Re: [PATCH testsuite 2/3] policy: allow test_ibpkey_access_t to use RDMA netlink sockets


 



On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> ibv_get_device_list(3) first tries to get the device list via netlink
> and if that fails it falls back to getting it from sysfs. Currently the
> policy denies getting it from netlink, generating some denials. Allow
> test_ibpkey_access_t the necessary permissions so it can do it the
> preferred way and doesn't generate audit AVC noise.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>  policy/test_ibpkey.te | 1 +
>  1 file changed, 1 insertion(+)

Similar to the other policy issue, it seems like this is a general
problem and not specifically a selinux-testsuite issue, right?  If
that is the case should we fix this in refpol?  I think it's okay to
put a temporary fix in the test suite, but we should also push to fix
this in refpol.

> diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
> index 97f0c3c..6835897 100644
> --- a/policy/test_ibpkey.te
> +++ b/policy/test_ibpkey.te
> @@ -11,6 +11,7 @@ testsuite_domain_type(test_ibpkey_access_t)
>  typeattribute test_ibpkey_access_t ibpkeydomain;
>
>  allow test_ibpkey_access_t self:capability ipc_lock;
> +allow test_ibpkey_access_t self:netlink_rdma_socket create_socket_perms;
>
>  dev_rw_infiniband_dev(test_ibpkey_access_t)
>  dev_rw_sysfs(test_ibpkey_access_t)
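Review bot: The added `allow test_ibpkey_access_t self:netlink_rdma_socket create_socket_perms;` rule has no comment in test_ibpkey.te saying why the domain needs an RDMA netlink socket; the reason exists only in the commit message. Suggest a one-line comment above the rule noting that ibv_get_device_list(3) tries netlink first and falls back to sysfs, and, given the point raised in the reply about fixing this in refpolicy, marking the rule as one to revisit once refpolicy covers it. It is also worth confirming that the device-list query needs the whole `create_socket_perms` set rather than a narrower list of permissions.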
> --
> 2.39.2

-- 
paul-moore.com



