Message ID | 20200512135602.32110-1-stephen.smalley.work@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Ondrej Mosnáček |
On Tue, May 12, 2020 at 3:56 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > refpolicy does not define an unconfined_devpts_t type instead > assigning user_devpts_t to unconfined ptys. Switch to using > the refpolicy term_use_all_ptys() interface in the test policy > to provide compatibility across both refpolicy and Fedora. > > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> > --- > v5 switches from direct use of ptynode to term_use_all_ptys(). > > policy/test_policy.if | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/policy/test_policy.if b/policy/test_policy.if > index cefc8fb..e3c01c8 100644 > --- a/policy/test_policy.if > +++ b/policy/test_policy.if > @@ -29,7 +29,6 @@ > interface(`unconfined_runs_test',` > gen_require(` > type unconfined_t; > - type unconfined_devpts_t; > role unconfined_r; > ') > > @@ -38,7 +37,7 @@ interface(`unconfined_runs_test',` > role unconfined_r types $1; > # Report back from the test domain to the caller. > allow $1 unconfined_t:fd use; > - allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr }; > + term_use_all_ptys($1) > allow $1 unconfined_t:fifo_file { read write ioctl getattr }; > allow $1 unconfined_t:process { sigchld }; > > -- > 2.23.3 > Acked-by: Ondrej Mosnacek <omosnace@redhat.com> Thanks!
diff --git a/policy/test_policy.if b/policy/test_policy.if index cefc8fb..e3c01c8 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if @@ -29,7 +29,6 @@ interface(`unconfined_runs_test',` gen_require(` type unconfined_t; - type unconfined_devpts_t; role unconfined_r; ') @@ -38,7 +37,7 @@ interface(`unconfined_runs_test',` role unconfined_r types $1; # Report back from the test domain to the caller. allow $1 unconfined_t:fd use; - allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr }; + term_use_all_ptys($1) allow $1 unconfined_t:fifo_file { read write ioctl getattr }; allow $1 unconfined_t:process { sigchld };
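Review bot: In the second hunk, at the term_use_all_ptys($1) line, the wider grant is not documented. The removed rule named one type and four permissions (read write ioctl getattr), while the replacement interface, going by its name, covers every pty type for each domain passed as $1. The existing comment "Report back from the test domain to the caller." does not say why the broader interface is needed. Consider adding a policy comment next to the call noting that refpolicy labels unconfined ptys user_devpts_t rather than unconfined_devpts_t, so a later reader does not narrow it back to a type that only exists on Fedora.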
refpolicy does not define an unconfined_devpts_t type instead assigning user_devpts_t to unconfined ptys. Switch to using the refpolicy term_use_all_ptys() interface in the test policy to provide compatibility across both refpolicy and Fedora.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
v5 switches from direct use of ptynode to term_use_all_ptys().

 policy/test_policy.if | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)