| Message ID | 20240208161125.620477-1-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Ondrej Mosnáček |
| Series | [testsuite] policy: fix testsuite_domain_type_minimal() to work with rpm-ostree |
On Thu, Feb 8, 2024 at 5:11 PM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > After a live package installation on an OSTree system using `rpm-ostree > install --apply-live ...`, domains need to be able to use file > descriptors from install_t, otherwise they fail to load dynamic > libraries. Thus, this rule needs to be added to > testsuite_domain_type_minimal() so that the testsuite can run successfully > on OSTree systems. > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > --- > policy/test_policy.if | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/policy/test_policy.if b/policy/test_policy.if > index b20baad..e590f0b 100644 > --- a/policy/test_policy.if > +++ b/policy/test_policy.if > @@ -37,6 +37,7 @@ interface(`testsuite_domain_type',` > interface(`testsuite_domain_type_minimal',` > gen_require(` > type setrans_var_run_t; > + type install_t; > ') > > testsuite_domain_type_common($1) > @@ -46,6 +47,7 @@ interface(`testsuite_domain_type_minimal',` > allow $1 proc_t:lnk_file { read }; > allow $1 self:dir { search }; > allow $1 self:file { open read write }; > + allow $1 install_t:fd use; # for rpm-ostree --apply-live magic > dontaudit $1 security_t:filesystem getattr; > dontaudit $1 self:file getattr; > dontaudit $1 setrans_var_run_t:dir search; > -- > 2.43.0
Applied: https://github.com/SELinuxProject/selinux-testsuite/commit/f9f4a604b50eecdc9ff674f1762208f23c15013f
diff --git a/policy/test_policy.if b/policy/test_policy.if index b20baad..e590f0b 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if @@ -37,6 +37,7 @@ interface(`testsuite_domain_type',` interface(`testsuite_domain_type_minimal',` gen_require(` type setrans_var_run_t; + type install_t; ') testsuite_domain_type_common($1) @@ -46,6 +47,7 @@ interface(`testsuite_domain_type_minimal',` allow $1 proc_t:lnk_file { read }; allow $1 self:dir { search }; allow $1 self:file { open read write }; + allow $1 install_t:fd use; # for rpm-ostree --apply-live magic dontaudit $1 security_t:filesystem getattr; dontaudit $1 self:file getattr; dontaudit $1 setrans_var_run_t:dir search;
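Review bot: the unconditional `type install_t;` added to the gen_require block of testsuite_domain_type_minimal() turns install_t into a hard link-time dependency, so the test policy will no longer load on a base policy that does not define that type; unless every supported target policy is known to ship install_t, wrap the require and the `allow $1 install_t:fd use;` rule in an optional_policy(` ... ') block, or at least document the new requirement alongside the other types the testsuite policy expects. The trailing comment `# for rpm-ostree --apply-live magic` should also state the actual reason given in the commit message (dynamic loading through descriptors inherited from install_t after a live install), since "magic" will not help the next person who has to decide whether the rule is still needed.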
After a live package installation on an OSTree system using `rpm-ostree install --apply-live ...`, domains need to be able to use file descriptors from install_t, otherwise they fail to load dynamic libraries. Thus, this rule needs to be added to testsuite_domain_type_minimal() so that the testsuite can run successfully on OSTree systems.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/test_policy.if | 2 ++
1 file changed, 2 insertions(+)
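The failure the commit message describes shows up in the audit log as `fd` class denials with `tcontext` of install_t, one per shared library the dynamic loader tries to map. The following added example (written for this page, not part of the patch or of the selinux-testsuite project) parses such AVC lines the way audit2allow would, merges them into refpolicy-style allow rules, and separately flags which domains were refused `use` on an install_t descriptor. The log lines and the `test_domain_t` type are constructed for illustration and are not a real capture.

```python
"""Turn AVC denials into the allow rules they imply, and flag the
install_t fd-use denial that the patch above addresses.
Added example, not code from the selinux-testsuite project."""
import re
from collections import defaultdict

# Matches the core of a kernel AVC message:
#   avc:  denied  { use } for  pid=... scontext=... tcontext=... tclass=fd
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="ld.so") or bare (tclass=fd)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return source type, target type, class and permissions of one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= set(fields):
        return None
    # A context is user:role:type:level; the type is the third component.
    return {
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
    }


def allow_rules(lines):
    """Merge denials per (source, target, class) and render allow rules, using
    'self' when source and target types coincide, as refpolicy does."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules


def domains_denied_install_fd(lines, target="install_t"):
    """Source types refused 'use' on a file descriptor inherited from `target`."""
    hits = set()
    for line in lines:
        d = parse_avc(line)
        if d and d["tclass"] == "fd" and d["target"] == target and "use" in d["perms"]:
            hits.add(d["source"])
    return hits


# Constructed sample audit lines (not a real capture). The first two are the shape of
# denial a test domain logs when the loader maps a library through an install_t fd.
SAMPLE_LOG = [
    'type=AVC msg=audit(1707408685.101:311): avc:  denied  { use } for  pid=4242 '
    'comm="test_prog" path="/usr/lib64/libc.so.6" dev="overlay" ino=9001 '
    'scontext=unconfined_u:unconfined_r:test_domain_t:s0 '
    'tcontext=system_u:system_r:install_t:s0 tclass=fd permissive=0',
    'type=AVC msg=audit(1707408685.102:312): avc:  denied  { use } for  pid=4242 '
    'comm="test_prog" path="/usr/lib64/libselinux.so.1" dev="overlay" ino=9002 '
    'scontext=unconfined_u:unconfined_r:test_domain_t:s0 '
    'tcontext=system_u:system_r:install_t:s0 tclass=fd permissive=0',
    'type=AVC msg=audit(1707408685.103:313): avc:  denied  { search } for  pid=4242 '
    'comm="test_prog" name="4242" dev="proc" ino=10 '
    'scontext=unconfined_u:unconfined_r:test_domain_t:s0 '
    'tcontext=unconfined_u:unconfined_r:test_domain_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1707408685.104:314): avc:  denied  { open read } for  pid=4242 '
    'comm="test_prog" path="/proc/4242/status" dev="proc" ino=11 '
    'scontext=unconfined_u:unconfined_r:test_domain_t:s0 '
    'tcontext=unconfined_u:unconfined_r:test_domain_t:s0 tclass=file permissive=0',
    # Non-AVC records are ignored by the parser.
    'type=SYSCALL msg=audit(1707408685.104:314): arch=c000003e syscall=257 success=no exit=-13',
]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    print("domains needing install_t:fd use:", sorted(domains_denied_install_fd(SAMPLE_LOG)))
```

On a real host the input would be `ausearch -m AVC -ts recent` output; the generated `allow test_domain_t install_t:fd use;` is the per-domain form of the `allow $1 install_t:fd use;` rule the patch adds to the interface, and the merged self rules show why the interface also grants `self:dir search` and `self:file` access.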