On Wed, 2019-11-27 at 13:33 +0100, Ondrej Mosnacek wrote:
> ...instead of open-coding the rules. Also define a fallback to allow
> the
> policy to build even if the interface is not defined.
>
> Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests")
> Cc: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> Suggested-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>
Thanks, ack from me
> Change in v5: call the macro only once for the whole domain
> Change in v4: fix copy-paste mistakes spotted by Richard
> Change in v3: use different approach as suggested by Stephen
> Change in v2: update also tests/Makefile for consistency
>
> policy/test_key_socket.te | 8 +++-----
> policy/test_policy.if | 6 ++++++
> 2 files changed, 9 insertions(+), 5 deletions(-)
>
> diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
> index cde426b..64d2cee 100644
> --- a/policy/test_key_socket.te
> +++ b/policy/test_key_socket.te
> @@ -12,8 +12,6 @@ typeattribute test_key_sock_t keysockdomain;
> # key_socket rules:
> allow test_key_sock_t self:capability { net_admin };
> allow test_key_sock_t self:key_socket { create write read setopt };
> -# For CONFIG_NET_KEY=m
> -allow test_key_sock_t kernel_t:system { module_request };
>
> ################## Deny capability { net_admin }
> ##########################
> #
> @@ -29,7 +27,6 @@ typeattribute test_key_sock_no_net_admin_t
> testdomain;
> typeattribute test_key_sock_no_net_admin_t keysockdomain;
>
> allow test_key_sock_no_net_admin_t self:key_socket { create write
> read setopt };
> -allow test_key_sock_no_net_admin_t kernel_t:system { module_request
> };
>
> ####################### Deny key_socket { create }
> ##########################
> type test_key_sock_no_create_t;
> @@ -50,7 +47,6 @@ typeattribute test_key_sock_no_write_t
> keysockdomain;
>
> allow test_key_sock_no_write_t self:capability { net_admin };
> allow test_key_sock_no_write_t self:key_socket { create read setopt
> };
> -allow test_key_sock_no_write_t kernel_t:system { module_request };
>
> ####################### Deny key_socket { read }
> ##########################
> type test_key_sock_no_read_t;
> @@ -61,10 +57,12 @@ typeattribute test_key_sock_no_read_t
> keysockdomain;
>
> allow test_key_sock_no_read_t self:capability { net_admin };
> allow test_key_sock_no_read_t self:key_socket { create write setopt
> };
> -allow test_key_sock_no_read_t kernel_t:system { module_request };
>
> #
> ########### Allow these domains to be entered from sysadm domain
> ############
> #
> miscfiles_domain_entry_test_files(keysockdomain)
> userdom_sysadm_entry_spec_domtrans_to(keysockdomain)
> +
> +# For CONFIG_NET_KEY=m
> +kernel_request_load_module(keysockdomain)
> diff --git a/policy/test_policy.if b/policy/test_policy.if
> index e1175e8..3f163cb 100644
> --- a/policy/test_policy.if
> +++ b/policy/test_policy.if
> @@ -82,3 +82,9 @@ interface(`userdom_search_admin_dir', `
> userdom_search_user_home_content($1)
> ')
> ')
> +
> +# If the macro isn't defined, then most probably module_request
> permission
> +# is just not supported (and relevant operations should be just
> allowed).
> +ifdef(`kernel_request_load_module', `', ` dnl
> +interface(`kernel_request_load_module', `')
> +')
