| Message ID | 20191217134414.25746-1-richard_c_haines@btinternet.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | selinux-testsuite: Fix policy to allow process { setfscreate } testing | expand |
On 12/17/19 8:44 AM, Richard Haines wrote: > The global test policy allows process { setfscreate } for all tests. > To specifically test this, need to remove it globally and update test > policy that rely on it (mkdir & mac_admin). > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > policy/test_global.te | 1 - > policy/test_mac_admin.te | 2 ++ > policy/test_mkdir.te | 2 ++ > 3 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/policy/test_global.te b/policy/test_global.te > index 90f9b65..97f51e4 100644 > --- a/policy/test_global.te > +++ b/policy/test_global.te > @@ -38,7 +38,6 @@ allow testdomain self:process setcurrent; > #domain_dyntrans_type(testdomain) > #selinux_get_fs_mount(testdomain) > allow testdomain self:process setexec; > -allow testdomain self:process setfscreate; > > # General permissions commonly required for test operation. > # general_domain_access > diff --git a/policy/test_mac_admin.te b/policy/test_mac_admin.te > index 579a017..790a731 100644 > --- a/policy/test_mac_admin.te > +++ b/policy/test_mac_admin.te > @@ -10,6 +10,7 @@ domain_type(test_mac_admin_t) > unconfined_runs_test(test_mac_admin_t) > typeattribute test_mac_admin_t mac_admintestdomain; > typeattribute test_mac_admin_t testdomain; > +allow test_mac_admin_t self:process { setfscreate }; > > # Relabeling a file to an undefined label remaps it to the unlabeled context, > # which may have a different SELinux user identity (e.g. system_u). > @@ -26,6 +27,7 @@ domain_type(test_no_mac_admin_t) > unconfined_runs_test(test_no_mac_admin_t) > typeattribute test_no_mac_admin_t mac_admintestdomain; > typeattribute test_no_mac_admin_t testdomain; > +allow test_no_mac_admin_t self:process { setfscreate }; > > # See above. > domain_obj_id_change_exemption(test_no_mac_admin_t) > diff --git a/policy/test_mkdir.te b/policy/test_mkdir.te > index 1410a96..a5ba9b1 100644 > --- a/policy/test_mkdir.te > +++ b/policy/test_mkdir.te > @@ -45,6 +45,7 @@ unconfined_runs_test(test_create_t) > typeattribute test_create_t test_mkdir_domain; > typeattribute test_create_t testdomain; > domain_obj_id_change_exemption(test_create_t) > +allow test_create_t self:process { setfscreate }; > allow test_create_t test_mkdir_dir_t:dir { search getattr write add_name }; > allow test_create_t test_create_dir_t:dir { search getattr write create }; > > @@ -56,6 +57,7 @@ unconfined_runs_test(test_nocreate_t) > typeattribute test_nocreate_t test_mkdir_domain; > typeattribute test_nocreate_t testdomain; > domain_obj_id_change_exemption(test_nocreate_t) > +allow test_nocreate_t self:process { setfscreate }; > allow test_nocreate_t test_mkdir_dir_t:dir { search getattr write add_name }; > allow test_nocreate_t test_create_dir_t:dir { search getattr }; > >
On 12/17/19 8:44 AM, Richard Haines wrote: > The global test policy allows process { setfscreate } for all tests. > To specifically test this, need to remove it globally and update test > policy that rely on it (mkdir & mac_admin). > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Thanks, applied. > --- > policy/test_global.te | 1 - > policy/test_mac_admin.te | 2 ++ > policy/test_mkdir.te | 2 ++ > 3 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/policy/test_global.te b/policy/test_global.te > index 90f9b65..97f51e4 100644 > --- a/policy/test_global.te > +++ b/policy/test_global.te > @@ -38,7 +38,6 @@ allow testdomain self:process setcurrent; > #domain_dyntrans_type(testdomain) > #selinux_get_fs_mount(testdomain) > allow testdomain self:process setexec; > -allow testdomain self:process setfscreate; > > # General permissions commonly required for test operation. > # general_domain_access > diff --git a/policy/test_mac_admin.te b/policy/test_mac_admin.te > index 579a017..790a731 100644 > --- a/policy/test_mac_admin.te > +++ b/policy/test_mac_admin.te > @@ -10,6 +10,7 @@ domain_type(test_mac_admin_t) > unconfined_runs_test(test_mac_admin_t) > typeattribute test_mac_admin_t