Message ID | 20220729120229.207584-12-omosnace@redhat.com
---|---
State | Superseded
Delegated to | Ondrej Mosnáček
Series | Clean up testsuite policy and support running as sysadm_t
On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote: > That should allow running selinux-testsuite with the sysadm module > disabled. > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > policy/test_global.te | 26 ++++++++++++++------------ > 1 file changed, 14 insertions(+), 12 deletions(-) > > diff --git a/policy/test_global.te b/policy/test_global.te > index aceac48..3862ee7 100644 > --- a/policy/test_global.te > +++ b/policy/test_global.te > @@ -25,12 +25,21 @@ optional_policy(` > dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh }; > ') > > -gen_require(` > - role sysadm_r; > -') > +optional_policy(` > + gen_require(` > + role sysadm_r; > + ') > + > + # Authorize sysadm_r for the test domains. > + role sysadm_r types testsuite_domain; > > -# Authorize sysadm_r for the test domains. > -role sysadm_r types testsuite_domain; > + # Allow the test domain to be entered from sysadm_t > + sysadm_entry_spec_domtrans_to(testsuite_domain) > + > + # Let sysadm_t use runcon to run the test programs in various domains. > + #allow sysadm_t self:process setexec; > + #selinux_get_fs_mount(sysadm_t) > +') These commented out rules can probably just be removed entirely instead of being moved into the optional block? -Daniel > > # Allow the test domains to access the sysadm terminal. > # This allows read and write sysadm ttys and ptys. 
> @@ -40,17 +49,10 @@ term_use_all_terms(testsuite_domain) > allow testsuite_domain init_t:fd use; > allow testsuite_domain initrc_t:fd use; > > -# Allow the test domain to be entered from sysadm_t > -sysadm_entry_spec_domtrans_to(testsuite_domain) > - > # Allow the test domains to access the test directory and files > # even if they are not root owned. > allow testsuite_domain self:capability { dac_override dac_read_search }; > > -# Let sysadm_t use runcon to run the test programs in various domains. > -#allow sysadm_t self:process setexec; > -#selinux_get_fs_mount(sysadm_t) > - > # Let all test domains read test directories and files and to use test > # files as entry points. > miscfiles_read_test_files(testsuite_domain)
On Tue, Aug 2, 2022 at 4:03 PM Daniel Burgener <dburgener@linux.microsoft.com> wrote: > On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote: > > That should allow running selinux-testsuite with the sysadm module > > disabled. > > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > --- > > policy/test_global.te | 26 ++++++++++++++------------ > > 1 file changed, 14 insertions(+), 12 deletions(-) > > > > diff --git a/policy/test_global.te b/policy/test_global.te > > index aceac48..3862ee7 100644 > > --- a/policy/test_global.te > > +++ b/policy/test_global.te > > @@ -25,12 +25,21 @@ optional_policy(` > > dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh }; > > ') > > > > -gen_require(` > > - role sysadm_r; > > -') > > +optional_policy(` > > + gen_require(` > > + role sysadm_r; > > + ') > > + > > + # Authorize sysadm_r for the test domains. > > + role sysadm_r types testsuite_domain; > > > > -# Authorize sysadm_r for the test domains. > > -role sysadm_r types testsuite_domain; > > + # Allow the test domain to be entered from sysadm_t > > + sysadm_entry_spec_domtrans_to(testsuite_domain) > > + > > + # Let sysadm_t use runcon to run the test programs in various domains. > > + #allow sysadm_t self:process setexec; > > + #selinux_get_fs_mount(sysadm_t) > > +') > > These commented out rules can probably just be removed entirely instead > of being moved into the optional block? Probably, but I didn't want to think about it and just preserved the fossils :) I'll take a closer look and possibly remove them in a separate commit. -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
diff --git a/policy/test_global.te b/policy/test_global.te index aceac48..3862ee7 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -25,12 +25,21 @@ optional_policy(` dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh }; ') -gen_require(` - role sysadm_r; -') +optional_policy(` + gen_require(` + role sysadm_r; + ') + + # Authorize sysadm_r for the test domains. + role sysadm_r types testsuite_domain; -# Authorize sysadm_r for the test domains. -role sysadm_r types testsuite_domain; + # Allow the test domain to be entered from sysadm_t + sysadm_entry_spec_domtrans_to(testsuite_domain) + + # Let sysadm_t use runcon to run the test programs in various domains. + #allow sysadm_t self:process setexec; + #selinux_get_fs_mount(sysadm_t) +') # Allow the test domains to access the sysadm terminal. # This allows read and write sysadm ttys and ptys. @@ -40,17 +49,10 @@ term_use_all_terms(testsuite_domain) allow testsuite_domain init_t:fd use; allow testsuite_domain initrc_t:fd use; -# Allow the test domain to be entered from sysadm_t -sysadm_entry_spec_domtrans_to(testsuite_domain) - # Allow the test domains to access the test directory and files # even if they are not root owned. allow testsuite_domain self:capability { dac_override dac_read_search }; -# Let sysadm_t use runcon to run the test programs in various domains. -#allow sysadm_t self:process setexec; -#selinux_get_fs_mount(sysadm_t) - # Let all test domains read test directories and files and to use test # files as entry points. miscfiles_read_test_files(testsuite_domain)
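Review bot: the new optional_policy block in the first hunk (@@ -25,12 +25,21 @@) has no comment saying why it is optional; the rationale, letting the testsuite policy build with the sysadm module disabled, lives only in the commit message. Suggest a one-line comment above the block, e.g. `# Only active when the sysadm module is loaded.` so a later reader does not hoist `role sysadm_r types testsuite_domain;` back out of it. Separately, as Daniel already noted, the two commented-out lines `#allow sysadm_t self:process setexec;` and `#selinux_get_fs_mount(sysadm_t)` are dead text and can simply be dropped instead of being re-indented into the block.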
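Review bot: the second hunk (@@ -40,17 +49,10 @@) is a pure removal mirroring the additions in the first hunk, but the comment just above the `term_use_all_terms(testsuite_domain)` context line still reads "access the sysadm terminal ... read and write sysadm ttys and ptys" while that rule deliberately stays outside the new optional block. Reword it (e.g. `# Allow the test domains to use all terminals (ttys and ptys).`) so the remaining mention of sysadm does not look like a leftover that should have moved too.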
That should allow running selinux-testsuite with the sysadm module disabled. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- policy/test_global.te | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-)