[PATCH v4 testsuite 09/15] policy: Add MCS constraint on peer recv


 



Some of the inet_socket and sctp tests rely on an MCS constraint on
the peer recv permission that exists in Fedora policy but not
refpolicy and hence not Debian.  Add the constraint to the test policy
to provide consistent behavior.  On Fedora this is merely redundant.
The constraint is defined via a CIL module since constraints are not
supported in .te files for binary modules.  Introduce a SUPPORTS_CIL
variable in the Makefile and disable it automatically on older RHEL
releases that lack CIL support to avoid breaking policy load on them.

Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
 policy/Makefile              | 15 +++++++++++----
 policy/test_mlsconstrain.cil |  2 ++
 2 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 policy/test_mlsconstrain.cil

diff --git a/policy/Makefile b/policy/Makefile
index dfe601b..8f43427 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -7,6 +7,7 @@ SELINUXFS ?= /sys/fs/selinux
 SEMODULE = $(SBINDIR)/semodule
 CHECKPOLICY = $(BINDIR)/checkpolicy
 CHECKMODULE = $(BINDIR)/checkmodule
+SUPPORTS_CIL ?= y
 
 DISTRO=$(shell ../tests/os_detect)
 
@@ -30,15 +31,21 @@ TARGETS = \
 	test_mmap.te test_overlayfs.te test_mqueue.te \
 	test_ibpkey.te test_atsecure.te test_cgroupfs.te
 
+ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
+SUPPORTS_CIL = n
+endif
 
+ifeq ($(SUPPORTS_CIL),y)
+CIL_TARGETS = test_mlsconstrain.cil
 ifeq ($(shell [[ $(MAX_KERNEL_POLICY) -ge 32 && $(POL_VERS) -ge 32 ]] && echo true),true)
 # If other MLS tests get written this can be moved outside of the glblub test
 ifeq ($(POL_TYPE), MLS)
-CIL_TARGETS = test_glblub.cil
+CIL_TARGETS += test_glblub.cil
 else ifeq ($(POL_TYPE), MCS)
-CIL_TARGETS = test_add_levels.cil test_glblub.cil
-endif
-endif # GLBLUB
+CIL_TARGETS += test_add_levels.cil test_glblub.cil
+endif # POL_TYPE
+endif # MAX_KERNEL_POLICY
+endif # SUPPORTS_CIL
 
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te test_nnp_nosuid.te
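Review bot: `CIL_TARGETS = test_mlsconstrain.cil` is placed before the `POL_TYPE` check, so the mlsconstrain module is also installed when POL_TYPE is neither MLS nor MCS, a case the existing `ifeq`/`else ifeq` chain explicitly admits; whether a base policy built without MLS accepts `mlsconstrain` statements is not shown here, so either move the line under the two POL_TYPE branches or confirm the module loads on such a build. The `SUPPORTS_CIL = n` override is a hard-coded RHEL4..6 list separated from its `?=` default by the TARGETS block, and because it is a plain `=` it also clobbers an environment setting of SUPPORTS_CIL=y (only a command-line assignment survives). A comment above the ifeq, `# These releases predate CIL support in semodule; only binary .pp modules load there`, plus a `$(warning ...)` when SUPPORTS_CIL is n, would make it visible that the inet_socket/sctp tests which depend on the constraint will not get it on those releases.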
diff --git a/policy/test_mlsconstrain.cil b/policy/test_mlsconstrain.cil
new file mode 100644
index 0000000..1412f91
--- /dev/null
+++ b/policy/test_mlsconstrain.cil
@@ -0,0 +1,2 @@
+(mlsconstrain (peer (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type))))
+(mlsconstrain (packet (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type))))
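Review bot: Both constraints reference the attribute `mcs_constrained_type`, which this file does not declare and which therefore must already exist in the installed base policy; if it is absent (refpolicy defines it in its MCS configuration, so an MLS or non-MLS build may lack it — confirm), semodule rejects the module and, depending on how the Makefile installs the test modules, the whole test policy load may fail rather than just these tests. A header comment would help the next reader: `; Mirrors the Fedora MCS constraint on peer/packet recv so the inet_socket and sctp tests behave the same on refpolicy-based distros; requires mcs_constrained_type from the base policy.` The commit message mentions only peer recv while the second line constrains packet recv as well; the comment should say both are intentional so the extra line is not taken for a stray copy.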
-- 
2.23.1




