[testsuite,15/24] tests/*filesystem: remove weird uses of unconfined_t

Commit Message

Ondrej Mosnacek July 29, 2022, 12:02 p.m. UTC

It seems more logical to drop the associate permission for test_file_t
from the *_no_associate_t domains and use test_file_t in the tests
instead of unconfined_t. This also fixes the tests as they weren't
testing the associate permission (as the comments say), but in fact they
were failing on the lack of relabelto unconfined_t permission instead.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/test_filesystem.te | 8 ++------
 tests/filesystem/test     | 4 ++--
 tests/fs_filesystem/test  | 4 ++--
 tests/nfs_filesystem/test | 4 ++--
 4 files changed, 8 insertions(+), 12 deletions(-)

Patch

diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index d8c5c51..59eac2b 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -356,16 +356,12 @@  allow test_filesystem_may_create_no_associate_t nfs_t:filesystem { associate };
 allow test_filesystem_may_create_no_associate_t test_file_t:dir { add_name };
 allow test_filesystem_may_create_no_associate_t test_file_t:file { create write relabelfrom };
 allow test_filesystem_may_create_no_associate_t test_filesystem_file_t:filesystem { mount unmount relabelto };
-allow test_file_t test_filesystem_may_create_no_associate_t:filesystem { associate };
-allow unconfined_t test_filesystem_may_create_no_associate_t:filesystem { getattr mount relabelto unmount };
-# neverallow unconfined_t test_filesystem_may_create_no_associate_t:filesystem { associate };
+# neverallow test_file_t test_filesystem_may_create_no_associate_t:filesystem { associate };
 
 allow test_filesystem_inode_setxattr_no_associate_t nfs_t:filesystem { associate };
 allow test_filesystem_inode_setxattr_no_associate_t test_file_t:dir { add_name };
 allow test_filesystem_inode_setxattr_no_associate_t test_file_t:file { create relabelfrom write };
-allow test_file_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate };
-allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem { getattr mount relabelfrom relabelto unmount };
-# neverallow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate };
+# neverallow test_file_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate };
 
 #
 ############### Rules for NFS mount ##################
diff --git a/tests/filesystem/test b/tests/filesystem/test
index c94deda..382923a 100755
--- a/tests/filesystem/test
+++ b/tests/filesystem/test
@@ -476,7 +476,7 @@  if ( not $nfs_enabled and not $vfat_enabled ) {
 
     print "Creating test file $basedir/mntpoint/mp1/test_file\n";
     $result = system(
-"runcon -t test_filesystem_may_create_no_associate_t $basedir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
+"runcon -t test_filesystem_may_create_no_associate_t $basedir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
     );
     ok( $result >> 8 eq 13 );    # EACCES
 
@@ -783,7 +783,7 @@  if ( not $nfs_enabled and not $vfat_enabled ) {
     ok( $result eq 0 );
 
     $result = system(
-"runcon -t test_filesystem_inode_setxattr_no_associate_t $basedir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
+"runcon -t test_filesystem_inode_setxattr_no_associate_t $basedir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
     );
     ok( $result >> 8 eq 13 );    # EACCES
 
diff --git a/tests/fs_filesystem/test b/tests/fs_filesystem/test
index e706e42..9917c41 100755
--- a/tests/fs_filesystem/test
+++ b/tests/fs_filesystem/test
@@ -504,7 +504,7 @@  if ( not $nfs_enabled and not $vfat_enabled ) {
 
     print "Creating test file $basedir/mntpoint/mp1/test_file\n";
     $result = system(
-"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
+"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
     );
     ok( $result >> 8 eq 13 );    # EACCES
 
@@ -813,7 +813,7 @@  if ( not $nfs_enabled and not $vfat_enabled ) {
     ok( $result eq 0 );
 
     $result = system(
-"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
+"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1"
     );
     ok( $result >> 8 eq 13 );    # EACCES
 
diff --git a/tests/nfs_filesystem/test b/tests/nfs_filesystem/test
index e43da67..fc8d525 100755
--- a/tests/nfs_filesystem/test
+++ b/tests/nfs_filesystem/test
@@ -240,7 +240,7 @@  while ( $i < 2 ) {
     ok( $result eq 0, $test_msg );
 
     $result = system(
-"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context $v -t unconfined_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1"
+"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context $v -t test_file_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1"
     );
     ok( $result >> 8 eq 13, $test_msg );    # EACCES
 
@@ -264,7 +264,7 @@  while ( $i < 2 ) {
     ok( $result eq 0, $test_msg );
 
     $result = system(
-"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context $v -t unconfined_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1"
+"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context $v -t test_file_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1"
     );
     ok( $result >> 8 eq 13, $test_msg );    # EACCES