On 12/01/2016 03:42 PM, Guido Trentalancia wrote:
> Hello Stephen.
> On Thu, 01/12/2016 at 13.03 -0500, Stephen Smalley write:
>> On 12/01/2016 12:28 PM, Guido Trentalancia wrote:
>>> Hello again Stephen and Paul.
>>> On Thu, 01/12/2016 at 10.57 -0500, Stephen Smalley wrote:
>>>> On 12/01/2016 10:07 AM, Stephen Smalley wrote:
>>>> A couple of notes on this change:
>>>> - To fully test (beyond just confirming that it doesn't break
>>>> when the policy capability is not defined), we'll need a patched
>>>> libsepol and policy (and unfortunately it requires patching the
>>>> policy; can't be done via a policy module). Can certainly
>>>> too but figured I'd wait to see the response to the kernel patch
>>> The libsepol patch is straightforward.
>>> You can have a look at the one I have posted on the 23rd of August
>>> under the subject "[PATCH] Update libsepol to support the policy
>>> capability for AF_ALG sockets" and adapt it to the new policy
>>> capability name and to the fact that you are now removing the
>>> policy capability.
>>> As for the Reference Policy patch, if you want, I can forward to
>>> the one that I had created at that time for the ALG_SOCKET family,
>>> that you can adapt it to the multiple socket types.
>>> Same thing for the SELinux Testsuite patch: if you want, I can
>>> to you the one that I had created at that time for the ALG_SOCKET
>>> family and that would be enough for testing the new capability
>>> it's representative of all the new socket types.
>>> With kind regards,
>> Actually, I realized belatedly that CIL makes it possible to enable
>> testing of this change just through a policy module. Attached is a
>> policy module that one can insert via semodule -i
>> testextsockclass.cil (caveat: may break your system if using any of
>> these socket classes). Also attached is the libsepol patch. So now I
>> just need a test case - will have a look at your AF_ALG patch.
> The libsepol patch looks fine to me, provided that, as you say, it
> doesn't break anything on Redhat systems.
AFAICT, the ptrace_child policy capability (for which redhat1 was
reserved, occupying the same bit) was never set in a policy in any
Fedora release (only rawhide) and never in RHEL. And the kernel patch
for ptrace_child seems to only have been in F17. So I don't believe
there are any ramifications to reusing it.
Selinux mailing list
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.