Message ID | 1499944132-6721-1-git-send-email-mmalik@redhat.com (mailing list archive) |
---|---|
State | Changes Requested |
On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> This patch contains tests for classes which are already supported for a
> long time but are not tested by the selinux-testsuite yet. These tests
> involve classes like: netlink_route_socket, netlink_xfrm_socket,
> netlink_selinux_socket, netlink_audit_socket,
> netlink_kobject_uevent_socket, netlink_connector_socket,
> netlink_scsitransport_socket, netlink_fib_lookup_socket.

These look fine (aside from a whitespace issue which git am complained
about) and ran successfully for me on Fedora, but I did have one
question:

policy/Makefile and tests/Makefile only enable the netlink_socket tests
if the new netlink socket classes are defined by the base policy, and
tests/Makefile further excludes them from running on RHEL7 because
RHEL7.3 back-ported the policy change defining the new classes but not
the kernel support. In contrast, the tests you are adding could be run
on RHEL7 (and earlier). If we want them to be run on RHEL7 or earlier,
then you need to split them into their own test policy and test case
that can be separately enabled, or otherwise wrap the current ones to
allow use on RHEL7. You can see examples in other test policies and
scripts of such conditional inclusion of subsets of the tests/policies
(e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit
b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
tested on RHEL7 or earlier?

> > Signed-off-by: Milos Malik <mmalik@redhat.com> > --- > policy/test_netlink_socket.te | 8 ++++ > tests/netlink_socket/test | 99 > ++++++++++++++++++++++++++++++++++++++++++- > 2 files changed, 106 insertions(+), 1 deletion(-) > > diff --git a/policy/test_netlink_socket.te > b/policy/test_netlink_socket.te > index c852c04..aaa6e4d 100644 > --- a/policy/test_netlink_socket.te > +++ b/policy/test_netlink_socket.te 
> @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket) > netlink_socket_test(netlink_netfilter_socket) > netlink_socket_test(netlink_generic_socket) > netlink_socket_test(netlink_crypto_socket) > +netlink_socket_test(netlink_route_socket) > +netlink_socket_test(netlink_xfrm_socket) > +netlink_socket_test(netlink_selinux_socket) > +netlink_socket_test(netlink_audit_socket) > +netlink_socket_test(netlink_kobject_uevent_socket) > +netlink_socket_test(netlink_connector_socket) > +netlink_socket_test(netlink_scsitransport_socket) > +netlink_socket_test(netlink_fib_lookup_socket) > > # > # Common rules for all netlink socket class test domains. > diff --git a/tests/netlink_socket/test b/tests/netlink_socket/test > index 487edbc..cc8c2d4 100755 > --- a/tests/netlink_socket/test > +++ b/tests/netlink_socket/test > @@ -1,7 +1,7 @@ > #!/usr/bin/perl > > use Test; > -BEGIN { plan tests => 8 } > +BEGIN { plan tests => 24 } > > $basedir = $0; > $basedir =~ s|(.*)/[^/]*|$1|; 
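Review bot: the eight netlink_socket_test() calls added to test_netlink_socket.te after netlink_socket_test(netlink_crypto_socket) inherit the gate that policy/Makefile already applies to this file, namely that the base policy defines the newer classes (iscsi, netfilter, generic, crypto), so the route, xfrm, selinux, audit, kobject_uevent, connector, scsitransport and fib_lookup domains will be skipped together with the newer ones on any build where only the long-standing classes exist, even though those classes are exactly the ones such a system can test. If these are meant to run on RHEL7 or earlier, put them in a separately enabled .te (or a separately guarded block of this file) so the Makefile can include them independently of the newer classes.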
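Review bot: `+BEGIN { plan tests => 24 }` hard-codes 8 existing plus 16 new checks, which is the right count for this patch as posted, but if the new classes are split into a separately enabled subset the fixed plan will make Test report a wrong plan whenever that subset is skipped. Consider deriving the plan from the list of classes actually being exercised (two checks per class plus the existing eight) instead of a literal, so a conditional subset does not require editing the count by hand.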
> @@ -53,3 +53,100 @@ $result = system( > "runcon -t test_no_netlink_crypto_socket_t -- $basedir/netlinkcreate > crypto 2>&1" > ); > ok($result); > + > +# Verify that test_netlink_route_socket_t can create a NETLINK_ROUTE > socket. > +$result = system( > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate > route 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_route_socket_t cannot create a > NETLINK_ROUTE socket. > +$result = system( > +"runcon -t test_no_netlink_route_socket_t -- $basedir/netlinkcreate > route 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_xfrm_socket_t can create a NETLINK_XFRM > socket. > +$result = system( > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate xfrm > 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_xfrm_socket_t cannot create a > NETLINK_XFRM socket. > +$result = system( > +"runcon -t test_no_netlink_xfrm_socket_t -- $basedir/netlinkcreate > xfrm 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_selinux_socket_t can create a > NETLINK_SELINUX socket. > +$result = system( > +"runcon -t test_netlink_selinux_socket_t -- $basedir/netlinkcreate > selinux 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_selinux_socket_t cannot create a > NETLINK_SELINUX socket. > +$result = system( > +"runcon -t test_no_netlink_selinux_socket_t -- > $basedir/netlinkcreate selinux 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_audit_socket_t can create a NETLINK_AUDIT > socket. > +$result = system( > +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate > audit 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_audit_socket_t cannot create a > NETLINK_AUDIT socket. 
> +$result = system( > +"runcon -t test_no_netlink_audit_socket_t -- $basedir/netlinkcreate > audit 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_kobject_uevent_socket_t can create a > NETLINK_KOBJECT_UEVENT socket. > +$result = system( > +"runcon -t test_netlink_kobject_uevent_socket_t -- > $basedir/netlinkcreate kobject_uevent 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot create > a NETLINK_KOBJECT_UEVENT socket. > +$result = system( > +"runcon -t test_no_netlink_kobject_uevent_socket_t -- > $basedir/netlinkcreate kobject_uevent 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_connector_socket_t can create a > NETLINK_CONNECTOR socket. > +$result = system( > +"runcon -t test_netlink_connector_socket_t -- $basedir/netlinkcreate > connector 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_connector_socket_t cannot create a > NETLINK_CONNECTOR socket. > +$result = system( > +"runcon -t test_no_netlink_connector_socket_t -- > $basedir/netlinkcreate connector 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_scsitransport_socket_t can create a > NETLINK_SCSITRANSPORT socket. > +$result = system( > +"runcon -t test_netlink_scsitransport_socket_t -- > $basedir/netlinkcreate scsitransport 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_scsitransport_socket_t cannot create a > NETLINK_SCSITRANSPORT socket. > +$result = system( > +"runcon -t test_no_netlink_scsitransport_socket_t -- > $basedir/netlinkcreate scsitransport 2>&1" > +); > +ok($result); > + > +# Verify that test_netlink_fib_lookup_socket_t can create a > NETLINK_FIB_LOOKUP socket. > +$result = system( > +"runcon -t test_netlink_fib_lookup_socket_t -- > $basedir/netlinkcreate fib_lookup 2>&1" > +); > +ok( $result, 0 ); > + > +# Verify that test_no_netlink_fib_lookup_socket_t cannot create a > NETLINK_FIB_LOOKUP socket. 
> +$result = system( > +"runcon -t test_no_netlink_fib_lookup_socket_t -- > $basedir/netlinkcreate fib_lookup 2>&1" > +); > +ok($result); > +
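Review bot: every new "cannot create" check in this hunk uses `ok($result)`, which passes on any nonzero status from system(), so a failure of runcon itself (for example because test_no_netlink_route_socket_t is not defined in the loaded policy, which is precisely the state of a build that skips this test policy) is reported as a pass instead of a denial; this follows the existing crypto check above, but the new checks multiply the problem by eight. Check the exact status that netlinkcreate returns on EACCES rather than accepting any failure, or have the helper print the errno and match on it. Separately, the sixteen blocks differ only in the domain and protocol name, so a loop over a list of (class, protocol) pairs would keep them in step with the plan count and make conditional inclusion a one-line change.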
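To make concrete what these create checks exercise, here is an added example written for this page; it is not the testsuite's own netlinkcreate helper or any other project code. It maps the protocol names used by the test script to NETLINK_* constants and to the netlink_*_socket class the kernel checks, optionally confirms via selinuxfs that the loaded policy defines that class, and then attempts socket(AF_NETLINK, SOCK_RAW, proto). Run under runcon -t test_no_netlink_route_socket_t (domain name taken from the patch; the test policy is assumed to be loaded), the create denial shows up as EACCES. The selinuxfs path and the assumption that /sys/fs/selinux/class/<name> exists only when the policy defines the class are mine, and the caveat matters for the thread: that check only proves the policy knows the class, not that the running kernel classifies sockets into it, which is exactly the RHEL7.3 mismatch described above.

```c
/*
 * netlink_create_probe.c: added example, not the selinux-testsuite's
 * netlinkcreate. Creates a netlink socket of the named protocol and
 * reports the result; under an SELinux domain lacking "create" on the
 * matching netlink_*_socket class, socket(2) fails with EACCES.
 *
 * Assumptions: Linux with <linux/netlink.h>; selinuxfs mounted at
 * /sys/fs/selinux with one directory per policy class under class/.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <linux/netlink.h>

struct nl_family {
    const char *name;      /* protocol name as passed by the test script */
    int proto;             /* NETLINK_* protocol number */
    const char *selclass;  /* SELinux class the kernel maps the socket to */
};

/* The eight classes added by the patch under discussion. */
static const struct nl_family families[] = {
    { "route",          NETLINK_ROUTE,          "netlink_route_socket" },
    { "xfrm",           NETLINK_XFRM,           "netlink_xfrm_socket" },
    { "selinux",        NETLINK_SELINUX,        "netlink_selinux_socket" },
    { "audit",          NETLINK_AUDIT,          "netlink_audit_socket" },
    { "kobject_uevent", NETLINK_KOBJECT_UEVENT, "netlink_kobject_uevent_socket" },
    { "connector",      NETLINK_CONNECTOR,      "netlink_connector_socket" },
    { "scsitransport",  NETLINK_SCSITRANSPORT,  "netlink_scsitransport_socket" },
    { "fib_lookup",     NETLINK_FIB_LOOKUP,     "netlink_fib_lookup_socket" },
};

/* NETLINK_* number for a protocol name, or -1 if the name is unknown. */
int netlink_proto_by_name(const char *name)
{
    for (size_t i = 0; i < sizeof families / sizeof families[0]; i++)
        if (strcmp(families[i].name, name) == 0)
            return families[i].proto;
    return -1;
}

/* SELinux class name the kernel uses for a protocol name, or NULL. */
const char *netlink_class_by_name(const char *name)
{
    for (size_t i = 0; i < sizeof families / sizeof families[0]; i++)
        if (strcmp(families[i].name, name) == 0)
            return families[i].selclass;
    return NULL;
}

/*
 * Nonzero if the loaded policy defines selclass (assumption: selinuxfs
 * exposes <selinuxfs>/class/<name> for every class in the policy).
 * This says nothing about whether the running kernel maps sockets to
 * that class, which is the RHEL7.3 backport situation from the thread.
 */
int policy_defines_class(const char *selinuxfs, const char *selclass)
{
    char path[512];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/class/%s", selinuxfs, selclass) >= (int)sizeof path)
        return 0;
    return stat(path, &st) == 0 && S_ISDIR(st.st_mode);
}

/* Try to create the socket; returns 0 on success or the errno value. */
int netlink_try_create(int proto)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, proto);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <route|xfrm|selinux|audit|kobject_uevent|connector|scsitransport|fib_lookup>\n", argv[0]);
        return 2;
    }
    int proto = netlink_proto_by_name(argv[1]);
    if (proto < 0) {
        fprintf(stderr, "unknown netlink protocol name '%s'\n", argv[1]);
        return 2;
    }
    const char *selclass = netlink_class_by_name(argv[1]);
    if (!policy_defines_class("/sys/fs/selinux", selclass))
        fprintf(stderr, "note: loaded policy does not define class %s\n", selclass);
    int err = netlink_try_create(proto);
    if (err) {
        fprintf(stderr, "socket(AF_NETLINK, SOCK_RAW, %d) failed: %s\n", proto, strerror(err));
        return 1;
    }
    printf("created %s socket (SELinux class %s)\n", argv[1], selclass);
    return 0;
}
```

Exit status 1 on failure is deliberate: a test script that checks for that exact value, rather than for any nonzero status, can tell an EACCES denial in the "no" domain from runcon failing to enter the domain at all.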
On Thu, 2017-07-13 at 12:53 -0400, Stephen Smalley wrote:
> On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > This patch contains tests for classes which are already supported for a
> > long time but are not tested by the selinux-testsuite yet. These tests
> > involve classes like: netlink_route_socket, netlink_xfrm_socket,
> > netlink_selinux_socket, netlink_audit_socket,
> > netlink_kobject_uevent_socket, netlink_connector_socket,
> > netlink_scsitransport_socket, netlink_fib_lookup_socket.
>
> These look fine (aside from a whitespace issue which git am complained
> about) and ran successfully for me on Fedora, but I did have one
> question:
>
> policy/Makefile and tests/Makefile only enable the netlink_socket tests
> if the new netlink socket classes are defined by the base policy, and
> tests/Makefile further excludes them from running on RHEL7 because
> RHEL7.3 back-ported the policy change defining the new classes but not
> the kernel support. In contrast, the tests you are adding could be run
> on RHEL7 (and earlier). If we want them to be run on RHEL7 or earlier,
> then you need to split them into their own test policy and test case
> that can be separately enabled, or otherwise wrap the current ones to
> allow use on RHEL7. You can see examples in other test policies and
> scripts of such conditional inclusion of subsets of the tests/policies
> (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit
> b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
> tested on RHEL7 or earlier?

Also, I wanted to mention that this still doesn't address testing of
the finer-grained permissions for netlink sockets, e.g.
nlmsg_read/write/..., as noted in the open issue:
https://github.com/SELinuxProject/selinux-testsuite/issues/17

That isn't an obstacle to taking this one, but wanted to note that we
still want to address that at some point.
Also, on the kernel side, we might want to consider defining those
permissions for more of the netlink socket classes, particularly the
newer ones, if/where it makes sense to do so. Or, alternatively, to
implement support analogous to the ioctl whitelisting support for
netlink messages so that we can do fine-grained restrictions there.

> > > > > Signed-off-by: Milos Malik <mmalik@redhat.com> > > --- > > policy/test_netlink_socket.te | 8 ++++ > > tests/netlink_socket/test | 99 > > ++++++++++++++++++++++++++++++++++++++++++- > > 2 files changed, 106 insertions(+), 1 deletion(-) > > > > diff --git a/policy/test_netlink_socket.te > > b/policy/test_netlink_socket.te > > index c852c04..aaa6e4d 100644 > > --- a/policy/test_netlink_socket.te > > +++ b/policy/test_netlink_socket.te > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket) > > netlink_socket_test(netlink_netfilter_socket) > > netlink_socket_test(netlink_generic_socket) > > netlink_socket_test(netlink_crypto_socket) > > +netlink_socket_test(netlink_route_socket) > > +netlink_socket_test(netlink_xfrm_socket) > > +netlink_socket_test(netlink_selinux_socket) > > +netlink_socket_test(netlink_audit_socket) > > +netlink_socket_test(netlink_kobject_uevent_socket) > > +netlink_socket_test(netlink_connector_socket) > > +netlink_socket_test(netlink_scsitransport_socket) > > +netlink_socket_test(netlink_fib_lookup_socket) > > > > # > > # Common rules for all netlink socket class test domains. > > diff --git a/tests/netlink_socket/test b/tests/netlink_socket/test > > index 487edbc..cc8c2d4 100755 > > --- a/tests/netlink_socket/test > > +++ b/tests/netlink_socket/test > > @@ -1,7 +1,7 @@ > > #!/usr/bin/perl > > > > use Test; > > -BEGIN { plan tests => 8 } > > +BEGIN { plan tests => 24 } > > > > $basedir = $0; > > $basedir =~ s|(.*)/[^/]*|$1|; 
> > @@ -53,3 +53,100 @@ $result = system( > > "runcon -t test_no_netlink_crypto_socket_t -- > > $basedir/netlinkcreate > > crypto 2>&1" > > ); > > ok($result); > > + > > +# Verify that test_netlink_route_socket_t can create a > > NETLINK_ROUTE > > socket. > > +$result = system( > > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate > > route 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_route_socket_t cannot create a > > NETLINK_ROUTE socket. > > +$result = system( > > +"runcon -t test_no_netlink_route_socket_t -- > > $basedir/netlinkcreate > > route 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_xfrm_socket_t can create a NETLINK_XFRM > > socket. > > +$result = system( > > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate > > xfrm > > 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_xfrm_socket_t cannot create a > > NETLINK_XFRM socket. > > +$result = system( > > +"runcon -t test_no_netlink_xfrm_socket_t -- $basedir/netlinkcreate > > xfrm 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_selinux_socket_t can create a > > NETLINK_SELINUX socket. > > +$result = system( > > +"runcon -t test_netlink_selinux_socket_t -- $basedir/netlinkcreate > > selinux 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_selinux_socket_t cannot create a > > NETLINK_SELINUX socket. > > +$result = system( > > +"runcon -t test_no_netlink_selinux_socket_t -- > > $basedir/netlinkcreate selinux 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_audit_socket_t can create a > > NETLINK_AUDIT > > socket. > > +$result = system( > > +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate > > audit 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_audit_socket_t cannot create a > > NETLINK_AUDIT socket. 
> > +$result = system( > > +"runcon -t test_no_netlink_audit_socket_t -- > > $basedir/netlinkcreate > > audit 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_kobject_uevent_socket_t can create a > > NETLINK_KOBJECT_UEVENT socket. > > +$result = system( > > +"runcon -t test_netlink_kobject_uevent_socket_t -- > > $basedir/netlinkcreate kobject_uevent 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot > > create > > a NETLINK_KOBJECT_UEVENT socket. > > +$result = system( > > +"runcon -t test_no_netlink_kobject_uevent_socket_t -- > > $basedir/netlinkcreate kobject_uevent 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_connector_socket_t can create a > > NETLINK_CONNECTOR socket. > > +$result = system( > > +"runcon -t test_netlink_connector_socket_t -- > > $basedir/netlinkcreate > > connector 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_connector_socket_t cannot create a > > NETLINK_CONNECTOR socket. > > +$result = system( > > +"runcon -t test_no_netlink_connector_socket_t -- > > $basedir/netlinkcreate connector 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_scsitransport_socket_t can create a > > NETLINK_SCSITRANSPORT socket. > > +$result = system( > > +"runcon -t test_netlink_scsitransport_socket_t -- > > $basedir/netlinkcreate scsitransport 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_scsitransport_socket_t cannot create > > a > > NETLINK_SCSITRANSPORT socket. > > +$result = system( > > +"runcon -t test_no_netlink_scsitransport_socket_t -- > > $basedir/netlinkcreate scsitransport 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_fib_lookup_socket_t can create a > > NETLINK_FIB_LOOKUP socket. 
> > +$result = system( > > +"runcon -t test_netlink_fib_lookup_socket_t -- > > $basedir/netlinkcreate fib_lookup 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_fib_lookup_socket_t cannot create a > > NETLINK_FIB_LOOKUP socket. > > +$result = system( > > +"runcon -t test_no_netlink_fib_lookup_socket_t -- > > $basedir/netlinkcreate fib_lookup 2>&1" > > +); > > +ok($result); > > +
On Thu, Jul 13, 2017 at 1:35 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Also, I wanted to mention that this still doesn't address testing of
> the finer-grained permissions for netlink sockets, e.g.
> nlmsg_read/write/..., as noted in the open issue:
> https://github.com/SELinuxProject/selinux-testsuite/issues/17
>
> That isn't an obstacle to taking this one, but wanted to note that we
> still want to address that at some point.

Agreed. I still think that Milos' patch is an improvement and worth
merging once the RHEL-7 questions are answered/resolved (your previous
email).

> Also, on the kernel side, we might want to consider defining those
> permissions for more of the netlink socket classes, particularly the
> newer ones, if/where it makes sense to do so. Or, alternatively, to
> implement support analogous to the ioctl whitelisting support for
> netlink messages so that we can do fine-grained restrictions there.

Yes, definitely. Long term I think doing something similar to what was
done for the individual ioctls is the best solution, but I'd be happy to
accept netlink permission mapping updates in the meantime.
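The finer-grained permissions referred to in issue #17 are checked per message rather than at socket creation, so a test for them has to actually send something. The following is an added example for this page, not code from the testsuite or from either poster: it sends an RTM_GETLINK dump request on a NETLINK_ROUTE socket and reads the reply. In a domain allowed create but not nlmsg_read on netlink_route_socket, the sendto(2) fails with EACCES, which is the result such a test would assert on. The rtnetlink_nlmsg_perm() table is my reading of the route-family entries in the kernel's security/selinux/nlmsgtab.c and covers only the link, address and route message types; treat it as an assumption to verify against the kernel you test.

```c
/*
 * rtnl_getlink_probe.c: added example, not selinux-testsuite code.
 * Sends an RTM_GETLINK dump on NETLINK_ROUTE and counts the links
 * returned. The SELinux netlink_send hook checks the per-message
 * permission on the sending socket before the request is processed,
 * so a domain without nlmsg_read on netlink_route_socket gets EACCES
 * from sendto(2), before any reply is generated.
 *
 * Assumptions: Linux uapi headers; the read/write split in
 * rtnetlink_nlmsg_perm() follows the kernel's nlmsgtab for the route
 * family as the author understands it.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

struct getlink_req {
    struct nlmsghdr nlh;
    struct rtgenmsg gen;
};

/* Permission the SELinux hook checks for a route-family message type
 * (assumed mapping for the link/addr/route types only). */
const char *rtnetlink_nlmsg_perm(int type)
{
    switch (type) {
    case RTM_GETLINK: case RTM_GETADDR: case RTM_GETROUTE:
        return "nlmsg_read";
    case RTM_NEWLINK: case RTM_DELLINK: case RTM_SETLINK:
    case RTM_NEWADDR: case RTM_DELADDR:
    case RTM_NEWROUTE: case RTM_DELROUTE:
        return "nlmsg_write";
    default:
        return NULL;   /* not covered by this example */
    }
}

/* Fill in a "dump all links" request; returns the message length. */
size_t build_getlink_request(struct getlink_req *req, unsigned int seq)
{
    memset(req, 0, sizeof *req);
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg));
    req->nlh.nlmsg_type = RTM_GETLINK;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    req->nlh.nlmsg_seq = seq;
    req->gen.rtgen_family = AF_UNSPEC;
    return req->nlh.nlmsg_len;
}

/*
 * Send the dump and count RTM_NEWLINK entries in the reply. Returns the
 * count (>= 0) or -errno; -EACCES from the send step is the denial a
 * "no nlmsg_read" test domain expects to see.
 */
int rtnl_count_links(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0)
        return -errno;

    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    struct getlink_req req;
    size_t len = build_getlink_request(&req, 1);

    if (sendto(fd, &req, len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        int err = errno;       /* EACCES here is the SELinux nlmsg_read denial */
        close(fd);
        return -err;
    }

    union { char raw[16384]; struct nlmsghdr hdr; } buf;  /* keeps nlmsghdr aligned */
    int links = 0, done = 0;
    while (!done) {
        ssize_t n = recv(fd, buf.raw, sizeof buf.raw, 0);
        if (n < 0) { int err = errno; close(fd); return -err; }
        int remaining = (int)n;
        for (struct nlmsghdr *nlh = &buf.hdr; NLMSG_OK(nlh, remaining); nlh = NLMSG_NEXT(nlh, remaining)) {
            if (nlh->nlmsg_type == NLMSG_DONE) { done = 1; break; }
            if (nlh->nlmsg_type == NLMSG_ERROR) {
                struct nlmsgerr *e = NLMSG_DATA(nlh);
                close(fd);
                return e->error;   /* already a negative errno */
            }
            if (nlh->nlmsg_type == RTM_NEWLINK)
                links++;
        }
    }
    close(fd);
    return links;
}

int main(void)
{
    int r = rtnl_count_links();
    if (r < 0) {
        fprintf(stderr, "RTM_GETLINK dump failed: %s (permission checked: %s)\n",
                strerror(-r), rtnetlink_nlmsg_perm(RTM_GETLINK));
        return 1;
    }
    printf("RTM_GETLINK dump returned %d link(s)\n", r);
    return 0;
}
```

A write-side counterpart would send RTM_NEWLINK or RTM_SETLINK and expect EACCES under a domain lacking nlmsg_write; the same builder pattern applies, only the type and the payload struct change.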
All of the netlink classes currently tested by the selinux-testsuite +
classes tested by the attached patch are supported (at the same time by
the kernel and by the policy) on RHEL-7.3.

Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not
recognize the following classes: netlink_connector_socket,
netlink_crypto_socket, netlink_fib_lookup_socket,
netlink_generic_socket, netlink_iscsi_socket, netlink_netfilter_socket,
netlink_rdma_socket, netlink_scsitransport_socket.

Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests can
be safely executed on RHEL-7.3 and higher.

You're right about splitting the netlink tests into at least 2 subsets:
RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will take a look
at the commits you provided and let you know.

Milos Malik

----- Original Message -----
> On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > This patch contains tests for classes which are already supported for a
> > long time but are not tested by the selinux-testsuite yet. These tests
> > involve classes like: netlink_route_socket, netlink_xfrm_socket,
> > netlink_selinux_socket, netlink_audit_socket,
> > netlink_kobject_uevent_socket, netlink_connector_socket,
> > netlink_scsitransport_socket, netlink_fib_lookup_socket.
>
> These look fine (aside from a whitespace issue which git am complained
> about) and ran successfully for me on Fedora, but I did have one
> question:
>
> policy/Makefile and tests/Makefile only enable the netlink_socket tests
> if the new netlink socket classes are defined by the base policy, and
> tests/Makefile further excludes them from running on RHEL7 because
> RHEL7.3 back-ported the policy change defining the new classes but not
> the kernel support. In contrast, the tests you are adding could be run
> on RHEL7 (and earlier). If we want them to be run on RHEL7 or earlier,
> then you need to split them into their own test policy and test case
> that can be separately enabled, or otherwise wrap the current ones to
> allow use on RHEL7. You can see examples in other test policies and
> scripts of such conditional inclusion of subsets of the tests/policies
> (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit
> b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
> tested on RHEL7 or earlier?

> > > > > Signed-off-by: Milos Malik <mmalik@redhat.com> > > --- > > policy/test_netlink_socket.te | 8 ++++ > > tests/netlink_socket/test | 99 > > ++++++++++++++++++++++++++++++++++++++++++- > > 2 files changed, 106 insertions(+), 1 deletion(-) > > > > diff --git a/policy/test_netlink_socket.te > > b/policy/test_netlink_socket.te > > index c852c04..aaa6e4d 100644 > > --- a/policy/test_netlink_socket.te > > +++ b/policy/test_netlink_socket.te > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket) > > netlink_socket_test(netlink_netfilter_socket) > > netlink_socket_test(netlink_generic_socket) > > netlink_socket_test(netlink_crypto_socket) > > +netlink_socket_test(netlink_route_socket) > > +netlink_socket_test(netlink_xfrm_socket) > > +netlink_socket_test(netlink_selinux_socket) > > +netlink_socket_test(netlink_audit_socket) > > +netlink_socket_test(netlink_kobject_uevent_socket) > > +netlink_socket_test(netlink_connector_socket) > > +netlink_socket_test(netlink_scsitransport_socket) > > +netlink_socket_test(netlink_fib_lookup_socket) > > > > # > > # Common rules for all netlink socket class test domains. > > diff --git a/tests/netlink_socket/test b/tests/netlink_socket/test > > index 487edbc..cc8c2d4 100755 > > --- a/tests/netlink_socket/test > > +++ b/tests/netlink_socket/test > > @@ -1,7 +1,7 @@ > > #!/usr/bin/perl > > > > use Test; > > -BEGIN { plan tests => 8 } > > +BEGIN { plan tests => 24 } > > > > $basedir = $0; > > $basedir =~ s|(.*)/[^/]*|$1|; 
> > @@ -53,3 +53,100 @@ $result = system( > > "runcon -t test_no_netlink_crypto_socket_t -- $basedir/netlinkcreate > > crypto 2>&1" > > ); > > ok($result); > > + > > +# Verify that test_netlink_route_socket_t can create a NETLINK_ROUTE > > socket. > > +$result = system( > > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate > > route 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_route_socket_t cannot create a > > NETLINK_ROUTE socket. > > +$result = system( > > +"runcon -t test_no_netlink_route_socket_t -- $basedir/netlinkcreate > > route 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_xfrm_socket_t can create a NETLINK_XFRM > > socket. > > +$result = system( > > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate xfrm > > 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_xfrm_socket_t cannot create a > > NETLINK_XFRM socket. > > +$result = system( > > +"runcon -t test_no_netlink_xfrm_socket_t -- $basedir/netlinkcreate > > xfrm 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_selinux_socket_t can create a > > NETLINK_SELINUX socket. > > +$result = system( > > +"runcon -t test_netlink_selinux_socket_t -- $basedir/netlinkcreate > > selinux 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_selinux_socket_t cannot create a > > NETLINK_SELINUX socket. > > +$result = system( > > +"runcon -t test_no_netlink_selinux_socket_t -- > > $basedir/netlinkcreate selinux 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_audit_socket_t can create a NETLINK_AUDIT > > socket. > > +$result = system( > > +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate > > audit 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_audit_socket_t cannot create a > > NETLINK_AUDIT socket. 
> > +$result = system( > > +"runcon -t test_no_netlink_audit_socket_t -- $basedir/netlinkcreate > > audit 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_kobject_uevent_socket_t can create a > > NETLINK_KOBJECT_UEVENT socket. > > +$result = system( > > +"runcon -t test_netlink_kobject_uevent_socket_t -- > > $basedir/netlinkcreate kobject_uevent 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot create > > a NETLINK_KOBJECT_UEVENT socket. > > +$result = system( > > +"runcon -t test_no_netlink_kobject_uevent_socket_t -- > > $basedir/netlinkcreate kobject_uevent 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_connector_socket_t can create a > > NETLINK_CONNECTOR socket. > > +$result = system( > > +"runcon -t test_netlink_connector_socket_t -- $basedir/netlinkcreate > > connector 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_connector_socket_t cannot create a > > NETLINK_CONNECTOR socket. > > +$result = system( > > +"runcon -t test_no_netlink_connector_socket_t -- > > $basedir/netlinkcreate connector 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_scsitransport_socket_t can create a > > NETLINK_SCSITRANSPORT socket. > > +$result = system( > > +"runcon -t test_netlink_scsitransport_socket_t -- > > $basedir/netlinkcreate scsitransport 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_scsitransport_socket_t cannot create a > > NETLINK_SCSITRANSPORT socket. > > +$result = system( > > +"runcon -t test_no_netlink_scsitransport_socket_t -- > > $basedir/netlinkcreate scsitransport 2>&1" > > +); > > +ok($result); > > + > > +# Verify that test_netlink_fib_lookup_socket_t can create a > > NETLINK_FIB_LOOKUP socket. 
> > +$result = system( > > +"runcon -t test_netlink_fib_lookup_socket_t -- > > $basedir/netlinkcreate fib_lookup 2>&1" > > +); > > +ok( $result, 0 ); > > + > > +# Verify that test_no_netlink_fib_lookup_socket_t cannot create a > > NETLINK_FIB_LOOKUP socket. > > +$result = system( > > +"runcon -t test_no_netlink_fib_lookup_socket_t -- > > $basedir/netlinkcreate fib_lookup 2>&1" > > +); > > +ok($result); > > + >
On Fri, 2017-07-14 at 03:44 -0400, Milos Malik wrote:
> All of the netlink classes currently tested by the selinux-testsuite
> + classes tested by the attached patch are supported (at the same time
> by the kernel and by the policy) on RHEL-7.3.

Are you sure? What kernel did you use? When I tried, they all failed
on 7.3, which is why I disabled them in tests/Makefile for RHEL7.

I don't know if we care about distinguishing at the granularity of
point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to
ensure that the testsuite will pass on the latest release of RHEL7.

>
> Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not
> recognize the following classes: netlink_connector_socket,
> netlink_crypto_socket, netlink_fib_lookup_socket,
> netlink_generic_socket, netlink_iscsi_socket, netlink_netfilter_socket,
> netlink_rdma_socket, netlink_scsitransport_socket.
>
> Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests can
> be safely executed on RHEL-7.3 and higher.
>
> You're right about splitting the netlink tests into at least 2 subsets:
> RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will take a look
> at the commits you provided and let you know.
>
> Milos Malik
>
> ----- Original Message -----
> > On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > > This patch contains tests for classes which are already supported
> > > for a long time but are not tested by the selinux-testsuite yet.
> > > These tests involve classes like: netlink_route_socket,
> > > netlink_xfrm_socket, netlink_selinux_socket, netlink_audit_socket,
> > > netlink_kobject_uevent_socket, netlink_connector_socket,
> > > netlink_scsitransport_socket, netlink_fib_lookup_socket.
> >
> > These look fine (aside from a whitespace issue which git am
> > complained about) and ran successfully for me on Fedora, but I did
> > have one question:
> >
> > policy/Makefile and tests/Makefile only enable the netlink_socket
> > tests if the new netlink socket classes are defined by the base
> > policy, and tests/Makefile further excludes them from running on
> > RHEL7 because RHEL7.3 back-ported the policy change defining the new
> > classes but not the kernel support. In contrast, the tests you are
> > adding could be run on RHEL7 (and earlier). If we want them to be run
> > on RHEL7 or earlier, then you need to split them into their own test
> > policy and test case that can be separately enabled, or otherwise
> > wrap the current ones to allow use on RHEL7. You can see examples in
> > other test policies and scripts of such conditional inclusion of
> > subsets of the tests/policies (e.g. commit
> > 32015aad4972321ba23611795b4f0479bf213943 or commit
> > b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
> > tested on RHEL7 or earlier?

> > > > > > > > Signed-off-by: Milos Malik <mmalik@redhat.com> > > > --- > > > policy/test_netlink_socket.te | 8 ++++ > > > tests/netlink_socket/test | 99 > > > ++++++++++++++++++++++++++++++++++++++++++- > > > 2 files changed, 106 insertions(+), 1 deletion(-) > > > > > > diff --git a/policy/test_netlink_socket.te > > > b/policy/test_netlink_socket.te > > > index c852c04..aaa6e4d 100644 > > > --- a/policy/test_netlink_socket.te > > > +++ b/policy/test_netlink_socket.te 
> > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket) > > > netlink_socket_test(netlink_netfilter_socket) > > > netlink_socket_test(netlink_generic_socket) > > > netlink_socket_test(netlink_crypto_socket) > > > +netlink_socket_test(netlink_route_socket) > > > +netlink_socket_test(netlink_xfrm_socket) > > > +netlink_socket_test(netlink_selinux_socket) > > > +netlink_socket_test(netlink_audit_socket) > > > +netlink_socket_test(netlink_kobject_uevent_socket) > > > +netlink_socket_test(netlink_connector_socket) > > > +netlink_socket_test(netlink_scsitransport_socket) > > > +netlink_socket_test(netlink_fib_lookup_socket) > > > > > > # > > > # Common rules for all netlink socket class test domains. > > > diff --git a/tests/netlink_socket/test > > > b/tests/netlink_socket/test > > > index 487edbc..cc8c2d4 100755 > > > --- a/tests/netlink_socket/test > > > +++ b/tests/netlink_socket/test > > > @@ -1,7 +1,7 @@ > > > #!/usr/bin/perl > > > > > > use Test; > > > -BEGIN { plan tests => 8 } > > > +BEGIN { plan tests => 24 } > > > > > > $basedir = $0; > > > $basedir =~ s|(.*)/[^/]*|$1|; 
> > > @@ -53,3 +53,100 @@ $result = system( > > > "runcon -t test_no_netlink_crypto_socket_t -- > > > $basedir/netlinkcreate > > > crypto 2>&1" > > > ); > > > ok($result); > > > + > > > +# Verify that test_netlink_route_socket_t can create a > > > NETLINK_ROUTE > > > socket. > > > +$result = system( > > > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate > > > route 2>&1" > > > +); > > > +ok( $result, 0 ); > > > + > > > +# Verify that test_no_netlink_route_socket_t cannot create a > > > NETLINK_ROUTE socket. > > > +$result = system( > > > +"runcon -t test_no_netlink_route_socket_t -- > > > $basedir/netlinkcreate > > > route 2>&1" > > > +); > > > +ok($result); > > > + > > > +# Verify that test_netlink_xfrm_socket_t can create a > > > NETLINK_XFRM > > > socket. > > > +$result = system( > > > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate > > > xfrm > > > 2>&1" > > > +); > > > +ok( $result, 0 ); > > > + > > > +# Verify that test_no_netlink_xfrm_socket_t cannot create a > > > NETLINK_XFRM socket. > > > +$result = system( > > > +"runcon -t test_no_netlink_xfrm_socket_t -- > > > $basedir/netlinkcreate > > > xfrm 2>&1" > > > +); > > > +ok($result); > > > + > > > +# Verify that test_netlink_selinux_socket_t can create a > > > NETLINK_SELINUX socket. > > > +$result = system( > > > +"runcon -t test_netlink_selinux_socket_t -- > > > $basedir/netlinkcreate > > > selinux 2>&1" > > > +); > > > +ok( $result, 0 ); > > > + > > > +# Verify that test_no_netlink_selinux_socket_t cannot create a > > > NETLINK_SELINUX socket. > > > +$result = system( > > > +"runcon -t test_no_netlink_selinux_socket_t -- > > > $basedir/netlinkcreate selinux 2>&1" > > > +); > > > +ok($result); > > > + > > > +# Verify that test_netlink_audit_socket_t can create a > > > NETLINK_AUDIT > > > socket. 
> > > +$result = system( > > > +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate > > > audit 2>&1" > > > +); > > > +ok( $result, 0 ); > > > + > > > +# Verify that test_no_netlink_audit_socket_t cannot create a > > > NETLINK_AUDIT socket. > > > +$result = system( > > > +"runcon -t test_no_netlink_audit_socket_t -- > > > $basedir/netlinkcreate > > > audit 2>&1" > > > +); > > > +ok($result); > > > + > > > +# Verify that test_netlink_kobject_uevent_socket_t can create a > > > NETLINK_KOBJECT_UEVENT socket. > > > +$result = system( > > > +"runcon -t test_netlink_kobject_uevent_socket_t -- > > > $basedir/netlinkcreate kobject_uevent 2>&1" > > > +); > > > +ok( $result, 0 ); > > > + > > > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot > > > create > > > a NETLINK_KOBJECT_UEVENT socket. > > > +$result = system( > > > +"runcon -t test_no_netlink_kobject_uevent_socket_t -- > > > $basedir/netlinkcreate kobject_uevent 2>&1" > > > +); > > > +ok($result); > > > + > > > +# Verify that test_netlink_connector_socket_t can create a > > > NETLINK_CONNECTOR socket. > > > +$result = system( > > > +"runcon -t test_netlink_connector_socket_t -- > > > $basedir/netlinkcreate > > > connector 2>&1" > > > +); > > > +ok( $result, 0 ); > > > + > > > +# Verify that test_no_netlink_connector_socket_t cannot create a > > > NETLINK_CONNECTOR socket. > > > +$result = system( > > > +"runcon -t test_no_netlink_connector_socket_t -- > > > $basedir/netlinkcreate connector 2>&1" > > > +); > > > +ok($result); > > > + > > > +# Verify that test_netlink_scsitransport_socket_t can create a > > > NETLINK_SCSITRANSPORT socket. > > > +$result = system( > > > +"runcon -t test_netlink_scsitransport_socket_t -- > > > $basedir/netlinkcreate scsitransport 2>&1" > > > +); > > > +ok( $result, 0 ); > > > + > > > +# Verify that test_no_netlink_scsitransport_socket_t cannot > > > create a > > > NETLINK_SCSITRANSPORT socket. 
> > > +$result = system( > > > +"runcon -t test_no_netlink_scsitransport_socket_t -- > > > $basedir/netlinkcreate scsitransport 2>&1" > > > +); > > > +ok($result); > > > + > > > +# Verify that test_netlink_fib_lookup_socket_t can create a > > > NETLINK_FIB_LOOKUP socket. > > > +$result = system( > > > +"runcon -t test_netlink_fib_lookup_socket_t -- > > > $basedir/netlinkcreate fib_lookup 2>&1" > > > +); > > > +ok( $result, 0 ); > > > + > > > +# Verify that test_no_netlink_fib_lookup_socket_t cannot create > > > a > > > NETLINK_FIB_LOOKUP socket. > > > +$result = system( > > > +"runcon -t test_no_netlink_fib_lookup_socket_t -- > > > $basedir/netlinkcreate fib_lookup 2>&1" > > > +); > > > +ok($result); > > > + > >
I'm sorry I did have a newer kernel (4.*) on my RHEL-7.3 testing machine.

The netlink tests from the selinux-testsuite fail on a freshly installed RHEL-7.3 machine (kernel = 3.10.0-514.el7.x86_64).

Milos Malik

----- Original Message -----
> On Fri, 2017-07-14 at 03:44 -0400, Milos Malik wrote:
> > All of the netlink classes currently tested by the selinux-testsuite + classes tested by the attached patch are supported (at the same time by the kernel and by the policy) on RHEL-7.3.
>
> Are you sure? What kernel did you use? When I tried, they all failed on 7.3, which is why I disabled them in tests/Makefile for RHEL7.
>
> I don't know if we care about distinguishing at the granularity of point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to ensure that the testsuite will pass on the latest release of RHEL7.
>
> > Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not recognize the following classes: netlink_connector_socket, netlink_crypto_socket, netlink_fib_lookup_socket, netlink_generic_socket, netlink_iscsi_socket, netlink_netfilter_socket, netlink_rdma_socket, netlink_scsitransport_socket.
> >
> > Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests can be safely executed on RHEL-7.3 and higher.
> >
> > You're right about splitting the netlink tests into at least 2 subsets: RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will take a look at the commits you provided and let you know.
> >
> > Milos Malik
> >
> > ----- Original Message -----
> > > On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > > > This patch contains tests for classes which are already supported for a long time but are not tested by the selinux-testsuite yet.
These > > > > tests > > > > involve classes like: netlink_route_socket, netlink_xfrm_socket, > > > > netlink_selinux_socket, netlink_audit_socket, > > > > netlink_kobject_uevent_socket, netlink_connector_socket, > > > > netlink_scsitransport_socket, netlink_fib_lookup_socket. > > > > > > These look fine (aside from a whitespace issue which git am > > > complained > > > about) and ran successfully for me on Fedora, but I did have one > > > question: > > > > > > policy/Makefile and tests/Makefile only enable the netlink_socket > > > tests > > > if the new netlink socket classes are defined by the base policy, > > > and > > > tests/Makefile further excludes them from running on RHEL7 because > > > RHEL7.3 back-ported the policy change defining the new classes but > > > not > > > the kernel support. In contrast, the tests you are adding could be > > > run > > > on RHEL7 (and earlier). If we want them to be run on RHEL7 or > > > earlier, > > > then you need to split them into their own test policy and test > > > case > > > that can be separately enabled, or otherwise wrap the current ones > > > to > > > allow use on RHEL7. You can see examples in other test policies > > > and > > > scripts of such conditional inclusion of subsets of the > > > tests/policies > > > (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit > > > b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be > > > tested on RHEL7 or earlier? > > > > > > > > > > > Signed-off-by: Milos Malik <mmalik@redhat.com> > > > > --- > > > > policy/test_netlink_socket.te | 8 ++++ > > > > tests/netlink_socket/test | 99 > > > > ++++++++++++++++++++++++++++++++++++++++++- > > > > 2 files changed, 106 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/policy/test_netlink_socket.te > > > > b/policy/test_netlink_socket.te > > > > index c852c04..aaa6e4d 100644 > > > > --- a/policy/test_netlink_socket.te > > > > +++ b/policy/test_netlink_socket.te 
> > > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket) > > > > netlink_socket_test(netlink_netfilter_socket) > > > > netlink_socket_test(netlink_generic_socket) > > > > netlink_socket_test(netlink_crypto_socket) > > > > +netlink_socket_test(netlink_route_socket) > > > > +netlink_socket_test(netlink_xfrm_socket) > > > > +netlink_socket_test(netlink_selinux_socket) > > > > +netlink_socket_test(netlink_audit_socket) > > > > +netlink_socket_test(netlink_kobject_uevent_socket) > > > > +netlink_socket_test(netlink_connector_socket) > > > > +netlink_socket_test(netlink_scsitransport_socket) > > > > +netlink_socket_test(netlink_fib_lookup_socket) > > > > > > > > # > > > > # Common rules for all netlink socket class test domains. > > > > diff --git a/tests/netlink_socket/test > > > > b/tests/netlink_socket/test > > > > index 487edbc..cc8c2d4 100755 > > > > --- a/tests/netlink_socket/test > > > > +++ b/tests/netlink_socket/test > > > > @@ -1,7 +1,7 @@ > > > > #!/usr/bin/perl > > > > > > > > use Test; > > > > -BEGIN { plan tests => 8 } > > > > +BEGIN { plan tests => 24 } > > > > > > > > $basedir = $0; > > > > $basedir =~ s|(.*)/[^/]*|$1|; 
> > > > @@ -53,3 +53,100 @@ $result = system( > > > > "runcon -t test_no_netlink_crypto_socket_t -- > > > > $basedir/netlinkcreate > > > > crypto 2>&1" > > > > ); > > > > ok($result); > > > > + > > > > +# Verify that test_netlink_route_socket_t can create a > > > > NETLINK_ROUTE > > > > socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate > > > > route 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_route_socket_t cannot create a > > > > NETLINK_ROUTE socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_route_socket_t -- > > > > $basedir/netlinkcreate > > > > route 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_xfrm_socket_t can create a > > > > NETLINK_XFRM > > > > socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate > > > > xfrm > > > > 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_xfrm_socket_t cannot create a > > > > NETLINK_XFRM socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_xfrm_socket_t -- > > > > $basedir/netlinkcreate > > > > xfrm 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_selinux_socket_t can create a > > > > NETLINK_SELINUX socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_selinux_socket_t -- > > > > $basedir/netlinkcreate > > > > selinux 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_selinux_socket_t cannot create a > > > > NETLINK_SELINUX socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_selinux_socket_t -- > > > > $basedir/netlinkcreate selinux 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_audit_socket_t can create a > > > > NETLINK_AUDIT > > > > socket. 
> > > > +$result = system( > > > > +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate > > > > audit 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_audit_socket_t cannot create a > > > > NETLINK_AUDIT socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_audit_socket_t -- > > > > $basedir/netlinkcreate > > > > audit 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_kobject_uevent_socket_t can create a > > > > NETLINK_KOBJECT_UEVENT socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_kobject_uevent_socket_t -- > > > > $basedir/netlinkcreate kobject_uevent 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot > > > > create > > > > a NETLINK_KOBJECT_UEVENT socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_kobject_uevent_socket_t -- > > > > $basedir/netlinkcreate kobject_uevent 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_connector_socket_t can create a > > > > NETLINK_CONNECTOR socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_connector_socket_t -- > > > > $basedir/netlinkcreate > > > > connector 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_connector_socket_t cannot create a > > > > NETLINK_CONNECTOR socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_connector_socket_t -- > > > > $basedir/netlinkcreate connector 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_scsitransport_socket_t can create a > > > > NETLINK_SCSITRANSPORT socket. 
> > > > +$result = system( > > > > +"runcon -t test_netlink_scsitransport_socket_t -- > > > > $basedir/netlinkcreate scsitransport 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_scsitransport_socket_t cannot > > > > create a > > > > NETLINK_SCSITRANSPORT socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_scsitransport_socket_t -- > > > > $basedir/netlinkcreate scsitransport 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > +# Verify that test_netlink_fib_lookup_socket_t can create a > > > > NETLINK_FIB_LOOKUP socket. > > > > +$result = system( > > > > +"runcon -t test_netlink_fib_lookup_socket_t -- > > > > $basedir/netlinkcreate fib_lookup 2>&1" > > > > +); > > > > +ok( $result, 0 ); > > > > + > > > > +# Verify that test_no_netlink_fib_lookup_socket_t cannot create > > > > a > > > > NETLINK_FIB_LOOKUP socket. > > > > +$result = system( > > > > +"runcon -t test_no_netlink_fib_lookup_socket_t -- > > > > $basedir/netlinkcreate fib_lookup 2>&1" > > > > +); > > > > +ok($result); > > > > + > > > > >
On Fri, 2017-07-14 at 12:09 -0400, Milos Malik wrote:
> I'm sorry I did have a newer kernel (4.*) on my RHEL-7.3 testing machine.
>
> The netlink tests from the selinux-testsuite fail on a freshly installed RHEL-7.3 machine (kernel = 3.10.0-514.el7.x86_64).

Ok, so we are seeing consistent results. I think however that the tests you are adding would work on RHEL7 (and earlier), unlike the existing ones, because those classes have been defined for a long time.

>
> Milos Malik
>
> ----- Original Message -----
> > On Fri, 2017-07-14 at 03:44 -0400, Milos Malik wrote:
> > > All of the netlink classes currently tested by the selinux-testsuite + classes tested by the attached patch are supported (at the same time by the kernel and by the policy) on RHEL-7.3.
> >
> > Are you sure? What kernel did you use? When I tried, they all failed on 7.3, which is why I disabled them in tests/Makefile for RHEL7.
> >
> > I don't know if we care about distinguishing at the granularity of point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to ensure that the testsuite will pass on the latest release of RHEL7.
> >
> > > Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not recognize the following classes: netlink_connector_socket, netlink_crypto_socket, netlink_fib_lookup_socket, netlink_generic_socket, netlink_iscsi_socket, netlink_netfilter_socket, netlink_rdma_socket, netlink_scsitransport_socket.
> > >
> > > Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests can be safely executed on RHEL-7.3 and higher.
> > >
> > > You're right about splitting the netlink tests into at least 2 subsets: RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will take a look at the commits you provided and let you know.
> > >
> > > Milos Malik
> > >
> > > ----- Original Message -----
> > > > On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > > > > This patch contains tests for classes which are already supported for a long time but are not tested by the selinux-testsuite yet. These tests involve classes like: netlink_route_socket, netlink_xfrm_socket, netlink_selinux_socket, netlink_audit_socket, netlink_kobject_uevent_socket, netlink_connector_socket, netlink_scsitransport_socket, netlink_fib_lookup_socket.
> > > >
> > > > These look fine (aside from a whitespace issue which git am complained about) and ran successfully for me on Fedora, but I did have one question:
> > > >
> > > > policy/Makefile and tests/Makefile only enable the netlink_socket tests if the new netlink socket classes are defined by the base policy, and tests/Makefile further excludes them from running on RHEL7 because RHEL7.3 back-ported the policy change defining the new classes but not the kernel support. In contrast, the tests you are adding could be run on RHEL7 (and earlier). If we want them to be run on RHEL7 or earlier, then you need to split them into their own test policy and test case that can be separately enabled, or otherwise wrap the current ones to allow use on RHEL7. You can see examples in other test policies and scripts of such conditional inclusion of subsets of the tests/policies (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be tested on RHEL7 or earlier?
> > > >
> > > > > > > > > > Signed-off-by: Milos Malik <mmalik@redhat.com> > > > > > --- > > > > > policy/test_netlink_socket.te | 8 ++++ > > > > > tests/netlink_socket/test | 99 > > > > > ++++++++++++++++++++++++++++++++++++++++++- > > > > > 2 files changed, 106 insertions(+), 1 deletion(-) > > > > > > > > > > diff --git a/policy/test_netlink_socket.te > > > > > b/policy/test_netlink_socket.te > > > > > index c852c04..aaa6e4d 100644 > > > > > --- a/policy/test_netlink_socket.te > > > > > +++ b/policy/test_netlink_socket.te > > > > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket) > > > > > netlink_socket_test(netlink_netfilter_socket) > > > > > netlink_socket_test(netlink_generic_socket) > > > > > netlink_socket_test(netlink_crypto_socket) > > > > > +netlink_socket_test(netlink_route_socket) > > > > > +netlink_socket_test(netlink_xfrm_socket) > > > > > +netlink_socket_test(netlink_selinux_socket) > > > > > +netlink_socket_test(netlink_audit_socket) > > > > > +netlink_socket_test(netlink_kobject_uevent_socket) > > > > > +netlink_socket_test(netlink_connector_socket) > > > > > +netlink_socket_test(netlink_scsitransport_socket) > > > > > +netlink_socket_test(netlink_fib_lookup_socket) > > > > > > > > > > # > > > > > # Common rules for all netlink socket class test domains. > > > > > diff --git a/tests/netlink_socket/test > > > > > b/tests/netlink_socket/test > > > > > index 487edbc..cc8c2d4 100755 > > > > > --- a/tests/netlink_socket/test > > > > > +++ b/tests/netlink_socket/test > > > > > @@ -1,7 +1,7 @@ > > > > > #!/usr/bin/perl > > > > > > > > > > use Test; > > > > > -BEGIN { plan tests => 8 } > > > > > +BEGIN { plan tests => 24 } > > > > > > > > > > $basedir = $0; > > > > > $basedir =~ s|(.*)/[^/]*|$1|; 
> > > > > @@ -53,3 +53,100 @@ $result = system( > > > > > "runcon -t test_no_netlink_crypto_socket_t -- > > > > > $basedir/netlinkcreate > > > > > crypto 2>&1" > > > > > ); > > > > > ok($result); > > > > > + > > > > > +# Verify that test_netlink_route_socket_t can create a > > > > > NETLINK_ROUTE > > > > > socket. > > > > > +$result = system( > > > > > +"runcon -t test_netlink_route_socket_t -- > > > > > $basedir/netlinkcreate > > > > > route 2>&1" > > > > > +); > > > > > +ok( $result, 0 ); > > > > > + > > > > > +# Verify that test_no_netlink_route_socket_t cannot create a > > > > > NETLINK_ROUTE socket. > > > > > +$result = system( > > > > > +"runcon -t test_no_netlink_route_socket_t -- > > > > > $basedir/netlinkcreate > > > > > route 2>&1" > > > > > +); > > > > > +ok($result); > > > > > + > > > > > +# Verify that test_netlink_xfrm_socket_t can create a > > > > > NETLINK_XFRM > > > > > socket. > > > > > +$result = system( > > > > > +"runcon -t test_netlink_xfrm_socket_t -- > > > > > $basedir/netlinkcreate > > > > > xfrm > > > > > 2>&1" > > > > > +); > > > > > +ok( $result, 0 ); > > > > > + > > > > > +# Verify that test_no_netlink_xfrm_socket_t cannot create a > > > > > NETLINK_XFRM socket. > > > > > +$result = system( > > > > > +"runcon -t test_no_netlink_xfrm_socket_t -- > > > > > $basedir/netlinkcreate > > > > > xfrm 2>&1" > > > > > +); > > > > > +ok($result); > > > > > + > > > > > +# Verify that test_netlink_selinux_socket_t can create a > > > > > NETLINK_SELINUX socket. > > > > > +$result = system( > > > > > +"runcon -t test_netlink_selinux_socket_t -- > > > > > $basedir/netlinkcreate > > > > > selinux 2>&1" > > > > > +); > > > > > +ok( $result, 0 ); > > > > > + > > > > > +# Verify that test_no_netlink_selinux_socket_t cannot create > > > > > a > > > > > NETLINK_SELINUX socket. 
> > > > > +$result = system( > > > > > +"runcon -t test_no_netlink_selinux_socket_t -- > > > > > $basedir/netlinkcreate selinux 2>&1" > > > > > +); > > > > > +ok($result); > > > > > + > > > > > +# Verify that test_netlink_audit_socket_t can create a > > > > > NETLINK_AUDIT > > > > > socket. > > > > > +$result = system( > > > > > +"runcon -t test_netlink_audit_socket_t -- > > > > > $basedir/netlinkcreate > > > > > audit 2>&1" > > > > > +); > > > > > +ok( $result, 0 ); > > > > > + > > > > > +# Verify that test_no_netlink_audit_socket_t cannot create a > > > > > NETLINK_AUDIT socket. > > > > > +$result = system( > > > > > +"runcon -t test_no_netlink_audit_socket_t -- > > > > > $basedir/netlinkcreate > > > > > audit 2>&1" > > > > > +); > > > > > +ok($result); > > > > > + > > > > > +# Verify that test_netlink_kobject_uevent_socket_t can > > > > > create a > > > > > NETLINK_KOBJECT_UEVENT socket. > > > > > +$result = system( > > > > > +"runcon -t test_netlink_kobject_uevent_socket_t -- > > > > > $basedir/netlinkcreate kobject_uevent 2>&1" > > > > > +); > > > > > +ok( $result, 0 ); > > > > > + > > > > > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot > > > > > create > > > > > a NETLINK_KOBJECT_UEVENT socket. > > > > > +$result = system( > > > > > +"runcon -t test_no_netlink_kobject_uevent_socket_t -- > > > > > $basedir/netlinkcreate kobject_uevent 2>&1" > > > > > +); > > > > > +ok($result); > > > > > + > > > > > +# Verify that test_netlink_connector_socket_t can create a > > > > > NETLINK_CONNECTOR socket. > > > > > +$result = system( > > > > > +"runcon -t test_netlink_connector_socket_t -- > > > > > $basedir/netlinkcreate > > > > > connector 2>&1" > > > > > +); > > > > > +ok( $result, 0 ); > > > > > + > > > > > +# Verify that test_no_netlink_connector_socket_t cannot > > > > > create a > > > > > NETLINK_CONNECTOR socket. 
> > > > > +$result = system( > > > > > +"runcon -t test_no_netlink_connector_socket_t -- > > > > > $basedir/netlinkcreate connector 2>&1" > > > > > +); > > > > > +ok($result); > > > > > + > > > > > +# Verify that test_netlink_scsitransport_socket_t can create > > > > > a > > > > > NETLINK_SCSITRANSPORT socket. > > > > > +$result = system( > > > > > +"runcon -t test_netlink_scsitransport_socket_t -- > > > > > $basedir/netlinkcreate scsitransport 2>&1" > > > > > +); > > > > > +ok( $result, 0 ); > > > > > + > > > > > +# Verify that test_no_netlink_scsitransport_socket_t cannot > > > > > create a > > > > > NETLINK_SCSITRANSPORT socket. > > > > > +$result = system( > > > > > +"runcon -t test_no_netlink_scsitransport_socket_t -- > > > > > $basedir/netlinkcreate scsitransport 2>&1" > > > > > +); > > > > > +ok($result); > > > > > + > > > > > +# Verify that test_netlink_fib_lookup_socket_t can create a > > > > > NETLINK_FIB_LOOKUP socket. > > > > > +$result = system( > > > > > +"runcon -t test_netlink_fib_lookup_socket_t -- > > > > > $basedir/netlinkcreate fib_lookup 2>&1" > > > > > +); > > > > > +ok( $result, 0 ); > > > > > + > > > > > +# Verify that test_no_netlink_fib_lookup_socket_t cannot > > > > > create > > > > > a > > > > > NETLINK_FIB_LOOKUP socket. > > > > > +$result = system( > > > > > +"runcon -t test_no_netlink_fib_lookup_socket_t -- > > > > > $basedir/netlinkcreate fib_lookup 2>&1" > > > > > +); > > > > > +ok($result); > > > > > + > > > > > >
On Fri, Jul 14, 2017 at 10:53 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> I don't know if we care about distinguishing at the granularity of point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to ensure that the testsuite will pass on the latest release of RHEL7.

I think this is the right way to go about it the way the tests currently work. At some point we will probably want to provide some better infrastructure for specifying different minor releases or kernel revisions, but right now sticking with the latest minor release seems reasonable.
diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te index c852c04..aaa6e4d 100644 --- a/policy/test_netlink_socket.te +++ b/policy/test_netlink_socket.te @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket) netlink_socket_test(netlink_netfilter_socket) netlink_socket_test(netlink_generic_socket) netlink_socket_test(netlink_crypto_socket) +netlink_socket_test(netlink_route_socket) +netlink_socket_test(netlink_xfrm_socket) +netlink_socket_test(netlink_selinux_socket) +netlink_socket_test(netlink_audit_socket) +netlink_socket_test(netlink_kobject_uevent_socket) +netlink_socket_test(netlink_connector_socket) +netlink_socket_test(netlink_scsitransport_socket) +netlink_socket_test(netlink_fib_lookup_socket) # # Common rules for all netlink socket class test domains. diff --git a/tests/netlink_socket/test b/tests/netlink_socket/test index 487edbc..cc8c2d4 100755 --- a/tests/netlink_socket/test +++ b/tests/netlink_socket/test @@ -1,7 +1,7 @@ #!/usr/bin/perl use Test; -BEGIN { plan tests => 8 } +BEGIN { plan tests => 24 } $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; 
@@ -53,3 +53,100 @@ $result = system( "runcon -t test_no_netlink_crypto_socket_t -- $basedir/netlinkcreate crypto 2>&1" ); ok($result); + +# Verify that test_netlink_route_socket_t can create a NETLINK_ROUTE socket. +$result = system( +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate route 2>&1" +); +ok( $result, 0 ); + +# Verify that test_no_netlink_route_socket_t cannot create a NETLINK_ROUTE socket. +$result = system( +"runcon -t test_no_netlink_route_socket_t -- $basedir/netlinkcreate route 2>&1" +); +ok($result); + +# Verify that test_netlink_xfrm_socket_t can create a NETLINK_XFRM socket. +$result = system( +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate xfrm 2>&1" +); +ok( $result, 0 ); + +# Verify that test_no_netlink_xfrm_socket_t cannot create a NETLINK_XFRM socket. +$result = system( +"runcon -t test_no_netlink_xfrm_socket_t -- $basedir/netlinkcreate xfrm 2>&1" +); +ok($result); + +# Verify that test_netlink_selinux_socket_t can create a NETLINK_SELINUX socket. +$result = system( +"runcon -t test_netlink_selinux_socket_t -- $basedir/netlinkcreate selinux 2>&1" +); +ok( $result, 0 ); + +# Verify that test_no_netlink_selinux_socket_t cannot create a NETLINK_SELINUX socket. +$result = system( +"runcon -t test_no_netlink_selinux_socket_t -- $basedir/netlinkcreate selinux 2>&1" +); +ok($result); + +# Verify that test_netlink_audit_socket_t can create a NETLINK_AUDIT socket. +$result = system( +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate audit 2>&1" +); +ok( $result, 0 ); + +# Verify that test_no_netlink_audit_socket_t cannot create a NETLINK_AUDIT socket. +$result = system( +"runcon -t test_no_netlink_audit_socket_t -- $basedir/netlinkcreate audit 2>&1" +); +ok($result); + +# Verify that test_netlink_kobject_uevent_socket_t can create a NETLINK_KOBJECT_UEVENT socket. 
+$result = system( +"runcon -t test_netlink_kobject_uevent_socket_t -- $basedir/netlinkcreate kobject_uevent 2>&1" +); +ok( $result, 0 ); + +# Verify that test_no_netlink_kobject_uevent_socket_t cannot create a NETLINK_KOBJECT_UEVENT socket. +$result = system( +"runcon -t test_no_netlink_kobject_uevent_socket_t -- $basedir/netlinkcreate kobject_uevent 2>&1" +); +ok($result); + +# Verify that test_netlink_connector_socket_t can create a NETLINK_CONNECTOR socket. +$result = system( +"runcon -t test_netlink_connector_socket_t -- $basedir/netlinkcreate connector 2>&1" +); +ok( $result, 0 ); + +# Verify that test_no_netlink_connector_socket_t cannot create a NETLINK_CONNECTOR socket. +$result = system( +"runcon -t test_no_netlink_connector_socket_t -- $basedir/netlinkcreate connector 2>&1" +); +ok($result); + +# Verify that test_netlink_scsitransport_socket_t can create a NETLINK_SCSITRANSPORT socket. +$result = system( +"runcon -t test_netlink_scsitransport_socket_t -- $basedir/netlinkcreate scsitransport 2>&1" +); +ok( $result, 0 ); + +# Verify that test_no_netlink_scsitransport_socket_t cannot create a NETLINK_SCSITRANSPORT socket. +$result = system( +"runcon -t test_no_netlink_scsitransport_socket_t -- $basedir/netlinkcreate scsitransport 2>&1" +); +ok($result); + +# Verify that test_netlink_fib_lookup_socket_t can create a NETLINK_FIB_LOOKUP socket. +$result = system( +"runcon -t test_netlink_fib_lookup_socket_t -- $basedir/netlinkcreate fib_lookup 2>&1" +); +ok( $result, 0 ); + +# Verify that test_no_netlink_fib_lookup_socket_t cannot create a NETLINK_FIB_LOOKUP socket. +$result = system( +"runcon -t test_no_netlink_fib_lookup_socket_t -- $basedir/netlinkcreate fib_lookup 2>&1" +); +ok($result); +
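Review bot: The eight netlink_socket_test() calls added to policy/test_netlink_socket.te (the first hunk) cover classes that, as the thread notes, have been defined in policy and supported by the kernel for a long time, but this .te file is only built when policy/Makefile sees the newer netlink classes in the base policy, so the new domains inherit that gate and are never exercised on RHEL7 or earlier where they would otherwise pass. Consider placing these eight calls in their own test policy that is enabled independently of the newer-class check, along the lines of the conditional inclusion the thread points to, so the old classes are tested wherever they exist.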
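Review bot: The plan change to 24 in the second hunk (`+BEGIN { plan tests => 24 }`) is consistent with the hunk below it, which adds 16 ok() calls (eight classes, one allow check and one deny check each) to the existing 8; note that if the new checks are later split into a conditionally run subset as discussed in the thread, this hard-coded total has to move with them or the script will report a plan mismatch.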
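Review bot: Every negative check in the third hunk uses the bare form `+ok($result);`, which passes for any non-zero value returned by system(), including a shell "command not found" status when runcon or $basedir/netlinkcreate is missing, so a broken test environment is indistinguishable from a correct SELinux denial; this mirrors the existing netlink_crypto check in the context lines, so it is a pre-existing pattern rather than something this patch introduces, but the denial tests would be more meaningful if they asserted the specific non-zero status the helper returns on EACCES. Separately, the hunk ends with a bare `+` that adds a trailing blank line to tests/netlink_socket/test, which is the sort of thing git am's whitespace check flags and matches the whitespace complaint mentioned in the thread; drop that final added line.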
This patch contains tests for classes which are already supported for a long time but are not tested by the selinux-testsuite yet. These tests involve classes like: netlink_route_socket, netlink_xfrm_socket, netlink_selinux_socket, netlink_audit_socket, netlink_kobject_uevent_socket, netlink_connector_socket, netlink_scsitransport_socket, netlink_fib_lookup_socket. Signed-off-by: Milos Malik <mmalik@redhat.com> --- policy/test_netlink_socket.te | 8 ++++ tests/netlink_socket/test | 99 ++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 106 insertions(+), 1 deletion(-)