Re: ioctl help

[Dominick Grift]

On Wed, May 24, 2017 at 04:11:44PM -0400, Stephen Smalley wrote:
> On Wed, 2017-05-24 at 14:08 +0200, Dominick Grift wrote:
> > I was looking again at ioctl whitelisting, and excuse me if I
> > overlooked some documentation, but I am having a hard time
> > implementing this.
> > what I did was I just wanted to basically test blacklisting a single
> > ioctl (no particular one)
> > 
> > So i looked into androids sepolicy and just picked a semi-random
> > ioctl from their "https://android.googlesource.com/platform/system/se
> > policy/+/master/public/ioctl_defines"
> > 
> > for example: PHONE_CAPABILITIES_CHECK 0x40087182
> > 
> > However the xpermissions statement only allows 0x to 0x when
> > i tried: (xpermission alg_socket_ioctl (ioctl alg_socket (not
> > (0x40087182
> > 
> > My question is how do i convert these to something i can use with the
> > xpermission statement in CIL, and why can seandroid sepolicy get away
> > with using 0x12345678 where i have to use 0x1234? I could not find
> > any scripts that converts these in the android tree.
> 
> FWIW, I added a simple test of ioctl whitelisting to the selinux-
> testsuite, although that was done in source policy and depends on the
> binary module format support for xperms.
> 
> With regard to your question though, only the low 16 bits of the ioctl
> value (the type/driver and number/function fields) are actually used;
> the upper 16 bits encode the direction (read/write) and size of any
> argument to the ioctl and are therefore not relevant for whitelisting.
> So you can just use 0x7182.  checkpolicy just ignores the upper bits,
> which I guess is convenient so that they can use ioctl macro lists
> generated from kernel header definitions, and Android builds by using
> checkpolicy -C to convert policy.conf to CIL.

Thanks. I considered that but then I thought I saw various different ioctls 
with the same last 16 bits so that got me confused

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift


signature.asc
Description: PGP signature

Re: Fedora COPR repositories with builds of latest code

[Dominick Grift]

On Wed, May 24, 2017 at 04:40:55PM -0400, Stephen Smalley wrote:
> On Wed, 2017-05-24 at 16:53 +0200, Dominick Grift wrote:
> > On Wed, May 24, 2017 at 04:33:16PM +0200, Dominick Grift wrote:
> > > On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
> > > > For the motivation see
> > > > https://marc.info/?l=selinux=149435307518336=2
> > > 
> > > Thanks! I enabled the one with Fedora patches because i need
> > > python3 support for setools4
> > > 
> > > This should allow me to enable extended_socket_class functionality
> > > and test it.
> > > 
> > > I hope this repository will be maintained consistently so that it
> > > can be useful
> > 
> > I just enabled the extended_socket_class capability and in seinfo --
> > polcap -x it currently shows up as "redhat1":
> > 
> > # seinfo --polcap -x
> > 
> > Polcap: 3
> >    policycap network_peer_controls;
> >    policycap open_perms;
> >    policycap redhat1;
> > 
> > I know the redhat1 polcap is re-used but not sure if this expected to
> > return like that...
> 
> Maybe setools4 hasn't been rebuilt to use the updated libsepol, or has
> its own internal table of the policy capability string names?

thanks , yes thats the case (former)

> 
> > 
> > > 
> > > > 
> > > > I've restarted building of Fedora packages based on latest
> > > > SELinux userspace code in Fedora COPR. Packages are built using
> > > > the https://gitlab.com/bachradsusi/selinux-rpm project.
> > > > 
> > > > There is a new selinux.spec [1] file which allows to build all
> > > > Fedora packages from one src.rpm and Makefile which makes the
> > > > process simple.
> > > > 
> > > > Currently there are two COPR projects:
> > > > 
> > > > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora
> > > > /
> > > > 
> > > > This is built with Python3 support based on Fedora patches which
> > > > are rebased against latest upstream code.
> > > > 
> > > > 
> > > > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinu
> > > > xProject/
> > > > 
> > > > This is based on pure upstream sources and without Python 3.
> > > > 
> > > > 
> > > > Currently I run copr builds manually but the plan is to make it
> > > > fully automated.
> > > > 
> > > > 
> > > > Let me know if you find it useful or if you have ideas, comments
> > > > and so on.
> > > > 
> > > > 
> > > > [1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinu
> > > > x.spec
> > > > 
> > > > 
> > > > Thanks,
> > > > 
> > > > Petr
> > > 
> > > -- 
> > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B
> > > 6B02
> > > https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6
> > > B02
> > > Dominick Grift
> > 
> > 
> > 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift


