[v4,testsuite,04/15] test_global.te: allow test domains to statfs selinuxfs

Commit Message

Stephen Smalley May 8, 2020, 3:41 p.m. UTC

libselinux probes for the presence of selinuxfs on /sys/fs/selinux
via statfs(2); this is required for any operations that involve selinuxfs.
Fedora policy allows this to all domains in its base policy but refpolicy
and Debian do not, so explicitly allow it to allow the tests to work.
Otherwise various programs think SELinux is disabled and abort.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_global.te | 1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/policy/test_global.te b/policy/test_global.te
index c9520ec..d19b4be 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -83,6 +83,7 @@  domain_use_interactive_fds(testdomain)
 seutil_read_config(testdomain)
 
 # can getsecurity
+selinux_getattr_fs(testdomain)
 selinux_validate_context(testdomain)
 selinux_compute_access_vector(testdomain)
 selinux_compute_create_context(testdomain)