selinux-testsuite: fix the inet_socket tests on older policy releases

Commit Message

Paul Moore June 11, 2018, 2:10 p.m. UTC

From: Paul Moore <paul@paul-moore.com>

Ensure that we apply MCS constraints to the test_inet_server_t domain,
this was causing test failures on RHEL-6.x based systems.

Thanks to Stephen Smalley and Lukas Vrabec for some off-list discussion
related to this problem and its solution.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 policy/test_inet_socket.te |   10 ++++++++++
 1 file changed, 10 insertions(+)

Patch

diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
index c25900b..428d28e 100644
--- a/policy/test_inet_socket.te
+++ b/policy/test_inet_socket.te
@@ -33,6 +33,16 @@  corenet_udp_bind_all_nodes(test_inet_server_t)
 corenet_inout_generic_if(test_inet_server_t)
 corenet_inout_generic_node(test_inet_server_t)
 
+# We need to ensure that the test domain is MCS constrained.
+## newer systems, e.g. Fedora and RHEL >= 7.x
+ifdef(`mcs_constrained', `
+	mcs_constrained(test_inet_server_t)
+')
+## older systems, e.g. RHEL == 6.x
+ifdef(`mcs_untrusted_proc', `
+	mcs_untrusted_proc(test_inet_server_t)
+')
+
 # Domain for client process.
 type test_inet_client_t;
 domain_type(test_inet_client_t)