Message ID | 20190930104850.5482-2-omosnace@redhat.com (mailing list archive) |
---|---|
State | Changes Requested |
Headers | show |
Series | Fix refpolicy build & build test_policy.pp in Travis | expand |
On 9/30/19 6:48 AM, Ondrej Mosnacek wrote: > Use userdom_search_generic_user_home_dirs(), which is always defined, > and redefine it to match what overlayfs was doing (just in case), > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > policy/test_overlayfs.te | 6 ++---- > policy/test_policy.if | 9 +++++++-- > 2 files changed, 9 insertions(+), 6 deletions(-) > > diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te > index 6f1756e..f56ef78 100644 > --- a/policy/test_overlayfs.te > +++ b/policy/test_overlayfs.te > @@ -50,8 +50,7 @@ fs_mount_xattr_fs(test_overlay_mounter_t) > corecmd_shell_entry_type(test_overlay_mounter_t) > corecmd_exec_bin(test_overlay_mounter_t) > > -userdom_search_admin_dir(test_overlay_mounter_t) > -userdom_search_user_home_content(test_overlay_mounter_t) > +userdom_search_generic_user_home_dirs(test_overlay_mounter_t) > > mount_exec(test_overlay_mounter_t) > mount_rw_pid_files(test_overlay_mounter_t) > @@ -122,8 +121,7 @@ corecmd_exec_bin(test_overlay_client_t) > kernel_read_system_state(test_overlay_client_t) > kernel_read_proc_symlinks(test_overlay_client_t) > > -userdom_search_admin_dir(test_overlay_client_t) > -userdom_search_user_home_content(test_overlay_client_t) > +userdom_search_generic_user_home_dirs(test_overlay_client_t) > > fs_getattr_xattr_fs(test_overlay_client_t) > > diff --git a/policy/test_policy.if b/policy/test_policy.if > index 5f4000f..40e7499 100644 > --- a/policy/test_policy.if > +++ b/policy/test_policy.if 
> @@ -61,8 +61,13 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',` > ') > ') > > -ifdef(`userdom_search_generic_user_home_dirs', `', ` dnl > +ifdef(`userdom_search_admin_dir', ` dnl > interface(`userdom_search_generic_user_home_dirs', ` > - userdom_search_user_home_dirs($1) > + userdom_search_user_home_content($1) > + userdom_search_admin_dir($1) > +') > +', ` dnl > +interface(`userdom_search_generic_user_home_dirs', ` > + userdom_search_user_home_content($1) > ') > ')

Previously, if userdom_search_generic_user_home_dirs() was defined by the base policy (as it used to be), we would use that definition, else we would use userdom_search_user_home_dirs(). After, we will always redefine it, and the redefinition is more expansive than just search access to $HOME and its ancestors in the hierarchy. Might not affect the tests themselves but it seems a bit confusing.
On Mon, Sep 30, 2019 at 3:24 PM Stephen Smalley <sds@tycho.nsa.gov> wrote: > On 9/30/19 6:48 AM, Ondrej Mosnacek wrote: > > Use userdom_search_generic_user_home_dirs(), which is always defined, > > and redefine it to match what overlayfs was doing (just in case), > > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > --- > > policy/test_overlayfs.te | 6 ++---- > > policy/test_policy.if | 9 +++++++-- > > 2 files changed, 9 insertions(+), 6 deletions(-) > > > > diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te > > index 6f1756e..f56ef78 100644 > > --- a/policy/test_overlayfs.te > > +++ b/policy/test_overlayfs.te > > @@ -50,8 +50,7 @@ fs_mount_xattr_fs(test_overlay_mounter_t) > > corecmd_shell_entry_type(test_overlay_mounter_t) > > corecmd_exec_bin(test_overlay_mounter_t) > > > > -userdom_search_admin_dir(test_overlay_mounter_t) > > -userdom_search_user_home_content(test_overlay_mounter_t) > > +userdom_search_generic_user_home_dirs(test_overlay_mounter_t) > > > > mount_exec(test_overlay_mounter_t) > > mount_rw_pid_files(test_overlay_mounter_t) > > @@ -122,8 +121,7 @@ corecmd_exec_bin(test_overlay_client_t) > > kernel_read_system_state(test_overlay_client_t) > > kernel_read_proc_symlinks(test_overlay_client_t) > > > > -userdom_search_admin_dir(test_overlay_client_t) > > -userdom_search_user_home_content(test_overlay_client_t) > > +userdom_search_generic_user_home_dirs(test_overlay_client_t) > > > > fs_getattr_xattr_fs(test_overlay_client_t) > > > > diff --git a/policy/test_policy.if b/policy/test_policy.if > > index 5f4000f..40e7499 100644 > > --- a/policy/test_policy.if > > +++ b/policy/test_policy.if 
> > @@ -61,8 +61,13 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',` > > ') > > ') > > > > -ifdef(`userdom_search_generic_user_home_dirs', `', ` dnl > > +ifdef(`userdom_search_admin_dir', ` dnl > > interface(`userdom_search_generic_user_home_dirs', ` > > - userdom_search_user_home_dirs($1) > > + userdom_search_user_home_content($1) > > + userdom_search_admin_dir($1) > > +') > > +', ` dnl > > +interface(`userdom_search_generic_user_home_dirs', ` > > + userdom_search_user_home_content($1) > > ') > > ') > > Previously, if userdom_search_generic_user_home_dirs() was defined by > the base policy (as it used to be), we would use that definition, else > we would use userdom_search_user_home_dirs(). After, we will always > redefine it, and the redefinition is more expansive than just search > access to $HOME and its ancestors in the hierarchy. Might not affect > the tests themselves but it seems a bit confusing.

You're right, I'm mixing up the semantics too much. Let me see if I can handle this more nicely...

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te index 6f1756e..f56ef78 100644 --- a/policy/test_overlayfs.te +++ b/policy/test_overlayfs.te @@ -50,8 +50,7 @@ fs_mount_xattr_fs(test_overlay_mounter_t) corecmd_shell_entry_type(test_overlay_mounter_t) corecmd_exec_bin(test_overlay_mounter_t) -userdom_search_admin_dir(test_overlay_mounter_t) -userdom_search_user_home_content(test_overlay_mounter_t) +userdom_search_generic_user_home_dirs(test_overlay_mounter_t) mount_exec(test_overlay_mounter_t) mount_rw_pid_files(test_overlay_mounter_t) @@ -122,8 +121,7 @@ corecmd_exec_bin(test_overlay_client_t) kernel_read_system_state(test_overlay_client_t) kernel_read_proc_symlinks(test_overlay_client_t) -userdom_search_admin_dir(test_overlay_client_t) -userdom_search_user_home_content(test_overlay_client_t) +userdom_search_generic_user_home_dirs(test_overlay_client_t) fs_getattr_xattr_fs(test_overlay_client_t) diff --git a/policy/test_policy.if b/policy/test_policy.if index 5f4000f..40e7499 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if @@ -61,8 +61,13 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',` ') ') -ifdef(`userdom_search_generic_user_home_dirs', `', ` dnl +ifdef(`userdom_search_admin_dir', ` dnl interface(`userdom_search_generic_user_home_dirs', ` - userdom_search_user_home_dirs($1) + userdom_search_user_home_content($1) + userdom_search_admin_dir($1) +') +', ` dnl +interface(`userdom_search_generic_user_home_dirs', ` + userdom_search_user_home_content($1) ') ')
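Review bot: In the test_overlayfs.te hunk for test_overlay_mounter_t, the replacement of the two explicit calls (userdom_search_admin_dir and userdom_search_user_home_content) with userdom_search_generic_user_home_dirs is only equivalent on the ifdef branch of test_policy.if where userdom_search_admin_dir exists; on the fallback branch the mounter domain silently loses search access to the admin home directory with nothing at the call site saying so. A one-line comment next to the call, pointing at the local definition in test_policy.if and noting that admin-dir access is conditional, would keep the intent visible to whoever next touches this domain.

Review bot: The test_policy.if hunk drops the old guard `ifdef(`userdom_search_generic_user_home_dirs', `', ...)` and now defines userdom_search_generic_user_home_dirs unconditionally, so a base policy that still provides an interface of that name gets it shadowed by a local definition with different semantics (search of user home content plus the admin dir, instead of search of $HOME and its ancestors). The name then no longer describes what the interface grants. Either keep the existence check on the interface name, or give the local interface a test-specific name (for example a hypothetical test_overlay_search_home_dirs) so it cannot collide with or be mistaken for the userdomain interface; the commit message's "redefine it to match what overlayfs was doing" should also spell out that the match only holds when userdom_search_admin_dir is defined.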
Use userdom_search_generic_user_home_dirs(), which is always defined, and redefine it to match what overlayfs was doing (just in case),

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_overlayfs.te | 6 ++----
 policy/test_policy.if    | 9 +++++++--
 2 files changed, 9 insertions(+), 6 deletions(-)