink_socket_test(netlink_fib_lookup_socket)
> >  
> >  #
> >  # Common rules for all netlink socket class test domains.
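Review bot: the eight new netlink_socket_test() lines are unconditional and live in the same file as the newer classes, so they inherit the base-policy check in policy/Makefile and the RHEL7 exclusion in tests/Makefile that were added for those newer classes; as raised upthread, either move them into a separately enabled test policy or make the file conditional, so that the long-supported classes can be tested on RHEL7 and earlier instead of being skipped together with the ones RHEL7 cannot run.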
> > diff --git a/tests/netlink_socket/test b/tests/netlink_socket/test
> > index 487edbc..cc8c2d4 100755
> > --- a/tests/netlink_socket/test
> > +++ b/tests/netlink_socket/test
> > @@ -1,7 +1,7 @@
> >  #!/usr/bin/perl
> >  
> >  use Test;
> > -BEGIN { plan tests => 8 }
> > +BEGIN { plan tests => 24 }
> >  
> >  $basedir = $0;
> >  $basedir =~ s|(.*)/[^/]*|$1|;
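Review bot: the plan count is consistent with the change: 8 new classes with 2 cases each (create allowed, create denied) is 16 on top of the existing 8. If the classes are later split into conditionally included subsets, a fixed plan of 24 becomes wrong, so the plan should then be computed from the list of classes actually enabled.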
> > @@ -53,3 +53,100 @@ $result = system(
> >  "runcon -t test_no_netlink_crypto_socket_t -- $basedir/netlinkcreate
> > crypto 2>&1"
> >  );
> >  ok($result);
> > +
> > +# Verify that test_netlink_route_socket_t can create a NETLINK_ROUTE
> > socket.
> > +$result = system(
> > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate
> > route 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_route_socket_t cannot create a
> > NETLINK_ROUTE socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_route_socket_t -- $basedir/netlinkcreate
> > route 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_xfrm_socket_t can create a NETLINK_XFRM
> > socket.
> > +$result = system(
> > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate xfrm
> > 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_xfrm_socket_t cannot create a
> > NETLINK_XFRM socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_xfrm_socket_t -- $basedir/netlinkcreate
> > xfrm 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_selinux_socket_t can create a
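Review bot: every added block repeats the same two-case pattern with only the class name changing (positive case ok( $result, 0 ), negative case ok($result), matching the existing crypto cases), so a loop over a list of class names would replace most of the 99 added lines, keep the positive/negative pairing uniform and let the plan count be derived from the list length; while at it, the spacing of ok( $result, 0 ) versus ok($result) should be made consistent.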
> > 

Re: [RFC][PATCH] selinux: Introduce a policy capability and permission for NNP transitions

2017-07-14 Thread Dominick Grift
On Thu, Jul 13, 2017 at 07:55:14PM -0400, Chris PeBenito wrote:
> On 07/13/2017 04:11 PM, Dominick Grift wrote:
> > On Thu, Jul 13, 2017 at 03:59:29PM -0400, Stephen Smalley wrote:
> > > On Thu, 2017-07-13 at 21:43 +0200, Dominick Grift wrote:
> > > > On Thu, Jul 13, 2017 at 09:28:43PM +0200, Dominick Grift wrote:
> > > > > On Thu, Jul 13, 2017 at 03:29:56PM -0400, Stephen Smalley wrote:
> > > > > > On Thu, 2017-07-13 at 20:16 +0200, Dominick Grift wrote:
> > > > > > > On Thu, Jul 13, 2017 at 02:13:40PM -0400, Stephen Smalley wrote:
> > > > > > > > On Thu, 2017-07-13 at 18:55 +0200, Dominick Grift wrote:
> > > > > > > > > On Thu, Jul 13, 2017 at 11:59:55AM -0400, Stephen Smalley wrote:
> > > > > > > > > > On Thu, 2017-07-13 at 11:48 -0400, Stephen Smalley wrote:
> > > > > > > > > > > On Thu, 2017-07-13 at 09:25 -0400, Paul Moore wrote:
> > > > > > > > > > > > On Thu, Jul 13, 2017 at 8:44 AM, Stephen Smalley <...@tycho.nsa.gov> wrote:
> > > > > > > > > > > > > On Wed, 2017-07-12 at 20:27 -0400, Chris PeBenito wrote:
> > > > > > > > > > > > > > On 07/12/2017 05:38 PM, Paul Moore wrote:
> > > > > > > > > > > > > > > On Wed, Jul 12, 2017 at 9:26 AM, Stephen Smalley <...@tycho.nsa.gov> wrote:
> > > > > > > > > > > > > > > > On Tue, 2017-07-11 at 17:00 -0400, Paul Moore wrote:
> > > > > > > > > > > > > > > > > On Mon, Jul 10, 2017 at 4:25 PM, Stephen Smalley <...@tycho.nsa.gov> wrote:
> > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > While I think splitting the NNP/nosuid transition restrictions might
> > > > > > > > > > > > > > > be a good idea under the new policy capability, I'm not sure it is
> > > > > > > > > > > > > > > worth the cost of a "process2" object class.
> > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > With that in mind, let's do two things with this patch:
> > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > * Mention the nosuid restrictions in the patch description.  It
> > > > > > > > > > > > > > > doesn't need much text, but something would be good so we have
> > > > > > > > > > > > > > > documentation in the git log.
> > > > > > > > > > > > > > > 
> > > > > > > > > > > > > > > * Let's pick a new permission name that is not specific to NNP or
> > > > > > > > > > > > > > > nosuid.  IMHO, nnpnosuid_transition is ... less than good.
> > > > > > > > > > > > > > > Unfortunately, I'm not sure I'm much better at picking names; how
> > > > > > > > > > > > > > > about "protected_transition"?  "restricted_transition"?
> > > > > > > > > > > > > > > "enable_transition"?  "override_transition"?
> > > > > > > > > > > > > > 
> > > > > > > > > > > > > > I vote for nnp_transition anyway.  "No New Privileges" encompasses
> > > > > > > > > > > > > > nosuid in my mind.  If the two perms had been separated I would have
> > > > > > > > > > > > > > been inclined to allow both every time one of them was needed, to
> > > > > > > > > > > > > > make sure no one was surprised by the behavior difference.
> > > > > > > > > > > > > 
> > > > > > > > > > > > > I agree; I'll keep it as nnp_transition and just document it in the
> > > > > > > > > > > > > patch description.
> > > > > > > > > > > > 
> > > > > > > > > > >