From patchwork Tue May  9 19:11:10 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stephen Smalley <sds@tycho.nsa.gov>
X-Patchwork-Id: 9718871
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	8806560236 for <patchwork-selinux@patchwork.kernel.org>;
	Tue,  9 May 2017 19:07:11 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7A970204C2
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue,  9 May 2017 19:07:11 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 6DCA928174; Tue,  9 May 2017 19:07:11 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_NONE
	autolearn=ham version=3.3.1
Received: from emsm-gh1-uea10.nsa.gov (emsm-gh1-uea10.nsa.gov [8.44.101.8])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 48E68204C2
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue,  9 May 2017 19:07:09 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.38,315,1491264000"; d="scan'208";a="6816380"
IronPort-PHdr: =?us-ascii?q?9a23=3AdtpvEhPDeQ9gc8Xvvvkl6mtUPXoX/o7sNwtQ0KIM?=
	=?us-ascii?q?zox0LPzyosbcNUDSrc9gkEXOFd2CrakV1KyO6uu5ATNIyK3CmUhKSIZLWR4BhJ?=
	=?us-ascii?q?detC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+?=
	=?us-ascii?q?KPjrFY7OlcS30P2594HObwlSijewZbF/IA+qoQnMucUanJduJ6QswRbVv3VEfP?=
	=?us-ascii?q?hby3l1LlyJhRb84cmw/J9n8ytOvv8q6tBNX6bncakmVLJUFDspPXw7683trhnD?=
	=?us-ascii?q?UBCA5mAAXWUMkxpHGBbK4RfnVZrsqCT6t+592C6HPc3qSL0/RDqv47t3RBLulS?=
	=?us-ascii?q?wIOSQ58GXKgcJuiqxVrg+qqxhmz4LKfI2ZMfxzdb7fc9wHX2pMRsZfWTJcDI2y?=
	=?us-ascii?q?bIUBCPIBMORFo4TzuVQOtgCzCRWwCO711jNFnGP60bE83u88EQ/GxgsgH9cWvX?=
	=?us-ascii?q?rJsNX6Kr8SUeCrw6nO0D7NcvZW1i356IjMbB8goeyHULVrccXM0kkiDB/Fj1WM?=
	=?us-ascii?q?pozlODOZzOINs3OB4OZ6WuKvjHAnphh3rzOyxckskpHEip8ax13L7yl0wJs5Kc?=
	=?us-ascii?q?emREN0f9KoCoZcuieHPIVsWMwiWXtnuCMix70Dvp60YTYFxYw8xx7ad/yHa4+I?=
	=?us-ascii?q?4g//VOqJITd3mnZleLWnihau60eg0Oz8VtSv0FpQsipEksXDtnAK1xDJ7MiIVu?=
	=?us-ascii?q?B98Vu71TaK1gDT7vlIIUEylaXFN54s2qM8m5UcvEjZHiL6hV/6gLGZe0k64OSk?=
	=?us-ascii?q?9vzrYrD8qZ+dM490hBv+MqMrmsGnGuQ3LAwOX2md+eSh27zv5Fb2QLJXjv0wjq?=
	=?us-ascii?q?bWrovaKN8Hpq+5HwBV0oEj5wy5Dze9ytsUh3YHLFVbeB6flYjmJ0nOIOzkDfe4?=
	=?us-ascii?q?m1mskjBrx/bcMb39ApXCNH7DnazjfbZ67U5czRA8zctD551KELEBO+j/WkjrtN?=
	=?us-ascii?q?zXFhU5KRC7w/77CNVh0YMTQWCPAq2DP6zOsl+I/eUvI++NZI8Lozv9Jfwl5+Ph?=
	=?us-ascii?q?jHAihF8de7Wp3YYNZHC/BPRmLF2TYWDwjdcZDWcKog0+QfTkiV2DVT5TYmi9X7?=
	=?us-ascii?q?gn6zE1Fo2pEIDDRpq3j7yZxie7GZ9WaX5aBVCQC3vocJ+EW/gUYiKIPsBhiiAE?=
	=?us-ascii?q?VaSmS4I5yB6hqAr6y71hLurI5yEVrozj28Zv5+3SlBAy8jp0A96b026TU2F+hn?=