signature.asc
Description: PGP signature

Re: [PATCH v3 9/9] semanage: Update man pages for infiniband

[Stephen Smalley]

On Mon, 2017-05-22 at 16:08 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> Update the main man page and add specific pages for ibpkeys and
> ibendports.

Thanks, applied all nine.  I did notice that you left Dan Walsh as the
author of the man pages you added though; feel free to submit a patch
to fix that.

> 
> Signed-off-by: Daniel Jurgens 
> ---
>  python/semanage/semanage-ibendport.8 | 66
> 
>  python/semanage/semanage-ibpkey.8| 66
> 
>  python/semanage/semanage.8   | 16 ++---
>  3 files changed, 144 insertions(+), 4 deletions(-)
>  create mode 100644 python/semanage/semanage-ibendport.8
>  create mode 100644 python/semanage/semanage-ibpkey.8
> 
> diff --git a/python/semanage/semanage-ibendport.8
> b/python/semanage/semanage-ibendport.8
> new file mode 100644
> index ..c3753a27
> --- /dev/null
> +++ b/python/semanage/semanage-ibendport.8
> @@ -0,0 +1,66 @@
> +.TH "semanage-ibendport" "8" "20170508" "" ""
> +.SH "NAME"
> +.B semanage\-ibendport \- SELinux Policy Management ibendport
> mapping tool
> +.SH "SYNOPSIS"
> +.B semanage ibendport [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t
> TYPE \-z IBDEV_NAME \-r RANGE port | \-\-delete \-z IBDEV_NAME port |
> \-\-deleteall  | \-\-extract  | \-\-list [\-C] | \-\-modify \-t TYPE
> \-z IBDEV_NAME \-r RANGE port ]
> +
> +.SH "DESCRIPTION"
> +semanage is used to configure certain elements of SELinux policy
> without requiring modification to or recompilation from policy
> sources.  semanage ibendport controls the ibendport number to
> ibendport type definitions.
> +
> +.SH "OPTIONS"
> +.TP
> +.I  \-h, \-\-help
> +show this help message and exit
> +.TP
> +.I   \-n, \-\-noheading
> +Do not print heading when listing the specified object type
> +.TP
> +.I   \-N, \-\-noreload
> +Do not reload policy after commit
> +.TP
> +.I   \-S STORE, \-\-store STORE
> +Select an alternate SELinux Policy Store to manage
> +.TP
> +.I   \-C, \-\-locallist
> +List local customizations
> +.TP
> +.I   \-a, \-\-add
> +Add a record of the specified object type
> +.TP
> +.I   \-d, \-\-delete
> +Delete a record of the specified object type
> +.TP
> +.I   \-m, \-\-modify
> +Modify a record of the specified object type
> +.TP
> +.I   \-l, \-\-list
> +List records of the specified object type
> +.TP
> +.I   \-E, \-\-extract
> +Extract customizable commands, for use within a transaction
