Message ID | 20230717122800.619345-1-omosnace@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Ondrej Mosnáček |
Series | [testsuite] policy: allow all test domains to search user/admin home directories | expand |
On Mon, Jul 17, 2023 at 8:28 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > The permissions are sometimes needed to resolve paths when running the > testsuite from a user/admin home directory. To avoid cluttering > individual policy files with macros that allow it, apply the macros to > the whole testsuite_domain attribute. Thankfully this doesn't break the > other tests. > > This also fixes the inet_socket test, which started to require these > permissions after a recent change. > > While there, also remove userdom_read_user_tmp_files() from > test_overlay_mounter_t, which doesn't seem to be needed. > > Fixes: 4dcea27ada77 ("tests/inet_socket: cover the MPTCP protocol") > Inspired-by: Stephen Smalley <stephen.smalley.work@gmail.com> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> All tests pass with this applied, thanks. Tested-by: Stephen Smalley <stephen.smalley.work@gmail.com> > --- > policy/test_filesystem.te | 1 - > policy/test_filesystem_notify.te | 1 - > policy/test_global.te | 7 +++++++ > policy/test_ipc.te | 2 -- > policy/test_overlayfs.te | 7 ------- > policy/test_policy.if | 7 ------- > policy/test_ptrace.te | 1 - > 7 files changed, 7 insertions(+), 19 deletions(-) > > diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te > index 59eac2b..efe1f4d 100644 > --- a/policy/test_filesystem.te > +++ b/policy/test_filesystem.te > @@ -366,7 +366,6 @@ allow test_filesystem_inode_setxattr_no_associate_t test_file_t:file { create re > # > ############### Rules for NFS mount ################## > # > -userdom_search_user_home_content(filesystemdomain) > allow test_filesystem_t test_filesystem_file_t:filesystem { getattr mount remount unmount relabelto relabelfrom }; > allow test_filesystem_t test_file_t:file { create write relabelfrom }; > allow test_file_t test_filesystem_file_t:filesystem { associate }; > diff --git a/policy/test_filesystem_notify.te b/policy/test_filesystem_notify.te > index 30056e4..77d46ae 100644 
> --- a/policy/test_filesystem_notify.te > +++ b/policy/test_filesystem_notify.te > @@ -16,7 +16,6 @@ allow test_filesystem_t dosfs_t:filesystem { watch }; > # > ############### Rules for NFS mount with rootcontext option ################# > # > -userdom_search_user_home_content(filesystemdomain) > allow test_filesystem_no_watch_mount_t nfs_t:filesystem { unmount }; > allow test_filesystem_no_watch_mount_t test_filesystem_file_t:dir { search }; > allow test_filesystem_no_watch_sb_t nfs_t:filesystem { unmount watch }; > diff --git a/policy/test_global.te b/policy/test_global.te > index 052c7dd..0078485 100644 > --- a/policy/test_global.te > +++ b/policy/test_global.te > @@ -153,6 +153,13 @@ selinux_compute_create_context(testsuite_domain) > selinux_compute_relabel_context(testsuite_domain) > selinux_compute_user_contexts(testsuite_domain) > > +userdom_search_user_home_content(testsuite_domain) > +# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t, > +# which is covered by the above call. > +ifdef(`userdom_search_admin_dir', ` > + userdom_search_admin_dir(testsuite_domain) > +') > + > # Reference policy renamed files_list_pids() to files_list_runtime() > ifdef(`files_list_pids', ` > files_list_pids(testsuite_domain) > diff --git a/policy/test_ipc.te b/policy/test_ipc.te > index 678eca8..5e26384 100644 > --- a/policy/test_ipc.te > +++ b/policy/test_ipc.te > @@ -67,5 +67,3 @@ fs_rw_tmpfs_files(ipcdomain) > > allow test_ipc_base_t self:sem create_sem_perms; > allow test_ipc_base_t self:shm create_shm_perms; > -# ipcrm needs this... > -userdom_search_user_home_dirs(test_ipc_base_t) > diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te > index ab589bb..c09b577 100644 > --- a/policy/test_overlayfs.te > +++ b/policy/test_overlayfs.te 
> @@ -45,10 +45,6 @@ kernel_search_proc(test_overlay_mounter_t) > fs_relabelfrom_xattr_fs(test_overlay_mounter_t) > fs_mount_xattr_fs(test_overlay_mounter_t) > > -userdom_search_admin_dir(test_overlay_mounter_t) > -userdom_search_user_home_content(test_overlay_mounter_t) > -userdom_read_user_tmp_files(test_overlay_mounter_t) > - > mount_exec(test_overlay_mounter_t) > mount_rw_pid_files(test_overlay_mounter_t) > > @@ -113,9 +109,6 @@ mcs_constrained(test_overlay_client_t) > kernel_read_system_state(test_overlay_client_t) > kernel_read_proc_symlinks(test_overlay_client_t) > > -userdom_search_admin_dir(test_overlay_client_t) > -userdom_search_user_home_content(test_overlay_client_t) > - > fs_getattr_xattr_fs(test_overlay_client_t) > > selinux_getattr_fs(test_overlay_client_t) > diff --git a/policy/test_policy.if b/policy/test_policy.if > index 5458f6c..b20baad 100644 > --- a/policy/test_policy.if > +++ b/policy/test_policy.if > @@ -82,13 +82,6 @@ interface(`mount_rw_pid_files', ` > ') > ') > > -# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t. > -ifdef(`userdom_search_admin_dir', `', ` dnl > -interface(`userdom_search_admin_dir', ` > - userdom_search_user_home_content($1) > -') > -') > - > # If the macro is not defined, then most probably module_request permission > # is just not supported (and relevant operations should be just allowed). > ifdef(`kernel_request_load_module', `', ` dnl > diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te > index 352ead5..1a8a10d 100644 > --- a/policy/test_ptrace.te > +++ b/policy/test_ptrace.te > @@ -27,7 +27,6 @@ allow test_ptrace_traced_t test_file_t:fifo_file rw_file_perms; > > # Allow the tracer domain to trace the traced domain. > allow test_ptrace_tracer_t test_ptrace_traced_t:process ptrace; > -userdom_search_user_home_dirs(test_ptrace_traced_t) > > # Let the tracer wait on the traced domain. > allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld; > -- > 2.41.0 >
On Mon, Jul 17, 2023 at 2:55 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote: > > On Mon, Jul 17, 2023 at 8:28 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > The permissions are sometimes needed to resolve paths when running the > > testsuite from a user/admin home directory. To avoid cluttering > > individual policy files with macros that allow it, apply the macros to > > the whole testsuite_domain attribute. Thankfully this doesn't break the > > other tests. > > > > This also fixes the inet_socket test, which started to require these > > permissions after a recent change. > > > > While there, also remove userdom_read_user_tmp_files() from > > test_overlay_mounter_t, which doesn't seem to be needed. > > > > Fixes: 4dcea27ada77 ("tests/inet_socket: cover the MPTCP protocol") > > Inspired-by: Stephen Smalley <stephen.smalley.work@gmail.com> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > All tests pass with this applied, thanks. > > Tested-by: Stephen Smalley <stephen.smalley.work@gmail.com> Thanks, applied: https://github.com/SELinuxProject/selinux-testsuite/commit/ab02919a0f9db4b6f3d162073b93380d80478014
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
index 59eac2b..efe1f4d 100644
--- a/policy/test_filesystem.te
+++ b/policy/test_filesystem.te
@@ -366,7 +366,6 @@ allow test_filesystem_inode_setxattr_no_associate_t test_file_t:file { create re
 #
 ############### Rules for NFS mount ##################
 #
-userdom_search_user_home_content(filesystemdomain)
 allow test_filesystem_t test_filesystem_file_t:filesystem { getattr mount remount unmount relabelto relabelfrom };
 allow test_filesystem_t test_file_t:file { create write relabelfrom };
 allow test_file_t test_filesystem_file_t:filesystem { associate };
diff --git a/policy/test_filesystem_notify.te b/policy/test_filesystem_notify.te
index 30056e4..77d46ae 100644
--- a/policy/test_filesystem_notify.te
+++ b/policy/test_filesystem_notify.te
@@ -16,7 +16,6 @@ allow test_filesystem_t dosfs_t:filesystem { watch };
 #
 ############### Rules for NFS mount with rootcontext option #################
 #
-userdom_search_user_home_content(filesystemdomain)
 allow test_filesystem_no_watch_mount_t nfs_t:filesystem { unmount };
 allow test_filesystem_no_watch_mount_t test_filesystem_file_t:dir { search };
 allow test_filesystem_no_watch_sb_t nfs_t:filesystem { unmount watch };
diff --git a/policy/test_global.te b/policy/test_global.te
index 052c7dd..0078485 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -153,6 +153,13 @@ selinux_compute_create_context(testsuite_domain)
 selinux_compute_relabel_context(testsuite_domain)
 selinux_compute_user_contexts(testsuite_domain)
 
+userdom_search_user_home_content(testsuite_domain)
+# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t,
+# which is covered by the above call.
+ifdef(`userdom_search_admin_dir', `
+ userdom_search_admin_dir(testsuite_domain)
+')
+
 # Reference policy renamed files_list_pids() to files_list_runtime()
 ifdef(`files_list_pids', `
 files_list_pids(testsuite_domain)
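Review bot: The comment added in the policy/test_global.te hunk explains the `ifdef` fallback but not why every domain in `testsuite_domain` now receives home-directory search, so a later reader cannot tell whether the grant is still needed. The commit message gives the reason, and it belongs next to the call, e.g. `# Needed to resolve paths when the testsuite is run from a user/admin home directory.` Because the grant is now attribute-wide, it also reaches domains used by tests that expect denials, so the comment should also say that these macros are expected to grant directory search only (inferred from their names; the interface bodies are not visible here). The per-domain calls removed in the test_ipc.te and test_ptrace.te hunks used `userdom_search_user_home_dirs()`, so the new line relies on `userdom_search_user_home_content()` covering the same directories; presumably it does, but this should be confirmed against both the Fedora policy and refpolicy.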
diff --git a/policy/test_ipc.te b/policy/test_ipc.te
index 678eca8..5e26384 100644
--- a/policy/test_ipc.te
+++ b/policy/test_ipc.te
@@ -67,5 +67,3 @@ fs_rw_tmpfs_files(ipcdomain)
 
 allow test_ipc_base_t self:sem create_sem_perms;
 allow test_ipc_base_t self:shm create_shm_perms;
-# ipcrm needs this...
-userdom_search_user_home_dirs(test_ipc_base_t)
diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te
index ab589bb..c09b577 100644
--- a/policy/test_overlayfs.te
+++ b/policy/test_overlayfs.te
@@ -45,10 +45,6 @@ kernel_search_proc(test_overlay_mounter_t)
 fs_relabelfrom_xattr_fs(test_overlay_mounter_t)
 fs_mount_xattr_fs(test_overlay_mounter_t)
 
-userdom_search_admin_dir(test_overlay_mounter_t)
-userdom_search_user_home_content(test_overlay_mounter_t)
-userdom_read_user_tmp_files(test_overlay_mounter_t)
-
 mount_exec(test_overlay_mounter_t)
 mount_rw_pid_files(test_overlay_mounter_t)
 
@@ -113,9 +109,6 @@ mcs_constrained(test_overlay_client_t)
 kernel_read_system_state(test_overlay_client_t)
 kernel_read_proc_symlinks(test_overlay_client_t)
 
-userdom_search_admin_dir(test_overlay_client_t)
-userdom_search_user_home_content(test_overlay_client_t)
-
 fs_getattr_xattr_fs(test_overlay_client_t)
 
 selinux_getattr_fs(test_overlay_client_t)
diff --git a/policy/test_policy.if b/policy/test_policy.if
index 5458f6c..b20baad 100644
--- a/policy/test_policy.if
+++ b/policy/test_policy.if
@@ -82,13 +82,6 @@ interface(`mount_rw_pid_files', `
 ')
 ')
 
-# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t.
-ifdef(`userdom_search_admin_dir', `', ` dnl
-interface(`userdom_search_admin_dir', `
- userdom_search_user_home_content($1)
-')
-')
-
 # If the macro is not defined, then most probably module_request permission
 # is just not supported (and relevant operations should be just allowed).
 ifdef(`kernel_request_load_module', `', ` dnl
diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
index 352ead5..1a8a10d 100644
--- a/policy/test_ptrace.te
+++ b/policy/test_ptrace.te
@@ -27,7 +27,6 @@ allow test_ptrace_traced_t test_file_t:fifo_file rw_file_perms;
 
 # Allow the tracer domain to trace the traced domain.
 allow test_ptrace_tracer_t test_ptrace_traced_t:process ptrace;
-userdom_search_user_home_dirs(test_ptrace_traced_t)
 
 # Let the tracer wait on the traced domain.
 allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
The permissions are sometimes needed to resolve paths when running the testsuite from a user/admin home directory. To avoid cluttering individual policy files with macros that allow it, apply the macros to the whole testsuite_domain attribute. Thankfully this doesn't break the other tests. This also fixes the inet_socket test, which started to require these permissions after a recent change. While there, also remove userdom_read_user_tmp_files() from test_overlay_mounter_t, which doesn't seem to be needed. Fixes: 4dcea27ada77 ("tests/inet_socket: cover the MPTCP protocol") Inspired-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- policy/test_filesystem.te | 1 - policy/test_filesystem_notify.te | 1 - policy/test_global.te | 7 +++++++ policy/test_ipc.te | 2 -- policy/test_overlayfs.te | 7 ------- policy/test_policy.if | 7 ------- policy/test_ptrace.te | 1 - 7 files changed, 7 insertions(+), 19 deletions(-)