	=?us-ascii?q?kISCMu3KBjvUx9zU+O3rVkg/NCD9xe/O9GUgA/NZHA1eN6EMzyVhjHftiXVFas?=
	=?us-ascii?q?Ws+mDi0pTtIt398OZF5wGtWjjxDE2SqnGLoVl7iSCJw19KLQxX7xKNxny3bF1a?=
	=?us-ascii?q?khkUcpTtFJNWK4mq517xLTCJLRk0WFi6aqcrwR0zXW+2uEyWqOvVpYUBJrUanf?=
	=?us-ascii?q?RnAQeFfZoc7i5kzcS7+uCLInMhZOyMOZNqRLasfpjUhdRPv5NtXReX6xm3y3BR?=
	=?us-ascii?q?aO3L+Ma5Dqe2oF1iXHFEcEixwT/WqBNQUmGCihu3jRDCZvFVL0eE7s6fNxqGm6?=
	=?us-ascii?q?Tk8v1wGKa1du2Kar9RIPgvycUfwT1KoeuCg9szV0AEq939XOBtqOvQpuZqNcbs?=
	=?us-ascii?q?884Fdczm/ZshR9Pp25I6B5iF8eaB57v0T01xV4Eo9Ai9QlrGs2zApuLqKVyFBB?=
	=?us-ascii?q?eCmb3ZD3J73aMWry8wqsa67Rx1HSytGW+r0A6P4gsVXsoBmpFlY+83Vgy9RayW?=
	=?us-ascii?q?aT5o/LDAUMS5L8SVw4+AR/p73AZSk9/YzU32V2Maaoqj/Cx84pBOw9xxa7cddf?=
	=?us-ascii?q?KqSEFBTuE8ABHMiuLusqmlasbh0eOuBe7qg0MN26d/Gewq6kIP5gnC66jWRA+I?=
	=?us-ascii?q?183FiD9y5gSuHWxZYF2OqV3hWZWDfml1ihr8X3lZpDZTEIEWq10TLkC5JJZq1u?=
	=?us-ascii?q?YYYLDn+jI9Gqydpjhp7iQXpY+UW/CFMB3c+mZQCdb0fh3QFK00QYv2CnkzOizz?=
	=?us-ascii?q?NoizEpsraf3CvWzuTkdRoHPmpLS3d5jVr3O4e7kcoaXE+yYwgujhul6l7wx7JH?=
	=?us-ascii?q?q6RnM2nTXUBIcjDoL2FjTqSwqr2CY9RV5Jw0sSVXV+K8YV+BR775ohsa1TnsH3?=
	=?us-ascii?q?FZxDwhcDGqoJr5lQRgiG2BNHZzsGbZecZoyBfb5dzcXuJR0iMdRCZmjTnXB168?=
	=?us-ascii?q?P8Sm/NiPjJfDquG+V2SgVpJPainn14WAuzWn5WdyGx2wg+izmsH7EQg9ySL7zd?=
	=?us-ascii?q?5qVSHMrBnieInky6O6MOx8c0lzGV/z99F6Fpt5kosqi5EawWIaiYmN/XobjWfz?=
	=?us-ascii?q?Ns1W2brkY3oQQT4H2cTa7BL+101kKnKJ24X5VnOGz8tke9W6ZGQW1T4n48BMFq?=
	=?us-ascii?q?iU8KROnTFprVqgsQLRff99ky8eyfQw7n4amPoEuAkzwSWbGbASG1dXPTD2mxSP?=
	=?us-ascii?q?9dC+o71dZHyzfrioyEp+gdehAamcogFaRXn0YYkiHSlt4cV/Kl7M1mP86p38ct?=
	=?us-ascii?q?nKcd0TrgGUkwvHj+VNMJI+jOcKhS58NG3hvH0l1+46gQVg3Z6guoiLMWJt/Li2?=
	=?us-ascii?q?AhRALD36e9sT+i3xjaZZhsuWxZ2gEYh6FzUEWZvpQuikEDQMuvT7LwyOCiEzqm?=
	=?us-ascii?q?+HGbrDGg+S8F9moGjSE5CvKX6XPGMWzdN+RBaDPkxSmx0UXC4kkZ4jDQCm3tfh?=
	=?us-ascii?q?cEBk5jAL+lH3tBVMyuVyNxnwTGjTvgGoZSkoSJKHNhpZ8hlC51vJMcyZ9u9zET?=
	=?us-ascii?q?tX/pu9rAyKL2yWfApIAn8UVUyDHVDsJKGu5cPH8+iaGOWxM+fOba+JqexEWPeC?=
	=?us-ascii?q?3Yiv3Zd+/zaQKsWPOWFvD/gh1UpHWXB2BdjZmykVRCMNjC/NadCUpAun+iJrtM?=
	=?us-ascii?q?+/6OrkVBjp5YSRF7tYKc9v9AyugaefK+6Qgz50KSxC2pIC33PIzaIQ3FoViyBu?=
	=?us-ascii?q?bDSiC6gPtSvXQKLXgK9XAAYRazlvO8tQ86I8wg5NNNbVitPvyLF3k+U1BE1DVV?=
	=?us-ascii?q?z9ncGpftcHLHuhO1PCHkqLM66GJTLTycHtfay8UaFQjPlTtxCovzabCVXsPiyb?=
	=?us-ascii?q?lzTyWRCvMPtMjDqHPBxQuYG9dAxiCW7/Q9LncBK7NMV7jToswb07nnnKL3ITMS?=
	=?us-ascii?q?Bgc0NRqb2d9TtYjetkFGNf6HplLPWEmyGC4unZNJkZr+VkDj5zl+JA73Qw06FV?=
	=?us-ascii?q?4z1cRPxphCvSqcZjrEy9kuaR0DVnXwBOpSxVhI+QpkVtI6bZ9oRaWXne5h4N6X?=