> +.TP
> +.I   \-D, \-\-deleteall
> +Remove all local customizations
> +.TP
> +.I   \-t TYPE, \-\-type TYPE
> +SELinux type for the object
> +.TP
> +.I   \-r RANGE, \-\-range RANGE
> +MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for
> SELinux login mapping defaults to the SELinux user record range.
> SELinux Range for SELinux user defaults to s0.
> +.TP
> +.I \-z IBDEV_NAME, \-\-ibdev_name IBDEV_NAME
> +The name of the infiniband device for the port to be labeled.  (ex.
> mlx5_0)
> +
> +.SH EXAMPLE
> +.nf
> +List all ibendport definitions
> +# semanage ibendport \-l
> +Label mlx4_0 port 2.
> +# semanage ibendport \-a \-t allowed_ibendport_t \-z mlx4_0 2
> +
> +.SH "SEE ALSO"
> +.BR selinux (8),
> +.BR semanage (8)
> +
> +.SH "AUTHOR"
> +This man page was written by Daniel Walsh 
> diff --git a/python/semanage/semanage-ibpkey.8
> b/python/semanage/semanage-ibpkey.8
> new file mode 100644
> index ..2da4f546
> --- /dev/null
> +++ b/python/semanage/semanage-ibpkey.8
> @@ -0,0 +1,66 @@
> +.TH "semanage-ibpkey" "8" "20170508" "" ""
> +.SH "NAME"
> +.B semanage\-ibpkey \- SELinux Policy Management ibpkey mapping tool
> +.SH "SYNOPSIS"
> +.B semanage ibpkey [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE
> \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range | \-\-delete
> \-x SUBNET_PREFIX ibpkey_name | ibpkey_range | \-\-deleteall  | \-\-
> extract  | \-\-list [\-C] | \-\-modify \-t TYPE \-x SUBNET_PREFIX \-r 
> RANGE ibpkey_name | ibpkey_range ]
> +
> +.SH "DESCRIPTION"
> +semanage is used to configure certain elements of SELinux policy
> without requiring modification to or recompilation from policy
> sources.  semanage ibpkey controls the ibpkey number to ibpkey type
> definitions.
> +
> +.SH "OPTIONS"
> +.TP
> +.I  \-h, \-\-help
> +show this help message and exit
> +.TP
> +.I   \-n, \-\-noheading
> +Do not print heading when listing the specified object type
> +.TP
> +.I   \-N, \-\-noreload
> +Do not reload policy after commit
> +.TP
> +.I   \-S STORE, \-\-store STORE
> +Select an alternate SELinux Policy Store to manage
> +.TP
> +.I   \-C, \-\-locallist
> +List local customizations
> +.TP
> +.I   \-a, \-\-add
> +Add a record of the specified object type
> +.TP
> +.I   \-d, \-\-delete
> +Delete a record of the specified object type
> +.TP
> +.I   \-m, \-\-modify
> +Modify a record of the specified object type
> +.TP
> +.I   \-l, \-\-list
> +List records of the specified object type
> +.TP
> +.I   \-E, \-\-extract
> 

