Re: [PATCH testsuite] policy,tests: add tests for netlink xperms

On Tue, Oct 8, 2024 at 3:41 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Tue, Oct 8, 2024 at 9:02 AM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> > On Mon, Sep 16, 2024 at 9:04 AM Stephen Smalley
> > <stephen.smalley.work@xxxxxxxxx> wrote:
> > >
> > > On Wed, Aug 28, 2024 at 4:00 PM Stephen Smalley
> > > <stephen.smalley.work@xxxxxxxxx> wrote:
> > > >
> > > > Add tests for netlink xperms. Test program is based on an earlier test
> > > > program for netlink_send checking by Paul Moore. Exercising these
> > > > tests depends on the corresponding kernel patch, userspace patches,
> > > > and updating the base policy to define the new nlmsg permissions
> > > > and to enable the new netlink_xperm policy capability.
> > > >
> > > > For testing purposes, you can update the base policy by manually
> > > > modifying your base module and tweaking /usr/share/selinux/devel
> > > > (latter only required due to writing the test policy as a .te file
> > > > rather than as .cil in order to use the test macros) as follows:
> > > >     sudo semodule -c -E base
> > > >     sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" base.cil
> > > >     sudo semodule -i base.cil
> > > >     echo "(policycap netlink_xperm)" > netlink_xperm.cil
> > > >     sudo semodule -i netlink_xperm.cil
> > > >     sudo sed -i.orig "s/nlmsg_read/nlmsg nlmsg_read/" \
> > > >         /usr/share/selinux/devel/include/support/all_perms.spt
> > > >
> > > > When finished testing, you can semodule -r base netlink_xperm to
> > > > undo the two module changes and restore your all_perms.spt file
> > > > from the saved .orig file.
> > > >
> > > > NB The above may lead to unexpected denials of the new nlmsg permission
> > > > for existing domains on your system and prevent new ssh sessions from
> > > > being created. Recommend only inserting the netlink_xperm.cil module
> > > > just prior to running the testsuite and removing immediately thereafter.
> > > >
> > > > Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> > >
> > > Now that the kernel and userspace patches have been accepted, can we
> > > get this testsuite patch merged please? The test will only be enabled
> > > when the underlying policy defines the new nlmsg permission and
> > > enables the new netlink_xperm policy capability, so it won't break
> > > anything in the interim. We will need to separately submit a patch for
> > > refpolicy and/or Fedora policy to add these.
> >
> > Any objections to merging these tests now that the corresponding
> > kernel support is merged?
>
> Not from me, although since the kernel support was merged less than 24
> hours ago I might give Ondrej another day or two just in case he was
> waiting on that.  If we still haven't heard from Ondrej towards the
> end of the week I think it's fair game to merge, I would have thought
> if he had any concerns he would have voiced them by now.

It is now applied:
https://github.com/SELinuxProject/selinux-testsuite/commit/023b79b8319e5fe222fb5af892c579593e1cbc50

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
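The thread notes that the new test only runs once the loaded policy defines the nlmsg permission and enables the netlink_xperm policy capability. The following shell snippet is an added example, not code from this thread or from the selinux-testsuite, that checks both preconditions by reading selinuxfs; it assumes selinuxfs is mounted at /sys/fs/selinux (overridable through SELINUXFS) and uses netlink_route_socket as the default class to inspect.

```shell
#!/bin/sh
# Added example (not from the thread or the testsuite): report whether the
# running policy defines the nlmsg permission on a netlink socket class and
# has the netlink_xperm policy capability enabled, using selinuxfs.
# Assumptions: selinuxfs at $SELINUXFS (default /sys/fs/selinux); the class
# checked defaults to netlink_route_socket.

SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"

# Returns 0 when class $1 lists permission $2 under its perms directory.
policy_has_perm() {
    [ -e "$SELINUXFS/class/$1/perms/$2" ]
}

# Returns 0 when policy capability $1 is present and reads as 1.
policy_cap_enabled() {
    f="$SELINUXFS/policy_capabilities/$1"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Prints "ready" or "not-ready"; returns 0 only when both conditions hold,
# i.e. when the netlink xperms test would be enabled for that policy.
netlink_xperm_ready() {
    cls="${1:-netlink_route_socket}"
    if policy_has_perm "$cls" nlmsg && policy_cap_enabled netlink_xperm; then
        echo ready
        return 0
    fi
    echo not-ready
    return 1
}
```

Running it before inserting netlink_xperm.cil and again after `semodule -r base netlink_xperm` shows whether the temporary policy change took effect and was fully undone.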