Re: [PATCH testsuite 2/3] policy: allow test_ibpkey_access_t to use RDMA netlink sockets

On Tue, Feb 28, 2023 at 6:01 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > ibv_get_device_list(3) first tries to get the device list via netlink
> > and if that fails it falls back to getting it from sysfs. Currently the
> > policy denies getting it from netlink, generating some denials. Allow
> > test_ibpkey_access_t the necessary permissions so it can do it the
> > preferred way and doesn't generate audit AVC noise.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > ---
> >  policy/test_ibpkey.te | 1 +
> >  1 file changed, 1 insertion(+)
>
> Similar to the other policy issue, it seems like this is a general
> problem and not specifically a selinux-testsuite issue, right?  If
> that is the case should we fix this in refpol?  I think it's okay to
> put a temporary fix in the test suite, but we should also push to fix
> this in refpol.

Basically the same as I said in the first paragraph of my reply under
patch 1 applies here, just in this case we are talking about users of
ibv_get_device_list(3) instead of ibv_create_cq(3).

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.




