On Fri, Dec 9, 2016 at 11:14 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 12/09/2016 10:57 AM, Stephen Smalley wrote:
>> Add tests for the extended_socket_class policy capability.
>> This change includes the following tests:
>> - Test that ICMP datagram sockets are mapped to the new icmp_socket
>> class and not to rawip_socket for both IPv4 and IPv6.
>>
>> - Test that SCTP stream and seqpacket sockets are mapped to the
>> new sctp_socket class and not to rawip_socket for both IPv4 and IPv6.
>>
>> - Test that Bluetooth sockets are mapped to the new bluetooth_socket
>> class and not to socket.
>>
>> - Test that AF_ALG sockets are mapped to the new alg_socket class
>> and not to socket.
>>
>> The tests are only run if the extended_socket_class policy capability
>> is present and enabled in the kernel and the base policy, and only if
>> the new classes are defined in the base policy. This avoids breaking
>> the testsuite on systems with older kernels, older policies, or
>> policies that do not enable the policy capability.
>
> BTW, while creating these tests, I was also trying to test AF_BRIDGE
> originally, but it doesn't appear that you can in fact create AF_BRIDGE
> sockets AFAICT; socket(AF_BRIDGE, <any>, <any>) seems to always return
> EAFNOSUPPORT even though CONFIG_BRIDGE_* is enabled in the kernel
> config. So possibly we don't need a bridge_socket security class? Not
> sure what other address families are similar?

It sounds like a good idea to try each of the address families we're
adding in your previous kernel patch; if the socket family isn't readily
accessible from userspace I'm not sure it makes sense to add the object
class at this point in time.

--
paul moore
www.paul-moore.com
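Below is an added example, not code from the testsuite patch or the SELinux project, that does the two things the thread describes: it reproduces the gating logic (is the extended_socket_class capability enabled, is the class defined in the loaded policy) by reading selinuxfs, and it probes each address family with socket(2) to separate "family not creatable from userspace" (EAFNOSUPPORT, as seen with AF_BRIDGE) from other failures. It assumes selinuxfs is mounted at /sys/fs/selinux; the probe list is constructed to mirror the classes named in the patch.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <netinet/in.h>

enum probe { PROBE_OK = 0, PROBE_UNSUPPORTED = 1, PROBE_OTHER = 2 };
static int last_errno;  /* errno from the most recent failed socket(2) */

/* Create one socket and classify the outcome. PROBE_UNSUPPORTED means the
 * kernel rejected the address family itself (EAFNOSUPPORT), i.e. the
 * family is not reachable from userspace and a class for it is moot. */
enum probe probe_family(int family, int type, int protocol)
{
    int fd = socket(family, type, protocol);
    if (fd >= 0) { close(fd); return PROBE_OK; }
    last_errno = errno;
    return errno == EAFNOSUPPORT ? PROBE_UNSUPPORTED : PROBE_OTHER;
}

/* Contents of /sys/fs/selinux/policy_capabilities/<name>: "1" = enabled. */
int capability_text_enabled(const char *text)
{
    return text != NULL && text[0] == '1';
}

/* Capability present in the kernel AND enabled by the loaded policy. */
int policy_capability_enabled(const char *name)
{
    char path[256], buf[8] = {0};
    snprintf(path, sizeof path, "/sys/fs/selinux/policy_capabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (!f) return 0;                       /* absent: old kernel or policy */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n > 0 && capability_text_enabled(buf);
}

/* selinuxfs exposes one directory per class under /sys/fs/selinux/class/. */
int class_defined(const char *cls)
{
    char path[256]; struct stat st;
    snprintf(path, sizeof path, "/sys/fs/selinux/class/%s", cls);
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

int main(void)
{
    struct { const char *cls; int fam, type, proto; } probes[] = {
        { "icmp_socket",      AF_INET,      SOCK_DGRAM,     IPPROTO_ICMP   },
        { "icmp_socket",      AF_INET6,     SOCK_DGRAM,     IPPROTO_ICMPV6 },
        { "sctp_socket",      AF_INET,      SOCK_STREAM,    IPPROTO_SCTP   },
        { "bluetooth_socket", AF_BLUETOOTH, SOCK_RAW,       0              },
        { "alg_socket",       AF_ALG,       SOCK_SEQPACKET, 0              },
        { "bridge_socket",    AF_BRIDGE,    SOCK_RAW,       0              },
    };
    printf("extended_socket_class enabled: %d\n",
           policy_capability_enabled("extended_socket_class"));
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        enum probe r = probe_family(probes[i].fam, probes[i].type, probes[i].proto);
        printf("%-17s defined=%d  socket(): %s\n", probes[i].cls,
               class_defined(probes[i].cls),
               r == PROBE_OK ? "creatable" : r == PROBE_UNSUPPORTED
               ? "EAFNOSUPPORT (family not usable from userspace)"
               : strerror(last_errno));
    }
    return 0;
}
```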