Re: [PATCH] selinux-testsuite: Enhance inet_socket tests

2018-06-13 Thread Richard Haines via Selinux
On Tue, 2018-06-12 at 18:02 -0400, Paul Moore wrote: > On Fri, Apr 13, 2018 at 6:13 AM, Richard Haines via Selinux > wrote: > > Enhance the tests as follows: > > 1) Determine number of tests to run with current config. > > 2) Add CALIPSO STREAM tests (DGRAM not support

[PATCH V2] selinux-testsuite: Add SCTP test support

2018-06-01 Thread Richard Haines via Selinux
The sctp testsuite tests all new sctp SELinux functionality. Signed-off-by: Richard Haines --- V2 Changes: Add -v option to test Add info in README.md regarding lksctp-tools-devel requirements Fix asconf parameter chunk processing in test Fix merge error for policy/Makefile Fix buffer overflow

Re: [PATCH] selinux-testsuite: Add SCTP test support

2018-05-31 Thread Richard Haines via Selinux
On Wed, 2018-05-30 at 16:42 -0400, Paul Moore wrote: > On Tue, Mar 20, 2018 at 1:48 PM, Richard Haines via Selinux > wrote: > > The sctp testsuite tests all new sctp SELinux functionality. > > > > Signed-off-by: Richard Haines > > Now that the new SELinux userspac

Re: [RFC V4 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-22 Thread Richard Haines via Selinux
On Tue, 2018-05-22 at 09:53 -0400, Stephen Smalley wrote: > On 05/22/2018 09:11 AM, Stephen Smalley wrote: > > On 05/22/2018 09:01 AM, Stephen Smalley wrote: > > > On 05/22/2018 07:37 AM, Richard Haines wrote: > > > > Could you try this version where I've packed the transaction > > > > structures.

[RFC V4 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-22 Thread Richard Haines via Selinux
Add binder tests. See tests/binder/test_binder.c for details on message flows to test security_binder*() functions. Signed-off-by: Richard Haines --- README.md | 8 + defconfig | 7 + policy/Makefile | 4 +

[RFC V4 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-22 Thread Richard Haines via Selinux
Could you try this version where I've packed the transaction structures. I could not get the tests to fail on my two systems (but then V3 didn't). Thanks I've updated this so it still tests all the binder permissions. I didn't bother with a Client as I found another way to achieve the same

Re: [RFC V3 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Richard Haines via Selinux
On Mon, 2018-05-21 at 13:06 -0400, Stephen Smalley wrote: > On 05/21/2018 01:02 PM, Stephen Smalley wrote: > > On 05/21/2018 12:33 PM, Richard Haines wrote: > > > Add binder tests. See tests/binder/test_binder.c for details on > > > message flows to test security_binder*() functions. > > > >

[RFC V3 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Richard Haines via Selinux
I've updated this so it still tests all the binder permissions. I didn't bother with a Client as I found another way to achieve the same result. Plenty of comments in test_binder.c to explain. Hopefully it is sane, otherwise a Client will be required. I've tested on Fedora 28 with linux-4.17-rc5

[RFC V3 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-21 Thread Richard Haines via Selinux
Add binder tests. See tests/binder/test_binder.c for details on message flows to test security_binder*() functions. Signed-off-by: Richard Haines --- README.md | 8 + defconfig | 7 + policy/Makefile | 4 +

[RFC V2 PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-20 Thread Richard Haines via Selinux
Add binder tests. See tests/binder/test_binder.c for details on message flows to test security_binder*() functions. Signed-off-by: Richard Haines --- README.md | 8 + defconfig | 7 + policy/Makefile | 4 +

[RFC V2 PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-20 Thread Richard Haines via Selinux
I've updated this so it still tests all the binder permissions. I didn't bother with a Client as I found another way to achieve the same result. Plenty of comments in test_binder.c to explain. Hopefully it is sane, otherwise a Client will be required. I've tested on Fedora 28 with linux-4.17-rc5

Re: [RFC PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Richard Haines via Selinux
On Tue, 2018-05-15 at 12:56 -0400, Stephen Smalley wrote: > On 05/15/2018 12:38 PM, Stephen Smalley wrote: > > On 05/15/2018 09:43 AM, Stephen Smalley wrote: > > > On 05/15/2018 09:36 AM, Stephen Smalley wrote: > > > > This test is failing for me (with or without -v): > > > > # ./test -v > > > >

Re: [RFC PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Richard Haines via Selinux
On Tue, 2018-05-15 at 09:43 -0400, Stephen Smalley wrote: > On 05/15/2018 09:36 AM, Stephen Smalley wrote: > > On 05/15/2018 04:25 AM, Richard Haines via Selinux wrote: > > > Add binder tests. See tests/binder/test_binder.c for details on > > > message flows to test s

[RFC PATCH 1/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Richard Haines via Selinux
Add binder tests. See tests/binder/test_binder.c for details on message flows to test security_binder*() functions. Signed-off-by: Richard Haines --- README.md | 8 + defconfig | 8 + policy/Makefile | 2 +-

