On Tue, Oct 8, 2024 at 9:02 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> On Mon, Sep 16, 2024 at 9:04 AM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > On Wed, Aug 28, 2024 at 4:00 PM Stephen Smalley
> > <stephen.smalley.work@xxxxxxxxx> wrote:
> > >
> > > Add tests for netlink xperms. Test program is based on an earlier test
> > > program for netlink_send checking by Paul Moore. Exercising these
> > > tests depends on the corresponding kernel patch, userspace patches,
> > > and updating the base policy to define the new nlmsg permissions
> > > and to enable the new netlink_xperm policy capability.
> > >
> > > For testing purposes, you can update the base policy by manually
> > > modifying your base module and tweaking /usr/share/selinux/devel
> > > (latter only required due to writing the test policy as a .te file
> > > rather than as .cil in order to use the test macros) as follows:
> > > sudo semodule -c -E base
> > > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" base.cil
> > > sudo semodule -i base.cil
> > > echo "(policycap netlink_xperm)" > netlink_xperm.cil
> > > sudo semodule -i netlink_xperm.cil
> > > sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" \
> > > /usr/share/selinux/devel/include/support/all_perms.spt
> > >
> > > When finished testing, you can semodule -r base netlink_xperm to
> > > undo the two module changes and restore your all_perms.spt file
> > > from the saved .orig file.
> > >
> > > NB The above may lead to unexpected denials of the new nlmsg permission
> > > for existing domains on your system and prevent new ssh sessions from
> > > being created. Recommend only inserting the netlink_xperm.cil module
> > > just prior to running the testsuite and removing immediately thereafter.
> > >
> > > Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> >
> > Now that the kernel and userspace patches have been accepted, can we
> > get this testsuite patch merged please? The test will only be enabled
> > when the underlying policy defines the new nlmsg permission and
> > enables the new netlink_xperm policy capability, so it won't break
> > anything in the interim. We will need to separately submit a patch for
> > refpolicy and/or Fedora policy to add these.
>
> Any objections to merging these tests now that the corresponding
> kernel support is merged?

Not from me, although since the kernel support was merged less than 24
hours ago I might give Ondrej another day or two just in case he was
waiting on that. If we still haven't heard from Ondrej towards the end
of the week I think it's fair game to merge, I would have thought if he
had any concerns he would have voiced them by now.

> They will only run if the underlying base policy defines the new nlmsg
> permissions and enables the new netlink_xperm policy capability so
> nothing should break in the interim.

--
paul-moore.com
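The manual base-policy tweak quoted in the thread, wrapped as a script. This is an added example, not code from the thread, the selinux-testsuite or its authors. It keeps the file names and commands from Stephen's mail (semodule -c -E base, the sed on base.cil and all_perms.spt, the one-line policycap module) and adds three things the mail does not have: the sed helper refuses to run twice on the same file (a second pass of the original sed would produce "nlmsg nlmsg nlmsg_read"), a policy_ready check that tests the same condition the tests gate on (nlmsg defined and netlink_xperm enabled), and an undo that also restores all_perms.spt from the .orig copy. SUDO is empty by default so the helpers can be exercised on scratch files; only `sh script.sh apply` / `sh script.sh undo` touch the live policy.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the base-policy tweak
# Stephen describes above. File names follow the mail; the idempotency
# check, policy_ready and the apply/undo wrappers are additions.
# SUDO is empty by default so the helpers can run on scratch files.
set -eu
SUDO="${SUDO:-}"

# Insert the new 'nlmsg' permission before 'nlmsg_read', keeping a .orig
# copy (same sed as the mail). Skips files that already list a standalone
# 'nlmsg', so a second run does not yield 'nlmsg nlmsg nlmsg_read'.
add_nlmsg_perm() {
    if grep -wq nlmsg "$1"; then
        return 0
    fi
    $SUDO sed -i.orig 's/nlmsg_read/nlmsg nlmsg_read/' "$1"
}

# Write the one-line CIL module that enables the policy capability.
write_policycap_module() {
    printf '(policycap netlink_xperm)\n' > "$1"
}

# Exit 0 when the given CIL source both lists 'nlmsg' as a permission and
# enables netlink_xperm: the condition under which the tests will run.
policy_ready() {
    grep -wq nlmsg "$1" && grep -q '(policycap netlink_xperm)' "$1"
}

# The full sequence from the mail, built from the helpers above.
apply_tweak() {
    SUDO=sudo
    sudo semodule -c -E base
    add_nlmsg_perm base.cil
    sudo semodule -i base.cil
    write_policycap_module netlink_xperm.cil
    sudo semodule -i netlink_xperm.cil
    add_nlmsg_perm /usr/share/selinux/devel/include/support/all_perms.spt
}

# Undo: drop both modules and put the saved all_perms.spt back.
undo_tweak() {
    sudo semodule -r base netlink_xperm
    sudo mv /usr/share/selinux/devel/include/support/all_perms.spt.orig \
            /usr/share/selinux/devel/include/support/all_perms.spt
}

case "${1:-}" in
    apply) apply_tweak ;;
    undo)  undo_tweak ;;
esac
```

As the mail notes, the netlink_xperm module can cause fresh nlmsg denials for existing domains (including new ssh sessions), so `apply` is meant to be run right before the testsuite and `undo` right after.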