Message ID | 20240909090236.194250-1-omosnace@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Ondrej Mosnáček |
Series | [testsuite] policy/test_filesystem.te: fix policy for NFS over a symlinked directory |
On Mon, Sep 9, 2024 at 5:02 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > When the curret directory is a symlink to the actual selinux-testsuite s/curret/current/ > directory, running ./tools/nfs.sh would fail at nfs_filesystem/test due > to missing policy rules. Add the necessary rules so that it can pass > also in this scenario. > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Otherwise, Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> > --- > policy/test_filesystem.te | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te > index efe1f4d..f60b0c8 100644 > --- a/policy/test_filesystem.te > +++ b/policy/test_filesystem.te > @@ -31,6 +31,7 @@ allow test_filesystem_t test_file_t:dir { add_name mounton read write remove_nam > # Create test file > allow test_filesystem_t test_filesystem_file_t:dir { read add_name write search mounton }; > allow test_filesystem_t test_filesystem_file_t:file { open getattr create read write relabelfrom relabelto }; > +allow test_filesystem_t test_filesystem_file_t:lnk_file { read }; > > fs_mount_all_fs(test_filesystem_t) > fs_remount_all_fs(test_filesystem_t) > @@ -44,6 +45,7 @@ fs_getattr_xattr_fs(test_filesystem_t) > > # Required when running the tests on a labeled NFS mount. > fs_getattr_nfs(test_filesystem_t) > +fs_read_nfs_symlinks(test_filesystem_t) > > # Update quotas > fs_set_all_quotas(test_filesystem_t) > -- > 2.46.0 >
On Mon, Sep 9, 2024 at 4:57 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
>
> On Mon, Sep 9, 2024 at 5:02 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > When the curret directory is a symlink to the actual selinux-testsuite
>
> s/curret/current/
>
> > directory, running ./tools/nfs.sh would fail at nfs_filesystem/test due
> > to missing policy rules. Add the necessary rules so that it can pass
> > also in this scenario.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> Otherwise,
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Thanks, fixed and applied:
https://github.com/SELinuxProject/selinux-testsuite/commit/82cdcae9e3e8c506c37d900d497e94da70728799
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te index efe1f4d..f60b0c8 100644 --- a/policy/test_filesystem.te +++ b/policy/test_filesystem.te @@ -31,6 +31,7 @@ allow test_filesystem_t test_file_t:dir { add_name mounton read write remove_nam # Create test file allow test_filesystem_t test_filesystem_file_t:dir { read add_name write search mounton }; allow test_filesystem_t test_filesystem_file_t:file { open getattr create read write relabelfrom relabelto }; +allow test_filesystem_t test_filesystem_file_t:lnk_file { read }; fs_mount_all_fs(test_filesystem_t) fs_remount_all_fs(test_filesystem_t) @@ -44,6 +45,7 @@ fs_getattr_xattr_fs(test_filesystem_t) # Required when running the tests on a labeled NFS mount. fs_getattr_nfs(test_filesystem_t) +fs_read_nfs_symlinks(test_filesystem_t) # Update quotas fs_set_all_quotas(test_filesystem_t)
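Review bot: in the first hunk (@@ -31,6 +31,7 @@), the added rule "allow test_filesystem_t test_filesystem_file_t:lnk_file { read };" lands under the existing "# Create test file" comment, but it is unrelated to file creation; the commit message ties it to reaching the testsuite directory through a symlink. Give the rule its own comment naming that case, and say which symlink is expected to carry the test_filesystem_file_t label, since the rule only covers symlinks with that type and the visible lines do not show how the symlinked directory gets it.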
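Review bot: in the second hunk (@@ -44,6 +45,7 @@), "fs_read_nfs_symlinks(test_filesystem_t)" is documented only by the preceding comment "# Required when running the tests on a labeled NFS mount.", which describes every labeled-NFS run, while the commit message says the access is needed specifically when the current directory is a symlink to the testsuite directory. Extend that comment (or add one line above the new call) to name the symlinked-directory case, so the reason for granting symlink read on NFS to the test domain is recorded in the policy file and not only in the commit log.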
When the curret directory is a symlink to the actual selinux-testsuite
directory, running ./tools/nfs.sh would fail at nfs_filesystem/test due
to missing policy rules. Add the necessary rules so that it can pass
also in this scenario.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_filesystem.te | 2 ++
 1 file changed, 2 insertions(+)