I'm sorry, I did have a newer kernel (4.*) on my RHEL-7.3 testing machine. The netlink tests from the selinux-testsuite fail on a freshly installed RHEL-7.3 machine (kernel = 3.10.0-514.el7.x86_64).

Milos Malik

----- Original Message -----
> On Fri, 2017-07-14 at 03:44 -0400, Milos Malik wrote:
> > All of the netlink classes currently tested by the selinux-testsuite + classes tested by the attached patch are supported (at the same time by the kernel and by the policy) on RHEL-7.3.
>
> Are you sure? What kernel did you use? When I tried, they all failed on 7.3, which is why I disabled them in tests/Makefile for RHEL7.
>
> I don't know if we care about distinguishing at the granularity of point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to ensure that the testsuite will pass on the latest release of RHEL7.
>
> > Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not recognize the following classes:
> > netlink_connector_socket, netlink_crypto_socket, netlink_fib_lookup_socket, netlink_generic_socket, netlink_iscsi_socket, netlink_netfilter_socket, netlink_rdma_socket, netlink_scsitransport_socket.
> >
> > Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests can be safely executed on RHEL-7.3 and higher.
> >
> > You're right about splitting the netlink tests into at least 2 subsets: RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will take a look at the commits you provided and let you know.
> >
> > Milos Malik
> >
> > ----- Original Message -----
> > > On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > > > This patch contains tests for classes which are already supported for a long time but are not tested by the selinux-testsuite yet. These tests involve classes like: netlink_route_socket, netlink_xfrm_socket, netlink_selinux_socket, netlink_audit_socket, netlink_kobject_uevent_socket, netlink_connector_socket, netlink_scsitransport_socket, netlink_fib_lookup_socket.
> > >
> > > These look fine (aside from a whitespace issue which git am complained about) and ran successfully for me on Fedora, but I did have one question:
> > >
> > > policy/Makefile and tests/Makefile only enable the netlink_socket tests if the new netlink socket classes are defined by the base policy, and tests/Makefile further excludes them from running on RHEL7 because RHEL7.3 back-ported the policy change defining the new classes but not the kernel support. In contrast, the tests you are adding could be run on RHEL7 (and earlier). If we want them to be run on RHEL7 or earlier, then you need to split them into their own test policy and test case that can be separately enabled, or otherwise wrap the current ones to allow use on RHEL7. You can see examples in other test policies and scripts of such conditional inclusion of subsets of the tests/policies (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be tested on RHEL7 or earlier?
> > >
> > > > Signed-off-by: Milos Malik <mmalik@xxxxxxxxxx>
> > > > --- > > > > policy/test_netlink_socket.te | 8 ++++ > > > > tests/netlink_socket/test | 99 > > > > ++++++++++++++++++++++++++++++++++++++++++- > > > > 2 files changed, 106 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/policy/test_netlink_socket.te > > > > b/policy/test_netlink_socket.te > > > > index c852c04..aaa6e4d 100644 > > > > --- a/policy/test_netlink_socket.te > > > > +++ b/policy/test_netlink_socket.te 
> > > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket) > > > > netlink_socket_test(netlink_netfilter_socket) > > > > netlink_socket_test(netlink_generic_socket) > > > > netlink_socket_test(netlink_crypto_socket) > > > > +netlink_socket_test(netlink_route_socket) > > > > +netlink_socket_test(netlink_xfrm_socket) > > > > +netlink_socket_test(netlink_selinux_socket) > > > > +netlink_socket_test(netlink_audit_socket) > > > > +netlink_socket_test(netlink_kobject_uevent_socket) > > > > +netlink_socket_test(netlink_connector_socket) > > > > +netlink_socket_test(netlink_scsitransport_socket) > > > > +netlink_socket_test(netlink_fib_lookup_socket) > > > > > > > > # > > > > # Common rules for all netlink socket class test domains. > > > > diff --git a/tests/netlink_socket/test > > > > b/tests/netlink_socket/test > > > > index 487edbc..cc8c2d4 100755 > > > > --- a/tests/netlink_socket/test > > > > +++ b/tests/netlink_socket/test > > > > @@ -1,7 +1,7 @@ > > > > #!/usr/bin/perl > > > > > > > > use Test; > > > > -BEGIN { plan tests => 8 } > > > > +BEGIN { plan tests => 24 } > > > > > > > > $basedir = $0; > > > > $basedir =~ s|(.*)/[^/]*|$1|; 
> > > > @@ -53,3 +53,100 @@ $result = system( > > > > "runcon -t test_no_netlink_crypto_socket_t -- > > > > $basedir/netlinkcreate > > > > crypto 2>&1" > > > > ); > > > > ok($result); > > > > + > > > > +# Verify that test_netlink_route_socket_t can create a > > > > NETLINK_ROUTE > > > > socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate > > > > route 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_route_socket_t cannot create a > > > > NETLINK_ROUTE socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_route_socket_t -- > > > > $basedir/netlinkcreate > > > > route 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_xfrm_socket_t can create a > > > > NETLINK_XFRM > > > > socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate > > > > xfrm > > > > 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_xfrm_socket_t cannot create a > > > > NETLINK_XFRM socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_xfrm_socket_t -- > > > > $basedir/netlinkcreate > > > > xfrm 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_selinux_socket_t can create a > > > > NETLINK_SELINUX socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_selinux_socket_t -- > > > > $basedir/netlinkcreate > > > > selinux 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_selinux_socket_t cannot create a > > > > NETLINK_SELINUX socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_selinux_socket_t -- > > > > $basedir/netlinkcreate selinux 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_audit_socket_t can create a > > > > NETLINK_AUDIT > > > > socket. 
> > > > +$result = system( > > > > +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate > > > > audit 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_audit_socket_t cannot create a > > > > NETLINK_AUDIT socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_audit_socket_t -- > > > > $basedir/netlinkcreate > > > > audit 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_kobject_uevent_socket_t can create a > > > > NETLINK_KOBJECT_UEVENT socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_kobject_uevent_socket_t -- > > > > $basedir/netlinkcreate kobject_uevent 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot > > > > create > > > > a NETLINK_KOBJECT_UEVENT socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_kobject_uevent_socket_t -- > > > > $basedir/netlinkcreate kobject_uevent 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_connector_socket_t can create a > > > > NETLINK_CONNECTOR socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_connector_socket_t -- > > > > $basedir/netlinkcreate > > > > connector 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_connector_socket_t cannot create a > > > > NETLINK_CONNECTOR socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_connector_socket_t -- > > > > $basedir/netlinkcreate connector 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_scsitransport_socket_t can create a > > > > NETLINK_SCSITRANSPORT socket. 
> > > > +$result = system( > > > > +"runcon -t test_netlink_scsitransport_socket_t -- > > > > $basedir/netlinkcreate scsitransport 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_scsitransport_socket_t cannot > > > > create a > > > > NETLINK_SCSITRANSPORT socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_scsitransport_socket_t -- > > > > $basedir/netlinkcreate scsitransport 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_fib_lookup_socket_t can create a > > > > NETLINK_FIB_LOOKUP socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_fib_lookup_socket_t -- > > > > $basedir/netlinkcreate fib_lookup 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_fib_lookup_socket_t cannot create > > > > a > > > > NETLINK_FIB_LOOKUP socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_fib_lookup_socket_t -- > > > > $basedir/netlinkcreate fib_lookup 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > >
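
Review bot: in the policy/test_netlink_socket.te hunk (@@ -40,6 +40,14), the eight added netlink_socket_test() lines are appended directly after netlink_generic_socket and netlink_crypto_socket, so they are built only where this whole policy file is enabled. The thread states that policy/Makefile enables it only when the base policy defines the new classes, so the classes meant to run on older releases should move into a separate .te file that can be enabled on its own. Per the thread, netlink_connector_socket, netlink_scsitransport_socket and netlink_fib_lookup_socket are not recognized by the RHEL-6.9 and RHEL-7.2 policy, so those three belong with the gated set rather than the always-on one.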
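
Review bot: in the first tests/netlink_socket/test hunk (@@ -1,7 +1,7), "plan tests => 24" hard-codes the total (8 existing plus 16 added checks), which stops matching as soon as any subset is skipped on a given release. If the tests are split by release as discussed in the thread, compute the planned count from the subsets that are actually enabled instead of using a literal.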
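
Review bot: in the second tests/netlink_socket/test hunk (@@ -53,3 +53,100), every denial check is "ok($result);", which passes on any non-zero status from system(), so runcon failing to enter a domain that is not loaded, or netlinkcreate failing because the kernel does not support the protocol, is counted as a successful SELinux denial. Compare the status against the specific value netlinkcreate returns on a permission failure so the negative tests only pass when access was actually denied. The sixteen added blocks differ only in the protocol name and would be easier to maintain as a loop over a list of names. The hunk also ends by adding a blank line at end of file, which is likely the whitespace issue git am reported.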