| Message ID | 20220729120229.207584-1-omosnace@redhat.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Clean up testsuite policy and support running as sysadm_t | expand |
On Fri, Jul 29, 2022 at 2:02 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > This series aim for two things: > 1. Refactor the policy so that it is easier to work with. > 2. Leverage the refactoring to fully support running the testsuite > as sysadm_u:sysadm_r:sysadm_t. > > The gist of this work lies in unifying how test domains are defined, > deduplicating the various boilerplate spread out all across the > individual files (and not even used consistently), and in abstracting > the policy caller domain/role away from the individual test policies > into test_general.te. Some tests also had to be massaged to not > hard-code unconfined_* and be generic against the context of the > testsuite caller. > > The series also extends the CI to test running the testsuite as sysadm_* > and also verify that no unconfined_t/sysadm_t unexpected denials are > produced (which would usually indicate a missing dontaudit rule in the > testsuite policy). Lol, I got a bounce for patches 4 and 5 because they are too long :D Hopefully the list owners can approve them manually. If not, I'll submit this series as a GitHub PR and post a link here.
On Fri, Jul 29, 2022 at 2:27 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > On Fri, Jul 29, 2022 at 2:02 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > This series aim for two things: > > 1. Refactor the policy so that it is easier to work with. > > 2. Leverage the refactoring to fully support running the testsuite > > as sysadm_u:sysadm_r:sysadm_t. > > > > The gist of this work lies in unifying how test domains are defined, > > deduplicating the various boilerplate spread out all across the > > individual files (and not even used consistently), and in abstracting > > the policy caller domain/role away from the individual test policies > > into test_general.te. Some tests also had to be massaged to not > > hard-code unconfined_* and be generic against the context of the > > testsuite caller. > > > > The series also extends the CI to test running the testsuite as sysadm_* > > and also verify that no unconfined_t/sysadm_t unexpected denials are > > produced (which would usually indicate a missing dontaudit rule in the > > testsuite policy). > > Lol, I got a bounce for patches 4 and 5 because they are too long :D > Hopefully the list owners can approve them manually. If not, I'll > submit this series as a GitHub PR and post a link here. The patches are still not there, so opened a pull request: https://github.com/SELinuxProject/selinux-testsuite/pull/82 One can fetch the contents of the PR in the git-format-patch format through the following URL: https://github.com/SELinuxProject/selinux-testsuite/pull/82.patch
On Mon, Aug 1, 2022 at 10:02 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > On Fri, Jul 29, 2022 at 2:27 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > On Fri, Jul 29, 2022 at 2:02 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > > > This series aim for two things: > > > 1. Refactor the policy so that it is easier to work with. > > > 2. Leverage the refactoring to fully support running the testsuite > > > as sysadm_u:sysadm_r:sysadm_t. > > > > > > The gist of this work lies in unifying how test domains are defined, > > > deduplicating the various boilerplate spread out all across the > > > individual files (and not even used consistently), and in abstracting > > > the policy caller domain/role away from the individual test policies > > > into test_general.te. Some tests also had to be massaged to not > > > hard-code unconfined_* and be generic against the context of the > > > testsuite caller. > > > > > > The series also extends the CI to test running the testsuite as sysadm_* > > > and also verify that no unconfined_t/sysadm_t unexpected denials are > > > produced (which would usually indicate a missing dontaudit rule in the > > > testsuite policy). > > > > Lol, I got a bounce for patches 4 and 5 because they are too long :D > > Hopefully the list owners can approve them manually. If not, I'll > > submit this series as a GitHub PR and post a link here. > > The patches are still not there, so opened a pull request: > https://github.com/SELinuxProject/selinux-testsuite/pull/82 > > One can fetch the contents of the PR in the git-format-patch format > through the following URL: > https://github.com/SELinuxProject/selinux-testsuite/pull/82.patch This is just a note that I have merged the PR now.
