Re: [PATCH] selinux: Add netlink xperm support

On Thu, Aug 22, 2024 at 11:37 AM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Thu, Aug 22, 2024 at 10:37 AM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > On Wed, Aug 21, 2024 at 8:56 PM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
> > >
> > > On Wed, Aug 21, 2024 at 5:54 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > > >
> > > > On Tue, Aug 20, 2024 at 2:02 PM Stephen Smalley
> > > > <stephen.smalley.work@xxxxxxxxx> wrote:
> > > >
> > > > Thank you for reviving this patch.
> > > > Do you have a corresponding userspace patch? And for extra credit, a
> > > > selinux-testsuite patch?
> > > >
> > >
> > > Thank you for the quick response and initial feedback. I've just sent
> > > the libsepol patches for userland on this mailing list.
> > > For selinux-testsuite, an issue I came across while testing is that
> > > the policy capabilities cannot be updated (that is, only the
> > > capabilities from the original host policy are active). I am not sure
> > > if I got that right or if there is any obvious solution (except
> > > toggling on the new capability in Fedora).
> > > I'm still hoping to get the extra credits by: updating the selinux
> > > notebook documentation as well as updating setools (for sesearch
> > > support). :) I will send pull requests if these patches get accepted.
> >
> > With your userspace patches, can't you just do this:
> > $ cat netlink_xperm.cil
> > (policycap netlink_xperm)
> > $ sudo semodule -i netlink_xperm.cil
> >
> > If so, then you can add that along with corresponding allowxperm rules
> > to the test policy to exercise this.
>
> NB you may need to also allow { domain -testsuite_domain } the new
> nlmsg permission for all the netlink socket classes to avoid breaking
> the other processes running on the test system.

Sorry, never mind - you would still need to define the nlmsg
permission for each of the netlink socket classes and that doesn't
appear to be something one can do in anything other than the original
definition in the base module.
Oh well.
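As an added example that is not part of the thread (it is neither Stephen's nor Thiébaud's policy, nor anything from the kernel or libsepol patches), here is what a self-contained CIL test module along the lines of the suggestion above could look like. It assumes that the base policy already defines the nlmsg permission on the netlink socket classes (which, as the last message notes, a loadable module cannot add on its own), that the libsepol patches mentioned in the thread add an nlmsg extended-permission kind to CIL's allowx, and that the domain test_nlmsg_t is a hypothetical name chosen for illustration.

```cil
;; Added example, not from the mailing-list thread or the patches it discusses.
;; Assumes: base policy defines nlmsg on netlink_route_socket; libsepol/CIL
;; understands (allowx ... (nlmsg class (xperms))); test_nlmsg_t is hypothetical.

;; Turn on the new policy capability so the kernel applies extended
;; permission checks to netlink message types.
(policycap netlink_xperm)

;; Hypothetical test domain; a real selinux-testsuite policy would use its
;; own test domains and attributes instead.
(type test_nlmsg_t)

;; Base permissions: the domain may create and use its own route socket,
;; including the new nlmsg permission. Without any allowx rule below, this
;; alone would permit every message type, in the same way an allow of
;; ioctl without allowx permits every ioctl number.
(allow test_nlmsg_t self (netlink_route_socket (create bind read write nlmsg)))

;; Extended permission: the xperm value is the netlink message type.
;; Values are RTM_* constants from <linux/rtnetlink.h>:
;;   RTM_NEWLINK = 0x10, RTM_DELLINK = 0x11, RTM_GETLINK = 0x12
;; Allow only the read-only RTM_GETLINK query; RTM_NEWLINK and RTM_DELLINK
;; are left out, so sending them should produce an nlmsg denial that names
;; the message type.
(allowx test_nlmsg_t self (nlmsg netlink_route_socket (0x12)))

;; Equivalent form using a range, for a contiguous block of message types.
;; (allowx test_nlmsg_t self (nlmsg netlink_route_socket (range 0x12 0x12)))
```

Loaded with semodule -i as in the thread, this gives a test two distinguishable cases from one domain: an RTM_GETLINK dump that succeeds and an RTM_NEWLINK or RTM_DELLINK request that is denied on the nlmsg permission, which is the behaviour a selinux-testsuite case would assert on. The assumption that nlmsg is already present in the base module's class definitions is exactly the obstacle the last message raises, so on a stock distribution policy this module would fail to load until that definition exists.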