[RFC PATCH 0/1] selinux-testsuite: Add binder tests

2018-05-15 Thread Richard Haines via Selinux
Not sure how useful this is but saw [1] and thought I'll have a go out of idle curiosity. I've only tested on Fedora 27 with kernel-4.16.3-200.fc27.x86_64 Use ./test -v to see the flow of binder info I just added the following to the standard kernel-x86_64.config:

Re: [PATCH v2 1/3] selinux: add AF_UNSPEC and INADDR_ANY checks to selinux_socket_bind()

2018-05-11 Thread Richard Haines via Selinux
On Fri, 2018-05-11 at 20:15 +0300, Alexey Kodanev wrote: > Commit d452930fd3b9 ("selinux: Add SCTP support") breaks > compatibility > with the old programs that can pass sockaddr_in structure with > AF_UNSPEC > and INADDR_ANY to bind(). As a result, bind() returns EAFNOSUPPORT > error. > This was

[PATCH] selinux-testsuite: Enhance inet_socket tests

2018-04-13 Thread Richard Haines via Selinux
Enhance the tests as follows: 1) Determine number of tests to run with current config. 2) Add CALIPSO STREAM tests (DGRAM not supported in kernel. See [1]). 3) Add support for CIPSO TAGS 1 & 2. Closes [2]. 4) Run scripts using /bin/sh. 5) Shorten sleep time as more tests. [1]

Re: [GIT PULL] SELinux patches for v4.17

2018-04-08 Thread Richard Haines via Selinux
On Sun, 2018-04-08 at 19:59 +0100, Richard Haines via Selinux wrote: > On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote: > > On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines > > <richard_c_hai...@btinternet.com> wrote: > > > On Sun, 2018-04-08 at 08:50 -0400, Paul M

Re: [GIT PULL] SELinux patches for v4.17

2018-04-08 Thread Richard Haines via Selinux
On Mon, 2018-04-09 at 01:43 +0800, Xin Long wrote: > On Sun, Apr 8, 2018 at 10:09 PM, Richard Haines > wrote: > > On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote: > > > On April 7, 2018 1:03:57 PM Linus Torvalds > > tion > > > .org>

Re: [GIT PULL] SELinux patches for v4.17

2018-04-08 Thread Richard Haines via Selinux
On Sun, 2018-04-08 at 08:50 -0400, Paul Moore wrote: > On April 7, 2018 1:03:57 PM Linus Torvalds .org> wrote: > On Sat, Apr 7, 2018 at 9:54 AM, Richard Haines > wrote: > > So please check my resolution, but also somebody should tell

Re: [GIT PULL] SELinux patches for v4.17

2018-04-07 Thread Richard Haines via Selinux
On Fri, 2018-04-06 at 16:07 -0700, Linus Torvalds wrote: > On Tue, Apr 3, 2018 at 6:37 PM, Paul Moore > wrote: > > > > Everything passes the selinux-testsuite, but there are a few known > > merge conflicts. The first is with the netdev tree and is in > > net/sctp/socket.c.

[PATCH] selinux-testsuite: Add SCTP test support

2018-03-20 Thread Richard Haines via Selinux
The sctp testsuite tests all new sctp SELinux functionality. Signed-off-by: Richard Haines --- policy/Makefile| 4 + policy/test_sctp.te| 159 +++ tests/Makefile | 4 +

[PATCH] selinux: Update SELinux SCTP documentation

2018-03-19 Thread Richard Haines via Selinux
Update SELinux-sctp.rst "SCTP Peer Labeling" section to reflect how the association permission is validated. Reported-by: Dominick Grift Signed-off-by: Richard Haines --- Documentation/security/SELinux-sctp.rst | 11 ++- 1 file

[PATCH] selinux: Add support for the SCTP portcon keyword

2018-03-11 Thread Richard Haines via Selinux
Update libsepol, checkpolicy and the CIL compiler to support the SCTP portcon keyword. Signed-off-by: Richard Haines --- checkpolicy/checkpolicy.c | 5 + checkpolicy/policy_define.c| 5 + libsepol/cil/src/cil.c

[PATCH] selinux: Fix ltp test connect-syscall failure

2018-03-05 Thread Richard Haines via Selinux
Fix the following error when running regression tests using LTP as follows: cd /opt/ltp/ cat runtest/syscalls |grep connect01>runtest/connect-syscall ./runltp -pq -f connect-syscall Running tests... connect011 TPASS : bad file descriptor successful connect012 TPASS : invalid

Re: Regression found when running LTP connect01 on next-20180301

2018-03-02 Thread Richard Haines via Selinux
On Thu, 2018-03-01 at 13:03 -0500, Paul Moore wrote: > On March 1, 2018 9:36:37 AM Richard Haines et.com> wrote: > > On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote: > > > On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell > > ro.o > > > rg> wrote:

