Re: [PATCH testsuite] policy: only define anon_inode class if not defined in system policy

On Fri, Apr 30, 2021 at 1:35 PM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
> Ondrej Mosnacek <omosnace@xxxxxxxxxx> writes:
>
> > When the system policy already defines this class, loading the test
> > policy fails with:
> >
> > Re-declaration of class anon_inode
> > Previous declaration of class at /var/lib/selinux/targeted/tmp/modules/100/base/cil:1003
> > Bad class declaration at /var/lib/selinux/targeted/tmp/modules/400/test_userfaultfd/cil:2
> > /usr/sbin/semodule:  Failed!
> >
> > Fix this by only including the anon_inode class declarations when it's
> > not found in the system policy headers.
>
> Reference policy does not have an "all_perms.spt" AFAIK. This might only work
> with Fedora.

Could be, but this pattern is already used elsewhere in the testsuite,
so for now this'll have to do...

>
> >
> > Fixes: 2ea007924363 ("selinux-testsuite: Add userfaultfd test")
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > ---
> >  policy/Makefile                  | 3 +++
> >  policy/test_anon_inode_class.cil | 4 ++++
> >  policy/test_userfaultfd.cil      | 5 -----
> >  3 files changed, 7 insertions(+), 5 deletions(-)
> >  create mode 100644 policy/test_anon_inode_class.cil
> >
> > diff --git a/policy/Makefile b/policy/Makefile
> > index 91364d5..dee55a2 100644
> > --- a/policy/Makefile
> > +++ b/policy/Makefile
> > @@ -39,6 +39,9 @@ ifeq ($(SUPPORTS_CIL),y)
> >  CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil
> >  # userfaultfd test policy uses also xperms
> >  ifeq ($(shell [ $(MOD_POL_VERS) -ge 18 -a $(MAX_KERNEL_POLICY) -ge 30 ] && echo true),true)
> > +ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true)
> > +CIL_TARGETS += test_anon_inode_class.cil
> > +endif
> >  CIL_TARGETS += test_userfaultfd.cil
> >  TARGETS += test_userfaultfd.te
> >  endif
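Review bot: the guard added at `+ifneq ($(shell grep -q anon_inode $(POLDEV)/include/support/all_perms.spt && echo true),true)` only tests whether the substring anon_inode occurs anywhere in one distribution-specific header, so on a policy development tree that lacks all_perms.spt grep fails (printing an error to stderr), the class is defined unconditionally, and the original re-declaration failure returns on any such base policy that already has the class. Silence the missing-file case with `grep -qs` (or `2>/dev/null`) and, where setools is available at build time, prefer querying the installed policy (for example `seinfo -c anon_inode`) over grepping headers; a short comment above the `ifneq` saying that the class declaration is skipped when the base policy already provides it would also help, since the Makefile is the only place this dependency is recorded.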
> > diff --git a/policy/test_anon_inode_class.cil b/policy/test_anon_inode_class.cil
> > new file mode 100644
> > index 0000000..3e36599
> > --- /dev/null
> > +++ b/policy/test_anon_inode_class.cil
> > @@ -0,0 +1,4 @@
> > +; Define new class anon_inode
> > +(class anon_inode ())
> > +(classcommon anon_inode file)
> > +(classorder (unordered anon_inode))
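Review bot: the header comment `; Define new class anon_inode` should say that this file is compiled only when the base policy does not already declare the class, otherwise a reader adding anon_inode rules to test_userfaultfd.cil has no way to see why the declaration lives in a separate module; it is also worth noting there that `(class anon_inode ())` declares no class-specific permissions and that create/getattr/ioctl/read come entirely from `(classcommon anon_inode file)`, so the test's permission names are the common file ones.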
> > diff --git a/policy/test_userfaultfd.cil b/policy/test_userfaultfd.cil
> > index 18d5f3f..f6a6791 100644
> > --- a/policy/test_userfaultfd.cil
> > +++ b/policy/test_userfaultfd.cil
> > @@ -1,8 +1,3 @@
> > -; Define new class anon_inode
> > -(class anon_inode ())
> > -(classcommon anon_inode file)
> > -(classorder (unordered anon_inode))
> > -
> >  ; Allow all anonymous inodes
> >  (typeattributeset cil_gen_require test_notransition_uffd_t)
> >  (allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))
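Review bot: after the declaration is dropped, the remaining `(allow test_notransition_uffd_t self (anon_inode (create getattr ioctl read)))` rule depends on the class being supplied either by the base policy or by the new test_anon_inode_class.cil module, and nothing in this file records that; a one-line comment naming that module (and the Makefile check that selects it) would let someone who hits a missing-class error when loading this module on a host where the header grep and the installed policy disagree find the cause without reading the build system.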
>
> --
> gpg --locate-keys dominick.grift@xxxxxxxxxxx
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> Dominick Grift
>


-- 
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.