Re: [PATCH 1/2] libsepol: Clean up scope handling
On Tue, May 30, 2017 at 9:13 PM, James Carterwrote: > Currently, when checking if an identifier is enabled, each scope in > the decl_ids list is checked. This means that if any block that > requires the identifier is enabled, then the identifier will be treated > as being declared. > > Now, declarations will be kept at the end of the decl_ids list and > when checking if an identifier is enabled, only the last scope will > be checked (Except for roles and users which allow multiple declarations, > they will have to keep the old behavior.) > > Signed-off-by: James Carter > --- > libsepol/src/avrule_block.c | 24 > libsepol/src/policydb.c | 13 + > 2 files changed, 33 insertions(+), 4 deletions(-) > > diff --git a/libsepol/src/avrule_block.c b/libsepol/src/avrule_block.c > index 224e999..e1f460e 100644 > --- a/libsepol/src/avrule_block.c > +++ b/libsepol/src/avrule_block.c > @@ -156,20 +156,36 @@ int is_id_enabled(char *id, policydb_t * p, int > symbol_table) > { > scope_datum_t *scope = > (scope_datum_t *) hashtab_search(p->scope[symbol_table].table, > id); > - uint32_t i; > + avrule_decl_t *decl; > + uint32_t len = scope->decl_ids_len; > + > if (scope == NULL) { > return 0; > } > if (scope->scope != SCOPE_DECL) { > return 0; > } > - for (i = 0; i < scope->decl_ids_len; i++) { > - avrule_decl_t *decl = > - p->decl_val_to_struct[scope->decl_ids[i] - 1]; > + > + if (len < 1) { > + return 0; > + } > + > + if (symbol_table == SYM_ROLES || symbol_table == SYM_USERS) { > + uint32_t i; > + for (i = 0; i < len; i++) { > + avrule_decl_t *decl = > + p->decl_val_to_struct[scope->decl_ids[i] - 1]; Hello, This statement creates a local variable which shadows the previous "decl" variable that is introduced in this commit too (this gets reported as a -Wshadow warning). You may want to rename one of these two variables. Cheers, Nicolas
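Review bot: In the same hunk, `+ uint32_t len = scope->decl_ids_len;` dereferences `scope` before the existing `if (scope == NULL) { return 0; }` check that follows it, so an identifier missing from the scope table now crashes instead of being reported as not enabled; declare `len` without an initialiser and assign it after the NULL and `SCOPE_DECL` checks.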
Re: [PATCH RFC 2/2] nfs: update labeling behavior on a superblock when submounting
On Tue, 2017-05-30 at 15:40 -0400, J . Bruce Fields wrote: > On Tue, May 30, 2017 at 10:38:45AM -0400, Stephen Smalley wrote: > > On Fri, 2017-05-26 at 11:28 -0400, Scott Mayhew wrote: > > > On Fri, 26 May 2017, Stephen Smalley wrote: > > > > > > > On Thu, 2017-05-25 at 17:07 -0400, Scott Mayhew wrote: > > > > > When the client traverses from filesystem exported without > > > > > the > > > > > "security_label" option to one exported with the > > > > > "security_label" > > > > > option, it needs to pass SECURITY_LSM_NATIVE_LABELS to > > > > > security_sb_set_mnt_opts() so that the new superblock has > > > > > SBLABEL_MNT > > > > > set in its security mount options. Otherwise, attempts to > > > > > set > > > > > security > > > > > labels via setxattr over NFSv4.2 will fail. > > > > > > > > > > Signed-off-by: Scott Mayhew> > > > > --- > > > > > fs/nfs/super.c | 23 ++- > > > > > 1 file changed, 22 insertions(+), 1 deletion(-) > > > > > > > > > > diff --git a/fs/nfs/super.c b/fs/nfs/super.c > > > > > index 2f3822a..d7a3b89 100644 > > > > > --- a/fs/nfs/super.c > > > > > +++ b/fs/nfs/super.c 
> > > > > @@ -2544,10 +2544,31 @@ > > > > > EXPORT_SYMBOL_GPL(nfs_set_sb_security); > > > > > int nfs_clone_sb_security(struct super_block *s, struct > > > > > dentry > > > > > *mntroot, > > > > > struct nfs_mount_info *mount_info) > > > > > { > > > > > + int error; > > > > > + unsigned long kflags = 0, kflags_out = 0; > > > > > + struct security_mnt_opts opts; > > > > > + > > > > > /* clone any lsm security options from the parent to > > > > > the > > > > > new > > > > > sb */ > > > > > if (d_inode(mntroot)->i_op != NFS_SB(s)->nfs_client- > > > > > > rpc_ops->dir_inode_ops) > > > > > > > > > > return -ESTALE; > > > > > - return security_sb_clone_mnt_opts(mount_info- > > > > > >cloned- > > > > > > sb, > > > > > > > > > > s); > > > > > + error = security_sb_clone_mnt_opts(mount_info- > > > > > >cloned- > > > > > > sb, > > > > > > > > > > s); > > > > > + if (error) > > > > > + goto err; > > > > > + > > > > > + if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL && > > > > > + !(NFS_SB(mount_info->cloned->sb)->caps & > > > > > NFS_CAP_SECURITY_LABEL)) { > > > > > + memset(, 0, sizeof(opts)); > > > > > + kflags |= SECURITY_LSM_NATIVE_LABELS; > > > > > + > > > > > + error = security_sb_set_mnt_opts(s, , > > > > > kflags, > > > > > _out); > > > > > + if (error) > > > > > + goto err; > > > > > + > > > > > + if (!(kflags_out & > > > > > SECURITY_LSM_NATIVE_LABELS)) > > > > > + NFS_SB(s)->caps &= > > > > > ~NFS_CAP_SECURITY_LABEL; > > > > > + } > > > > > +err: > > > > > + return error; > > > > > } > > > > > EXPORT_SYMBOL_GPL(nfs_clone_sb_security); > > > > > > > > Could this clobber a context set via context= mount option? > > > > > > Argh, yes I suppose it could. In my first attempt to fix this, I > > > added > > > a security_sb_get_mnt_opts() hook to get the original mount > > > options > > > and > > > then passed that along with the SECURITY_LSM_NATIVE_LABELS flag > > > to > > > security_sb_set_mnt_opts(). 
When I saw that > > > security_sb_set_mnt_opts() > > > wouldn't allow me to change a superblock that had already been > > > initialized, I got rid of the hook and added the check in patch > > > 1... > > > maybe a combination of the two is needed? > > > > > > Testing it again now, I'm not sure the context= mount option is > > > working > > > correctly with the latest kernel. > > > > Looks like you are correct, > > https://github.com/SELinuxProject/selinux-kernel/issues/35 > > Ugh. So, to make sure I understand: the desired behavior is that in > the > case the client mounts with a context= option, behavior is exactly as > if > the client or server didn't support the new security labeling > protocol. > That would make sense to me. Yes, that's correct. And in theory that is what nfs_set_sb_security() is trying to do by clearing NFS_CAP_SECURITY_LABEL if SECURITY_LSM_NATIVE_LABELS was not set by the security hook.
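Review bot: Beyond the context= clobbering Stephen raised for the nfs_clone_sb_security() hunk, the `err:` label only does `return error;`, so both `goto err` lines can be plain `return error;` and the label dropped (a goto that performs no cleanup is discouraged in kernel code). The condition `NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL && !(...)` is correct by precedence but reads more clearly with parentheses around the `&` term. Finally, the new branch calls security_sb_set_mnt_opts() on a superblock that security_sb_clone_mnt_opts() has just initialised, which Scott notes the hook refuses to change, so the commit message should say explicitly that this patch only works together with the check added in patch 1.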
Re: [PATCH RFC 2/2] nfs: update labeling behavior on a superblock when submounting
On Tue, May 30, 2017 at 10:38:45AM -0400, Stephen Smalley wrote: > On Fri, 2017-05-26 at 11:28 -0400, Scott Mayhew wrote: > > On Fri, 26 May 2017, Stephen Smalley wrote: > > > > > On Thu, 2017-05-25 at 17:07 -0400, Scott Mayhew wrote: > > > > When the client traverses from filesystem exported without the > > > > "security_label" option to one exported with the "security_label" > > > > option, it needs to pass SECURITY_LSM_NATIVE_LABELS to > > > > security_sb_set_mnt_opts() so that the new superblock has > > > > SBLABEL_MNT > > > > set in its security mount options. Otherwise, attempts to set > > > > security > > > > labels via setxattr over NFSv4.2 will fail. > > > > > > > > Signed-off-by: Scott Mayhew> > > > --- > > > > fs/nfs/super.c | 23 ++- > > > > 1 file changed, 22 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/fs/nfs/super.c b/fs/nfs/super.c > > > > index 2f3822a..d7a3b89 100644 > > > > --- a/fs/nfs/super.c > > > > +++ b/fs/nfs/super.c 
> > > > @@ -2544,10 +2544,31 @@ EXPORT_SYMBOL_GPL(nfs_set_sb_security); > > > > int nfs_clone_sb_security(struct super_block *s, struct dentry > > > > *mntroot, > > > > struct nfs_mount_info *mount_info) > > > > { > > > > + int error; > > > > + unsigned long kflags = 0, kflags_out = 0; > > > > + struct security_mnt_opts opts; > > > > + > > > > /* clone any lsm security options from the parent to the > > > > new > > > > sb */ > > > > if (d_inode(mntroot)->i_op != NFS_SB(s)->nfs_client- > > > > > rpc_ops->dir_inode_ops) > > > > > > > > return -ESTALE; > > > > - return security_sb_clone_mnt_opts(mount_info->cloned- > > > > >sb, > > > > s); > > > > + error = security_sb_clone_mnt_opts(mount_info->cloned- > > > > >sb, > > > > s); > > > > + if (error) > > > > + goto err; > > > > + > > > > + if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL && > > > > + !(NFS_SB(mount_info->cloned->sb)->caps & > > > > NFS_CAP_SECURITY_LABEL)) { > > > > + memset(, 0, sizeof(opts)); > > > > + kflags |= SECURITY_LSM_NATIVE_LABELS; > > > > + > > > > + error = security_sb_set_mnt_opts(s, , > > > > kflags, > > > > _out); > > > > + if (error) > > > > + goto err; > > > > + > > > > + if (!(kflags_out & SECURITY_LSM_NATIVE_LABELS)) > > > > + NFS_SB(s)->caps &= > > > > ~NFS_CAP_SECURITY_LABEL; > > > > + } > > > > +err: > > > > + return error; > > > > } > > > > EXPORT_SYMBOL_GPL(nfs_clone_sb_security); > > > > > > Could this clobber a context set via context= mount option? > > > > Argh, yes I suppose it could. In my first attempt to fix this, I > > added > > a security_sb_get_mnt_opts() hook to get the original mount options > > and > > then passed that along with the SECURITY_LSM_NATIVE_LABELS flag to > > security_sb_set_mnt_opts(). When I saw that > > security_sb_set_mnt_opts() > > wouldn't allow me to change a superblock that had already been > > initialized, I got rid of the hook and added the check in patch 1... > > maybe a combination of the two is needed? 
> > > > Testing it again now, I'm not sure the context= mount option is > > working > > correctly with the latest kernel. > > Looks like you are correct, > https://github.com/SELinuxProject/selinux-kernel/issues/35 Ugh. So, to make sure I understand: the desired behavior is that in the case the client mounts with a context= option, behavior is exactly as if the client or server didn't support the new security labeling protocol. That would make sense to me. --b.
[PATCH 2/2] libsepol: Fix module_to_cil's handling of type aliases
Type aliases present a problem for module_to_cil because they are not in the sym_val_to_name table that it uses to write declarations. Type aliases are gathered by going through the decl_ids list and then the alias declaration is written out when the block with that scope id is handled. This doesn't work if a type alias appears in a require block, since the require cannot be distinguished from the declaration. The result is two declarations of the alias and an error when secilc compiles the policy. Because of the work cleaning up scope handling, the alias declaration will always be at the end of the decl_ids list, so now only gather the last scope id. Also, when an alias is used in a module it is required as a type and it will appear in the sym_val_to_name table. When that occurs, just skip the alias when writing out types. Signed-off-by: James Carter--- libsepol/src/module_to_cil.c | 18 +- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 7d8eb20..429d164 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -317,7 +317,7 @@ static int typealiases_gather_map(char *key, void *data, void *arg) struct type_datum *type = data; struct policydb *pdb = arg; struct scope_datum *scope; - uint32_t i; + uint32_t len; uint32_t scope_id; if (type->primary != 1) { @@ -326,8 +326,9 @@ static int typealiases_gather_map(char *key, void *data, void *arg) return -1; } - for (i = 0; i < scope->decl_ids_len; i++) { - scope_id = scope->decl_ids[i]; + len = scope->decl_ids_len; + if (len > 0) { + scope_id = scope->decl_ids[len-1]; if (typealias_lists[scope_id] == NULL) { rc = list_init(_lists[scope_id]); if (rc != 0) { @@ -2262,6 +2263,8 @@ static int type_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN cil_printf("))\n"); } break; + case TYPE_ALIAS: + break; default: log_err("Unknown flavor (%i) of type %s", type->flavor, key); rc = -1; 
@@ -3321,6 +3324,7 @@ static int typealiases_to_cil(int indent, struct policydb *pdb, struct avrule_bl { struct type_datum *alias_datum; char *alias_name; + char *type_name; struct list_node *curr; struct avrule_decl *decl = stack_peek(decl_stack); struct list *alias_list = typealias_lists[decl->decl_id]; @@ -3337,9 +3341,13 @@ static int typealiases_to_cil(int indent, struct policydb *pdb, struct avrule_bl rc = -1; goto exit; } - + if (alias_datum->flavor == TYPE_ALIAS) { + type_name = pdb->p_type_val_to_name[alias_datum->primary - 1]; + } else { + type_name = pdb->p_type_val_to_name[alias_datum->s.value - 1]; + } cil_println(indent, "(typealias %s)", alias_name); - cil_println(indent, "(typealiasactual %s %s)", alias_name, pdb->p_type_val_to_name[alias_datum->s.value - 1]); + cil_println(indent, "(typealiasactual %s %s)", alias_name, type_name); } return 0; -- 2.9.4
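Review bot: The typealiases_gather_map() hunk now trusts that `scope->decl_ids[len-1]` is the declaring scope. That ordering is established by symtab_insert() at compile time (patch 1/2), while the order module_to_cil sees is whatever the checkmodule that built the .pp stored, so a module compiled by an older toolchain will not necessarily satisfy it and the alias would be attributed to the wrong block. State that dependency in the commit message and, if older modules are expected as input, keep a fallback that scans the list.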
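Review bot: The bare `+ case TYPE_ALIAS:` / `+ break;` in type_to_cil() reads like a dropped case; add a one-line comment that aliases are written out by typealiases_to_cil() instead, as the commit message explains, so the next reader does not "fix" it.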
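Review bot: In the last hunk, the else branch keeps `pdb->p_type_val_to_name[alias_datum->s.value - 1]` for a datum whose flavor is not TYPE_ALIAS; since `s.value` is that datum's own value, does this print the alias's own name as the actual type (`(typealiasactual X X)`) when the alias was merely required as a type? If that branch is instead only reachable in the case the commit message describes, a comment stating which datum reaches each branch would make the intent checkable.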
[PATCH 1/2] libsepol: Clean up scope handling
Currently, when checking if an identifier is enabled, each scope in the decl_ids list is checked. This means that if any block that requires the identifier is enabled, then the identifier will be treated as being declared. Now, declarations will be kept at the end of the decl_ids list and when checking if an identifier is enabled, only the last scope will be checked (Except for roles and users which allow multiple declarations, they will have to keep the old behavior.) Signed-off-by: James Carter--- libsepol/src/avrule_block.c | 24 libsepol/src/policydb.c | 13 + 2 files changed, 33 insertions(+), 4 deletions(-) diff --git a/libsepol/src/avrule_block.c b/libsepol/src/avrule_block.c index 224e999..e1f460e 100644 --- a/libsepol/src/avrule_block.c +++ b/libsepol/src/avrule_block.c @@ -156,20 +156,36 @@ int is_id_enabled(char *id, policydb_t * p, int symbol_table) { scope_datum_t *scope = (scope_datum_t *) hashtab_search(p->scope[symbol_table].table, id); - uint32_t i; + avrule_decl_t *decl; + uint32_t len = scope->decl_ids_len; + if (scope == NULL) { return 0; } if (scope->scope != SCOPE_DECL) { return 0; } - for (i = 0; i < scope->decl_ids_len; i++) { - avrule_decl_t *decl = - p->decl_val_to_struct[scope->decl_ids[i] - 1]; + + if (len < 1) { + return 0; + } + + if (symbol_table == SYM_ROLES || symbol_table == SYM_USERS) { + uint32_t i; + for (i = 0; i < len; i++) { + avrule_decl_t *decl = + p->decl_val_to_struct[scope->decl_ids[i] - 1]; + if (decl != NULL && decl->enabled) { + return 1; + } + } + } else { + decl = p->decl_val_to_struct[scope->decl_ids[len-1] - 1]; if (decl != NULL && decl->enabled) { return 1; } } + return 0; } diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index b153095..ff4fc4e 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c 
@@ -1698,6 +1698,19 @@ int symtab_insert(policydb_t * pol, uint32_t sym, return -ENOMEM; } + if (scope_datum->scope == SCOPE_DECL && scope == SCOPE_REQ) { + /* Need to keep the decl at the end of the list */ + uint32_t len, tmp; + len = scope_datum->decl_ids_len; + if (len < 2) { + /* This should be impossible here */ + return -1; + } + tmp = scope_datum->decl_ids[len-2]; + scope_datum->decl_ids[len-2] = scope_datum->decl_ids[len-1]; + scope_datum->decl_ids[len-1] = tmp; + } + return retval; } -- 2.9.4
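Review bot: In the is_id_enabled() hunk, `+ uint32_t len = scope->decl_ids_len;` runs before the existing `if (scope == NULL)` check, turning a lookup miss into a NULL dereference; declare `len` uninitialised and assign it after the NULL and `SCOPE_DECL` checks. The inner `avrule_decl_t *decl` inside the roles/users loop also shadows the new outer `decl` (it trips -Wshadow); since the outer variable is only used in the else branch, either reuse it in the loop or move its declaration into the else block.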
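Review bot: In the symtab_insert() hunk, `+ return -1;` for `len < 2` is inconsistent with the `return -ENOMEM;` a few lines above in the same function; if the state is genuinely impossible, an assert or the same errno-style convention would be clearer than a bare -1. It is also worth a comment next to `decl_ids` (or at the top of is_id_enabled()) recording that the declaring scope is kept last, since is_id_enabled() and patch 2/2 now depend on that ordering.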
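The following is an added toy model, not libsepol's code, of the bookkeeping the commit message describes: a scope list per identifier, a swap on insert that keeps the declaring block last, and the old versus new is_id_enabled() check. The structure and function names mirror the patch but the layouts are simplified, and the scenario (a disabled declaring block plus an enabled requiring block) is constructed to show why the old check treated the identifier as declared.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not libsepol's real structures: each identifier has a
 * scope_datum listing the decl ids (1-based) of every block that declares
 * or requires it, and decl_val_to_struct maps a decl id to its enabled flag. */
#define MAX_IDS 8

enum scope_kind { SCOPE_REQ = 1, SCOPE_DECL = 2 };

struct avrule_decl { int enabled; };

struct scope_datum {
    enum scope_kind scope;      /* SCOPE_DECL once any block declares the id */
    uint32_t decl_ids[MAX_IDS]; /* insertion order, declaration kept last */
    uint32_t decl_ids_len;
};

struct policydb {
    struct avrule_decl decl_val_to_struct[MAX_IDS]; /* index = decl id - 1 */
};

/* Record that block decl_id declares (SCOPE_DECL) or requires (SCOPE_REQ)
 * the identifier. Mirrors the symtab_insert() change: after appending a
 * require to an already-declared id, swap the last two entries so the
 * declaring scope stays at the end of the list. */
int scope_insert(struct scope_datum *sd, uint32_t decl_id, enum scope_kind kind)
{
    if (sd->decl_ids_len >= MAX_IDS)
        return -1;
    if (kind == SCOPE_DECL || sd->decl_ids_len == 0)
        sd->scope = kind;
    sd->decl_ids[sd->decl_ids_len++] = decl_id;

    if (sd->scope == SCOPE_DECL && kind == SCOPE_REQ) {
        uint32_t len = sd->decl_ids_len, tmp;
        if (len < 2)            /* a declared id always has its decl entry */
            return -1;
        tmp = sd->decl_ids[len - 2];
        sd->decl_ids[len - 2] = sd->decl_ids[len - 1];
        sd->decl_ids[len - 1] = tmp;
    }
    return 0;
}

/* Behaviour before the patch: enabled if ANY listed block is enabled,
 * including blocks that merely require the identifier. */
int is_id_enabled_old(const struct policydb *p, const struct scope_datum *sd)
{
    uint32_t i;
    if (sd == NULL || sd->scope != SCOPE_DECL)
        return 0;
    for (i = 0; i < sd->decl_ids_len; i++)
        if (p->decl_val_to_struct[sd->decl_ids[i] - 1].enabled)
            return 1;
    return 0;
}

/* Behaviour after the patch (non-role/user case): only the declaring
 * block, kept last by scope_insert(), decides. */
int is_id_enabled_new(const struct policydb *p, const struct scope_datum *sd)
{
    uint32_t len;
    if (sd == NULL || sd->scope != SCOPE_DECL)
        return 0;
    len = sd->decl_ids_len;
    if (len < 1)
        return 0;
    return p->decl_val_to_struct[sd->decl_ids[len - 1] - 1].enabled ? 1 : 0;
}

/* Constructed scenario: block 1 declares the identifier but is disabled
 * (e.g. an optional whose requirements were not met); block 2 only requires
 * it and is enabled. Returns the old (use_new == 0) or new answer. */
int scenario_result(int use_new)
{
    struct policydb p;
    struct scope_datum sd;
    memset(&p, 0, sizeof p);
    memset(&sd, 0, sizeof sd);
    p.decl_val_to_struct[0].enabled = 0;  /* decl id 1: declaring block */
    p.decl_val_to_struct[1].enabled = 1;  /* decl id 2: requiring block */
    scope_insert(&sd, 1, SCOPE_DECL);
    scope_insert(&sd, 2, SCOPE_REQ);
    return use_new ? is_id_enabled_new(&p, &sd) : is_id_enabled_old(&p, &sd);
}

/* Returns the decl id left at the end of the list after one declaration
 * and two requires; the invariant says it must still be 1. */
uint32_t last_scope_after_requires(void)
{
    struct scope_datum sd;
    memset(&sd, 0, sizeof sd);
    scope_insert(&sd, 1, SCOPE_DECL);
    scope_insert(&sd, 2, SCOPE_REQ);
    scope_insert(&sd, 3, SCOPE_REQ);
    return sd.decl_ids[sd.decl_ids_len - 1];
}

int main(void)
{
    printf("old is_id_enabled: %d (requiring block's state leaks in)\n", scenario_result(0));
    printf("new is_id_enabled: %d (only the declaring block counts)\n", scenario_result(1));
    printf("declaring scope id after two requires: %u\n", last_scope_after_requires());
    return 0;
}
```

The swap in scope_insert() is the whole trick: a require appended after the declaration is moved in front of it, so the declaration's position is stable no matter how many optional blocks require the identifier, and the lookup can stay O(1).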
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On 5/30/2017 12:48 PM, Stephen Smalley wrote: > On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote: >> On 5/30/2017 12:05 PM, Stephen Smalley wrote: >>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote: From: Daniel Jurgensdiff --git a/tests/infiniband_pkey/test b/tests/infiniband_pkey/test old mode 100644 new mode 100755 >>> Not a big deal, but it seems odd that this mode change wasn't just >>> squashed into the first patch. >>> >>> Otherwise, it looks ok to me, but I don't have hardware to test it >>> on. >>> Did you confirm that when you run the tests, you get the expected >>> avc >>> denials in the audit logs? Also, did you confirm that if you >>> manually >>> run the tests in permissive mode, that the tests you expect to fail >>> do >>> so (and the rest do not)? >>> >>> >> I'm not sure what happened with the mode there. I didn't change it >> manually. I can clean it up if you want. > Looks like tests/Makefile does a chmod +x */test. > I wouldn't bother re-spinning unless Paul has other comments. > >> Regarding testing the test. Yes, I did make sure they fail as >> expected when in permissive mode. Also I changed setting in the >> configuration files to make sure all cases fail when they should >> where that was possible. > And avc: denied messages are as expected? > Yes, here's a sample: type=AVC msg=audit(1496161222.307:1584): avc: denied { manage_subnet } for pid=21976 comm="smpquery" device=mlx5_2 port_num=1 scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=0
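As an added example (mine, not part of the testsuite), here is a small parser for AVC audit records in the format of the sample above, plus a check that a record is the denial a test case expects: right source domain, object class and permission, and logged while enforcing (`permissive=0`). The first sample line is Daniel's record; the other two are constructed to give the filter something to reject (the same denial in permissive mode, and a SYSCALL record).

```python
import re

# First line: the AVC record posted in this thread. The next two are
# constructed variants so that the filter has records to reject.
SAMPLE_LINES = [
    'type=AVC msg=audit(1496161222.307:1584): avc: denied { manage_subnet } '
    'for pid=21976 comm="smpquery" device=mlx5_2 port_num=1 '
    'scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=0',
    # constructed: same denial, but logged in permissive mode
    'type=AVC msg=audit(1496161300.000:1600): avc: denied { manage_subnet } '
    'for pid=22001 comm="smpquery" device=mlx5_2 port_num=1 '
    'scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport permissive=1',
    # constructed: not an AVC record at all
    'type=SYSCALL msg=audit(1496161222.307:1584): arch=c000003e syscall=16 success=no',
]

_HEADER_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc: +(?P<result>denied|granted) +\{ *(?P<perms>[^}]*)\} +for +(?P<rest>.*)$'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:mls] into its fields (mls may be absent)."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        return None
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'mls': parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = _HEADER_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
    }
    # Remaining fields are key=value pairs; quoted values (comm=...) lose their quotes.
    for key, val in _KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_parts'] = parse_context(rec[ctx])
    return rec


def is_expected_denial(rec, source_type, tclass, perm, enforcing=True):
    """True if rec is the denial a test case expects: right source domain,
    object class and permission, and (by default) logged while enforcing."""
    if rec is None or rec['result'] != 'denied':
        return False
    sparts = rec.get('scontext_parts')
    if sparts is None or sparts['type'] != source_type:
        return False
    if rec.get('tclass') != tclass or perm not in rec['perms']:
        return False
    if enforcing and rec.get('permissive') != '0':
        return False
    return True


def find_expected_denials(lines, source_type, tclass, perm, enforcing=True):
    """Serial numbers of the records in lines that match the expectation."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if is_expected_denial(rec, source_type, tclass, perm, enforcing):
            hits.append(rec['serial'])
    return hits


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        rec = parse_avc(line)
        if rec:
            print(rec['serial'], rec['result'], rec['perms'], rec['tclass'],
                  rec['scontext_parts']['type'], '->', rec['tcontext_parts']['type'],
                  'permissive=' + rec['permissive'])
    print('enforcing hits:', find_expected_denials(
        SAMPLE_LINES, 'test_ibendport_manage_subnet_t', 'infiniband_endport', 'manage_subnet'))
```

Splitting the contexts out matters for the check: the sample's target type is `unlabeled_t`, which is visible as `tcontext_parts['type']` and can be asserted on just like the source domain when a test wants to confirm which object label the endport actually carried.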
Re: [RFC PATCH] tools: add perltidy to the syntax checker/fixer
On Tue, May 30, 2017 at 9:52 AM, Stephen Smalleywrote: > On Fri, 2017-05-26 at 11:58 -0400, Paul Moore wrote: >> From: Paul Moore >> >> Signed-off-by: Paul Moore >> --- >> tools/check-syntax | 86 >> >> 1 file changed, 66 insertions(+), 20 deletions(-) ... >> # >> -# Fix the formatting on a C source/header file >> +# Fix the formatting on a file >> # >> # Arguments: >> -# 1File to fix >> +# 1Language >> +# 2File to check >> # >> -function tool_c_style_fix() { >> - [[ -z "$1" || ! -r "$1" ]] && return >> +function style_fix() { >> + [[ -z "$1" ]] && return >> + [[ -z "$2" || ! -w "$2" ]] && return >> >> - tmp="$(mktemp --tmpdir=$(dirname "$1"))" >> - tool_c_style "$1" > "$tmp" >> - mv "$tmp" "$1" >> + tmp="$(mktemp --tmpdir=$(dirname "$2"))" >> + case "$1" in >> + c|C) >> + tool_c_style "$2" > "$tmp" >> + ;; >> + perl|Perl) >> + tool_perl_style "$2" > "$tmp" >> + ;; >> + esac >> + mv "$tmp" "$2" > > This approach doesn't preserve mode or other attributes on the file, > and therefore leaves the perl scripts non-executable after running > ./tools/check_syntax -f. Yes, good point. I'll replace that final mv command with the following: cat "$tmp" > "$2" rm "$tmp" -- paul moore www.paul-moore.com
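To make Stephen's point concrete, here is an added stand-alone demonstration (not the check-syntax script itself) of why `mv "$tmp" "$2"` loses the executable bit while `cat "$tmp" > "$2"` keeps it. `fake_style` is a hypothetical stand-in for tool_c_style/tool_perl_style that just strips trailing whitespace, and the sample script it runs on is constructed.

```sh
#!/bin/sh
# Added demo: replacing a file with mv swaps in the temp file's inode (created
# 0600 by mktemp), so the original's mode is lost; writing back through the
# original path truncates and rewrites the existing inode and keeps its mode.

# Hypothetical stand-in for tool_c_style/tool_perl_style: emit "$1" with
# trailing whitespace stripped.
fake_style() {
    sed 's/[[:space:]]*$//' "$1"
}

# The pattern from the patch: format into a temp file, then mv it over the
# original. mv only renames, so the file ends up with mktemp's 0600 mode.
style_fix_mv() {
    tmp="$(mktemp "$(dirname "$1")/tmp.XXXXXX")" || return 1
    fake_style "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Paul's replacement: copy the content back into the original path, which
# rewrites the existing inode, so mode and ownership survive.
style_fix_cat() {
    tmp="$(mktemp "$(dirname "$1")/tmp.XXXXXX")" || return 1
    fake_style "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm "$tmp"
}

# Constructed sample: an executable Perl script with trailing whitespace.
make_sample() {
    printf '#!/usr/bin/perl   \nprint "hi";  \n' > "$1"
    chmod 755 "$1"
}

is_executable() { [ -x "$1" ]; }
has_trailing_ws() { grep -q '[[:space:]]$' "$1"; }

# Run both variants on fresh samples and report what happened to the mode.
demo() {
    dir="$(mktemp -d)" || return 1
    make_sample "$dir/a.pl" && style_fix_mv "$dir/a.pl"
    make_sample "$dir/b.pl" && style_fix_cat "$dir/b.pl"
    for f in a.pl b.pl; do
        if is_executable "$dir/$f"; then m="executable"; else m="NOT executable"; fi
        if has_trailing_ws "$dir/$f"; then w="still has"; else w="has no"; fi
        echo "$f: $m, $w trailing whitespace"
    done
    rm -rf "$dir"
}

demo
```

Both variants produce the same content; only the cat variant leaves the Perl scripts runnable afterwards. The trade-off is that `cat > file` is not an atomic replacement, which is acceptable for a style fixer but worth remembering for files that something else may read mid-write.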
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote: > On 5/30/2017 12:05 PM, Stephen Smalley wrote: > > On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote: > > > From: Daniel Jurgens> > > > > > New tests for Infiniband endports. Most users do not have > > > infiniband > > > hardware, and if they do the device names can vary. There is a > > > configuration file for enabling the tests and setting environment > > > specific configurations. If the tests are disabled they always > > > show > > > as > > > passed. > > > > > > A special test application was unnecessary, a standard diagnostic > > > application is used instead. This required a change to the make > > > file > > > to avoid trying to build an application in the new subdir. 
> > > > > > Signed-off-by: Daniel Jurgens > > > > > > --- > > > v1: > > > - Synchronize interface names with refpolicy changes. > > > - Allowed access to unlabeled pkeys vs default pkey, default pkey > > > is > > > no > > > longer labeled in the refpolicy. > > > > > > v2: > > > Stephen Smalley: > > > - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive. > > > - Use ifdefs around corenet_ib* interfaces. > > > - Only build the test_ibpendport.te file if the > > > infiniband_endport > > > class > > > is available. > > > - use corecmd_bin_entry_type interface instead of allow ... > > > bin_t: > > > --- > > > README | 7 +++- > > > policy/Makefile | 4 +++ > > > policy/test_ibendport.te | 40 > > > +++ > > > tests/Makefile | 2 +- > > > tests/infiniband_endport/Makefile| 2 ++ > > > tests/infiniband_endport/ibendport_test.conf | 14 > > > tests/infiniband_endport/test| 49 > > > > > > tests/infiniband_pkey/test | 0 > > > 8 files changed, 116 insertions(+), 2 deletions(-) > > > create mode 100644 policy/test_ibendport.te > > > create mode 100644 tests/infiniband_endport/Makefile > > > create mode 100644 tests/infiniband_endport/ibendport_test.conf > > > create mode 100755 tests/infiniband_endport/test > > > mode change 100644 => 100755 tests/infiniband_pkey/test > > > > > > diff --git a/README b/README > > > index a4c8ebb..de50eb4 100644 > > > --- a/README > > > +++ b/README 
> > > @@ -201,7 +201,12 @@ INFINIBAND TESTS > > > > > > Because running Infiniband tests requires specialized hardware > > > you > > > must > > > set up a configuration file for these tests. The tests are > > > disabled > > > by > > > -default. See comments in the configuration file for info. > > > +default. See comments in the configuration file for info. The > > > endport > > > +tests use smpquery, for Fedora it's provided by the infiniband- > > > diags > > > +package. > > > > > > Infiniband PKey test conf file: > > > tests/infiniband_pkey/ibpkey_test.conf > > > + > > > +Infiniband Endport test conf file: > > > +tests/infiniband_endport/ibendport_test.conf > > > diff --git a/policy/Makefile b/policy/Makefile > > > index 46c9fb5..c062009 100644 > > > --- a/policy/Makefile > > > +++ b/policy/Makefile > > > @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit > > > $(POLDEV)/include/support/all_perms.spt && echo > > > TARGETS += test_prlimit.te > > > endif > > > > > > +ifeq ($(shell grep -q infiniband_endport > > > $(POLDEV)/include/support/all_perms.spt && echo true),true) > > > +TARGETS += test_ibendport.te > > > +endif > > > + > > > ifeq ($(shell grep -q all_file_perms.*map > > > $(POLDEV)/include/support/all_perms.spt && echo true),true) > > > export M4PARAM = -Dmap_permission_defined > > > endif > > > diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te > > > new file mode 100644 > > > index 000..2a02c57 > > > --- /dev/null > > > +++ b/policy/test_ibendport.te 
> > > @@ -0,0 +1,40 @@ > > > +# > > > +# > > > +# Policy for testing Infiniband Pkey access. > > > +# > > > + > > > +gen_require(` > > > + type bin_t; > > > + type infiniband_mgmt_device_t; > > > +') > > > + > > > +attribute ibendportdomain; > > > + > > > +# Domain for process. > > > +type test_ibendport_manage_subnet_t; > > > +domain_type(test_ibendport_manage_subnet_t) > > > +unconfined_runs_test(test_ibendport_manage_subnet_t) > > > +typeattribute test_ibendport_manage_subnet_t testdomain; > > > +typeattribute test_ibendport_manage_subnet_t ibendportdomain; > > > + > > > +type test_ibendport_t; > > > +ifdef(`corenet_ib_endport',` > > > +corenet_ib_endport(test_ibendport_t) > > > +') > > > + > > > +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t) > > > +dev_rw_sysfs(test_ibendport_manage_subnet_t) > > > + > > > +corecmd_bin_entry_type(test_ibendport_manage_subnet_t) > > > + > > > +allow test_ibendport_manage_subnet_t > > > infiniband_mgmt_device_t:chr_file { read write open
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On 5/30/2017 12:05 PM, Stephen Smalley wrote: > On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens>> >> New tests for Infiniband endports. Most users do not have infiniband >> hardware, and if they do the device names can vary. There is a >> configuration file for enabling the tests and setting environment >> specific configurations. If the tests are disabled they always show >> as >> passed. >> >> A special test application was unnecessary, a standard diagnostic >> application is used instead. This required a change to the make file >> to avoid trying to build an application in the new subdir. >> >> Signed-off-by: Daniel Jurgens >> >> --- >> v1: >> - Synchronize interface names with refpolicy changes. >> - Allowed access to unlabeled pkeys vs default pkey, default pkey is >> no >> longer labeled in the refpolicy. >> >> v2: >> Stephen Smalley: >> - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive. >> - Use ifdefs around corenet_ib* interfaces. >> - Only build the test_ibpendport.te file if the infiniband_endport >> class >> is available. >> - use corecmd_bin_entry_type interface instead of allow ... bin_t: >> --- >> README | 7 +++- >> policy/Makefile | 4 +++ >> policy/test_ibendport.te | 40 >> +++ >> tests/Makefile | 2 +- >> tests/infiniband_endport/Makefile| 2 ++ >> tests/infiniband_endport/ibendport_test.conf | 14 >> tests/infiniband_endport/test| 49 >> >> tests/infiniband_pkey/test | 0 >> 8 files changed, 116 insertions(+), 2 deletions(-) >> create mode 100644 policy/test_ibendport.te >> create mode 100644 tests/infiniband_endport/Makefile >> create mode 100644 tests/infiniband_endport/ibendport_test.conf >> create mode 100755 tests/infiniband_endport/test >> mode change 100644 => 100755 tests/infiniband_pkey/test >> >> diff --git a/README b/README >> index a4c8ebb..de50eb4 100644 >> --- a/README >> +++ b/README 
>> @@ -201,7 +201,12 @@ INFINIBAND TESTS >> >> Because running Infiniband tests requires specialized hardware you >> must >> set up a configuration file for these tests. The tests are disabled >> by >> -default. See comments in the configuration file for info. >> +default. See comments in the configuration file for info. The >> endport >> +tests use smpquery, for Fedora it's provided by the infiniband-diags >> +package. >> >> Infiniband PKey test conf file: >> tests/infiniband_pkey/ibpkey_test.conf >> + >> +Infiniband Endport test conf file: >> +tests/infiniband_endport/ibendport_test.conf >> diff --git a/policy/Makefile b/policy/Makefile >> index 46c9fb5..c062009 100644 >> --- a/policy/Makefile >> +++ b/policy/Makefile >> @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit >> $(POLDEV)/include/support/all_perms.spt && echo >> TARGETS += test_prlimit.te >> endif >> >> +ifeq ($(shell grep -q infiniband_endport >> $(POLDEV)/include/support/all_perms.spt && echo true),true) >> +TARGETS += test_ibendport.te >> +endif >> + >> ifeq ($(shell grep -q all_file_perms.*map >> $(POLDEV)/include/support/all_perms.spt && echo true),true) >> export M4PARAM = -Dmap_permission_defined >> endif >> diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te >> new file mode 100644 >> index 000..2a02c57 >> --- /dev/null >> +++ b/policy/test_ibendport.te 
>> @@ -0,0 +1,40 @@ >> +# >> +# >> +# Policy for testing Infiniband Pkey access. >> +# >> + >> +gen_require(` >> +type bin_t; >> +type infiniband_mgmt_device_t; >> +') >> + >> +attribute ibendportdomain; >> + >> +# Domain for process. >> +type test_ibendport_manage_subnet_t; >> +domain_type(test_ibendport_manage_subnet_t) >> +unconfined_runs_test(test_ibendport_manage_subnet_t) >> +typeattribute test_ibendport_manage_subnet_t testdomain; >> +typeattribute test_ibendport_manage_subnet_t ibendportdomain; >> + >> +type test_ibendport_t; >> +ifdef(`corenet_ib_endport',` >> +corenet_ib_endport(test_ibendport_t) >> +') >> + >> +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t) >> +dev_rw_sysfs(test_ibendport_manage_subnet_t) >> + >> +corecmd_bin_entry_type(test_ibendport_manage_subnet_t) >> + >> +allow test_ibendport_manage_subnet_t >> infiniband_mgmt_device_t:chr_file { read write open ioctl}; >> + >> +ifdef(`corenet_ib_access_unlabeled_pkeys',` >> +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t) >> +') >> + >> +allow test_ibendport_manage_subnet_t >> test_ibendport_t:infiniband_endport manage_subnet; >> + >> +# Allow all of these domains to be entered from the sysadm domain. >> +miscfiles_domain_entry_test_files(ibendportdomain) >> +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain) >> diff --git a/tests/Makefile b/tests/Makefile >> index
Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote: > From: Daniel Jurgens> > New tests for Infiniband endports. Most users do not have infiniband > hardware, and if they do the device names can vary. There is a > configuration file for enabling the tests and setting environment > specific configurations. If the tests are disabled they always show > as > passed. > > A special test application was unnecessary, a standard diagnostic > application is used instead. This required a change to the make file > to avoid trying to build an application in the new subdir. > > Signed-off-by: Daniel Jurgens > > --- > v1: > - Synchronize interface names with refpolicy changes. > - Allowed access to unlabeled pkeys vs default pkey, default pkey is > no > longer labeled in the refpolicy. > > v2: > Stephen Smalley: > - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive. > - Use ifdefs around corenet_ib* interfaces. > - Only build the test_ibpendport.te file if the infiniband_endport > class > is available. > - use corecmd_bin_entry_type interface instead of allow ... bin_t: > --- > README | 7 +++- > policy/Makefile | 4 +++ > policy/test_ibendport.te | 40 > +++ > tests/Makefile | 2 +- > tests/infiniband_endport/Makefile| 2 ++ > tests/infiniband_endport/ibendport_test.conf | 14 > tests/infiniband_endport/test| 49 > > tests/infiniband_pkey/test | 0 > 8 files changed, 116 insertions(+), 2 deletions(-) > create mode 100644 policy/test_ibendport.te > create mode 100644 tests/infiniband_endport/Makefile > create mode 100644 tests/infiniband_endport/ibendport_test.conf > create mode 100755 tests/infiniband_endport/test > mode change 100644 => 100755 tests/infiniband_pkey/test > > diff --git a/README b/README > index a4c8ebb..de50eb4 100644 > --- a/README > +++ b/README 
> @@ -201,7 +201,12 @@ INFINIBAND TESTS > > Because running Infiniband tests requires specialized hardware you > must > set up a configuration file for these tests. The tests are disabled > by > -default. See comments in the configuration file for info. > +default. See comments in the configuration file for info. The > endport > +tests use smpquery, for Fedora it's provided by the infiniband-diags > +package. > > Infiniband PKey test conf file: > tests/infiniband_pkey/ibpkey_test.conf > + > +Infiniband Endport test conf file: > +tests/infiniband_endport/ibendport_test.conf > diff --git a/policy/Makefile b/policy/Makefile > index 46c9fb5..c062009 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit > $(POLDEV)/include/support/all_perms.spt && echo > TARGETS += test_prlimit.te > endif > > +ifeq ($(shell grep -q infiniband_endport > $(POLDEV)/include/support/all_perms.spt && echo true),true) > +TARGETS += test_ibendport.te > +endif > + > ifeq ($(shell grep -q all_file_perms.*map > $(POLDEV)/include/support/all_perms.spt && echo true),true) > export M4PARAM = -Dmap_permission_defined > endif > diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te > new file mode 100644 > index 000..2a02c57 > --- /dev/null > +++ b/policy/test_ibendport.te 
> @@ -0,0 +1,40 @@ > +# > +# > +# Policy for testing Infiniband Pkey access. > +# > + > +gen_require(` > + type bin_t; > + type infiniband_mgmt_device_t; > +') > + > +attribute ibendportdomain; > + > +# Domain for process. > +type test_ibendport_manage_subnet_t; > +domain_type(test_ibendport_manage_subnet_t) > +unconfined_runs_test(test_ibendport_manage_subnet_t) > +typeattribute test_ibendport_manage_subnet_t testdomain; > +typeattribute test_ibendport_manage_subnet_t ibendportdomain; > + > +type test_ibendport_t; > +ifdef(`corenet_ib_endport',` > +corenet_ib_endport(test_ibendport_t) > +') > + > +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t) > +dev_rw_sysfs(test_ibendport_manage_subnet_t) > + > +corecmd_bin_entry_type(test_ibendport_manage_subnet_t) > + > +allow test_ibendport_manage_subnet_t > infiniband_mgmt_device_t:chr_file { read write open ioctl}; > + > +ifdef(`corenet_ib_access_unlabeled_pkeys',` > +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t) > +') > + > +allow test_ibendport_manage_subnet_t > test_ibendport_t:infiniband_endport manage_subnet; > + > +# Allow all of these domains to be entered from the sysadm domain. > +miscfiles_domain_entry_test_files(ibendportdomain) > +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain) > diff --git a/tests/Makefile b/tests/Makefile > index 7dfe2a8..369b678 100644 > --- a/tests/Makefile > +++ b/tests/Makefile > @@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare > exectrace execute_no_trans \ >
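Review bot: In the policy/test_ibendport.te hunk, the header comment `+# Policy for testing Infiniband Pkey access.` was carried over from the pkey policy and should say endport. With v2 switching to `corecmd_bin_entry_type(test_ibendport_manage_subnet_t)` (per the changelog), the `+ type bin_t;` in gen_require no longer appears to be referenced anywhere in the file and can be dropped, and `{ read write open ioctl}` wants a space before the closing brace.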
Re: libsepol segfaults with typealias and typealiasactual
On 05/30/2017 10:05 AM, Dominick Grift wrote:
> I have a typealias/typealiasactual in dssp2-standard at:
>
> https://github.com/DefenSec/dssp2-standard/blob/master/policy/system/rpm.cil#L18
>
> This *works*
>
> However now I want to additionally associate "unconfined.user.subj" with
> "rpm_script_t"
> So I created a module:
>
> echo "(typealiasesactual rpm_script_t unconfined.user.subj)" > mytest.cil &&
> semodule -i mytest.cil
> it returns (something along those lines):
>
> "subj is not an alias"
>
> however it seems as though the module did install. I cannot think of any
> simple way to determine whether it works as I cannot find any "seinfo
> --typealias" or sesearch "--typealiases"
>
> Anyway libsepol segfaults when I try to play more with this
>
> So I tried the following
>
> (typeattribute rpm_script_aliases_type_attribute)
> (typeattributeset rpm_script_aliases_type_attribute rpm.script.subj)
> (typeattributeset rpm_script_aliases_type_attribute unconfined.user.subj)
>
> (typealias rpm_script_t)
> (typealiasactual rpm_script_t rpm_script_aliases_type_attribute)
>
> This also returns incoherent messages, something like "invalid "." in ...", but
> it seems to install
>
> and after that everything just segfaults (libsepol), until I remove my local
> customizations
>
> I don't know a better way to explain this, but it looks to me like there's a serious bug
> in how typealiases are handled by libsepol:
>
> https://www.youtube.com/watch?v=qe-vqieu2jg
>

The first argument to the typealiasactual statement must resolve to a typealias, and the second argument must resolve to a type. In your above CIL snippet you have it resolving to an attribute, which is not allowed. However, we weren't correctly checking these restrictions, which could lead to segfaults and weird error messages. I've just sent a patch that should fix these conditions and error out with helpful messages.
[PATCH] sort input files
From: "Bernhard M. Wiedemann"when building packages (e.g. for openSUSE Linux) (random) filesystem order of input files influences ordering of functions in the output, thus without the patch, builds (in disposable VMs) would usually differ. See https://reproducible-builds.org/ for why this matters. --- libselinux/utils/Makefile| 2 +- libsemanage/src/Makefile | 2 +- libsemanage/tests/Makefile | 2 +- libsepol/tests/Makefile | 2 +- libsepol/utils/Makefile | 2 +- mcstrans/utils/Makefile | 2 +- policycoreutils/hll/pp/Makefile | 2 +- policycoreutils/load_policy/Makefile | 2 +- policycoreutils/run_init/Makefile| 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile index 14f94bd..5f5368a 100644 --- a/libselinux/utils/Makefile +++ b/libselinux/utils/Makefile @@ -53,7 +53,7 @@ PCRE_LDLIBS ?= -lpcre ifeq ($(ANDROID_HOST),y) TARGETS=sefcontext_compile else -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c))) endif sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile index dba50c8..f01385c 100644 --- a/libsemanage/src/Makefile +++ b/libsemanage/src/Makefile @@ -51,7 +51,7 @@ SWIGFILES=$(SWIGSO) semanage.py SWIGRUBYSO=$(RUBYPREFIX)_semanage.so LIBSO=$(TARGET).$(LIBVERSION) -GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) semanageswig_python_exception.i $(wildcard conf-*.[ch]) +GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) semanageswig_python_exception.i $(sort $(wildcard conf-*.[ch])) SRCS= $(filter-out $(GENERATED),$(sort $(wildcard *.c))) OBJS= $(patsubst %.c,%.o,$(SRCS)) conf-scan.o conf-parse.o diff --git a/libsemanage/tests/Makefile b/libsemanage/tests/Makefile index 9b27224..9ccb5b2 100644 --- a/libsemanage/tests/Makefile +++ b/libsemanage/tests/Makefile 
@@ -2,7 +2,7 @@ PREFIX ?= $(DESTDIR)/usr LIBDIR ?= $(PREFIX)/lib # Add your test source files here: -SOURCES = $(wildcard *.c) +SOURCES = $(sort $(wildcard *.c)) # Add the required external object files here: LIBS = ../src/libsemanage.a -lselinux -lsepol diff --git a/libsepol/tests/Makefile b/libsepol/tests/Makefile index 6ae8ad2..1bd96db 100644 --- a/libsepol/tests/Makefile +++ b/libsepol/tests/Makefile @@ -15,7 +15,7 @@ CHECKPOLICY := ../../checkpolicy/ CPPFLAGS += -I../include/ -I$(CHECKPOLICY) # test program object files -objs := $(patsubst %.c,%.o,$(wildcard *.c)) +objs := $(patsubst %.c,%.o,$(sort $(wildcard *.c))) parserobjs := $(CHECKPOLICY)queue.o $(CHECKPOLICY)y.tab.o \ $(CHECKPOLICY)parse_util.o $(CHECKPOLICY)lex.yy.o \ $(CHECKPOLICY)policy_define.o $(CHECKPOLICY)module_compiler.o diff --git a/libsepol/utils/Makefile b/libsepol/utils/Makefile index 3b2fb77..467aff2 100644 --- a/libsepol/utils/Makefile +++ b/libsepol/utils/Makefile @@ -7,7 +7,7 @@ override CFLAGS += -I../include override LDFLAGS += -L../src LDLIBS += -lsepol -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c))) all: $(TARGETS) diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile index e6f329b..7e59641 100644 --- a/mcstrans/utils/Makefile +++ b/mcstrans/utils/Makefile @@ -8,7 +8,7 @@ CFLAGS ?= -Wall override CFLAGS += -I../src -D_GNU_SOURCE LDLIBS += -lselinux -lpcre -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c))) all: $(TARGETS) diff --git a/policycoreutils/hll/pp/Makefile b/policycoreutils/hll/pp/Makefile index 1ca6c9d..813c9c6 100644 --- a/policycoreutils/hll/pp/Makefile +++ b/policycoreutils/hll/pp/Makefile @@ -10,7 +10,7 @@ HLLDIR ?= $(LIBEXECDIR)/selinux/hll CFLAGS ?= -Werror -Wall -W LDLIBS = -lsepol -PP_SRCS = $(wildcard *.c) +PP_SRCS = $(sort $(wildcard *.c)) PP_OBJS = $(patsubst %.c,%.o,$(PP_SRCS)) all: pp 
diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile index 6ab0f9d..256d95a 100644 --- a/policycoreutils/load_policy/Makefile +++ b/policycoreutils/load_policy/Makefile @@ -9,7 +9,7 @@ CFLAGS ?= -Werror -Wall -W override CFLAGS += $(LDFLAGS) -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" LDLIBS += -lsepol -lselinux -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c))) all: $(TARGETS) diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile index 6f5ee13..7b25952 100644 --- a/policycoreutils/run_init/Makefile +++ b/policycoreutils/run_init/Makefile @@ -23,7 +23,7 @@ ifeq ($(AUDITH), y) LDLIBS += -laudit endif -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c))) all: $(TARGETS) -- 2.9.4
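Review bot: In the libsemanage/src/Makefile hunk, wrapping `$(wildcard conf-*.[ch])` in `$(sort ...)` does not change build output, because GENERATED is only ever used as the pattern list of `$(filter-out $(GENERATED), ...)` and SRCS is already wrapped in `$(sort ...)` on the unchanged line below; that one change could be dropped so the patch stays limited to lists whose order reaches the compiler and linker. The other eight hunks are the ones that fix the ordering; the commit message could add that `$(sort)` also de-duplicates, which is harmless here since a single wildcard cannot return the same file twice.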
[PATCH v2 1/2] selinux-testsuite: Infiniband pkey tests
From: Daniel Jurgens

New tests for infiniband pkeys. Most users don't have Infiniband hardware, and if they do the pkey configuration is not standardized. There is a configuration file for enabling the test and setting environment specific test configurations. If the tests are disabled they will always show as passed.

Signed-off-by: Daniel Jurgens
---
v1:
- Synchronized interface names with refpolicy changes.
- Changed pkey test to not assume the default pkey is labeled; instead it takes a list of indexes with labeled and unlabeled pkeys. It checks that the labeled aren't allowed, unlabeled are allowed, and it labels the unlabeled ones to make sure they aren't allowed when labeled.

v2: Stephen Smalley:
- Ifdef around new corenet_ib* interfaces.
- Updated README with libibverbs-devel dependency.
- Ran new test program through astyle with recommended settings.
---
README | 12 ++- policy/Makefile | 3 +- policy/test_ibpkey.te| 30 +++ tests/Makefile | 4 +- tests/infiniband_pkey/Makefile | 7 ++ tests/infiniband_pkey/create_modify_qp.c | 136 +++ tests/infiniband_pkey/ibpkey_test.conf | 18 tests/infiniband_pkey/test | 84 +++ 8 files changed, 290 insertions(+), 4 deletions(-) create mode 100644 policy/test_ibpkey.te create mode 100644 tests/infiniband_pkey/Makefile create mode 100644 tests/infiniband_pkey/create_modify_qp.c create mode 100644 tests/infiniband_pkey/ibpkey_test.conf create mode 100644 tests/infiniband_pkey/test
diff --git a/README b/README index deedae5..a4c8ebb 100644 --- a/README +++ b/README
@@ -68,8 +68,9 @@ libselinux-devel # to build some of the test programs net-tools # for ifconfig, used by capable_net/test netlabel_tools # to load NetLabel configuration during inet_socket tests iptables # to load iptables SECMARK rules during inet_socket tests +libibverbs-devel # to build ibpkey test program. -yum install perl-Test perl-Test-Harness perl-Test-Simple selinux-policy-devel gcc libselinux-devel net-tools netlabel_tools iptables +yum install perl-Test perl-Test-Harness perl-Test-Simple selinux-policy-devel gcc libselinux-devel net-tools netlabel_tools iptables libibverbs-devel The testsuite requires a pre-existing base policy configuration of SELinux, using either the old example policy or the reference policy @@ -195,3 +196,12 @@ establish a base directory (based on the path of the script executable). This won't always be accurate, but will work for this test harness/configuration. $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; + +INFINIBAND TESTS + +Because running Infiniband tests requires specialized hardware you must +set up a configuration file for these tests. The tests are disabled by +default. See comments in the configuration file for info. + +Infiniband PKey test conf file: +tests/infiniband_pkey/ibpkey_test.conf diff --git a/policy/Makefile b/policy/Makefile index 7bc7f95..46c9fb5 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -22,7 +22,8 @@ TARGETS = \ test_task_create.te test_task_getpgid.te test_task_getsched.te \ test_task_getsid.te test_task_setpgid.te test_task_setsched.te \ test_transition.te test_inet_socket.te test_unix_socket.te \ - test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te + test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \ + test_ibpkey.te ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true) TARGETS += test_bounds.te diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te new file mode 100644 index 000..373404c --- /dev/null +++ b/policy/test_ibpkey.te 
@@ -0,0 +1,30 @@ +# +# +# Policy for testing Infiniband Pkey access. +# + +attribute ibpkeydomain; + +# Domain for process. +type test_ibpkey_access_t; +domain_type(test_ibpkey_access_t) +unconfined_runs_test(test_ibpkey_access_t) +typeattribute test_ibpkey_access_t testdomain; +typeattribute test_ibpkey_access_t ibpkeydomain; + +dev_rw_infiniband_dev(test_ibpkey_access_t) +dev_rw_sysfs(test_ibpkey_access_t) + +# Define a pkey type for labeling pkeys during the test. +type test_ibpkey_t; +ifdef(`corenet_ib_pkey',` +corenet_ib_pkey(test_ibpkey_t) +') + +ifdef(`corenet_ib_access_unlabeled_pkeys',` +corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t) +') + +# Allow all of these domains to be entered from the sysadm domain. +miscfiles_domain_entry_test_files(ibpkeydomain) +userdom_sysadm_entry_spec_domtrans_to(ibpkeydomain) diff --git a/tests/Makefile b/tests/Makefile index fb8a0aa..7dfe2a8 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -4,13 +4,13 @@ export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE DISTRO=$(shell ./os_detect) -SUBDIRS:=domain_trans entrypoint execshare exectrace execute_no_trans \
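Review bot: In the README hunk the added dependency line `libibverbs-devel # to build ibpkey test program.` ends with a full stop while the neighbouring entries do not; drop it for consistency. The new INFINIBAND TESTS section says the tests are disabled by default but not what a disabled test reports; the commit message says it shows as passed, which hides an unconfigured host in the test summary, so either state that in the README or have the test use the harness's skip facility so a disabled test is reported as skipped rather than passed.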
[PATCH v2 2/2] selinux-testsuite: Infiniband endport tests
From: Daniel Jurgens

New tests for Infiniband endports. Most users do not have infiniband hardware, and if they do the device names can vary. There is a configuration file for enabling the tests and setting environment specific configurations. If the tests are disabled they always show as passed. A special test application was unnecessary; a standard diagnostic application is used instead. This required a change to the make file to avoid trying to build an application in the new subdir.

Signed-off-by: Daniel Jurgens
---
v1:
- Synchronize interface names with refpolicy changes.
- Allowed access to unlabeled pkeys vs default pkey, default pkey is no longer labeled in the refpolicy.

v2: Stephen Smalley:
- Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
- Use ifdefs around corenet_ib* interfaces.
- Only build the test_ibendport.te file if the infiniband_endport class is available.
- use corecmd_bin_entry_type interface instead of allow ... bin_t:
---
README | 7 +++- policy/Makefile | 4 +++ policy/test_ibendport.te | 40 +++ tests/Makefile | 2 +- tests/infiniband_endport/Makefile| 2 ++ tests/infiniband_endport/ibendport_test.conf | 14 tests/infiniband_endport/test| 49 tests/infiniband_pkey/test | 0 8 files changed, 116 insertions(+), 2 deletions(-) create mode 100644 policy/test_ibendport.te create mode 100644 tests/infiniband_endport/Makefile create mode 100644 tests/infiniband_endport/ibendport_test.conf create mode 100755 tests/infiniband_endport/test mode change 100644 => 100755 tests/infiniband_pkey/test
diff --git a/README b/README index a4c8ebb..de50eb4 100644 --- a/README +++ b/README
@@ -201,7 +201,12 @@ INFINIBAND TESTS Because running Infiniband tests requires specialized hardware you must set up a configuration file for these tests. The tests are disabled by -default. See comments in the configuration file for info. +default. See comments in the configuration file for info. The endport +tests use smpquery, for Fedora it's provided by the infiniband-diags +package. Infiniband PKey test conf file: tests/infiniband_pkey/ibpkey_test.conf + +Infiniband Endport test conf file: +tests/infiniband_endport/ibendport_test.conf diff --git a/policy/Makefile b/policy/Makefile index 46c9fb5..c062009 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit $(POLDEV)/include/support/all_perms.spt && echo TARGETS += test_prlimit.te endif +ifeq ($(shell grep -q infiniband_endport $(POLDEV)/include/support/all_perms.spt && echo true),true) +TARGETS += test_ibendport.te +endif + ifeq ($(shell grep -q all_file_perms.*map $(POLDEV)/include/support/all_perms.spt && echo true),true) export M4PARAM = -Dmap_permission_defined endif diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te new file mode 100644 index 000..2a02c57 --- /dev/null +++ b/policy/test_ibendport.te 
@@ -0,0 +1,40 @@ +# +# +# Policy for testing Infiniband Pkey access. +# + +gen_require(` + type bin_t; + type infiniband_mgmt_device_t; +') + +attribute ibendportdomain; + +# Domain for process. +type test_ibendport_manage_subnet_t; +domain_type(test_ibendport_manage_subnet_t) +unconfined_runs_test(test_ibendport_manage_subnet_t) +typeattribute test_ibendport_manage_subnet_t testdomain; +typeattribute test_ibendport_manage_subnet_t ibendportdomain; + +type test_ibendport_t; +ifdef(`corenet_ib_endport',` +corenet_ib_endport(test_ibendport_t) +') + +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t) +dev_rw_sysfs(test_ibendport_manage_subnet_t) + +corecmd_bin_entry_type(test_ibendport_manage_subnet_t) + +allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read write open ioctl}; + +ifdef(`corenet_ib_access_unlabeled_pkeys',` +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t) +') + +allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet; + +# Allow all of these domains to be entered from the sysadm domain. +miscfiles_domain_entry_test_files(ibendportdomain) +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain) diff --git a/tests/Makefile b/tests/Makefile index 7dfe2a8..369b678 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \ task_setnice task_setscheduler task_getscheduler task_getsid \ task_getpgid task_setpgid file ioctl capable_file capable_net \ capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \ - overlay checkreqprot mqueue mac_admin infiniband_pkey + overlay checkreqprot mqueue mac_admin
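Review bot: In the policy/test_ibendport.te hunk the header comment reads "Policy for testing Infiniband Pkey access." but this file is the endport policy; also the `gen_require` block still requires `type bin_t;` although nothing in the file references bin_t now that `corecmd_bin_entry_type()` is used, so it can be reduced to `type infiniband_mgmt_device_t;`. Minor: `{ read write open ioctl}` is missing the space before the closing brace.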
[PATCH v2 0/2] Selinux tests for Infiniband
From: Daniel Jurgens

Implements new tests for Infiniband pkeys and endports. Because infiniband isn't widely used, and when it is the configuration is site specific, configuration files are used to enable the tests and set environment specific settings. When the tests are disabled they always show as passed. If enabled, the tests require corresponding updates to selinux, refpolicy, and the linux kernel.
---
v1:
- Synchronize interface names with changes to refpolicy.
- Change tests to not assume that default pkey is labeled.
- See patches v1 notes for more detail.

v2:
- Use ifdefs around new corenet_ib* interfaces.
- Exclude endport policy if infiniband_endport class is undefined.
- Use a stub makefile in tests/infiniband_endport vs a new SUBDIRS_NO_MAKE list in the makefile.
- Style cleanup in new pkey test program.
- Updated README for new dependency.

Daniel Jurgens (2):
  selinux-testsuite: Infiniband pkey tests
  selinux-testsuite: Infiniband endport tests

README | 17 +++- policy/Makefile | 7 +- policy/test_ibendport.te | 40 policy/test_ibpkey.te| 30 ++ tests/Makefile | 4 +- tests/infiniband_endport/Makefile| 2 + tests/infiniband_endport/ibendport_test.conf | 14 +++ tests/infiniband_endport/test| 49 ++ tests/infiniband_pkey/Makefile | 7 ++ tests/infiniband_pkey/create_modify_qp.c | 136 +++ tests/infiniband_pkey/ibpkey_test.conf | 18 tests/infiniband_pkey/test | 84 + 12 files changed, 404 insertions(+), 4 deletions(-) create mode 100644 policy/test_ibendport.te create mode 100644 policy/test_ibpkey.te create mode 100644 tests/infiniband_endport/Makefile create mode 100644 tests/infiniband_endport/ibendport_test.conf create mode 100755 tests/infiniband_endport/test create mode 100644 tests/infiniband_pkey/Makefile create mode 100644 tests/infiniband_pkey/create_modify_qp.c create mode 100644 tests/infiniband_pkey/ibpkey_test.conf create mode 100755 tests/infiniband_pkey/test
-- 2.12.2
[PATCH 1/1] libsepol/cil: fix aliasactual resolution errors
- Set rc to SEPOL_ERR if the alias part of an aliasactual statement does not resolve to the correct alias flavor (e.g. typealias, senalias, catalias) - Add an error check if the actual part of an aliasactual statement does not resolve to the correct actual flavor (type, sens, cat) Signed-off-by: Steve Lawrence--- libsepol/cil/src/cil_resolve_ast.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index a671068..5c26530 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -521,6 +521,7 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu } if (NODE(alias_datum)->flavor != alias_flavor) { cil_log(CIL_ERR, "%s is not an alias\n",alias_datum->name); + rc = SEPOL_ERR; goto exit; } @@ -529,6 +530,12 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, void *extra_args, enu goto exit; } + if (NODE(actual_datum)->flavor != flavor) { + cil_log(CIL_ERR, "%s is a %s, but aliases a %s\n", alias_datum->name, cil_node_to_string(NODE(alias_datum)), cil_node_to_string(NODE(actual_datum))); + rc = SEPOL_ERR; + goto exit; + } + alias = (struct cil_alias *)alias_datum; if (alias->actual != NULL) { -- 2.9.4
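Review bot: In the second hunk the new flavor check is right, and for consistency the message in the first hunk (`"%s is not an alias\n"`) could name what was actually found, as the new message does with cil_node_to_string(), so a user who passes a type where an alias is expected sees "rpm_script_t is a type, not an alias" rather than a bare "is not an alias". The `rc = SEPOL_ERR;` added in the first hunk is the important part: without it the `goto exit` left rc at whatever value it already held, which is how the statement from the bug report could print an error yet still install.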
Re: [PATCH v1 2/2] selinux-testsuite: Infiniband endport tests
On 5/25/2017 3:04 PM, Stephen Smalley wrote: > On Wed, 2017-05-24 at 17:18 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens>> >> >> +allow test_ibendport_manage_subnet_t bin_t:file entrypoint; >> +allow test_ibendport_manage_subnet_t bin_t:file execute; > Just use: > corecmd_bin_entry_type(test_ibendport_manage_subnet_t) Done > >> +allow test_ibendport_manage_subnet_t >> infiniband_mgmt_device_t:chr_file { read write open ioctl}; >> +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t) > This interface needs to be wrapped with an ifdef if this file is not > excluded when refpolicy lacks the necessary definitions. Done >> + >> +allow test_ibendport_manage_subnet_t >> test_ibendport_t:infiniband_endport manage_subnet; > This needs to be conditional on the definition of this class. You > could either omit the .te file altogether in the Makefile if not > defined, as we do for e.g. cap_userns, icmp_socket, etc, or you need to > wrap it conditionally as we do for e.g. map permission. Excluded building the .te file if the class is not defined. > >> +@SUBDIRS="$(SUBDIRS) $(SUBDIRS_NO_MAKE)" >> PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl > This works, but elsewhere we've always just put a trivial Makefile with > empty all: and clean: targets in it, e.g. entrypoint/Makefile. No big > deal either way. Switched to a stub makefile.
Re: [PATCH v1 1/2] selinux-testsuite: Infiniband pkey tests
On 5/25/2017 2:52 PM, Stephen Smalley wrote: > On Wed, 2017-05-24 at 17:18 +0300, Dan Jurgens wrote: >> From: Daniel Jurgens>> >> +corenet_ib_pkey(test_ibpkey_t) >> +corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t) > This will break the build on current Fedora and RHEL. > So, you can either conditionalize inclusion of test_ibpkey.te in the > Makefile (see other examples already there) so that it is omitted > entirely if refpolicy lacks the requisite support, or wrap these > interface calls with suitable ifdefs, e.g. > ifdef(`corenet_ib_pkey', ` > corenet_ib_pkey(test_ibpkey_t) > ') > ... > > Probably the latter is best so that we get at least some build testing. Done, with ifdefs. >> + >> >> +TARGETS=create_modify_qp >> + >> +LDLIBS+= -libverbs > This is a new build dependency (libibverbs-devel), which should be > listed in the README. Done > >> +int init_ib_rsrc(char* deviceName) >> +{ >> +int ndev = 0; >> +struct ibv_device **dlist = ibv_get_device_list(); >> +struct ibv_device *device = NULL;; >> +struct ibv_srq_init_attr srqiattr; >> +struct ibv_qp_init_attr qpiattr; >> +int i; >> + >> +if (!ndev) >> +{ > Can you run these test programs through > astyle --options=none --lineend=linux --mode=c --style=linux -- > indent=force-tab=8 --indent-preprocessor --indent-col1-comments --min- > conditional-indent=0 --max-instatement-indent=80 --pad-oper --align- > pointer=name --align-reference=name --max-code-length=80 --break-after- > logical Done.
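Review bot: In the quoted create_modify_qp.c hunk, `struct ibv_device *device = NULL;;` has a doubled semicolon; astyle does not remove the empty statement, so it needs a manual fix alongside the reformatting requested above.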
Re: [PATCH RFC 2/2] nfs: update labeling behavior on a superblock when submounting
On Fri, 2017-05-26 at 11:28 -0400, Scott Mayhew wrote: > On Fri, 26 May 2017, Stephen Smalley wrote: > > > On Thu, 2017-05-25 at 17:07 -0400, Scott Mayhew wrote: > > > When the client traverses from filesystem exported without the > > > "security_label" option to one exported with the "security_label" > > > option, it needs to pass SECURITY_LSM_NATIVE_LABELS to > > > security_sb_set_mnt_opts() so that the new superblock has > > > SBLABEL_MNT > > > set in its security mount options. Otherwise, attempts to set > > > security > > > labels via setxattr over NFSv4.2 will fail. > > > > > > Signed-off-by: Scott Mayhew> > > --- > > > fs/nfs/super.c | 23 ++- > > > 1 file changed, 22 insertions(+), 1 deletion(-) > > > > > > diff --git a/fs/nfs/super.c b/fs/nfs/super.c > > > index 2f3822a..d7a3b89 100644 > > > --- a/fs/nfs/super.c > > > +++ b/fs/nfs/super.c 
> > > @@ -2544,10 +2544,31 @@ EXPORT_SYMBOL_GPL(nfs_set_sb_security); > > > int nfs_clone_sb_security(struct super_block *s, struct dentry > > > *mntroot, > > > struct nfs_mount_info *mount_info) > > > { > > > + int error; > > > + unsigned long kflags = 0, kflags_out = 0; > > > + struct security_mnt_opts opts; > > > + > > > /* clone any lsm security options from the parent to the > > > new > > > sb */ > > > if (d_inode(mntroot)->i_op != NFS_SB(s)->nfs_client- > > > > rpc_ops->dir_inode_ops) > > > > > > return -ESTALE; > > > - return security_sb_clone_mnt_opts(mount_info->cloned- > > > >sb, > > > s); > > > + error = security_sb_clone_mnt_opts(mount_info->cloned- > > > >sb, > > > s); > > > + if (error) > > > + goto err; > > > + > > > + if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL && > > > + !(NFS_SB(mount_info->cloned->sb)->caps & > > > NFS_CAP_SECURITY_LABEL)) { > > > + memset(, 0, sizeof(opts)); > > > + kflags |= SECURITY_LSM_NATIVE_LABELS; > > > + > > > + error = security_sb_set_mnt_opts(s, , > > > kflags, > > > _out); > > > + if (error) > > > + goto err; > > > + > > > + if (!(kflags_out & SECURITY_LSM_NATIVE_LABELS)) > > > + NFS_SB(s)->caps &= > > > ~NFS_CAP_SECURITY_LABEL; > > > + } > > > +err: > > > + return error; > > > } > > > EXPORT_SYMBOL_GPL(nfs_clone_sb_security); > > > > Could this clobber a context set via context= mount option? > > Argh, yes I suppose it could. In my first attempt to fix this, I > added > a security_sb_get_mnt_opts() hook to get the original mount options > and > then passed that along with the SECURITY_LSM_NATIVE_LABELS flag to > security_sb_set_mnt_opts(). When I saw that > security_sb_set_mnt_opts() > wouldn't allow me to change a superblock that had already been > initialized, I got rid of the hook and added the check in patch 1... > maybe a combination of the two is needed? > > Testing it again now, I'm not sure the context= mount option is > working > correctly with the latest kernel. 
Looks like you are correct, https://github.com/SELinuxProject/selinux-kernel/issues/35
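Review bot: In the nfs_clone_sb_security hunk, the `err:` label does nothing but `return error;`, so the two `goto err` and the label can be replaced by direct returns; and the condition `NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL && !(...)` mixes `&` and `&&` without parentheses around the first operand, which reads more safely as `(NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL) && ...`. Beyond the context= clobbering raised above, clearing NFS_CAP_SECURITY_LABEL when the LSM does not hand back SECURITY_LSM_NATIVE_LABELS happens silently, so a later setxattr failure gives no hint why; an NFS debug message at that point would help whoever debugs the mount.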
Re: [PATCH 1/1] semanage: Fix manpage author for ibpkey and ibendport pages.
On Tue, 2017-05-30 at 16:26 +0300, Dan Jurgens wrote: > From: Daniel Jurgens> > Signed-off-by: Daniel Jurgens Thanks, applied. > --- > python/semanage/semanage-ibendport.8 | 2 +- > python/semanage/semanage-ibpkey.8| 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/python/semanage/semanage-ibendport.8 > b/python/semanage/semanage-ibendport.8 > index c3753a27..0a29eae1 100644 > --- a/python/semanage/semanage-ibendport.8 > +++ b/python/semanage/semanage-ibendport.8 > @@ -63,4 +63,4 @@ Label mlx4_0 port 2. > .BR semanage (8) > > .SH "AUTHOR" > -This man page was written by Daniel Walsh > +This man page was written by Daniel Jurgens > diff --git a/python/semanage/semanage-ibpkey.8 > b/python/semanage/semanage-ibpkey.8 > index 2da4f546..51f455ab 100644 > --- a/python/semanage/semanage-ibpkey.8 > +++ b/python/semanage/semanage-ibpkey.8 > @@ -63,4 +63,4 @@ Label pkey 0x8FFF (limited membership default pkey) > as a default pkey type > .BR semanage (8) > > .SH "AUTHOR" > -This man page was written by Daniel Walsh > +This man page was written by Daniel Jurgens
libsepol segfaults with typealias and typealiasactual
I have a typealias/typealiasactual in dssp2-standard at:

https://github.com/DefenSec/dssp2-standard/blob/master/policy/system/rpm.cil#L18

This *works*

However now I want to additionally associate "unconfined.user.subj" with "rpm_script_t", so I created a module:

echo "(typealiasesactual rpm_script_t unconfined.user.subj)" > mytest.cil && semodule -i mytest.cil

It returns (something along those lines):

"subj is not an alias"

However it seems as though the module did install. I cannot think of any simple way to determine whether it works as I cannot find any "seinfo --typealias" or sesearch "--typealiases".

Anyway libsepol segfaults when I try to play more with this.

So I tried the following:

(typeattribute rpm_script_aliases_type_attribute)
(typeattributeset rpm_script_aliases_type_attribute rpm.script.subj)
(typeattributeset rpm_script_aliases_type_attribute unconfined.user.subj)

(typealias rpm_script_t)
(typealiasactual rpm_script_t rpm_script_aliases_type_attribute)

This also returns incoherent messages, something like "invalid "." in ...", but it seems to install, and after that everything just segfaults (libsepol) until I remove my local customizations.

I don't know a better way to explain this but it looks to me like there's a serious bug in how typealiases are handled by libsepol:

https://www.youtube.com/watch?v=qe-vqieu2jg

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift
Re: [RFC PATCH] tools: add perltidy to the syntax checker/fixer
On Fri, 2017-05-26 at 11:58 -0400, Paul Moore wrote: > From: Paul Moore> > Signed-off-by: Paul Moore > --- > tools/check-syntax | 86 > > 1 file changed, 66 insertions(+), 20 deletions(-) > > diff --git a/tools/check-syntax b/tools/check-syntax > index 72cb06b..ee83c03 100755 > --- a/tools/check-syntax > +++ b/tools/check-syntax > @@ -13,6 +13,9 @@ > CHK_C_LIST="$(find tests/ -name "*.c") $(find tests/ -name "*.h")" > CHK_C_EXCLUDE="" > > +CHK_PERL_LIST="$(find tests/ -name "*.pl") $(find tests/ -name > "test")" > +CHK_PERL_EXCLUDE="" > + > > # functions 
> > @@ -66,50 +69,92 @@ function tool_c_style() { > } > > # > -# Check the formatting on a C source/header file > +# Generate a properly formatted Perl source file > # > # Arguments: > -# 1File to check > +# 1Source file > # > -function tool_c_style_check() { > - [[ -z "$1" || ! -r "$1" ]] && return > +function tool_perl_style() { > + perltidy < "$1" > +} > > - tool_c_style "$1" | diff -pu --label="$1.orig" "$1" -- > label="$1" - > +# > +# Check the formatting on a file > +# > +# Arguments: > +# 1Language > +# 2File to check > +# > +function style_check() { > + [[ -z "$1" ]] && return > + [[ -z "$2" || ! -r "$2" ]] && return > + > + case "$1" in > + c|C) > + tool_c_style "$2" | \ > + diff -pu --label="$2.orig" "$2" --label="$2" > - > + ;; > + perl|Perl) > + tool_perl_style "$2" | \ > + diff -pu --label="$2.orig" "$2" --label="$2" > - > + ;; > + esac > } > > # > -# Fix the formatting on a C source/header file > +# Fix the formatting on a file > # > # Arguments: > -# 1File to fix > +# 1Language > +# 2File to check > # > -function tool_c_style_fix() { > - [[ -z "$1" || ! -r "$1" ]] && return > +function style_fix() { > + [[ -z "$1" ]] && return > + [[ -z "$2" || ! -w "$2" ]] && return > > - tmp="$(mktemp --tmpdir=$(dirname "$1"))" > - tool_c_style "$1" > "$tmp" > - mv "$tmp" "$1" > + tmp="$(mktemp --tmpdir=$(dirname "$2"))" > + case "$1" in > + c|C) > + tool_c_style "$2" > "$tmp" > + ;; > + perl|Perl) > + tool_perl_style "$2" > "$tmp" > + ;; > + esac > + mv "$tmp" "$2" This approach doesn't preserve mode or other attributes on the file, and therefore leaves the perl scripts non-executable after running ./tools/check_syntax -f. 
> } > > # > -# Perform all known syntax checks for the configured C > sources/headers > +# Perform all known syntax checks for the configured files > # > -function check_c() { > +function check() { > for i in $CHK_C_LIST; do > echo "$CHK_C_EXCLUDE" | grep -q "$i" && continue > echo "Differences for $i" > - tool_c_style_check "$i" > + style_check c "$i" > + done > + > + for i in $CHK_PERL_LIST; do > + echo "$CHK_PERL_EXCLUDE" | grep -q "$i" && continue > + echo "Differences for $i" > + style_check perl "$i" > done > } > > # > -# Perform all known syntax fixes for the configured C > sources/headers > +# Perform all known syntax fixes for the configured files > # > -function fix_c() { > +function fix() { > for i in $CHK_C_LIST; do > echo "$CHK_C_EXCLUDE" | grep -q "$i" && continue > echo "Fixing $i" > - tool_c_style_fix "$i" > + style_fix c "$i" > + done > + > + for i in $CHK_PERL_LIST; do > + echo "$CHK_PERL_EXCLUDE" | grep -q "$i" && continue > + echo "Fixing $i" > + style_fix perl "$i" > done > } > > @@ -117,6 +162,7 @@ function fix_c() { > # main > > verify_deps astyle > +verify_deps perltidy > > opt_fix=0 > > @@ -136,9 +182,9 @@ done > echo "=== $(date) ===" > echo "Code Syntax Check Results (\"check-syntax $*\")" > if [[ $opt_fix -eq 1 ]]; then > - fix_c > + fix > else > - check_c > + check > fi > echo "" >
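Review bot: In the style_fix hunk, `tool_c_style "$2" > "$tmp"` and `tool_perl_style "$2" > "$tmp"` are followed by an unconditional `mv "$tmp" "$2"`, so if astyle or perltidy exits non-zero (for example on a file it cannot parse) the source is overwritten with an empty or truncated file; check the tool's exit status and remove `$tmp` on failure before replacing the source. Writing the result back with `cat "$tmp" > "$2" && rm -f "$tmp"` instead of `mv` would also keep the original file's mode and ownership, which addresses the non-executable Perl scripts noted above. The inner `$(dirname "$2")` in the mktemp call should also be quoted.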
[PATCH 1/1] semanage: Fix manpage author for ibpkey and ibendport pages.
From: Daniel Jurgens

Signed-off-by: Daniel Jurgens
---
python/semanage/semanage-ibendport.8 | 2 +- python/semanage/semanage-ibpkey.8| 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/semanage/semanage-ibendport.8 b/python/semanage/semanage-ibendport.8 index c3753a27..0a29eae1 100644 --- a/python/semanage/semanage-ibendport.8 +++ b/python/semanage/semanage-ibendport.8 @@ -63,4 +63,4 @@ Label mlx4_0 port 2. .BR semanage (8) .SH "AUTHOR" -This man page was written by Daniel Walsh +This man page was written by Daniel Jurgens diff --git a/python/semanage/semanage-ibpkey.8 b/python/semanage/semanage-ibpkey.8 index 2da4f546..51f455ab 100644 --- a/python/semanage/semanage-ibpkey.8 +++ b/python/semanage/semanage-ibpkey.8 @@ -63,4 +63,4 @@ Label pkey 0x8FFF (limited membership default pkey) as a default pkey type .BR semanage (8) .SH "AUTHOR" -This man page was written by Daniel Walsh +This man page was written by Daniel Jurgens -- 2.12.2
Re: Access Vector Cache initialization audit message
On Mon, 2017-05-29 at 14:53 -0400, Richard Guy Briggs wrote:
> Hi,
>
> On kernel Access Vector Cache (AVC) initialization, there is an audit KERNEL
> type message logged to announce this fact.
>
> The general format of audit messages is label=value pair fields. Steve Grubb
> has been asking to have these records normalized by having a predictable set of
> field labels present.
>
> There already exists an audit KERNEL message giving audit state which has been
> normalized thus:
> "state=initialized audit_enabled=%u res=1"
>
> The AVC initialization audit message doesn't currently fit that format:
> "AVC INITIALIZED"
>
> I'd created an issue to normalize the AVC initialization along these lines or
> to have it move to a new message type and Paul Moore is questioning whether
> this message is required at all:
> https://github.com/linux-audit/audit-kernel/issues/48
>
> Can this message simply be eliminated?

AFAICT, yes, you can just remove it.