	=?us-ascii?q?iQCxIQqNt/E9Hvp6dQytvPlaL0MjtC9czb/dcEDcjONM2HKGYhMQbuGDPMFwsK?=
	=?us-ascii?q?VyCrOnvQh0NDi/Gf7WaVoYIkqpf2l5oBVKRbWEYzFvwEFkRvBMYCL4tvXjM4jb?=
	=?us-ascii?q?6bi9YF6mG/rBneQ8VauIvKWe+MDvr0KTaWl79EawEPwbPiIoQZLpf71FB6allm?=
	=?us-ascii?q?gITKHFLdUspCoiJ7cA87vl5A8H9mTmIt3ULlbxmi4H4XFfGvmR43hRFyYeM39D?=
	=?us-ascii?q?fj+103PEbFpDMskEktntXomSyRcDn0LKuqR4FWDCv1uFY3MpzgWQZ1ahO9nU9/?=
	=?us-ascii?q?OTjYQLJRiqdvenpwiA/Ao5dPH+BTTbFcah8K2f6Xf+ko0Uhbqii/xk9G5e/FBo?=
	=?us-ascii?q?V5mQsvdp6soXxA1Bx/bN4pJazQI69JwUZKiqKIoCCoyvg7wBUCKEYV7GOSZCkI?=
	=?us-ascii?q?tVQONrY4PSWo+vdh6Q+FmztYZGgDTfwqoulp9kM8IeiAyTzv06JbIECrK+OfN7?=
	=?us-ascii?q?+Zu3THlcOQWFM/yFgImFdf8rhszcgjc1GZWFsuzLuLChsJMsTCKRlPb8VM9Hnf?=
	=?us-ascii?q?ZyCOvvvRwZhtJYWyCvjoTfOStKYTmk+rAQEpH4IK7sscAJas1EDYINz9I7Eb0x?=
	=?us-ascii?q?Ut4x7nJFKfDPRGYBiLiisIo9mjzJ9r2olQPiwSDn9jMSW2+7nXvRQnj+CZXNcs?=
	=?us-ascii?q?ZXcbUJAEOWwqV82ngS5ZvmhADTmt3uIf1geC8yf2pj7MAznkc9pjePCUaAtoCN?=
	=?us-ascii?q?Gx4zUw7a62iF/Q8pjFKGH6M8litsXI6eMAqJaNE+lUQqVls0fAh4lYQGSnU3XR?=
	=?us-ascii?q?Ht6xJpjwbZQsbNPvB3mmVVy/ji46QN3qPNaxNKSIhx/nRZpMuomBwD8jLdO9Fi?=
	=?us-ascii?q?0ZGxpopOED/qJ9ahcFY5onYR7lrAs+N6unIAiEyNmuRXiiKSdORflF0eq6f6BX?=
	=?us-ascii?q?zzYrbuKi1HsgT5Q6z+6r8U4NRJAHlQzRxfejZoZESif/AHpddBvTpSAhjWhuKv?=
	=?us-ascii?q?4ywvsjwBPPqVQTKTSLdO11Z2Nap948AFOTIXNxCmo+XVCRlpHM4g+20LAU5idd?=
	=?us-ascii?q?kctU3fdDsHfgop/VeCisV7CzqZXJryogasArrLZvPozlOcaJro7RniLBQ5nKqQ?=
	=?us-ascii?q?2KSjS6FvpAlthXOiJYT+FCmXs5NswepYpB9U0xW98xJ7xSCaksorSqZiRhDSMJ?=
	=?us-ascii?q?0CAWSZiP3D0Yjee6wbfakQ2QcJs6OhwerJpCmscdUzJxYi4Gvq+jUYTWmHOESm?=
	=?us-ascii?q?gMJAcT9hxC6hsdmIFqYu3r55HFQ4NLyz5Tv/17SDDLFoVy+1v9VG6WnUDySO+9?=
	=?us-ascii?q?nOyxwQJS0PXs38EBWBFlE0hdwP1Zm1A0KLFtMaYQoJDFsjuJdUP8s2LtzOqmJF?=
	=?us-ascii?q?ZRyc3IeV33FpDFtW/mXi0a53IUWZdFyGvDGpQKjwp5dKErqU1CIYy8Zkn+5z0k?=
	=?us-ascii?q?x4FoH7aiVsCm3FclomgYSCi0CdZBDPtmsF3PUj1/f5+rsInlO4lVQmJI4pKdsU?=
	=?us-ascii?q?pZkEN3Py660pdcKsBN4j8QXDdUuzmdusW9SNFb089sE5AMOst/u2v6GK5cOZiR?=
	=?us-ascii?q?pWE2taLrynDH/jAzrku6xC+zGqKjSOJZ53MRGgMsJ2uEq0kvC/Aj8mDd81zXtV?=
	=?us-ascii?q?B05ehbDKCVjUptuDZ9AoxOBjFR2HCqNVR8Vn9Gs/lBJaTUdMxdTf8yZQOvOxMg?=
	=?us-ascii?q?FP4m2VCJ8l9unXvjZSx9qBda8TjHXwYoTSkVnqvtmToGp8G7Pj8aTolFbSk9Yy?=
	=?us-ascii?q?fAMA2XgyZXswhDa0tyQZAWHs5F+60H3YtT5sfCSVyjKTsfUxxmKw01yudQmlBb?=
	=?us-ascii?q?sEWAZy/dCRSndezVvh1wZ8eRo9ajLO7l8wdfloPnrOc4+r0BR32hhwKgWs3RoJ?=
	=?us-ascii?q?HnttKUrEuOaLn3PPCmbX/HUjfMkQi6ha04AJnS4yjTLA1bJoFhxnoqfZftFWzG?=
	=?us-ascii?q?MQlIKq8AO0VbUqV6ZslcreBBe89oYqAJ9rFxBhifXBPgBJSvrOVaLlbUXTneNT?=