Re: Fedora COPR repositories with builds of latest code

[Stephen Smalley]

On Wed, 2017-05-24 at 16:53 +0200, Dominick Grift wrote:
> On Wed, May 24, 2017 at 04:33:16PM +0200, Dominick Grift wrote:
> > On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
> > > For the motivation see
> > > https://marc.info/?l=selinux=149435307518336=2
> > 
> > Thanks! I enabled the one with Fedora patches because i need
> > python3 support for setools4
> > 
> > This should allow me to enable extended_socket_class functionality
> > and test it.
> > 
> > I hope this repository will be maintained consistently so that it
> > can be useful
> 
> I just enabled the extended_socket_class capability and in seinfo --
> polcap -x it currently shows up as "redhat1":
> 
> # seinfo --polcap -x
> 
> Polcap: 3
>    policycap network_peer_controls;
>    policycap open_perms;
>    policycap redhat1;
> 
> I know the redhat1 polcap is re-used but not sure if this expected to
> return like that...

Maybe setools4 hasn't been rebuilt to use the updated libsepol, or has
its own internal table of the policy capability string names?

> 
> > 
> > > 
> > > I've restarted building of Fedora packages based on latest
> > > SELinux userspace code in Fedora COPR. Packages are built using
> > > the https://gitlab.com/bachradsusi/selinux-rpm project.
> > > 
> > > There is a new selinux.spec [1] file which allows to build all
> > > Fedora packages from one src.rpm and Makefile which makes the
> > > process simple.
> > > 
> > > Currently there are two COPR projects:
> > > 
> > > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora
> > > /
> > > 
> > > This is built with Python3 support based on Fedora patches which
> > > are rebased against latest upstream code.
> > > 
> > > 
> > > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinu
> > > xProject/
> > > 
> > > This is based on pure upstream sources and without Python 3.
> > > 
> > > 
> > > Currently I run copr builds manually but the plan is to make it
> > > fully automated.
> > > 
> > > 
> > > Let me know if you find it useful or if you have ideas, comments
> > > and so on.
> > > 
> > > 
> > > [1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinu
> > > x.spec
> > > 
> > > 
> > > Thanks,
> > > 
> > > Petr
> > 
> > -- 
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B
> > 6B02
> > https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6
> > B02
> > Dominick Grift
> 
> 
> 

Re: ioctl help

[Stephen Smalley]

On Wed, 2017-05-24 at 14:08 +0200, Dominick Grift wrote:
> I was looking again at ioctl whitelisting, and excuse me if I
> overlooked some documentation, but I am having a hard time
> implementing this.
> what I did was I just wanted to basically test blacklisting a single
> ioctl (no particular one)
> 
> So i looked into androids sepolicy and just picked a semi-random
> ioctl from their "https://android.googlesource.com/platform/system/se
> policy/+/master/public/ioctl_defines"
> 
> for example: PHONE_CAPABILITIES_CHECK 0x40087182
> 
> However the xpermissions statement only allows 0x to 0x when
> i tried: (xpermission alg_socket_ioctl (ioctl alg_socket (not
> (0x40087182
> 
> My question is how do i convert these to something i can use with the
> xpermission statement in CIL, and why can seandroid sepolicy get away
> with using 0x12345678 where i have to use 0x1234? I could not find
> any scripts that converts these in the android tree.

FWIW, I added a simple test of ioctl whitelisting to the selinux-
testsuite, although that was done in source policy and depends on the
binary module format support for xperms.

With regard to your question though, only the low 16 bits of the ioctl
value (the type/driver and number/function fields) are actually used;
the upper 16 bits encode the direction (read/write) and size of any
argument to the ioctl and are therefore not relevant for whitelisting.
So you can just use 0x7182.  checkpolicy just ignores the upper bits,
which I guess is convenient so that they can use ioctl macro lists
generated from kernel header definitions, and Android builds by using
checkpolicy -C to convert policy.conf to CIL.

Re: Fedora COPR repositories with builds of latest code

[Dominick Grift]

On Wed, May 24, 2017 at 04:33:16PM +0200, Dominick Grift wrote:
> On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
> > For the motivation see
> > https://marc.info/?l=selinux=149435307518336=2
> 
> Thanks! I enabled the one with Fedora patches because i need python3 support 
> for setools4
> 
> This should allow me to enable extended_socket_class functionality and test 
> it.
> 
> I hope this repository will be maintained consistently so that it can be 
> useful

I just enabled the extended_socket_class capability and in seinfo --polcap -x 
it currently shows up as "redhat1":

# seinfo --polcap -x

Polcap: 3
   policycap network_peer_controls;
   policycap open_perms;
   policycap redhat1;

I know the redhat1 polcap is re-used but not sure if this expected to return 
like that...

