Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On Fri, Jun 9, 2017 at 4:23 PM, Daniel Jurgens wrote:
> On 6/9/2017 3:01 PM, Paul Moore wrote:
>> On Fri, Jun 9, 2017 at 10:59 AM, Daniel Jurgens wrote:
>>
>> Should be all set now, let me know if you notice any problems. I did
>> add a separate third commit to munge the style/formatting (see
>> previous emails); I didn't bother posting it to the list as it is just
>> style changes, but in case anyone is curious, this is the commit:
>>
>> commit 8e0339cef20d0356d3e115c31a133662e9562e65
>> Author: Paul Moore
>> Date: Fri Jun 9 15:46:37 2017 -0400
>>
>>     infiniband: apply style corrections to the infiniband tests
>>
>>     Patch generated by './tools/check-syntax -f'.
>>
>>     Signed-off-by: Paul Moore
>>
>>> I recall you saying you do most of your testing in VMs on a laptop. But if
>>> you have a system with a free pci-e slot we can ship you an HCA if you'd
>>> like to be able to run these yourself.
>>
>> Thank you for the offer, and yes I generally run the tests in a VM,
>> however we've been working on getting something a bit more automated
>> in place for upstream testing (more info on that once everything is
>> sorted out).
>>
>> Let me think about this a bit (and dust off my somewhat neglected
>> testing hardware), I generally try to avoid getting tied to specific
>> hardware, but it is necessary in this case, and I fear that this may
>> be the easiest way to ensure it gets tested regularly.
>
> OK, just let me know if you want one. Once the feature works its way back
> to mainstream kernel I'll add the tests to our automated regressions too.
> Thanks for all your help getting this whole thing through review!

FWIW, this was in the pull request I sent up to James, you should see it
arrive in Linus' tree during the upcoming merge window.

> How often does the fedora-selinux project switch the base refpolicy? It needs
> additions to the unconfined user role to allow access.

My apologies, I just realized I never answered this last question about Fedora ...
the answer is the usual "it depends". I've added Lukas Vrabec to this email
as he is in charge of the Fedora SELinux policy.

-- 
paul moore
www.paul-moore.com
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On 6/9/2017 3:01 PM, Paul Moore wrote:
> On Fri, Jun 9, 2017 at 10:59 AM, Daniel Jurgens wrote:
>
> Should be all set now, let me know if you notice any problems. I did
> add a separate third commit to munge the style/formatting (see
> previous emails); I didn't bother posting it to the list as it is just
> style changes, but in case anyone is curious, this is the commit:
>
> commit 8e0339cef20d0356d3e115c31a133662e9562e65
> Author: Paul Moore
> Date: Fri Jun 9 15:46:37 2017 -0400
>
>     infiniband: apply style corrections to the infiniband tests
>
>     Patch generated by './tools/check-syntax -f'.
>
>     Signed-off-by: Paul Moore
>
>> I recall you saying you do most of your testing in VMs on a laptop. But if
>> you have a system with a free pci-e slot we can ship you an HCA if you'd
>> like to be able to run these yourself.
>
> Thank you for the offer, and yes I generally run the tests in a VM,
> however we've been working on getting something a bit more automated
> in place for upstream testing (more info on that once everything is
> sorted out).
>
> Let me think about this a bit (and dust off my somewhat neglected
> testing hardware), I generally try to avoid getting tied to specific
> hardware, but it is necessary in this case, and I fear that this may
> be the easiest way to ensure it gets tested regularly.

OK, just let me know if you want one. Once the feature works its way back
to mainstream kernel I'll add the tests to our automated regressions too.
Thanks for all your help getting this whole thing through review!

How often does the fedora-selinux project switch the base refpolicy? It needs
additions to the unconfined user role to allow access.
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On Fri, Jun 9, 2017 at 10:59 AM, Daniel Jurgens wrote:
> On 6/9/2017 9:50 AM, Paul Moore wrote:
>> On Fri, Jun 9, 2017 at 10:44 AM, Daniel Jurgens wrote:
>>> On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
On 6/5/2017 5:13 PM, Paul Moore wrote:
> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley wrote:
>> On Tue, 2017-05-30 at 17:40, Daniel Jurgens wrote:
>>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> New tests for Infiniband endports. Most users do not have infiniband
> hardware, and if they do the device names can vary. There is a
> configuration file for enabling the tests and setting environment
> specific configurations. If the tests are disabled they always show as
> passed.
>
> A special test application was unnecessary, a standard diagnostic
> application is used instead. This required a change to the make file
> to avoid trying to build an application in the new subdir.
>
> Signed-off-by: Daniel Jurgens
> ...
>
>> I wouldn't bother re-spinning unless Paul has other comments.
> Nothing worthy of a respin.
>
> Daniel, have you run these tests against the kernel, userspace, and
> policy code that has been merged? It would be nice to have a sanity
> check that something didn't break while we were merging everything.
>
> [SIDE NOTE: This afternoon I noticed what I think may be a problem
> with my COPR kernel builds that affects the test suite, so YMMV at the
> moment.]
>
I ran them against the merged kernel and selinux code. But I used the same
policy RPMs that I had been using, I didn't try to rebuild the RPMs against
the new refpolicy.
>>> Are these tests good to go? I haven't gotten any additional comments since
>>> v2.
>> Yes, my apologies for not getting back to you sooner; I had hoped to
>> talk to some of the IB folks at Red Hat to see if they could verify
>> everything (or at least get access to an IB system so I could verify
>> it) but I got wrapped in a few audit issues this week and didn't get
>> to it.
>>
>> I'll merge these patches later this afternoon.
>>
> No problem, just wanted to make sure I wasn't holding it up in any way.

Should be all set now, let me know if you notice any problems. I did
add a separate third commit to munge the style/formatting (see
previous emails); I didn't bother posting it to the list as it is just
style changes, but in case anyone is curious, this is the commit:

commit 8e0339cef20d0356d3e115c31a133662e9562e65
Author: Paul Moore
Date: Fri Jun 9 15:46:37 2017 -0400

    infiniband: apply style corrections to the infiniband tests

    Patch generated by './tools/check-syntax -f'.

    Signed-off-by: Paul Moore

> I recall you saying you do most of your testing in VMs on a laptop. But if
> you have a system with a free pci-e slot we can ship you an HCA if you'd like
> to be able to run these yourself.

Thank you for the offer, and yes I generally run the tests in a VM,
however we've been working on getting something a bit more automated
in place for upstream testing (more info on that once everything is
sorted out).

Let me think about this a bit (and dust off my somewhat neglected
testing hardware), I generally try to avoid getting tied to specific
hardware, but it is necessary in this case, and I fear that this may
be the easiest way to ensure it gets tested regularly.

-- 
paul moore
www.paul-moore.com
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On 6/9/2017 9:50 AM, Paul Moore wrote:
> On Fri, Jun 9, 2017 at 10:44 AM, Daniel Jurgens wrote:
>> On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
>>> On 6/5/2017 5:13 PM, Paul Moore wrote:
On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley wrote:
> On Tue, 2017-05-30 at 17:40, Daniel Jurgens wrote:
>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
From: Daniel Jurgens

New tests for Infiniband endports. Most users do not have infiniband
hardware, and if they do the device names can vary. There is a
configuration file for enabling the tests and setting environment
specific configurations. If the tests are disabled they always show as
passed.

A special test application was unnecessary, a standard diagnostic
application is used instead. This required a change to the make file
to avoid trying to build an application in the new subdir.

Signed-off-by: Daniel Jurgens
...

> I wouldn't bother re-spinning unless Paul has other comments.
Nothing worthy of a respin.

Daniel, have you run these tests against the kernel, userspace, and
policy code that has been merged? It would be nice to have a sanity
check that something didn't break while we were merging everything.

[SIDE NOTE: This afternoon I noticed what I think may be a problem
with my COPR kernel builds that affects the test suite, so YMMV at the
moment.]
>>> I ran them against the merged kernel and selinux code. But I used the same
>>> policy RPMs that I had been using, I didn't try to rebuild the RPMs against
>>> the new refpolicy.
>>>
>> Are these tests good to go? I haven't gotten any additional comments since
>> v2.
> Yes, my apologies for not getting back to you sooner; I had hoped to
> talk to some of the IB folks at Red Hat to see if they could verify
> everything (or at least get access to an IB system so I could verify
> it) but I got wrapped in a few audit issues this week and didn't get
> to it.
>
> I'll merge these patches later this afternoon.
>
No problem, just wanted to make sure I wasn't holding it up in any way.

I recall you saying you do most of your testing in VMs on a laptop. But if
you have a system with a free pci-e slot we can ship you an HCA if you'd like
to be able to run these yourself.
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On Fri, Jun 9, 2017 at 10:44 AM, Daniel Jurgens wrote:
> On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
>> On 6/5/2017 5:13 PM, Paul Moore wrote:
>>> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley wrote:
On Tue, 2017-05-30 at 17:40, Daniel Jurgens wrote:
> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>>> From: Daniel Jurgens
>>>
>>> New tests for Infiniband endports. Most users do not have infiniband
>>> hardware, and if they do the device names can vary. There is a
>>> configuration file for enabling the tests and setting environment
>>> specific configurations. If the tests are disabled they always show as
>>> passed.
>>>
>>> A special test application was unnecessary, a standard diagnostic
>>> application is used instead. This required a change to the make file
>>> to avoid trying to build an application in the new subdir.
>>>
>>> Signed-off-by: Daniel Jurgens
>>> ...
>>> I wouldn't bother re-spinning unless Paul has other comments.
>>> Nothing worthy of a respin.
>>>
>>> Daniel, have you run these tests against the kernel, userspace, and
>>> policy code that has been merged? It would be nice to have a sanity
>>> check that something didn't break while we were merging everything.
>>>
>>> [SIDE NOTE: This afternoon I noticed what I think may be a problem
>>> with my COPR kernel builds that affects the test suite, so YMMV at the
>>> moment.]
>>>
>> I ran them against the merged kernel and selinux code. But I used the same
>> policy RPMs that I had been using, I didn't try to rebuild the RPMs against
>> the new refpolicy.
>>
> Are these tests good to go? I haven't gotten any additional comments since v2.

Yes, my apologies for not getting back to you sooner; I had hoped to
talk to some of the IB folks at Red Hat to see if they could verify
everything (or at least get access to an IB system so I could verify
it) but I got wrapped in a few audit issues this week and didn't get
to it.

I'll merge these patches later this afternoon.

-- 
paul moore
www.paul-moore.com
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
> On 6/5/2017 5:13 PM, Paul Moore wrote:
>> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley wrote:
>>> On Tue, 2017-05-30 at 17:40, Daniel Jurgens wrote:
On 5/30/2017 12:05 PM, Stephen Smalley wrote:
> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>> From: Daniel Jurgens
>>
>> New tests for Infiniband endports. Most users do not have infiniband
>> hardware, and if they do the device names can vary. There is a
>> configuration file for enabling the tests and setting environment
>> specific configurations. If the tests are disabled they always show as
>> passed.
>>
>> A special test application was unnecessary, a standard diagnostic
>> application is used instead. This required a change to the make file
>> to avoid trying to build an application in the new subdir.
>>
>> Signed-off-by: Daniel Jurgens
>> ...
>>
>>> I wouldn't bother re-spinning unless Paul has other comments.
>> Nothing worthy of a respin.
>>
>> Daniel, have you run these tests against the kernel, userspace, and
>> policy code that has been merged? It would be nice to have a sanity
>> check that something didn't break while we were merging everything.
>>
>> [SIDE NOTE: This afternoon I noticed what I think may be a problem
>> with my COPR kernel builds that affects the test suite, so YMMV at the
>> moment.]
>>
> I ran them against the merged kernel and selinux code. But I used the same
> policy RPMs that I had been using, I didn't try to rebuild the RPMs against
> the new refpolicy.
>
Are these tests good to go? I haven't gotten any additional comments since v2.
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On 6/5/2017 5:13 PM, Paul Moore wrote:
> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley wrote:
>> On Tue, 2017-05-30 at 17:40, Daniel Jurgens wrote:
>>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> New tests for Infiniband endports. Most users do not have infiniband
> hardware, and if they do the device names can vary. There is a
> configuration file for enabling the tests and setting environment
> specific configurations. If the tests are disabled they always show as
> passed.
>
> A special test application was unnecessary, a standard diagnostic
> application is used instead. This required a change to the make file
> to avoid trying to build an application in the new subdir.
>
> Signed-off-by: Daniel Jurgens
> ...
>
>> I wouldn't bother re-spinning unless Paul has other comments.
> Nothing worthy of a respin.
>
> Daniel, have you run these tests against the kernel, userspace, and
> policy code that has been merged? It would be nice to have a sanity
> check that something didn't break while we were merging everything.
>
> [SIDE NOTE: This afternoon I noticed what I think may be a problem
> with my COPR kernel builds that affects the test suite, so YMMV at the
> moment.]
>
I ran them against the merged kernel and selinux code. But I used the same
policy RPMs that I had been using, I didn't try to rebuild the RPMs against
the new refpolicy.
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On 5/30/2017 12:48 PM, Stephen Smalley wrote:
> On Tue, 2017-05-30 at 17:40, Daniel Jurgens wrote:
>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
From: Daniel Jurgens

diff --git a/tests/infiniband_pkey/test b/tests/infiniband_pkey/test
old mode 100644
new mode 100755
>>> Not a big deal, but it seems odd that this mode change wasn't just
>>> squashed into the first patch.
>>>
>>> Otherwise, it looks ok to me, but I don't have hardware to test it on.
>>> Did you confirm that when you run the tests, you get the expected avc
>>> denials in the audit logs? Also, did you confirm that if you manually
>>> run the tests in permissive mode, that the tests you expect to fail do
>>> so (and the rest do not)?
>>>
>>>
>> I'm not sure what happened with the mode there. I didn't change it
>> manually. I can clean it up if you want.
> Looks like tests/Makefile does a chmod +x */test.
> I wouldn't bother re-spinning unless Paul has other comments.
>
>> Regarding testing the test. Yes, I did make sure they fail as
>> expected when in permissive mode. Also I changed settings in the
>> configuration files to make sure all cases fail when they should
>> where that was possible.
> And avc: denied messages are as expected?
>
Yes, here's a sample:

type=AVC msg=audit(1496161222.307:1584): avc: denied { manage_subnet } for pid=21976 comm="smpquery" device=mlx5_2 port_num=1 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=0
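The two checks Stephen asks for above (the expected avc: denied records show up in the audit log, and the tests that should fail do fail in permissive mode) are easy to get wrong by eyeballing ausearch output, because a denial with permissive=1 looks almost identical to one that was actually enforced. The following is an added example, not code from this thread or from selinux-testsuite (whose test scripts are Perl): a small Python checker that parses AVC records and classifies what the log says about one expected denial. The first sample line is the denial Daniel quoted; the SYSCALL record and the permissive=1 record are constructed here so that both failure modes are exercised.

```python
"""Check an audit log for the AVC denials an SELinux test case expects."""
import re
from dataclasses import dataclass, field

# Constructed sample input. The first record reproduces the denial quoted in
# the thread; the SYSCALL record and the permissive=1 record are constructed
# here to show the two cases the checker has to tell apart.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1496161222.307:1584): avc:  denied  { manage_subnet } for  pid=21976 comm="smpquery" device=mlx5_2 port_num=1 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=0
type=SYSCALL msg=audit(1496161222.307:1584): arch=c000003e syscall=16 success=no exit=-13 comm="smpquery"
type=AVC msg=audit(1496161300.101:1590): avc:  denied  { manage_subnet } for  pid=22010 comm="smpquery" device=mlx5_2 port_num=1 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=1
"""

# Tolerates both the double spaces auditd writes and the collapsed single
# spaces of a copy-pasted record.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    ts: float
    serial: int
    verdict: str
    perms: frozenset
    fields: dict = field(default_factory=dict)

    @property
    def source_type(self):
        # scontext is user:role:type[:range]; the type is what a test keys on.
        return self.fields["scontext"].split(":")[2]

    @property
    def enforced(self):
        # permissive=1 means the denial was logged but the access went through.
        return self.fields.get("permissive") == "0"


def parse_avc(lines):
    """Keep only AVC records; SYSCALL, PATH and other record types are skipped."""
    records = []
    for line in lines:
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append(AvcRecord(float(m.group("ts")), int(m.group("serial")),
                                 m.group("verdict"),
                                 frozenset(m.group("perms").split()), fields))
    return records


def check_expected_denial(records, stype, tclass, perm):
    """Classify what the log says about one expected denial.

    'enforced'   - a matching denial with permissive=0 was logged, so the
                   access really was blocked (what an enforcing-mode test expects).
    'permissive' - only permissive=1 denials matched: logged but not blocked,
                   so a test that expects the operation to fail will itself fail.
    'missing'    - no matching denial at all.
    """
    matches = [r for r in records
               if r.verdict == "denied" and perm in r.perms
               and r.fields.get("tclass") == tclass
               and "scontext" in r.fields and r.source_type == stype]
    if any(r.enforced for r in matches):
        return "enforced"
    return "permissive" if matches else "missing"


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT.splitlines())
    for r in recs:
        print(r.serial, r.fields["comm"], r.fields["device"], r.fields["port_num"],
              sorted(r.perms), "enforced" if r.enforced else "permissive")
    print(check_expected_denial(recs, "test_ibendport_manage_subnet_t",
                                "infiniband_endport", "manage_subnet"))
```

Feed it the output of `ausearch -m AVC -ts recent` (or the raw audit.log) after a test run; a result of "permissive" for a test that is supposed to observe a denial is exactly the case Stephen's second question is about, and "missing" usually means the endport was not labeled the way the configuration file assumes.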
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On Tue, 2017-05-30 at 17:40, Daniel Jurgens wrote:
> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
> > On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> > > From: Daniel Jurgens
> > >
> > > New tests for Infiniband endports. Most users do not have infiniband
> > > hardware, and if they do the device names can vary. There is a
> > > configuration file for enabling the tests and setting environment
> > > specific configurations. If the tests are disabled they always show as
> > > passed.
> > >
> > > A special test application was unnecessary, a standard diagnostic
> > > application is used instead. This required a change to the make file
> > > to avoid trying to build an application in the new subdir.
> > > > > > Signed-off-by: Daniel Jurgens > > > > > > --- > > > v1: > > > - Synchronize interface names with refpolicy changes. > > > - Allowed access to unlabeled pkeys vs default pkey, default pkey > > > is > > > no > > > longer labeled in the refpolicy. > > > > > > v2: > > > Stephen Smalley: > > > - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive. > > > - Use ifdefs around corenet_ib* interfaces. > > > - Only build the test_ibpendport.te file if the > > > infiniband_endport > > > class > > > is available. > > > - use corecmd_bin_entry_type intefrace instead of allow ... > > > bin_t: > > > --- > > > README | 7 +++- > > > policy/Makefile | 4 +++ > > > policy/test_ibendport.te | 40 > > > +++ > > > tests/Makefile | 2 +- > > > tests/infiniband_endport/Makefile| 2 ++ > > > tests/infiniband_endport/ibendport_test.conf | 14 > > > tests/infiniband_endport/test| 49 > > > > > > tests/infiniband_pkey/test | 0 > > > 8 files changed, 116 insertions(+), 2 deletions(-) > > > create mode 100644 policy/test_ibendport.te > > > create mode 100644 tests/infiniband_endport/Makefile > > > create mode 100644 tests/infiniband_endport/ibendport_test.conf > > > create mode 100755 tests/infiniband_endport/test > > > mode change 100644 => 100755 tests/infiniband_pkey/test > > > > > > diff --git a/README b/README > > > index a4c8ebb..de50eb4 100644 > > > --- a/README > > > +++ b/README 
> > > @@ -201,7 +201,12 @@ INFINIBAND TESTS > > > > > > Because running Infiniband tests requires specialized hardware > > > you > > > must > > > set up a configuration file for these tests. The tests are > > > disabled > > > by > > > -default. See comments in the configuration file for info. > > > +default. See comments in the configuration file for info. The > > > endport > > > +tests use smpquery, for Fedora it's provided by the infiniband- > > > diags > > > +package. > > > > > > Infiniband PKey test conf file: > > > tests/infiniband_pkey/ibpkey_test.conf > > > + > > > +Infiniband Endport test conf file: > > > +tests/infiniband_endport/ibendport_test.conf > > > diff --git a/policy/Makefile b/policy/Makefile > > > index 46c9fb5..c062009 100644 > > > --- a/policy/Makefile > > > +++ b/policy/Makefile > > > @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit > > > $(POLDEV)/include/support/all_perms.spt && echo > > > TARGETS += test_prlimit.te > > > endif > > > > > > +ifeq ($(shell grep -q infiniband_endport > > > $(POLDEV)/include/support/all_perms.spt && echo true),true) > > > +TARGETS += test_ibendport.te > > > +endif > > > + > > > ifeq ($(shell grep -q all_file_perms.*map > > > $(POLDEV)/include/support/all_perms.spt && echo true),true) > > > export M4PARAM = -Dmap_permission_defined > > > endif > > > diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te > > > new file mode 100644 > > > index 000..2a02c57 > > > --- /dev/null > > > +++ b/policy/test_ibendport.te 
> > > @@ -0,0 +1,40 @@ > > > +# > > > +# > > > +# Policy for testing Infiniband Pkey access. > > > +# > > > + > > > +gen_require(` > > > + type bin_t; > > > + type infiniband_mgmt_device_t; > > > +') > > > + > > > +attribute ibendportdomain; > > > + > > > +# Domain for process. > > > +type test_ibendport_manage_subnet_t; > > > +domain_type(test_ibendport_manage_subnet_t) > > > +unconfined_runs_test(test_ibendport_manage_subnet_t) > > > +typeattribute test_ibendport_manage_subnet_t testdomain; > > > +typeattribute test_ibendport_manage_subnet_t ibendportdomain; > > > + > > > +type test_ibendport_t; > > > +ifdef(`corenet_ib_endport',` > > > +corenet_ib_endport(test_ibendport_t) > > > +') > > > + > > > +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t) > > > +dev_rw_sysfs(test_ibendport_manage_subnet_t) > > > + > > > +corecmd_bin_entry_type(test_ibendport_manage_subnet_t) > > > + > > > +allow test_ibendport_manage_subnet_t > > > infiniband_mgmt_device_t:chr_file { read write open
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On 5/30/2017 12:05 PM, Stephen Smalley wrote:
> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>> From: Daniel Jurgens
>>
>> New tests for Infiniband endports. Most users do not have infiniband
>> hardware, and if they do the device names can vary. There is a
>> configuration file for enabling the tests and setting environment
>> specific configurations. If the tests are disabled they always show as
>> passed.
>>
>> A special test application was unnecessary, a standard diagnostic
>> application is used instead. This required a change to the make file
>> to avoid trying to build an application in the new subdir.
>>
>> Signed-off-by: Daniel Jurgens
>>
>> ---
>> v1:
>> - Synchronize interface names with refpolicy changes.
>> - Allowed access to unlabeled pkeys vs default pkey, default pkey is no
>>   longer labeled in the refpolicy.
>>
>> v2:
>> Stephen Smalley:
>> - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
>> - Use ifdefs around corenet_ib* interfaces.
>> - Only build the test_ibpendport.te file if the infiniband_endport class
>>   is available.
>> - use corecmd_bin_entry_type interface instead of allow ... bin_t:
>> ---
>> README | 7 +++-
>> policy/Makefile | 4 +++
>> policy/test_ibendport.te | 40 +++
>> tests/Makefile | 2 +-
>> tests/infiniband_endport/Makefile| 2 ++
>> tests/infiniband_endport/ibendport_test.conf | 14
>> tests/infiniband_endport/test| 49
>> tests/infiniband_pkey/test | 0
>> 8 files changed, 116 insertions(+), 2 deletions(-)
>> create mode 100644 policy/test_ibendport.te
>> create mode 100644 tests/infiniband_endport/Makefile
>> create mode 100644 tests/infiniband_endport/ibendport_test.conf
>> create mode 100755 tests/infiniband_endport/test
>> mode change 100644 => 100755 tests/infiniband_pkey/test
>>
>> diff --git a/README b/README
>> index a4c8ebb..de50eb4 100644
>> --- a/README
>> +++ b/README
>> @@ -201,7 +201,12 @@ INFINIBAND TESTS >> >> Because running Infiniband tests requires specialized hardware you >> must >> set up a configuration file for these tests. The tests are disabled >> by >> -default. See comments in the configuration file for info. >> +default. See comments in the configuration file for info. The >> endport >> +tests use smpquery, for Fedora it's provided by the infiniband-diags >> +package. >> >> Infiniband PKey test conf file: >> tests/infiniband_pkey/ibpkey_test.conf >> + >> +Infiniband Endport test conf file: >> +tests/infiniband_endport/ibendport_test.conf >> diff --git a/policy/Makefile b/policy/Makefile >> index 46c9fb5..c062009 100644 >> --- a/policy/Makefile >> +++ b/policy/Makefile >> @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit >> $(POLDEV)/include/support/all_perms.spt && echo >> TARGETS += test_prlimit.te >> endif >> >> +ifeq ($(shell grep -q infiniband_endport >> $(POLDEV)/include/support/all_perms.spt && echo true),true) >> +TARGETS += test_ibendport.te >> +endif >> + >> ifeq ($(shell grep -q all_file_perms.*map >> $(POLDEV)/include/support/all_perms.spt && echo true),true) >> export M4PARAM = -Dmap_permission_defined >> endif >> diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te >> new file mode 100644 >> index 000..2a02c57 >> --- /dev/null >> +++ b/policy/test_ibendport.te 
>> @@ -0,0 +1,40 @@ >> +# >> +# >> +# Policy for testing Infiniband Pkey access. >> +# >> + >> +gen_require(` >> +type bin_t; >> +type infiniband_mgmt_device_t; >> +') >> + >> +attribute ibendportdomain; >> + >> +# Domain for process. >> +type test_ibendport_manage_subnet_t; >> +domain_type(test_ibendport_manage_subnet_t) >> +unconfined_runs_test(test_ibendport_manage_subnet_t) >> +typeattribute test_ibendport_manage_subnet_t testdomain; >> +typeattribute test_ibendport_manage_subnet_t ibendportdomain; >> + >> +type test_ibendport_t; >> +ifdef(`corenet_ib_endport',` >> +corenet_ib_endport(test_ibendport_t) >> +') >> + >> +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t) >> +dev_rw_sysfs(test_ibendport_manage_subnet_t) >> + >> +corecmd_bin_entry_type(test_ibendport_manage_subnet_t) >> + >> +allow test_ibendport_manage_subnet_t >> infiniband_mgmt_device_t:chr_file { read write open ioctl}; >> + >> +ifdef(`corenet_ib_access_unlabeled_pkeys',` >> +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t) >> +') >> + >> +allow test_ibendport_manage_subnet_t >> test_ibendport_t:infiniband_endport manage_subnet; >> + >> +# Allow all of these domains to be entered from the sysadm domain. >> +miscfiles_domain_entry_test_files(ibendportdomain) >> +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain) >> diff --git a/tests/Makefile b/tests/Makefile >> index
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> New tests for Infiniband endports. Most users do not have infiniband
> hardware, and if they do the device names can vary. There is a
> configuration file for enabling the tests and setting environment
> specific configurations. If the tests are disabled they always show as
> passed.
>
> A special test application was unnecessary, a standard diagnostic
> application is used instead. This required a change to the make file
> to avoid trying to build an application in the new subdir.
>
> Signed-off-by: Daniel Jurgens
>
> ---
> v1:
> - Synchronize interface names with refpolicy changes.
> - Allowed access to unlabeled pkeys vs default pkey, default pkey is no
>   longer labeled in the refpolicy.
>
> v2:
> Stephen Smalley:
> - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
> - Use ifdefs around corenet_ib* interfaces.
> - Only build the test_ibpendport.te file if the infiniband_endport class
>   is available.
> - use corecmd_bin_entry_type interface instead of allow ... bin_t:
> ---
> README | 7 +++-
> policy/Makefile | 4 +++
> policy/test_ibendport.te | 40 +++
> tests/Makefile | 2 +-
> tests/infiniband_endport/Makefile| 2 ++
> tests/infiniband_endport/ibendport_test.conf | 14
> tests/infiniband_endport/test| 49
> tests/infiniband_pkey/test | 0
> 8 files changed, 116 insertions(+), 2 deletions(-)
> create mode 100644 policy/test_ibendport.te
> create mode 100644 tests/infiniband_endport/Makefile
> create mode 100644 tests/infiniband_endport/ibendport_test.conf
> create mode 100755 tests/infiniband_endport/test
> mode change 100644 => 100755 tests/infiniband_pkey/test
>
> diff --git a/README b/README
> index a4c8ebb..de50eb4 100644
> --- a/README
> +++ b/README
> @@ -201,7 +201,12 @@ INFINIBAND TESTS > > Because running Infiniband tests requires specialized hardware you > must > set up a configuration file for these tests. The tests are disabled > by > -default. See comments in the configuration file for info. > +default. See comments in the configuration file for info. The > endport > +tests use smpquery, for Fedora it's provided by the infiniband-diags > +package. > > Infiniband PKey test conf file: > tests/infiniband_pkey/ibpkey_test.conf > + > +Infiniband Endport test conf file: > +tests/infiniband_endport/ibendport_test.conf > diff --git a/policy/Makefile b/policy/Makefile > index 46c9fb5..c062009 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit > $(POLDEV)/include/support/all_perms.spt && echo > TARGETS += test_prlimit.te > endif > > +ifeq ($(shell grep -q infiniband_endport > $(POLDEV)/include/support/all_perms.spt && echo true),true) > +TARGETS += test_ibendport.te > +endif > + > ifeq ($(shell grep -q all_file_perms.*map > $(POLDEV)/include/support/all_perms.spt && echo true),true) > export M4PARAM = -Dmap_permission_defined > endif > diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te > new file mode 100644 > index 000..2a02c57 > --- /dev/null > +++ b/policy/test_ibendport.te 
> @@ -0,0 +1,40 @@ > +# > +# > +# Policy for testing Infiniband Pkey access. > +# > + > +gen_require(` > + type bin_t; > + type infiniband_mgmt_device_t; > +') > + > +attribute ibendportdomain; > + > +# Domain for process. > +type test_ibendport_manage_subnet_t; > +domain_type(test_ibendport_manage_subnet_t) > +unconfined_runs_test(test_ibendport_manage_subnet_t) > +typeattribute test_ibendport_manage_subnet_t testdomain; > +typeattribute test_ibendport_manage_subnet_t ibendportdomain; > + > +type test_ibendport_t; > +ifdef(`corenet_ib_endport',` > +corenet_ib_endport(test_ibendport_t) > +') > + > +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t) > +dev_rw_sysfs(test_ibendport_manage_subnet_t) > + > +corecmd_bin_entry_type(test_ibendport_manage_subnet_t) > + > +allow test_ibendport_manage_subnet_t > infiniband_mgmt_device_t:chr_file { read write open ioctl}; > + > +ifdef(`corenet_ib_access_unlabeled_pkeys',` > +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t) > +') > + > +allow test_ibendport_manage_subnet_t > test_ibendport_t:infiniband_endport manage_subnet; > + > +# Allow all of these domains to be entered from the sysadm domain. > +miscfiles_domain_entry_test_files(ibendportdomain) > +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain) > diff --git a/tests/Makefile b/tests/Makefile > index 7dfe2a8..369b678 100644 > --- a/tests/Makefile > +++ b/tests/Makefile > @@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare > exectrace execute_no_trans \ >
[PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
From: Daniel Jurgens

New tests for Infiniband endports. Most users do not have infiniband
hardware, and if they do the device names can vary. There is a
configuration file for enabling the tests and setting environment
specific configurations. If the tests are disabled they always show as
passed.

A special test application was unnecessary, a standard diagnostic
application is used instead. This required a change to the make file
to avoid trying to build an application in the new subdir.

Signed-off-by: Daniel Jurgens

---
v1:
- Synchronize interface names with refpolicy changes.
- Allowed access to unlabeled pkeys vs default pkey, default pkey is no
  longer labeled in the refpolicy.

v2:
Stephen Smalley:
- Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
- Use ifdefs around corenet_ib* interfaces.
- Only build the test_ibpendport.te file if the infiniband_endport class
  is available.
- use corecmd_bin_entry_type interface instead of allow ... bin_t:
---
README | 7 +++-
policy/Makefile | 4 +++
policy/test_ibendport.te | 40 +++
tests/Makefile | 2 +-
tests/infiniband_endport/Makefile| 2 ++
tests/infiniband_endport/ibendport_test.conf | 14
tests/infiniband_endport/test| 49
tests/infiniband_pkey/test | 0
8 files changed, 116 insertions(+), 2 deletions(-)
create mode 100644 policy/test_ibendport.te
create mode 100644 tests/infiniband_endport/Makefile
create mode 100644 tests/infiniband_endport/ibendport_test.conf
create mode 100755 tests/infiniband_endport/test
mode change 100644 => 100755 tests/infiniband_pkey/test

diff --git a/README b/README
index a4c8ebb..de50eb4 100644
--- a/README
+++ b/README
@@ -201,7 +201,12 @@ INFINIBAND TESTS Because running Infiniband tests requires specialized hardware you must set up a configuration file for these tests. The tests are disabled by -default. See comments in the configuration file for info. +default. See comments in the configuration file for info. The endport +tests use smpquery, for Fedora it's provided by the infiniband-diags +package. Infiniband PKey test conf file: tests/infiniband_pkey/ibpkey_test.conf + +Infiniband Endport test conf file: +tests/infiniband_endport/ibendport_test.conf diff --git a/policy/Makefile b/policy/Makefile index 46c9fb5..c062009 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit $(POLDEV)/include/support/all_perms.spt && echo TARGETS += test_prlimit.te endif +ifeq ($(shell grep -q infiniband_endport $(POLDEV)/include/support/all_perms.spt && echo true),true) +TARGETS += test_ibendport.te +endif + ifeq ($(shell grep -q all_file_perms.*map $(POLDEV)/include/support/all_perms.spt && echo true),true) export M4PARAM = -Dmap_permission_defined endif diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te new file mode 100644 index 000..2a02c57 --- /dev/null +++ b/policy/test_ibendport.te 
@@ -0,0 +1,40 @@ +# +# +# Policy for testing Infiniband Pkey access. +# + +gen_require(` + type bin_t; + type infiniband_mgmt_device_t; +') + +attribute ibendportdomain; + +# Domain for process. +type test_ibendport_manage_subnet_t; +domain_type(test_ibendport_manage_subnet_t) +unconfined_runs_test(test_ibendport_manage_subnet_t) +typeattribute test_ibendport_manage_subnet_t testdomain; +typeattribute test_ibendport_manage_subnet_t ibendportdomain; + +type test_ibendport_t; +ifdef(`corenet_ib_endport',` +corenet_ib_endport(test_ibendport_t) +') + +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t) +dev_rw_sysfs(test_ibendport_manage_subnet_t) + +corecmd_bin_entry_type(test_ibendport_manage_subnet_t) + +allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read write open ioctl}; + +ifdef(`corenet_ib_access_unlabeled_pkeys',` +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t) +') + +allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet; + +# Allow all of these domains to be entered from the sysadm domain. +miscfiles_domain_entry_test_files(ibendportdomain) +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain) diff --git a/tests/Makefile b/tests/Makefile index 7dfe2a8..369b678 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \ task_setnice task_setscheduler task_getscheduler task_getsid \ task_getpgid task_setpgid file ioctl capable_file capable_net \ capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \ - overlay checkreqprot mqueue mac_admin infiniband_pkey + overlay checkreqprot mqueue mac_admin
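Review bot: the README hunk (INFINIBAND TESTS) says the tests are disabled by default and need smpquery, but not that a disabled test is reported as passed; the commit message states "If the tests are disabled they always show as passed", and someone reading a green run on a box without an HCA can mistake that no-op for coverage. Suggest adding a sentence beside "The tests are disabled by default.", e.g. "When disabled, the Infiniband tests are reported as passed without running anything." Also "The endport tests use smpquery, for Fedora it's provided by the infiniband-diags package." is a comma splice; "which on Fedora is provided by the infiniband-diags package" reads better.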
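Review bot: the header comment in the new policy/test_ibendport.te reads "# Policy for testing Infiniband Pkey access." but this file covers endport (manage_subnet) access, so the comment was carried over from the pkey policy; change it to "Infiniband endport access". In the same hunk the gen_require block still lists "type bin_t;" although, per the v2 changelog, the direct "allow ... bin_t" rule was replaced by corecmd_bin_entry_type(), and nothing in the 40 lines references bin_t any more, so that require can be dropped. Minor: "{ read write open ioctl}" is missing the space before the closing brace, which ./tools/check-syntax would otherwise flag.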