This series aim for two things: 1. Refactor the policy so that it is easier to work with. 2. Leverage the refactoring to fully support running the testsuite as sysadm_u:sysadm_r:sysadm_t. The gist of this work lies in unifying how test domains are defined, deduplicating the various boilerplate spread out all across the individual files (and not even used consistently), and in abstracting the policy caller domain/role away from the individual test policies into test_general.te. Some tests also had to be massaged to not hard-code unconfined_* and be generic against the context of the testsuite caller. The series also extends the CI to test running the testsuite as sysadm_* and also verify that no unconfined_t/sysadm_t unexpected denials are produced (which would usually indicate a missing dontaudit rule in the testsuite policy). Ondrej Mosnacek (24): keys: change test_newcon_key_t to be just an object context test_global.te: remove unused role require test_global.te: don't add domains to system_r policy: refactor declaring test domains policy: get rid of unconfined_runs_test() test_policy.if: remove weird rule from testsuite_domain_type_minimal() policy: move unconfined_t-related dontaudit rule to where it fits better policy: move userdom_sysadm_entry_spec_domtrans_to() to general policy policy: move miscfiles_domain_entry_test_files() to general policy policy: substitute userdom_sysadm_entry_spec_domtrans_to() test_general.te: move sysadm-related rules into an optional block test_filesystem.te: remove redundant dontaudit rules test_filesystem.te: remove suspicious rules tests/nnp_nosuid: avoid hardcoding unconfined_t in the policy tests/*filesystem: remove weird uses of unconfined_t policy: remove last hardcoded references to unconfined_t test_general.te: generalize the dontaudit rule policy: don't audit testsuite programs searching the caller's keys ci: check for unconfined_t AVCs tests/binder: check only the type part of the context tests/overlay: don't hard-code SELinux user of the caller policy: give sysadm_t perms needed to run quotacheck(8) tests/vsock_socket: use modprobe to check vsock availability ci: add sysadm_t to the test matrix .github/workflows/checks.yml | 4 + Vagrantfile | 16 +++ policy/test_atsecure.te | 15 +-- policy/test_attrib.te | 1 - policy/test_binder.te | 38 ++----- policy/test_binder_bpf.te | 22 +--- policy/test_bounds.te | 11 +- policy/test_bpf.te | 30 +---- policy/test_cap_userns.te | 9 +- policy/test_capable_file.te | 18 +-- policy/test_capable_net.te | 8 +- policy/test_capable_sys.te | 8 +- policy/test_dyntrace.te | 14 +-- policy/test_dyntrans.te | 17 +-- policy/test_entrypoint.te | 5 +- policy/test_execshare.te | 16 +-- policy/test_exectrace.te | 16 +-- policy/test_execute_no_trans.te | 5 +- policy/test_extended_socket_class.te | 12 +- policy/test_fdreceive.te | 16 +-- policy/test_fdreceive_bpf.te | 16 +-- policy/test_file.te | 16 +-- policy/test_filesystem.te | 99 ++++------------- policy/test_filesystem_name_trans.te | 4 +- policy/test_filesystem_notify.te | 12 +- policy/test_global.te | 157 ++++++++++++++++++--------- policy/test_ibendport.te | 8 +- policy/test_ibpkey.te | 8 +- policy/test_inet_socket.te | 44 ++------ policy/test_inherit.te | 20 +--- policy/test_ioctl.te | 10 +- policy/test_ioctl_xperms.te | 8 +- policy/test_ipc.te | 18 +-- policy/test_key_socket.te | 26 +---- policy/test_keys.te | 104 ++++-------------- policy/test_link.te | 24 +--- policy/test_mac_admin.te | 9 +- policy/test_mkdir.te | 20 +--- policy/test_mmap.te | 79 ++++---------- policy/test_module_load.te | 47 ++------ policy/test_mqueue.te | 16 +-- policy/test_netlink_socket.te | 12 +- policy/test_nnp_nosuid.te | 46 ++++---- policy/test_notify.te | 35 ++---- policy/test_open.te | 16 +-- policy/test_overlayfs.te | 15 +-- policy/test_perf_event.te | 38 ++----- policy/test_policy.if | 71 ++++++------ policy/test_prlimit.te | 20 +--- policy/test_ptrace.te | 17 +-- policy/test_readlink.te | 8 +- policy/test_relabel.te | 12 +- policy/test_rename.te | 32 ++---- policy/test_rxdir.te | 8 +- policy/test_sctp.te | 52 ++------- policy/test_setattr.te | 8 +- policy/test_setnice.te | 13 +-- policy/test_sigkill.te | 22 +--- policy/test_stat.te | 8 +- policy/test_sysctl.te | 8 +- policy/test_task_create.te | 38 +------ policy/test_task_getpgid.te | 16 +-- policy/test_task_getsched.te | 16 +-- policy/test_task_getsid.te | 16 +-- policy/test_task_setpgid.te | 34 +----- policy/test_task_setsched.te | 16 +-- policy/test_transition.te | 15 +-- policy/test_tun_tap.te | 34 ++---- policy/test_unix_socket.te | 20 +--- policy/test_userfaultfd.te | 8 +- policy/test_vsock_socket.te | 12 +- policy/test_watchkey.te | 14 +-- tests/binder/binder_common.h | 1 + tests/binder/service_provider.c | 31 ++++-- tests/binder/test | 2 +- tests/filesystem/test | 4 +- tests/fs_filesystem/test | 4 +- tests/keys/test | 2 +- tests/nfs_filesystem/test | 4 +- tests/nnp_nosuid/test | 45 +++++--- tests/overlay/setup-overlay | 2 +- tests/overlay/test | 34 +++--- tests/vsock_socket/.gitignore | 1 - tests/vsock_socket/Makefile | 2 +- tests/vsock_socket/check_vsock.c | 47 -------- tests/vsock_socket/test | 11 +- 86 files changed, 550 insertions(+), 1346 deletions(-) delete mode 100644 tests/vsock_socket/check_vsock.c