On Thu, Aug 29, 2024 at 6:00 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> Add tests for netlink xperms. Test program is based on an earlier test
> program for netlink_send checking by Paul Moore. Exercising these
> tests depends on the corresponding kernel patch, userspace patches,
> and updating the base policy to define the new nlmsg permissions
> and to enable the new netlink_xperm policy capability.
>
> For testing purposes, you can update the base policy by manually
> modifying your base module and tweaking /usr/share/selinux/devel
> (latter only required due to writing the test policy as a .te file
> rather than as .cil in order to use the test macros) as follows:
> sudo semodule -c -E base
> sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" base.cil
> sudo semodule -i base.cil
> echo "(policycap netlink_xperm)" > netlink_xperm.cil
> sudo semodule -i netlink_xperm.cil
> sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" \
>   /usr/share/selinux/devel/include/support/all_perms.spt
>
> When finished testing, you can semodule -r base netlink_xperm to
> undo the two module changes and restore your all_perms.spt file
> from the saved .orig file.
>
> NB The above may lead to unexpected denials of the new nlmsg permission
> for existing domains on your system and prevent new ssh sessions from
> being created. Recommend only inserting the netlink_xperm.cil module
> just prior to running the testsuite and removing immediately thereafter.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>

Thank you Stephen. I was able to reproduce on Fedora rawhide, following your
instructions.

Tested-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
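As an added example (my script, not part of Stephen's patch, the thread, or the testsuite), the manual steps above wrapped so that the netlink_xperm module is installed only around the testsuite run and every change is undone on exit; the testsuite directory and invocation are assumptions, set via TESTSUITE_DIR and TESTSUITE_CMD.

```shell
#!/bin/sh
# Added example, not from the patch or the thread: applies the manual policy
# steps from the message, keeps the netlink_xperm module installed only for the
# duration of the testsuite run, and undoes every change on exit.
set -eu

ALL_PERMS=/usr/share/selinux/devel/include/support/all_perms.spt
# Assumptions: where the testsuite checkout is and how it is invoked.
TESTSUITE_DIR="${TESTSUITE_DIR:-$PWD}"
TESTSUITE_CMD="${TESTSUITE_CMD:-make test}"

# Pure helper (stdin -> stdout): the same substitution the message applies with
# sed -i, putting the new nlmsg permission in front of nlmsg_read.
rewrite_nlmsg_perms() {
    sed 's/nlmsg_read/nlmsg nlmsg_read/'
}

# Undo: drop the two modules, then restore all_perms.spt from its .orig copy.
cleanup() {
    sudo semodule -r base netlink_xperm || true
    if [ -f "$ALL_PERMS.orig" ]; then
        sudo mv "$ALL_PERMS.orig" "$ALL_PERMS"
    fi
}

run_netlink_xperm_tests() {
    workdir=$(mktemp -d)
    cd "$workdir"
    trap cleanup EXIT

    # 1. Declare the nlmsg permission in a copy of the base module (the file
    #    must stay named base.cil so it overrides the installed base module).
    sudo semodule -c -E base
    rewrite_nlmsg_perms < base.cil > base.cil.new && mv -f base.cil.new base.cil
    sudo semodule -i base.cil

    # 2. Patch the test macros' permission list, keeping an .orig copy.
    sudo cp "$ALL_PERMS" "$ALL_PERMS.orig"
    rewrite_nlmsg_perms < "$ALL_PERMS.orig" | sudo tee "$ALL_PERMS" >/dev/null

    # 3. Enable the capability only now, right before the run, since from this
    #    point nlmsg denials can hit existing domains (e.g. new ssh sessions).
    echo "(policycap netlink_xperm)" > netlink_xperm.cil
    sudo semodule -i netlink_xperm.cil
    (cd "$TESTSUITE_DIR" && $TESTSUITE_CMD)   # EXIT trap cleans up afterwards
}
```

Call `run_netlink_xperm_tests` from the testsuite checkout; the EXIT trap also runs if the testsuite fails part-way, so the policy capability is not left enabled.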