On Tue, 2019-12-03 at 10:15 -0500, Stephen Smalley wrote:
> On 12/1/19 9:52 AM, Richard Haines wrote:
> > Test perf_event permissions.
> >
> > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> > ---
> > diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te
> > new file mode 100644
> > index 0000000..8b612bc
> > --- /dev/null
> > +++ b/policy/test_perf_event.te
> <snip>
> > +neverallow test_perf_no_admin_t self:capability { sys_admin };
>
> I don't particularly object to this, but I wanted to note that these
> neverallows are not being checked by default (expand-check=0 in
> /etc/selinux/semanage.conf) and in fact, if one were to enable
> expand-check, it would not be possible to insert the test policy module
> without triggering some neverallow and/or typebounds failures because
> the test policy intentionally violates such invariants at points.
>
> Even the base Fedora policy doesn't appear to pass neverallow checking
> at present; if you enable expand-check=1 in /etc/selinux/semanage.conf
> and semodule -B, it fails (at least for me).
>
> So your neverallow rules in the test policy are at best documentation.

Yes, I was just using them as comments, as the policy Makefile just stops
if expand-check=1. I'll comment them out as I need to send a new version.

I found that if I set /proc/sys/kernel/perf_event_paranoid to < 2 then
the 'Deny capability { sys_admin }' test fails. I therefore now test the
value and bypass that test if < 2.
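Review bot: the `+neverallow test_perf_no_admin_t self:capability { sys_admin };` rule in policy/test_perf_event.te is not evaluated under the default expand-check=0 in /etc/selinux/semanage.conf, and with expand-check=1 the test policy module cannot be inserted at all, so the rule documents the intended invariant without ever enforcing it; carry the intent as a policy comment (e.g. `# neverallow test_perf_no_admin_t self:capability { sys_admin };`) so the module builds under either setting and the invariant is still visible to the next reader.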
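As an added example, not code from the selinux-testsuite or from the patch under review, the following C helper shows one way to implement the check described in the reply: read /proc/sys/kernel/perf_event_paranoid, and skip the 'Deny capability { sys_admin }' case when the value is below 2. The function names, the separate parser, and the use of exit status 77 for "skipped" are assumptions of this example; the threshold of 2 is taken from the thread, not from kernel source.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sysctl named in the thread. */
#define PERF_PARANOID_PATH "/proc/sys/kernel/perf_event_paranoid"

/*
 * Parse the text of perf_event_paranoid (e.g. "2\n") into *value.
 * Returns 0 on success, -1 on malformed input. Kept separate from the
 * file read so it can be exercised on constructed strings offline.
 */
int parse_perf_paranoid(const char *text, long *value)
{
	char *end;
	long v;

	if (!text || !*text)
		return -1;

	errno = 0;
	v = strtol(text, &end, 10);
	if (errno != 0 || end == text)
		return -1;

	/* Only trailing whitespace (the kernel's newline) is allowed. */
	while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r')
		end++;
	if (*end != '\0')
		return -1;

	*value = v;
	return 0;
}

/* Convenience wrapper: parsed value, or fallback when the text is invalid. */
long parse_perf_paranoid_or(const char *text, long fallback)
{
	long v;

	return parse_perf_paranoid(text, &v) == 0 ? v : fallback;
}

/*
 * Read the current value from the sysctl file. Returns 0 on success and
 * -1 if the file is missing or unparsable, leaving *value untouched.
 */
int read_perf_paranoid(const char *path, long *value)
{
	char buf[64];
	FILE *f = fopen(path, "r");

	if (!f)
		return -1;
	if (!fgets(buf, sizeof(buf), f)) {
		fclose(f);
		return -1;
	}
	fclose(f);
	return parse_perf_paranoid(buf, value);
}

/*
 * Decision from the reply: the 'Deny capability { sys_admin }' test is
 * reported to fail when perf_event_paranoid is below 2, so it is only
 * run at 2 or above. Returns 1 to skip, 0 to run.
 */
int skip_sys_admin_test(long paranoid)
{
	return paranoid < 2;
}

int main(void)
{
	long val;

	if (read_perf_paranoid(PERF_PARANOID_PATH, &val) != 0) {
		fprintf(stderr, "cannot read %s, skipping test\n", PERF_PARANOID_PATH);
		return 77; /* assumed "skipped" status, as automake uses */
	}
	if (skip_sys_admin_test(val)) {
		printf("perf_event_paranoid=%ld < 2, skipping sys_admin denial test\n", val);
		return 77;
	}
	printf("perf_event_paranoid=%ld, running sys_admin denial test\n", val);
	return 0;
}
```

The parser is kept strict on purpose: a value such as "3 x" is treated as an error rather than as 3, so an unexpected sysctl format causes the case to be skipped with a message instead of silently running the denial test under the wrong preconditions.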