> 
> > 
> > I've restarted building of Fedora packages based on latest
> > SELinux userspace code in Fedora COPR. Packages are built using
> > the https://gitlab.com/bachradsusi/selinux-rpm project.
> > 
> > There is a new selinux.spec [1] file which allows to build all
> > Fedora packages from one src.rpm and Makefile which makes the
> > process simple.
> > 
> > Currently there are two COPR projects:
> > 
> > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/
> > 
> > This is built with Python3 support based on Fedora patches which
> > are rebased against latest upstream code.
> > 
> > 
> > * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinuxProject/
> > 
> > This is based on pure upstream sources and without Python 3.
> > 
> > 
> > Currently I run copr builds manually but the plan is to make it
> > fully automated.
> > 
> > 
> > Let me know if you find it useful or if you have ideas, comments and so on.
> > 
> > 
> > [1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinux.spec
> > 
> > 
> > Thanks,
> > 
> > Petr
> 
> -- 
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
> Dominick Grift



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift


signature.asc
Description: PGP signature

Re: Fedora COPR repositories with builds of latest code

[Paul Moore]

On Wed, May 24, 2017 at 10:22 AM, Petr Lautrbach  wrote:
> For the motivation see
> https://marc.info/?l=selinux=149435307518336=2
>
> I've restarted building of Fedora packages based on latest SELinux userspace
> code in Fedora COPR. Packages are built using the
> https://gitlab.com/bachradsusi/selinux-rpm project.
>
> There is a new selinux.spec [1] file which allows to build all Fedora
> packages from one src.rpm and Makefile which makes the process simple.
>
> Currently there are two COPR projects:
>
> * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/
>
> This is built with Python3 support based on Fedora patches which are rebased
> against latest upstream code.

Thanks Petr!

FWIW, I've been using the plautrba/selinux-fedora COPR on my test
system for the past ~week and it has been working well.

-- 
paul moore
www.paul-moore.com

Re: Fedora COPR repositories with builds of latest code

[Dominick Grift]

On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
> For the motivation see
> https://marc.info/?l=selinux=149435307518336=2

Thanks! I enabled the one with Fedora patches because i need python3 support 
for setools4

This should allow me to enable extended_socket_class functionality and test it.

I hope this repository will be maintained consistently so that it can be useful

> 
> I've restarted building of Fedora packages based on latest
> SELinux userspace code in Fedora COPR. Packages are built using
> the https://gitlab.com/bachradsusi/selinux-rpm project.
> 
> There is a new selinux.spec [1] file which allows to build all
> Fedora packages from one src.rpm and Makefile which makes the
> process simple.
> 
> Currently there are two COPR projects:
> 
> * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/
> 
> This is built with Python3 support based on Fedora patches which
> are rebased against latest upstream code.
> 
> 
> * https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinuxProject/
> 
> This is based on pure upstream sources and without Python 3.
> 
> 
> Currently I run copr builds manually but the plan is to make it
> fully automated.
> 
> 
> Let me know if you find it useful or if you have ideas, comments and so on.
> 
> 
> [1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinux.spec
> 
> 
> Thanks,
> 
> Petr

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift


signature.asc
Description: PGP signature

Fedora COPR repositories with builds of latest code

[Petr Lautrbach]

For the motivation see
https://marc.info/?l=selinux=149435307518336=2

I've restarted building of Fedora packages based on latest SELinux 
userspace code in Fedora COPR. Packages are built using the 
https://gitlab.com/bachradsusi/selinux-rpm project.


There is a new selinux.spec [1] file which allows to build all Fedora 
packages from one src.rpm and Makefile which makes the process simple.


Currently there are two COPR projects:

* https://copr.fedorainfracloud.org/coprs/plautrba/selinux-fedora/

This is built with Python3 support based on Fedora patches which are 
rebased against latest upstream code.



* https://copr.fedorainfracloud.org/coprs/plautrba/selinux-SELinuxProject/

This is based on pure upstream sources and without Python 3.


Currently I run copr builds manually but the plan is to make it fully 
automated.



Let me know if you find it useful or if you have ideas, comments and so on.


[1] https://gitlab.com/bachradsusi/selinux-rpm/blob/master/selinux.spec


Thanks,

Petr

[PATCH v1 2/2] selinux-testsuite: Infiniband endport tests

[Dan Jurgens]

From: Daniel Jurgens 

New tests for Infiniband endports. Most users do not have infiniband
hardware, and if they do the device names can vary.  There is a
configuration file for enabling the tests and setting environment
specific configurations.  If the tests are disabled they always show as
passed.