	=?us-ascii?q?uO/fG/oY3J8bzQUuzgZsuSx3nZXa54IpB65iTlFLvw149R5Fb20O939kxmUVjG?=
	=?us-ascii?q?LzyBrNP5KwMT/8mialHtsYA1HT7NG5dwl2ftxltceMUJRS2q7I4Yx4ld6HrqTu?=
	=?us-ascii?q?J4yEfzuvVI97Z48Yk3/6xpycCsKKfOM/RVr1FoDQWPCwV38pUtHHJ/SHpPYu8Q?=
	=?us-ascii?q?L/fReboWjdz0p+DwDawX5wWf+/ZFZtvfO0HBhs6/BymeSRNehgcBriUaLg+G2P?=
	=?us-ascii?q?6bgKJ0TNulpezl2kIs/1e+LwQJzLZ25Yue/aqIvuDXZQPLzbcYQqjqWt/zrrM0?=
	=?us-ascii?q?tkOQ//IkkrAOenZyYwK6DucQTdIdyX3mzaAxyiIgCcXDEKz8+PRbTXI2girgm4?=
	=?us-ascii?q?xhH1URAv4UG76L8J9fnmc+nuzVLNwWcqZMmmaVDxGkCaMCyWS26ySLPGllnwvO?=
	=?us-ascii?q?3A/qTWO09l/2ojdyQTHQwNf7jkpVSr63CF9UXyqoJUB4tzePMxDztNbtuKQ160?=
	=?us-ascii?q?Y2Mnf/tN+WkWusN7xWE9f4JNyGLik+vEgXg4EpRtyzxYAbHsKwL8sL/3F6cPTe?=
	=?us-ascii?q?8H+rki9Go6pcnIrR/sCV9evRHXm8jq2Vsa+BxDZGxXgkpVs/8MyvNunS592WRP?=
	=?us-ascii?q?Slz2IRTzx6uwbBRBO1pKLUoE0TOUyRykjLgJYKPtZb3XYmyk7m+PIvQNUp9AVR?=
	=?us-ascii?q?DozAfe8NpSjvODvoxlaSe9A3Viib0zZMG1L6D1l5F7Ym2GLxusLJmm3c+1s2SY?=
	=?us-ascii?q?lsb0bnnwB4D50kKUIx71ga2isDEAkXZh+BEL6lHl/lIpUYVUcddRuLxr+6er04?=
	=?us-ascii?q?3Udr2LOg+PfTbfBgB6oKLvtSlQ+OnENVG50Ms60eQa58e0dH+67KogjvEJToX/?=
	=?us-ascii?q?/7mnUuL/K1X9pa8ccDt3Q4+Aq/QACg6Zhb5bYBlJ+IbrJEYYTLvM1k90do/yIP?=
	=?us-ascii?q?eTBNgBlxiBO5S+McqPn44tfFtJqo6+CuVLsiRugM7xg7HXh+gIfwgFEtptHXze?=
	=?us-ascii?q?RcRpfWiYvh6gBNJWCFuILA3xl7M+oOJJqhfKx8+HUfOygeO3UOMMKKa/km/SBt?=
	=?us-ascii?q?NC/c51pcDc4XeNwYPcXNmQFIikLzQ7Fc7NDbGkKCB4d1ac8o83L9yCop/pskTu?=
	=?us-ascii?q?bg9Di2KIjQ715XJfNMkjlslNLZqegRwPrSFDYY4XmDZBho2SOO0Z+NBOjs/e+U?=
	=?us-ascii?q?0tHbS0sGHjIqU4daPDeC9hKoRuyplJXuVQOY7dTzj4w6dEKRQHyxgasEv71IEe?=
	=?us-ascii?q?FekCX63iJRGprzh/2Lr9qm8HFXuUFfEIZv8R3FH71SMYl5ORviisamXVRzBiz7?=
	=?us-ascii?q?eMHQdxohpvCWxvsS7OpiN0vyf4gbIggLy7ji83paUhNuSKLqvlaeRe8RYdxmSP?=
	=?us-ascii?q?XYrnBa941tMKoPPFmHq5zssDhItF43AAgzaL8ztTxWbE/OkxNJW6zsor4PlhMc?=
	=?us-ascii?q?UcJluU9LAW+wN34x5yHcVahMkaefB/ob8jSVTqwTXERlKSx+Qxav15VoZbSlh/?=
	=?us-ascii?q?dHsnlJnilluvglzyRmRAeguS3rv68N2zUg+LG+tDkbpXNFTuGekzrVBlRCzfQK?=
	=?us-ascii?q?i7wcC3Xj6VGnfnkDbZXy76NjJcv99Ikt+XI/bgs/fyceR+SvFznwj7+UAoyIqN?=
	=?us-ascii?q?9chQCNt9/IbbKoKSgSK6kyyRPkR3hmyATemwxo8GQTSDW68NAkPJm9Odoixiew?=
	=?us-ascii?q?G2jUalgM4q1NsMbqu18EVu02Zk19wGl51MiIWDENTtTVG2kplggkdXlEcJVb5B?=
	=?us-ascii?q?8VE6kohTiJsbdC/gEQezrUCYOl+o/RncjUw3U9S8llxn7OrK2fmpwqyGFlm89z?=
	=?us-ascii?q?7iOWunQSd+zZU9drAnj314df1fLxau6osuAGVItm0qquXOUFMsm59mu8wI9qVV?=
	=?us-ascii?q?O9xrQCA1q5N/cOxqvaUyegUmCYReWLfHSPnzknNk7+/x+oIUMraM1StU8yLvPC?=
	=?us-ascii?q?hoJAlw3mSb50QySQpVzYzGwkKu4adRg5uISgewwMUuERYfKQJe4wz/0iEFEMdW?=
