Some of the inet_socket and sctp tests rely on a MCS constraint on the peer recv permission that exists in Fedora policy but not refpolicy and hence not Debian. Add the constraint to the test policy to provide consistent behavior. On Fedora this is merely redundant. The constraint is defined via a CIL module since constraints are not supported in .te files for binary modules. Introduce a SUPPORTS_CIL variable in the Makefile and disable it automatically on older RHEL releases that lack CIL support to avoid breaking policy load on them.

Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
---
 policy/Makefile | 15 +++++++++++----
 policy/test_mlsconstrain.cil | 2 ++
 2 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 policy/test_mlsconstrain.cil

diff --git a/policy/Makefile b/policy/Makefile
index dfe601b..8f43427 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -7,6 +7,7 @@ SELINUXFS ?= /sys/fs/selinux
 SEMODULE = $(SBINDIR)/semodule
 CHECKPOLICY = $(BINDIR)/checkpolicy
 CHECKMODULE = $(BINDIR)/checkmodule
+SUPPORTS_CIL ?= y
 DISTRO=$(shell ../tests/os_detect)
@@ -30,15 +31,21 @@ TARGETS = \
 test_mmap.te test_overlayfs.te test_mqueue.te \
 test_ibpkey.te test_atsecure.te test_cgroupfs.te
+ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
+SUPPORTS_CIL = n
+endif
+ifeq ($(SUPPORTS_CIL),y)
+CIL_TARGETS = test_mlsconstrain.cil
 ifeq ($(shell [[ $(MAX_KERNEL_POLICY) -ge 32 && $(POL_VERS) -ge 32 ]] && echo true),true)
 # If other MLS tests get written this can be moved outside of the glblub test
 ifeq ($(POL_TYPE), MLS)
-CIL_TARGETS = test_glblub.cil
+CIL_TARGETS += test_glblub.cil
 else ifeq ($(POL_TYPE), MCS)
-CIL_TARGETS = test_add_levels.cil test_glblub.cil
-endif
-endif # GLBLUB
+CIL_TARGETS += test_add_levels.cil test_glblub.cil
+endif # POL_TYPE
+endif # MAX_KERNEL_POLICY
+endif # SUPPORTS_CIL
 ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true)
 TARGETS += test_bounds.te test_nnp_nosuid.te
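Review bot: `SUPPORTS_CIL ?= y` is a user-facing knob but carries no comment saying what it controls or when to turn it off, and because it defaults to y the only thing that disables it is the RHEL4/5/6 name list added further down this file; on any other distro whose semodule/libsepol predates CIL support, the .cil targets would presumably still be handed to semodule and the whole test policy load would fail with nothing pointing the user at the override. A short comment above the assignment would help: `# Build and load the .cil modules; set to n (or pass SUPPORTS_CIL=n) on toolchains whose semodule lacks CIL support.` Probing the installed toolchain for CIL support instead of matching distro names would be more robust, but that is outside this hunk.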
diff --git a/policy/test_mlsconstrain.cil b/policy/test_mlsconstrain.cil
new file mode 100644
index 0000000..1412f91
--- /dev/null
+++ b/policy/test_mlsconstrain.cil
@@ -0,0 +1,2 @@
+(mlsconstrain (peer (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type))))
+(mlsconstrain (packet (recv)) (or (dom l1 l2) (and (neq t1 mcs_constrained_type) (neq t2 mcs_constrained_type))))
-- 
2.23.1
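Review bot: Both constraints reference `mcs_constrained_type` without any `typeattribute` declaration, so the module can only link against a base policy that already defines that attribute, yet the Makefile adds `test_mlsconstrain.cil` to CIL_TARGETS whenever SUPPORTS_CIL is y regardless of POL_TYPE; on a base policy lacking the attribute (plausibly an MLS-only or non-MCS build, worth confirming) semodule would reject the entire test policy rather than just these two tests. Either guard the target, e.g. `ifeq ($(POL_TYPE), MCS)` / `CIL_TARGETS += test_mlsconstrain.cil` / `endif`, or document that every base policy the suite supports defines the attribute. Note also that the file constrains `packet recv` as well as `peer recv`, while the commit message mentions only the latter. A header comment would help future readers: `; Mirror Fedora's MCS constraint on peer/packet recv so inet_socket and sctp behave the same on refpolicy-based distros.`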