On Thu, Aug 22, 2024 at 10:37 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Wed, Aug 21, 2024 at 8:56 PM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
> >
> > On Wed, Aug 21, 2024 at 5:54 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > >
> > > On Tue, Aug 20, 2024 at 2:02 PM Stephen Smalley
> > > <stephen.smalley.work@xxxxxxxxx> wrote:
> > >
> > > Thank you for reviving this patch.
> > > Do you have a corresponding userspace patch? And for extra credit, a
> > > selinux-testsuite patch?
> > >
> >
> > Thank you for the quick response and initial feedback. I've just sent
> > the libsepol patches for userland on this mailing list.
> > For selinux-testsuite, an issue I came across while testing is that
> > the policy capabilities cannot be updated (that is, only the
> > capabilities from the original host policy are active). I am not sure
> > if I got that right or if there is any obvious solution (except
> > toggling on the new capability in Fedora).
> > I'm still hoping to get the extra credits by: updating the selinux
> > notebook documentation as well as updating setools (for sesearch
> > support). :) I will send pull requests if these patches get accepted.
>
> With your userspace patches, can't you just do this:
> $ cat netlink_xperm.cil
> (policycap netlink_xperm)
> $ sudo semodule -i netlink_xperm.cil
>
> If so, then you can add that along with corresponding allowxperm rules
> to the test policy to exercise this.

NB you may need to also allow { domain -testsuite_domain } the new nlmsg permission for all the netlink socket classes to avoid breaking the other processes running on the test system.
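The following is an added example, not part of the thread and not code from the selinux-testsuite or the libsepol patches under discussion. It sketches what a CIL test module combining Stephen's two suggestions could look like: the policycap line from his reply, allowx rules that narrow a test domain to a few netlink message types, and a blanket nlmsg allow for every non-test domain so the rest of the system keeps working. Assumptions: the type test_nlmsg_t and the attribute nontest_domain are hypothetical; the nlmsg keyword inside allowx is assumed to be the extended-permission kind that the userspace patches add alongside ioctl; the list of netlink socket classes shown is a subset and must match whichever classes the kernel patch gives the nlmsg permission; the message numbers are RTM_NEWLINK (0x10), RTM_DELLINK (0x11) and RTM_GETLINK (0x12) from the kernel's rtnetlink.h.

```cil
; Added example, not from the thread, the selinux-testsuite or libsepol.
; Enable the new capability (the line from Stephen's reply).
(policycap netlink_xperm)

; Hypothetical test domain; a real testsuite module would reuse an
; existing test type and give it the testsuite_domain attribute.
(type test_nlmsg_t)
(typeattributeset testsuite_domain (test_nlmsg_t))

; The base permission must be allowed before allowx can narrow it:
; with no allowx rule at all, nlmsg would grant every message type.
(allow test_nlmsg_t self (netlink_route_socket (create bind nlmsg)))

; Narrow the test domain to RTM_NEWLINK (0x10) and RTM_GETLINK (0x12)
; on route sockets. Any other type, e.g. RTM_DELLINK (0x11), is then
; denied, which is what a testsuite case would assert on.
; "nlmsg" as the xperm kind is assumed to be what the libsepol patches add.
(allowx test_nlmsg_t self (nlmsg netlink_route_socket (0x10 0x12)))

; Everything that is not a test domain gets nlmsg unconditionally,
; i.e. { domain -testsuite_domain } in refpolicy terms, so that other
; processes on the test box are not broken by the new permission check.
; Extend this list to every netlink socket class that carries nlmsg.
(typeattribute nontest_domain)
(typeattributeset nontest_domain (and domain (not testsuite_domain)))
(allow nontest_domain self (netlink_route_socket (nlmsg)))
(allow nontest_domain self (netlink_tcpdiag_socket (nlmsg)))
(allow nontest_domain self (netlink_xfrm_socket (nlmsg)))
(allow nontest_domain self (netlink_audit_socket (nlmsg)))
```

Load it the same way as in the thread (`semodule -i`). If the installed base policy does not yet declare an nlmsg permission on these classes, the compile fails at that point, which doubles as a quick check that the kernel and userspace on the test host are both patched. Note that the allowx rule only ever narrows: the blanket allow for nontest_domain deliberately has no allowx companion, so it preserves the pre-patch behaviour for everything outside the test domains.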