On Wed, Nov 6, 2024 at 4:44 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> These are only needed when peer labeling is enabled, which is normally
> true only in some parts of the testsuite, but nothing prevents it from
> being enabled the whole time (either by configuration or policy
> capability), so better add the missing rules.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
> policy/test_sctp.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/policy/test_sctp.te b/policy/test_sctp.te
> index 8db84a3..fb057b9 100644
> --- a/policy/test_sctp.te
> +++ b/policy/test_sctp.te
> @@ -122,6 +122,7 @@ typeattribute test_sctp_connectx_t sctpsocketdomain;
> allow test_sctp_connectx_t self:sctp_socket create_stream_socket_perms;
> corenet_sctp_bind_all_nodes(test_sctp_connectx_t)
> corenet_inout_generic_node(test_sctp_connectx_t)
> +corenet_inout_generic_if(test_sctp_connectx_t)
>
> #
> ############################# Deny Connectx #################################
> @@ -132,6 +133,7 @@ typeattribute test_sctp_deny_connectx_t sctpsocketdomain;
> allow test_sctp_deny_connectx_t self:sctp_socket { create listen accept bind ioctl read getattr write getopt setopt };
> corenet_sctp_bind_all_nodes(test_sctp_deny_connectx_t)
> corenet_inout_generic_node(test_sctp_deny_connectx_t)
> +corenet_inout_generic_if(test_sctp_deny_connectx_t)
>
> #
> ############################## Bindx #####################################
> @@ -142,6 +144,7 @@ typeattribute test_sctp_bindx_t sctpsocketdomain;
> allow test_sctp_bindx_t self:sctp_socket create_stream_socket_perms;
> corenet_sctp_bind_all_nodes(test_sctp_bindx_t)
> corenet_inout_generic_node(test_sctp_bindx_t)
> +corenet_inout_generic_if(test_sctp_bindx_t)
>
> #
> ############################## Deny Bindx ###################################
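Review bot: The added `corenet_inout_generic_if(...)` lines in all five hunks (@@ -122, -132, -142, -152 and -162) carry no comment saying they are exercised only when peer labeling is enabled, so a later least-privilege cleanup run on a default configuration could drop them as unused. A one-line comment above each, e.g. `# netif ingress/egress is only checked when peer labeling is enabled`, would keep the reason next to the rule. For the two deny domains (`test_sctp_deny_connectx_t`, `test_sctp_deny_bindx_t`) it is also worth noting in the comment that the expected failure must still come from the withheld sctp_socket permission and not from the interface check. Since every domain touched is tagged `sctpsocketdomain`, granting the rule once on that attribute may be simpler, provided no other member of the attribute is meant to be denied it; the rest of the file is not visible in these hunks.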
> @@ -152,6 +155,7 @@ typeattribute test_sctp_deny_bindx_t sctpsocketdomain;
> allow test_sctp_deny_bindx_t self:sctp_socket { create ioctl read getattr write getopt setopt };
> corenet_sctp_bind_all_nodes(test_sctp_deny_bindx_t)
> corenet_inout_generic_node(test_sctp_deny_bindx_t)
> +corenet_inout_generic_if(test_sctp_deny_bindx_t)
>
> #
> ############################# ASCONF Server ##############################
> @@ -162,6 +166,7 @@ typeattribute sctp_asconf_params_server_t sctpsocketdomain;
> allow sctp_asconf_params_server_t self:sctp_socket { create listen bind ioctl read getattr write getopt setopt };
> corenet_sctp_bind_all_nodes(sctp_asconf_params_server_t)
> corenet_inout_generic_node(sctp_asconf_params_server_t)
> +corenet_inout_generic_if(sctp_asconf_params_server_t)
>
> #
> ############################# ASCONF Client ##############################
> --
> 2.47.0
>
This patch is now applied: https://github.com/SELinuxProject/selinux-testsuite/commit/000b2bf26254ff2607d3b13aba87ac2c998a2386
-- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.