	=?us-ascii?q?PGHTNqC++qtl6ghJN0NGtm4UXmeunt6QTmMNyOGhkYD47VsIN+9ea9RmKbNn9q?=
	=?us-ascii?q?1AdyM1Vs9+fDC1QxsfdRc46WndjUndt7y+AEd/BpMS0zodMTn4Vj6Y6P0MiUbR?=
	=?us-ascii?q?7R1JHyJcrOoviZBf3fwF4memZAUroWeQn1/Zk1PsYlW73PGrtUpRocCrY+QJwg?=
	=?us-ascii?q?L2f+6rp5LQJycg7UYbS7nNPqpuaVaZdOoH/W9F0wJj/GuxIf0vy0URB7b5eyin?=
	=?us-ascii?q?T8OJAwXDNBoMFzBRZ9GYtPGt8ArxC5DJKOn6G7kdCx8Vtgu+AWqarwFuzK1NOh?=
	=?us-ascii?q?0oV2W5hV+1eGPC7VBKZxmURlkuWyjevc0pnrF8ztZ8kIVO5lTW7ZcrXGBJmwKi?=
	=?us-ascii?q?qSOsLgfE5L67qc0LN/UhWMayH1Rq6GtCy/NPV4+kU20Y14c/DVzDwq9b3b38Hy?=
	=?us-ascii?q?Z25DrCe5sXGJLIdf7EDNBeHGRBJbV/6F8GdjHa0KYor48+gAMcAiwNeC+Ql88i?=
	=?us-ascii?q?xC39GeLqiisEDMwER7eozfLETyxiY5VpMGIBOlMUsjmWXZsGjSAWxALsi4Lslg?=
	=?us-ascii?q?mNOVAQbx6ElxmGEtYGlBF3H2RdeQP2gUxca+ZAyM9AJWANcPhem3eVQ3tqeqU+?=
	=?us-ascii?q?lnJo1Fmfm2tLUAidtpKTvARMtdPy7LN7J2IzxRDvnPpFgvfx4EvLg1WpsvaZiI?=
	=?us-ascii?q?PkwHLF+KyTnuwgvazU30a9us2b6GICkM6XpH1bPF3iZIpwSip/aZhtfsUKvYbJ?=
	=?us-ascii?q?HrRvLSNjQqVi2CTzQoDUmp4Uuku+YDvPeAI2cfp1cUYjiICA4SvaBitt7QAXXW?=
	=?us-ascii?q?meJ9fZ0GnveaWzr/SCdgjqo9Gj5LtVyQQ/oEDQTWdHHhgG9AtwGjJfJB5mzlYK?=
	=?us-ascii?q?OCxqpUWu0WBY1MfuefQ9TGZfANbwsvwy0QJeKUZ9TBq/M81VXSQC0SFKyb2keZ?=
	=?us-ascii?q?SRutXvGExz/tFb4QtowwtztgrsnchQdrAq/IOPCZvDfo/Ymm2nXL8dbCX3UgNh?=
	=?us-ascii?q?RmyNkJB3OMlVwacGw=3D?=
X-IPAS-Result: =?us-ascii?q?A2HxAQCZEhJZ/wHyM5BdGgEBAQECAQEBAQgBAQEBFQEBAQE?=
	=?us-ascii?q?CAQEBAQgBAQEBgwEpgW6OdI8wAQEBAQEBBpkgKIpyVwEBAQEBAQEBAgECaCiCM?=
	=?us-ascii?q?yKCSAJEMgMDCQIXMQgDAWwFiAOCDA21IiYCgxeHYoYZkAsFngWTDA2CBIkVDIZ?=
	=?us-ascii?q?EAoh9i0NYgQomCQIeCB8PhHaCX1qIdAEBAQ?=
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea10.nsa.gov with ESMTP; 09 May 2017 19:07:07 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v49J6vfI000714;
	Tue, 9 May 2017 15:07:00 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	v49J6tsr149290 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Tue, 9 May 2017 15:06:55 -0400
Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto
	[192.168.25.131])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id
	v49J6sCA000679; Tue, 9 May 2017 15:06:54 -0400
From: Stephen Smalley <sds@tycho.nsa.gov>
To: paul@paul-moore.com
Subject: [PATCH] selinux-testsuite: update mmap tests for map permission
Date: Tue,  9 May 2017 15:11:10 -0400
Message-Id: <20170509191110.21116-1-sds@tycho.nsa.gov>
X-Mailer: git-send-email 2.9.3
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Cc: Stephen Smalley <sds@tycho.nsa.gov>, selinux@tycho.nsa.gov
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

If the map permission is defined, allow it in the mmap test policy
for the existing mmap test domains, and introduce a new domain and test
for testing that it is enforced.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 policy/Makefile       |  4 ++++
 policy/test_global.te |  4 ++++
 policy/test_mmap.te   | 20 ++++++++++++++++++++
 tests/mmap/test       | 11 +++++++++++
 4 files changed, 39 insertions(+)

diff --git a/policy/Makefile b/policy/Makefile
index 661f27a..14b215b 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -42,6 +42,10 @@ ifeq ($(shell grep -q getrlimit $(POLDEV)/include/support/all_perms.spt && echo
 TARGETS += test_prlimit.te
 endif
 
+ifeq ($(shell grep -q all_file_perms.*map $(POLDEV)/include/support/all_perms.spt && echo true),true)
+export M4PARAM = -Dmap_permission_defined
+endif
+
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te, $(TARGETS))
 endif
diff --git a/policy/test_global.te b/policy/test_global.te
index 9114abf..b77e025 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -95,3 +95,7 @@ ifdef(`distro_redhat', `
         auth_read_passwd(testdomain)
     ')
 ')
+
+define(`allow_map',
+ifdef(`map_permission_defined', `allow $1 $2:$3 map;')
+)
diff --git a/policy/test_mmap.te b/policy/test_mmap.te
index 3b92853..1d20f30 100644
--- a/policy/test_mmap.te
+++ b/policy/test_mmap.te
@@ -29,8 +29,10 @@ typeattribute test_execmem_t mmaptestdomain;
 allow test_execmem_t self:process execmem;
 # For mprotect_file_private test.
 allow test_execmem_t test_mmap_file_t:file { open read execute };
+allow_map(test_execmem_t, test_mmap_file_t, file)
 # For mmap_hugetlb_anon_shared test.
 allow test_execmem_t hugetlbfs_t:file { read write execute };
+allow_map(test_execmem_t, hugetlbfs_t, file)
 # For shmat test.
 allow test_execmem_t self:shm create_shm_perms;
 # For shmat test on old kernels.
@@ -43,8 +45,10 @@ typeattribute test_no_execmem_t testdomain;
 typeattribute test_no_execmem_t mmaptestdomain;
 # For mprotect_file_private test.
 allow test_no_execmem_t test_mmap_file_t:file { open read };
+allow_map(test_no_execmem_t, test_mmap_file_t, file)
 # For mmap_hugetlb_anon_shared test.
 allow test_no_execmem_t hugetlbfs_t:file { read write };
+allow_map(test_no_execmem_t, hugetlbfs_t, file)
 # For shmat test.
 allow test_no_execmem_t self:shm create_shm_perms;
 # For shmat test on old kernels: no execmem check, only tmpfs write+execute.
@@ -67,6 +71,7 @@ gen_require(`
 # We allow both permissions here so that the test passes regardless.
 allow test_mprotect_anon_shared_t tmpfs_t:file { read execute };
 allow test_mprotect_anon_shared_t hugetlbfs_t:file { read write execute };
+allow_map(test_mprotect_anon_shared_t, hugetlbfs_t, file)
 allow test_mprotect_anon_shared_t self:process execmem;
 
