| Message ID | 20230714180554.17850-1-stephen.smalley.work@gmail.com (mailing list archive) |
|---|---|
| State | Rejected |
| Delegated to: | Ondrej Mosnáček |
| Series | [testsuite] policy: allow inet socket test domains to search user home content |
On Fri, Jul 14, 2023 at 8:07 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > This is necessary for resolving pathnames when running the testsuite > from a user home directory. > > Reproducer: > 1. Clone selinux-testsuite into home directory. > 2. Try running it there. > > Before: > inet_socket/tcp/test ........ Flag file open: Permission denied > (test hangs) > > After: > all tests complete and pass > > Fixes: 4dcea27ada77f51c2868095e951aab790374fba9 ("tests/inet_socket: > cover the MPTCP protocol") > Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com> > --- > policy/test_inet_socket.te | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te > index 47969fc..0eacb31 100644 > --- a/policy/test_inet_socket.te > +++ b/policy/test_inet_socket.te > @@ -154,3 +154,6 @@ allow test_inet_client_t test_server_packet_t:packet { send recv }; > # Send/recv unlabeled packets. > kernel_sendrecv_unlabeled_packets(inetsocketdomain) > kernel_recvfrom_unlabeled_peer(inetsocketdomain) > + > +# Search user home directories (for running testsuite from one) > +userdom_search_user_home_content(inetsocketdomain) > -- > 2.40.1 Thank you for the patch, although this made me realize that we can grant userdom_search_user_home_content()/userdom_search_admin_dir() to the whole test_domain in test_general.te to simplify the policy (there are a few other existing uses of them in other subtests). I posted an alternative patch to the list - please let me know if you're okay with it. -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te index 47969fc..0eacb31 100644 --- a/policy/test_inet_socket.te +++ b/policy/test_inet_socket.te @@ -154,3 +154,6 @@ allow test_inet_client_t test_server_packet_t:packet { send recv }; # Send/recv unlabeled packets. kernel_sendrecv_unlabeled_packets(inetsocketdomain) kernel_recvfrom_unlabeled_peer(inetsocketdomain) + +# Search user home directories (for running testsuite from one) +userdom_search_user_home_content(inetsocketdomain)
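Review bot: the new userdom_search_user_home_content(inetsocketdomain) line at the end of the hunk grants search only, which is the minimal access needed to walk the path to the flag file from a checkout under a user's home, but it covers user home content only; a checkout under root's home directory would still fail with the same "Flag file open: Permission denied", so it should be paired with userdom_search_admin_dir() as the reply suggests. Since other subtests already carry the same grants, adding both once to the shared test_domain in test_general.te avoids repeating the line in each subtest's .te file; the comment "# Search user home directories (for running testsuite from one)" would also read better if it named what is being resolved (the flag file path) rather than the generic "from one".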
This is necessary for resolving pathnames when running the testsuite
from a user home directory.

Reproducer:
1. Clone selinux-testsuite into home directory.
2. Try running it there.

Before:
inet_socket/tcp/test ........ Flag file open: Permission denied
(test hangs)

After:
all tests complete and pass

Fixes: 4dcea27ada77f51c2868095e951aab790374fba9 ("tests/inet_socket: cover the MPTCP protocol")
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_inet_socket.te | 3 +++
 1 file changed, 3 insertions(+)