From: Paul Moore
Date: Tue, 27 Aug 2019 13:24:31 -0400
Subject: Re: IB pkey policy problem found via the selinux-testsuite
To: selinux@vger.kernel.org, selinux-refpolicy@vger.kernel.org, Lukas Vrabec, Chris PeBenito
Cc: danielj@mellanox.com
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Thu, Feb 28, 2019 at 4:58 PM Paul Moore wrote:
> On Wed, Feb 13, 2019 at 4:35 PM Paul Moore wrote:
> > Hello all,
> >
> > On a fully up-to-date Rawhide system you need the following line added
> > to the policy/test_ibpkey.te file to get a clean run of the
> > selinux-testsuite:
> >
> >   allow test_ibpkey_access_t self:capability { ipc_lock };
> >
> > The breakage doesn't appear to be due to a kernel change (previously
> > working kernels now fail), or a Fedora Rawhide policy change (nothing
> > relevant changed since the last clean run), but I did notice that my
> > libibverbs package was updated just prior to the breakage.  I haven't
> > had the time to dig into the library code, but I expect that to be the
> > source of the problem.
>
> Just to be clear, I don't believe this breakage is limited to the test
> suite, I expect any users of the SELinux IB hooks will run into this
> problem.  I believe we need to update the upstream and distro
> policies.

A ping to bring this issue back to the top of the mailing list.

--
paul moore
www.paul-moore.com