Message ID | 20200508154138.24217-8-stephen.smalley.work@gmail.com (mailing list archive)
---|---
State | Changes Requested
Series | Update to work on Debian
On Fri, May 8, 2020 at 5:42 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > refpolicy does not define an unconfined_devpts_t type instead > assigning user_devpts_t to unconfined ptys. Switch to using ptynode > in the test policy to provide compatibility across both refpolicy and > Fedora. ptynode is an attribute that includes all pty types. > > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> > --- > policy/test_policy.if | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/policy/test_policy.if b/policy/test_policy.if > index cefc8fb..f0400f5 100644 > --- a/policy/test_policy.if > +++ b/policy/test_policy.if > @@ -29,7 +29,7 @@ > interface(`unconfined_runs_test',` > gen_require(` > type unconfined_t; > - type unconfined_devpts_t; > + attribute ptynode; > role unconfined_r; > ') > > @@ -38,7 +38,7 @@ interface(`unconfined_runs_test',` > role unconfined_r types $1; > # Report back from the test domain to the caller. > allow $1 unconfined_t:fd use; > - allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr }; > + allow $1 ptynode:chr_file { read write ioctl getattr }; How about using term_use_all_ptys($1) instead? It allows a few extra permissions (open, append, lock), but it doesn't seem to influence the tests. It would allow us to remove the 'attribute ptynode' from the gen_require block. > allow $1 unconfined_t:fifo_file { read write ioctl getattr }; > allow $1 unconfined_t:process { sigchld }; > > -- > 2.23.1 > -- Ondrej Mosnacek <omosnace at redhat dot com> Software Engineer, Security Technologies Red Hat, Inc.
diff --git a/policy/test_policy.if b/policy/test_policy.if index cefc8fb..f0400f5 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if @@ -29,7 +29,7 @@ interface(`unconfined_runs_test',` gen_require(` type unconfined_t; - type unconfined_devpts_t; + attribute ptynode; role unconfined_r; ') @@ -38,7 +38,7 @@ interface(`unconfined_runs_test',` role unconfined_r types $1; # Report back from the test domain to the caller. allow $1 unconfined_t:fd use; - allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr }; + allow $1 ptynode:chr_file { read write ioctl getattr }; allow $1 unconfined_t:fifo_file { read write ioctl getattr }; allow $1 unconfined_t:process { sigchld };
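Review bot: the first hunk's `gen_require` switch from `type unconfined_devpts_t;` to `attribute ptynode;` is the correct declaration form for an attribute dependency and is what lets the interface resolve on refpolicy, which defines no `unconfined_devpts_t`. That require line exists only to serve the explicit `allow` in the second hunk, so if that rule is replaced by a call to a terminal interface, as the reply proposes, the `attribute ptynode;` line has to go in the same change or it is left as an unused dependency.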
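Review bot: in the second hunk, `allow $1 ptynode:chr_file { read write ioctl getattr };` grants the test domain access to every pty type carrying the attribute rather than only the unconfined pty type it replaces; that is a deliberately broader rule, which is acceptable for a test-only domain, but the commit message should say so rather than describing it purely as a compatibility change. Hand-listing the permissions also duplicates what the existing `term_use_all_ptys($1)` interface expresses (the reply notes it additionally grants open, append and lock, which the tests do not depend on), so calling that interface would state the intent directly and let the manual `gen_require` entry be dropped.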
refpolicy does not define an unconfined_devpts_t type, instead assigning user_devpts_t to unconfined ptys. Switch to using ptynode in the test policy to provide compatibility across both refpolicy and Fedora. ptynode is an attribute that includes all pty types.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_policy.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)