Re: [PATCH testsuite v6] policy: use the kernel_request_load_module() interface

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 11/28/19 9:08 AM, Ondrej Mosnacek wrote:

...instead of open-coding the rules. Also define a fallback to allow the
policy to build even if the interface is not defined.

Fixes: f5e5a0b8d005 ("selinux-testsuite: Add key_socket tests")
Cc: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Suggested-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>


Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>


---

Change in v6: avoid apostrophes in comments
Change in v5: call the macro only once for the whole domain
Change in v4: fix copy-paste mistakes spotted by Richard
Change in v3: use different approach as suggested by Stephen
Change in v2: update also tests/Makefile for consistency

  policy/test_key_socket.te | 8 +++-----
  policy/test_policy.if     | 8 +++++++-
  2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te
index cde426b..64d2cee 100644
--- a/policy/test_key_socket.te
+++ b/policy/test_key_socket.te
@@ -12,8 +12,6 @@ typeattribute test_key_sock_t keysockdomain;
  # key_socket rules:
  allow test_key_sock_t self:capability { net_admin };
  allow test_key_sock_t self:key_socket { create write read setopt };
-# For CONFIG_NET_KEY=m
-allow test_key_sock_t kernel_t:system { module_request };
################## Deny capability { net_admin } ########################## 
  #
@@ -29,7 +27,6 @@ typeattribute test_key_sock_no_net_admin_t testdomain;
  typeattribute test_key_sock_no_net_admin_t keysockdomain;
allow test_key_sock_no_net_admin_t self:key_socket { create write read setopt }; 
-allow test_key_sock_no_net_admin_t kernel_t:system { module_request };
####################### Deny key_socket { create } ########################## 
  type test_key_sock_no_create_t;
@@ -50,7 +47,6 @@ typeattribute test_key_sock_no_write_t keysockdomain;
allow test_key_sock_no_write_t self:capability { net_admin }; 
  allow test_key_sock_no_write_t self:key_socket { create read setopt };
-allow test_key_sock_no_write_t kernel_t:system { module_request };
####################### Deny key_socket { read } ########################## 
  type test_key_sock_no_read_t;
@@ -61,10 +57,12 @@ typeattribute test_key_sock_no_read_t keysockdomain;
allow test_key_sock_no_read_t self:capability { net_admin }; 
  allow test_key_sock_no_read_t self:key_socket { create write setopt };
-allow test_key_sock_no_read_t kernel_t:system { module_request };
# 
  ########### Allow these domains to be entered from sysadm domain ############
  #
  miscfiles_domain_entry_test_files(keysockdomain)
  userdom_sysadm_entry_spec_domtrans_to(keysockdomain)
+
+# For CONFIG_NET_KEY=m
+kernel_request_load_module(keysockdomain)
diff --git a/policy/test_policy.if b/policy/test_policy.if
index e1175e8..cefc8fb 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -76,9 +76,15 @@ interface(`mount_rw_pid_files', `
  ')
  ')
-# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t. 
+# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t.
  ifdef(`userdom_search_admin_dir', `', ` dnl
  interface(`userdom_search_admin_dir', `
      userdom_search_user_home_content($1)
  ')
  ')
+
+# If the macro is not defined, then most probably module_request permission
+# is just not supported (and relevant operations should be just allowed).
+ifdef(`kernel_request_load_module', `', ` dnl
+interface(`kernel_request_load_module', `')
+')
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux