* [PATCH] Additional tests for long-time supported netlink classes
@ 2017-07-13 11:08 Milos Malik
  2017-07-13 16:53 ` Stephen Smalley
  0 siblings, 1 reply; 9+ messages in thread
From: Milos Malik @ 2017-07-13 11:08 UTC
  To: selinux

This patch contains tests for classes which have been supported for a
long time but are not tested by the selinux-testsuite yet. These tests
involve classes like: netlink_route_socket, netlink_xfrm_socket,
netlink_selinux_socket, netlink_audit_socket,
netlink_kobject_uevent_socket, netlink_connector_socket,
netlink_scsitransport_socket, netlink_fib_lookup_socket.

Signed-off-by: Milos Malik <mmalik@redhat.com>
---
 policy/test_netlink_socket.te |  8 ++++
 tests/netlink_socket/test     | 99 ++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 106 insertions(+), 1 deletion(-)

diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te
index c852c04..aaa6e4d 100644
--- a/policy/test_netlink_socket.te
+++ b/policy/test_netlink_socket.te
@@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket)
 netlink_socket_test(netlink_netfilter_socket)
 netlink_socket_test(netlink_generic_socket)
 netlink_socket_test(netlink_crypto_socket)
+netlink_socket_test(netlink_route_socket)
+netlink_socket_test(netlink_xfrm_socket)
+netlink_socket_test(netlink_selinux_socket)
+netlink_socket_test(netlink_audit_socket)
+netlink_socket_test(netlink_kobject_uevent_socket)
+netlink_socket_test(netlink_connector_socket)
+netlink_socket_test(netlink_scsitransport_socket)
+netlink_socket_test(netlink_fib_lookup_socket)
 
 #
 # Common rules for all netlink socket class test domains.
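Review bot: the eight added netlink_socket_test() calls are appended to the same list as netlink_iscsi_socket, netlink_netfilter_socket, netlink_generic_socket and netlink_crypto_socket, so all twelve test domains are built or skipped together as one policy module. If the added classes need to be testable on systems whose policy lacks the four existing ones, move them to a separate .te file (or wrap each group in its own conditional) so the two groups can be enabled independently.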
diff --git a/tests/netlink_socket/test b/tests/netlink_socket/test
index 487edbc..cc8c2d4 100755
--- a/tests/netlink_socket/test
+++ b/tests/netlink_socket/test
@@ -1,7 +1,7 @@
 #!/usr/bin/perl
 
 use Test;
-BEGIN { plan tests => 8 }
+BEGIN { plan tests => 24 }
 
 $basedir = $0;
 $basedir =~ s|(.*)/[^/]*|$1|;
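Review bot: the plan count in the BEGIN line is a hard-coded 24, which matches the 8 existing checks plus the 16 added in the next hunk but has to be edited by hand whenever a check is added or skipped. If any subset of these checks becomes conditional, derive the count from the list of classes actually tested instead of a literal, otherwise the number of checks run will no longer match the plan.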
@@ -53,3 +53,100 @@ $result = system(
 "runcon -t test_no_netlink_crypto_socket_t -- $basedir/netlinkcreate crypto 2>&1"
 );
 ok($result);
+
+# Verify that test_netlink_route_socket_t can create a NETLINK_ROUTE socket.
+$result = system(
+"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate route 2>&1"
+);
+ok( $result, 0 );
+
+# Verify that test_no_netlink_route_socket_t cannot create a NETLINK_ROUTE socket.
+$result = system(
+"runcon -t test_no_netlink_route_socket_t -- $basedir/netlinkcreate route 2>&1"
+);
+ok($result);
+
+# Verify that test_netlink_xfrm_socket_t can create a NETLINK_XFRM socket.
+$result = system(
+"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate xfrm 2>&1"
+);
+ok( $result, 0 );
+
+# Verify that test_no_netlink_xfrm_socket_t cannot create a NETLINK_XFRM socket.
+$result = system(
+"runcon -t test_no_netlink_xfrm_socket_t -- $basedir/netlinkcreate xfrm 2>&1"
+);
+ok($result);
+
+# Verify that test_netlink_selinux_socket_t can create a NETLINK_SELINUX socket.
+$result = system(
+"runcon -t test_netlink_selinux_socket_t -- $basedir/netlinkcreate selinux 2>&1"
+);
+ok( $result, 0 );
+
+# Verify that test_no_netlink_selinux_socket_t cannot create a NETLINK_SELINUX socket.
+$result = system(
+"runcon -t test_no_netlink_selinux_socket_t -- $basedir/netlinkcreate selinux 2>&1"
+);
+ok($result);
+
+# Verify that test_netlink_audit_socket_t can create a NETLINK_AUDIT socket.
+$result = system(
+"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate audit 2>&1"
+);
+ok( $result, 0 );
+
+# Verify that test_no_netlink_audit_socket_t cannot create a NETLINK_AUDIT socket.
+$result = system(
+"runcon -t test_no_netlink_audit_socket_t -- $basedir/netlinkcreate audit 2>&1"
+);
+ok($result);
+
+# Verify that test_netlink_kobject_uevent_socket_t can create a NETLINK_KOBJECT_UEVENT socket.
+$result = system(
+"runcon -t test_netlink_kobject_uevent_socket_t -- $basedir/netlinkcreate kobject_uevent 2>&1"
+);
+ok( $result, 0 );
+
+# Verify that test_no_netlink_kobject_uevent_socket_t cannot create a NETLINK_KOBJECT_UEVENT socket.
+$result = system(
+"runcon -t test_no_netlink_kobject_uevent_socket_t -- $basedir/netlinkcreate kobject_uevent 2>&1"
+);
+ok($result);
+
+# Verify that test_netlink_connector_socket_t can create a NETLINK_CONNECTOR socket.
+$result = system(
+"runcon -t test_netlink_connector_socket_t -- $basedir/netlinkcreate connector 2>&1"
+);
+ok( $result, 0 );
+
+# Verify that test_no_netlink_connector_socket_t cannot create a NETLINK_CONNECTOR socket.
+$result = system(
+"runcon -t test_no_netlink_connector_socket_t -- $basedir/netlinkcreate connector 2>&1"
+);
+ok($result);
+
+# Verify that test_netlink_scsitransport_socket_t can create a NETLINK_SCSITRANSPORT socket.
+$result = system(
+"runcon -t test_netlink_scsitransport_socket_t -- $basedir/netlinkcreate scsitransport 2>&1"
+);
+ok( $result, 0 );
+
+# Verify that test_no_netlink_scsitransport_socket_t cannot create a NETLINK_SCSITRANSPORT socket.
+$result = system(
+"runcon -t test_no_netlink_scsitransport_socket_t -- $basedir/netlinkcreate scsitransport 2>&1"
+);
+ok($result);
+
+# Verify that test_netlink_fib_lookup_socket_t can create a NETLINK_FIB_LOOKUP socket.
+$result = system(
+"runcon -t test_netlink_fib_lookup_socket_t -- $basedir/netlinkcreate fib_lookup 2>&1"
+);
+ok( $result, 0 );
+
+# Verify that test_no_netlink_fib_lookup_socket_t cannot create a NETLINK_FIB_LOOKUP socket.
+$result = system(
+"runcon -t test_no_netlink_fib_lookup_socket_t -- $basedir/netlinkcreate fib_lookup 2>&1"
+);
+ok($result);
+
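Review bot: each test_no_* check ends in ok($result), which passes on any non-zero status from system(), so a missing type, a runcon failure or netlinkcreate rejecting its argument would all count as a correct denial. If netlinkcreate can report a denied socket() call with a distinct exit status, compare against that value rather than plain truthiness. The sixteen added blocks differ only in the protocol name, so a loop over the names would keep them in step, and the last added line is an empty line with no context after it, that is, a new blank line at end of file, which git reports as a whitespace error.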
-- 
2.4.11

* Re: [PATCH] Additional tests for long-time supported netlink classes
  2017-07-13 11:08 [PATCH] Additional tests for long-time supported netlink classes Milos Malik
@ 2017-07-13 16:53 ` Stephen Smalley
  2017-07-13 17:35   ` Stephen Smalley
  2017-07-14  7:44   ` Milos Malik
  0 siblings, 2 replies; 9+ messages in thread
From: Stephen Smalley @ 2017-07-13 16:53 UTC
  To: Milos Malik, selinux

On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> This patch contains tests for classes which are already supported for
> a
> long time but are not tested by the selinux-testsuite yet. These
> tests
> involve classes like: netlink_route_socket, netlink_xfrm_socket,
> netlink_selinux_socket, netlink_audit_socket,
> netlink_kobject_uevent_socket, netlink_connector_socket,
> netlink_scsitransport_socket, netlink_fib_lookup_socket.

These look fine (aside from a whitespace issue which git am complained
about) and ran successfully for me on Fedora, but I did have one
question:

policy/Makefile and tests/Makefile only enable the netlink_socket tests
if the new netlink socket classes are defined by the base policy, and
tests/Makefile further excludes them from running on RHEL7 because
RHEL7.3 back-ported the policy change defining the new classes but not
the kernel support.  In contrast, the tests you are adding could be run
on RHEL7 (and earlier).  If we want them to be run on RHEL7 or earlier,
then you need to split them into their own test policy and test case
that can be separately enabled, or otherwise wrap the current ones to
allow use on RHEL7.  You can see examples in other test policies and
scripts of such conditional inclusion of subsets of the tests/policies
(e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit
b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
tested on RHEL7 or earlier?

> 
> Signed-off-by: Milos Malik <mmalik@redhat.com>
> ---
>  policy/test_netlink_socket.te |  8 ++++
>  tests/netlink_socket/test     | 99
> ++++++++++++++++++++++++++++++++++++++++++-
>  2 files changed, 106 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/test_netlink_socket.te
> b/policy/test_netlink_socket.te
> index c852c04..aaa6e4d 100644
> --- a/policy/test_netlink_socket.te
> +++ b/policy/test_netlink_socket.te
> @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket)
>  netlink_socket_test(netlink_netfilter_socket)
>  netlink_socket_test(netlink_generic_socket)
>  netlink_socket_test(netlink_crypto_socket)
> +netlink_socket_test(netlink_route_socket)
> +netlink_socket_test(netlink_xfrm_socket)
> +netlink_socket_test(netlink_selinux_socket)
> +netlink_socket_test(netlink_audit_socket)
> +netlink_socket_test(netlink_kobject_uevent_socket)
> +netlink_socket_test(netlink_connector_socket)
> +netlink_socket_test(netlink_scsitransport_socket)
> +netlink_socket_test(netlink_fib_lookup_socket)
>  
>  #
>  # Common rules for all netlink socket class test domains.
> diff --git a/tests/netlink_socket/test b/tests/netlink_socket/test
> index 487edbc..cc8c2d4 100755
> --- a/tests/netlink_socket/test
> +++ b/tests/netlink_socket/test
> @@ -1,7 +1,7 @@
>  #!/usr/bin/perl
>  
>  use Test;
> -BEGIN { plan tests => 8 }
> +BEGIN { plan tests => 24 }
>  
>  $basedir = $0;
>  $basedir =~ s|(.*)/[^/]*|$1|;
> @@ -53,3 +53,100 @@ $result = system(
>  "runcon -t test_no_netlink_crypto_socket_t -- $basedir/netlinkcreate
> crypto 2>&1"
>  );
>  ok($result);
> +
> +# Verify that test_netlink_route_socket_t can create a NETLINK_ROUTE
> socket.
> +$result = system(
> +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate
> route 2>&1"
> +);
> +ok( $result, 0 );
> +
> +# Verify that test_no_netlink_route_socket_t cannot create a
> NETLINK_ROUTE socket.
> +$result = system(
> +"runcon -t test_no_netlink_route_socket_t -- $basedir/netlinkcreate
> route 2>&1"
> +);
> +ok($result);
> +
> +# Verify that test_netlink_xfrm_socket_t can create a NETLINK_XFRM
> socket.
> +$result = system(
> +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate xfrm
> 2>&1"
> +);
> +ok( $result, 0 );
> +
> +# Verify that test_no_netlink_xfrm_socket_t cannot create a
> NETLINK_XFRM socket.
> +$result = system(
> +"runcon -t test_no_netlink_xfrm_socket_t -- $basedir/netlinkcreate
> xfrm 2>&1"
> +);
> +ok($result);
> +
> +# Verify that test_netlink_selinux_socket_t can create a
> NETLINK_SELINUX socket.
> +$result = system(
> +"runcon -t test_netlink_selinux_socket_t -- $basedir/netlinkcreate
> selinux 2>&1"
> +);
> +ok( $result, 0 );
> +
> +# Verify that test_no_netlink_selinux_socket_t cannot create a
> NETLINK_SELINUX socket.
> +$result = system(
> +"runcon -t test_no_netlink_selinux_socket_t --
> $basedir/netlinkcreate selinux 2>&1"
> +);
> +ok($result);
> +
> +# Verify that test_netlink_audit_socket_t can create a NETLINK_AUDIT
> socket.
> +$result = system(
> +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate
> audit 2>&1"
> +);
> +ok( $result, 0 );
> +
> +# Verify that test_no_netlink_audit_socket_t cannot create a
> NETLINK_AUDIT socket.
> +$result = system(
> +"runcon -t test_no_netlink_audit_socket_t -- $basedir/netlinkcreate
> audit 2>&1"
> +);
> +ok($result);
> +
> +# Verify that test_netlink_kobject_uevent_socket_t can create a
> NETLINK_KOBJECT_UEVENT socket.
> +$result = system(
> +"runcon -t test_netlink_kobject_uevent_socket_t --
> $basedir/netlinkcreate kobject_uevent 2>&1"
> +);
> +ok( $result, 0 );
> +
> +# Verify that test_no_netlink_kobject_uevent_socket_t cannot create
> a NETLINK_KOBJECT_UEVENT socket.
> +$result = system(
> +"runcon -t test_no_netlink_kobject_uevent_socket_t --
> $basedir/netlinkcreate kobject_uevent 2>&1"
> +);
> +ok($result);
> +
> +# Verify that test_netlink_connector_socket_t can create a
> NETLINK_CONNECTOR socket.
> +$result = system(
> +"runcon -t test_netlink_connector_socket_t -- $basedir/netlinkcreate
> connector 2>&1"
> +);
> +ok( $result, 0 );
> +
> +# Verify that test_no_netlink_connector_socket_t cannot create a
> NETLINK_CONNECTOR socket.
> +$result = system(
> +"runcon -t test_no_netlink_connector_socket_t --
> $basedir/netlinkcreate connector 2>&1"
> +);
> +ok($result);
> +
> +# Verify that test_netlink_scsitransport_socket_t can create a
> NETLINK_SCSITRANSPORT socket.
> +$result = system(
> +"runcon -t test_netlink_scsitransport_socket_t --
> $basedir/netlinkcreate scsitransport 2>&1"
> +);
> +ok( $result, 0 );
> +
> +# Verify that test_no_netlink_scsitransport_socket_t cannot create a
> NETLINK_SCSITRANSPORT socket.
> +$result = system(
> +"runcon -t test_no_netlink_scsitransport_socket_t --
> $basedir/netlinkcreate scsitransport 2>&1"
> +);
> +ok($result);
> +
> +# Verify that test_netlink_fib_lookup_socket_t can create a
> NETLINK_FIB_LOOKUP socket.
> +$result = system(
> +"runcon -t test_netlink_fib_lookup_socket_t --
> $basedir/netlinkcreate fib_lookup 2>&1"
> +);
> +ok( $result, 0 );
> +
> +# Verify that test_no_netlink_fib_lookup_socket_t cannot create a
> NETLINK_FIB_LOOKUP socket.
> +$result = system(
> +"runcon -t test_no_netlink_fib_lookup_socket_t --
> $basedir/netlinkcreate fib_lookup 2>&1"
> +);
> +ok($result);
> +

* Re: [PATCH] Additional tests for long-time supported netlink classes
  2017-07-13 16:53 ` Stephen Smalley
@ 2017-07-13 17:35   ` Stephen Smalley
  2017-07-13 20:59     ` Paul Moore
  2017-07-14  7:44   ` Milos Malik
  1 sibling, 1 reply; 9+ messages in thread
From: Stephen Smalley @ 2017-07-13 17:35 UTC
  To: Milos Malik, selinux

On Thu, 2017-07-13 at 12:53 -0400, Stephen Smalley wrote:
> On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > This patch contains tests for classes which are already supported
> > for
> > a
> > long time but are not tested by the selinux-testsuite yet. These
> > tests
> > involve classes like: netlink_route_socket, netlink_xfrm_socket,
> > netlink_selinux_socket, netlink_audit_socket,
> > netlink_kobject_uevent_socket, netlink_connector_socket,
> > netlink_scsitransport_socket, netlink_fib_lookup_socket.
> 
> These look fine (aside from a whitespace issue which git am
> complained
> about) and ran successfully for me on Fedora, but I did have one
> question:
> 
> policy/Makefile and tests/Makefile only enable the netlink_socket
> tests
> if the new netlink socket classes are defined by the base policy, and
> tests/Makefile further excludes them from running on RHEL7 because
> RHEL7.3 back-ported the policy change defining the new classes but
> not
> the kernel support.  In contrast, the tests you are adding could be
> run
> on RHEL7 (and earlier).  If we want them to be run on RHEL7 or
> earlier,
> then you need to split them into their own test policy and test case
> that can be separately enabled, or otherwise wrap the current ones to
> allow use on RHEL7.  You can see examples in other test policies and
> scripts of such conditional inclusion of subsets of the
> tests/policies
> (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit
> b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
> tested on RHEL7 or earlier?

Also, I wanted to mention that this still doesn't address testing of
the finer-grained permissions for netlink sockets, e.g.
nlmsg_read/write/..., as noted in the open issue:
https://github.com/SELinuxProject/selinux-testsuite/issues/17

That isn't an obstacle to taking this one, but wanted to note that we
still want to address that at some point.

Also, on the kernel side, we might want to consider defining those
permissions for more of the netlink socket classes, particularly the
newer ones, if/where it makes sense to do so.  Or, alternatively, to
implement support analogous to the ioctl whitelisting support for
netlink messages so that we can do fine-grained restrictions there.

> 
> > 
> > Signed-off-by: Milos Malik <mmalik@redhat.com>
> > ---
> >  policy/test_netlink_socket.te |  8 ++++
> >  tests/netlink_socket/test     | 99
> > ++++++++++++++++++++++++++++++++++++++++++-
> >  2 files changed, 106 insertions(+), 1 deletion(-)
> > 
> > diff --git a/policy/test_netlink_socket.te
> > b/policy/test_netlink_socket.te
> > index c852c04..aaa6e4d 100644
> > --- a/policy/test_netlink_socket.te
> > +++ b/policy/test_netlink_socket.te
> > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket)
> >  netlink_socket_test(netlink_netfilter_socket)
> >  netlink_socket_test(netlink_generic_socket)
> >  netlink_socket_test(netlink_crypto_socket)
> > +netlink_socket_test(netlink_route_socket)
> > +netlink_socket_test(netlink_xfrm_socket)
> > +netlink_socket_test(netlink_selinux_socket)
> > +netlink_socket_test(netlink_audit_socket)
> > +netlink_socket_test(netlink_kobject_uevent_socket)
> > +netlink_socket_test(netlink_connector_socket)
> > +netlink_socket_test(netlink_scsitransport_socket)
> > +netlink_socket_test(netlink_fib_lookup_socket)
> >  
> >  #
> >  # Common rules for all netlink socket class test domains.
> > diff --git a/tests/netlink_socket/test b/tests/netlink_socket/test
> > index 487edbc..cc8c2d4 100755
> > --- a/tests/netlink_socket/test
> > +++ b/tests/netlink_socket/test
> > @@ -1,7 +1,7 @@
> >  #!/usr/bin/perl
> >  
> >  use Test;
> > -BEGIN { plan tests => 8 }
> > +BEGIN { plan tests => 24 }
> >  
> >  $basedir = $0;
> >  $basedir =~ s|(.*)/[^/]*|$1|;
> > @@ -53,3 +53,100 @@ $result = system(
> >  "runcon -t test_no_netlink_crypto_socket_t --
> > $basedir/netlinkcreate
> > crypto 2>&1"
> >  );
> >  ok($result);
> > +
> > +# Verify that test_netlink_route_socket_t can create a
> > NETLINK_ROUTE
> > socket.
> > +$result = system(
> > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate
> > route 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_route_socket_t cannot create a
> > NETLINK_ROUTE socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_route_socket_t --
> > $basedir/netlinkcreate
> > route 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_xfrm_socket_t can create a NETLINK_XFRM
> > socket.
> > +$result = system(
> > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate
> > xfrm
> > 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_xfrm_socket_t cannot create a
> > NETLINK_XFRM socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_xfrm_socket_t -- $basedir/netlinkcreate
> > xfrm 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_selinux_socket_t can create a
> > NETLINK_SELINUX socket.
> > +$result = system(
> > +"runcon -t test_netlink_selinux_socket_t -- $basedir/netlinkcreate
> > selinux 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_selinux_socket_t cannot create a
> > NETLINK_SELINUX socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_selinux_socket_t --
> > $basedir/netlinkcreate selinux 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_audit_socket_t can create a
> > NETLINK_AUDIT
> > socket.
> > +$result = system(
> > +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate
> > audit 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_audit_socket_t cannot create a
> > NETLINK_AUDIT socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_audit_socket_t --
> > $basedir/netlinkcreate
> > audit 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_kobject_uevent_socket_t can create a
> > NETLINK_KOBJECT_UEVENT socket.
> > +$result = system(
> > +"runcon -t test_netlink_kobject_uevent_socket_t --
> > $basedir/netlinkcreate kobject_uevent 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot
> > create
> > a NETLINK_KOBJECT_UEVENT socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_kobject_uevent_socket_t --
> > $basedir/netlinkcreate kobject_uevent 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_connector_socket_t can create a
> > NETLINK_CONNECTOR socket.
> > +$result = system(
> > +"runcon -t test_netlink_connector_socket_t --
> > $basedir/netlinkcreate
> > connector 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_connector_socket_t cannot create a
> > NETLINK_CONNECTOR socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_connector_socket_t --
> > $basedir/netlinkcreate connector 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_scsitransport_socket_t can create a
> > NETLINK_SCSITRANSPORT socket.
> > +$result = system(
> > +"runcon -t test_netlink_scsitransport_socket_t --
> > $basedir/netlinkcreate scsitransport 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_scsitransport_socket_t cannot create
> > a
> > NETLINK_SCSITRANSPORT socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_scsitransport_socket_t --
> > $basedir/netlinkcreate scsitransport 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_fib_lookup_socket_t can create a
> > NETLINK_FIB_LOOKUP socket.
> > +$result = system(
> > +"runcon -t test_netlink_fib_lookup_socket_t --
> > $basedir/netlinkcreate fib_lookup 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_fib_lookup_socket_t cannot create a
> > NETLINK_FIB_LOOKUP socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_fib_lookup_socket_t --
> > $basedir/netlinkcreate fib_lookup 2>&1"
> > +);
> > +ok($result);
> > +

* Re: [PATCH] Additional tests for long-time supported netlink classes
  2017-07-13 17:35   ` Stephen Smalley
@ 2017-07-13 20:59     ` Paul Moore
  0 siblings, 0 replies; 9+ messages in thread
From: Paul Moore @ 2017-07-13 20:59 UTC
  To: Stephen Smalley; +Cc: Milos Malik, selinux

On Thu, Jul 13, 2017 at 1:35 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> Also, I wanted to mention that this still doesn't address testing of
> the finer-grained permissions for netlink sockets, e.g.
> nlmsg_read/write/..., as noted in the open issue:
> https://github.com/SELinuxProject/selinux-testsuite/issues/17
>
> That isn't an obstacle to taking this one, but wanted to note that we
> still want to address that at some point.

Agreed.  I still think that Milos' patch is an improvement and worth
merging once the RHEL-7 questions are answered/resolved (your previous email).

> Also, on the kernel side, we might want to consider defining those
> permissions for more of the netlink socket classes, particularly the
> newer ones, if/where it makes sense to do so.  Or, alternatively, to
> implement support analogous to the ioctl whitelisting support for
> netlink messages so that we can do fine-grained restrictions there.

Yes, definitely.  Long term I think doing something similar to what
was done for the individual ioctls is the best solution, but I'd be
happy to accept netlink permission mapping updates in the meantime.

-- 
paul moore
www.paul-moore.com

* Re: [PATCH] Additional tests for long-time supported netlink classes
  2017-07-13 16:53 ` Stephen Smalley
  2017-07-13 17:35   ` Stephen Smalley
@ 2017-07-14  7:44   ` Milos Malik
  2017-07-14 14:53     ` Stephen Smalley
  1 sibling, 1 reply; 9+ messages in thread
From: Milos Malik @ 2017-07-14  7:44 UTC
  To: Stephen Smalley; +Cc: selinux, Paul Moore

All of the netlink classes currently tested by the selinux-testsuite + classes
tested by the attached patch are supported (at the same time by the kernel
and by the policy) on RHEL-7.3.

Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not recognize
the following classes:
netlink_connector_socket, netlink_crypto_socket, netlink_fib_lookup_socket,
netlink_generic_socket, netlink_iscsi_socket, netlink_netfilter_socket,
netlink_rdma_socket, netlink_scsitransport_socket.

Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests can
be safely executed on RHEL-7.3 and higher.

You're right about splitting the netlink tests into at least 2 subsets:
RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will take a look
at the commits you provided and let you know.

Milos Malik

----- Original Message -----
> On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > This patch contains tests for classes which are already supported for
> > a
> > long time but are not tested by the selinux-testsuite yet. These
> > tests
> > involve classes like: netlink_route_socket, netlink_xfrm_socket,
> > netlink_selinux_socket, netlink_audit_socket,
> > netlink_kobject_uevent_socket, netlink_connector_socket,
> > netlink_scsitransport_socket, netlink_fib_lookup_socket.
> 
> These look fine (aside from a whitespace issue which git am complained
> about) and ran successfully for me on Fedora, but I did have one
> question:
> 
> policy/Makefile and tests/Makefile only enable the netlink_socket tests
> if the new netlink socket classes are defined by the base policy, and
> tests/Makefile further excludes them from running on RHEL7 because
> RHEL7.3 back-ported the policy change defining the new classes but not
> the kernel support.  In contrast, the tests you are adding could be run
> on RHEL7 (and earlier).  If we want them to be run on RHEL7 or earlier,
> then you need to split them into their own test policy and test case
> that can be separately enabled, or otherwise wrap the current ones to
> allow use on RHEL7.  You can see examples in other test policies and
> scripts of such conditional inclusion of subsets of the tests/policies
> (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit
> b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
> tested on RHEL7 or earlier?
> 
> > 
> > Signed-off-by: Milos Malik <mmalik@redhat.com>
> > ---
> >  policy/test_netlink_socket.te |  8 ++++
> >  tests/netlink_socket/test     | 99
> > ++++++++++++++++++++++++++++++++++++++++++-
> >  2 files changed, 106 insertions(+), 1 deletion(-)
> > 
> > diff --git a/policy/test_netlink_socket.te
> > b/policy/test_netlink_socket.te
> > index c852c04..aaa6e4d 100644
> > --- a/policy/test_netlink_socket.te
> > +++ b/policy/test_netlink_socket.te
> > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket)
> >  netlink_socket_test(netlink_netfilter_socket)
> >  netlink_socket_test(netlink_generic_socket)
> >  netlink_socket_test(netlink_crypto_socket)
> > +netlink_socket_test(netlink_route_socket)
> > +netlink_socket_test(netlink_xfrm_socket)
> > +netlink_socket_test(netlink_selinux_socket)
> > +netlink_socket_test(netlink_audit_socket)
> > +netlink_socket_test(netlink_kobject_uevent_socket)
> > +netlink_socket_test(netlink_connector_socket)
> > +netlink_socket_test(netlink_scsitransport_socket)
> > +netlink_socket_test(netlink_fib_lookup_socket)
> >  
> >  #
> >  # Common rules for all netlink socket class test domains.
> > diff --git a/tests/netlink_socket/test b/tests/netlink_socket/test
> > index 487edbc..cc8c2d4 100755
> > --- a/tests/netlink_socket/test
> > +++ b/tests/netlink_socket/test
> > @@ -1,7 +1,7 @@
> >  #!/usr/bin/perl
> >  
> >  use Test;
> > -BEGIN { plan tests => 8 }
> > +BEGIN { plan tests => 24 }
> >  
> >  $basedir = $0;
> >  $basedir =~ s|(.*)/[^/]*|$1|;
> > @@ -53,3 +53,100 @@ $result = system(
> >  "runcon -t test_no_netlink_crypto_socket_t -- $basedir/netlinkcreate
> > crypto 2>&1"
> >  );
> >  ok($result);
> > +
> > +# Verify that test_netlink_route_socket_t can create a NETLINK_ROUTE
> > socket.
> > +$result = system(
> > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate
> > route 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_route_socket_t cannot create a
> > NETLINK_ROUTE socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_route_socket_t -- $basedir/netlinkcreate
> > route 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_xfrm_socket_t can create a NETLINK_XFRM
> > socket.
> > +$result = system(
> > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate xfrm
> > 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_xfrm_socket_t cannot create a
> > NETLINK_XFRM socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_xfrm_socket_t -- $basedir/netlinkcreate
> > xfrm 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_selinux_socket_t can create a
> > NETLINK_SELINUX socket.
> > +$result = system(
> > +"runcon -t test_netlink_selinux_socket_t -- $basedir/netlinkcreate
> > selinux 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_selinux_socket_t cannot create a
> > NETLINK_SELINUX socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_selinux_socket_t --
> > $basedir/netlinkcreate selinux 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_audit_socket_t can create a NETLINK_AUDIT
> > socket.
> > +$result = system(
> > +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate
> > audit 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_audit_socket_t cannot create a
> > NETLINK_AUDIT socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_audit_socket_t -- $basedir/netlinkcreate
> > audit 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_kobject_uevent_socket_t can create a
> > NETLINK_KOBJECT_UEVENT socket.
> > +$result = system(
> > +"runcon -t test_netlink_kobject_uevent_socket_t --
> > $basedir/netlinkcreate kobject_uevent 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot create
> > a NETLINK_KOBJECT_UEVENT socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_kobject_uevent_socket_t --
> > $basedir/netlinkcreate kobject_uevent 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_connector_socket_t can create a
> > NETLINK_CONNECTOR socket.
> > +$result = system(
> > +"runcon -t test_netlink_connector_socket_t -- $basedir/netlinkcreate
> > connector 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_connector_socket_t cannot create a
> > NETLINK_CONNECTOR socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_connector_socket_t --
> > $basedir/netlinkcreate connector 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_scsitransport_socket_t can create a
> > NETLINK_SCSITRANSPORT socket.
> > +$result = system(
> > +"runcon -t test_netlink_scsitransport_socket_t --
> > $basedir/netlinkcreate scsitransport 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_scsitransport_socket_t cannot create a
> > NETLINK_SCSITRANSPORT socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_scsitransport_socket_t --
> > $basedir/netlinkcreate scsitransport 2>&1"
> > +);
> > +ok($result);
> > +
> > +# Verify that test_netlink_fib_lookup_socket_t can create a
> > NETLINK_FIB_LOOKUP socket.
> > +$result = system(
> > +"runcon -t test_netlink_fib_lookup_socket_t --
> > $basedir/netlinkcreate fib_lookup 2>&1"
> > +);
> > +ok( $result, 0 );
> > +
> > +# Verify that test_no_netlink_fib_lookup_socket_t cannot create a
> > NETLINK_FIB_LOOKUP socket.
> > +$result = system(
> > +"runcon -t test_no_netlink_fib_lookup_socket_t --
> > $basedir/netlinkcreate fib_lookup 2>&1"
> > +);
> > +ok($result);
> > +
> 
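
Added example, not part of the thread and not selinux-testsuite code: one way to see which of the netlink socket classes discussed above the loaded policy defines, using the per-class directories that selinuxfs exposes under /sys/fs/selinux/class. The function names and the SELINUXFS_CLASS_DIR override are assumptions made for this sketch; the class names come from the patch.

```shell
#!/bin/sh
# Added example (not selinux-testsuite code).
# Reports, per group of netlink socket classes, whether every class is
# defined by the loaded policy. selinuxfs exposes one directory per class,
# so "defined" is a directory test.
#
# Caveat taken from the thread: a class being defined by the policy does not
# show that the running kernel labels sockets with it, so this answers only
# the policy half of the "can these tests run here?" question.

# Overridable so the check can be pointed at a constructed directory.
SELINUXFS_CLASS_DIR="${SELINUXFS_CLASS_DIR:-/sys/fs/selinux/class}"

# Classes already listed in policy/test_netlink_socket.te (hunk context).
EXISTING_CLASSES="netlink_iscsi_socket netlink_netfilter_socket netlink_generic_socket netlink_crypto_socket"
# Classes added by the patch.
ADDED_CLASSES="netlink_route_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_kobject_uevent_socket netlink_connector_socket netlink_scsitransport_socket netlink_fib_lookup_socket"

# class_defined CLASS [DIR]: true when the policy defines CLASS.
class_defined() {
    [ -d "${2:-$SELINUXFS_CLASS_DIR}/$1" ]
}

# filter_classes MODE DIR CLASS...
# MODE is "defined" or "missing"; prints the matching names on one line,
# space-separated, in the order given.
filter_classes() {
    mode=$1 dir=$2
    shift 2
    out=""
    for c in "$@"; do
        if class_defined "$c" "$dir"; then state=defined; else state=missing; fi
        if [ "$state" = "$mode" ]; then out="${out:+$out }$c"; fi
    done
    printf '%s\n' "$out"
}

# subset_status LABEL DIR CLASS...
# Prints "LABEL: enable" when every class is defined, otherwise
# "LABEL: skip (missing: ...)" naming the classes the policy lacks.
subset_status() {
    label=$1 sdir=$2
    shift 2
    miss=$(filter_classes missing "$sdir" "$@")
    if [ -z "$miss" ]; then
        printf '%s: enable\n' "$label"
    else
        printf '%s: skip (missing: %s)\n' "$label" "$miss"
    fi
}

# Stand-alone run: report against the live selinuxfs (or the override).
# The class lists are deliberately unquoted so they split into words.
subset_status "existing tests" "$SELINUXFS_CLASS_DIR" $EXISTING_CLASSES
subset_status "tests added by the patch" "$SELINUXFS_CLASS_DIR" $ADDED_CLASSES
```

On a host without SELinux every class is reported as missing, since the class directory does not exist.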

* Re: [PATCH] Additional tests for long-time supported netlink classes
  2017-07-14  7:44   ` Milos Malik
@ 2017-07-14 14:53     ` Stephen Smalley
  2017-07-14 16:09       ` Milos Malik
  2017-07-14 21:57       ` Paul Moore
  0 siblings, 2 replies; 9+ messages in thread
From: Stephen Smalley @ 2017-07-14 14:53 UTC
  To: Milos Malik; +Cc: selinux

On Fri, 2017-07-14 at 03:44 -0400, Milos Malik wrote:
> All of the netlink classes currently tested by the selinux-testsuite
> + classes
> tested by the attached patch are supported (at the same time by the
> kernel
> and by the policy) on RHEL-7.3.

Are you sure?  What kernel did you use?  When I tried, they all failed
on 7.3, which is why I disabled them in tests/Makefile for RHEL7.

I don't know if we care about distinguishing at the granularity of
point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to
ensure that the testsuite will pass on the latest release of RHEL7.

> 
> Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not
> recognize
> following classes:
> netlink_connector_socket, netlink_crypto_socket,
> netlink_fib_lookup_socket,
> netlink_generic_socket, netlink_iscsi_socket,
> netlink_netfilter_socket,
> netlink_rdma_socket, netlink_scsitransport_socket.
> 
> Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests can
> be safely executed on RHEL-7.3 and higher.
> 
> You're right about splitting the netlink tests into at least 2
> subsets:
> RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will take a look
> at the commits you provided and let you know.
> 
> Milos Malik
> 
> ----- Original Message -----
> > On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > > This patch contains tests for classes which are already supported
> > > for
> > > a
> > > long time but are not tested by the selinux-testsuite yet. These
> > > tests
> > > involve classes like: netlink_route_socket, netlink_xfrm_socket,
> > > netlink_selinux_socket, netlink_audit_socket,
> > > netlink_kobject_uevent_socket, netlink_connector_socket,
> > > netlink_scsitransport_socket, netlink_fib_lookup_socket.
> > 
> > These look fine (aside from a whitespace issue which git am
> > complained
> > about) and ran successfully for me on Fedora, but I did have one
> > question:
> > 
> > policy/Makefile and tests/Makefile only enable the netlink_socket
> > tests
> > if the new netlink socket classes are defined by the base policy,
> > and
> > tests/Makefile further excludes them from running on RHEL7 because
> > RHEL7.3 back-ported the policy change defining the new classes but
> > not
> > the kernel support.  In contrast, the tests you are adding could be
> > run
> > on RHEL7 (and earlier).  If we want them to be run on RHEL7 or
> > earlier,
> > then you need to split them into their own test policy and test
> > case
> > that can be separately enabled, or otherwise wrap the current ones
> > to
> > allow use on RHEL7.  You can see examples in other test policies
> > and
> > scripts of such conditional inclusion of subsets of the
> > tests/policies
> > (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit
> > b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
> > tested on RHEL7 or earlier?
> > 
> > > 
> > > Signed-off-by: Milos Malik <mmalik@redhat.com>
> > > ---
> > >  policy/test_netlink_socket.te |  8 ++++
> > >  tests/netlink_socket/test     | 99
> > > ++++++++++++++++++++++++++++++++++++++++++-
> > >  2 files changed, 106 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/policy/test_netlink_socket.te
> > > b/policy/test_netlink_socket.te
> > > index c852c04..aaa6e4d 100644
> > > --- a/policy/test_netlink_socket.te
> > > +++ b/policy/test_netlink_socket.te
> > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket)
> > >  netlink_socket_test(netlink_netfilter_socket)
> > >  netlink_socket_test(netlink_generic_socket)
> > >  netlink_socket_test(netlink_crypto_socket)
> > > +netlink_socket_test(netlink_route_socket)
> > > +netlink_socket_test(netlink_xfrm_socket)
> > > +netlink_socket_test(netlink_selinux_socket)
> > > +netlink_socket_test(netlink_audit_socket)
> > > +netlink_socket_test(netlink_kobject_uevent_socket)
> > > +netlink_socket_test(netlink_connector_socket)
> > > +netlink_socket_test(netlink_scsitransport_socket)
> > > +netlink_socket_test(netlink_fib_lookup_socket)
> > >  
> > >  #
> > >  # Common rules for all netlink socket class test domains.
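Review bot: The eight added netlink_socket_test() lines sit in the same list as netlink_iscsi_socket, netlink_netfilter_socket, netlink_generic_socket and netlink_crypto_socket, so the long-supported classes are built only under whatever condition enables test_netlink_socket.te as a whole. Since the open question in this thread is whether these should run where the newer classes are unavailable, consider moving the eight new calls into their own policy file (or a separately guarded block), with a comment marking which classes are long-standing and which are recent.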
> > > diff --git a/tests/netlink_socket/test
> > > b/tests/netlink_socket/test
> > > index 487edbc..cc8c2d4 100755
> > > --- a/tests/netlink_socket/test
> > > +++ b/tests/netlink_socket/test
> > > @@ -1,7 +1,7 @@
> > >  #!/usr/bin/perl
> > >  
> > >  use Test;
> > > -BEGIN { plan tests => 8 }
> > > +BEGIN { plan tests => 24 }
> > >  
> > >  $basedir = $0;
> > >  $basedir =~ s|(.*)/[^/]*|$1|;
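Review bot: `plan tests => 24` is a hand-maintained literal. It matches the 8 existing checks plus two checks for each of the 8 added classes, but it goes stale as soon as any subset of the tests is enabled conditionally, and the harness then sees a test count that does not match the plan. If the tests are split or guarded by release, derive the plan from the list of enabled classes (two checks per class) instead of editing the number by hand.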
> > > @@ -53,3 +53,100 @@ $result = system(
> > >  "runcon -t test_no_netlink_crypto_socket_t --
> > > $basedir/netlinkcreate
> > > crypto 2>&1"
> > >  );
> > >  ok($result);
> > > +
> > > +# Verify that test_netlink_route_socket_t can create a
> > > NETLINK_ROUTE
> > > socket.
> > > +$result = system(
> > > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate
> > > route 2>&1"
> > > +);
> > > +ok( $result, 0 );
> > > +
> > > +# Verify that test_no_netlink_route_socket_t cannot create a
> > > NETLINK_ROUTE socket.
> > > +$result = system(
> > > +"runcon -t test_no_netlink_route_socket_t --
> > > $basedir/netlinkcreate
> > > route 2>&1"
> > > +);
> > > +ok($result);
> > > +
> > > +# Verify that test_netlink_xfrm_socket_t can create a
> > > NETLINK_XFRM
> > > socket.
> > > +$result = system(
> > > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate
> > > xfrm
> > > 2>&1"
> > > +);
> > > +ok( $result, 0 );
> > > +
> > > +# Verify that test_no_netlink_xfrm_socket_t cannot create a
> > > NETLINK_XFRM socket.
> > > +$result = system(
> > > +"runcon -t test_no_netlink_xfrm_socket_t --
> > > $basedir/netlinkcreate
> > > xfrm 2>&1"
> > > +);
> > > +ok($result);
> > > +
> > > +# Verify that test_netlink_selinux_socket_t can create a
> > > NETLINK_SELINUX socket.
> > > +$result = system(
> > > +"runcon -t test_netlink_selinux_socket_t --
> > > $basedir/netlinkcreate
> > > selinux 2>&1"
> > > +);
> > > +ok( $result, 0 );
> > > +
> > > +# Verify that test_no_netlink_selinux_socket_t cannot create a
> > > NETLINK_SELINUX socket.
> > > +$result = system(
> > > +"runcon -t test_no_netlink_selinux_socket_t --
> > > $basedir/netlinkcreate selinux 2>&1"
> > > +);
> > > +ok($result);
> > > +
> > > +# Verify that test_netlink_audit_socket_t can create a
> > > NETLINK_AUDIT
> > > socket.
> > > +$result = system(
> > > +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate
> > > audit 2>&1"
> > > +);
> > > +ok( $result, 0 );
> > > +
> > > +# Verify that test_no_netlink_audit_socket_t cannot create a
> > > NETLINK_AUDIT socket.
> > > +$result = system(
> > > +"runcon -t test_no_netlink_audit_socket_t --
> > > $basedir/netlinkcreate
> > > audit 2>&1"
> > > +);
> > > +ok($result);
> > > +
> > > +# Verify that test_netlink_kobject_uevent_socket_t can create a
> > > NETLINK_KOBJECT_UEVENT socket.
> > > +$result = system(
> > > +"runcon -t test_netlink_kobject_uevent_socket_t --
> > > $basedir/netlinkcreate kobject_uevent 2>&1"
> > > +);
> > > +ok( $result, 0 );
> > > +
> > > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot
> > > create
> > > a NETLINK_KOBJECT_UEVENT socket.
> > > +$result = system(
> > > +"runcon -t test_no_netlink_kobject_uevent_socket_t --
> > > $basedir/netlinkcreate kobject_uevent 2>&1"
> > > +);
> > > +ok($result);
> > > +
> > > +# Verify that test_netlink_connector_socket_t can create a
> > > NETLINK_CONNECTOR socket.
> > > +$result = system(
> > > +"runcon -t test_netlink_connector_socket_t --
> > > $basedir/netlinkcreate
> > > connector 2>&1"
> > > +);
> > > +ok( $result, 0 );
> > > +
> > > +# Verify that test_no_netlink_connector_socket_t cannot create a
> > > NETLINK_CONNECTOR socket.
> > > +$result = system(
> > > +"runcon -t test_no_netlink_connector_socket_t --
> > > $basedir/netlinkcreate connector 2>&1"
> > > +);
> > > +ok($result);
> > > +
> > > +# Verify that test_netlink_scsitransport_socket_t can create a
> > > NETLINK_SCSITRANSPORT socket.
> > > +$result = system(
> > > +"runcon -t test_netlink_scsitransport_socket_t --
> > > $basedir/netlinkcreate scsitransport 2>&1"
> > > +);
> > > +ok( $result, 0 );
> > > +
> > > +# Verify that test_no_netlink_scsitransport_socket_t cannot
> > > create a
> > > NETLINK_SCSITRANSPORT socket.
> > > +$result = system(
> > > +"runcon -t test_no_netlink_scsitransport_socket_t --
> > > $basedir/netlinkcreate scsitransport 2>&1"
> > > +);
> > > +ok($result);
> > > +
> > > +# Verify that test_netlink_fib_lookup_socket_t can create a
> > > NETLINK_FIB_LOOKUP socket.
> > > +$result = system(
> > > +"runcon -t test_netlink_fib_lookup_socket_t --
> > > $basedir/netlinkcreate fib_lookup 2>&1"
> > > +);
> > > +ok( $result, 0 );
> > > +
> > > +# Verify that test_no_netlink_fib_lookup_socket_t cannot create
> > > a
> > > NETLINK_FIB_LOOKUP socket.
> > > +$result = system(
> > > +"runcon -t test_no_netlink_fib_lookup_socket_t --
> > > $basedir/netlinkcreate fib_lookup 2>&1"
> > > +);
> > > +ok($result);
> > > +
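Review bot: Each negative check uses `ok($result);`, which passes on any non-zero status from system(), so a runcon failure (for example the test_no_netlink_*_socket_t domain not being loaded) or a missing netlinkcreate binary is indistinguishable from the intended denial of socket creation. netlinkcreate's exit codes are not shown in this patch; if it returns a distinct status when socket creation fails, compare `$result >> 8` against that value, the way the positive checks compare against 0.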
> 
> 


* Re: [PATCH] Additional tests for long-time supported netlink classes
  2017-07-14 14:53     ` Stephen Smalley
@ 2017-07-14 16:09       ` Milos Malik
  2017-07-14 16:36         ` Stephen Smalley
  2017-07-14 21:57       ` Paul Moore
  1 sibling, 1 reply; 9+ messages in thread
From: Milos Malik @ 2017-07-14 16:09 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

I'm sorry I did have a newer kernel (4.*) on my RHEL-7.3 testing machine.

The netlink tests from the selinux-testsuite fail on a freshly installed RHEL-7.3
 machine (kernel = 3.10.0-514.el7.x86_64). 

Milos Malik

----- Original Message -----
> On Fri, 2017-07-14 at 03:44 -0400, Milos Malik wrote:
> > All of the netlink classes currently tested by the selinux-testsuite
> > + classes
> > tested by the attached patch are supported (at the same time by the
> > kernel
> > and by the policy) on RHEL-7.3.
> 
> Are you sure?  What kernel did you use?  When I tried, they all failed
> on 7.3, which is why I disabled them in tests/Makefile for RHEL7.
> 
> I don't know if we care about distinguishing at the granularity of
> point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to
> ensure that the testsuite will pass on the latest release of RHEL7.
> 
> > 
> > Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not
> > recognize
> > following classes:
> > netlink_connector_socket, netlink_crypto_socket,
> > netlink_fib_lookup_socket,
> > netlink_generic_socket, netlink_iscsi_socket,
> > netlink_netfilter_socket,
> > netlink_rdma_socket, netlink_scsitransport_socket.
> > 
> > Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests can
> > be safely executed on RHEL-7.3 and higher.
> > 
> > You're right about splitting the netlink tests into at least 2
> > subsets:
> > RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will take a look
> > at the commits you provided and let you know.
> > 
> > Milos Malik
> > 
> > ----- Original Message -----
> > > On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > > > This patch contains tests for classes which are already supported
> > > > for
> > > > a
> > > > long time but are not tested by the selinux-testsuite yet. These
> > > > tests
> > > > involve classes like: netlink_route_socket, netlink_xfrm_socket,
> > > > netlink_selinux_socket, netlink_audit_socket,
> > > > netlink_kobject_uevent_socket, netlink_connector_socket,
> > > > netlink_scsitransport_socket, netlink_fib_lookup_socket.
> > > 
> > > These look fine (aside from a whitespace issue which git am
> > > complained
> > > about) and ran successfully for me on Fedora, but I did have one
> > > question:
> > > 
> > > policy/Makefile and tests/Makefile only enable the netlink_socket
> > > tests
> > > if the new netlink socket classes are defined by the base policy,
> > > and
> > > tests/Makefile further excludes them from running on RHEL7 because
> > > RHEL7.3 back-ported the policy change defining the new classes but
> > > not
> > > the kernel support.  In contrast, the tests you are adding could be
> > > run
> > > on RHEL7 (and earlier).  If we want them to be run on RHEL7 or
> > > earlier,
> > > then you need to split them into their own test policy and test
> > > case
> > > that can be separately enabled, or otherwise wrap the current ones
> > > to
> > > allow use on RHEL7.  You can see examples in other test policies
> > > and
> > > scripts of such conditional inclusion of subsets of the
> > > tests/policies
> > > (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit
> > > b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to be
> > > tested on RHEL7 or earlier?
> > > 
> > > > 
> > > > Signed-off-by: Milos Malik <mmalik@redhat.com>
> > > > ---
> > > >  policy/test_netlink_socket.te |  8 ++++
> > > >  tests/netlink_socket/test     | 99
> > > > ++++++++++++++++++++++++++++++++++++++++++-
> > > >  2 files changed, 106 insertions(+), 1 deletion(-)
> > > > 
> > > > diff --git a/policy/test_netlink_socket.te
> > > > b/policy/test_netlink_socket.te
> > > > index c852c04..aaa6e4d 100644
> > > > --- a/policy/test_netlink_socket.te
> > > > +++ b/policy/test_netlink_socket.te
> > > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket)
> > > >  netlink_socket_test(netlink_netfilter_socket)
> > > >  netlink_socket_test(netlink_generic_socket)
> > > >  netlink_socket_test(netlink_crypto_socket)
> > > > +netlink_socket_test(netlink_route_socket)
> > > > +netlink_socket_test(netlink_xfrm_socket)
> > > > +netlink_socket_test(netlink_selinux_socket)
> > > > +netlink_socket_test(netlink_audit_socket)
> > > > +netlink_socket_test(netlink_kobject_uevent_socket)
> > > > +netlink_socket_test(netlink_connector_socket)
> > > > +netlink_socket_test(netlink_scsitransport_socket)
> > > > +netlink_socket_test(netlink_fib_lookup_socket)
> > > >  
> > > >  #
> > > >  # Common rules for all netlink socket class test domains.
> > > > diff --git a/tests/netlink_socket/test
> > > > b/tests/netlink_socket/test
> > > > index 487edbc..cc8c2d4 100755
> > > > --- a/tests/netlink_socket/test
> > > > +++ b/tests/netlink_socket/test
> > > > @@ -1,7 +1,7 @@
> > > >  #!/usr/bin/perl
> > > >  
> > > >  use Test;
> > > > -BEGIN { plan tests => 8 }
> > > > +BEGIN { plan tests => 24 }
> > > >  
> > > >  $basedir = $0;
> > > >  $basedir =~ s|(.*)/[^/]*|$1|;
> > > > @@ -53,3 +53,100 @@ $result = system(
> > > >  "runcon -t test_no_netlink_crypto_socket_t --
> > > > $basedir/netlinkcreate
> > > > crypto 2>&1"
> > > >  );
> > > >  ok($result);
> > > > +
> > > > +# Verify that test_netlink_route_socket_t can create a
> > > > NETLINK_ROUTE
> > > > socket.
> > > > +$result = system(
> > > > +"runcon -t test_netlink_route_socket_t -- $basedir/netlinkcreate
> > > > route 2>&1"
> > > > +);
> > > > +ok( $result, 0 );
> > > > +
> > > > +# Verify that test_no_netlink_route_socket_t cannot create a
> > > > NETLINK_ROUTE socket.
> > > > +$result = system(
> > > > +"runcon -t test_no_netlink_route_socket_t --
> > > > $basedir/netlinkcreate
> > > > route 2>&1"
> > > > +);
> > > > +ok($result);
> > > > +
> > > > +# Verify that test_netlink_xfrm_socket_t can create a
> > > > NETLINK_XFRM
> > > > socket.
> > > > +$result = system(
> > > > +"runcon -t test_netlink_xfrm_socket_t -- $basedir/netlinkcreate
> > > > xfrm
> > > > 2>&1"
> > > > +);
> > > > +ok( $result, 0 );
> > > > +
> > > > +# Verify that test_no_netlink_xfrm_socket_t cannot create a
> > > > NETLINK_XFRM socket.
> > > > +$result = system(
> > > > +"runcon -t test_no_netlink_xfrm_socket_t --
> > > > $basedir/netlinkcreate
> > > > xfrm 2>&1"
> > > > +);
> > > > +ok($result);
> > > > +
> > > > +# Verify that test_netlink_selinux_socket_t can create a
> > > > NETLINK_SELINUX socket.
> > > > +$result = system(
> > > > +"runcon -t test_netlink_selinux_socket_t --
> > > > $basedir/netlinkcreate
> > > > selinux 2>&1"
> > > > +);
> > > > +ok( $result, 0 );
> > > > +
> > > > +# Verify that test_no_netlink_selinux_socket_t cannot create a
> > > > NETLINK_SELINUX socket.
> > > > +$result = system(
> > > > +"runcon -t test_no_netlink_selinux_socket_t --
> > > > $basedir/netlinkcreate selinux 2>&1"
> > > > +);
> > > > +ok($result);
> > > > +
> > > > +# Verify that test_netlink_audit_socket_t can create a
> > > > NETLINK_AUDIT
> > > > socket.
> > > > +$result = system(
> > > > +"runcon -t test_netlink_audit_socket_t -- $basedir/netlinkcreate
> > > > audit 2>&1"
> > > > +);
> > > > +ok( $result, 0 );
> > > > +
> > > > +# Verify that test_no_netlink_audit_socket_t cannot create a
> > > > NETLINK_AUDIT socket.
> > > > +$result = system(
> > > > +"runcon -t test_no_netlink_audit_socket_t --
> > > > $basedir/netlinkcreate
> > > > audit 2>&1"
> > > > +);
> > > > +ok($result);
> > > > +
> > > > +# Verify that test_netlink_kobject_uevent_socket_t can create a
> > > > NETLINK_KOBJECT_UEVENT socket.
> > > > +$result = system(
> > > > +"runcon -t test_netlink_kobject_uevent_socket_t --
> > > > $basedir/netlinkcreate kobject_uevent 2>&1"
> > > > +);
> > > > +ok( $result, 0 );
> > > > +
> > > > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot
> > > > create
> > > > a NETLINK_KOBJECT_UEVENT socket.
> > > > +$result = system(
> > > > +"runcon -t test_no_netlink_kobject_uevent_socket_t --
> > > > $basedir/netlinkcreate kobject_uevent 2>&1"
> > > > +);
> > > > +ok($result);
> > > > +
> > > > +# Verify that test_netlink_connector_socket_t can create a
> > > > NETLINK_CONNECTOR socket.
> > > > +$result = system(
> > > > +"runcon -t test_netlink_connector_socket_t --
> > > > $basedir/netlinkcreate
> > > > connector 2>&1"
> > > > +);
> > > > +ok( $result, 0 );
> > > > +
> > > > +# Verify that test_no_netlink_connector_socket_t cannot create a
> > > > NETLINK_CONNECTOR socket.
> > > > +$result = system(
> > > > +"runcon -t test_no_netlink_connector_socket_t --
> > > > $basedir/netlinkcreate connector 2>&1"
> > > > +);
> > > > +ok($result);
> > > > +
> > > > +# Verify that test_netlink_scsitransport_socket_t can create a
> > > > NETLINK_SCSITRANSPORT socket.
> > > > +$result = system(
> > > > +"runcon -t test_netlink_scsitransport_socket_t --
> > > > $basedir/netlinkcreate scsitransport 2>&1"
> > > > +);
> > > > +ok( $result, 0 );
> > > > +
> > > > +# Verify that test_no_netlink_scsitransport_socket_t cannot
> > > > create a
> > > > NETLINK_SCSITRANSPORT socket.
> > > > +$result = system(
> > > > +"runcon -t test_no_netlink_scsitransport_socket_t --
> > > > $basedir/netlinkcreate scsitransport 2>&1"
> > > > +);
> > > > +ok($result);
> > > > +
> > > > +# Verify that test_netlink_fib_lookup_socket_t can create a
> > > > NETLINK_FIB_LOOKUP socket.
> > > > +$result = system(
> > > > +"runcon -t test_netlink_fib_lookup_socket_t --
> > > > $basedir/netlinkcreate fib_lookup 2>&1"
> > > > +);
> > > > +ok( $result, 0 );
> > > > +
> > > > +# Verify that test_no_netlink_fib_lookup_socket_t cannot create
> > > > a
> > > > NETLINK_FIB_LOOKUP socket.
> > > > +$result = system(
> > > > +"runcon -t test_no_netlink_fib_lookup_socket_t --
> > > > $basedir/netlinkcreate fib_lookup 2>&1"
> > > > +);
> > > > +ok($result);
> > > > +
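Review bot: The sixteen added stanzas differ only in the class name (route, xfrm, selinux, audit, kobject_uevent, connector, scsitransport, fib_lookup), and the comment, the runcon type and the netlinkcreate argument all have to be kept in step by hand in each copy. A loop over that list of names that builds `test_netlink_${name}_socket_t` and `test_no_netlink_${name}_socket_t` would replace the copies, and would also make it straightforward to enable a subset of classes per release.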
> > 
> > 
> 


* Re: [PATCH] Additional tests for long-time supported netlink classes
  2017-07-14 16:09       ` Milos Malik
@ 2017-07-14 16:36         ` Stephen Smalley
  0 siblings, 0 replies; 9+ messages in thread
From: Stephen Smalley @ 2017-07-14 16:36 UTC (permalink / raw)
  To: Milos Malik; +Cc: selinux

On Fri, 2017-07-14 at 12:09 -0400, Milos Malik wrote:
> I'm sorry I did have a newer kernel (4.*) on my RHEL-7.3 testing
> machine.
> 
> The netlink tests from the selinux-testsuite fail on a freshly
> installed RHEL-7.3
>  machine (kernel = 3.10.0-514.el7.x86_64).

Ok, so we are seeing consistent results.  I think however that the
tests you are adding would work on RHEL7 (and earlier), unlike the
existing ones, because those classes have been defined for a long time.

>  
> 
> Milos Malik
> 
> ----- Original Message -----
> > On Fri, 2017-07-14 at 03:44 -0400, Milos Malik wrote:
> > > All of the netlink classes currently tested by the selinux-
> > > testsuite
> > > + classes
> > > tested by the attached patch are supported (at the same time by
> > > the
> > > kernel
> > > and by the policy) on RHEL-7.3.
> > 
> > Are you sure?  What kernel did you use?  When I tried, they all
> > failed
> > on 7.3, which is why I disabled them in tests/Makefile for RHEL7.
> > 
> > I don't know if we care about distinguishing at the granularity of
> > point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to
> > ensure that the testsuite will pass on the latest release of RHEL7.
> > 
> > > 
> > > Unfortunately, selinux-policy for RHEL-6.9 and RHEL-7.2 does not
> > > recognize
> > > following classes:
> > > netlink_connector_socket, netlink_crypto_socket,
> > > netlink_fib_lookup_socket,
> > > netlink_generic_socket, netlink_iscsi_socket,
> > > netlink_netfilter_socket,
> > > netlink_rdma_socket, netlink_scsitransport_socket.
> > > 
> > > Based on my RHEL-7.3 and RHEL-7.4 test results, the netlink tests
> > > can
> > > be safely executed on RHEL-7.3 and higher.
> > > 
> > > You're right about splitting the netlink tests into at least 2
> > > subsets:
> > > RHEL<7.3 (which also covers RHEL-6) and RHEL>=7.3. I will take a
> > > look
> > > at the commits you provided and let you know.
> > > 
> > > Milos Malik
> > > 
> > > ----- Original Message -----
> > > > On Thu, 2017-07-13 at 13:08 +0200, Milos Malik wrote:
> > > > > This patch contains tests for classes which are already
> > > > > supported
> > > > > for
> > > > > a
> > > > > long time but are not tested by the selinux-testsuite yet.
> > > > > These
> > > > > tests
> > > > > involve classes like: netlink_route_socket,
> > > > > netlink_xfrm_socket,
> > > > > netlink_selinux_socket, netlink_audit_socket,
> > > > > netlink_kobject_uevent_socket, netlink_connector_socket,
> > > > > netlink_scsitransport_socket, netlink_fib_lookup_socket.
> > > > 
> > > > These look fine (aside from a whitespace issue which git am
> > > > complained
> > > > about) and ran successfully for me on Fedora, but I did have
> > > > one
> > > > question:
> > > > 
> > > > policy/Makefile and tests/Makefile only enable the
> > > > netlink_socket
> > > > tests
> > > > if the new netlink socket classes are defined by the base
> > > > policy,
> > > > and
> > > > tests/Makefile further excludes them from running on RHEL7
> > > > because
> > > > RHEL7.3 back-ported the policy change defining the new classes
> > > > but
> > > > not
> > > > the kernel support.  In contrast, the tests you are adding
> > > > could be
> > > > run
> > > > on RHEL7 (and earlier).  If we want them to be run on RHEL7 or
> > > > earlier,
> > > > then you need to split them into their own test policy and test
> > > > case
> > > > that can be separately enabled, or otherwise wrap the current
> > > > ones
> > > > to
> > > > allow use on RHEL7.  You can see examples in other test
> > > > policies
> > > > and
> > > > scripts of such conditional inclusion of subsets of the
> > > > tests/policies
> > > > (e.g. commit 32015aad4972321ba23611795b4f0479bf213943 or commit
> > > > b6e5e01a282582322185d67eb628569ac1a9f2dc). Do we want these to
> > > > be
> > > > tested on RHEL7 or earlier?
> > > > 
> > > > > 
> > > > > Signed-off-by: Milos Malik <mmalik@redhat.com>
> > > > > ---
> > > > >  policy/test_netlink_socket.te |  8 ++++
> > > > >  tests/netlink_socket/test     | 99
> > > > > ++++++++++++++++++++++++++++++++++++++++++-
> > > > >  2 files changed, 106 insertions(+), 1 deletion(-)
> > > > > 
> > > > > diff --git a/policy/test_netlink_socket.te
> > > > > b/policy/test_netlink_socket.te
> > > > > index c852c04..aaa6e4d 100644
> > > > > --- a/policy/test_netlink_socket.te
> > > > > +++ b/policy/test_netlink_socket.te
> > > > > @@ -40,6 +40,14 @@ netlink_socket_test(netlink_iscsi_socket)
> > > > >  netlink_socket_test(netlink_netfilter_socket)
> > > > >  netlink_socket_test(netlink_generic_socket)
> > > > >  netlink_socket_test(netlink_crypto_socket)
> > > > > +netlink_socket_test(netlink_route_socket)
> > > > > +netlink_socket_test(netlink_xfrm_socket)
> > > > > +netlink_socket_test(netlink_selinux_socket)
> > > > > +netlink_socket_test(netlink_audit_socket)
> > > > > +netlink_socket_test(netlink_kobject_uevent_socket)
> > > > > +netlink_socket_test(netlink_connector_socket)
> > > > > +netlink_socket_test(netlink_scsitransport_socket)
> > > > > +netlink_socket_test(netlink_fib_lookup_socket)
> > > > >  
> > > > >  #
> > > > >  # Common rules for all netlink socket class test domains.
> > > > > diff --git a/tests/netlink_socket/test
> > > > > b/tests/netlink_socket/test
> > > > > index 487edbc..cc8c2d4 100755
> > > > > --- a/tests/netlink_socket/test
> > > > > +++ b/tests/netlink_socket/test
> > > > > @@ -1,7 +1,7 @@
> > > > >  #!/usr/bin/perl
> > > > >  
> > > > >  use Test;
> > > > > -BEGIN { plan tests => 8 }
> > > > > +BEGIN { plan tests => 24 }
> > > > >  
> > > > >  $basedir = $0;
> > > > >  $basedir =~ s|(.*)/[^/]*|$1|;
> > > > > @@ -53,3 +53,100 @@ $result = system(
> > > > >  "runcon -t test_no_netlink_crypto_socket_t --
> > > > > $basedir/netlinkcreate
> > > > > crypto 2>&1"
> > > > >  );
> > > > >  ok($result);
> > > > > +
> > > > > +# Verify that test_netlink_route_socket_t can create a
> > > > > NETLINK_ROUTE
> > > > > socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_netlink_route_socket_t --
> > > > > $basedir/netlinkcreate
> > > > > route 2>&1"
> > > > > +);
> > > > > +ok( $result, 0 );
> > > > > +
> > > > > +# Verify that test_no_netlink_route_socket_t cannot create a
> > > > > NETLINK_ROUTE socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_no_netlink_route_socket_t --
> > > > > $basedir/netlinkcreate
> > > > > route 2>&1"
> > > > > +);
> > > > > +ok($result);
> > > > > +
> > > > > +# Verify that test_netlink_xfrm_socket_t can create a
> > > > > NETLINK_XFRM
> > > > > socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_netlink_xfrm_socket_t --
> > > > > $basedir/netlinkcreate
> > > > > xfrm
> > > > > 2>&1"
> > > > > +);
> > > > > +ok( $result, 0 );
> > > > > +
> > > > > +# Verify that test_no_netlink_xfrm_socket_t cannot create a
> > > > > NETLINK_XFRM socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_no_netlink_xfrm_socket_t --
> > > > > $basedir/netlinkcreate
> > > > > xfrm 2>&1"
> > > > > +);
> > > > > +ok($result);
> > > > > +
> > > > > +# Verify that test_netlink_selinux_socket_t can create a
> > > > > NETLINK_SELINUX socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_netlink_selinux_socket_t --
> > > > > $basedir/netlinkcreate
> > > > > selinux 2>&1"
> > > > > +);
> > > > > +ok( $result, 0 );
> > > > > +
> > > > > +# Verify that test_no_netlink_selinux_socket_t cannot create
> > > > > a
> > > > > NETLINK_SELINUX socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_no_netlink_selinux_socket_t --
> > > > > $basedir/netlinkcreate selinux 2>&1"
> > > > > +);
> > > > > +ok($result);
> > > > > +
> > > > > +# Verify that test_netlink_audit_socket_t can create a
> > > > > NETLINK_AUDIT
> > > > > socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_netlink_audit_socket_t --
> > > > > $basedir/netlinkcreate
> > > > > audit 2>&1"
> > > > > +);
> > > > > +ok( $result, 0 );
> > > > > +
> > > > > +# Verify that test_no_netlink_audit_socket_t cannot create a
> > > > > NETLINK_AUDIT socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_no_netlink_audit_socket_t --
> > > > > $basedir/netlinkcreate
> > > > > audit 2>&1"
> > > > > +);
> > > > > +ok($result);
> > > > > +
> > > > > +# Verify that test_netlink_kobject_uevent_socket_t can
> > > > > create a
> > > > > NETLINK_KOBJECT_UEVENT socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_netlink_kobject_uevent_socket_t --
> > > > > $basedir/netlinkcreate kobject_uevent 2>&1"
> > > > > +);
> > > > > +ok( $result, 0 );
> > > > > +
> > > > > +# Verify that test_no_netlink_kobject_uevent_socket_t cannot
> > > > > create
> > > > > a NETLINK_KOBJECT_UEVENT socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_no_netlink_kobject_uevent_socket_t --
> > > > > $basedir/netlinkcreate kobject_uevent 2>&1"
> > > > > +);
> > > > > +ok($result);
> > > > > +
> > > > > +# Verify that test_netlink_connector_socket_t can create a
> > > > > NETLINK_CONNECTOR socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_netlink_connector_socket_t --
> > > > > $basedir/netlinkcreate
> > > > > connector 2>&1"
> > > > > +);
> > > > > +ok( $result, 0 );
> > > > > +
> > > > > +# Verify that test_no_netlink_connector_socket_t cannot
> > > > > create a
> > > > > NETLINK_CONNECTOR socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_no_netlink_connector_socket_t --
> > > > > $basedir/netlinkcreate connector 2>&1"
> > > > > +);
> > > > > +ok($result);
> > > > > +
> > > > > +# Verify that test_netlink_scsitransport_socket_t can create
> > > > > a
> > > > > NETLINK_SCSITRANSPORT socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_netlink_scsitransport_socket_t --
> > > > > $basedir/netlinkcreate scsitransport 2>&1"
> > > > > +);
> > > > > +ok( $result, 0 );
> > > > > +
> > > > > +# Verify that test_no_netlink_scsitransport_socket_t cannot
> > > > > create a
> > > > > NETLINK_SCSITRANSPORT socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_no_netlink_scsitransport_socket_t --
> > > > > $basedir/netlinkcreate scsitransport 2>&1"
> > > > > +);
> > > > > +ok($result);
> > > > > +
> > > > > +# Verify that test_netlink_fib_lookup_socket_t can create a
> > > > > NETLINK_FIB_LOOKUP socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_netlink_fib_lookup_socket_t --
> > > > > $basedir/netlinkcreate fib_lookup 2>&1"
> > > > > +);
> > > > > +ok( $result, 0 );
> > > > > +
> > > > > +# Verify that test_no_netlink_fib_lookup_socket_t cannot
> > > > > create
> > > > > a
> > > > > NETLINK_FIB_LOOKUP socket.
> > > > > +$result = system(
> > > > > +"runcon -t test_no_netlink_fib_lookup_socket_t --
> > > > > $basedir/netlinkcreate fib_lookup 2>&1"
> > > > > +);
> > > > > +ok($result);
> > > > > +
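Review bot: The added system() calls pass a single interpolated string, so `$basedir` (taken from `$0` at the top of the script) reaches the shell unquoted, and a checkout path containing spaces or shell metacharacters will break or alter every one of these commands. Quote the path inside the string, or use the list form of system() and handle the `2>&1` redirection separately.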
> > > 
> > > 


* Re: [PATCH] Additional tests for long-time supported netlink classes
  2017-07-14 14:53     ` Stephen Smalley
  2017-07-14 16:09       ` Milos Malik
@ 2017-07-14 21:57       ` Paul Moore
  1 sibling, 0 replies; 9+ messages in thread
From: Paul Moore @ 2017-07-14 21:57 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Milos Malik, selinux

On Fri, Jul 14, 2017 at 10:53 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> I don't know if we care about distinguishing at the granularity of
> point releases of RHEL7 (e.g. RHEL7.2 vs RHEL7.3); we just want to
> ensure that the testsuite will pass on the latest release of RHEL7.

I think this is the right way to go about it the way the tests
currently work.  At some point we will probably want to provide some
better infrastructure for specifying different minor releases or
kernel revisions, but right now sticking with the latest minor release
seems reasonable.

-- 
paul moore
www.paul-moore.com


Thread overview: 9+ messages
2017-07-13 11:08 [PATCH] Additional tests for long-time supported netlink classes Milos Malik
2017-07-13 16:53 ` Stephen Smalley
2017-07-13 17:35   ` Stephen Smalley
2017-07-13 20:59     ` Paul Moore
2017-07-14  7:44   ` Milos Malik
2017-07-14 14:53     ` Stephen Smalley
2017-07-14 16:09       ` Milos Malik
2017-07-14 16:36         ` Stephen Smalley
2017-07-14 21:57       ` Paul Moore