When the system policy already defines this class, loading the test policy fails with:

Re-declaration of class anon_inode
Previous declaration of class at /var/lib/selinux/targeted/tmp/modules/100/base/cil:1003
Bad class declaration at /var/lib/selinux/targeted/tmp/modules/400/test_userfaultfd/cil:2
/usr/sbin/semodule: Failed!

Fix this by only including the anon_inode class declarations when it's not found in the system policy headers.

Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
 policy/Makefile | 3 +++
 policy/test_anon_inode_class.cil | 4 ++++
 policy/test_userfaultfd.cil | 5 -----
 3 files changed, 7 insertions(+), 5 deletions(-)
 create mode 100644 policy/test_anon_inode_class.cil

diff --git a/policy/Makefile b/policy/Makefile
index 91364d5..dee55a2 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -39,6 +39,9 @@ ifeq ($(SUPPORTS_CIL),y)
 CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil
 # userfaultfd test policy uses also xperms
 ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true)
+ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true)
+CIL_TARGETS += test_anon_inode_class.cil
+endif
 CIL_TARGETS += test_userfaultfd.cil
 TARGETS += test_userfaultfd.te
 endif
diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil
new file mode 100644
index 0000000..3e36599
--- /dev/null
+++ b/policy/test_anon_inode_class.cil
@@ -0,0 +1,4 @@
+; Define new class anon_inode
+(class anon_inode ())
+(classcommon anon_inode file)
+(classorder (unordered anon_inode))
diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil
index 18d5f3f..f6a6791 100644
--- a/policy/test_userfaultfd.cil
+++ b/policy/test_userfaultfd.cil
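Review bot: The header probe on the added `ifneq` line is a bare substring match, so any line of all_perms.spt that merely mentions anon_inode (a comment, an unrelated macro name) counts as the class being declared, and the test module is then built without the declaration and fails to load on such a system; `grep -qw anon_inode` at least demands a whole-word match. When `$(POLDEV)` is unset or the file is absent, grep prints an error to stderr on every make invocation and the branch silently falls back to declaring the class, which is the pre-patch behaviour but deserves to be explicit, e.g. `ifneq ($(shell grep -qw anon_inode $(POLDEV)/include/support/all_perms.spt 2>/dev/null && echo true),true)` preceded by `# declare anon_inode only when the policy headers do not; redeclaring it fails to load`. Note also that this inspects the installed development headers rather than the base module actually loaded, so the two can still disagree when they come from different policy builds. The enclosing `ifeq ($(SUPPORTS_CIL),y)` block closes outside the hunk.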
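Review bot: The header comment on the first added line presents this file as an unconditional definition of a new class, while the Makefile builds it only when the policy headers lack anon_inode, and nothing in the file records that dependency. Someone loading it by hand next to test_userfaultfd.cil on a system whose base policy already has the class would reproduce the re-declaration failure this commit fixes, so the comment should carry the condition, e.g. `; Define class anon_inode; built only when $(POLDEV)/include/support/all_perms.spt lacks it (see policy/Makefile)`.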
@@ -1,8 +1,3 @@
-; Define new class anon_inode
-(class anon_inode ())
-(classcommon anon_inode file)
-(classorder (unordered anon_inode))
-
 ; Allow all anonymous inodes
 (typeattributeset cil_gen_require test_notransition_uffd_t)
 (allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))
-- 
2.30.2