Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-06-26 Thread Paul Moore
On Fri, Jun 9, 2017 at 4:23 PM, Daniel Jurgens  wrote:
> On 6/9/2017 3:01 PM, Paul Moore wrote:
>> On Fri, Jun 9, 2017 at 10:59 AM, Daniel Jurgens  wrote:
>>
>> Should be all set now, let me know if you notice any problems.  I did
>> add a separate third commit to munge the style/formatting (see
>> previous emails); I didn't bother posting it to the list as it is just
>> style changes, but in case anyone is curious, this is the commit:
>>
>>   commit 8e0339cef20d0356d3e115c31a133662e9562e65
>>   Author: Paul Moore 
>>   Date:   Fri Jun 9 15:46:37 2017 -0400
>>
>>infiniband: apply style corrections to the infiniband tests
>>
>>Patch generated by './tools/check-syntax -f'.
>>
>>Signed-off-by: Paul Moore 
>>
>>> I recall you saying you do most of your testing in VMs on a laptop.  But if 
>>> you have a system with a free pci-e slot we can ship you an HCA if you'd 
>>> like to be able to run these yourself.
>> Thank you for the offer, and yes I generally run the tests in a VM,
>> however we've been working on getting something a bit more automated
>> in place for upstream testing (more info on that once everything is
>> sorted out).
>>
>> Let me think about this a bit (and dust off my somewhat neglected
>> testing hardware), I generally try to avoid getting tied to specific
>> hardware, but it is necessary in this case, and I fear that this may
>> be the easiest way to ensure it gets tested regularly.
>>
> OK, just let me know if you want one.  Once the feature works its way back
> to the mainstream kernel I'll add the tests to our automated regressions too.
> Thanks for all your help getting this whole thing through review!

FWIW, this was in the pull request I sent up to James, you should see
it arrive in Linus' tree during the upcoming merge window.

> How often does the fedora-selinux project switch the base refpolicy? It needs 
> additions to the unconfined user role to allow access.

My apologies, I just realized I never answered this last question
about Fedora ... the answer is the usual "it depends".  I've added
Lukas Vrabec to this email as he is in charge of the Fedora SELinux
policy.

-- 
paul moore
www.paul-moore.com


Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-06-09 Thread Daniel Jurgens
On 6/9/2017 3:01 PM, Paul Moore wrote:
> On Fri, Jun 9, 2017 at 10:59 AM, Daniel Jurgens  wrote:
>
> Should be all set now, let me know if you notice any problems.  I did
> add a separate third commit to munge the style/formatting (see
> previous emails); I didn't bother posting it to the list as it is just
> style changes, but in case anyone is curious, this is the commit:
>
>   commit 8e0339cef20d0356d3e115c31a133662e9562e65
>   Author: Paul Moore 
>   Date:   Fri Jun 9 15:46:37 2017 -0400
>
>infiniband: apply style corrections to the infiniband tests
>
>Patch generated by './tools/check-syntax -f'.
>
>Signed-off-by: Paul Moore 
>
>> I recall you saying you do most of your testing in VMs on a laptop.  But if 
>> you have a system with a free pci-e slot we can ship you an HCA if you'd 
>> like to be able to run these yourself.
> Thank you for the offer, and yes I generally run the tests in a VM,
> however we've been working on getting something a bit more automated
> in place for upstream testing (more info on that once everything is
> sorted out).
>
> Let me think about this a bit (and dust off my somewhat neglected
> testing hardware), I generally try to avoid getting tied to specific
> hardware, but it is necessary in this case, and I fear that this may
> be the easiest way to ensure it gets tested regularly.
>
OK, just let me know if you want one.  Once the feature works its way back to
the mainstream kernel I'll add the tests to our automated regressions too. Thanks
for all your help getting this whole thing through review!

How often does the fedora-selinux project switch the base refpolicy? It needs 
additions to the unconfined user role to allow access.




Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-06-09 Thread Paul Moore
On Fri, Jun 9, 2017 at 10:59 AM, Daniel Jurgens  wrote:
> On 6/9/2017 9:50 AM, Paul Moore wrote:
>> On Fri, Jun 9, 2017 at 10:44 AM, Daniel Jurgens  wrote:
>>> On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
 On 6/5/2017 5:13 PM, Paul Moore wrote:
> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley  
> wrote:
>> On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote:
>>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
 On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
>
> New tests for Infiniband endports. Most users do not have infiniband
> hardware, and if they do the device names can vary.  There is a
> configuration file for enabling the tests and setting environment
> specific configurations.  If the tests are disabled they always show as
> passed.
>
> A special test application was unnecessary, a standard diagnostic
> application is used instead.  This required a change to the make file
> to avoid trying to build an application in the new subdir.
>
> Signed-off-by: Daniel Jurgens 
> ...
>
>> I wouldn't bother re-spinning unless Paul has other comments.
> Nothing worthy of a respin.
>
> Daniel, have you run these tests against the kernel, userspace, and
> policy code that has been merged?  It would be nice to have a sanity
> check that something didn't break while we were merging everything.
>
> [SIDE NOTE: This afternoon I noticed what I think may be a problem
> with my COPR kernel builds that affects the test suite, so YMMV at the
> moment.]
>
 I ran them against the merged kernel and selinux code.  But I used the 
 same policy RPMs that I had been using, I didn't try to rebuild the RPMs 
 against the new refpolicy.

>>> Are these tests good to go? I haven't gotten any additional comments since 
>>> v2.
>> Yes, my apologies for not getting back to you sooner; I had hoped to
>> talk to some of the IB folks at Red Hat to see if they could verify
>> everything (or at least get access to an IB system so I could verify
>> it) but I got wrapped in a few audit issues this week and didn't get
>> to it.
>>
>> I'll merge these patches later this afternoon.
>>
> No problem, just wanted to make sure I wasn't holding it up in any way.

Should be all set now, let me know if you notice any problems.  I did
add a separate third commit to munge the style/formatting (see
previous emails); I didn't bother posting it to the list as it is just
style changes, but in case anyone is curious, this is the commit:

  commit 8e0339cef20d0356d3e115c31a133662e9562e65
  Author: Paul Moore 
  Date:   Fri Jun 9 15:46:37 2017 -0400

   infiniband: apply style corrections to the infiniband tests

   Patch generated by './tools/check-syntax -f'.

   Signed-off-by: Paul Moore 

> I recall you saying you do most of your testing in VMs on a laptop.  But if 
> you have a system with a free pci-e slot we can ship you an HCA if you'd like 
> to be able to run these yourself.

Thank you for the offer, and yes I generally run the tests in a VM,
however we've been working on getting something a bit more automated
in place for upstream testing (more info on that once everything is
sorted out).

Let me think about this a bit (and dust off my somewhat neglected
testing hardware), I generally try to avoid getting tied to specific
hardware, but it is necessary in this case, and I fear that this may
be the easiest way to ensure it gets tested regularly.

-- 
paul moore
www.paul-moore.com


Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-06-09 Thread Daniel Jurgens
On 6/9/2017 9:50 AM, Paul Moore wrote:
> On Fri, Jun 9, 2017 at 10:44 AM, Daniel Jurgens  wrote:
>> On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
>>> On 6/5/2017 5:13 PM, Paul Moore wrote:
 On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley  
 wrote:
> On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote:
>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
 From: Daniel Jurgens 

 New tests for Infiniband endports. Most users do not have infiniband
 hardware, and if they do the device names can vary.  There is a
 configuration file for enabling the tests and setting environment
 specific configurations.  If the tests are disabled they always show as
 passed.

 A special test application was unnecessary, a standard diagnostic
 application is used instead.  This required a change to the make file
 to avoid trying to build an application in the new subdir.

 Signed-off-by: Daniel Jurgens 
 ...

> I wouldn't bother re-spinning unless Paul has other comments.
 Nothing worthy of a respin.

 Daniel, have you run these tests against the kernel, userspace, and
 policy code that has been merged?  It would be nice to have a sanity
 check that something didn't break while we were merging everything.

 [SIDE NOTE: This afternoon I noticed what I think may be a problem
 with my COPR kernel builds that affects the test suite, so YMMV at the
 moment.]

>>> I ran them against the merged kernel and selinux code.  But I used the same 
>>> policy RPMs that I had been using, I didn't try to rebuild the RPMs against 
>>> the new refpolicy.
>>>
>> Are these tests good to go? I haven't gotten any additional comments since 
>> v2.
> Yes, my apologies for not getting back to you sooner; I had hoped to
> talk to some of the IB folks at Red Hat to see if they could verify
> everything (or at least get access to an IB system so I could verify
> it) but I got wrapped in a few audit issues this week and didn't get
> to it.
>
> I'll merge these patches later this afternoon.
>
No problem, just wanted to make sure I wasn't holding it up in any way.

I recall you saying you do most of your testing in VMs on a laptop.  But if you 
have a system with a free pci-e slot we can ship you an HCA if you'd like to be 
able to run these yourself.




Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-06-09 Thread Paul Moore
On Fri, Jun 9, 2017 at 10:44 AM, Daniel Jurgens  wrote:
> On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
>> On 6/5/2017 5:13 PM, Paul Moore wrote:
>>> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley  wrote:
 On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote:
> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>>> From: Daniel Jurgens 
>>>
>>> New tests for Infiniband endports. Most users do not have infiniband
>>> hardware, and if they do the device names can vary.  There is a
>>> configuration file for enabling the tests and setting environment
>>> specific configurations.  If the tests are disabled they always show as
>>> passed.
>>>
>>> A special test application was unnecessary, a standard diagnostic
>>> application is used instead.  This required a change to the make file
>>> to avoid trying to build an application in the new subdir.
>>>
>>> Signed-off-by: Daniel Jurgens 
>>> ...
>>>
 I wouldn't bother re-spinning unless Paul has other comments.
>>> Nothing worthy of a respin.
>>>
>>> Daniel, have you run these tests against the kernel, userspace, and
>>> policy code that has been merged?  It would be nice to have a sanity
>>> check that something didn't break while we were merging everything.
>>>
>>> [SIDE NOTE: This afternoon I noticed what I think may be a problem
>>> with my COPR kernel builds that affects the test suite, so YMMV at the
>>> moment.]
>>>
>> I ran them against the merged kernel and selinux code.  But I used the same 
>> policy RPMs that I had been using, I didn't try to rebuild the RPMs against 
>> the new refpolicy.
>>
> Are these tests good to go? I haven't gotten any additional comments since v2.

Yes, my apologies for not getting back to you sooner; I had hoped to
talk to some of the IB folks at Red Hat to see if they could verify
everything (or at least get access to an IB system so I could verify
it) but I got wrapped in a few audit issues this week and didn't get
to it.

I'll merge these patches later this afternoon.

-- 
paul moore
www.paul-moore.com


Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-06-09 Thread Daniel Jurgens
On 6/5/2017 5:34 PM, Daniel Jurgens wrote:
> On 6/5/2017 5:13 PM, Paul Moore wrote:
>> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley  wrote:
>>> On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote:
 On 5/30/2017 12:05 PM, Stephen Smalley wrote:
> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>> From: Daniel Jurgens 
>>
>> New tests for Infiniband endports. Most users do not have infiniband
>> hardware, and if they do the device names can vary.  There is a
>> configuration file for enabling the tests and setting environment
>> specific configurations.  If the tests are disabled they always show as
>> passed.
>>
>> A special test application was unnecessary, a standard diagnostic
>> application is used instead.  This required a change to the make file
>> to avoid trying to build an application in the new subdir.
>>
>> Signed-off-by: Daniel Jurgens 
>> ...
>>
>>> I wouldn't bother re-spinning unless Paul has other comments.
>> Nothing worthy of a respin.
>>
>> Daniel, have you run these tests against the kernel, userspace, and
>> policy code that has been merged?  It would be nice to have a sanity
>> check that something didn't break while we were merging everything.
>>
>> [SIDE NOTE: This afternoon I noticed what I think may be a problem
>> with my COPR kernel builds that affects the test suite, so YMMV at the
>> moment.]
>>
> I ran them against the merged kernel and selinux code.  But I used the same 
> policy RPMs that I had been using, I didn't try to rebuild the RPMs against 
> the new refpolicy.
>
Are these tests good to go? I haven't gotten any additional comments since v2.




Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-06-06 Thread Daniel Jurgens
On 6/5/2017 5:13 PM, Paul Moore wrote:
> On Tue, May 30, 2017 at 1:52 PM, Stephen Smalley  wrote:
>> On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote:
>>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
 On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
>
> New tests for Infiniband endports. Most users do not have infiniband
> hardware, and if they do the device names can vary.  There is a
> configuration file for enabling the tests and setting environment
> specific configurations.  If the tests are disabled they always show as
> passed.
>
> A special test application was unnecessary, a standard diagnostic
> application is used instead.  This required a change to the make file
> to avoid trying to build an application in the new subdir.
>
> Signed-off-by: Daniel Jurgens 
> ...
>
>> I wouldn't bother re-spinning unless Paul has other comments.
> Nothing worthy of a respin.
>
> Daniel, have you run these tests against the kernel, userspace, and
> policy code that has been merged?  It would be nice to have a sanity
> check that something didn't break while we were merging everything.
>
> [SIDE NOTE: This afternoon I noticed what I think may be a problem
> with my COPR kernel builds that affects the test suite, so YMMV at the
> moment.]
>
I ran them against the merged kernel and selinux code.  But I used the same 
policy RPMs that I had been using, I didn't try to rebuild the RPMs against the 
new refpolicy.




Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Daniel Jurgens
On 5/30/2017 12:48 PM, Stephen Smalley wrote:
> On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote:
>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
 From: Daniel Jurgens 

 diff --git a/tests/infiniband_pkey/test
 b/tests/infiniband_pkey/test
 old mode 100644
 new mode 100755
>>> Not a big deal, but it seems odd that this mode change wasn't just
>>> squashed into the first patch.
>>>
>>> Otherwise, it looks ok to me, but I don't have hardware to test it on.
>>> Did you confirm that when you run the tests, you get the expected avc
>>> denials in the audit logs?  Also, did you confirm that if you manually
>>> run the tests in permissive mode, that the tests you expect to fail do
>>> so (and the rest do not)?
>>>
>>>
>> I'm not sure what happened with the mode there.  I didn't change it
>> manually.  I can clean it up if you want.
> Looks like tests/Makefile does a chmod +x */test.
> I wouldn't bother re-spinning unless Paul has other comments.
>
>> Regarding testing the test. Yes, I did make sure they fail as
>> expected when in permissive mode.  Also I changed settings in the
>> configuration files to make sure all cases fail when they should
>> where that was possible.
> And avc: denied messages are as expected?
>
Yes, here's a sample:

type=AVC msg=audit(1496161222.307:1584): avc:  denied  { manage_subnet } for  pid=21976 comm="smpquery" device=mlx5_2 port_num=1 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=0
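A way to verify that an audit log carries exactly the denial shown above, added here as an example (it is not code from the selinux-testsuite or from anyone in this thread). It assumes one audit record per line, as audit.log stores them; the first sample record is the one quoted above and the other two are constructed:

```python
"""Check an audit log for the AVC denial an SELinux test expects.

Added example, not part of the selinux-testsuite or this thread: parse
audit.log-style AVC records and confirm that the test domain was denied the
expected permission on the expected class while enforcing (permissive=0).
"""
import re
from dataclasses import dataclass

# Constructed sample log. The first record is the denial quoted in the thread;
# the other two are made up so the check has something to reject: the same
# denial logged in permissive mode, and a denial on a different object class.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1496161222.307:1584): avc:  denied  { manage_subnet } for  pid=21976 comm="smpquery" device=mlx5_2 port_num=1 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=0
type=AVC msg=audit(1496161230.101:1590): avc:  denied  { manage_subnet } for  pid=21990 comm="smpquery" device=mlx5_2 port_num=1 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=1
type=AVC msg=audit(1496161231.555:1591): avc:  denied  { ioctl } for  pid=21991 comm="smpquery" path="/dev/infiniband/umad2" dev="devtmpfs" ino=12345 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:infiniband_mgmt_device_t:s0 tclass=chr_file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be quoted (comm="smpquery") or bare (port_num=1).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    serial: int
    result: str           # "denied" or "granted"
    perms: frozenset      # permissions listed inside the braces
    fields: dict          # remaining key=value fields, quotes stripped

    @property
    def source_type(self):
        # scontext is user:role:type[:range]; the type is the third field.
        return self.fields.get("scontext", "::").split(":")[2]

    @property
    def target_type(self):
        return self.fields.get("tcontext", "::").split(":")[2]

    @property
    def enforcing(self):
        return self.fields.get("permissive") == "0"


def parse_avc(line):
    """Parse one audit line; return an AvcRecord, or None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcRecord(
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=frozenset(m.group("perms").split()),
        fields=fields,
    )


def parse_audit_log(text):
    """All AVC records in a log, in file order; other record types are skipped."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def matching_denials(records, domain, tclass, perm, enforcing_only=True):
    """Denials of `perm` on `tclass` whose source type is `domain`.

    With enforcing_only, permissive-mode hits (permissive=1) are excluded:
    a negative test only proves something when the kernel actually enforced.
    """
    return [
        r for r in records
        if r.result == "denied"
        and r.fields.get("tclass") == tclass
        and perm in r.perms
        and r.source_type == domain
        and (r.enforcing or not enforcing_only)
    ]


def expected_denial_seen(text, domain, tclass, perm):
    """True when the log holds at least one enforcing-mode denial the test expects."""
    return bool(matching_denials(parse_audit_log(text), domain, tclass, perm))


def describe(record):
    """One-line summary, useful when a test fails for an unexpected reason."""
    return "%s -> %s %s %s (%s)" % (
        record.source_type, record.target_type, record.fields.get("tclass"),
        " ".join(sorted(record.perms)),
        "enforcing" if record.enforcing else "permissive",
    )


if __name__ == "__main__":
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(rec.serial, describe(rec))
    print(expected_denial_seen(SAMPLE_AUDIT_LOG, "test_ibendport_manage_subnet_t",
                               "infiniband_endport", "manage_subnet"))
```

The target type in the summary is the quickest way to tell a denial caused by an endport the configuration did not label (unlabeled_t, as in the sample) from one caused by a missing allow rule.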






Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Stephen Smalley
On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote:
> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
> > On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> > > From: Daniel Jurgens 
> > > 
> > > New tests for Infiniband endports. Most users do not have infiniband
> > > hardware, and if they do the device names can vary.  There is a
> > > configuration file for enabling the tests and setting environment
> > > specific configurations.  If the tests are disabled they always show as
> > > passed.
> > > 
> > > A special test application was unnecessary, a standard diagnostic
> > > application is used instead.  This required a change to the make file
> > > to avoid trying to build an application in the new subdir.
> > > 
> > > Signed-off-by: Daniel Jurgens 
> > > 
> > > ---
> > > v1:
> > > - Synchronize interface names with refpolicy changes.
> > > - Allowed access to unlabeled pkeys vs default pkey, default pkey is
> > > no longer labeled in the refpolicy.
> > > 
> > > v2:
> > > Stephen Smalley:
> > > - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
> > > - Use ifdefs around corenet_ib* interfaces.
> > > - Only build the test_ibendport.te file if the infiniband_endport
> > > class is available.
> > > - use corecmd_bin_entry_type interface instead of allow ... bin_t:
> > > ---
> > >  README   |  7 +++-
> > >  policy/Makefile  |  4 +++
> > >  policy/test_ibendport.te | 40
> > > +++
> > >  tests/Makefile   |  2 +-
> > >  tests/infiniband_endport/Makefile|  2 ++
> > >  tests/infiniband_endport/ibendport_test.conf | 14 
> > >  tests/infiniband_endport/test| 49
> > > 
> > >  tests/infiniband_pkey/test   |  0
> > >  8 files changed, 116 insertions(+), 2 deletions(-)
> > >  create mode 100644 policy/test_ibendport.te
> > >  create mode 100644 tests/infiniband_endport/Makefile
> > >  create mode 100644 tests/infiniband_endport/ibendport_test.conf
> > >  create mode 100755 tests/infiniband_endport/test
> > >  mode change 100644 => 100755 tests/infiniband_pkey/test
> > > 
> > > diff --git a/README b/README
> > > index a4c8ebb..de50eb4 100644
> > > --- a/README
> > > +++ b/README
> > > @@ -201,7 +201,12 @@ INFINIBAND TESTS
> > >  
> > >  Because running Infiniband tests requires specialized hardware
> > > you
> > > must
> > >  set up a configuration file for these tests. The tests are
> > > disabled
> > > by
> > > -default.  See comments in the configuration file for info.
> > > +default.  See comments in the configuration file for info. The
> > > endport
> > > +tests use smpquery, for Fedora it's provided by the infiniband-
> > > diags
> > > +package.
> > >  
> > >  Infiniband PKey test conf file:
> > >  tests/infiniband_pkey/ibpkey_test.conf
> > > +
> > > +Infiniband Endport test conf file:
> > > +tests/infiniband_endport/ibendport_test.conf
> > > diff --git a/policy/Makefile b/policy/Makefile
> > > index 46c9fb5..c062009 100644
> > > --- a/policy/Makefile
> > > +++ b/policy/Makefile
> > > @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit
> > > $(POLDEV)/include/support/all_perms.spt && echo
> > >  TARGETS += test_prlimit.te
> > >  endif
> > >  
> > > +ifeq ($(shell grep -q infiniband_endport
> > > $(POLDEV)/include/support/all_perms.spt && echo true),true)
> > > +TARGETS += test_ibendport.te
> > > +endif
> > > +
> > >  ifeq ($(shell grep -q all_file_perms.*map
> > > $(POLDEV)/include/support/all_perms.spt && echo true),true)
> > >  export M4PARAM = -Dmap_permission_defined
> > >  endif
> > > diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
> > > new file mode 100644
> > > index 000..2a02c57
> > > --- /dev/null
> > > +++ b/policy/test_ibendport.te
> > > @@ -0,0 +1,40 @@
> > > +#
> > > +#
> > > +# Policy for testing Infiniband Pkey access.
> > > +#
> > > +
> > > +gen_require(`
> > > + type bin_t;
> > > + type infiniband_mgmt_device_t;
> > > +')
> > > +
> > > +attribute ibendportdomain;
> > > +
> > > +# Domain for process.
> > > +type test_ibendport_manage_subnet_t;
> > > +domain_type(test_ibendport_manage_subnet_t)
> > > +unconfined_runs_test(test_ibendport_manage_subnet_t)
> > > +typeattribute test_ibendport_manage_subnet_t testdomain;
> > > +typeattribute test_ibendport_manage_subnet_t ibendportdomain;
> > > +
> > > +type test_ibendport_t;
> > > +ifdef(`corenet_ib_endport',`
> > > +corenet_ib_endport(test_ibendport_t)
> > > +')
> > > +
> > > +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
> > > +dev_rw_sysfs(test_ibendport_manage_subnet_t)
> > > +
> > > +corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
> > > +
> > > +allow test_ibendport_manage_subnet_t
> > > infiniband_mgmt_device_t:chr_file { read write open 

Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Daniel Jurgens
On 5/30/2017 12:05 PM, Stephen Smalley wrote:
> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>> From: Daniel Jurgens 
>>
>> New tests for Infiniband endports. Most users do not have infiniband
>> hardware, and if they do the device names can vary.  There is a
>> configuration file for enabling the tests and setting environment
>> specific configurations.  If the tests are disabled they always show as
>> passed.
>>
>> A special test application was unnecessary, a standard diagnostic
>> application is used instead.  This required a change to the make file
>> to avoid trying to build an application in the new subdir.
>>
>> Signed-off-by: Daniel Jurgens 
>>
>> ---
>> v1:
>> - Synchronize interface names with refpolicy changes.
>> - Allowed access to unlabeled pkeys vs default pkey, default pkey is
>> no longer labeled in the refpolicy.
>>
>> v2:
>> Stephen Smalley:
>> - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
>> - Use ifdefs around corenet_ib* interfaces.
>> - Only build the test_ibendport.te file if the infiniband_endport
>> class is available.
>> - use corecmd_bin_entry_type interface instead of allow ... bin_t:
>> ---
>>  README   |  7 +++-
>>  policy/Makefile  |  4 +++
>>  policy/test_ibendport.te | 40
>> +++
>>  tests/Makefile   |  2 +-
>>  tests/infiniband_endport/Makefile|  2 ++
>>  tests/infiniband_endport/ibendport_test.conf | 14 
>>  tests/infiniband_endport/test| 49
>> 
>>  tests/infiniband_pkey/test   |  0
>>  8 files changed, 116 insertions(+), 2 deletions(-)
>>  create mode 100644 policy/test_ibendport.te
>>  create mode 100644 tests/infiniband_endport/Makefile
>>  create mode 100644 tests/infiniband_endport/ibendport_test.conf
>>  create mode 100755 tests/infiniband_endport/test
>>  mode change 100644 => 100755 tests/infiniband_pkey/test
>>
>> diff --git a/README b/README
>> index a4c8ebb..de50eb4 100644
>> --- a/README
>> +++ b/README
>> @@ -201,7 +201,12 @@ INFINIBAND TESTS
>>  
>>  Because running Infiniband tests requires specialized hardware you
>> must
>>  set up a configuration file for these tests. The tests are disabled
>> by
>> -default.  See comments in the configuration file for info.
>> +default.  See comments in the configuration file for info. The
>> endport
>> +tests use smpquery, for Fedora it's provided by the infiniband-diags
>> +package.
>>  
>>  Infiniband PKey test conf file:
>>  tests/infiniband_pkey/ibpkey_test.conf
>> +
>> +Infiniband Endport test conf file:
>> +tests/infiniband_endport/ibendport_test.conf
>> diff --git a/policy/Makefile b/policy/Makefile
>> index 46c9fb5..c062009 100644
>> --- a/policy/Makefile
>> +++ b/policy/Makefile
>> @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit
>> $(POLDEV)/include/support/all_perms.spt && echo
>>  TARGETS += test_prlimit.te
>>  endif
>>  
>> +ifeq ($(shell grep -q infiniband_endport
>> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>> +TARGETS += test_ibendport.te
>> +endif
>> +
>>  ifeq ($(shell grep -q all_file_perms.*map
>> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>>  export M4PARAM = -Dmap_permission_defined
>>  endif
>> diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
>> new file mode 100644
>> index 000..2a02c57
>> --- /dev/null
>> +++ b/policy/test_ibendport.te
>> @@ -0,0 +1,40 @@
>> +#
>> +#
>> +# Policy for testing Infiniband Pkey access.
>> +#
>> +
>> +gen_require(`
>> +type bin_t;
>> +type infiniband_mgmt_device_t;
>> +')
>> +
>> +attribute ibendportdomain;
>> +
>> +# Domain for process.
>> +type test_ibendport_manage_subnet_t;
>> +domain_type(test_ibendport_manage_subnet_t)
>> +unconfined_runs_test(test_ibendport_manage_subnet_t)
>> +typeattribute test_ibendport_manage_subnet_t testdomain;
>> +typeattribute test_ibendport_manage_subnet_t ibendportdomain;
>> +
>> +type test_ibendport_t;
>> +ifdef(`corenet_ib_endport',`
>> +corenet_ib_endport(test_ibendport_t)
>> +')
>> +
>> +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
>> +dev_rw_sysfs(test_ibendport_manage_subnet_t)
>> +
>> +corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
>> +
>> +allow test_ibendport_manage_subnet_t
>> infiniband_mgmt_device_t:chr_file { read write open ioctl};
>> +
>> +ifdef(`corenet_ib_access_unlabeled_pkeys',`
>> +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
>> +')
>> +
>> +allow test_ibendport_manage_subnet_t
>> test_ibendport_t:infiniband_endport manage_subnet;
>> +
>> +# Allow all of these domains to be entered from the sysadm domain.
>> +miscfiles_domain_entry_test_files(ibendportdomain)
>> +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
>> diff --git a/tests/Makefile b/tests/Makefile
>> index 

Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Stephen Smalley
On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> New tests for Infiniband endports. Most users do not have infiniband
> hardware, and if they do the device names can vary.  There is a
> configuration file for enabling the tests and setting environment
> specific configurations.  If the tests are disabled they always show as
> passed.
> 
> A special test application was unnecessary, a standard diagnostic
> application is used instead.  This required a change to the make file
> to avoid trying to build an application in the new subdir.
> 
> Signed-off-by: Daniel Jurgens 
> 
> ---
> v1:
> - Synchronize interface names with refpolicy changes.
> - Allowed access to unlabeled pkeys vs default pkey, default pkey is
> no longer labeled in the refpolicy.
> 
> v2:
> Stephen Smalley:
> - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
> - Use ifdefs around corenet_ib* interfaces.
> - Only build the test_ibendport.te file if the infiniband_endport
> class is available.
> - use corecmd_bin_entry_type interface instead of allow ... bin_t:
> ---
>  README   |  7 +++-
>  policy/Makefile  |  4 +++
>  policy/test_ibendport.te | 40
> +++
>  tests/Makefile   |  2 +-
>  tests/infiniband_endport/Makefile|  2 ++
>  tests/infiniband_endport/ibendport_test.conf | 14 
>  tests/infiniband_endport/test| 49
> 
>  tests/infiniband_pkey/test   |  0
>  8 files changed, 116 insertions(+), 2 deletions(-)
>  create mode 100644 policy/test_ibendport.te
>  create mode 100644 tests/infiniband_endport/Makefile
>  create mode 100644 tests/infiniband_endport/ibendport_test.conf
>  create mode 100755 tests/infiniband_endport/test
>  mode change 100644 => 100755 tests/infiniband_pkey/test
> 
> diff --git a/README b/README
> index a4c8ebb..de50eb4 100644
> --- a/README
> +++ b/README
> @@ -201,7 +201,12 @@ INFINIBAND TESTS
>  
>  Because running Infiniband tests requires specialized hardware you
> must
>  set up a configuration file for these tests. The tests are disabled
> by
> -default.  See comments in the configuration file for info.
> +default.  See comments in the configuration file for info. The
> endport
> +tests use smpquery, for Fedora it's provided by the infiniband-diags
> +package.
>  
>  Infiniband PKey test conf file:
>  tests/infiniband_pkey/ibpkey_test.conf
> +
> +Infiniband Endport test conf file:
> +tests/infiniband_endport/ibendport_test.conf
> diff --git a/policy/Makefile b/policy/Makefile
> index 46c9fb5..c062009 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit
> $(POLDEV)/include/support/all_perms.spt && echo
>  TARGETS += test_prlimit.te
>  endif
>  
> +ifeq ($(shell grep -q infiniband_endport
> $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +TARGETS += test_ibendport.te
> +endif
> +
>  ifeq ($(shell grep -q all_file_perms.*map
> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>  export M4PARAM = -Dmap_permission_defined
>  endif
> diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
> new file mode 100644
> index 000..2a02c57
> --- /dev/null
> +++ b/policy/test_ibendport.te
> @@ -0,0 +1,40 @@
> +#
> +#
> +# Policy for testing Infiniband Pkey access.
> +#
> +
> +gen_require(`
> + type bin_t;
> + type infiniband_mgmt_device_t;
> +')
> +
> +attribute ibendportdomain;
> +
> +# Domain for process.
> +type test_ibendport_manage_subnet_t;
> +domain_type(test_ibendport_manage_subnet_t)
> +unconfined_runs_test(test_ibendport_manage_subnet_t)
> +typeattribute test_ibendport_manage_subnet_t testdomain;
> +typeattribute test_ibendport_manage_subnet_t ibendportdomain;
> +
> +type test_ibendport_t;
> +ifdef(`corenet_ib_endport',`
> +corenet_ib_endport(test_ibendport_t)
> +')
> +
> +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
> +dev_rw_sysfs(test_ibendport_manage_subnet_t)
> +
> +corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
> +
> +allow test_ibendport_manage_subnet_t
> infiniband_mgmt_device_t:chr_file { read write open ioctl};
> +
> +ifdef(`corenet_ib_access_unlabeled_pkeys',`
> +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
> +')
> +
> +allow test_ibendport_manage_subnet_t
> test_ibendport_t:infiniband_endport manage_subnet;
> +
> +# Allow all of these domains to be entered from the sysadm domain.
> +miscfiles_domain_entry_test_files(ibendportdomain)
> +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
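Review bot: The header comment of this new file says "Policy for testing Infiniband Pkey access." but the file defines the endport test domain; it looks copied from the pkey policy and should read "Infiniband endport access". Also, now that v2 enters the domain via corecmd_bin_entry_type() instead of a direct allow on bin_t, nothing in the file references bin_t any more, so the `type bin_t;` line in the gen_require block is dead and can be dropped (infiniband_mgmt_device_t is still needed by the chr_file allow rule). Minor style: `{ read write open ioctl};` is missing the space before the closing brace.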
> diff --git a/tests/Makefile b/tests/Makefile
> index 7dfe2a8..369b678 100644
> --- a/tests/Makefile
> +++ b/tests/Makefile
> @@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare
> exectrace execute_no_trans \
>   

[PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Dan Jurgens
From: Daniel Jurgens 

New tests for Infiniband endports. Most users do not have infiniband
hardware, and if they do the device names can vary.  There is a
configuration file for enabling the tests and setting environment
specific configurations.  If the tests are disabled they always show as
passed.

A special test application was unnecessary; a standard diagnostic
application is used instead.  This required a change to the makefile
to avoid trying to build an application in the new subdir.

Signed-off-by: Daniel Jurgens 

---
v1:
- Synchronize interface names with refpolicy changes.
- Allowed access to unlabeled pkeys vs default pkey; the default pkey is no
longer labeled in the refpolicy.

v2:
Stephen Smalley:
- Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
- Use ifdefs around corenet_ib* interfaces.
- Only build the test_ibendport.te file if the infiniband_endport class
is available.
- use corecmd_bin_entry_type interface instead of allow ... bin_t:
---
 README   |  7 +++-
 policy/Makefile  |  4 +++
 policy/test_ibendport.te | 40 +++
 tests/Makefile   |  2 +-
 tests/infiniband_endport/Makefile|  2 ++
 tests/infiniband_endport/ibendport_test.conf | 14 
 tests/infiniband_endport/test| 49 
 tests/infiniband_pkey/test   |  0
 8 files changed, 116 insertions(+), 2 deletions(-)
 create mode 100644 policy/test_ibendport.te
 create mode 100644 tests/infiniband_endport/Makefile
 create mode 100644 tests/infiniband_endport/ibendport_test.conf
 create mode 100755 tests/infiniband_endport/test
 mode change 100644 => 100755 tests/infiniband_pkey/test

diff --git a/README b/README
index a4c8ebb..de50eb4 100644
--- a/README
+++ b/README
@@ -201,7 +201,12 @@ INFINIBAND TESTS
 
 Because running Infiniband tests requires specialized hardware you must
 set up a configuration file for these tests. The tests are disabled by
-default.  See comments in the configuration file for info.
+default.  See comments in the configuration file for info. The endport
+tests use smpquery, for Fedora it's provided by the infiniband-diags
+package.
 
 Infiniband PKey test conf file:
 tests/infiniband_pkey/ibpkey_test.conf
+
+Infiniband Endport test conf file:
+tests/infiniband_endport/ibendport_test.conf
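Review bot: the added README paragraph documents the smpquery dependency but not that the endport tests report as passed while they are disabled, which the commit message states and which is exactly what someone reading a green test run needs to know; suggest extending the existing "The tests are disabled by default." sentence with something like "and report as passed until enabled in the conf file below." Naming the package only "for Fedora" is fine, but pointing readers on other distributions at the conf file comments (as the pkey section already does) would avoid a second silent-skip.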
diff --git a/policy/Makefile b/policy/Makefile
index 46c9fb5..c062009 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit 
$(POLDEV)/include/support/all_perms.spt && echo
 TARGETS += test_prlimit.te
 endif
 
+ifeq ($(shell grep -q infiniband_endport 
$(POLDEV)/include/support/all_perms.spt && echo true),true)
+TARGETS += test_ibendport.te
+endif
+
 ifeq ($(shell grep -q all_file_perms.*map 
$(POLDEV)/include/support/all_perms.spt && echo true),true)
 export M4PARAM = -Dmap_permission_defined
 endif
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
new file mode 100644
index 000..2a02c57
--- /dev/null
+++ b/policy/test_ibendport.te
@@ -0,0 +1,40 @@
+#
+#
+# Policy for testing Infiniband Pkey access.
+#
+
+gen_require(`
+   type bin_t;
+   type infiniband_mgmt_device_t;
+')
+
+attribute ibendportdomain;
+
+# Domain for process.
+type test_ibendport_manage_subnet_t;
+domain_type(test_ibendport_manage_subnet_t)
+unconfined_runs_test(test_ibendport_manage_subnet_t)
+typeattribute test_ibendport_manage_subnet_t testdomain;
+typeattribute test_ibendport_manage_subnet_t ibendportdomain;
+
+type test_ibendport_t;
+ifdef(`corenet_ib_endport',`
+corenet_ib_endport(test_ibendport_t)
+')
+
+dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
+dev_rw_sysfs(test_ibendport_manage_subnet_t)
+
+corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
+
+allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read 
write open ioctl};
+
+ifdef(`corenet_ib_access_unlabeled_pkeys',`
+corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
+')
+
+allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport 
manage_subnet;
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(ibendportdomain)
+userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
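Review bot: gen_require() still pulls in `type bin_t;`, but nothing else in the file references bin_t now that corecmd_bin_entry_type() replaced the direct allow rule (v2 changelog); the stale require should be dropped. The file header also says "Policy for testing Infiniband Pkey access." above a policy whose only class rule is `infiniband_endport manage_subnet`, and the doubled `#` lines look copy-pasted; suggest "# Policy for testing Infiniband endport access." Minor style: `{ read write open ioctl};` wants a space before the closing brace, and "Allow all of these domains" describes a single domain in ibendportdomain.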
diff --git a/tests/Makefile b/tests/Makefile
index 7dfe2a8..369b678 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace 
execute_no_trans \
task_setnice task_setscheduler task_getscheduler task_getsid \
task_getpgid task_setpgid file ioctl capable_file capable_net \
capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \
-   overlay checkreqprot mqueue mac_admin infiniband_pkey
+   overlay checkreqprot mqueue mac_admin