Hello Stephen.

On Thu, 01/12/2016 at 13.03 -0500, Stephen Smalley wrote:
> On 12/01/2016 12:28 PM, Guido Trentalancia wrote:
> >
> > Hello again Stephen and Paul.
> >
> > On Thu, 01/12/2016 at 10.57 -0500, Stephen Smalley wrote:
> > >
> > > On 12/01/2016 10:07 AM, Stephen Smalley wrote:
> > > > [...]
> > >
> > > A couple of notes on this change:
> > >
> > > - To fully test (beyond just confirming that it doesn't break
> > > anything when the policy capability is not defined), we'll need a
> > > patched libsepol and policy (and unfortunately it requires patching
> > > the base policy; can't be done via a policy module). Can certainly
> > > provide those too but figured I'd wait to see the response to the
> > > kernel patch first.
> >
> > The libsepol patch is straightforward.
> >
> > You can have a look at the one I have posted on the 23rd of August
> > 2016 under the subject "[PATCH] Update libsepol to support the policy
> > capability for AF_ALG sockets" and adapt it to the new policy
> > capability name and to the fact that you are now removing the Redhat
> > policy capability.
> >
> > As for the Reference Policy patch, if you want, I can forward to you
> > the one that I had created at that time for the ALG_SOCKET family, so
> > that you can adapt it to the multiple socket types.
> >
> > Same thing for the SELinux Testsuite patch: if you want, I can
> > forward to you the one that I had created at that time for the
> > ALG_SOCKET family and that would be enough for testing the new
> > capability because it's representative of all the new socket types.
> >
> > With kind regards,
>
> Actually, I realized belatedly that CIL makes it possible to enable
> testing of this change just through a policy module. Attached is a
> CIL policy module that one can insert via semodule -i
> testextsockclass.cil (caveat: may break your system if using any of
> these socket classes). Also attached is the libsepol patch. So now I
> just need a test case - will have a look at your AF_ALG patch.

The libsepol patch looks fine to me, provided that, as you say, it
doesn't break anything on Redhat systems.

Regards,

Guido

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.