2023-02-28 17:01:37

by Paul Moore

Subject: Re: [PATCH testsuite 2/3] policy: allow test_ibpkey_access_t to use RDMA netlink sockets

On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <[email protected]> wrote:
>
> ibv_get_device_list(3) first tries to get the device list via netlink
> and if that fails it falls back to getting it from sysfs. Currently the
> policy denies getting it from netlink, generating some denials. Allow
> test_ibpkey_access_t the necessary permissions so it can do it the
> preferred way and doesn't generate audit AVC noise.
>
> Signed-off-by: Ondrej Mosnacek <[email protected]>
> ---
> policy/test_ibpkey.te | 1 +
> 1 file changed, 1 insertion(+)

Similar to the other policy issue, it seems like this is a general
problem and not specifically a selinux-testsuite issue, right? If
that is the case should we fix this in refpol? I think it's okay to
put a temporary fix in the test suite, but we should also push to fix
this in refpol.

> diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te
> index 97f0c3c..6835897 100644
> --- a/policy/test_ibpkey.te
> +++ b/policy/test_ibpkey.te
> @@ -11,6 +11,7 @@ testsuite_domain_type(test_ibpkey_access_t)
> typeattribute test_ibpkey_access_t ibpkeydomain;
>
> allow test_ibpkey_access_t self:capability ipc_lock;
> +allow test_ibpkey_access_t self:netlink_rdma_socket create_socket_perms;
>
> dev_rw_infiniband_dev(test_ibpkey_access_t)
> dev_rw_sysfs(test_ibpkey_access_t)
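Review bot: The added `allow test_ibpkey_access_t self:netlink_rdma_socket create_socket_perms;` rule is not backed by the AVC denials the commit message mentions, so a reviewer cannot confirm that `create_socket_perms` is the set actually needed for the netlink device enumeration rather than a narrower one; suggest quoting the denied `netlink_rdma_socket` AVC lines in the commit message. Since the same need applies to every caller of ibv_get_device_list(3) and not just this test domain (the point raised above about refpol), consider carrying the rule alongside the existing `dev_rw_infiniband_dev(test_ibpkey_access_t)` grant in the refpolicy interface that covers infiniband device access, with the test-suite rule kept only as the temporary local fix.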
> --
> 2.39.2

--
paul-moore.com


2023-03-01 15:26:24

by Ondrej Mosnacek

Subject: Re: [PATCH testsuite 2/3] policy: allow test_ibpkey_access_t to use RDMA netlink sockets

On Tue, Feb 28, 2023 at 6:01 PM Paul Moore <[email protected]> wrote:
> On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <[email protected]> wrote:
> >
> > ibv_get_device_list(3) first tries to get the device list via netlink
> > and if that fails it falls back to getting it from sysfs. Currently the
> > policy denies getting it from netlink, generating some denials. Allow
> > test_ibpkey_access_t the necessary permissions so it can do it the
> > preferred way and doesn't generate audit AVC noise.
> >
> > Signed-off-by: Ondrej Mosnacek <[email protected]>
> > ---
> > policy/test_ibpkey.te | 1 +
> > 1 file changed, 1 insertion(+)
>
> Similar to the other policy issue, it seems like this is a general
> problem and not specifically a selinux-testsuite issue, right? If
> that is the case should we fix this in refpol? I think it's okay to
> put a temporary fix in the test suite, but we should also push to fix
> this in refpol.

Basically the same as I said in the first paragraph of my reply under
patch 1 applies here, just in this case we are talking about users of
ibv_get_device_list(3) instead of ibv_create_cq(3).

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.


2023-03-01 18:50:11

by Paul Moore

Subject: Re: [PATCH testsuite 2/3] policy: allow test_ibpkey_access_t to use RDMA netlink sockets

On Wed, Mar 1, 2023 at 10:25 AM Ondrej Mosnacek <[email protected]> wrote:
> On Tue, Feb 28, 2023 at 6:01 PM Paul Moore <[email protected]> wrote:
> > On Tue, Feb 28, 2023 at 9:13 AM Ondrej Mosnacek <[email protected]> wrote:
> > >
> > > ibv_get_device_list(3) first tries to get the device list via netlink
> > > and if that fails it falls back to getting it from sysfs. Currently the
> > > policy denies getting it from netlink, generating some denials. Allow
> > > test_ibpkey_access_t the necessary permissions so it can do it the
> > > preferred way and doesn't generate audit AVC noise.
> > >
> > > Signed-off-by: Ondrej Mosnacek <[email protected]>
> > > ---
> > > policy/test_ibpkey.te | 1 +
> > > 1 file changed, 1 insertion(+)
> >
> > Similar to the other policy issue, it seems like this is a general
> > problem and not specifically a selinux-testsuite issue, right? If
> > that is the case should we fix this in refpol? I think it's okay to
> > put a temporary fix in the test suite, but we should also push to fix
> > this in refpol.
>
> Basically the same as I said in the first paragraph of my reply under
> patch 1 applies here, just in this case we are talking about users of
> ibv_get_device_list(3) instead of ibv_create_cq(3).

Yeah, let's just tackle this in the other thread, at this point it's a
bit silly to duplicate the discussion.

--
paul-moore.com