On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote: > This patch contains tests for classes which are already supported for > a > long time but are not tested by the selinux-testsuite yet. These > tests > involve classes like: netlink_route_socket, netlink_xfrm_socket, > netlink_selinux_socket, netlink_audit_socket, > netlink_kobject_uevent_socket, netlink_connector_socket, > netlink_scsitransport_socket, netlink_fib_lookup_socket. These look fine (aside from a whitespace issue which git am complained about) and ran successfully for me on Fedora, but I did have one question: policy/Makefile and tests/Makefile only enable the netlink_socket tests if the new netlink socket classes are defined by the base policy, and tests/Makefile further excludes them from running on RHEL7 because RHEL7.3 back-ported the policy change defining the new classes but not the kernel support. In contrast, the tests you are adding could be run on RHEL7 (and earlier). If we want them to be run on RHEL7 or earlier, then you need to split them into their own test policy and test case that can be separately enabled, or otherwise wrap the current ones to allow use on RHEL7. You can see examples in other test policies and scripts of such conditional inclusion of subsets of the tests/policies (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be tested on RHEL7 or earlier? > > Signed-off-by: Milos Malik <mmalik@xxxxxxxxxx> > --- > policy/test_netlink_socket.te | 8 ++++ > tests/netlink_socket/test | 99 > ++++++++++++++++++++++++++++++++++++++++++- > 2 files changed, 106 insertions(+), 1 deletion(-) > > diff --git a/policy/test_netlink_socket.te > b/policy/test_netlink_socket.te > index c852c04..aaa6e4d 100644 > --- a/policy/test_netlink_socket.te > +++ b/policy/test_netlink_socket.te 
> @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket) > netlink_socket_test(netlink_netfilter_socket) > netlink_socket_test(netlink_generic_socket) > netlink_socket_test(netlink_crypto_socket) > +netlink_socket_test(netlink_route_socket) > +netlink_socket_test(netlink_xfrm_socket) > +netlink_socket_test(netlink_selinux_socket) > +netlink_socket_test(netlink_audit_socket) > +netlink_socket_test(netlink_kobject_uevent_socket) > +netlink_socket_test(netlink_connector_socket) > +netlink_socket_test(netlink_scsitransport_socket) > +netlink_socket_test(netlink_fib_lookup_socket) > > # > # Common rules for all netlink socket class test domains. > diff --git a/tests/netlink_socket/test b/tests/netlink_socket/test > index 487edbc..cc8c2d4 100755 > --- a/tests/netlink_socket/test > +++ b/tests/netlink_socket/test > @@ -1,7 +1,7 @@ > #!/usr/bin/perl > > use Test; > -BEGIN { plan tests => 8 } > +BEGIN { plan tests => 24 } > > $basedir = $0; > $basedir =~ s|(.*)/[^/]*|$1|; 
> @@ -53,3 +53,100 @@ $result = system( > "runcon -t test_no_netlink_crypto_socket_t -- $basedir/netlinkcreate > crypto 2>&1" > ); > ok($result); > + > +# Verify that test_netlink_route_socket_t can create a NETLINK_ROUTE > socket. > +$result = system( > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate > route 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_route_socket_t cannot create a > NETLINK_ROUTE socket. > +$result = system( > +"runcon -t test_no_netlink_route_socket_t -- $basedir/netlinkcreate > route 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_xfrm_socket_t can create a NETLINK_XFRM > socket. > +$result = system( > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate xfrm > 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_xfrm_socket_t cannot create a > NETLINK_XFRM socket. > +$result = system( > +"runcon -t test_no_netlink_xfrm_socket_t -- $basedir/netlinkcreate > xfrm 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_selinux_socket_t can create a > NETLINK_SELINUX socket. > +$result = system( > +"runcon -t test_netlink_selinux_socket_t -- $basedir/netlinkcreate > selinux 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_selinux_socket_t cannot create a > NETLINK_SELINUX socket. > +$result = system( > +"runcon -t test_no_netlink_selinux_socket_t -- > $basedir/netlinkcreate selinux 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_audit_socket_t can create a NETLINK_AUDIT > socket. > +$result = system( > +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate > audit 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_audit_socket_t cannot create a > NETLINK_AUDIT socket. 
> +$result = system( > +"runcon -t test_no_netlink_audit_socket_t -- $basedir/netlinkcreate > audit 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_kobject_uevent_socket_t can create a > NETLINK_KOBJECT_UEVENT socket. > +$result = system( > +"runcon -t test_netlink_kobject_uevent_socket_t -- > $basedir/netlinkcreate kobject_uevent 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot create > a NETLINK_KOBJECT_UEVENT socket. > +$result = system( > +"runcon -t test_no_netlink_kobject_uevent_socket_t -- > $basedir/netlinkcreate kobject_uevent 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_connector_socket_t can create a > NETLINK_CONNECTOR socket. > +$result = system( > +"runcon -t test_netlink_connector_socket_t -- $basedir/netlinkcreate > connector 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_connector_socket_t cannot create a > NETLINK_CONNECTOR socket. > +$result = system( > +"runcon -t test_no_netlink_connector_socket_t -- > $basedir/netlinkcreate connector 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_scsitransport_socket_t can create a > NETLINK_SCSITRANSPORT socket. > +$result = system( > +"runcon -t test_netlink_scsitransport_socket_t -- > $basedir/netlinkcreate scsitransport 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_scsitransport_socket_t cannot create a > NETLINK_SCSITRANSPORT socket. > +$result = system( > +"runcon -t test_no_netlink_scsitransport_socket_t -- > $basedir/netlinkcreate scsitransport 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_fib_lookup_socket_t can create a > NETLINK_FIB_LOOKUP socket. > +$result = system( > +"runcon -t test_netlink_fib_lookup_socket_t -- > $basedir/netlinkcreate fib_lookup 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_fib_lookup_socket_t cannot create a > NETLINK_FIB_LOOKUP socket. 
> +$result = system( > +"runcon -t test_no_netlink_fib_lookup_socket_t -- > $basedir/netlinkcreate fib_lookup 2>&1" > +); > +ok($result); > +
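Review bot: Each of the eight negative checks in this hunk (`ok($result)` after a `test_no_netlink_*_socket_t` run) accepts any nonzero status, so a failure of `runcon` itself — the test domain missing because the test policy module was not loaded, or a transition refused for an unrelated reason — is indistinguishable from the SELinux denial the test is meant to demonstrate. The paired positive checks pin 0, but a negative test that also passes when the harness is broken can make `create` look enforced for a class when it was never exercised. If `netlinkcreate` reports a permission error with a distinct exit code (not visible here — worth confirming), assert that code rather than any nonzero, e.g. `ok( $result >> 8, $expected_code );`; if it does not, a one-line comment above the first negative check such as `# NOTE: any nonzero status passes; the preceding positive check must succeed for this to be meaningful` at least records the assumption. The same pattern is used by the pre-existing crypto check at the top of the hunk, so the observation applies to the older tests too; the enclosing script begins outside this hunk.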