mac_admintestdomain; > typeattribute test_mac_admin_t testdomain; > +allow test_mac_admin_t self:process { setfscreate }; > > # Relabeling a file to an undefined label remaps it to the unlabeled context, > # which may have a different SELinux user identity (e.g. system_u). > @@ -26,6 +27,7 @@ domain_type(test_no_mac_admin_t) > unconfined_runs_test(test_no_mac_admin_t) > typeattribute test_no_mac_admin_t mac_admintestdomain; > typeattribute test_no_mac_admin_t testdomain; > +allow test_no_mac_admin_t self:process { setfscreate }; > > # See above. > domain_obj_id_change_exemption(test_no_mac_admin_t) > diff --git a/policy/test_mkdir.te b/policy/test_mkdir.te > index 1410a96..a5ba9b1 100644 > --- a/policy/test_mkdir.te > +++ b/policy/test_mkdir.te > @@ -45,6 +45,7 @@ unconfined_runs_test(test_create_t) > typeattribute test_create_t test_mkdir_domain; > typeattribute test_create_t testdomain; > domain_obj_id_change_exemption(test_create_t) > +allow test_create_t self:process { setfscreate }; > allow test_create_t test_mkdir_dir_t:dir { search getattr write add_name }; > allow test_create_t test_create_dir_t:dir { search getattr write create }; > > @@ -56,6 +57,7 @@ unconfined_runs_test(test_nocreate_t) > typeattribute test_nocreate_t test_mkdir_domain; > typeattribute test_nocreate_t testdomain; > domain_obj_id_change_exemption(test_nocreate_t) > +allow test_nocreate_t self:process { setfscreate }; > allow test_nocreate_t test_mkdir_dir_t:dir { search getattr write add_name }; > allow test_nocreate_t test_create_dir_t:dir { search getattr }; > >
diff --git a/policy/test_global.te b/policy/test_global.te index 90f9b65..97f51e4 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -38,7 +38,6 @@ allow testdomain self:process setcurrent; #domain_dyntrans_type(testdomain) #selinux_get_fs_mount(testdomain) allow testdomain self:process setexec; -allow testdomain self:process setfscreate; # General permissions commonly required for test operation. # general_domain_access diff --git a/policy/test_mac_admin.te b/policy/test_mac_admin.te index 579a017..790a731 100644 --- a/policy/test_mac_admin.te +++ b/policy/test_mac_admin.te @@ -10,6 +10,7 @@ domain_type(test_mac_admin_t) unconfined_runs_test(test_mac_admin_t) typeattribute test_mac_admin_t mac_admintestdomain; typeattribute test_mac_admin_t testdomain; +allow test_mac_admin_t self:process { setfscreate }; # Relabeling a file to an undefined label remaps it to the unlabeled context, # which may have a different SELinux user identity (e.g. system_u). @@ -26,6 +27,7 @@ domain_type(test_no_mac_admin_t) unconfined_runs_test(test_no_mac_admin_t) typeattribute test_no_mac_admin_t mac_admintestdomain; typeattribute test_no_mac_admin_t testdomain; +allow test_no_mac_admin_t self:process { setfscreate }; # See above. domain_obj_id_change_exemption(test_no_mac_admin_t) diff --git a/policy/test_mkdir.te b/policy/test_mkdir.te index 1410a96..a5ba9b1 100644 --- a/policy/test_mkdir.te +++ b/policy/test_mkdir.te @@ -45,6 +45,7 @@ unconfined_runs_test(test_create_t) typeattribute test_create_t test_mkdir_domain; typeattribute test_create_t testdomain; domain_obj_id_change_exemption(test_create_t) +allow test_create_t self:process { setfscreate }; allow test_create_t test_mkdir_dir_t:dir { search getattr write add_name }; allow test_create_t test_create_dir_t:dir { search getattr write create }; @@ -56,6 +57,7 @@ unconfined_runs_test(test_nocreate_t) typeattribute test_nocreate_t test_mkdir_domain; typeattribute test_nocreate_t testdomain; domain_obj_id_change_exemption(test_nocreate_t) +allow test_nocreate_t self:process { setfscreate }; allow test_nocreate_t test_mkdir_dir_t:dir { search getattr write add_name }; allow test_nocreate_t test_create_dir_t:dir { search getattr };
The global test policy allows process { setfscreate } for all tests. To specifically test this, need to remove it globally and update test policy that rely on it (mkdir & mac_admin). Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> --- policy/test_global.te | 1 - policy/test_mac_admin.te | 2 ++ policy/test_mkdir.te | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-)