Re: [PATCH v1 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Daniel Jurgens
On 5/25/2017 3:04 PM, Stephen Smalley wrote:
> On Wed, 2017-05-24 at 17:18 +0300, Dan Jurgens wrote:
>> From: Daniel Jurgens 
>>
>>
>> +allow test_ibendport_manage_subnet_t bin_t:file entrypoint;
>> +allow test_ibendport_manage_subnet_t bin_t:file execute;
> Just use:
> corecmd_bin_entry_type(test_ibendport_manage_subnet_t)

Done

>
>> +allow test_ibendport_manage_subnet_t
>> infiniband_mgmt_device_t:chr_file { read write open ioctl};
>> +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
> This interface needs to be wrapped with an ifdef if this file is not
> excluded when refpolicy lacks the necessary definitions.

Done

>> +
>> +allow test_ibendport_manage_subnet_t
>> test_ibendport_t:infiniband_endport manage_subnet;
> This needs to be conditional on the definition of this class.  You
> could either omit the .te file altogether in the Makefile if not
> defined, as we do for e.g. cap_userns, icmp_socket, etc, or you need to
>  wrap it conditionally as we do for e.g. map permission.

Excluded building the .te file if the class is not defined.

>
>> +@SUBDIRS="$(SUBDIRS) $(SUBDIRS_NO_MAKE)"
>> PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl
> This works, but elsewhere we've always just put a trivial Makefile with
> empty all: and clean: targets in it, e.g. entrypoint/Makefile.  No big
> deal either way.

Switched to a stub makefile.


Re: [PATCH v1 2/2] selinux-testsuite: Infiniband endport tests

2017-05-25 Thread Paul Moore
On Thu, May 25, 2017 at 4:08 PM, Stephen Smalley  wrote:
> On Wed, 2017-05-24 at 17:18 +0300, Dan Jurgens wrote:
>> From: Daniel Jurgens 
>>
>> New tests for Infiniband endports. Most users do not have infiniband
>> hardware, and if they do the device names can vary.  There is a
>> configuration file for enabling the tests and setting environment
>> specific configurations.  If the tests are disabled they always show
>> as
>> passed.
>>
>> A special test application was unnecessary; a standard diagnostic
>> application is used instead.  This required a change to the Makefile
>> to avoid trying to build an application in the new subdir.
>>
>> Signed-off-by: Daniel Jurgens 

...

>> +
>> +# Allow all of these domains to be entered from the sysadm domain.
>> +miscfiles_domain_entry_test_files(ibendportdomain)
>> +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
>> diff --git a/tests/Makefile b/tests/Makefile
>> index 7dfe2a8..63e6f57 100644
>> --- a/tests/Makefile
>> +++ b/tests/Makefile
>> @@ -12,6 +12,8 @@ SUBDIRS:= domain_trans entrypoint execshare
>> exectrace execute_no_trans \
>>   capable_sys dyntrans dyntrace bounds nnp mmap unix_socket
>> inet_socket \
>>   overlay checkreqprot mqueue mac_admin infiniband_pkey
>>
>> +SUBDIRS_NO_MAKE:= infiniband_endport
>> +
>>  ifeq ($(shell grep -q cap_userns
>> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>>  ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
>>  SUBDIRS += cap_userns
>> @@ -56,7 +58,7 @@ all:
>>
>>  test: all
>>   chcon -R -t test_file_t .
>> - @SUBDIRS="$(SUBDIRS)" PATH=/usr/bin:/bin:/usr/sbin:/sbin
>> ./runtests.pl
>> + @SUBDIRS="$(SUBDIRS) $(SUBDIRS_NO_MAKE)"
>> PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl
>
> This works, but elsewhere we've always just put a trivial Makefile with
> empty all: and clean: targets in it, e.g. entrypoint/Makefile.  No big
> deal either way.

Since it looks like this needs a respin anyway to fix other issues,
I'd probably prefer the entrypoint/Makefile approach for the sake of
consistency.

-- 
paul moore
www.paul-moore.com


[PATCH v1 2/2] selinux-testsuite: Infiniband endport tests

2017-05-24 Thread Dan Jurgens
From: Daniel Jurgens 

New tests for Infiniband endports. Most users do not have infiniband
hardware, and if they do the device names can vary.  There is a
configuration file for enabling the tests and setting environment
specific configurations.  If the tests are disabled they always show as
passed.

A special test application was unnecessary; a standard diagnostic
application is used instead.  This required a change to the Makefile
to avoid trying to build an application in the new subdir.

Signed-off-by: Daniel Jurgens 

---
v1:
- Synchronize interface names with refpolicy changes.
- Allowed access to unlabeled pkeys vs. the default pkey; the default pkey is
no longer labeled in the refpolicy.
---
 README   |  7 +++-
 policy/Makefile  |  2 +-
 policy/test_ibendport.te | 35 
 tests/Makefile   |  4 ++-
 tests/infiniband_endport/ibendport_test.conf | 14 
 tests/infiniband_endport/test| 49 
 6 files changed, 108 insertions(+), 3 deletions(-)
 create mode 100644 policy/test_ibendport.te
 create mode 100644 tests/infiniband_endport/ibendport_test.conf
 create mode 100644 tests/infiniband_endport/test

diff --git a/README b/README
index b64e2de..8e1b391 100644
--- a/README
+++ b/README
@@ -200,7 +200,12 @@ INFINIBAND TESTS
 
 Because running Infiniband tests requires specialized hardware you must
 set up a configuration file for these tests. The tests are disabled by
-default.  See comments in the configuration file for info.
+default.  See comments in the configuration file for info. The endport
+tests use smpquery, for Fedora it's provided by the infiniband-diags
+package.
 
 Infiniband PKey test conf file:
 tests/infiniband_pkey/ibpkey_test.conf
+
+Infiniband Endport test conf file:
+tests/infiniband_endport/ibendport_test.conf
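Review bot: the added sentence `+tests use smpquery, for Fedora it's provided by the infiniband-diags` is a comma splice; suggest "The endport tests use smpquery; on Fedora it is provided by the infiniband-diags package." It would also help to say that smpquery has to be reachable from the PATH that tests/Makefile sets for runtests.pl (/usr/bin:/bin:/usr/sbin:/sbin), since the test runs under that PATH rather than the user's shell environment.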
diff --git a/policy/Makefile b/policy/Makefile
index 46c9fb5..694836b 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -23,7 +23,7 @@ TARGETS = \
test_task_getsid.te test_task_setpgid.te test_task_setsched.te \
test_transition.te test_inet_socket.te test_unix_socket.te \
test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \
-   test_ibpkey.te
+   test_ibpkey.te test_ibendport.te
 
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te
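Review bot: `+   test_ibpkey.te test_ibendport.te` adds the new module to TARGETS unconditionally, but test_ibendport.te uses the infiniband_endport class and corenet_ib_access_unlabeled_pkeys(), so the policy build fails on a refpolicy that lacks those definitions. Gate it the way the context lines gate test_bounds.te (`ifeq (...) ... TARGETS += test_bounds.te`), for example with the same all_perms.spt grep that tests/Makefile already uses for cap_userns.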
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
new file mode 100644
index 000..8387432
--- /dev/null
+++ b/policy/test_ibendport.te
@@ -0,0 +1,35 @@
+#
+#
+# Policy for testing Infiniband Pkey access.
+#
+
+gen_require(`
+   type bin_t;
+   type infiniband_mgmt_device_t;
+')
+
+attribute ibendportdomain;
+
+# Domain for process.
+type test_ibendport_manage_subnet_t;
+domain_type(test_ibendport_manage_subnet_t)
+unconfined_runs_test(test_ibendport_manage_subnet_t)
+typeattribute test_ibendport_manage_subnet_t testdomain;
+typeattribute test_ibendport_manage_subnet_t ibendportdomain;
+
+type test_ibendport_t;
+corenet_ib_endport(test_ibendport_t)
+
+dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
+dev_rw_sysfs(test_ibendport_manage_subnet_t)
+
+allow test_ibendport_manage_subnet_t bin_t:file entrypoint;
+allow test_ibendport_manage_subnet_t bin_t:file execute;
+allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read 
write open ioctl};
+corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
+
+allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport 
manage_subnet;
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(ibendportdomain)
+userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
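Review bot: the `test_ibendport_t:infiniband_endport manage_subnet` rule and the corenet_ib_access_unlabeled_pkeys() call will not compile against a refpolicy without the infiniband_endport class or that interface; either exclude the whole file from the build when the class is undefined, or wrap those lines conditionally as the suite does for the map permission. Two smaller points: the header comment `# Policy for testing Infiniband Pkey access.` is carried over from the pkey policy and should say endport access, and the two `bin_t:file entrypoint` / `bin_t:file execute` rules are exactly what corecmd_bin_entry_type(test_ibendport_manage_subnet_t) provides.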
diff --git a/tests/Makefile b/tests/Makefile
index 7dfe2a8..63e6f57 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -12,6 +12,8 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace 
execute_no_trans \
capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \
overlay checkreqprot mqueue mac_admin infiniband_pkey
 
+SUBDIRS_NO_MAKE:= infiniband_endport
+
 ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && 
echo true),true)
 ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
 SUBDIRS += cap_userns
@@ -56,7 +58,7 @@ all:
 
 test: all
chcon -R -t test_file_t .
-   @SUBDIRS="$(SUBDIRS)" PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl
+   @SUBDIRS="$(SUBDIRS) $(SUBDIRS_NO_MAKE)" 
PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl
 
 clean:
@for subdir in $(SUBDIRS); do \
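Review bot: `+   @SUBDIRS="$(SUBDIRS) $(SUBDIRS_NO_MAKE)"` introduces a second subdir list only to skip the per-directory make, while the `clean:` target in the trailing context still loops over $(SUBDIRS) alone. A stub tests/infiniband_endport/Makefile with empty all: and clean: targets, as entrypoint/ already has, keeps infiniband_endport in SUBDIRS and removes the special case from both targets.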
diff --git a/tests/infiniband_endport/ibendport_test.conf 
b/tests/infiniband_endport/ibendport_test.conf
new file mode 100644
index 000..601b290
--- /dev/null
+++ b/tests/infiniband_endport/ibendport_test.conf
@@ -0,0 +1,14 @@
+# Enable(1)/Disable