A special test application was unnecessary, a standard diagnostic
application is used instead.  This required a change to the make file
to avoid trying to build an application in the new subdir.

Signed-off-by: Daniel Jurgens 

---
v1:
- Synchronize interface names with refpolicy changes.
- Allowed access to unlabeled pkeys vs default pkey, default pkey is no
longer labeled in the refpolicy.
---
 README   |  7 +++-
 policy/Makefile  |  2 +-
 policy/test_ibendport.te | 35 
 tests/Makefile   |  4 ++-
 tests/infiniband_endport/ibendport_test.conf | 14 
 tests/infiniband_endport/test| 49 
 6 files changed, 108 insertions(+), 3 deletions(-)
 create mode 100644 policy/test_ibendport.te
 create mode 100644 tests/infiniband_endport/ibendport_test.conf
 create mode 100644 tests/infiniband_endport/test

diff --git a/README b/README
index b64e2de..8e1b391 100644
--- a/README
+++ b/README
@@ -200,7 +200,12 @@ INFINIBAND TESTS
 
 Because running Infiniband tests requires specialized hardware you must
 set up a configuration file for these tests. The tests are disabled by
-default.  See comments in the configuration file for info.
+default.  See comments in the configuration file for info. The endport
+tests use smpquery, for Fedora it's provided by the infiniband-diags
+package.
 
 Infiniband PKey test conf file:
 tests/infiniband_pkey/ibpkey_test.conf
+
+Infiniband Endport test conf file:
+tests/infiniband_endport/ibendport_test.conf
diff --git a/policy/Makefile b/policy/Makefile
index 46c9fb5..694836b 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -23,7 +23,7 @@ TARGETS = \
test_task_getsid.te test_task_setpgid.te test_task_setsched.te \
test_transition.te test_inet_socket.te test_unix_socket.te \
test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \
-   test_ibpkey.te
+   test_ibpkey.te test_ibendport.te
 
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
new file mode 100644
index 000..8387432
--- /dev/null
+++ b/policy/test_ibendport.te
@@ -0,0 +1,35 @@
+#
+#
+# Policy for testing Infiniband Pkey access.
+#
+
+gen_require(`
+   type bin_t;
+   type infiniband_mgmt_device_t;
+')
+
+attribute ibendportdomain;
+
+# Domain for process.
+type test_ibendport_manage_subnet_t;
+domain_type(test_ibendport_manage_subnet_t)
+unconfined_runs_test(test_ibendport_manage_subnet_t)
+typeattribute test_ibendport_manage_subnet_t testdomain;
+typeattribute test_ibendport_manage_subnet_t ibendportdomain;
+
+type test_ibendport_t;
+corenet_ib_endport(test_ibendport_t)
+
+dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
+dev_rw_sysfs(test_ibendport_manage_subnet_t)
+
+allow test_ibendport_manage_subnet_t bin_t:file entrypoint;
+allow test_ibendport_manage_subnet_t bin_t:file execute;
+allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read 
write open ioctl};
+corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
+
+allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport 
manage_subnet;
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(ibendportdomain)
+userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
diff --git a/tests/Makefile b/tests/Makefile
index 7dfe2a8..63e6f57 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -12,6 +12,8 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace 
execute_no_trans \
capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \
overlay checkreqprot mqueue mac_admin infiniband_pkey
 
+SUBDIRS_NO_MAKE:= infiniband_endport
+
 ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && 
echo true),true)
 ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
 SUBDIRS += cap_userns
@@ -56,7 +58,7 @@ all:
 
 test: all
chcon -R -t test_file_t .
-   @SUBDIRS="$(SUBDIRS)" PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl
+   @SUBDIRS="$(SUBDIRS) $(SUBDIRS_NO_MAKE)" 
PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl
 
 clean:
@for subdir in $(SUBDIRS); do \
diff --git a/tests/infiniband_endport/ibendport_test.conf 
b/tests/infiniband_endport/ibendport_test.conf
new file mode 100644
index 000..601b290
--- /dev/null
+++ b/tests/infiniband_endport/ibendport_test.conf
@@ -0,0 +1,14 @@
+# Enable(1)/Disable 

