This patch allows the new key permissions to be tested as discussed in [1].

To test:
1) Build and install kernel from [2].
2) Run the selinux-testsuite to check ok.
3) Update selinux-testsuite with this patch.
4) Update libsepol with:
      libsepol-Add-key_perms-policy-capability.patch
5) Add the following CIL statements to test_keys.cil and install:
      semodule -i test_keys.cil

   (policycap key_perms) ; comment out to test original permission translation
   (common key (inval revoke join clear))
   (classcommon key key)

6) Edit /usr/share/selinux/devel/include/support/all_perms.spt and insert
   the 'inval revoke join clear' permissions:
      define(`all_key_perms',`{ view read write ...}')
7) Run 'make test'

[1] https://lore.kernel.org/selinux/459818a9ad1c808298bf3d7c9bcb130323d30e97.camel@xxxxxxxxxxxxxx/
[2] https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next

Richard Haines (1):
  selinux-testsuite: Add additional key permission tests

 policy/test_keys.te          | 139 ++++++++++++++++++++++++++++-------
 tests/keys/keyctl.c          |  39 ++++++++++
 tests/keys/keyring_service.c |  12 ++-
 tests/keys/request_keys.c    |  70 ++++++++++++++----
 tests/keys/test              |  63 ++++++++++++++--
 5 files changed, 273 insertions(+), 50 deletions(-)

-- 
2.24.1