Re: Regression found when running LTP connect01 on next-20180301

2018-03-01 Thread Richard Haines via Selinux
On Thu, 2018-03-01 at 08:42 -0500, Paul Moore wrote: > On Thu, Mar 1, 2018 at 3:33 AM, Anders Roxell rg> wrote: > > Hi, > > > > I was running LTP's testcase connect01 [1] and found a regression > > in linux-next > > (next-20180301). Bisect gave me this patch as the

[PATCH V8 2/4] sctp: Add ip option support

2018-02-26 Thread Richard Haines via Selinux
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4 and CALIPSO/IPv6 services. Signed-off-by: Richard Haines --- All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode. All "./sctp-tests run" obtained from:

Re: [PATCH] selinux: fix typo in selinux_netlbl_sctp_sk_clone declaration

2018-02-26 Thread Richard Haines via Selinux
On Fri, 2018-02-23 at 16:25 -0500, Paul Moore wrote: > On Fri, Feb 23, 2018 at 4:12 PM, Arnd Bergmann wrote: > > A missing 'struct' keyword caused a build error when > > CONFIG_NETLABEL > > is disabled: > > > > In file included from security/selinux/hooks.c:99: > >

Re: [pcmoore-selinux:next 5/5] security/selinux/include/netlabel.h:135:66: error: unknown type name 'sock'

2018-02-23 Thread Richard Haines via Selinux
On Fri, 2018-02-23 at 08:21 +0800, kbuild test robot wrote: > tree: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selin > ux.git next > head: db97c9f9d31217e3e133056fe2bea76639f87ec1 > commit: db97c9f9d31217e3e133056fe2bea76639f87ec1 [5/5] selinux: Add > SCTP support > config:

[PATCH V7 2/4] sctp: Add ip option support

2018-02-20 Thread Richard Haines via Selinux
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4 and CALIPSO/IPv6 services. Signed-off-by: Richard Haines --- All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode. All "./sctp-tests run" obtained from:

Re: [PATCH V6 2/4] sctp: Add ip option support

2018-02-20 Thread Richard Haines via Selinux
On Fri, 2018-02-16 at 23:28 -0500, Neil Horman wrote: > On Fri, Feb 16, 2018 at 07:51:02PM -0200, Marcelo Ricardo Leitner > wrote: > > On Fri, Feb 16, 2018 at 03:14:35PM -0500, Neil Horman wrote: > > > On Fri, Feb 16, 2018 at 10:56:07AM -0200, Marcelo Ricardo Leitner > > > wrote: > > > > On Thu,

Re: FYI: selinux/next rebased to v4.16-rc1

2018-02-13 Thread Richard Haines via Selinux
On Tue, 2018-02-13 at 12:55 -0500, Paul Moore wrote: > On Tue, Feb 13, 2018 at 11:22 AM, Richard Haines > wrote: > > On Mon, 2018-02-12 at 16:13 -0500, Paul Moore wrote: > > > A quick note to let you know that I've just rebased the > > > selinux/next > > > branch

[PATCH V6 3/4] sctp: Add LSM hooks

2018-02-13 Thread Richard Haines via Selinux
Add security hooks allowing security modules to exercise access control over SCTP. Signed-off-by: Richard Haines --- include/net/sctp/structs.h | 10 include/uapi/linux/sctp.h | 1 + net/sctp/sm_make_chunk.c | 12 + net/sctp/sm_statefuns.c

[PATCH V6 2/4] sctp: Add ip option support

2018-02-13 Thread Richard Haines via Selinux
Add ip option support to allow LSM security modules to utilise CIPSO/IPv4 and CALIPSO/IPv6 services. Signed-off-by: Richard Haines --- include/net/sctp/sctp.h| 4 +++- include/net/sctp/structs.h | 2 ++ net/sctp/chunk.c | 12 +++-

[PATCH V6 1/4] security: Add support for SCTP security hooks

2018-02-13 Thread Richard Haines via Selinux
The SCTP security hooks are explained in: Documentation/security/LSM-sctp.rst Signed-off-by: Richard Haines --- Documentation/security/LSM-sctp.rst | 175 include/linux/lsm_hooks.h | 36

[PATCH V6 0/4] Add SELinux SCTP protocol support

2018-02-13 Thread Richard Haines via Selinux
These patches have been built on Fedora 27 with kernel-4.16.0-0.rc1 plus the following userspace patches to enable testing: 1) Updates to libsepol 2.7 to support the sctp portcon statement. The patch is available from: http://arctic.selinuxproject.org/~rhaines/selinux-sctp/

Re: FYI: selinux/next rebased to v4.16-rc1

2018-02-13 Thread Richard Haines via Selinux
On Mon, 2018-02-12 at 16:13 -0500, Paul Moore wrote: > A quick note to let you know that I've just rebased the selinux/next > branch to v4.16-rc1. Over the next day or two I'm going to be > working > through the backlog of kernel patches, most notably the SCTP work. > I've just rebuilt the SCTP