Re: [PATCH 1/2] libsepol: Clean up scope handling

2017-05-30 Thread Nicolas Iooss
On Tue, May 30, 2017 at 9:13 PM, James Carter  wrote:
> Currently, when checking if an identifier is enabled, each scope in
> the decl_ids list is checked. This means that if any block that
> requires the identifier is enabled, then the identifier will be treated
> as being declared.
>
> Now, declarations will be kept at the end of the decl_ids list and
> when checking if an identifier is enabled, only the last scope will
> be checked (Except for roles and users which allow multiple declarations,
> they will have to keep the old behavior.)
>
> Signed-off-by: James Carter 
> ---
>  libsepol/src/avrule_block.c | 24 
>  libsepol/src/policydb.c | 13 +
>  2 files changed, 33 insertions(+), 4 deletions(-)
>
> diff --git a/libsepol/src/avrule_block.c b/libsepol/src/avrule_block.c
> index 224e999..e1f460e 100644
> --- a/libsepol/src/avrule_block.c
> +++ b/libsepol/src/avrule_block.c
> @@ -156,20 +156,36 @@ int is_id_enabled(char *id, policydb_t * p, int 
> symbol_table)
>  {
> scope_datum_t *scope =
> (scope_datum_t *) hashtab_search(p->scope[symbol_table].table, 
> id);
> -   uint32_t i;
> +   avrule_decl_t *decl;
> +   uint32_t len = scope->decl_ids_len;
> +
> if (scope == NULL) {
> return 0;
> }
> if (scope->scope != SCOPE_DECL) {
> return 0;
> }
> -   for (i = 0; i < scope->decl_ids_len; i++) {
> -   avrule_decl_t *decl =
> -   p->decl_val_to_struct[scope->decl_ids[i] - 1];
> +
> +   if (len < 1) {
> +   return 0;
> +   }
> +
> +   if (symbol_table == SYM_ROLES || symbol_table == SYM_USERS) {
> +   uint32_t i;
> +   for (i = 0; i < len; i++) {
> +   avrule_decl_t *decl =
> +   p->decl_val_to_struct[scope->decl_ids[i] - 1];
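Review bot: `uint32_t len = scope->decl_ids_len;` dereferences `scope` before the `if (scope == NULL)` test that follows it, so a hashtab_search() miss now crashes instead of returning 0 as before; declare `len` without an initializer and assign it after the NULL and SCOPE_DECL checks.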

Hello,
This statement creates a local variable which shadows the previous
"decl" variable that is introduced in this commit too (this gets
reported as a -Wshadow warning). You may want to rename one of these
two variables.

Cheers,
Nicolas



Re: [PATCH RFC 2/2] nfs: update labeling behavior on a superblock when submounting

2017-05-30 Thread Stephen Smalley
On Tue, 2017-05-30 at 15:40 -0400, J . Bruce Fields wrote:
> On Tue, May 30, 2017 at 10:38:45AM -0400, Stephen Smalley wrote:
> > On Fri, 2017-05-26 at 11:28 -0400, Scott Mayhew wrote:
> > > On Fri, 26 May 2017, Stephen Smalley wrote:
> > > 
> > > > On Thu, 2017-05-25 at 17:07 -0400, Scott Mayhew wrote:
> > > > > When the client traverses from filesystem exported without
> > > > > the
> > > > > "security_label" option to one exported with the
> > > > > "security_label"
> > > > > option, it needs to pass SECURITY_LSM_NATIVE_LABELS to
> > > > > security_sb_set_mnt_opts() so that the new superblock has
> > > > > SBLABEL_MNT
> > > > > set in its security mount options.  Otherwise, attempts to
> > > > > set
> > > > > security
> > > > > labels via setxattr over NFSv4.2 will fail.
> > > > > 
> > > > > Signed-off-by: Scott Mayhew 
> > > > > ---
> > > > >  fs/nfs/super.c | 23 ++-
> > > > >  1 file changed, 22 insertions(+), 1 deletion(-)
> > > > > 
> > > > > diff --git a/fs/nfs/super.c b/fs/nfs/super.c
> > > > > index 2f3822a..d7a3b89 100644
> > > > > --- a/fs/nfs/super.c
> > > > > +++ b/fs/nfs/super.c
> > > > > @@ -2544,10 +2544,31 @@
> > > > > EXPORT_SYMBOL_GPL(nfs_set_sb_security);
> > > > >  int nfs_clone_sb_security(struct super_block *s, struct
> > > > > dentry
> > > > > *mntroot,
> > > > >     struct nfs_mount_info *mount_info)
> > > > >  {
> > > > > + int error;
> > > > > + unsigned long kflags = 0, kflags_out = 0;
> > > > > + struct security_mnt_opts opts;
> > > > > +
> > > > >   /* clone any lsm security options from the parent to
> > > > > the
> > > > > new
> > > > > sb */
> > > > >   if (d_inode(mntroot)->i_op != NFS_SB(s)->nfs_client-
> > > > > > rpc_ops->dir_inode_ops)
> > > > > 
> > > > >   return -ESTALE;
> > > > > - return security_sb_clone_mnt_opts(mount_info-
> > > > > >cloned-
> > > > > > sb,
> > > > > 
> > > > > s);
> > > > > + error = security_sb_clone_mnt_opts(mount_info-
> > > > > >cloned-
> > > > > > sb,
> > > > > 
> > > > > s);
> > > > > + if (error)
> > > > > + goto err;
> > > > > +
> > > > > + if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL &&
> > > > > + !(NFS_SB(mount_info->cloned->sb)->caps &
> > > > > NFS_CAP_SECURITY_LABEL)) {
> > > > > + memset(, 0, sizeof(opts));
> > > > > + kflags |= SECURITY_LSM_NATIVE_LABELS;
> > > > > +
> > > > > + error = security_sb_set_mnt_opts(s, ,
> > > > > kflags,
> > > > > _out);
> > > > > + if (error)
> > > > > + goto err;
> > > > > +
> > > > > + if (!(kflags_out &
> > > > > SECURITY_LSM_NATIVE_LABELS))
> > > > > + NFS_SB(s)->caps &=
> > > > > ~NFS_CAP_SECURITY_LABEL;
> > > > > + }
> > > > > +err:
> > > > > + return error;
> > > > >  }
> > > > >  EXPORT_SYMBOL_GPL(nfs_clone_sb_security);
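Review bot: after security_sb_clone_mnt_opts() has copied the parent's options into `s`, the new block passes a zeroed `opts` together with SECURITY_LSM_NATIVE_LABELS to security_sb_set_mnt_opts(), so a context= option that came across in the clone is not carried into that second call; either pass the cloned options along or skip the native-labels path when the parent was mounted with an explicit context (this is the clobbering concern raised in the thread). Minor: both `goto err` sites land on a label whose only statement is `return error;`, so a plain `return error;` at each site would let the label go.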
> > > > 
> > > > Could this clobber a context set via context= mount option?
> > > 
> > > Argh, yes I suppose it could.  In my first attempt to fix this, I
> > > added
> > > a security_sb_get_mnt_opts() hook to get the original mount
> > > options
> > > and
> > > then passed that along with the SECURITY_LSM_NATIVE_LABELS flag
> > > to
> > > security_sb_set_mnt_opts().  When I saw that
> > > security_sb_set_mnt_opts()
> > > wouldn't allow me to change a superblock that had already been
> > > initialized, I got rid of the hook and added the check in patch
> > > 1...
> > > maybe a combination of the two is needed?
> > > 
> > > Testing it again now, I'm not sure the context= mount option is
> > > working
> > > correctly with the latest kernel.
> > 
> > Looks like you are correct,
> > https://github.com/SELinuxProject/selinux-kernel/issues/35
> 
> Ugh.  So, to make sure I understand: the desired behavior is that in
> the
> case the client mounts with a context= option, behavior is exactly as
> if
> the client or server didn't support the new security labeling
> protocol.
> That would make sense to me.

Yes, that's correct.  And in theory that is what nfs_set_sb_security()
is trying to do by clearing NFS_CAP_SECURITY_LABEL if
SECURITY_LSM_NATIVE_LABELS was not set by the security hook.



Re: [PATCH RFC 2/2] nfs: update labeling behavior on a superblock when submounting

2017-05-30 Thread J . Bruce Fields
On Tue, May 30, 2017 at 10:38:45AM -0400, Stephen Smalley wrote:
> On Fri, 2017-05-26 at 11:28 -0400, Scott Mayhew wrote:
> > On Fri, 26 May 2017, Stephen Smalley wrote:
> > 
> > > On Thu, 2017-05-25 at 17:07 -0400, Scott Mayhew wrote:
> > > > When the client traverses from filesystem exported without the
> > > > "security_label" option to one exported with the "security_label"
> > > > option, it needs to pass SECURITY_LSM_NATIVE_LABELS to
> > > > security_sb_set_mnt_opts() so that the new superblock has
> > > > SBLABEL_MNT
> > > > set in its security mount options.  Otherwise, attempts to set
> > > > security
> > > > labels via setxattr over NFSv4.2 will fail.
> > > > 
> > > > Signed-off-by: Scott Mayhew 
> > > > ---
> > > >  fs/nfs/super.c | 23 ++-
> > > >  1 file changed, 22 insertions(+), 1 deletion(-)
> > > > 
> > > > diff --git a/fs/nfs/super.c b/fs/nfs/super.c
> > > > index 2f3822a..d7a3b89 100644
> > > > --- a/fs/nfs/super.c
> > > > +++ b/fs/nfs/super.c
> > > > @@ -2544,10 +2544,31 @@ EXPORT_SYMBOL_GPL(nfs_set_sb_security);
> > > >  int nfs_clone_sb_security(struct super_block *s, struct dentry
> > > > *mntroot,
> > > >       struct nfs_mount_info *mount_info)
> > > >  {
> > > > +   int error;
> > > > +   unsigned long kflags = 0, kflags_out = 0;
> > > > +   struct security_mnt_opts opts;
> > > > +
> > > >     /* clone any lsm security options from the parent to the
> > > > new
> > > > sb */
> > > >     if (d_inode(mntroot)->i_op != NFS_SB(s)->nfs_client-
> > > > > rpc_ops->dir_inode_ops)
> > > > 
> > > >     return -ESTALE;
> > > > -   return security_sb_clone_mnt_opts(mount_info->cloned-
> > > > >sb,
> > > > s);
> > > > +   error = security_sb_clone_mnt_opts(mount_info->cloned-
> > > > >sb,
> > > > s);
> > > > +   if (error)
> > > > +   goto err;
> > > > +
> > > > +   if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL &&
> > > > +   !(NFS_SB(mount_info->cloned->sb)->caps &
> > > > NFS_CAP_SECURITY_LABEL)) {
> > > > +   memset(, 0, sizeof(opts));
> > > > +   kflags |= SECURITY_LSM_NATIVE_LABELS;
> > > > +
> > > > +   error = security_sb_set_mnt_opts(s, ,
> > > > kflags,
> > > > _out);
> > > > +   if (error)
> > > > +   goto err;
> > > > +
> > > > +   if (!(kflags_out & SECURITY_LSM_NATIVE_LABELS))
> > > > +   NFS_SB(s)->caps &=
> > > > ~NFS_CAP_SECURITY_LABEL;
> > > > +   }
> > > > +err:
> > > > +   return error;
> > > >  }
> > > >  EXPORT_SYMBOL_GPL(nfs_clone_sb_security);
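Review bot: the condition `NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL && !(NFS_SB(mount_info->cloned->sb)->caps & NFS_CAP_SECURITY_LABEL)` only handles traversal from an unlabeled parent into a labeled export; the reverse direction (labeled parent, child exported without security_label) keeps whatever the clone copied, and the commit message should say whether that is intentional. The fallback that clears NFS_CAP_SECURITY_LABEL when `kflags_out` lacks SECURITY_LSM_NATIVE_LABELS is the same rule nfs_set_sb_security() applies on the initial mount, so a one-line comment pointing to it would help readers see the two paths are meant to agree.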
> > > 
> > > Could this clobber a context set via context= mount option?
> > 
> > Argh, yes I suppose it could.  In my first attempt to fix this, I
> > added
> > a security_sb_get_mnt_opts() hook to get the original mount options
> > and
> > then passed that along with the SECURITY_LSM_NATIVE_LABELS flag to
> > security_sb_set_mnt_opts().  When I saw that
> > security_sb_set_mnt_opts()
> > wouldn't allow me to change a superblock that had already been
> > initialized, I got rid of the hook and added the check in patch 1...
> > maybe a combination of the two is needed?
> > 
> > Testing it again now, I'm not sure the context= mount option is
> > working
> > correctly with the latest kernel.
> 
> Looks like you are correct,
> https://github.com/SELinuxProject/selinux-kernel/issues/35

Ugh.  So, to make sure I understand: the desired behavior is that in the
case the client mounts with a context= option, behavior is exactly as if
the client or server didn't support the new security labeling protocol.
That would make sense to me.

--b.



[PATCH 2/2] libsepol: Fix module_to_cil's handling of type aliases

2017-05-30 Thread James Carter
Type aliases present a problem for module_to_cil because they are not
in the sym_val_to_name table that it uses to write declarations. Type
aliases are gathered by going through the decl_ids list and then
the alias declaration is written out when the block with that scope
id is handled. This doesn't work if a type alias appears in a require
block, since the require cannot be distinguished from the declaration.
The result is two declarations of the alias and an error when secilc
compiles the policy.

Because of the work cleaning up scope handling, the alias declaration
will always be at the end of the decl_ids list, so now only gather
the last scope id.

Also, when an alias is used in a module it is required as a type and
it will appear in the sym_val_to_name table. When that occurs, just
skip the alias when writing out types.

Signed-off-by: James Carter 
---
 libsepol/src/module_to_cil.c | 18 +-
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 7d8eb20..429d164 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -317,7 +317,7 @@ static int typealiases_gather_map(char *key, void *data, 
void *arg)
struct type_datum *type = data;
struct policydb *pdb = arg;
struct scope_datum *scope;
-   uint32_t i;
+   uint32_t len;
uint32_t scope_id;
 
if (type->primary != 1) {
@@ -326,8 +326,9 @@ static int typealiases_gather_map(char *key, void *data, 
void *arg)
return -1;
}
 
-   for (i = 0; i < scope->decl_ids_len; i++) {
-   scope_id = scope->decl_ids[i];
+   len = scope->decl_ids_len;
+   if (len > 0) {
+   scope_id = scope->decl_ids[len-1];
if (typealias_lists[scope_id] == NULL) {
rc = list_init(_lists[scope_id]);
if (rc != 0) {
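Review bot: the new `if (len > 0)` takes over the closing brace of the removed `for` loop (outside the hunk), so what was a loop body is now a single-shot block; add a comment here stating that the declaration is guaranteed to be the last entry of decl_ids (the ordering introduced by patch 1/2), since `scope->decl_ids[len-1]` is only correct once that patch is applied and nothing in this function says so.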
@@ -2262,6 +2263,8 @@ static int type_to_cil(int indent, struct policydb *pdb, 
struct avrule_block *UN
cil_printf("))\n");
}
break;
+   case TYPE_ALIAS:
+   break;
default:
log_err("Unknown flavor (%i) of type %s", type->flavor, key);
rc = -1;
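Review bot: the bare `case TYPE_ALIAS: break;` should carry a comment explaining why the alias is skipped: per the description, an alias that a module requires lands in sym_val_to_name and is emitted by typealiases_to_cil() instead, so writing it here as well would produce the duplicate declaration that secilc rejects.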
@@ -3321,6 +3324,7 @@ static int typealiases_to_cil(int indent, struct policydb 
*pdb, struct avrule_bl
 {
struct type_datum *alias_datum;
char *alias_name;
+   char *type_name;
struct list_node *curr;
struct avrule_decl *decl = stack_peek(decl_stack);
struct list *alias_list = typealias_lists[decl->decl_id];
@@ -3337,9 +3341,13 @@ static int typealiases_to_cil(int indent, struct 
policydb *pdb, struct avrule_bl
rc = -1;
goto exit;
}
-
+   if (alias_datum->flavor == TYPE_ALIAS) {
+   type_name = 
pdb->p_type_val_to_name[alias_datum->primary - 1];
+   } else {
+   type_name = 
pdb->p_type_val_to_name[alias_datum->s.value - 1];
+   }
cil_println(indent, "(typealias %s)", alias_name);
-   cil_println(indent, "(typealiasactual %s %s)", alias_name, 
pdb->p_type_val_to_name[alias_datum->s.value - 1]);
+   cil_println(indent, "(typealiasactual %s %s)", alias_name, 
type_name);
}
 
return 0;
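Review bot: the branch on `alias_datum->flavor` indexes p_type_val_to_name with `primary - 1` for TYPE_ALIAS and `s.value - 1` otherwise; a comment spelling out the two representations (an alias declared in this module holds its target's value in `primary`, while an alias seen only through a require is a type datum whose `s.value` is the target's) would save the next reader a trip into policydb.h. The hunk also drops the blank line that separated the error-handling block from the output statements; keeping one line of separation there is worth it.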
-- 
2.9.4



[PATCH 1/2] libsepol: Clean up scope handling

2017-05-30 Thread James Carter
Currently, when checking if an identifier is enabled, each scope in
the decl_ids list is checked. This means that if any block that
requires the identifier is enabled, then the identifier will be treated
as being declared.

Now, declarations will be kept at the end of the decl_ids list and
when checking if an identifier is enabled, only the last scope will
be checked (Except for roles and users which allow multiple declarations,
they will have to keep the old behavior.)

Signed-off-by: James Carter 
---
 libsepol/src/avrule_block.c | 24 
 libsepol/src/policydb.c | 13 +
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/libsepol/src/avrule_block.c b/libsepol/src/avrule_block.c
index 224e999..e1f460e 100644
--- a/libsepol/src/avrule_block.c
+++ b/libsepol/src/avrule_block.c
@@ -156,20 +156,36 @@ int is_id_enabled(char *id, policydb_t * p, int 
symbol_table)
 {
scope_datum_t *scope =
(scope_datum_t *) hashtab_search(p->scope[symbol_table].table, id);
-   uint32_t i;
+   avrule_decl_t *decl;
+   uint32_t len = scope->decl_ids_len;
+
if (scope == NULL) {
return 0;
}
if (scope->scope != SCOPE_DECL) {
return 0;
}
-   for (i = 0; i < scope->decl_ids_len; i++) {
-   avrule_decl_t *decl =
-   p->decl_val_to_struct[scope->decl_ids[i] - 1];
+
+   if (len < 1) {
+   return 0;
+   }
+
+   if (symbol_table == SYM_ROLES || symbol_table == SYM_USERS) {
+   uint32_t i;
+   for (i = 0; i < len; i++) {
+   avrule_decl_t *decl =
+   p->decl_val_to_struct[scope->decl_ids[i] - 1];
+   if (decl != NULL && decl->enabled) {
+   return 1;
+   }
+   }
+   } else {
+   decl = p->decl_val_to_struct[scope->decl_ids[len-1] - 1];
if (decl != NULL && decl->enabled) {
return 1;
}
}
+
return 0;
 }
 
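Review bot: `uint32_t len = scope->decl_ids_len;` reads through `scope` before the `if (scope == NULL)` test two lines below, so a lookup miss now dereferences NULL instead of returning 0; declare `len` uninitialized and assign it after the NULL and SCOPE_DECL checks. Separately, the `avrule_decl_t *decl` declared at the top is shadowed by the `avrule_decl_t *decl` inside the roles/users loop (the -Wshadow warning Nicolas Iooss reported); either reuse the outer variable in the loop or declare it only in the `else` branch.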
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index b153095..ff4fc4e 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -1698,6 +1698,19 @@ int symtab_insert(policydb_t * pol, uint32_t sym,
return -ENOMEM;
}
 
+   if (scope_datum->scope == SCOPE_DECL && scope == SCOPE_REQ) {
+   /* Need to keep the decl at the end of the list */
+   uint32_t len, tmp;
+   len = scope_datum->decl_ids_len;
+   if (len < 2) {
+   /* This should be impossible here */
+   return -1;
+   }
+   tmp = scope_datum->decl_ids[len-2];
+   scope_datum->decl_ids[len-2] = scope_datum->decl_ids[len-1];
+   scope_datum->decl_ids[len-1] = tmp;
+   }
+
return retval;
 }
 
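Review bot: the swap at `tmp = scope_datum->decl_ids[len-2]` relies on the declaration sitting at `decl_ids[len-2]` whenever a SCOPE_REQ entry is appended to a SCOPE_DECL scope; that holds because this block runs on every require insert, but only for identifiers with a single declaration, and the description says roles and users may have several, so for them an earlier declaration drifts away from the end (which is why is_id_enabled() keeps the full scan for those tables). State that invariant and its limit in the comment so no future caller assumes the last entry is always the declaration. Also, `return -1` for `len < 2` sits beside `return -ENOMEM` a few lines up; returning a negative errno value (and logging, since the comment says this is impossible) would be consistent.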
-- 
2.9.4
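To make the decl_ids ordering concrete, here is an added example (not libsepol code) that models the two changes above in a few lines of C: a scope_insert() that keeps the declaration at the end of the list by swapping when a require is added after it, and an id_enabled_new() that looks only at the last entry (except for roles and users), placed beside the pre-patch any-block-enabled behaviour so the difference is visible. The structures and the names scope_insert, id_enabled_old, id_enabled_new and scenario_* are simplified stand-ins, not libsepol's; the scenario (a disabled block that declares the identifier plus two enabled blocks that only require it) is constructed for the example.

```c
/* Added example, not libsepol code: a minimal model of the decl_ids ordering
 * invariant and the is_id_enabled() change from "libsepol: Clean up scope
 * handling". Structures and function names are simplified stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCOPE_REQ  1
#define SCOPE_DECL 2
#define SYM_TYPES  0
#define SYM_ROLES  1
#define SYM_USERS  2
#define MAX_IDS    16

/* One avrule block; decl_id is 1-based as in libsepol's decl_val_to_struct. */
struct decl { uint32_t decl_id; int enabled; };

/* Scope record for one identifier: the blocks that declare or require it. */
struct scope {
    int scope;                 /* becomes SCOPE_DECL once any block declares it */
    uint32_t decl_ids[MAX_IDS];
    uint32_t decl_ids_len;
};

/* Model of the patched symtab_insert(): append the block id and, when a
 * require arrives after the declaration, swap so the declaration stays last. */
int scope_insert(struct scope *s, uint32_t decl_id, int kind)
{
    if (s->decl_ids_len >= MAX_IDS)
        return -1;
    if (s->decl_ids_len == 0 || kind == SCOPE_DECL)
        s->scope = kind;
    s->decl_ids[s->decl_ids_len++] = decl_id;

    if (s->scope == SCOPE_DECL && kind == SCOPE_REQ) {
        uint32_t len = s->decl_ids_len, tmp;
        if (len < 2)
            return -1;     /* unreachable: the declaration precedes this require */
        tmp = s->decl_ids[len - 2];
        s->decl_ids[len - 2] = s->decl_ids[len - 1];
        s->decl_ids[len - 1] = tmp;
    }
    return 0;
}

static const struct decl *decl_lookup(const struct decl *decls, size_t n,
                                      uint32_t decl_id)
{
    return (decl_id >= 1 && decl_id <= n) ? &decls[decl_id - 1] : NULL;
}

/* Pre-patch behaviour: enabled if ANY listed block is enabled, so an enabled
 * block that merely requires the identifier counts as declaring it. */
int id_enabled_old(const struct scope *s, const struct decl *decls, size_t n)
{
    uint32_t i;
    if (s == NULL || s->scope != SCOPE_DECL)
        return 0;
    for (i = 0; i < s->decl_ids_len; i++) {
        const struct decl *d = decl_lookup(decls, n, s->decl_ids[i]);
        if (d != NULL && d->enabled)
            return 1;
    }
    return 0;
}

/* Post-patch behaviour: only the last entry (the declaration) decides, except
 * for roles and users, which allow several declarations and keep the scan.
 * The NULL check comes before the first dereference of s. */
int id_enabled_new(const struct scope *s, const struct decl *decls, size_t n,
                   int symbol_table)
{
    const struct decl *d;
    if (s == NULL || s->scope != SCOPE_DECL || s->decl_ids_len < 1)
        return 0;
    if (symbol_table == SYM_ROLES || symbol_table == SYM_USERS)
        return id_enabled_old(s, decls, n);
    d = decl_lookup(decls, n, s->decl_ids[s->decl_ids_len - 1]);
    return d != NULL && d->enabled;
}

/* Constructed scenario: block 1 declares the identifier but is disabled (an
 * optional block turned off); blocks 2 and 3 only require it and are enabled. */
static struct decl scenario_decls[3] = { {1, 0}, {2, 1}, {3, 1} };

static int scenario_build(struct scope *s)
{
    memset(s, 0, sizeof(*s));
    return scope_insert(s, 1, SCOPE_DECL) || scope_insert(s, 2, SCOPE_REQ) ||
           scope_insert(s, 3, SCOPE_REQ);
}

/* 1 when the declaration (id 1) ends up last after the two requires. */
int scenario_decl_is_last(void)
{
    struct scope s;
    return scenario_build(&s) == 0 && s.decl_ids_len == 3 && s.decl_ids[2] == 1;
}

int scenario_result_old(void)
{
    struct scope s;
    return scenario_build(&s) ? -1 : id_enabled_old(&s, scenario_decls, 3);
}

int scenario_result_new(int symbol_table)
{
    struct scope s;
    return scenario_build(&s) ? -1
                              : id_enabled_new(&s, scenario_decls, 3, symbol_table);
}

int main(void)
{
    printf("declaration kept last: %d\n", scenario_decl_is_last());
    printf("old is_id_enabled (types): %d\n", scenario_result_old());
    printf("new is_id_enabled (types): %d\n", scenario_result_new(SYM_TYPES));
    printf("new is_id_enabled (roles): %d\n", scenario_result_new(SYM_ROLES));
    return 0;
}
```

Running it shows the problem the patch fixes: the old check reports the type as enabled because an enabled block requires it, while the new check consults only the declaring block and reports it disabled; for roles the scan is kept, so both agree there.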



Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Daniel Jurgens
On 5/30/2017 12:48 PM, Stephen Smalley wrote:
> On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote:
>> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
>>> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
 From: Daniel Jurgens 

 diff --git a/tests/infiniband_pkey/test
 b/tests/infiniband_pkey/test
 old mode 100644
 new mode 100755
>>> Not a big deal, but it seems odd that this mode change wasn't just
>>> squashed into the first patch.
>>>
>>> Otherwise, it looks ok to me, but I don't have hardware to test it
>>> on.
>>> Did you confirm that when you run the tests, you get the expected
>>> avc
>>> denials in the audit logs?  Also, did you confirm that if you
>>> manually
>>> run the tests in permissive mode, that the tests you expect to fail
>>> do
>>> so (and the rest do not)?
>>>
>>>
>> I'm not sure what happened with the mode there.  I didn't change it
>> manually.  I can clean it up if you want.
> Looks like tests/Makefile does a chmod +x */test.
> I wouldn't bother re-spinning unless Paul has other comments.
>
>> Regarding testing the test. Yes, I did make sure they fail as
>> expected when in permissive mode.  Also I changed setting in the
>> configuration files to make sure all cases fail when they should
>> where that was possible.
> And avc: denied messages are as expected?
>
Yes, here's a sample:

type=AVC msg=audit(1496161222.307:1584): avc:  denied  { manage_subnet } for  
pid=21976 comm="smpquery" device=mlx5_2 port_num=1 
scontext=unconfined_u:unconfined_r:test_ibendport_manage_subnet_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_endport 
permissive=0






Re: [RFC PATCH] tools: add perltidy to the syntax checker/fixer

2017-05-30 Thread Paul Moore
On Tue, May 30, 2017 at 9:52 AM, Stephen Smalley  wrote:
> On Fri, 2017-05-26 at 11:58 -0400, Paul Moore wrote:
>> From: Paul Moore 
>>
>> Signed-off-by: Paul Moore 
>> ---
>>  tools/check-syntax |   86 
>> 
>>  1 file changed, 66 insertions(+), 20 deletions(-)

...

>>  #
>> -# Fix the formatting on a C source/header file
>> +# Fix the formatting on a file
>>  #
>>  # Arguments:
>> -# 1File to fix
>> +# 1Language
>> +# 2File to check
>>  #
>> -function tool_c_style_fix() {
>> - [[ -z "$1" || ! -r "$1" ]] && return
>> +function style_fix() {
>> + [[ -z "$1" ]] && return
>> + [[ -z "$2" || ! -w "$2" ]] && return
>>
>> - tmp="$(mktemp --tmpdir=$(dirname "$1"))"
>> - tool_c_style "$1" > "$tmp"
>> - mv "$tmp" "$1"
>> + tmp="$(mktemp --tmpdir=$(dirname "$2"))"
>> + case "$1" in
>> + c|C)
>> + tool_c_style "$2" > "$tmp"
>> + ;;
>> + perl|Perl)
>> + tool_perl_style "$2" > "$tmp"
>> + ;;
>> + esac
>> + mv "$tmp" "$2"
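Review bot: the `case "$1"` has no default arm, so an unrecognised language leaves `$tmp` empty and `mv "$tmp" "$2"` then replaces the source file with an empty one; add a `*) rm -f "$tmp"; return ;;` arm before the `mv`. The same truncation happens if tool_c_style or tool_perl_style fails part-way, so checking the formatter's exit status before overwriting `$2` is worth it too.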
>
> This approach doesn't preserve mode or other attributes on the file,
> and therefore leaves the perl scripts non-executable after running
> ./tools/check_syntax -f.

Yes, good point.  I'll replace that final mv command with the following:

  cat "$tmp" > "$2"
  rm "$tmp"

-- 
paul moore
www.paul-moore.com


Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Stephen Smalley
On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote:
> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
> > On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> > > From: Daniel Jurgens 
> > > 
> > > New tests for Infiniband endports. Most users do not have
> > > infiniband
> > > hardware, and if they do the device names can vary.  There is a
> > > configuration file for enabling the tests and setting environment
> > > specific configurations.  If the tests are disabled they always
> > > show
> > > as
> > > passed.
> > > 
> > > A special test application was unnecessary, a standard diagnostic
> > > application is used instead.  This required a change to the make
> > > file
> > > to avoid trying to build an application in the new subdir.
> > > 
> > > Signed-off-by: Daniel Jurgens 
> > > 
> > > ---
> > > v1:
> > > - Synchronize interface names with refpolicy changes.
> > > - Allowed access to unlabeled pkeys vs default pkey, default pkey
> > > is
> > > no
> > > longer labeled in the refpolicy.
> > > 
> > > v2:
> > > Stephen Smalley:
> > > - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
> > > - Use ifdefs around corenet_ib* interfaces.
> > > - Only build the test_ibendport.te file if the
> > > infiniband_endport
> > > class
> > > is available.
> > > - use corecmd_bin_entry_type interface instead of allow ...
> > > bin_t:
> > > ---
> > >  README   |  7 +++-
> > >  policy/Makefile  |  4 +++
> > >  policy/test_ibendport.te | 40
> > > +++
> > >  tests/Makefile   |  2 +-
> > >  tests/infiniband_endport/Makefile|  2 ++
> > >  tests/infiniband_endport/ibendport_test.conf | 14 
> > >  tests/infiniband_endport/test| 49
> > > 
> > >  tests/infiniband_pkey/test   |  0
> > >  8 files changed, 116 insertions(+), 2 deletions(-)
> > >  create mode 100644 policy/test_ibendport.te
> > >  create mode 100644 tests/infiniband_endport/Makefile
> > >  create mode 100644 tests/infiniband_endport/ibendport_test.conf
> > >  create mode 100755 tests/infiniband_endport/test
> > >  mode change 100644 => 100755 tests/infiniband_pkey/test
> > > 
> > > diff --git a/README b/README
> > > index a4c8ebb..de50eb4 100644
> > > --- a/README
> > > +++ b/README
> > > @@ -201,7 +201,12 @@ INFINIBAND TESTS
> > >  
> > >  Because running Infiniband tests requires specialized hardware
> > > you
> > > must
> > >  set up a configuration file for these tests. The tests are
> > > disabled
> > > by
> > > -default.  See comments in the configuration file for info.
> > > +default.  See comments in the configuration file for info. The
> > > endport
> > > +tests use smpquery, for Fedora it's provided by the infiniband-
> > > diags
> > > +package.
> > >  
> > >  Infiniband PKey test conf file:
> > >  tests/infiniband_pkey/ibpkey_test.conf
> > > +
> > > +Infiniband Endport test conf file:
> > > +tests/infiniband_endport/ibendport_test.conf
> > > diff --git a/policy/Makefile b/policy/Makefile
> > > index 46c9fb5..c062009 100644
> > > --- a/policy/Makefile
> > > +++ b/policy/Makefile
> > > @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit
> > > $(POLDEV)/include/support/all_perms.spt && echo
> > >  TARGETS += test_prlimit.te
> > >  endif
> > >  
> > > +ifeq ($(shell grep -q infiniband_endport
> > > $(POLDEV)/include/support/all_perms.spt && echo true),true)
> > > +TARGETS += test_ibendport.te
> > > +endif
> > > +
> > >  ifeq ($(shell grep -q all_file_perms.*map
> > > $(POLDEV)/include/support/all_perms.spt && echo true),true)
> > >  export M4PARAM = -Dmap_permission_defined
> > >  endif
> > > diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
> > > new file mode 100644
> > > index 000..2a02c57
> > > --- /dev/null
> > > +++ b/policy/test_ibendport.te
> > > @@ -0,0 +1,40 @@
> > > +#
> > > +#
> > > +# Policy for testing Infiniband Pkey access.
> > > +#
> > > +
> > > +gen_require(`
> > > + type bin_t;
> > > + type infiniband_mgmt_device_t;
> > > +')
> > > +
> > > +attribute ibendportdomain;
> > > +
> > > +# Domain for process.
> > > +type test_ibendport_manage_subnet_t;
> > > +domain_type(test_ibendport_manage_subnet_t)
> > > +unconfined_runs_test(test_ibendport_manage_subnet_t)
> > > +typeattribute test_ibendport_manage_subnet_t testdomain;
> > > +typeattribute test_ibendport_manage_subnet_t ibendportdomain;
> > > +
> > > +type test_ibendport_t;
> > > +ifdef(`corenet_ib_endport',`
> > > +corenet_ib_endport(test_ibendport_t)
> > > +')
> > > +
> > > +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
> > > +dev_rw_sysfs(test_ibendport_manage_subnet_t)
> > > +
> > > +corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
> > > +
> > > +allow test_ibendport_manage_subnet_t
> > > infiniband_mgmt_device_t:chr_file { read write open 

Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Daniel Jurgens
On 5/30/2017 12:05 PM, Stephen Smalley wrote:
> On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
>> From: Daniel Jurgens 
>>
>> New tests for Infiniband endports. Most users do not have infiniband
>> hardware, and if they do the device names can vary.  There is a
>> configuration file for enabling the tests and setting environment
>> specific configurations.  If the tests are disabled they always show
>> as
>> passed.
>>
>> A special test application was unnecessary, a standard diagnostic
>> application is used instead.  This required a change to the make file
>> to avoid trying to build an application in the new subdir.
>>
>> Signed-off-by: Daniel Jurgens 
>>
>> ---
>> v1:
>> - Synchronize interface names with refpolicy changes.
>> - Allowed access to unlabeled pkeys vs default pkey, default pkey is
>> no
>> longer labeled in the refpolicy.
>>
>> v2:
>> Stephen Smalley:
>> - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
>> - Use ifdefs around corenet_ib* interfaces.
>> - Only build the test_ibendport.te file if the infiniband_endport
>> class
>> is available.
>> - use corecmd_bin_entry_type interface instead of allow ... bin_t:
>> ---
>>  README   |  7 +++-
>>  policy/Makefile  |  4 +++
>>  policy/test_ibendport.te | 40
>> +++
>>  tests/Makefile   |  2 +-
>>  tests/infiniband_endport/Makefile|  2 ++
>>  tests/infiniband_endport/ibendport_test.conf | 14 
>>  tests/infiniband_endport/test| 49
>> 
>>  tests/infiniband_pkey/test   |  0
>>  8 files changed, 116 insertions(+), 2 deletions(-)
>>  create mode 100644 policy/test_ibendport.te
>>  create mode 100644 tests/infiniband_endport/Makefile
>>  create mode 100644 tests/infiniband_endport/ibendport_test.conf
>>  create mode 100755 tests/infiniband_endport/test
>>  mode change 100644 => 100755 tests/infiniband_pkey/test
>>
>> diff --git a/README b/README
>> index a4c8ebb..de50eb4 100644
>> --- a/README
>> +++ b/README
>> @@ -201,7 +201,12 @@ INFINIBAND TESTS
>>  
>>  Because running Infiniband tests requires specialized hardware you
>> must
>>  set up a configuration file for these tests. The tests are disabled
>> by
>> -default.  See comments in the configuration file for info.
>> +default.  See comments in the configuration file for info. The
>> endport
>> +tests use smpquery, for Fedora it's provided by the infiniband-diags
>> +package.
>>  
>>  Infiniband PKey test conf file:
>>  tests/infiniband_pkey/ibpkey_test.conf
>> +
>> +Infiniband Endport test conf file:
>> +tests/infiniband_endport/ibendport_test.conf
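Review bot: the added README sentence "The endport tests use smpquery, for Fedora it's provided by the infiniband-diags package." is a comma splice; split it ("The endport tests use smpquery; on Fedora it is provided by the infiniband-diags package."), and since the tests cannot run without that binary, the same dependency belongs in the comments of ibendport_test.conf that the README points readers to.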
>> diff --git a/policy/Makefile b/policy/Makefile
>> index 46c9fb5..c062009 100644
>> --- a/policy/Makefile
>> +++ b/policy/Makefile
>> @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit
>> $(POLDEV)/include/support/all_perms.spt && echo
>>  TARGETS += test_prlimit.te
>>  endif
>>  
>> +ifeq ($(shell grep -q infiniband_endport
>> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>> +TARGETS += test_ibendport.te
>> +endif
>> +
>>  ifeq ($(shell grep -q all_file_perms.*map
>> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>>  export M4PARAM = -Dmap_permission_defined
>>  endif
>> diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
>> new file mode 100644
>> index 000..2a02c57
>> --- /dev/null
>> +++ b/policy/test_ibendport.te
>> @@ -0,0 +1,40 @@
>> +#
>> +#
>> +# Policy for testing Infiniband Pkey access.
>> +#
>> +
>> +gen_require(`
>> +type bin_t;
>> +type infiniband_mgmt_device_t;
>> +')
>> +
>> +attribute ibendportdomain;
>> +
>> +# Domain for process.
>> +type test_ibendport_manage_subnet_t;
>> +domain_type(test_ibendport_manage_subnet_t)
>> +unconfined_runs_test(test_ibendport_manage_subnet_t)
>> +typeattribute test_ibendport_manage_subnet_t testdomain;
>> +typeattribute test_ibendport_manage_subnet_t ibendportdomain;
>> +
>> +type test_ibendport_t;
>> +ifdef(`corenet_ib_endport',`
>> +corenet_ib_endport(test_ibendport_t)
>> +')
>> +
>> +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
>> +dev_rw_sysfs(test_ibendport_manage_subnet_t)
>> +
>> +corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
>> +
>> +allow test_ibendport_manage_subnet_t
>> infiniband_mgmt_device_t:chr_file { read write open ioctl};
>> +
>> +ifdef(`corenet_ib_access_unlabeled_pkeys',`
>> +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
>> +')
>> +
>> +allow test_ibendport_manage_subnet_t
>> test_ibendport_t:infiniband_endport manage_subnet;
>> +
>> +# Allow all of these domains to be entered from the sysadm domain.
>> +miscfiles_domain_entry_test_files(ibendportdomain)
>> +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
>> diff --git a/tests/Makefile b/tests/Makefile
>> index 

Re: [PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Stephen Smalley
On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> New tests for Infiniband endports. Most users do not have infiniband
> hardware, and if they do the device names can vary.  There is a
> configuration file for enabling the tests and setting environment
> specific configurations.  If the tests are disabled they always show
> as
> passed.
> 
> A special test application was unnecessary, a standard diagnostic
> application is used instead.  This required a change to the make file
> to avoid trying to build an application in the new subdir.
> 
> Signed-off-by: Daniel Jurgens 
> 
> ---
> v1:
> - Synchronize interface names with refpolicy changes.
> - Allowed access to unlabeled pkeys vs default pkey, default pkey is
> no
> longer labeled in the refpolicy.
> 
> v2:
> Stephen Smalley:
> - Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
> - Use ifdefs around corenet_ib* interfaces.
> - Only build the test_ibendport.te file if the infiniband_endport
> class
> is available.
> - use corecmd_bin_entry_type interface instead of allow ... bin_t:
> ---
>  README   |  7 +++-
>  policy/Makefile  |  4 +++
>  policy/test_ibendport.te | 40
> +++
>  tests/Makefile   |  2 +-
>  tests/infiniband_endport/Makefile|  2 ++
>  tests/infiniband_endport/ibendport_test.conf | 14 
>  tests/infiniband_endport/test| 49
> 
>  tests/infiniband_pkey/test   |  0
>  8 files changed, 116 insertions(+), 2 deletions(-)
>  create mode 100644 policy/test_ibendport.te
>  create mode 100644 tests/infiniband_endport/Makefile
>  create mode 100644 tests/infiniband_endport/ibendport_test.conf
>  create mode 100755 tests/infiniband_endport/test
>  mode change 100644 => 100755 tests/infiniband_pkey/test
> 
> diff --git a/README b/README
> index a4c8ebb..de50eb4 100644
> --- a/README
> +++ b/README
> @@ -201,7 +201,12 @@ INFINIBAND TESTS
>  
>  Because running Infiniband tests requires specialized hardware you
> must
>  set up a configuration file for these tests. The tests are disabled
> by
> -default.  See comments in the configuration file for info.
> +default.  See comments in the configuration file for info. The
> endport
> +tests use smpquery, for Fedora it's provided by the infiniband-diags
> +package.
>  
>  Infiniband PKey test conf file:
>  tests/infiniband_pkey/ibpkey_test.conf
> +
> +Infiniband Endport test conf file:
> +tests/infiniband_endport/ibendport_test.conf
> diff --git a/policy/Makefile b/policy/Makefile
> index 46c9fb5..c062009 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit
> $(POLDEV)/include/support/all_perms.spt && echo
>  TARGETS += test_prlimit.te
>  endif
>  
> +ifeq ($(shell grep -q infiniband_endport
> $(POLDEV)/include/support/all_perms.spt && echo true),true)
> +TARGETS += test_ibendport.te
> +endif
> +
>  ifeq ($(shell grep -q all_file_perms.*map
> $(POLDEV)/include/support/all_perms.spt && echo true),true)
>  export M4PARAM = -Dmap_permission_defined
>  endif
> diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
> new file mode 100644
> index 000..2a02c57
> --- /dev/null
> +++ b/policy/test_ibendport.te
> @@ -0,0 +1,40 @@
> +#
> +#
> +# Policy for testing Infiniband Pkey access.
> +#
> +
> +gen_require(`
> + type bin_t;
> + type infiniband_mgmt_device_t;
> +')
> +
> +attribute ibendportdomain;
> +
> +# Domain for process.
> +type test_ibendport_manage_subnet_t;
> +domain_type(test_ibendport_manage_subnet_t)
> +unconfined_runs_test(test_ibendport_manage_subnet_t)
> +typeattribute test_ibendport_manage_subnet_t testdomain;
> +typeattribute test_ibendport_manage_subnet_t ibendportdomain;
> +
> +type test_ibendport_t;
> +ifdef(`corenet_ib_endport',`
> +corenet_ib_endport(test_ibendport_t)
> +')
> +
> +dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
> +dev_rw_sysfs(test_ibendport_manage_subnet_t)
> +
> +corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
> +
> +allow test_ibendport_manage_subnet_t
> infiniband_mgmt_device_t:chr_file { read write open ioctl};
> +
> +ifdef(`corenet_ib_access_unlabeled_pkeys',`
> +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
> +')
> +
> +allow test_ibendport_manage_subnet_t
> test_ibendport_t:infiniband_endport manage_subnet;
> +
> +# Allow all of these domains to be entered from the sysadm domain.
> +miscfiles_domain_entry_test_files(ibendportdomain)
> +userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
> diff --git a/tests/Makefile b/tests/Makefile
> index 7dfe2a8..369b678 100644
> --- a/tests/Makefile
> +++ b/tests/Makefile
> @@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare
> exectrace execute_no_trans \
>   

Re: libsepol segfaults with typealias and typealiasactual

2017-05-30 Thread Steve Lawrence
On 05/30/2017 10:05 AM, Dominick Grift wrote:
> I have a typealias/typealiasactual in dssp2-standard at:
> 
> https://github.com/DefenSec/dssp2-standard/blob/master/policy/system/rpm.cil#L18
> 
> This *works*
> 
> However now I want to additionally associate "unconfined.user.subj" with 
> "rpm_script_t"
> So I created a module:
> 
> echo "(typealiasesactual rpm_script_t unconfined.user.subj)" > mytest.cil && 
> semodule -i mytest.cil
> it returns (something along those lines):
> 
> "subj is not an alias"
> 
> however it seems as though the module did install. I cannot think of any 
> simple way to determine whether it works as I cannot find any "seinfo 
> --typealias" or sesearch "--typealiases"
> 
> Anyway libsepol segfaults when I try to play more with this
> 
> So I tried the following
> 
> (typeattribute rpm_script_aliases_type_attribute)
> (typeattributeset rpm_script_aliases_type_attribute rpm.script.subj)
> (typeattributeset rpm_script_aliases_type_attribute unconfined.user.subj)
> 
> (typealias rpm_script_t)
> (typealiasactual rpm_script_t rpm_script_aliases_type_attribute)
> 
> This also returns incoherent messages something like "invalid "." in ...", but 
> it seems to install
> 
> and after that everything just segfaults (libsepol), until I remove my local 
> customizations
> 
> I don't know a better way to explain this but looks to me there's a serious bug 
> in how typealiases are handled by libsepol:
> 
> https://www.youtube.com/watch?v=qe-vqieu2jg
> 

The first argument to the typealiasactual statement must resolve to a
typealias, and the second argument must resolve to a type. In your above
CIL snippet you have it resolving to an attribute, which is not
allowed. However, we weren't correctly checking these restrictions,
which could lead to segfaults and weird error messages. I've just sent a
patch that should fix these conditions and error out with helpful messages.


[PATCH] sort input files

2017-05-30 Thread Stephen Smalley
From: "Bernhard M. Wiedemann" 

When building packages (e.g. for openSUSE Linux), the (random)
filesystem order of input files influences the ordering of functions
in the output; thus, without the patch, builds (in disposable VMs)
would usually differ.

See https://reproducible-builds.org/ for why this matters.
---
 libselinux/utils/Makefile| 2 +-
 libsemanage/src/Makefile | 2 +-
 libsemanage/tests/Makefile   | 2 +-
 libsepol/tests/Makefile  | 2 +-
 libsepol/utils/Makefile  | 2 +-
 mcstrans/utils/Makefile  | 2 +-
 policycoreutils/hll/pp/Makefile  | 2 +-
 policycoreutils/load_policy/Makefile | 2 +-
 policycoreutils/run_init/Makefile| 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index 14f94bd..5f5368a 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -53,7 +53,7 @@ PCRE_LDLIBS ?= -lpcre
 ifeq ($(ANDROID_HOST),y)
 TARGETS=sefcontext_compile
 else
-TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
 endif
 
 sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol
diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
index dba50c8..f01385c 100644
--- a/libsemanage/src/Makefile
+++ b/libsemanage/src/Makefile
@@ -51,7 +51,7 @@ SWIGFILES=$(SWIGSO) semanage.py
 SWIGRUBYSO=$(RUBYPREFIX)_semanage.so
 LIBSO=$(TARGET).$(LIBVERSION)
 
-GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) semanageswig_python_exception.i 
$(wildcard conf-*.[ch])
+GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) semanageswig_python_exception.i $(sort 
$(wildcard conf-*.[ch]))
 SRCS= $(filter-out $(GENERATED),$(sort $(wildcard *.c)))
 
 OBJS= $(patsubst %.c,%.o,$(SRCS)) conf-scan.o conf-parse.o
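Review bot: the $(sort) added to GENERATED has no effect on build ordering as far as this hunk shows: GENERATED is only used as the exclusion set of $(filter-out ...) for SRCS, and SRCS already fixes its own order with $(sort $(wildcard *.c)) while $(filter-out) keeps the order of its second argument. Harmless, but since the commit message only motivates the change by output ordering, either drop this one or say in the message that it is for consistency (or for a clean target not shown here).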
diff --git a/libsemanage/tests/Makefile b/libsemanage/tests/Makefile
index 9b27224..9ccb5b2 100644
--- a/libsemanage/tests/Makefile
+++ b/libsemanage/tests/Makefile
@@ -2,7 +2,7 @@ PREFIX ?= $(DESTDIR)/usr
 LIBDIR ?= $(PREFIX)/lib
 
 # Add your test source files here:
-SOURCES = $(wildcard *.c)
+SOURCES = $(sort $(wildcard *.c))
 
 # Add the required external object files here:
 LIBS = ../src/libsemanage.a -lselinux -lsepol
diff --git a/libsepol/tests/Makefile b/libsepol/tests/Makefile
index 6ae8ad2..1bd96db 100644
--- a/libsepol/tests/Makefile
+++ b/libsepol/tests/Makefile
@@ -15,7 +15,7 @@ CHECKPOLICY := ../../checkpolicy/
 CPPFLAGS += -I../include/ -I$(CHECKPOLICY)
 
 # test program object files
-objs := $(patsubst %.c,%.o,$(wildcard *.c))
+objs := $(patsubst %.c,%.o,$(sort $(wildcard *.c)))
 parserobjs := $(CHECKPOLICY)queue.o $(CHECKPOLICY)y.tab.o \
$(CHECKPOLICY)parse_util.o $(CHECKPOLICY)lex.yy.o \
$(CHECKPOLICY)policy_define.o $(CHECKPOLICY)module_compiler.o
diff --git a/libsepol/utils/Makefile b/libsepol/utils/Makefile
index 3b2fb77..467aff2 100644
--- a/libsepol/utils/Makefile
+++ b/libsepol/utils/Makefile
@@ -7,7 +7,7 @@ override CFLAGS += -I../include
 override LDFLAGS += -L../src
 LDLIBS += -lsepol
 
-TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
 
 all: $(TARGETS)
 
diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
index e6f329b..7e59641 100644
--- a/mcstrans/utils/Makefile
+++ b/mcstrans/utils/Makefile
@@ -8,7 +8,7 @@ CFLAGS ?= -Wall
 override CFLAGS += -I../src -D_GNU_SOURCE
 LDLIBS += -lselinux -lpcre
 
-TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
 
 all: $(TARGETS)
 
diff --git a/policycoreutils/hll/pp/Makefile b/policycoreutils/hll/pp/Makefile
index 1ca6c9d..813c9c6 100644
--- a/policycoreutils/hll/pp/Makefile
+++ b/policycoreutils/hll/pp/Makefile
@@ -10,7 +10,7 @@ HLLDIR ?= $(LIBEXECDIR)/selinux/hll
 CFLAGS ?= -Werror -Wall -W
 LDLIBS = -lsepol
 
-PP_SRCS = $(wildcard *.c)
+PP_SRCS = $(sort $(wildcard *.c))
 PP_OBJS = $(patsubst %.c,%.o,$(PP_SRCS))
 
 all: pp
diff --git a/policycoreutils/load_policy/Makefile 
b/policycoreutils/load_policy/Makefile
index 6ab0f9d..256d95a 100644
--- a/policycoreutils/load_policy/Makefile
+++ b/policycoreutils/load_policy/Makefile
@@ -9,7 +9,7 @@ CFLAGS ?= -Werror -Wall -W
 override CFLAGS += $(LDFLAGS) -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" 
-DPACKAGE="\"policycoreutils\""
 LDLIBS += -lsepol -lselinux
 
-TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
 
 all: $(TARGETS)
 
diff --git a/policycoreutils/run_init/Makefile 
b/policycoreutils/run_init/Makefile
index 6f5ee13..7b25952 100644
--- a/policycoreutils/run_init/Makefile
+++ b/policycoreutils/run_init/Makefile
@@ -23,7 +23,7 @@ ifeq ($(AUDITH), y)
LDLIBS += -laudit
 endif
 
-TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
 
 all: $(TARGETS)
 
-- 
2.9.4



[PATCH v2 1/2] selinux-testsuite: Infiniband pkey tests

2017-05-30 Thread Dan Jurgens
From: Daniel Jurgens 

New tests for infiniband pkeys. Most users don't have Infiniband
hardware, and if they do the pkey configuration is not standardized.
There is a configuration file for enabling the test and setting
environment specific test configurations. If the tests are disabled they
will always show as passed.

Signed-off-by: Daniel Jurgens 

---
v1:
- Synchronized interface names with refpolicy changes.
- Changed pkey test to not assume the default pkey is labeled; instead
it takes a list of indexes with labeled and unlabeled pkeys.  It checks
that the labeled ones aren't allowed, the unlabeled ones are allowed, and
it labels the unlabeled ones to make sure they aren't allowed when labeled.

v2:
Stephen Smalley:
- Ifdef around new corenet_ib* interfaces.
- Updated README with libibverbs-devel dependency.
- Ran new test program through astyle with recommended settings.
---
 README   |  12 ++-
 policy/Makefile  |   3 +-
 policy/test_ibpkey.te|  30 +++
 tests/Makefile   |   4 +-
 tests/infiniband_pkey/Makefile   |   7 ++
 tests/infiniband_pkey/create_modify_qp.c | 136 +++
 tests/infiniband_pkey/ibpkey_test.conf   |  18 
 tests/infiniband_pkey/test   |  84 +++
 8 files changed, 290 insertions(+), 4 deletions(-)
 create mode 100644 policy/test_ibpkey.te
 create mode 100644 tests/infiniband_pkey/Makefile
 create mode 100644 tests/infiniband_pkey/create_modify_qp.c
 create mode 100644 tests/infiniband_pkey/ibpkey_test.conf
 create mode 100644 tests/infiniband_pkey/test

diff --git a/README b/README
index deedae5..a4c8ebb 100644
--- a/README
+++ b/README
@@ -68,8 +68,9 @@ libselinux-devel # to build some of the test programs
 net-tools # for ifconfig, used by capable_net/test
 netlabel_tools # to load NetLabel configuration during inet_socket tests
 iptables # to load iptables SECMARK rules during inet_socket tests
+libibverbs-devel # to build ibpkey test program.
 
-yum install perl-Test perl-Test-Harness perl-Test-Simple selinux-policy-devel 
gcc libselinux-devel net-tools netlabel_tools iptables
+yum install perl-Test perl-Test-Harness perl-Test-Simple selinux-policy-devel 
gcc libselinux-devel net-tools netlabel_tools iptables libibverbs-devel
 
 The testsuite requires a pre-existing base policy configuration of
 SELinux, using either the old example policy or the reference policy
@@ -195,3 +196,12 @@ establish a base directory (based on the path of the script
 executable).  This won't always be accurate, but will work for this
 test harness/configuration.
$basedir = $0;  $basedir =~ s|(.*)/[^/]*|$1|;
+
+INFINIBAND TESTS
+
+Because running Infiniband tests requires specialized hardware you must
+set up a configuration file for these tests. The tests are disabled by
+default.  See comments in the configuration file for info.
+
+Infiniband PKey test conf file:
+tests/infiniband_pkey/ibpkey_test.conf
diff --git a/policy/Makefile b/policy/Makefile
index 7bc7f95..46c9fb5 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -22,7 +22,8 @@ TARGETS = \
test_task_create.te test_task_getpgid.te test_task_getsched.te \
test_task_getsid.te test_task_setpgid.te test_task_setsched.te \
test_transition.te test_inet_socket.te test_unix_socket.te \
-   test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te
+   test_mmap.te test_overlayfs.te test_mqueue.te test_mac_admin.te \
+   test_ibpkey.te
 
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te
diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
new file mode 100644
index 000..373404c
--- /dev/null
+++ b/policy/test_ibpkey.te
@@ -0,0 +1,30 @@
+#
+#
+# Policy for testing Infiniband Pkey access.
+#
+
+attribute ibpkeydomain;
+
+# Domain for process.
+type test_ibpkey_access_t;
+domain_type(test_ibpkey_access_t)
+unconfined_runs_test(test_ibpkey_access_t)
+typeattribute test_ibpkey_access_t testdomain;
+typeattribute test_ibpkey_access_t ibpkeydomain;
+
+dev_rw_infiniband_dev(test_ibpkey_access_t)
+dev_rw_sysfs(test_ibpkey_access_t)
+
+# Define a pkey type for labeling pkeys during the test.
+type test_ibpkey_t;
+ifdef(`corenet_ib_pkey',`
+corenet_ib_pkey(test_ibpkey_t)
+')
+
+ifdef(`corenet_ib_access_unlabeled_pkeys',`
+corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
+')
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(ibpkeydomain)
+userdom_sysadm_entry_spec_domtrans_to(ibpkeydomain)
diff --git a/tests/Makefile b/tests/Makefile
index fb8a0aa..7dfe2a8 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -4,13 +4,13 @@ export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE
 
 DISTRO=$(shell ./os_detect)
 
-SUBDIRS:=domain_trans entrypoint execshare exectrace execute_no_trans \

[PATCH v2 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Dan Jurgens
From: Daniel Jurgens 

New tests for Infiniband endports. Most users do not have infiniband
hardware, and if they do the device names can vary.  There is a
configuration file for enabling the tests and setting environment
specific configurations.  If the tests are disabled they always show as
passed.

A special test application was unnecessary; a standard diagnostic
application is used instead.  This required a change to the Makefile
to avoid trying to build an application in the new subdir.

Signed-off-by: Daniel Jurgens 

---
v1:
- Synchronize interface names with refpolicy changes.
- Allowed access to unlabeled pkeys vs default pkey, default pkey is no
longer labeled in the refpolicy.

v2:
Stephen Smalley:
- Use a stub makefile instead of a SUBDIRS_NO_MAKE directive.
- Use ifdefs around corenet_ib* interfaces.
- Only build the test_ibendport.te file if the infiniband_endport class
is available.
- Use corecmd_bin_entry_type interface instead of allow ... bin_t:
---
 README   |  7 +++-
 policy/Makefile  |  4 +++
 policy/test_ibendport.te | 40 +++
 tests/Makefile   |  2 +-
 tests/infiniband_endport/Makefile|  2 ++
 tests/infiniband_endport/ibendport_test.conf | 14 
 tests/infiniband_endport/test| 49 
 tests/infiniband_pkey/test   |  0
 8 files changed, 116 insertions(+), 2 deletions(-)
 create mode 100644 policy/test_ibendport.te
 create mode 100644 tests/infiniband_endport/Makefile
 create mode 100644 tests/infiniband_endport/ibendport_test.conf
 create mode 100755 tests/infiniband_endport/test
 mode change 100644 => 100755 tests/infiniband_pkey/test

diff --git a/README b/README
index a4c8ebb..de50eb4 100644
--- a/README
+++ b/README
@@ -201,7 +201,12 @@ INFINIBAND TESTS
 
 Because running Infiniband tests requires specialized hardware you must
 set up a configuration file for these tests. The tests are disabled by
-default.  See comments in the configuration file for info.
+default.  See comments in the configuration file for info. The endport
+tests use smpquery, for Fedora it's provided by the infiniband-diags
+package.
 
 Infiniband PKey test conf file:
 tests/infiniband_pkey/ibpkey_test.conf
+
+Infiniband Endport test conf file:
+tests/infiniband_endport/ibendport_test.conf
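Review bot: smpquery becomes a runtime dependency of the endport test, but it is only mentioned in this prose paragraph; add infiniband-diags to the package list and the yum line at the top of README, next to the libibverbs-devel entry that patch 1/2 adds, so a fresh Fedora setup picks it up. Minor wording: "The endport tests use smpquery; on Fedora it is provided by the infiniband-diags package."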
diff --git a/policy/Makefile b/policy/Makefile
index 46c9fb5..c062009 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -49,6 +49,10 @@ ifeq ($(shell grep -q getrlimit 
$(POLDEV)/include/support/all_perms.spt && echo
 TARGETS += test_prlimit.te
 endif
 
+ifeq ($(shell grep -q infiniband_endport 
$(POLDEV)/include/support/all_perms.spt && echo true),true)
+TARGETS += test_ibendport.te
+endif
+
 ifeq ($(shell grep -q all_file_perms.*map 
$(POLDEV)/include/support/all_perms.spt && echo true),true)
 export M4PARAM = -Dmap_permission_defined
 endif
diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te
new file mode 100644
index 000..2a02c57
--- /dev/null
+++ b/policy/test_ibendport.te
@@ -0,0 +1,40 @@
+#
+#
+# Policy for testing Infiniband Pkey access.
+#
+
+gen_require(`
+   type bin_t;
+   type infiniband_mgmt_device_t;
+')
+
+attribute ibendportdomain;
+
+# Domain for process.
+type test_ibendport_manage_subnet_t;
+domain_type(test_ibendport_manage_subnet_t)
+unconfined_runs_test(test_ibendport_manage_subnet_t)
+typeattribute test_ibendport_manage_subnet_t testdomain;
+typeattribute test_ibendport_manage_subnet_t ibendportdomain;
+
+type test_ibendport_t;
+ifdef(`corenet_ib_endport',`
+corenet_ib_endport(test_ibendport_t)
+')
+
+dev_rw_infiniband_dev(test_ibendport_manage_subnet_t)
+dev_rw_sysfs(test_ibendport_manage_subnet_t)
+
+corecmd_bin_entry_type(test_ibendport_manage_subnet_t)
+
+allow test_ibendport_manage_subnet_t infiniband_mgmt_device_t:chr_file { read 
write open ioctl};
+
+ifdef(`corenet_ib_access_unlabeled_pkeys',`
+corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
+')
+
+allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport 
manage_subnet;
+
+# Allow all of these domains to be entered from the sysadm domain.
+miscfiles_domain_entry_test_files(ibendportdomain)
+userdom_sysadm_entry_spec_domtrans_to(ibendportdomain)
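Review bot: the header comment still reads "Policy for testing Infiniband Pkey access." (copied from test_ibpkey.te) although this file is the endport policy; also `type bin_t;` in the gen_require block is no longer referenced now that corecmd_bin_entry_type() replaces the direct bin_t entrypoint/execute rules from v1, so that require can be dropped. Nit: the two leading empty `#` lines can be one.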
diff --git a/tests/Makefile b/tests/Makefile
index 7dfe2a8..369b678 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -10,7 +10,7 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace 
execute_no_trans \
task_setnice task_setscheduler task_getscheduler task_getsid \
task_getpgid task_setpgid file ioctl capable_file capable_net \
capable_sys dyntrans dyntrace bounds nnp mmap unix_socket inet_socket \
-   overlay checkreqprot mqueue mac_admin infiniband_pkey
+   overlay checkreqprot mqueue mac_admin 

[PATCH v2 0/2] Selinux tests for Infiniband

2017-05-30 Thread Dan Jurgens
From: Daniel Jurgens 

Implements new tests for Infiniband pkeys and endports. Because infiniband
isn't widely used, and when it is the configuration is site specific,
configuration files are used to enable the tests and set environment
specific settings. When the tests are disabled they always show as passed.

If enabled, the tests require corresponding updates to selinux, refpolicy,
and the linux kernel.

---

v1:
- Synchronize interface names with changes to refpolicy.
- Change tests to not assume that default pkey is labeled.
- See patches v1 notes for more detail.

v2:
- Use ifdefs around new corenet_ib* interfaces.
- Exclude endport policy if infiniband_endport class is undefined.
- Use a stub makefile in tests/infiniband_endport vs a new SUBDIRS_NO_MAKE
  list in the makefile.
- Style cleanup in new pkey test program.
- Updated README for new dependency.

Daniel Jurgens (2):
  selinux-testsuite: Infiniband pkey tests
  selinux-testsuite: Infiniband endport tests

 README   |  17 +++-
 policy/Makefile  |   7 +-
 policy/test_ibendport.te |  40 
 policy/test_ibpkey.te|  30 ++
 tests/Makefile   |   4 +-
 tests/infiniband_endport/Makefile|   2 +
 tests/infiniband_endport/ibendport_test.conf |  14 +++
 tests/infiniband_endport/test|  49 ++
 tests/infiniband_pkey/Makefile   |   7 ++
 tests/infiniband_pkey/create_modify_qp.c | 136 +++
 tests/infiniband_pkey/ibpkey_test.conf   |  18 
 tests/infiniband_pkey/test   |  84 +
 12 files changed, 404 insertions(+), 4 deletions(-)
 create mode 100644 policy/test_ibendport.te
 create mode 100644 policy/test_ibpkey.te
 create mode 100644 tests/infiniband_endport/Makefile
 create mode 100644 tests/infiniband_endport/ibendport_test.conf
 create mode 100755 tests/infiniband_endport/test
 create mode 100644 tests/infiniband_pkey/Makefile
 create mode 100644 tests/infiniband_pkey/create_modify_qp.c
 create mode 100644 tests/infiniband_pkey/ibpkey_test.conf
 create mode 100755 tests/infiniband_pkey/test

-- 
2.12.2



[PATCH 1/1] libsepol/cil: fix aliasactual resolution errors

2017-05-30 Thread Steve Lawrence
- Set rc to SEPOL_ERR if the alias part of an aliasactual statement
  does not resolve to the correct alias flavor (e.g. typealias, senalias,
  catalias)
- Add an error check if the actual part of an aliasactual statement
  does not resolve to the correct actual flavor (type, sens, cat)

Signed-off-by: Steve Lawrence 
---
 libsepol/cil/src/cil_resolve_ast.c | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/libsepol/cil/src/cil_resolve_ast.c 
b/libsepol/cil/src/cil_resolve_ast.c
index a671068..5c26530 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -521,6 +521,7 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, 
void *extra_args, enu
}
if (NODE(alias_datum)->flavor != alias_flavor) {
cil_log(CIL_ERR, "%s is not an alias\n",alias_datum->name);
+   rc = SEPOL_ERR;
goto exit;
}
 
@@ -529,6 +530,12 @@ int cil_resolve_aliasactual(struct cil_tree_node *current, 
void *extra_args, enu
goto exit;
}
 
+   if (NODE(actual_datum)->flavor != flavor) {
+   cil_log(CIL_ERR, "%s is a %s, but aliases a %s\n", 
alias_datum->name, cil_node_to_string(NODE(alias_datum)), 
cil_node_to_string(NODE(actual_datum)));
+   rc = SEPOL_ERR;
+   goto exit;
+   }
+
alias = (struct cil_alias *)alias_datum;
 
if (alias->actual != NULL) {
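Review bot: in the new actual-flavor check, the second %s prints cil_node_to_string(NODE(alias_datum)), which the check just above has already confirmed equals alias_flavor, so the message comes out as e.g. "rpm_script_t is a typealias, but aliases a typeattribute" without naming the identifier that resolved to the wrong kind. Printing actual_datum->name (and, if a flavor-to-string helper is available, the expected flavor) would point the user at the offending name directly, which is what the reporter was missing.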
-- 
2.9.4



Re: [PATCH v1 2/2] selinux-testsuite: Infiniband endport tests

2017-05-30 Thread Daniel Jurgens
On 5/25/2017 3:04 PM, Stephen Smalley wrote:
> On Wed, 2017-05-24 at 17:18 +0300, Dan Jurgens wrote:
>> From: Daniel Jurgens 
>>
>>
>> +allow test_ibendport_manage_subnet_t bin_t:file entrypoint;
>> +allow test_ibendport_manage_subnet_t bin_t:file execute;
> Just use:
> corecmd_bin_entry_type(test_ibendport_manage_subnet_t)

Done

>
>> +allow test_ibendport_manage_subnet_t
>> infiniband_mgmt_device_t:chr_file { read write open ioctl};
>> +corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t)
> This interface needs to be wrapped with an ifdef if this file is not
> excluded when refpolicy lacks the necessary definitions.

Done

>> +
>> +allow test_ibendport_manage_subnet_t
>> test_ibendport_t:infiniband_endport manage_subnet;
> This needs to be conditional on the definition of this class.  You
> could either omit the .te file altogether in the Makefile if not
> defined, as we do for e.g. cap_userns, icmp_socket, etc, or you need to
>  wrap it conditionally as we do for e.g. map permission.

Excluded building the .te file if the class is not defined.

>
>> +@SUBDIRS="$(SUBDIRS) $(SUBDIRS_NO_MAKE)"
>> PATH=/usr/bin:/bin:/usr/sbin:/sbin ./runtests.pl
> This works, but elsewhere we've always just put a trivial Makefile with
> empty all: and clean: targets in it, e.g. entrypoint/Makefile.  No big
> deal either way.

Switched to a stub makefile.





Re: [PATCH v1 1/2] selinux-testsuite: Infiniband pkey tests

2017-05-30 Thread Daniel Jurgens
On 5/25/2017 2:52 PM, Stephen Smalley wrote:
> On Wed, 2017-05-24 at 17:18 +0300, Dan Jurgens wrote:
>> From: Daniel Jurgens 
>>
>> +corenet_ib_pkey(test_ibpkey_t)
>> +corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t)
> This will break the build on current Fedora and RHEL.
> So, you can either conditionalize inclusion of test_ibpkey.te in the
> Makefile (see other examples already there) so that it is omitted
> entirely if refpolicy lacks the requisite support, or wrap these
> interface calls with suitable ifdefs, e.g.
> ifdef(`corenet_ib_pkey', `
> corenet_ib_pkey(test_ibpkey_t)
> ')
> ...
>
> Probably the latter is best so that we get at least some build testing.

Done, with ifdefs.

>> +
>>
>> +TARGETS=create_modify_qp
>> +
>> +LDLIBS+= -libverbs
> This is a new build dependency (libibverbs-devel), which should be
> listed in the README.

Done

>
>> +int init_ib_rsrc(char* deviceName)
>> +{
>> +int ndev = 0;
>> +struct ibv_device  **dlist = ibv_get_device_list();
>> +struct ibv_device  *device = NULL;;
>> +struct ibv_srq_init_attr srqiattr;
>> +struct ibv_qp_init_attr qpiattr;
>> +int i;
>> +
>> +if (!ndev)
>> +{
> Can you run these test programs through
> astyle --options=none --lineend=linux --mode=c --style=linux --
> indent=force-tab=8 --indent-preprocessor --indent-col1-comments --min-
> conditional-indent=0 --max-instatement-indent=80 --pad-oper --align-
> pointer=name --align-reference=name --max-code-length=80 --break-after-
> logical

Done.





Re: [PATCH RFC 2/2] nfs: update labeling behavior on a superblock when submounting

2017-05-30 Thread Stephen Smalley
On Fri, 2017-05-26 at 11:28 -0400, Scott Mayhew wrote:
> On Fri, 26 May 2017, Stephen Smalley wrote:
> 
> > On Thu, 2017-05-25 at 17:07 -0400, Scott Mayhew wrote:
> > > When the client traverses from filesystem exported without the
> > > "security_label" option to one exported with the "security_label"
> > > option, it needs to pass SECURITY_LSM_NATIVE_LABELS to
> > > security_sb_set_mnt_opts() so that the new superblock has
> > > SBLABEL_MNT
> > > set in its security mount options.  Otherwise, attempts to set
> > > security
> > > labels via setxattr over NFSv4.2 will fail.
> > > 
> > > Signed-off-by: Scott Mayhew 
> > > ---
> > >  fs/nfs/super.c | 23 ++-
> > >  1 file changed, 22 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/fs/nfs/super.c b/fs/nfs/super.c
> > > index 2f3822a..d7a3b89 100644
> > > --- a/fs/nfs/super.c
> > > +++ b/fs/nfs/super.c
> > > @@ -2544,10 +2544,31 @@ EXPORT_SYMBOL_GPL(nfs_set_sb_security);
> > >  int nfs_clone_sb_security(struct super_block *s, struct dentry
> > > *mntroot,
> > >     struct nfs_mount_info *mount_info)
> > >  {
> > > + int error;
> > > + unsigned long kflags = 0, kflags_out = 0;
> > > + struct security_mnt_opts opts;
> > > +
> > >   /* clone any lsm security options from the parent to the
> > > new
> > > sb */
> > >   if (d_inode(mntroot)->i_op != NFS_SB(s)->nfs_client-
> > > > rpc_ops->dir_inode_ops)
> > > 
> > >   return -ESTALE;
> > > - return security_sb_clone_mnt_opts(mount_info->cloned-
> > > >sb,
> > > s);
> > > + error = security_sb_clone_mnt_opts(mount_info->cloned-
> > > >sb,
> > > s);
> > > + if (error)
> > > + goto err;
> > > +
> > > + if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL &&
> > > + !(NFS_SB(mount_info->cloned->sb)->caps &
> > > NFS_CAP_SECURITY_LABEL)) {
> > > + memset(, 0, sizeof(opts));
> > > + kflags |= SECURITY_LSM_NATIVE_LABELS;
> > > +
> > > + error = security_sb_set_mnt_opts(s, ,
> > > kflags,
> > > _out);
> > > + if (error)
> > > + goto err;
> > > +
> > > + if (!(kflags_out & SECURITY_LSM_NATIVE_LABELS))
> > > + NFS_SB(s)->caps &=
> > > ~NFS_CAP_SECURITY_LABEL;
> > > + }
> > > +err:
> > > + return error;
> > >  }
> > >  EXPORT_SYMBOL_GPL(nfs_clone_sb_security);
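Review bot: the new block builds a zeroed `opts` and calls security_sb_set_mnt_opts() on a superblock whose options security_sb_clone_mnt_opts() has just copied from the parent, so any option carried over from the parent (a context= mount, for instance) is replaced by the empty set; setting the native-labels flag needs a path that updates the existing options rather than resetting them. Two smaller points: `err:` only does `return error;`, so the three `goto err` can be plain `return error;` and the label dropped, and the `caps & NFS_CAP_SECURITY_LABEL && !(...)` condition is correct by precedence but would read better with parentheses around the first `&` term. (As rendered here the `&opts` arguments to memset and security_sb_set_mnt_opts appear to have been lost in transit.)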
> > 
> > Could this clobber a context set via context= mount option?
> 
> Argh, yes I suppose it could.  In my first attempt to fix this, I
> added
> a security_sb_get_mnt_opts() hook to get the original mount options
> and
> then passed that along with the SECURITY_LSM_NATIVE_LABELS flag to
> security_sb_set_mnt_opts().  When I saw that
> security_sb_set_mnt_opts()
> wouldn't allow me to change a superblock that had already been
> initialized, I got rid of the hook and added the check in patch 1...
> maybe a combination of the two is needed?
> 
> Testing it again now, I'm not sure the context= mount option is
> working
> correctly with the latest kernel.

Looks like you are correct,
https://github.com/SELinuxProject/selinux-kernel/issues/35



Re: [PATCH 1/1] semanage: Fix manpage author for ibpkey and ibendport pages.

2017-05-30 Thread Stephen Smalley
On Tue, 2017-05-30 at 16:26 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens 
> 
> Signed-off-by: Daniel Jurgens 

Thanks, applied.

> ---
>  python/semanage/semanage-ibendport.8 | 2 +-
>  python/semanage/semanage-ibpkey.8| 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/python/semanage/semanage-ibendport.8
> b/python/semanage/semanage-ibendport.8
> index c3753a27..0a29eae1 100644
> --- a/python/semanage/semanage-ibendport.8
> +++ b/python/semanage/semanage-ibendport.8
> @@ -63,4 +63,4 @@ Label mlx4_0 port 2.
>  .BR semanage (8)
>  
>  .SH "AUTHOR"
> -This man page was written by Daniel Walsh 
> +This man page was written by Daniel Jurgens 
> diff --git a/python/semanage/semanage-ibpkey.8
> b/python/semanage/semanage-ibpkey.8
> index 2da4f546..51f455ab 100644
> --- a/python/semanage/semanage-ibpkey.8
> +++ b/python/semanage/semanage-ibpkey.8
> @@ -63,4 +63,4 @@ Label pkey 0x8FFF (limited membership default pkey)
> as a default pkey type
>  .BR semanage (8)
>  
>  .SH "AUTHOR"
> -This man page was written by Daniel Walsh 
> +This man page was written by Daniel Jurgens 


libsepol segfaults with typealias and typealiasactual

2017-05-30 Thread Dominick Grift
I have a typealias/typealiasactual in dssp2-standard at:

https://github.com/DefenSec/dssp2-standard/blob/master/policy/system/rpm.cil#L18

This *works*

However now I want to additionally associate "unconfined.user.subj" with 
"rpm_script_t"
So I created a module:

echo "(typealiasesactual rpm_script_t unconfined.user.subj)" > mytest.cil && 
semodule -i mytest.cil
it returns (something along those lines):

"subj is not an alias"

however it seems as though the module did install. I cannot think of any simple 
way to determine whether it works as I cannot find any "seinfo --typealias" or 
sesearch "--typealiases"

Anyway libsepol segfaults when I try to play more with this

So I tried the following

(typeattribute rpm_script_aliases_type_attribute)
(typeattributeset rpm_script_aliases_type_attribute rpm.script.subj)
(typeattributeset rpm_script_aliases_type_attribute unconfined.user.subj)

(typealias rpm_script_t)
(typealiasactual rpm_script_t rpm_script_aliases_type_attribute)

This also returns incoherent messages something like "invalid "." in ...", but 
it seems to install

and after that everything just segfaults (libsepol), until I remove my local 
customizations

I don't know a better way to explain this but looks to me there's a serious bug 
in how typealiases are handled by libsepol:

https://www.youtube.com/watch?v=qe-vqieu2jg

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift




Re: [RFC PATCH] tools: add perltidy to the syntax checker/fixer

2017-05-30 Thread Stephen Smalley
On Fri, 2017-05-26 at 11:58 -0400, Paul Moore wrote:
> From: Paul Moore 
> 
> Signed-off-by: Paul Moore 
> ---
>  tools/check-syntax |   86 
> 
>  1 file changed, 66 insertions(+), 20 deletions(-)
> 
> diff --git a/tools/check-syntax b/tools/check-syntax
> index 72cb06b..ee83c03 100755
> --- a/tools/check-syntax
> +++ b/tools/check-syntax
> @@ -13,6 +13,9 @@
>  CHK_C_LIST="$(find tests/ -name "*.c") $(find tests/ -name "*.h")"
>  CHK_C_EXCLUDE=""
>  
> +CHK_PERL_LIST="$(find tests/ -name "*.pl") $(find tests/ -name
> "test")"
> +CHK_PERL_EXCLUDE=""
> +
>  
>  # functions
>  
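Review bot: `$(find tests/ -name "test")` matches anything named test, directories included, and the later `-r`/`-w` tests accept a directory too, so a directory with that name would be fed to `perltidy <` (which fails) or, worse, receive the temp file via `mv "$tmp" "$2"` in style_fix. Add `-type f` to both find invocations, and consider a `-perm` or shebang check so non-Perl files named test are not run through perltidy.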
> @@ -66,50 +69,92 @@ function tool_c_style() {
>  }
>  
>  #
> -# Check the formatting on a C source/header file
> +# Generate a properly formatted Perl source file
>  #
>  # Arguments:
> -# 1File to check
> +# 1Source file
>  #
> -function tool_c_style_check() {
> - [[ -z "$1" || ! -r "$1" ]] && return
> +function tool_perl_style() {
> + perltidy < "$1"
> +}
>  
> - tool_c_style "$1" | diff -pu --label="$1.orig" "$1" --
> label="$1" -
> +#
> +# Check the formatting on a file
> +#
> +# Arguments:
> +# 1Language
> +# 2File to check
> +#
> +function style_check() {
> + [[ -z "$1" ]] && return
> + [[ -z "$2" || ! -r "$2" ]] && return
> +
> + case "$1" in
> + c|C)
> + tool_c_style "$2" | \
> + diff -pu --label="$2.orig" "$2" --label="$2" 
> -
> + ;;
> + perl|Perl)
> + tool_perl_style "$2" | \
> + diff -pu --label="$2.orig" "$2" --label="$2" 
> -
> + ;;
> + esac
>  }
>  
>  #
> -# Fix the formatting on a C source/header file
> +# Fix the formatting on a file
>  #
>  # Arguments:
> -# 1File to fix
> +# 1Language
> +# 2File to check
>  #
> -function tool_c_style_fix() {
> - [[ -z "$1" || ! -r "$1" ]] && return
> +function style_fix() {
> + [[ -z "$1" ]] && return
> + [[ -z "$2" || ! -w "$2" ]] && return
>  
> - tmp="$(mktemp --tmpdir=$(dirname "$1"))"
> - tool_c_style "$1" > "$tmp"
> - mv "$tmp" "$1"
> + tmp="$(mktemp --tmpdir=$(dirname "$2"))"
> + case "$1" in
> + c|C)
> + tool_c_style "$2" > "$tmp"
> + ;;
> + perl|Perl)
> + tool_perl_style "$2" > "$tmp"
> + ;;
> + esac
> + mv "$tmp" "$2"

This approach doesn't preserve mode or other attributes on the file,
and therefore leaves the perl scripts non-executable after running
./tools/check_syntax -f.

>  }
>  
>  #
> -# Perform all known syntax checks for the configured C
> sources/headers
> +# Perform all known syntax checks for the configured files
>  #
> -function check_c() {
> +function check() {
>   for i in $CHK_C_LIST; do
>   echo "$CHK_C_EXCLUDE" | grep -q "$i" && continue
>   echo "Differences for $i"
> - tool_c_style_check "$i"
> + style_check c "$i"
> + done
> +
> + for i in $CHK_PERL_LIST; do
> + echo "$CHK_PERL_EXCLUDE" | grep -q "$i" && continue
> + echo "Differences for $i"
> + style_check perl "$i"
>   done
>  }
>  
>  #
> -# Perform all known syntax fixes for the configured C
> sources/headers
> +# Perform all known syntax fixes for the configured files
>  #
> -function fix_c() {
> +function fix() {
>   for i in $CHK_C_LIST; do
>   echo "$CHK_C_EXCLUDE" | grep -q "$i" && continue
>   echo "Fixing $i"
> - tool_c_style_fix "$i"
> + style_fix c "$i"
> + done
> +
> + for i in $CHK_PERL_LIST; do
> + echo "$CHK_PERL_EXCLUDE" | grep -q "$i" && continue
> + echo "Fixing $i"
> + style_fix perl "$i"
>   done
>  }
>  
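Review bot: in style_fix, an unrecognised language or a failed formatter silently destroys the target file: `tmp` is created before the `case`, no branch matches (or tool_c_style/tool_perl_style exits non-zero with empty or partial output), and `mv "$tmp" "$2"` then replaces the source with that temp file. Add a default `*)` branch that removes `$tmp` and returns, and only move the result when the formatter succeeded, e.g. `tool_perl_style "$2" > "$tmp" || { rm -f "$tmp"; return; }`. Since `mv` also replaces the inode, which is what drops the executable bit mentioned above, `cat "$tmp" > "$2" && rm -f "$tmp"` would keep mode and ownership intact. Minor: `tmp` should be declared `local`, and the unquoted `$(dirname "$2")` inside the mktemp call will word-split on paths containing whitespace; the same pattern exists in style_check's `diff` invocation only via `$2`, which is quoted there, so only style_fix needs the change.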
> @@ -117,6 +162,7 @@ function fix_c() {
>  # main
>  
>  verify_deps astyle
> +verify_deps perltidy
>  
>  opt_fix=0
>  
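Review bot: `verify_deps perltidy` makes perltidy a hard requirement for every run of the script, including ones where CHK_PERL_LIST is empty and only the C sources are checked; consider verifying it only when the Perl list is non-empty, or documenting the new dependency alongside astyle in the script header.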
> @@ -136,9 +182,9 @@ done
>  echo "=== $(date) ==="
>  echo "Code Syntax Check Results (\"check-syntax $*\")"
>  if [[ $opt_fix -eq 1 ]]; then
> - fix_c
> + fix
>  else
> - check_c
> + check
>  fi
>  echo ""
>  


[PATCH 1/1] semanage: Fix manpage author for ibpkey and ibendport pages.

2017-05-30 Thread Dan Jurgens
From: Daniel Jurgens 

Signed-off-by: Daniel Jurgens 
---
 python/semanage/semanage-ibendport.8 | 2 +-
 python/semanage/semanage-ibpkey.8| 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/semanage/semanage-ibendport.8 
b/python/semanage/semanage-ibendport.8
index c3753a27..0a29eae1 100644
--- a/python/semanage/semanage-ibendport.8
+++ b/python/semanage/semanage-ibendport.8
@@ -63,4 +63,4 @@ Label mlx4_0 port 2.
 .BR semanage (8)
 
 .SH "AUTHOR"
-This man page was written by Daniel Walsh 
+This man page was written by Daniel Jurgens 
diff --git a/python/semanage/semanage-ibpkey.8 
b/python/semanage/semanage-ibpkey.8
index 2da4f546..51f455ab 100644
--- a/python/semanage/semanage-ibpkey.8
+++ b/python/semanage/semanage-ibpkey.8
@@ -63,4 +63,4 @@ Label pkey 0x8FFF (limited membership default pkey) as a 
default pkey type
 .BR semanage (8)
 
 .SH "AUTHOR"
-This man page was written by Daniel Walsh 
+This man page was written by Daniel Jurgens 
-- 
2.12.2



Re: Access Vector Cache initialization audit message

2017-05-30 Thread Stephen Smalley
On Mon, 2017-05-29 at 14:53 -0400, Richard Guy Briggs wrote:
> Hi,
>
> On kernel Access Vector Cache (AVC) initialization, there is an audit
> KERNEL type message logged to announce this fact.
>
> The general format of audit messages is label=value pair fields.
> Steve Grubb has been asking to have these records normalized by having
> a predictable set of field labels present.
>
> There already exists an audit KERNEL message giving audit state which
> has been normalized thus:
> "state=initialized audit_enabled=%u res=1"
>
> The AVC initialization audit message doesn't currently fit that format:
> "AVC INITIALIZED"
>
> I'd created an issue to normalize the AVC initialization along these
> lines or to have it move to a new message type, and Paul Moore is
> questioning whether this message is required at all:
> https://github.com/linux-audit/audit-kernel/issues/48
>
> Can this message simply be eliminated?

AFAICT, yes, you can just remove it.