 type test_no_mprotect_anon_shared_t;
@@ -76,6 +81,7 @@ typeattribute test_no_mprotect_anon_shared_t testdomain;
 typeattribute test_no_mprotect_anon_shared_t mmaptestdomain;
 allow test_no_mprotect_anon_shared_t tmpfs_t:file read;
 allow test_no_mprotect_anon_shared_t hugetlbfs_t:file { read write };
+allow_map(test_no_mprotect_anon_shared_t, hugetlbfs_t, file)
 
 type test_mmap_dev_zero_t;
 domain_type(test_mmap_dev_zero_t)
@@ -118,6 +124,15 @@ unconfined_runs_test(test_file_rwx_t)
 typeattribute test_file_rwx_t testdomain;
 typeattribute test_file_rwx_t mmaptestdomain;
 allow test_file_rwx_t test_mmap_file_t:file { open read write execute };
+allow_map(test_file_rwx_t, test_mmap_file_t, file)
+
+# Same as test_file_rwx_t but intentionally omitting map permission.
+type test_no_map_t;
+domain_type(test_no_map_t)
+unconfined_runs_test(test_no_map_t)
+typeattribute test_no_map_t testdomain;
+typeattribute test_no_map_t mmaptestdomain;
+allow test_no_map_t test_mmap_file_t:file { open read write execute };
 