[PATCH v1 1/2] selinux-testsuite: Infiniband pkey tests

[Dan Jurgens]

From: Daniel Jurgens 

New tests for infiniband pkeys. Most users don't have Infiniband
hardware, and if they do the pkey configuration is not standardized.
There is a configuration file for enabling the test and setting
environment specific test configurations. If the tests are disabled they
will always show as passed.

Signed-off-by: Daniel Jurgens 

---
v1:
- Synchronized interface names with refpolicy changes.
- Changed pkey test to not assume the default pkey is labeled, instead
it take a list of indexes with labeled and unlabeled pkeys.  It checks
that the labeled aren't allowed, unlabeled are allowed, and it labels
the unlabeled ones to make sure they aren't allowed when labeled.
---
 README   |   9 ++
 policy/Makefile  |   3 +-
 policy/test_ibpkey.te|  25 ++
 tests/Makefile   |   4 +-
 tests/infiniband_pkey/Makefile   |   7 ++
 tests/infiniband_pkey/create_modify_qp.c | 144 +++
 tests/infiniband_pkey/ibpkey_test.conf   |  18 
 tests/infiniband_pkey/test   |  84 ++
 8 files changed, 291 insertions(+), 3 deletions(-)
 create mode 100644 policy/test_ibpkey.te
 create mode 100644 tests/infiniband_pkey/Makefile
 create mode 100644 tests/infiniband_pkey/create_modify_qp.c
 create mode 100644 tests/infiniband_pkey/ibpkey_test.conf
 create mode 100755 tests/infiniband_pkey/test

diff --git a/README b/README
index deedae5..b64e2de 100644
--- a/README
+++ b/README
@@ -195,3 +195,12 @@ establish a base directory (based on the path of the script
 executable).  This won't always be accurate, but will work for this
 test harness/configuration.
$basedir = $0;  $basedir =~ s|(.*)/[^/]*|$1|;
+
+INFINIBAND TESTS
+
+Because running Infiniband tests requires specialized hardware you must
+set up a configuration file for these tests. The tests are disabled by
+default.  See comments in the configuration file for info.
+
+Infiniband PKey test conf file:
+tests/infiniband_pkey/ibpkey_test.conf
diff --git a/policy/Makefile b/policy/Makefile
index 7bc7f95..46c9fb5 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -22,7 +22,8 @@ TARGETS = \
test_task_create.te test_task_getpgid.te test_task_getsched.te \
test_task_getsid.te test_task_setpgid.te test_task_setsched.te \
test_transition.te test_inet_socket.te test_unix_socket.te \
-   test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te
+   test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \
+   test_ibpkey.te
 
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te
diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
new file mode 100644
index 000..b2f5057
--- /dev/null
+++ b/policy/test_ibpkey.te
@@ -0,0 +1,25 @@
+#
+#
+# Policy for testing Infiniband Pkey access.
+#
+
+attribute ibpkeydomain;
+
+# Domain for process.
+type test_ibpkey_access_t;
+domain_type(test_ibpkey_access_t)
+unconfined_runs_test(test_ibpkey_access_t)
+typeattribute test_ibpkey_access_t testdomain;
+typeattribute test_ibpkey_access_t ibpkeydomain;
+
+dev_rw_infiniband_dev(test_ibpkey_access_t)
+dev_rw_sysfs(test_ibpkey_access_t)
+
+# Define a pkey type for labeling pkeys during the test.
+type test_ibpkey_t;
+corenet_ib_pkey(test_ibpkey_t)
+corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(ibpkeydomain)
+userdom_sysadm_entry_spec_domtrans_to(ibpkeydomain)
diff --git a/tests/Makefile b/tests/Makefile
index fb8a0aa..7dfe2a8 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -4,13 +4,13 @@ export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE
 
