@@ -7,6 +7,9 @@ policy_module(test_policy,1.0.0)
#
attribute testsuite_domain;
+attribute testsuite_caller_domain;
+attribute testsuite_caller_ifconfig_domain;
+attribute testsuite_caller_iptables_domain;
optional_policy(`
gen_require(`
@@ -14,6 +17,10 @@ optional_policy(`
role unconfined_r;
')
+ typeattribute unconfined_t testsuite_caller_domain;
+ typeattribute unconfined_t testsuite_caller_ifconfig_domain;
+ typeattribute unconfined_t testsuite_caller_iptables_domain;
+
# Transition from the caller to the test domain.
allow unconfined_t testsuite_domain:process transition;
role unconfined_r types testsuite_domain;
@@ -27,9 +34,26 @@ optional_policy(`
optional_policy(`
gen_require(`
+ type sysadm_t;
role sysadm_r;
')
+ typeattribute sysadm_t testsuite_caller_domain;
+ typeattribute sysadm_t testsuite_caller_ifconfig_domain;
+ typeattribute sysadm_t testsuite_caller_iptables_domain;
+ optional_policy(`
+ gen_require(`
+ type ifconfig_t;
+ ')
+ typeattribute ifconfig_t testsuite_caller_ifconfig_domain;
+ ')
+ optional_policy(`
+ gen_require(`
+ type iptables_t;
+ ')
+ typeattribute iptables_t testsuite_caller_iptables_domain;
+ ')
+
# Authorize sysadm_r for the test domains.
role sysadm_r types testsuite_domain;
@@ -130,12 +130,8 @@ corenet_inout_generic_node(test_inet_no_name_connect_t)
#
# For ipsec-load/ipsec-flush.
-gen_require(`
- type unconfined_t;
-')
type test_spd_t;
-allow unconfined_t inetsocketdomain:association setcontext;
-allow unconfined_t test_spd_t:association setcontext;
+testsuite_caller_association_setcontext({ inetsocketdomain test_spd_t })
# Each of the test client domains must match against the SPD entry
# in order to use labeled IPSEC.
@@ -147,7 +143,7 @@ allow test_inet_bad_client_t test_spd_t:association polmatch;
#
type test_server_packet_t;
-allow unconfined_t test_server_packet_t:packet relabelto;
+testsuite_caller_packet_relabelto(test_server_packet_t)
allow test_inet_server_t test_server_packet_t:packet { send recv };
allow test_inet_client_t test_server_packet_t:packet { send recv };
@@ -51,6 +51,22 @@ interface(`testsuite_domain_type_minimal',`
dontaudit $1 setrans_var_run_t:dir search;
')
+interface(`testsuite_caller_association_setcontext',`
+ gen_require(`
+ attribute testsuite_caller_ifconfig_domain;
+ ')
+
+ allow testsuite_caller_ifconfig_domain $1:association setcontext;
+')
+
+interface(`testsuite_caller_packet_relabelto',`
+ gen_require(`
+ attribute testsuite_caller_iptables_domain;
+ ')
+
+ allow testsuite_caller_iptables_domain $1:packet relabelto;
+')
+
# Workarounds for refpolicy:
ifdef(`dev_rw_infiniband_dev', `', ` dnl
@@ -213,7 +213,7 @@ corenet_inout_generic_if(sctp_asconf_deny_param_add_client_t)
######################### SECMARK-specific policy ############################
#
type test_sctp_server_packet_t;
-allow unconfined_t test_sctp_server_packet_t:packet { relabelto };
+testsuite_caller_packet_relabelto(test_sctp_server_packet_t)
allow test_sctp_server_t test_sctp_server_packet_t:packet { send recv };
allow test_sctp_client_t test_sctp_server_packet_t:packet { send recv };
Replace them with generic common interfaces. For sysdadm_t we need to allow certain stuff also to ifconfig_t and iptables_t domains due to type transitions. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- policy/test_global.te | 24 ++++++++++++++++++++++++ policy/test_inet_socket.te | 8 ++------ policy/test_policy.if | 16 ++++++++++++++++ policy/test_sctp.te | 2 +- 4 files changed, 43 insertions(+), 7 deletions(-)