 type test_file_rx_t;
 domain_type(test_file_rx_t)
@@ -125,6 +140,7 @@ unconfined_runs_test(test_file_rx_t)
 typeattribute test_file_rx_t testdomain;
 typeattribute test_file_rx_t mmaptestdomain;
 allow test_file_rx_t test_mmap_file_t:file { open read execute };
+allow_map(test_file_rx_t, test_mmap_file_t, file)
 
 type test_file_rw_t;
 domain_type(test_file_rw_t)
@@ -132,6 +148,7 @@ unconfined_runs_test(test_file_rw_t)
 typeattribute test_file_rw_t testdomain;
 typeattribute test_file_rw_t mmaptestdomain;
 allow test_file_rw_t test_mmap_file_t:file { open read write };
+allow_map(test_file_rw_t, test_mmap_file_t, file)
 
 type test_file_r_t;
 domain_type(test_file_r_t)
@@ -139,6 +156,7 @@ unconfined_runs_test(test_file_r_t)
 typeattribute test_file_r_t testdomain;
 typeattribute test_file_r_t mmaptestdomain;
 allow test_file_r_t test_mmap_file_t:file { open read };
+allow_map(test_file_r_t, test_mmap_file_t, file)
 
 type test_execstack_t;
 domain_type(test_execstack_t)
@@ -160,6 +178,7 @@ unconfined_runs_test(test_execmod_t)
 typeattribute test_execmod_t testdomain;
 typeattribute test_execmod_t mmaptestdomain;
 allow test_execmod_t test_mmap_file_t:file { open read execute execmod };
+allow_map(test_execmod_t, test_mmap_file_t, file)
 
 type test_no_execmod_t;
 domain_type(test_no_execmod_t)
@@ -167,6 +186,7 @@ unconfined_runs_test(test_no_execmod_t)
 typeattribute test_no_execmod_t testdomain;
 typeattribute test_no_execmod_t mmaptestdomain;
 allow test_no_execmod_t test_mmap_file_t:file { open read execute };
+allow_map(test_no_execmod_t, test_mmap_file_t, file)
 
 # Allow entrypoint via the test programs.
 miscfiles_domain_entry_test_files(mmaptestdomain)
diff --git a/tests/mmap/test b/tests/mmap/test
index 0f09b64..6a2df8f 100755
--- a/tests/mmap/test
+++ b/tests/mmap/test
@@ -5,6 +5,7 @@ BEGIN {
 	$test_count = 34;
 	$test_hugepages = 0;
 	$test_exec_checking = 0;
+	$test_map_checking = 0;
 
 	system("echo 1 > /proc/sys/vm/nr_hugepages 2> /dev/null");
 	if (system("grep -q 1 /proc/sys/vm/nr_hugepages 2> /dev/null") == 0) {
@@ -17,6 +18,11 @@ BEGIN {
 		$test_count += 4;
 	}
 
+	if (-e '/sys/fs/selinux/class/file/perms/map') {
+		$test_map_checking = 1;
+		$test_count += 1;
+	}
+
 	plan tests => $test_count
 }
 
@@ -113,6 +119,11 @@ if ($test_exec_checking) {
 	ok($result);
 }
 
+if ($test_map_checking) {
+	$result = system "runcon -t test_no_map_t -- $basedir/mmap_file_shared $basedir/temp_file 2>&1";
+	ok($result);
+}
+
 # Test success and failure for file execute on mprotect w/ file shared mapping.
 $result = system "runcon -t test_file_rwx_t $basedir/mprotect_file_shared $basedir/temp_file";
 ok($result, 0);