From patchwork Tue Jul 25 15:59:27 2017
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 9862459
X-EEMSG-Attachment-filename: 0001-libsepol-Define-nnp_nosuid_transition-policy-capabil.patch, refpolicy-nnptransition.patch
Message-ID: <1500998367.22271.11.camel@tycho.nsa.gov>
From: Stephen Smalley
To: selinux@tycho.nsa.gov
Date: Tue, 25 Jul 2017 11:59:27 -0400
In-Reply-To: <20170725155542.32496-1-sds@tycho.nsa.gov>
References: <20170725155542.32496-1-sds@tycho.nsa.gov>
Organization: National Security Agency
Subject: Re: [PATCH] selinux-testsuite: Add tests for transitions under NNP/nosuid
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

On Tue, 2017-07-25 at 11:55 -0400, Stephen Smalley wrote:
> Duplicate the existing tests for transitions under NNP for
> transitions on a nosuid mount, and then augment both the NNP
> and nosuid tests to also test the new support for allowing
> transitions based on nnp_transition and/or nosuid_transition
> permission if the nnp_nosuid_transition policy capability is
> enabled.

NB: To actually exercise the new tests for nnp/nosuid_transition, you need to rebuild your libsepol and policy with the attached patches (relative to upstream libsepol and Fedora selinux-policy SRPM, respectively), and you need to be running a kernel with the corresponding kernel patch. However, this patch can be applied now without causing breakage; the tests that depend on the kernel patch will be automatically skipped with kernels and/or policies that do not support nnp_nosuid_transition.
> > Signed-off-by: Stephen Smalley > --- >  policy/Makefile           |  6 ++- >  policy/test_nnp.te        | 17 +++++++++ >  policy/test_nosuid.te     | 51 ++++++++++++++++++++++++++ >  tests/Makefile            |  2 +- >  tests/nnp/test            | 40 +++++++++++++++++++- >  tests/nosuid/Makefile     |  7 ++++ >  tests/nosuid/checkcon.c   | 41 +++++++++++++++++++++ >  tests/nosuid/execnosuid.c | 55 ++++++++++++++++++++++++++++ >  tests/nosuid/test         | 93 > +++++++++++++++++++++++++++++++++++++++++++++++ >  9 files changed, 309 insertions(+), 3 deletions(-) >  create mode 100644 policy/test_nosuid.te >  create mode 100644 tests/nosuid/Makefile >  create mode 100644 tests/nosuid/checkcon.c >  create mode 100644 tests/nosuid/execnosuid.c >  create mode 100755 tests/nosuid/test > > diff --git a/policy/Makefile b/policy/Makefile > index b728a9e..7cdee96 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -23,7 +23,7 @@ TARGETS = \ >   test_task_getsid.te test_task_setpgid.te > test_task_setsched.te \ >   test_transition.te test_inet_socket.te test_unix_socket.te \ >   test_mmap.te test_overlayfs.te test_mqueue.te > test_mac_admin.te \ > - test_ibpkey.te test_atsecure.te > + test_ibpkey.te test_atsecure.te test_nosuid.te >   >  ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true) >  TARGETS += test_bounds.te > @@ -57,6 +57,10 @@ ifeq ($(shell grep -q all_file_perms.*map > $(POLDEV)/include/support/all_perms.sp >  export M4PARAM = -Dmap_permission_defined >  endif >   > +ifeq ($(shell grep -q nnp_transition > $(POLDEV)/include/support/all_perms.spt && echo true),true) > +export M4PARAM += -Dnnp_transition_permission_defined > +endif > + >  ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6)) >  TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS)) >  endif > diff --git a/policy/test_nnp.te b/policy/test_nnp.te > index 54ebfd3..b99e406 100644 > --- a/policy/test_nnp.te > +++ b/policy/test_nnp.te 
> @@ -32,3 +32,20 @@ domain_entry_file(test_nnp_notbounded_t, > test_nnp_notbounded_exec_t) >  # Run it!  This should fail always. >  unconfined_runs_test(test_nnp_notbounded_t) >  unconfined_run_to(test_nnp_notbounded_t, test_nnp_notbounded_exec_t) > + > +# A domain to which the unconfined domain is allowed nnp_transition. > +type test_nnp_nnptransition_t; > +domain_type(test_nnp_nnptransition_t) > +typeattribute test_nnp_nnptransition_t testdomain; > + > +# The entrypoint type for this domain. > +type test_nnp_nnptransition_exec_t; > +files_type(test_nnp_nnptransition_exec_t) > +domain_entry_file(test_nnp_nnptransition_t, > test_nnp_nnptransition_exec_t) > + > +# Run it!  This should succeed on v4.14 or later. > +unconfined_runs_test(test_nnp_nnptransition_t) > +unconfined_run_to(test_nnp_nnptransition_t, > test_nnp_nnptransition_exec_t) > +ifdef(`nnp_transition_permission_defined', ` > +allow unconfined_t test_nnp_nnptransition_t:process nnp_transition; > +') > diff --git a/policy/test_nosuid.te b/policy/test_nosuid.te > new file mode 100644 > index 0000000..0d3d2ab > --- /dev/null > +++ b/policy/test_nosuid.te 
> @@ -0,0 +1,51 @@ > +################################# > +# > +# Policy for testing nosuid transitions. > +# > + > +# A domain bounded by the unconfined domain. > +type test_nosuid_bounded_t; > +domain_type(test_nosuid_bounded_t) > +typeattribute test_nosuid_bounded_t testdomain; > +typebounds unconfined_t test_nosuid_bounded_t; > + > +# The entrypoint type for this domain. > +type test_nosuid_bounded_exec_t; > +files_type(test_nosuid_bounded_exec_t) > +domain_entry_file(test_nosuid_bounded_t, test_nosuid_bounded_exec_t) > +domain_entry_file(unconfined_t, test_nosuid_bounded_exec_t) > + > +# Run it!  This should succeed on v3.18 or later, fail on older > kernels. > +unconfined_runs_test(test_nosuid_bounded_t) > +unconfined_run_to(test_nosuid_bounded_t, test_nosuid_bounded_exec_t) > + > +# A domain that is not bounded by the unconfined domain. > +type test_nosuid_notbounded_t; > +domain_type(test_nosuid_notbounded_t) > +typeattribute test_nosuid_notbounded_t testdomain; > + > +# The entrypoint type for this domain. > +type test_nosuid_notbounded_exec_t; > +files_type(test_nosuid_notbounded_exec_t) > +domain_entry_file(test_nosuid_notbounded_t, > test_nosuid_notbounded_exec_t) > + > +# Run it!  This should fail always. > +unconfined_runs_test(test_nosuid_notbounded_t) > +unconfined_run_to(test_nosuid_notbounded_t, > test_nosuid_notbounded_exec_t) > + > +# A domain to which the unconfined domain is allowed > nosuid_transition. > +type test_nosuid_nosuidtransition_t; > +domain_type(test_nosuid_nosuidtransition_t) > +typeattribute test_nosuid_nosuidtransition_t testdomain; > + > +# The entrypoint type for this domain. > +type test_nosuid_nosuidtransition_exec_t; > +files_type(test_nosuid_nosuidtransition_exec_t) > +domain_entry_file(test_nosuid_nosuidtransition_t, > test_nosuid_nosuidtransition_exec_t) > + > +# Run it!  This should succeed on v4.14 or later. 
> +unconfined_runs_test(test_nosuid_nosuidtransition_t) > +unconfined_run_to(test_nosuid_nosuidtransition_t, > test_nosuid_nosuidtransition_exec_t) > +ifdef(`nnp_transition_permission_defined', ` > +allow unconfined_t test_nosuid_nosuidtransition_t:process2 > nosuid_transition; > +') > diff --git a/tests/Makefile b/tests/Makefile > index f42fe7e..3edf73c 100644 > --- a/tests/Makefile > +++ b/tests/Makefile > @@ -11,7 +11,7 @@ SUBDIRS:= domain_trans entrypoint execshare > exectrace execute_no_trans \ >   task_getpgid task_setpgid file ioctl capable_file > capable_net \ >   capable_sys dyntrans dyntrace bounds nnp mmap unix_socket > inet_socket \ >   overlay checkreqprot mqueue mac_admin infiniband_pkey \ > - infiniband_endport atsecure > + infiniband_endport atsecure nosuid >   >  ifeq ($(shell grep -q cap_userns > $(POLDEV)/include/support/all_perms.spt && echo true),true) >  ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1) > diff --git a/tests/nnp/test b/tests/nnp/test > index 4c7e010..6dcb5dc 100755 > --- a/tests/nnp/test > +++ b/tests/nnp/test > @@ -1,7 +1,23 @@ >  #!/usr/bin/perl >   >  use Test; > -BEGIN { plan tests => 4 } > + > +BEGIN { > +    $test_count          = 4; > +    $test_nnp_transition = 0; > + > +    if ( > +        system( > +"grep -q 1 /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition > 2> /dev/null" > +        ) == 0 > +      ) > +    { > +        $test_nnp_transition = 1; > +        $test_count += 2; > +    } > + > +    plan tests => $test_count; > +} >   >  $basedir = $0; >  $basedir =~ s|(.*)/[^/]*|$1|; 
> @@ -38,6 +54,28 @@ $result = >    system("$basedir/execnnp $basedir/checkcon test_nnp_notbounded_t > 2>&1"); >  ok($result);         #this should fail >   > +if ($test_nnp_transition) { > + > +    # Set entrypoint type for nnptransition domain. > +    system( > +        "chcon -t test_nnp_nnptransition_exec_t $basedir/checkcon > $basedir/true" > +    ); > + > +    # Transition to nnptransition domain via setexec. > +    $result = > +      system( > +        "$basedir/execnnp runcon -t test_nnp_nnptransition_t > $basedir/true 2>&1" > +      ); > +    ok( $result, 0 );    #this should succeed > + > +    # Automatic transition to nnptransition domain via exec. > +    $result = > +      system( > +        "$basedir/execnnp $basedir/checkcon test_nnp_nnptransition_t > 2>&1"); > +    ok( $result, 0 );    #this should succeed > + > +} > + >  # Cleanup. >  system("rm -f $basedir/true"); >   > diff --git a/tests/nosuid/Makefile b/tests/nosuid/Makefile > new file mode 100644 > index 0000000..239e0f0 > --- /dev/null > +++ b/tests/nosuid/Makefile > @@ -0,0 +1,7 @@ > +TARGETS=execnosuid checkcon > + > +LDLIBS += -lselinux > + > +all: $(TARGETS) > +clean: > + rm -f $(TARGETS) > diff --git a/tests/nosuid/checkcon.c b/tests/nosuid/checkcon.c > new file mode 100644 > index 0000000..d8a1e15 > --- /dev/null > +++ b/tests/nosuid/checkcon.c > @@ -0,0 +1,41 @@ > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +int main(int argc, char **argv) > +{ > + char *con = NULL; > + context_t c; > + const char *type; > + int rc; > + > + if (argc != 2) { > + fprintf(stderr, "usage:  %s expected-type\n", > argv[0]); > + exit(-1); > + } > + > + if (getcon(&con) < 0) { > + perror("getcon"); > + exit(-1); > + } > + > + c = context_new(con); > + if (!c) { > + perror("context_new"); > + exit(-1); > + } > + > + type = context_type_get(c); > + if (!type) { > + perror("context_type_get"); > + exit(-1); > + > + } > + > + rc = strcmp(type, argv[1]); > + exit(rc); > +} 
> diff --git a/tests/nosuid/execnosuid.c b/tests/nosuid/execnosuid.c > new file mode 100644 > index 0000000..4324937 > --- /dev/null > +++ b/tests/nosuid/execnosuid.c > @@ -0,0 +1,55 @@ > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +int main(int argc, char **argv) > +{ > + bool nobounded; > + struct utsname uts; > + pid_t pid; > + int rc, status; > + > + if (argc < 2) { > + fprintf(stderr, "usage:  %s command [args...]\n", > argv[0]); > + exit(-1); > + } > + > + if (uname(&uts) < 0) { > + perror("uname"); > + exit(-1); > + } > + > + nobounded = ((strcmp(argv[argc - 1], > "test_nosuid_bounded_t") == 0) && > +      (strverscmp(uts.release, "3.18") < 0)); > + > + pid = fork(); > + if (pid < 0) { > + perror("fork"); > + exit(-1); > + } > + > + if (pid == 0) { > + execvp(argv[1], &argv[1]); > + perror(argv[1]); > + exit(-1); > + } > + > + pid = wait(&status); > + if (WIFEXITED(status)) { > + if (WEXITSTATUS(status) && nobounded) { > + printf("%s:  Kernels < v3.18 do not support > bounded transitions under NNP.\n", > +        argv[0]); > + /* pass the test */ > + exit(0); > + } > + exit(WEXITSTATUS(status)); > + } > + > + fprintf(stderr, "Unexpected exit status 0x%x\n", status); > + exit(-1); > +} > diff --git a/tests/nosuid/test b/tests/nosuid/test > new file mode 100755 > index 0000000..cd46109 > --- /dev/null > +++ b/tests/nosuid/test 
> @@ -0,0 +1,93 @@ > +#!/usr/bin/perl > + > +use Test; > + > +BEGIN { > +    $test_count             = 4; > +    $test_nosuid_transition = 0; > + > +    if ( > +        system( > +"grep -q 1 /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition > 2> /dev/null" > +        ) == 0 > +      ) > +    { > +        $test_nosuid_transition = 1; > +        $test_count += 2; > +    } > + > +    plan tests => $test_count; > +} > + > +$basedir = $0; > +$basedir =~ s|(.*)/[^/]*|$1|; > + > +# Create nosuid mount. > +system("mkdir -p $basedir/testdir"); > +system("mount -t tmpfs -o nosuid none $basedir/testdir"); > + > +# Set entrypoint type for bounded domain. > +system("cp $basedir/checkcon $basedir/testdir"); > +system("chcon -t test_nosuid_bounded_exec_t > $basedir/testdir/checkcon"); > + > +# Transition to bounded type via setexec. > +$result = system( > +"$basedir/execnosuid runcon -t test_nosuid_bounded_t > $basedir/testdir/checkcon test_nosuid_bounded_t 2>&1" > +); > +ok( $result, 0 );    #this should pass > + > +# Automatic transition to bounded domain via exec. > +$result = system( > +    "$basedir/execnosuid $basedir/testdir/checkcon > test_nosuid_bounded_t 2>&1"); > +ok( $result, 0 );    #this should pass > + > +# Use true as an entrypoint program to test ability to exec at all. > +system("cp /bin/true $basedir/testdir/true"); > + > +# Set entrypoint type for notbounded domain. > +system( > +"chcon -t test_nosuid_notbounded_exec_t $basedir/testdir/checkcon > $basedir/testdir/true" > +); > + > +# Transition to notbounded domain via setexec. > +$result = > +  system( > +"$basedir/execnosuid runcon -t test_nosuid_notbounded_t > $basedir/testdir/true 2>&1" > +  ); > +ok($result);    #this should fail > + > +# Automatic transition to notbounded domain via exec. 
> +$result = > +  system( > +"$basedir/execnosuid $basedir/testdir/checkcon > test_nosuid_notbounded_t 2>&1" > +  ); > +ok($result);    #this should fail > + > +if ($test_nosuid_transition) { > + > +    # Set entrypoint type for nosuid domain. > +    system( > +"chcon -t test_nosuid_nosuidtransition_exec_t > $basedir/testdir/checkcon $basedir/testdir/true" > +    ); > + > +    # Transition to nosuid domain via setexec. > +    $result = > +      system( > +"$basedir/execnosuid runcon -t test_nosuid_nosuidtransition_t > $basedir/testdir/true 2>&1" > +      ); > +    ok( $result, 0 );    #this should succeed > + > +    # Automatic transition to nosuid domain via exec. > +    $result = > +      system( > +"$basedir/execnosuid $basedir/testdir/checkcon > test_nosuid_nosuidtransition_t 2>&1" > +      ); > +    ok( $result, 0 );    #this should succeed > + > +} > + > +# Cleanup. > +system("umount $basedir/testdir"); > +system("rmdir $basedir/testdir"); > + > +exit; diff -ru serefpolicy-3.13.1.nnp/policy/flask/access_vectors serefpolicy-3.13.1/policy/flask/access_vectors --- serefpolicy-3.13.1.nnp/policy/flask/access_vectors 2017-07-25 09:40:45.333144170 -0400 +++ serefpolicy-3.13.1/policy/flask/access_vectors 2017-07-25 09:42:56.889364716 -0400 @@ -386,8 +386,13 @@ setkeycreate setsockcreate getrlimit + nnp_transition } +class process2 +{ + nosuid_transition +} # # Define the access vector interpretation for ipc-related objects diff -ru serefpolicy-3.13.1.nnp/policy/flask/security_classes serefpolicy-3.13.1/policy/flask/security_classes --- serefpolicy-3.13.1.nnp/policy/flask/security_classes 2017-07-25 09:40:45.330144158 -0400 +++ serefpolicy-3.13.1/policy/flask/security_classes 2017-07-25 09:44:38.386109990 -0400 
@@ -110,6 +110,9 @@ # Capabilities >= 32 class capability2 +# Process permissions >= 32 +class process2 + # More SE-X Windows stuff class x_resource # userspace class x_event # userspace diff -ru serefpolicy-3.13.1.nnp/policy/modules/kernel/domain.te serefpolicy-3.13.1/policy/modules/kernel/domain.te --- serefpolicy-3.13.1.nnp/policy/modules/kernel/domain.te 2017-07-25 09:40:45.280143958 -0400 +++ serefpolicy-3.13.1/policy/modules/kernel/domain.te 2017-07-25 09:42:27.086845103 -0400 @@ -49,7 +49,7 @@ attribute named_filetrans_domain; # Transitions only allowed from domains to other domains -neverallow domain ~domain:process { transition dyntransition }; +neverallow domain ~domain:process { transition nnp_transition dyntransition }; # Domains that are unconfined attribute unconfined_domain_type; @@ -238,7 +238,7 @@ allow unconfined_domain_type unconfined_domain_type:dbus send_msg; # Act upon any other process. -allow unconfined_domain_type domain:process ~{ ptrace transition dyntransition execmem execstack execheap }; +allow unconfined_domain_type domain:process ~{ ptrace transition nnp_transition dyntransition execmem execstack execheap }; tunable_policy(`deny_ptrace',`',` allow unconfined_domain_type domain:process ptrace; ') diff -ru serefpolicy-3.13.1.nnp/policy/modules/kernel/kernel.te serefpolicy-3.13.1/policy/modules/kernel/kernel.te --- serefpolicy-3.13.1.nnp/policy/modules/kernel/kernel.te 2017-07-25 09:40:45.287143986 -0400 +++ serefpolicy-3.13.1/policy/modules/kernel/kernel.te 2017-07-25 09:42:27.087844917 -0400 
@@ -507,7 +507,7 @@ allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; -allow kern_unconfined unlabeled_t:process ~{ ptrace transition dyntransition execmem execstack execheap }; +allow kern_unconfined unlabeled_t:process ~{ ptrace transition nnp_transition dyntransition execmem execstack execheap }; gen_require(` bool secure_mode_insmod; diff -ru serefpolicy-3.13.1.nnp/policy/policy_capabilities serefpolicy-3.13.1/policy/policy_capabilities --- serefpolicy-3.13.1.nnp/policy/policy_capabilities 2017-07-25 09:40:45.330144158 -0400 +++ serefpolicy-3.13.1/policy/policy_capabilities 2017-07-25 09:42:27.087844917 -0400 @@ -72,3 +72,5 @@ # qipcrtr_socket # policycap extended_socket_class; + +policycap nnp_nosuid_transition;
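Review bot: in the policy/Makefile hunk, the new check only greps all_perms.spt for nnp_transition, yet the resulting -Dnnp_transition_permission_defined macro also guards the `allow unconfined_t test_nosuid_nosuidtransition_t:process2 nosuid_transition;` rule in policy/test_nosuid.te. A policy that defines process nnp_transition without class process2 (or the reverse) would fail to build or silently drop the nosuid rule; a second grep for nosuid_transition feeding a separate -Dnosuid_transition_permission_defined macro for the process2 rule would keep the two tests independent.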
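Review bot: in the tests/nosuid/checkcon.c hunk, this file is a copy of the existing tests/nnp/checkcon (the test script already copies the binary into the tmpfs, so it could copy the nnp build instead of compiling a second one); if a separate copy is kept, drop the stray blank line before the closing brace of the `if (!type)` block.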
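Review bot: in the tests/nosuid/execnosuid.c hunk, the pass-through message `Kernels < v3.18 do not support bounded transitions under NNP.` was carried over from the NNP helper and should refer to nosuid mounts, otherwise the reason printed for a skipped bounded test is misleading. The return value of `pid = wait(&status);` is also unchecked; if wait() fails, status is uninitialized when WIFEXITED() reads it, so test for pid < 0 and perror/exit as is done for fork().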
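Review bot: in the tests/nosuid/test hunk, the results of `mkdir -p $basedir/testdir` and `mount -t tmpfs -o nosuid none $basedir/testdir` are ignored. If the mount fails (tmpfs unavailable, or the suite not run as root), the remaining checks run against an ordinary directory and any failure is attributed to the wrong cause; check the system() return and bail out before the first ok(). Since cleanup only runs at the end of the script, an interrupted run also leaves the tmpfs mounted for the next invocation; an unconditional `umount` before the mount, or an END block, would make reruns robust.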
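Review bot: in the refpolicy domain.te hunk, nnp_transition is added to `neverallow domain ~domain:process { transition nnp_transition dyntransition };`, but the access_vectors hunk also introduces `class process2 { nosuid_transition }` and nothing constrains it, so a module could grant nosuid_transition to a non-domain type without tripping the neverallow; add `neverallow domain ~domain:process2 nosuid_transition;` next to it so both new transition permissions are covered by the same invariant.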