On Mon, Sep 16, 2024 at 9:04 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Wed, Aug 28, 2024 at 4:00 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > Add tests for netlink xperms. Test program is based on an earlier test
> > program for netlink_send checking by Paul Moore. Exercising these
> > tests depends on the corresponding kernel patch, userspace patches,
> > and updating the base policy to define the new nlmsg permissions
> > and to enable the new netlink_xperm policy capability.
> >
> > For testing purposes, you can update the base policy by manually
> > modifying your base module and tweaking /usr/share/selinux/devel
> > (latter only required due to writing the test policy as a .te file
> > rather than as .cil in order to use the test macros) as follows:
> > sudo semodule -c -E base
> > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" base.cil
> > sudo semodule -i base.cil
> > echo "(policycap netlink_xperm)" > netlink_xperm.cil
> > sudo semodule -i netlink_xperm.cil
> > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" \
> > /usr/share/selinux/devel/include/support/all_perms.spt
> >
> > When finished testing, you can semodule -r base netlink_xperm to
> > undo the two module changes and restore your all_perms.spt file
> > from the saved .orig file.
> >
> > NB The above may lead to unexpected denials of the new nlmsg permission
> > for existing domains on your system and prevent new ssh sessions from
> > being created. Recommend only inserting the netlink_xperm.cil module
> > just prior to running the testsuite and removing immediately thereafter.
> >
> > Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
>
> Now that the kernel and userspace patches have been accepted, can we
> get this testsuite patch merged please? The test will only be enabled
> when the underlying policy defines the new nlmsg permission and
> enables the new netlink_xperm policy capability, so it won't break
> anything in the interim. We will need to separately submit a patch for
> refpolicy and/or Fedora policy to add these.

Any objections to merging these tests now that the corresponding kernel support is merged? They will only run if the underlying base policy defines the new nlmsg permissions and enables the new netlink_xperm policy capability, so nothing should break in the interim.
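The setup and teardown steps quoted above, wrapped in a script so the policy change is applied, verified and reverted in one place; this is an added example, not part of the patch or the testsuite. It assumes the paths from the message and that the kernel exposes the capability under /sys/fs/selinux/policy_capabilities/ by its policycap name.

```shell
#!/bin/sh
# Added helper for the netlink_xperm test setup/teardown (not from the patch).
# Assumes the paths from the mail and a sysfs file named after the policycap.
set -eu

SUPPORT_SPT=/usr/share/selinux/devel/include/support/all_perms.spt
CAP_FILE=/sys/fs/selinux/policy_capabilities/netlink_xperm   # assumed name

# Insert the new "nlmsg" permission ahead of "nlmsg_read" in a policy or macro
# file, keeping a .orig backup beside it (same sed as in the patch description).
add_nlmsg_perm() {
    sed -i.orig 's/nlmsg_read/nlmsg nlmsg_read/' "$1"
}

# Return 0 only when the loaded policy actually enables netlink_xperm; on a
# kernel without the capability the file is absent and this returns 1, which
# is the case in which the testsuite skips these tests.
netlink_xperm_enabled() {
    [ -r "$CAP_FILE" ] && [ "$(cat "$CAP_FILE")" = "1" ]
}

# Apply the base-module and devel-header tweaks, then confirm they took effect.
setup() {
    semodule -c -E base                  # extract the base module as base.cil
    add_nlmsg_perm base.cil
    semodule -i base.cil
    printf '(policycap netlink_xperm)\n' > netlink_xperm.cil
    semodule -i netlink_xperm.cil
    add_nlmsg_perm "$SUPPORT_SPT"
    netlink_xperm_enabled || { echo "netlink_xperm not active after load" >&2; exit 1; }
}

# Revert the two module changes and restore the saved all_perms.spt.
teardown() {
    semodule -r base netlink_xperm
    mv "$SUPPORT_SPT.orig" "$SUPPORT_SPT"
}

case "${1:-}" in
    setup)    setup ;;
    teardown) teardown ;;
esac
```

Run as root with `setup` just before the testsuite and `teardown` right after, since the loaded policycap can cause the nlmsg denials the message warns about.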