 DISTRO=$(shell ./os_detect)
 
-SUBDIRS:=domain_trans entrypoint execshare exectrace execute_no_trans \
+SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
fdreceive inherit link mkdir msg open ptrace readlink relabel rename \
rxdir sem setattr setnice shm sigkill stat sysctl task_create \
task_setnice task_setscheduler task_getscheduler task_getsid \
task_getpgid task_setpgid file ioctl capable_file capable_net \
capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \
-   overlay checkreqprot mqueue mac_admin
+   overlay checkreqprot mqueue mac_admin infiniband_pkey
 
 ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && 
echo true),true)
 ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)
diff --git a/tests/infiniband_pkey/Makefile b/tests/infiniband_pkey/Makefile
new file mode 100644
index 000..60f0d24
--- /dev/null
+++ b/tests/infiniband_pkey/Makefile
@@ -0,0 +1,7 @@
+TARGETS=create_modify_qp
+
+LDLIBS+= -libverbs
+
+all: $(TARGETS)
+clean:
+   rm -f $(TARGETS)
diff --git 

[PATCH v1 0/2] Selinux tests for Infinfiband

[Dan Jurgens]

From: Daniel Jurgens 

Implements new tests for Infiniband pkeys and endports. Because infiniband
isn't widely used, and when it is the configuration is site specific,
configuration files are used to enable the tests and set environment
specific settings. When the tests are disable they always show as passed.

If enabled, the tests require correstponding updates to selinux, refpolicy,
and the linux kernel.

---

v1:
- Synchronize intefrace names with changes to refpolicy.
- Change tests to not assume that default pkey is labeled.
- See patches v1 notes for more detail.

Daniel Jurgens (2):
  selinux-testsuite: Infiniband pkey tests
  selinux-testsuite: Infiniband endport tests

 README   |  14 +++
 policy/Makefile  |   3 +-
 policy/test_ibendport.te |  35 +++
 policy/test_ibpkey.te|  25 +
 tests/Makefile   |   8 +-
 tests/infiniband_endport/ibendport_test.conf |  14 +++
 tests/infiniband_endport/test|  49 +
 tests/infiniband_pkey/Makefile   |   7 ++
 tests/infiniband_pkey/create_modify_qp.c | 144 +++
 tests/infiniband_pkey/ibpkey_test.conf   |  18 
 tests/infiniband_pkey/test   |  84 
 11 files changed, 397 insertions(+), 4 deletions(-)
 create mode 100644 policy/test_ibendport.te
 create mode 100644 policy/test_ibpkey.te
 create mode 100644 tests/infiniband_endport/ibendport_test.conf
 create mode 100644 tests/infiniband_endport/test
 create mode 100644 tests/infiniband_pkey/Makefile
 create mode 100644 tests/infiniband_pkey/create_modify_qp.c
 create mode 100644 tests/infiniband_pkey/ibpkey_test.conf
 create mode 100755 tests/infiniband_pkey/test

-- 
2.12.2

ioctl help

[Dominick Grift]

I was looking again at ioctl whitelisting, and excuse me if I overlooked some 
documentation, but I am having a hard time implementing this.
what I did was I just wanted to basically test blacklisting a single ioctl (no 
particular one)

So i looked into androids sepolicy and just picked a semi-random ioctl from 
their 
"https://android.googlesource.com/platform/system/sepolicy/+/master/public/ioctl_defines;

for example: PHONE_CAPABILITIES_CHECK 0x40087182

However the xpermissions statement only allows 0x to 0x when i tried: 
(xpermission alg_socket_ioctl (ioctl alg_socket (not (0x40087182

My question is how do i convert these to something i can use with the 
xpermission statement in CIL, and why can seandroid sepolicy get away with 
using 0x12345678 where i have to use 0x1234? I could not find any scripts that 
converts these in the android tree.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift


signature.asc
Description: PGP signature