From patchwork Fri Jul 29 12:02:06 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 12932366 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6D240C00144 for ; Fri, 29 Jul 2022 12:02:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235311AbiG2MCk (ORCPT ); Fri, 29 Jul 2022 08:02:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40668 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234954AbiG2MCj (ORCPT ); Fri, 29 Jul 2022 08:02:39 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id A0E0D863E2 for ; Fri, 29 Jul 2022 05:02:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1659096157; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Ru7AO4+krIi1b4RrFRybUL38uPz5oXMkGuUPMxkiesU=; b=EUN7zWKStpZPp6eTFnD7mwsPf/uc5/chvTmJWPhiOzveZIx6X1v+/EHCE8zLmSSYaa+LLM xb8y5j/uGutEO/xSfxRuFJamqkzAb2NtUEXK71gAeyUWpPYx4U8ZDyFyGXN2KDv0jizvZx /jt1231I5IJfaTdn3Fp8UGJbJsPT9Yc= Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com [209.85.128.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-470-3qpG9hXBPn2lYeh5cYToIA-1; Fri, 29 Jul 2022 08:02:36 -0400 X-MC-Unique: 3qpG9hXBPn2lYeh5cYToIA-1 Received: by mail-wm1-f72.google.com with SMTP id 
z20-20020a1c4c14000000b003a3020da654so790519wmf.5 for ; Fri, 29 Jul 2022 05:02:36 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc; bh=Ru7AO4+krIi1b4RrFRybUL38uPz5oXMkGuUPMxkiesU=; b=LOAEZQFuh9Y7L9IXyJ1JtbQbeAUuM8+X9NA2cD93LOSCtkTvgnZY5YPjutGarCFM3h L5h0tLf1J7Io57w6CJOl7xT6emzDN4RjWzKtSpsZ1fPntaoVwGe9Z0qFmRZrxTttOJaM QkI/sVeQwuQmotTk5DM0QZyDnweClAbc0HC/CAEFOlEDqQxCbGx8f/2yuq77URtUH3kk mN+yoD9gOV+oiQGlTSztnPvWRN0CtIFzPz+jR7HMAp5ucAqeNCWi+S49EY1LEE8aINN8 VrWcGw9zfyh2ozREmBFf18xclkE/gV7+a2ZDkw492pfgmtab2+kTV5JfgTjgzN4URuNw 00rQ== X-Gm-Message-State: AJIora/MQoDBxEdy/PTruhl6KO17l3NwgtX+iABEm59ZoYoF3dBxiPmE /aWWRobJglE+9h1ctGtOhO9Ab3IJqDUnu8EQmq2b48F1FGOqXL7ka3giJ0fssb1XxzkpshXIfUo wk4AzMDdRIsXVepayvV2Zyxvgn4TNF2RK5nb6Pw1Xaqqs/CWcXe9W+tQJqGizxsHVeLEBow== X-Received: by 2002:a05:600c:1c2a:b0:3a3:25f7:184d with SMTP id j42-20020a05600c1c2a00b003a325f7184dmr2293408wms.2.1659096154713; Fri, 29 Jul 2022 05:02:34 -0700 (PDT) X-Google-Smtp-Source: AGRyM1t0+1NEwF7/qJMf/MN/zj59ilFonMjkPhgXITTlvUuXX0FJWw7tTe84Tw1NKUsAnhmFcygw5w== X-Received: by 2002:a05:600c:1c2a:b0:3a3:25f7:184d with SMTP id j42-20020a05600c1c2a00b003a325f7184dmr2293375wms.2.1659096154205; Fri, 29 Jul 2022 05:02:34 -0700 (PDT) Received: from localhost.localdomain ([2a02:8308:b106:e300:32b0:6ebb:8ca4:d4d3]) by smtp.gmail.com with ESMTPSA id i3-20020a05600c354300b003a2e92edeccsm9590622wmq.46.2022.07.29.05.02.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jul 2022 05:02:33 -0700 (PDT) 
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 01/24] keys: change test_newcon_key_t to be just an object context Date: Fri, 29 Jul 2022 14:02:06 +0200 Message-Id: <20220729120229.207584-2-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org It's only used to test changing the label of a key, so there is no need to declare it as a domain type. Signed-off-by: Ondrej Mosnacek --- policy/test_keys.te | 4 ---- tests/keys/test | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/policy/test_keys.te b/policy/test_keys.te index 78c0663..f6a3f2c 100644 --- a/policy/test_keys.te +++ b/policy/test_keys.te @@ -40,10 +40,6 @@ allow test_key_t self:key { create write search read view link setattr }; # Set new context on a keyring: type test_newcon_key_t; -key_domain_type(test_newcon_key_t) -unconfined_runs_test(test_newcon_key_t) -typeattribute test_newcon_key_t testdomain; -typeattribute test_newcon_key_t keydomain; allow test_key_t test_newcon_key_t:key { create write search view }; diff --git a/tests/keys/test b/tests/keys/test index 2dafb17..061bc62 100755 --- a/tests/keys/test +++ b/tests/keys/test 
@@ -67,7 +67,7 @@ ok( $result >> 8 eq 11 ); print "Change keyring context\n"; $result = system -"runcon -t test_key_t $basedir/keyctl_relabel $v system_u:system_r:test_newcon_key_t:s0"; +"runcon -t test_key_t $basedir/keyctl_relabel $v system_u:object_r:test_newcon_key_t:s0"; ok( $result eq 0 ); print "Test permission checks between a keyring created by another process\n"; From patchwork Fri Jul 29 12:02:07 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 12932368 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD67BC19F29 for ; Fri, 29 Jul 2022 12:02:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235098AbiG2MCm (ORCPT ); Fri, 29 Jul 2022 08:02:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40686 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235451AbiG2MCl (ORCPT ); Fri, 29 Jul 2022 08:02:41 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D7B24863DF for ; Fri, 29 Jul 2022 05:02:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1659096159; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pCNTP7AQDJgrxxpzoEvSEzOecZLF3Xzn6XGCSPV0z88=; b=DRFDLDSW+fZaqIFhe9gHE9n18CyHBHj6cfGYDaLrdHL/HdKPFnmt6+3HaMdMU9bvOCDybi Ly3OZnQzG9KcydKkVWOgn95raXkxGsSmUoEXQPbvxARofss5LBZJ1SsqSM22vmHPv8qFlq tzwTP01HIPgERCS75z/bW9AUQNxnwhI= Received: 
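Review bot: the tests/keys/test change is required, not cosmetic, and the commit message should say why: once test_newcon_key_t no longer carries the testdomain attribute, system_r is no longer authorized for it (test_global.te grants roles through `role system_r types testdomain;`), so `system_u:system_r:test_newcon_key_t:s0` becomes an invalid context and the relabel would be rejected before any key permission is checked. object_r is accepted for any type, which is what keeps the new context valid. The remaining `allow test_key_t test_newcon_key_t:key { create write search view };` is all the policy the relabel test still needs from this type.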
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 02/24] test_global.te: remove unused role require Date: Fri, 29 Jul 2022 14:02:07 +0200 Message-Id: <20220729120229.207584-3-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org The staff_r role is not used and can be dropped. Signed-off-by: Ondrej Mosnacek --- policy/test_global.te | 1 - 1 file changed, 1 deletion(-) diff --git a/policy/test_global.te b/policy/test_global.te index d19b4be..dae20d6 100644 --- a/policy/test_global.te +++ b/policy/test_global.te 
@@ -9,7 +9,6 @@ policy_module(test_policy,1.0.0) attribute testdomain; gen_require(` - role staff_r; role system_r; role sysadm_r; ') From patchwork Fri Jul 29 12:02:08 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 12932369 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E459AC00144 for ; Fri, 29 Jul 2022 12:02:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235451AbiG2MCn (ORCPT ); Fri, 29 Jul 2022 08:02:43 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40708 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235368AbiG2MCn (ORCPT ); Fri, 29 Jul 2022 08:02:43 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 92AB1863DF for ; Fri, 29 Jul 2022 05:02:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1659096161; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=BnOxdtziTPCBTKHzOjlnSAKt875y/kRGevMuZoFMUWE=; b=Pu8mg2mV41BRh9q8i3Y0rNB8nqCK0fnRwiLkdoTkPUnhTTxueoHWDWtrlNZLXVkrta0Bfr CuwsAZvGCH4QTvBTHCY/yU54CLE7OpKcBe/aqKK8dopm4UnrOvuqYIS2roj4mEbgbCKW2R uODgIlqgrQYPmKEXXONufZzLpW1XrTM= Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com [209.85.128.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-444-wc1fZsQPOVWHGjv3y0b6Tw-1; Fri, 29 Jul 2022 
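Review bot: dropping `role staff_r;` from gen_require is only safe if nothing else in the module still names the role; since all of policy/ is built into the same test_policy module, please confirm with a grep of policy/ for staff_r that no remaining rule references it, otherwise the build fails on an undeclared role. The hunk itself is fine: system_r and sysadm_r stay required for the role statements that follow them.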
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 03/24] test_global.te: don't add domains to system_r Date: Fri, 29 Jul 2022 14:02:08 +0200 Message-Id: <20220729120229.207584-4-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org It doesn't seem to be useful and is unlikely to work without extra rules anyway. Signed-off-by: Ondrej Mosnacek --- policy/test_global.te | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/policy/test_global.te b/policy/test_global.te index dae20d6..800e55f 100644 --- a/policy/test_global.te +++ b/policy/test_global.te 
@@ -9,13 +9,11 @@ policy_module(test_policy,1.0.0) attribute testdomain; gen_require(` - role system_r; role sysadm_r; ') -# Authorize sysadm_r and system_r for the test domains. +# Authorize sysadm_r for the test domains. role sysadm_r types testdomain; -role system_r types testdomain; # Allow the test domains to access the sysadm terminal. # This allows read and write sysadm ttys and ptys. From patchwork Fri Jul 29 12:02:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 12932370 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A00FAC00144 for ; Fri, 29 Jul 2022 12:02:49 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235681AbiG2MCt (ORCPT ); Fri, 29 Jul 2022 08:02:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40730 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235368AbiG2MCr (ORCPT ); Fri, 29 Jul 2022 08:02:47 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 03E31863DF for ; Fri, 29 Jul 2022 05:02:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1659096166; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=WoqBvJ1RPB6zJhzyX8rN5aJ0gmFYZk5hM2vNESXDqyg=; b=MiSdk+Cv9SIqIimQdUV95vCpDFqZkygj/k2vbzrYFqKxx1fLhV/RZevwCiydJjCLw/bQPI p/14tHlZ1HVDqyvBrlXyA22p1ruIUGs0JJhQtdfg/8hQMdui5iDdeBdkHuLZxO2hGyz3El 
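Review bot: this withdraws system_r from every testdomain type at once, so any context of the form system_u:system_r:<test type> is invalid from this patch on; the one user visible in this series, the keys relabel test, was already moved to object_r in patch 01, but the commit message should state that no remaining test runs a test domain under system_r rather than "doesn't seem to be useful". The updated comment ('Authorize sysadm_r for the test domains.') matches the rule that survives.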
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 06/24] test_policy.if: remove weird rule from testsuite_domain_type_minimal() Date: Fri, 29 Jul 2022 14:02:11 +0200 Message-Id: <20220729120229.207584-7-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org The rule doesn't depend on the target domain, so it doesn't make sense for it to be there. Signed-off-by: Ondrej Mosnacek --- policy/test_policy.if | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/policy/test_policy.if b/policy/test_policy.if index 4912efd..f17a384 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if @@ -49,7 +49,7 @@ interface(`testsuite_domain_type',` interface(`testsuite_domain_type_minimal',` gen_require(` - type setrans_var_run_t, syslogd_t, unconfined_t; + type setrans_var_run_t, unconfined_t; ') testsuite_domain_type_common($1) 
@@ -59,7 +59,6 @@ interface(`testsuite_domain_type_minimal',` allow $1 proc_t:lnk_file { read }; allow $1 self:dir { search }; allow $1 self:file { open read write }; - dontaudit init_t syslogd_t:fd use; dontaudit $1 security_t:filesystem getattr; dontaudit $1 self:file getattr; dontaudit $1 setrans_var_run_t:dir search; From patchwork Fri Jul 29 12:02:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 12932371 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 274E8C19F2B for ; Fri, 29 Jul 2022 12:02:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235742AbiG2MCt (ORCPT ); Fri, 29 Jul 2022 08:02:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40752 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235751AbiG2MCs (ORCPT ); Fri, 29 Jul 2022 08:02:48 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 08CDD863E5 for ; Fri, 29 Jul 2022 05:02:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1659096167; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KWI61jbcfbb8052FR+10GJuzaU0vBwsaXeTG94kHbvQ=; b=HYPqwKdmUYMGjebQMlyaB4TV5G8Dl0JUHTJFmd+cfNEytWfMl6CEXaAUErZr5XC/41ZDFW 08LWaxuiFnZJClj50rNDcLR2FTrAe6hhv6ASPaM2mpvbECeu+DHroJXqEJsSPeCI2MH2OK VK8QfzqQfDniH7p81Q7ADOOs0Yx8er8= Received: from mail-wr1-f71.google.com (mail-wr1-f71.google.com 
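Review bot: removing `dontaudit init_t syslogd_t:fd use;` is right, and there is a second reason worth noting: init_t was never in this interface's own require block (it listed only setrans_var_run_t, syslogd_t and unconfined_t), so the rule only compiled because some other file in the module required init_t. If the init_t/syslogd_t fd denial it was suppressing still occurs on test hosts, it will now appear in the audit log during runs; a suppression that does not depend on $1 belongs in test_global.te, not in a per-domain interface.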
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 07/24] policy: move unconfined_t-related dontaudit rule to where it fits better Date: Fri, 29 Jul 2022 14:02:12 +0200 Message-Id: <20220729120229.207584-8-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Even though it is only needed for the 'minimal' domains, it will be cleaner to apply it to all of them inside the optional block. Signed-off-by: Ondrej Mosnacek --- policy/test_global.te | 2 ++ policy/test_policy.if | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/policy/test_global.te b/policy/test_global.te index 83e573c..03acc19 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -21,6 +21,8 @@ optional_policy(` allow testsuite_domain unconfined_t:fd use; allow testsuite_domain unconfined_t:fifo_file { read write ioctl getattr }; allow testsuite_domain unconfined_t:process { sigchld }; + # needed for domains outside domain_type() + dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh }; ') gen_require(` diff --git a/policy/test_policy.if b/policy/test_policy.if index f17a384..6cef8dd 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if @@ -49,7 +49,7 @@ interface(`testsuite_domain_type',` interface(`testsuite_domain_type_minimal',` gen_require(` - type setrans_var_run_t, unconfined_t; + type setrans_var_run_t; ') testsuite_domain_type_common($1) 
@@ -62,7 +62,6 @@ interface(`testsuite_domain_type_minimal',` dontaudit $1 security_t:filesystem getattr; dontaudit $1 self:file getattr; dontaudit $1 setrans_var_run_t:dir search; - dontaudit unconfined_t $1:process { noatsecure rlimitinh siginh }; ') # Workarounds for refpolicy: From patchwork Fri Jul 29 12:02:13 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 12932376 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A9BAEC19F29 for ; Fri, 29 Jul 2022 12:02:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235368AbiG2MCy (ORCPT ); Fri, 29 Jul 2022 08:02:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40806 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235885AbiG2MCy (ORCPT ); Fri, 29 Jul 2022 08:02:54 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id F1515863E2 for ; Fri, 29 Jul 2022 05:02:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1659096171; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ek1WsD0jgerpMK6h16W2N412NDepdks0lBqkQEQupco=; b=MoH/uJgBYKRyGpIG5uOzMV42VLQAtEXe2kNuUKZvi6P6ZBepFjenZCDyM3otG91KqBjPYr M4ydV5lWs1zrxtN6LE3b4A4vGPNl21uF3ZoFvMf7rHDHsQKzkz1LvUye4+SgBvd9v3boZE BizBaGwZ21ZqMsCvIIDiosNNgpV0Wtc= Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com [209.85.128.71]) by relay.mimecast.com 
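Review bot: with unconfined_t dropped from the interface's require, check that no remaining line of testsuite_domain_type_minimal() still references it; the hunks only show the lines around the removed dontaudit. Widening the rule from $1 to testsuite_domain changes no access decision (dontaudit only suppresses logging), and it does not interfere with the atsecure tests, which check noatsecure between test domains rather than from unconfined_t. The new comment '# needed for domains outside domain_type()' would be clearer if it said these are the 'minimal' domains, as the commit message does.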
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 08/24] policy: move userdom_sysadm_entry_spec_domtrans_to() to general policy Date: Fri, 29 Jul 2022 14:02:13 +0200 Message-Id: <20220729120229.207584-9-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org This is good to have for pretty much all domains, so remove the individual calls and move it to test_general.te. 
Signed-off-by: Ondrej Mosnacek --- policy/test_atsecure.te | 3 --- policy/test_binder.te | 1 - policy/test_binder_bpf.te | 1 - policy/test_bpf.te | 1 - policy/test_capable_file.te | 1 - policy/test_dyntrace.te | 1 - policy/test_dyntrans.te | 1 - policy/test_entrypoint.te | 1 - policy/test_execshare.te | 1 - policy/test_exectrace.te | 1 - policy/test_execute_no_trans.te | 1 - policy/test_extended_socket_class.te | 1 - policy/test_fdreceive.te | 1 - policy/test_fdreceive_bpf.te | 1 - policy/test_file.te | 1 - policy/test_filesystem.te | 1 - policy/test_global.te | 3 +++ policy/test_ibendport.te | 1 - policy/test_ibpkey.te | 1 - policy/test_inet_socket.te | 1 - policy/test_inherit.te | 1 - policy/test_ioctl.te | 1 - policy/test_ipc.te | 1 - policy/test_key_socket.te | 1 - policy/test_keys.te | 1 - policy/test_mac_admin.te | 1 - policy/test_module_load.te | 1 - policy/test_mqueue.te | 1 - policy/test_netlink_socket.te | 1 - policy/test_notify.te | 1 - policy/test_open.te | 1 - policy/test_perf_event.te | 1 - policy/test_prlimit.te | 1 - policy/test_ptrace.te | 1 - policy/test_sctp.te | 1 - policy/test_sigkill.te | 1 - policy/test_task_create.te | 1 - policy/test_task_getpgid.te | 1 - policy/test_task_getsched.te | 1 - policy/test_task_getsid.te | 1 - policy/test_task_setpgid.te | 1 - policy/test_task_setsched.te | 1 - policy/test_transition.te | 3 --- policy/test_tun_tap.te | 1 - policy/test_unix_socket.te | 1 - policy/test_userfaultfd.te | 1 - policy/test_vsock_socket.te | 1 - policy/test_watchkey.te | 1 - 48 files changed, 3 insertions(+), 51 deletions(-) diff --git a/policy/test_atsecure.te b/policy/test_atsecure.te index f7ab29a..90e58f1 100644 --- a/policy/test_atsecure.te +++ b/policy/test_atsecure.te 
@@ -35,6 +35,3 @@ allow_map(atsecuredomain, test_file_t, file) # Only allow the allowed domain noatsecure permission to the # new domain. allow test_atsecure_allowed_t test_atsecure_newdomain_t:process noatsecure; - -# Allow all of these domains to be entered from the sysadm domain. -userdom_sysadm_entry_spec_domtrans_to(atsecuredomain) diff --git a/policy/test_binder.te b/policy/test_binder.te index e74a2fc..096c467 100644 --- a/policy/test_binder.te +++ b/policy/test_binder.te @@ -99,4 +99,3 @@ allow_map(test_binder_client_no_transfer_t, device_t, chr_file) ########### Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(binderdomain) -userdom_sysadm_entry_spec_domtrans_to(binderdomain) diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te index 8c04d19..2d91af2 100644 --- a/policy/test_binder_bpf.te +++ b/policy/test_binder_bpf.te @@ -62,4 +62,3 @@ allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file) ########### Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(binderbpfdomain) -userdom_sysadm_entry_spec_domtrans_to(binderbpfdomain) diff --git a/policy/test_bpf.te b/policy/test_bpf.te index 58daebd..fb21c29 100644 --- a/policy/test_bpf.te +++ b/policy/test_bpf.te @@ -62,4 +62,3 @@ allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_loa ############ Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(bpfdomain) -userdom_sysadm_entry_spec_domtrans_to(bpfdomain) diff --git a/policy/test_capable_file.te b/policy/test_capable_file.te index 73ad856..9ce9487 100644 --- a/policy/test_capable_file.te +++ b/policy/test_capable_file.te 
@@ -40,7 +40,6 @@ libs_exec_lib_files(capabledomain) # Allow test_file_t and bin_t to be entered from sysadm role miscfiles_domain_entry_test_files(capabledomain) -userdom_sysadm_entry_spec_domtrans_to(capabledomain) corecmd_bin_entry_type(capabledomain) sysadm_bin_spec_domtrans_to(capabledomain) diff --git a/policy/test_dyntrace.te b/policy/test_dyntrace.te index 28836b8..0a598a4 100644 --- a/policy/test_dyntrace.te +++ b/policy/test_dyntrace.te @@ -26,7 +26,6 @@ typeattribute test_dyntrace_notchild_t dyntracedomain; # Allow test_files_t to be entered from the sysadm domain. miscfiles_domain_entry_test_files(dyntracedomain) -userdom_sysadm_entry_spec_domtrans_to(dyntracedomain) miscfiles_exec_test_files(dyntracedomain) # Grant the necessary permissions for the child domain. diff --git a/policy/test_dyntrans.te b/policy/test_dyntrans.te index c749340..e4110c5 100644 --- a/policy/test_dyntrans.te +++ b/policy/test_dyntrans.te @@ -26,5 +26,4 @@ allow test_dyntrans_fromdomain_t test_dyntrans_todomain_t:process dyntransition; # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(dyntransdomain) -userdom_sysadm_entry_spec_domtrans_to(dyntransdomain) diff --git a/policy/test_entrypoint.te b/policy/test_entrypoint.te index 28f4705..1fcbf0c 100644 --- a/policy/test_entrypoint.te +++ b/policy/test_entrypoint.te @@ -16,5 +16,4 @@ corecmd_exec_bin(test_entrypoint_t) # Allow this domain to be entered via its entrypoint type. domain_entry_file(test_entrypoint_t, test_entrypoint_execute_t) -userdom_sysadm_entry_spec_domtrans_to(test_entrypoint_t) diff --git a/policy/test_execshare.te b/policy/test_execshare.te index 6d8b12e..22ed09f 100644 --- a/policy/test_execshare.te +++ b/policy/test_execshare.te 
@@ -22,7 +22,6 @@ typeattribute test_execshare_notchild_t execsharedomain; # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(execsharedomain) -userdom_sysadm_entry_spec_domtrans_to(execsharedomain) # Grant the necessary permissions for the child domain. domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t) diff --git a/policy/test_exectrace.te b/policy/test_exectrace.te index a4a8b96..302ba80 100644 --- a/policy/test_exectrace.te +++ b/policy/test_exectrace.te @@ -25,7 +25,6 @@ typeattribute test_exectrace_notchild_t exectracedomain; # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(exectracedomain) -userdom_sysadm_entry_spec_domtrans_to(exectracedomain) # Grant the necessary permissions for the child domain. domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t) diff --git a/policy/test_execute_no_trans.te b/policy/test_execute_no_trans.te index d0a46bc..e310353 100644 --- a/policy/test_execute_no_trans.te +++ b/policy/test_execute_no_trans.te @@ -18,7 +18,6 @@ testsuite_domain_type(test_execute_notrans_t); # Allow this domain to be entered via the shell. corecmd_shell_entry_type(test_execute_notrans_t) -userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t) #Allow test_execute_notrans permissions to the allowed type can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t) diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te index 75636ec..681a71d 100644 --- a/policy/test_extended_socket_class.te +++ b/policy/test_extended_socket_class.te @@ -57,4 +57,3 @@ kernel_request_load_module(extsocktestdomain) # Entry into the test domains via the test program. miscfiles_domain_entry_test_files(extsocktestdomain) -userdom_sysadm_entry_spec_domtrans_to(extsocktestdomain) diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te index e060ffd..9987503 100644 
--- a/policy/test_fdreceive.te +++ b/policy/test_fdreceive.te @@ -32,7 +32,6 @@ typeattribute test_fdreceive_server_t fdreceivedomain; # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(fdreceivedomain) -userdom_sysadm_entry_spec_domtrans_to(fdreceivedomain) # Grant the necessary permissions for the server domain. ## Create the Unix domain socket file. diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te index 5a23931..264a703 100644 --- a/policy/test_fdreceive_bpf.te +++ b/policy/test_fdreceive_bpf.te @@ -51,4 +51,3 @@ allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write }; # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(fdreceivebpfdomain) -userdom_sysadm_entry_spec_domtrans_to(fdreceivebpfdomain) diff --git a/policy/test_file.te b/policy/test_file.te index e20ae3e..9acc211 100644 --- a/policy/test_file.te +++ b/policy/test_file.te @@ -55,7 +55,6 @@ libs_exec_lib_files(fileopdomain) # Allow all of these domains to be entered from sysadm domain miscfiles_domain_entry_test_files(fileopdomain) -userdom_sysadm_entry_spec_domtrans_to(fileopdomain) corecmd_bin_entry_type(fileopdomain) sysadm_bin_spec_domtrans_to(fileopdomain) diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te index 71075fb..fd06d5d 100644 --- a/policy/test_filesystem.te +++ b/policy/test_filesystem.te @@ -413,4 +413,3 @@ allow test_move_mount_no_mounton_t dosfs_t:filesystem { associate }; ########### Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(filesystemdomain) -userdom_sysadm_entry_spec_domtrans_to(filesystemdomain) diff --git a/policy/test_global.te b/policy/test_global.te index 03acc19..5ef3b02 100644 --- a/policy/test_global.te +++ b/policy/test_global.te 
@@ -40,6 +40,9 @@ term_use_all_terms(testsuite_domain) allow testsuite_domain init_t:fd use; allow testsuite_domain initrc_t:fd use; +# Allow the test domain to be entered from sysadm_t +userdom_sysadm_entry_spec_domtrans_to(testsuite_domain) + # Allow the test domains to access the test directory and files # even if they are not root owned. allow testsuite_domain self:capability { dac_override dac_read_search }; diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te index 674293f..a403be0 100644 --- a/policy/test_ibendport.te +++ b/policy/test_ibendport.te @@ -32,4 +32,3 @@ allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_ # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(ibendportdomain) -userdom_sysadm_entry_spec_domtrans_to(ibendportdomain) diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te index e65895f..de0f5e1 100644 --- a/policy/test_ibpkey.te +++ b/policy/test_ibpkey.te @@ -25,4 +25,3 @@ corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t) # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(ibpkeydomain) -userdom_sysadm_entry_spec_domtrans_to(ibpkeydomain) diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te index da507d1..dd0e83c 100644 --- a/policy/test_inet_socket.te +++ b/policy/test_inet_socket.te @@ -161,4 +161,3 @@ kernel_recvfrom_unlabeled_peer(inetsocketdomain) # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(inetsocketdomain) -userdom_sysadm_entry_spec_domtrans_to(inetsocketdomain) diff --git a/policy/test_inherit.te b/policy/test_inherit.te index 31d719e..15ab8fc 100644 --- a/policy/test_inherit.te +++ b/policy/test_inherit.te 
@@ -33,7 +33,6 @@ typeattribute test_inherit_nowrite_t inheritdomain; # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(inheritdomain) -userdom_sysadm_entry_spec_domtrans_to(inheritdomain) # Grant the necessary permissions for the parent domain. allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms; diff --git a/policy/test_ioctl.te b/policy/test_ioctl.te index 24cff32..955695d 100644 --- a/policy/test_ioctl.te +++ b/policy/test_ioctl.te @@ -31,7 +31,6 @@ libs_exec_lib_files(ioctldomain) # Allow all of these domains to be entered from sysadm domain # via a shell script in the test directory or by.... miscfiles_domain_entry_test_files(ioctldomain) -userdom_sysadm_entry_spec_domtrans_to(ioctldomain) corecmd_bin_entry_type(ioctldomain) sysadm_bin_spec_domtrans_to(ioctldomain) diff --git a/policy/test_ipc.te b/policy/test_ipc.te index 07f8b4a..f68d35c 100644 --- a/policy/test_ipc.te +++ b/policy/test_ipc.te @@ -68,7 +68,6 @@ fs_rw_tmpfs_files(ipcdomain) # Allow all of these domains to be entered from user domains. # via a shell script in the test directory or by another program. miscfiles_domain_entry_test_files(ipcdomain) -userdom_sysadm_entry_spec_domtrans_to(ipcdomain) corecmd_bin_entry_type(ipcdomain) sysadm_bin_spec_domtrans_to(ipcdomain) diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te index fad5dfd..2763472 100644 --- a/policy/test_key_socket.te +++ b/policy/test_key_socket.te @@ -52,7 +52,6 @@ allow test_key_sock_no_read_t self:key_socket { create write setopt }; ########### Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(keysockdomain) -userdom_sysadm_entry_spec_domtrans_to(keysockdomain) # For CONFIG_NET_KEY=m kernel_request_load_module(keysockdomain) diff --git a/policy/test_keys.te b/policy/test_keys.te index 142a70c..de1b46c 100644 --- a/policy/test_keys.te +++ b/policy/test_keys.te 
@@ -169,4 +169,3 @@ allow test_request_keys_no_link_t test_keyring_service_t:key { read write search ########### Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(keydomain) -userdom_sysadm_entry_spec_domtrans_to(keydomain) diff --git a/policy/test_mac_admin.te b/policy/test_mac_admin.te index e816b03..d63dc80 100644 --- a/policy/test_mac_admin.te +++ b/policy/test_mac_admin.te @@ -47,4 +47,3 @@ allow mac_admintestdomain unlabeled_t:dir { getattr create }; # Entry into the test domains via the test program. corecmd_bin_entry_type(mac_admintestdomain) -userdom_sysadm_entry_spec_domtrans_to(mac_admintestdomain) diff --git a/policy/test_module_load.te b/policy/test_module_load.te index bbb805a..770b2dd 100644 --- a/policy/test_module_load.te +++ b/policy/test_module_load.te @@ -46,4 +46,3 @@ neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request } ########### Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(kmoduledomain) -userdom_sysadm_entry_spec_domtrans_to(kmoduledomain) diff --git a/policy/test_mqueue.te b/policy/test_mqueue.te index b9e84e7..ea3fa68 100644 --- a/policy/test_mqueue.te +++ b/policy/test_mqueue.te @@ -57,7 +57,6 @@ files_type(mqop_mqrw_t) # basic permision for all mqopdomains miscfiles_domain_entry_test_files(mqopdomain) -userdom_sysadm_entry_spec_domtrans_to(mqopdomain) corecmd_bin_entry_type(mqopdomain) sysadm_bin_spec_domtrans_to(mqopdomain) diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te index 0d6fc5e..589e372 100644 --- a/policy/test_netlink_socket.te +++ b/policy/test_netlink_socket.te 
@@ -43,7 +43,6 @@ netlink_socket_test(netlink_crypto_socket) # Entry into the test domains via the test program. miscfiles_domain_entry_test_files(netlinksocktestdomain) -userdom_sysadm_entry_spec_domtrans_to(netlinksocktestdomain) # Trigger kernel module auto-loading of the protocol implementations. kernel_request_load_module(netlinksocktestdomain) diff --git a/policy/test_notify.te b/policy/test_notify.te index 86979a5..4ffd287 100644 --- a/policy/test_notify.te +++ b/policy/test_notify.te @@ -75,4 +75,3 @@ typeattribute test_rdonly_t test_notify_domain; allow test_rdonly_t test_notify_file_t:dir { read open watch }; miscfiles_domain_entry_test_files(test_notify_domain) -userdom_sysadm_entry_spec_domtrans_to(test_notify_domain) diff --git a/policy/test_open.te b/policy/test_open.te index acb31d8..0d662f0 100644 --- a/policy/test_open.te +++ b/policy/test_open.te @@ -31,4 +31,3 @@ allow test_append_t test_open_file_t:file append_file_perms; # Allow all of these domains to be entered from sysadm domain miscfiles_domain_entry_test_files(test_open_domain) -userdom_sysadm_entry_spec_domtrans_to(test_open_domain) diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te index 6d3828a..8a914ff 100644 --- a/policy/test_perf_event.te +++ b/policy/test_perf_event.te @@ -75,4 +75,3 @@ allow_lockdown_confidentiality(test_perf_no_write_t) ########### Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(perfdomain) -userdom_sysadm_entry_spec_domtrans_to(perfdomain) diff --git a/policy/test_prlimit.te b/policy/test_prlimit.te index 3f32136..4b6a5c8 100644 --- a/policy/test_prlimit.te +++ b/policy/test_prlimit.te @@ -43,4 +43,3 @@ prlimit_test(getrlimit) # Entry into the test domains via the test program. miscfiles_domain_entry_test_files(prlimittestdomain) -userdom_sysadm_entry_spec_domtrans_to(prlimittestdomain) diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te index 34aa636..f327cc5 100644 
--- a/policy/test_ptrace.te +++ b/policy/test_ptrace.te @@ -36,7 +36,6 @@ allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld; # Allow all of these domains to be entered from the sysadm domains. # via a program in the test directory. miscfiles_domain_entry_test_files(ptracedomain) -userdom_sysadm_entry_spec_domtrans_to(ptracedomain) # Allow execution of helper programs. corecmd_exec_bin(ptracedomain) diff --git a/policy/test_sctp.te b/policy/test_sctp.te index 4c18c72..7b24b8c 100644 --- a/policy/test_sctp.te +++ b/policy/test_sctp.te @@ -234,4 +234,3 @@ allow sctpsocketdomain self:unix_dgram_socket { create ioctl }; ############ Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(sctpsocketdomain) -userdom_sysadm_entry_spec_domtrans_to(sctpsocketdomain) diff --git a/policy/test_sigkill.te b/policy/test_sigkill.te index a0dce3b..04bed89 100644 --- a/policy/test_sigkill.te +++ b/policy/test_sigkill.te @@ -41,7 +41,6 @@ allow test_kill_signal_t test_kill_server_t:process signal; # Allow all of these domains to be entered from the sysadm domains, # via kill or a program in the test directory. miscfiles_domain_entry_test_files(killdomain) -userdom_sysadm_entry_spec_domtrans_to(killdomain) corecmd_bin_entry_type(killdomain) sysadm_bin_spec_domtrans_to(killdomain) diff --git a/policy/test_task_create.te b/policy/test_task_create.te index eb51cd2..54acb50 100644 --- a/policy/test_task_create.te +++ b/policy/test_task_create.te @@ -25,4 +25,3 @@ typeattribute test_create_no_t test_create_d; # Allow domain to be entered from the sysadm domain. miscfiles_domain_entry_test_files(test_create_d) -userdom_sysadm_entry_spec_domtrans_to(test_create_d) diff --git a/policy/test_task_getpgid.te b/policy/test_task_getpgid.te index 1f81f56..dad584e 100644 --- a/policy/test_task_getpgid.te +++ b/policy/test_task_getpgid.te 
@@ -26,7 +26,6 @@ typeattribute test_getpgid_no_t test_getpgid_d; # Allow domain to be entered from the sysadm domain miscfiles_domain_entry_test_files(test_getpgid_d) -userdom_sysadm_entry_spec_domtrans_to(test_getpgid_d) # Give test_getpgid_yes_t the permission needed. allow test_getpgid_yes_t test_getpgid_target_t:process getpgid; diff --git a/policy/test_task_getsched.te b/policy/test_task_getsched.te index c67019b..f541d58 100644 --- a/policy/test_task_getsched.te +++ b/policy/test_task_getsched.te @@ -26,7 +26,6 @@ typeattribute test_getsched_no_t test_getsched_d; # Allow domain to be entered from the sysadm domain. miscfiles_domain_entry_test_files(test_getsched_d) -userdom_sysadm_entry_spec_domtrans_to(test_getsched_d) # Give test_getsched_yes_t the permission needed. allow test_getsched_yes_t test_getsched_target_t:process getsched; diff --git a/policy/test_task_getsid.te b/policy/test_task_getsid.te index e5a62f8..8c21d9a 100644 --- a/policy/test_task_getsid.te +++ b/policy/test_task_getsid.te @@ -26,7 +26,6 @@ typeattribute test_getsid_no_t test_getsid_d; # Allow domain to be entered from the sysadm domain. miscfiles_domain_entry_test_files(test_getsid_d) -userdom_sysadm_entry_spec_domtrans_to(test_getsid_d) # Give test_getsid_yes_t the permission needed. allow test_getsid_yes_t test_getsid_target_t:process getsession; diff --git a/policy/test_task_setpgid.te b/policy/test_task_setpgid.te index 8e98859..25e06d4 100644 --- a/policy/test_task_setpgid.te +++ b/policy/test_task_setpgid.te @@ -18,4 +18,3 @@ typeattribute test_setpgid_no_t test_setpgid_d; # Allow domain to be entered from the sysadm domain. miscfiles_domain_entry_test_files(test_setpgid_d) -userdom_sysadm_entry_spec_domtrans_to(test_setpgid_d) diff --git a/policy/test_task_setsched.te b/policy/test_task_setsched.te index c30157e..432135e 100644 --- a/policy/test_task_setsched.te +++ b/policy/test_task_setsched.te 
@@ -28,7 +28,6 @@ typeattribute test_setsched_no_t test_setsched_d; # Allow domain to be entered from the sysadm domain. miscfiles_domain_entry_test_files(test_setsched_d) -userdom_sysadm_entry_spec_domtrans_to(test_setsched_d) # Allow these domains to execute renice. corecmd_bin_entry_type(test_setsched_d) diff --git a/policy/test_transition.te b/policy/test_transition.te index 8f1f4bf..4adc423 100644 --- a/policy/test_transition.te +++ b/policy/test_transition.te @@ -25,6 +25,3 @@ corecmd_bin_entry_type(transitiondomain) domain_transition_pattern(test_transition_fromdomain_t,bin_t,test_transition_todomain_t) allow test_transition_fromdomain_t test_transition_todomain_t:fd use; allow test_transition_todomain_t test_transition_fromdomain_t:fd use; - -# Allow all of these domains to be entered from the sysadm domain. -userdom_sysadm_entry_spec_domtrans_to(transitiondomain) diff --git a/policy/test_tun_tap.te b/policy/test_tun_tap.te index be317a2..e1aef8d 100644 --- a/policy/test_tun_tap.te +++ b/policy/test_tun_tap.te @@ -96,4 +96,3 @@ allow test_newcon_no_from_tun_tap_t test_tun_tap_t:process { dyntransition }; ########### Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(tuntapdomain) -userdom_sysadm_entry_spec_domtrans_to(tuntapdomain) diff --git a/policy/test_unix_socket.te b/policy/test_unix_socket.te index 924475e..69720f0 100644 --- a/policy/test_unix_socket.te +++ b/policy/test_unix_socket.te @@ -61,4 +61,3 @@ typeattribute test_socketpair_t unixsocketdomain; # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(unixsocketdomain) -userdom_sysadm_entry_spec_domtrans_to(unixsocketdomain) diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te index 0ca733b..5cb7d1c 100644 --- a/policy/test_userfaultfd.te +++ b/policy/test_userfaultfd.te 
@@ -48,4 +48,3 @@ allow test_uffd_domain self:capability { sys_ptrace }; # Allow all of these domains to be executed miscfiles_domain_entry_test_files(test_uffd_domain) -userdom_sysadm_entry_spec_domtrans_to(test_uffd_domain) diff --git a/policy/test_vsock_socket.te b/policy/test_vsock_socket.te index abbcc0b..4bb989a 100644 --- a/policy/test_vsock_socket.te +++ b/policy/test_vsock_socket.te @@ -45,4 +45,3 @@ vsock_client(nosetopt, connect create getattr getopt read shutdown write) # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(vsocksocketdomain) -userdom_sysadm_entry_spec_domtrans_to(vsocksocketdomain) diff --git a/policy/test_watchkey.te b/policy/test_watchkey.te index 9fa5a70..101d68a 100644 --- a/policy/test_watchkey.te +++ b/policy/test_watchkey.te 
@@ -20,4 +20,3 @@ typeattribute test_watchkey_no_view_t watchkeydomain; ########### Allow these domains to be entered from sysadm domain ############ # miscfiles_domain_entry_test_files(watchkeydomain) -userdom_sysadm_entry_spec_domtrans_to(watchkeydomain)
From patchwork Fri Jul 29 12:02:14 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 12932375 X-Patchwork-Delegate: omosnacek@gmail.com
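Review bot: the consolidation into test_global.te is only correct if every type that loses its per-file userdom_sysadm_entry_spec_domtrans_to() call carries the testsuite_domain attribute. The hunks show testsuite_domain_type() for some of them (test_execute_notrans_t, test_dyntrace_notchild_t, test_inherit_nowrite_t), but not for test_entrypoint_t, test_notify_domain, test_uffd_domain or the attribute-based domains such as atsecuredomain and transitiondomain, so please confirm each of those is declared via testsuite_domain_type() before the per-file rule is dropped; otherwise sysadm_t silently loses the transition into that domain and the affected test fails at entry rather than at the permission under test.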
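Review bot: several hunks leave a comment that no longer matches what remains beneath it. In test_dyntrans.te, test_execshare.te, test_exectrace.te, test_fdreceive.te, test_ibendport.te, test_inherit.te and others, "# Allow all of these domains to be entered from the sysadm domain." now sits above only miscfiles_domain_entry_test_files(), and the "########### Allow these domains to be entered from sysadm domain ############" banners in test_binder.te, test_bpf.te, test_keys.te and similar files likewise describe a rule that has moved. Either reword them to say that the test files are entry points, or drop them so readers do not look for the sysadm transition in the per-test files.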
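Review bot: in the test_global.te hunk the comment "# Allow the test domain to be entered from sysadm_t" is singular, but the rule is applied to the testsuite_domain attribute and therefore covers every test domain; suggest "# Allow all test domains to be entered from sysadm_t" so the scope of the consolidated rule is clear at a glance.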
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 09/24] policy: move miscfiles_domain_entry_test_files() to general policy Date: Fri, 29 Jul 2022 14:02:14 +0200 Message-Id: <20220729120229.207584-10-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org This is good to have for pretty much all domains, so remove the individual calls and move it to test_general.te. 
Signed-off-by: Ondrej Mosnacek --- policy/test_binder.te | 5 ----- policy/test_binder_bpf.te | 5 ----- policy/test_bounds.te | 1 - policy/test_bpf.te | 5 ----- policy/test_cap_userns.te | 1 - policy/test_capable_file.te | 1 - policy/test_dyntrace.te | 1 - policy/test_dyntrans.te | 4 ---- policy/test_execshare.te | 3 --- policy/test_exectrace.te | 3 --- policy/test_extended_socket_class.te | 3 --- policy/test_fdreceive.te | 3 --- policy/test_fdreceive_bpf.te | 3 --- policy/test_file.te | 3 --- policy/test_filesystem.te | 5 ----- policy/test_global.te | 4 +++- policy/test_ibendport.te | 3 --- policy/test_ibpkey.te | 3 --- policy/test_inet_socket.te | 3 --- policy/test_inherit.te | 3 --- policy/test_ioctl.te | 1 - policy/test_ipc.te | 1 - policy/test_key_socket.te | 5 ----- policy/test_keys.te | 5 ----- policy/test_mmap.te | 3 --- policy/test_module_load.te | 5 ----- policy/test_mqueue.te | 3 --- policy/test_netlink_socket.te | 3 --- policy/test_notify.te | 2 -- policy/test_open.te | 3 --- policy/test_perf_event.te | 5 ----- policy/test_prlimit.te | 7 ------- policy/test_ptrace.te | 4 ---- policy/test_sctp.te | 5 ----- policy/test_setnice.te | 1 - policy/test_sigkill.te | 1 - policy/test_task_create.te | 5 ----- policy/test_task_getpgid.te | 3 --- policy/test_task_getsched.te | 3 --- policy/test_task_getsid.te | 3 --- policy/test_task_setpgid.te | 3 --- policy/test_task_setsched.te | 3 --- policy/test_tun_tap.te | 5 ----- policy/test_unix_socket.te | 3 --- policy/test_userfaultfd.te | 3 --- policy/test_vsock_socket.te | 3 --- policy/test_watchkey.te | 5 ----- 47 files changed, 3 insertions(+), 152 deletions(-) diff --git a/policy/test_binder.te b/policy/test_binder.te index 096c467..4c7974a 100644 --- a/policy/test_binder.te +++ b/policy/test_binder.te 
@@ -94,8 +94,3 @@ allow test_binder_client_no_transfer_t test_binder_mgr_t:binder { call }; allow test_binder_client_no_transfer_t test_binder_provider_t:binder { call impersonate }; allow test_binder_client_no_transfer_t device_t:chr_file { getattr ioctl open read write }; allow_map(test_binder_client_no_transfer_t, device_t, chr_file) - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(binderdomain) diff --git a/policy/test_binder_bpf.te b/policy/test_binder_bpf.te index 2d91af2..fa79320 100644 --- a/policy/test_binder_bpf.te +++ b/policy/test_binder_bpf.te @@ -57,8 +57,3 @@ allow test_binder_client_no_bpf_perm_t test_binder_bpf_mgr_t:binder { call }; allow test_binder_client_no_bpf_perm_t test_binder_bpf_provider_t:fd { use }; allow test_binder_client_no_bpf_perm_t device_t:chr_file { getattr ioctl open read write }; allow_map(test_binder_client_no_bpf_perm_t, device_t, chr_file) - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(binderbpfdomain) diff --git a/policy/test_bounds.te b/policy/test_bounds.te index 60fbd0b..d132d8a 100644 --- a/policy/test_bounds.te +++ b/policy/test_bounds.te @@ -63,5 +63,4 @@ allow test_bounds_child_domain test_bounds_file_green_t : file { getattr setattr allow test_bounds_child_domain test_bounds_file_blue_t : file { getattr setattr }; # Allow all of these domains to be entered from sysadm domain -miscfiles_domain_entry_test_files(test_bounds_domain) sysadm_entry_spec_domtrans(test_bounds_domain) diff --git a/policy/test_bpf.te b/policy/test_bpf.te index fb21c29..5eab0bd 100644 --- a/policy/test_bpf.te +++ b/policy/test_bpf.te 
@@ -57,8 +57,3 @@ typeattribute test_bpf_deny_prog_run_t bpfdomain; allow test_bpf_deny_prog_run_t self:process { setrlimit }; allow test_bpf_deny_prog_run_t self:capability { sys_resource sys_admin }; allow test_bpf_deny_prog_run_t self:bpf { map_create map_read map_write prog_load }; - -# -############ Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(bpfdomain) diff --git a/policy/test_cap_userns.te b/policy/test_cap_userns.te index fa90528..cfa510c 100644 --- a/policy/test_cap_userns.te +++ b/policy/test_cap_userns.te @@ -19,7 +19,6 @@ testsuite_domain_type(test_no_cap_userns_t) typeattribute test_no_cap_userns_t capusernsdomain; # Rules common to both domains. -miscfiles_domain_entry_test_files(capusernsdomain) corecmd_exec_bin(capusernsdomain) # linux >= v5.12 needs setfcap to map UID 0 diff --git a/policy/test_capable_file.te b/policy/test_capable_file.te index 9ce9487..2383f6e 100644 --- a/policy/test_capable_file.te +++ b/policy/test_capable_file.te @@ -39,7 +39,6 @@ libs_exec_ld_so(capabledomain) libs_exec_lib_files(capabledomain) # Allow test_file_t and bin_t to be entered from sysadm role -miscfiles_domain_entry_test_files(capabledomain) corecmd_bin_entry_type(capabledomain) sysadm_bin_spec_domtrans_to(capabledomain) diff --git a/policy/test_dyntrace.te b/policy/test_dyntrace.te index 0a598a4..09f983a 100644 --- a/policy/test_dyntrace.te +++ b/policy/test_dyntrace.te @@ -25,7 +25,6 @@ testsuite_domain_type(test_dyntrace_notchild_t) typeattribute test_dyntrace_notchild_t dyntracedomain; # Allow test_files_t to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(dyntracedomain) miscfiles_exec_test_files(dyntracedomain) # Grant the necessary permissions for the child domain. diff --git a/policy/test_dyntrans.te b/policy/test_dyntrans.te index e4110c5..73fe77d 100644 --- a/policy/test_dyntrans.te +++ b/policy/test_dyntrans.te 
@@ -23,7 +23,3 @@ typeattribute test_dyntrans_todomain_t dyntransdomain; # Allow the fromdomain to dyntrans to the new domain. allow test_dyntrans_fromdomain_t test_dyntrans_todomain_t:process dyntransition; - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(dyntransdomain) - diff --git a/policy/test_execshare.te b/policy/test_execshare.te index 22ed09f..c127662 100644 --- a/policy/test_execshare.te +++ b/policy/test_execshare.te @@ -20,9 +20,6 @@ type test_execshare_notchild_t; testsuite_domain_type(test_execshare_notchild_t); typeattribute test_execshare_notchild_t execsharedomain; -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(execsharedomain) - # Grant the necessary permissions for the child domain. domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t) allow test_execshare_parent_t test_execshare_child_t:fd use; diff --git a/policy/test_exectrace.te b/policy/test_exectrace.te index 302ba80..d5b74ad 100644 --- a/policy/test_exectrace.te +++ b/policy/test_exectrace.te @@ -23,9 +23,6 @@ type test_exectrace_notchild_t; testsuite_domain_type(test_exectrace_notchild_t) typeattribute test_exectrace_notchild_t exectracedomain; -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(exectracedomain) - # Grant the necessary permissions for the child domain. domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t) allow test_exectrace_parent_t test_exectrace_child_t:fd use; diff --git a/policy/test_extended_socket_class.te b/policy/test_extended_socket_class.te index 681a71d..c8840b4 100644 --- a/policy/test_extended_socket_class.te +++ b/policy/test_extended_socket_class.te 
@@ -54,6 +54,3 @@ extended_socket_class_test(alg_socket, socket) # Trigger kernel module auto-loading of the network protocol implementations. kernel_request_load_module(extsocktestdomain) - -# Entry into the test domains via the test program. -miscfiles_domain_entry_test_files(extsocktestdomain) diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te index 9987503..df9e974 100644 --- a/policy/test_fdreceive.te +++ b/policy/test_fdreceive.te @@ -30,9 +30,6 @@ type test_fdreceive_server_t; testsuite_domain_type(test_fdreceive_server_t); typeattribute test_fdreceive_server_t fdreceivedomain; -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(fdreceivedomain) - # Grant the necessary permissions for the server domain. ## Create the Unix domain socket file. allow test_fdreceive_server_t test_file_t:dir rw_dir_perms; diff --git a/policy/test_fdreceive_bpf.te b/policy/test_fdreceive_bpf.te index 264a703..fd633ae 100644 --- a/policy/test_fdreceive_bpf.te +++ b/policy/test_fdreceive_bpf.te @@ -48,6 +48,3 @@ allow test_fdreceive_bpf_client3_t self:process { setrlimit }; # Server side rules: allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:fd { use }; allow test_fdreceive_server_t test_fdreceive_bpf_client3_t:bpf { map_write }; - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(fdreceivebpfdomain) diff --git a/policy/test_file.te b/policy/test_file.te index 9acc211..5bb0398 100644 --- a/policy/test_file.te +++ b/policy/test_file.te @@ -53,9 +53,6 @@ libs_use_shared_libs(fileopdomain) libs_exec_ld_so(fileopdomain) libs_exec_lib_files(fileopdomain) -# Allow all of these domains to be entered from sysadm domain -miscfiles_domain_entry_test_files(fileopdomain) - corecmd_bin_entry_type(fileopdomain) sysadm_bin_spec_domtrans_to(fileopdomain) diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te index fd06d5d..5de489c 100644 
--- a/policy/test_filesystem.te +++ b/policy/test_filesystem.te @@ -408,8 +408,3 @@ allow test_filesystem_no_mount_t dosfs_t:filesystem { associate }; allow test_filesystem_no_remount_t dosfs_t:filesystem { associate }; allow test_filesystem_no_unmount_t dosfs_t:filesystem { associate }; allow test_move_mount_no_mounton_t dosfs_t:filesystem { associate }; - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(filesystemdomain) diff --git a/policy/test_global.te b/policy/test_global.te index 5ef3b02..667c272 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -51,8 +51,10 @@ allow testsuite_domain self:capability { dac_override dac_read_search }; #allow sysadm_t self:process setexec; #selinux_get_fs_mount(sysadm_t) -# Let all test domains read test directories and files. +# Let all test domains read test directories and files and to use test +# files as entry points. miscfiles_read_test_files(testsuite_domain) +miscfiles_domain_entry_test_files(testsuite_domain) # Let the test domains set their current, exec and fscreate contexts. allow testsuite_domain self:process setcurrent; diff --git a/policy/test_ibendport.te b/policy/test_ibendport.te index a403be0..ccfea28 100644 --- a/policy/test_ibendport.te +++ b/policy/test_ibendport.te @@ -29,6 +29,3 @@ corenet_ib_access_unlabeled_pkeys(test_ibendport_manage_subnet_t) ') allow test_ibendport_manage_subnet_t test_ibendport_t:infiniband_endport manage_subnet; - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(ibendportdomain) diff --git a/policy/test_ibpkey.te b/policy/test_ibpkey.te index de0f5e1..863ff16 100644 --- a/policy/test_ibpkey.te +++ b/policy/test_ibpkey.te 
@@ -22,6 +22,3 @@ corenet_ib_pkey(test_ibpkey_t) ifdef(`corenet_ib_access_unlabeled_pkeys',` corenet_ib_access_unlabeled_pkeys(test_ibpkey_access_t) ') - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(ibpkeydomain) diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te index dd0e83c..5feb801 100644 --- a/policy/test_inet_socket.te +++ b/policy/test_inet_socket.te @@ -158,6 +158,3 @@ allow test_inet_client_t test_server_packet_t:packet { send recv }; # Send/recv unlabeled packets. kernel_sendrecv_unlabeled_packets(inetsocketdomain) kernel_recvfrom_unlabeled_peer(inetsocketdomain) - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(inetsocketdomain) diff --git a/policy/test_inherit.te b/policy/test_inherit.te index 15ab8fc..da26ea3 100644 --- a/policy/test_inherit.te +++ b/policy/test_inherit.te @@ -31,9 +31,6 @@ type test_inherit_nowrite_t; testsuite_domain_type(test_inherit_nowrite_t) typeattribute test_inherit_nowrite_t inheritdomain; -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(inheritdomain) - # Grant the necessary permissions for the parent domain. allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms; diff --git a/policy/test_ioctl.te b/policy/test_ioctl.te index 955695d..dc645f4 100644 --- a/policy/test_ioctl.te +++ b/policy/test_ioctl.te @@ -30,7 +30,6 @@ libs_exec_lib_files(ioctldomain) # Allow all of these domains to be entered from sysadm domain # via a shell script in the test directory or by.... -miscfiles_domain_entry_test_files(ioctldomain) corecmd_bin_entry_type(ioctldomain) sysadm_bin_spec_domtrans_to(ioctldomain) diff --git a/policy/test_ipc.te b/policy/test_ipc.te index f68d35c..21d997b 100644 --- a/policy/test_ipc.te +++ b/policy/test_ipc.te 
@@ -67,7 +67,6 @@ fs_rw_tmpfs_files(ipcdomain) # Allow all of these domains to be entered from user domains. # via a shell script in the test directory or by another program. -miscfiles_domain_entry_test_files(ipcdomain) corecmd_bin_entry_type(ipcdomain) sysadm_bin_spec_domtrans_to(ipcdomain) diff --git a/policy/test_key_socket.te b/policy/test_key_socket.te index 2763472..27a1545 100644 --- a/policy/test_key_socket.te +++ b/policy/test_key_socket.te @@ -48,10 +48,5 @@ typeattribute test_key_sock_no_read_t keysockdomain; allow test_key_sock_no_read_t self:capability { net_admin }; allow test_key_sock_no_read_t self:key_socket { create write setopt }; -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(keysockdomain) - # For CONFIG_NET_KEY=m kernel_request_load_module(keysockdomain) diff --git a/policy/test_keys.te b/policy/test_keys.te index de1b46c..250950e 100644 --- a/policy/test_keys.te +++ b/policy/test_keys.te @@ -164,8 +164,3 @@ typeattribute test_request_keys_no_link_t keydomain; allow test_request_keys_no_link_t self:key { create write search read view link setattr }; allow test_request_keys_no_link_t test_keyring_service_t:key { read write search view setattr }; - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(keydomain) diff --git a/policy/test_mmap.te b/policy/test_mmap.te index eb59dbe..d0850cc 100644 --- a/policy/test_mmap.te +++ b/policy/test_mmap.te @@ -152,6 +152,3 @@ testsuite_domain_type(test_no_execmod_t) typeattribute test_no_execmod_t mmaptestdomain; allow test_no_execmod_t test_mmap_file_t:file { open read execute }; allow_map(test_no_execmod_t, test_mmap_file_t, file) - -# Allow entrypoint via the test programs. -miscfiles_domain_entry_test_files(mmaptestdomain) diff --git a/policy/test_module_load.te b/policy/test_module_load.te index 770b2dd..a856706 100644 --- a/policy/test_module_load.te 
+++ b/policy/test_module_load.te @@ -41,8 +41,3 @@ allow test_kmodule_deny_module_request_t test_file_t:system { module_load }; allow test_kmodule_deny_module_request_t self:system { module_load }; allow_lockdown_integrity(test_kmodule_deny_module_request_t) neverallow test_kmodule_deny_module_request_t kernel_t:system { module_request }; - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(kmoduledomain) diff --git a/policy/test_mqueue.te b/policy/test_mqueue.te index ea3fa68..65ffe6d 100644 --- a/policy/test_mqueue.te +++ b/policy/test_mqueue.te @@ -55,9 +55,6 @@ type mqop_mqrw_t; files_type(mqop_mqrw_t) -# basic permision for all mqopdomains -miscfiles_domain_entry_test_files(mqopdomain) - corecmd_bin_entry_type(mqopdomain) sysadm_bin_spec_domtrans_to(mqopdomain) diff --git a/policy/test_netlink_socket.te b/policy/test_netlink_socket.te index 589e372..b6d39c2 100644 --- a/policy/test_netlink_socket.te +++ b/policy/test_netlink_socket.te @@ -41,8 +41,5 @@ netlink_socket_test(netlink_crypto_socket) # Common rules for all netlink socket class test domains. # -# Entry into the test domains via the test program. -miscfiles_domain_entry_test_files(netlinksocktestdomain) - # Trigger kernel module auto-loading of the protocol implementations. kernel_request_load_module(netlinksocktestdomain) diff --git a/policy/test_notify.te b/policy/test_notify.te index 4ffd287..fe60274 100644 --- a/policy/test_notify.te +++ b/policy/test_notify.te @@ -73,5 +73,3 @@ testsuite_domain_type(test_rdonly_t) typeattribute test_rdonly_t test_notify_domain; allow test_rdonly_t test_notify_file_t:dir { read open watch }; - -miscfiles_domain_entry_test_files(test_notify_domain) diff --git a/policy/test_open.te b/policy/test_open.te index 0d662f0..f01a5fe 100644 --- a/policy/test_open.te +++ b/policy/test_open.te 
@@ -28,6 +28,3 @@ type test_append_t; testsuite_domain_type(test_append_t) typeattribute test_append_t test_open_domain; allow test_append_t test_open_file_t:file append_file_perms; - -# Allow all of these domains to be entered from sysadm domain -miscfiles_domain_entry_test_files(test_open_domain) diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te index 8a914ff..5db46cd 100644 --- a/policy/test_perf_event.te +++ b/policy/test_perf_event.te @@ -70,8 +70,3 @@ typeattribute test_perf_no_write_t perfdomain; allow test_perf_no_write_t self:capability2 { perfmon }; allow test_perf_no_write_t self:perf_event { open cpu kernel tracepoint read }; allow_lockdown_confidentiality(test_perf_no_write_t) - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(perfdomain) diff --git a/policy/test_prlimit.te b/policy/test_prlimit.te index 4b6a5c8..b0314f3 100644 --- a/policy/test_prlimit.te +++ b/policy/test_prlimit.te @@ -36,10 +36,3 @@ spec_domtrans_pattern(test_no_$1_t, test_file_t, test_$1_child_t) prlimit_test(setrlimit) prlimit_test(getrlimit) - -# -# Common rules for all prlimit test domains. -# - -# Entry into the test domains via the test program. -miscfiles_domain_entry_test_files(prlimittestdomain) diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te index f327cc5..8c1d71c 100644 --- a/policy/test_ptrace.te +++ b/policy/test_ptrace.te @@ -33,10 +33,6 @@ userdom_search_user_home_dirs(test_ptrace_traced_t) # Let the tracer wait on the traced domain. allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld; -# Allow all of these domains to be entered from the sysadm domains. -# via a program in the test directory. -miscfiles_domain_entry_test_files(ptracedomain) - # Allow execution of helper programs. corecmd_exec_bin(ptracedomain) domain_exec_all_entry_files(ptracedomain) diff --git a/policy/test_sctp.te b/policy/test_sctp.te index 7b24b8c..e276153 100644 
--- a/policy/test_sctp.te +++ b/policy/test_sctp.te @@ -229,8 +229,3 @@ allow sctpsocketdomain proc_net_t:file { read }; allow sctpsocketdomain sysctl_net_t:dir { search }; allow sctpsocketdomain self:udp_socket { create }; allow sctpsocketdomain self:unix_dgram_socket { create ioctl }; - -# -############ Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(sctpsocketdomain) diff --git a/policy/test_setnice.te b/policy/test_setnice.te index 34a2e73..2c34643 100644 --- a/policy/test_setnice.te +++ b/policy/test_setnice.te @@ -31,7 +31,6 @@ libs_exec_lib_files(setnicedomain) # Allow all of these domains to be entered from sysadm domain # via a shell script in the test directory or by.... -miscfiles_domain_entry_test_files(setnicedomain) domain_transition_pattern(sysadm_t, test_file_t, setnicedomain) domain_transition_pattern(test_setnice_change_t, test_file_t, {test_setnice_set_t test_setnice_noset_t}) allow test_setnice_change_t test_setnice_set_t:fd use; diff --git a/policy/test_sigkill.te b/policy/test_sigkill.te index 04bed89..1aaa0af 100644 --- a/policy/test_sigkill.te +++ b/policy/test_sigkill.te @@ -40,7 +40,6 @@ allow test_kill_signal_t test_kill_server_t:process signal; # Allow all of these domains to be entered from the sysadm domains, # via kill or a program in the test directory. -miscfiles_domain_entry_test_files(killdomain) corecmd_bin_entry_type(killdomain) sysadm_bin_spec_domtrans_to(killdomain) diff --git a/policy/test_task_create.te b/policy/test_task_create.te index 54acb50..b90b2e3 100644 --- a/policy/test_task_create.te +++ b/policy/test_task_create.te @@ -20,8 +20,3 @@ type test_create_no_t; # as it makes the permission effectively unusable in real policy. testsuite_domain_type_minimal(test_create_no_t) typeattribute test_create_no_t test_create_d; - -# General rules for the test_create_d - -# Allow domain to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(test_create_d) 
diff --git a/policy/test_task_getpgid.te b/policy/test_task_getpgid.te index dad584e..4c499f7 100644 --- a/policy/test_task_getpgid.te +++ b/policy/test_task_getpgid.te @@ -24,8 +24,5 @@ type test_getpgid_no_t; testsuite_domain_type(test_getpgid_no_t) typeattribute test_getpgid_no_t test_getpgid_d; -# Allow domain to be entered from the sysadm domain -miscfiles_domain_entry_test_files(test_getpgid_d) - # Give test_getpgid_yes_t the permission needed. allow test_getpgid_yes_t test_getpgid_target_t:process getpgid; diff --git a/policy/test_task_getsched.te b/policy/test_task_getsched.te index f541d58..98b267f 100644 --- a/policy/test_task_getsched.te +++ b/policy/test_task_getsched.te @@ -24,8 +24,5 @@ type test_getsched_no_t; testsuite_domain_type(test_getsched_no_t) typeattribute test_getsched_no_t test_getsched_d; -# Allow domain to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(test_getsched_d) - # Give test_getsched_yes_t the permission needed. allow test_getsched_yes_t test_getsched_target_t:process getsched; diff --git a/policy/test_task_getsid.te b/policy/test_task_getsid.te index 8c21d9a..b53d454 100644 --- a/policy/test_task_getsid.te +++ b/policy/test_task_getsid.te @@ -24,8 +24,5 @@ type test_getsid_no_t; testsuite_domain_type(test_getsid_no_t) typeattribute test_getsid_no_t test_getsid_d; -# Allow domain to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(test_getsid_d) - # Give test_getsid_yes_t the permission needed. allow test_getsid_yes_t test_getsid_target_t:process getsession; diff --git a/policy/test_task_setpgid.te b/policy/test_task_setpgid.te index 25e06d4..bb8afa7 100644 --- a/policy/test_task_setpgid.te +++ b/policy/test_task_setpgid.te 
@@ -15,6 +15,3 @@ typeattribute test_setpgid_yes_t test_setpgid_d; type test_setpgid_no_t; testsuite_domain_type_minimal(test_setpgid_no_t) typeattribute test_setpgid_no_t test_setpgid_d; - -# Allow domain to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(test_setpgid_d) diff --git a/policy/test_task_setsched.te b/policy/test_task_setsched.te index 432135e..3e75cf6 100644 --- a/policy/test_task_setsched.te +++ b/policy/test_task_setsched.te @@ -26,9 +26,6 @@ type test_setsched_no_t; testsuite_domain_type(test_setsched_no_t) typeattribute test_setsched_no_t test_setsched_d; -# Allow domain to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(test_setsched_d) - # Allow these domains to execute renice. corecmd_bin_entry_type(test_setsched_d) diff --git a/policy/test_tun_tap.te b/policy/test_tun_tap.te index e1aef8d..28efc10 100644 --- a/policy/test_tun_tap.te +++ b/policy/test_tun_tap.te @@ -91,8 +91,3 @@ allow test_newcon_no_from_tun_tap_t self:tun_socket { relabelto }; # For switch back on error: allow test_tun_tap_t test_newcon_no_from_tun_tap_t:fd { use }; allow test_newcon_no_from_tun_tap_t test_tun_tap_t:process { dyntransition }; - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(tuntapdomain) diff --git a/policy/test_unix_socket.te b/policy/test_unix_socket.te index 69720f0..f4e9e41 100644 --- a/policy/test_unix_socket.te +++ b/policy/test_unix_socket.te @@ -58,6 +58,3 @@ allow test_unix_server_t test_unix_dgram_client_t:unix_dgram_socket sendto; type test_socketpair_t; testsuite_domain_type(test_socketpair_t) typeattribute test_socketpair_t unixsocketdomain; - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(unixsocketdomain) diff --git a/policy/test_userfaultfd.te b/policy/test_userfaultfd.te index 5cb7d1c..f5a6613 100644 --- a/policy/test_userfaultfd.te +++ b/policy/test_userfaultfd.te 
@@ -45,6 +45,3 @@ userfaultfd_domain_type(test_noread_uffd_t) # userfaultfd(2) requires CAP_SYS_PTRACE allow test_uffd_domain self:capability { sys_ptrace }; - -# Allow all of these domains to be executed -miscfiles_domain_entry_test_files(test_uffd_domain) diff --git a/policy/test_vsock_socket.te b/policy/test_vsock_socket.te index 4bb989a..dbd47f4 100644 --- a/policy/test_vsock_socket.te +++ b/policy/test_vsock_socket.te @@ -42,6 +42,3 @@ vsock_client(noread, connect create getattr getopt setopt shutdown write) vsock_client(nogetattr, connect create getopt setopt read shutdown write) vsock_client(nogetopt, connect create getattr setopt read shutdown write) vsock_client(nosetopt, connect create getattr getopt read shutdown write) - -# Allow all of these domains to be entered from the sysadm domain. -miscfiles_domain_entry_test_files(vsocksocketdomain) diff --git a/policy/test_watchkey.te b/policy/test_watchkey.te index 101d68a..a85bd20 100644 --- a/policy/test_watchkey.te +++ b/policy/test_watchkey.te 
@@ -15,8 +15,3 @@ allow test_watchkey_t self:key { view }; type test_watchkey_no_view_t; testsuite_domain_type(test_watchkey_no_view_t) typeattribute test_watchkey_no_view_t watchkeydomain; - -# -########### Allow these domains to be entered from sysadm domain ############ -# -miscfiles_domain_entry_test_files(watchkeydomain) From patchwork Fri Jul 29 12:02:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 12932378 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8EFE2C19F29 for ; Fri, 29 Jul 2022 12:03:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235972AbiG2MDB (ORCPT ); Fri, 29 Jul 2022 08:03:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40868 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235751AbiG2MDA (ORCPT ); Fri, 29 Jul 2022 08:03:00 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 98C5F863E0 for ; Fri, 29 Jul 2022 05:02:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1659096178; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nmzMdpEjfOAzkgilv+vyVemlaHkoJx1T9GESikwb1uM=; b=EIL4OA0qQS4kUTYhvxc4Znl+1xibq9haLJndiiJCYnDey9xJCK19eGh6Hid2mAwEtZOw6J 5Ca3ZWyL15d/HDkkhIwWh7+s9C3FrrKiNEkjl6SAdUzSNCApF3eOOpmnVTUX/5yVmCR/UX N7tonFP2Bdx/Bangp330Po4ZU379RrM= Received: from mail-wr1-f72.google.com 
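Review bot: the removal is only equivalent if every attribute that loses its per-file miscfiles_domain_entry_test_files() call consists solely of types that carry the testsuite_domain attribute. That is visible for most files through testsuite_domain_type() in the hunk context, but the test_mqueue.te hunk (mqopdomain) shows no such call in context, and test_task_create.te and test_task_setpgid.te use testsuite_domain_type_minimal(); please confirm the minimal variant also adds testsuite_domain, otherwise those domains silently lose their entrypoint on the test files. Two smaller points: in the test_global.te hunk the new comment reads "Let all test domains read test directories and files and to use test files as entry points", which should drop the "to" ("... and use test files as entry points"); and the test_ioctl.te, test_ipc.te, test_setnice.te and test_sigkill.te hunks keep the "Allow all of these domains to be entered from sysadm domain ... or by...." comment above corecmd_bin_entry_type()/sysadm_bin_spec_domtrans_to(), which still describes the remaining rules but could have its trailing "or by...." fragment finished while the region is being touched.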
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 10/24] policy: substitute userdom_sysadm_entry_spec_domtrans_to() Date: Fri, 29 Jul 2022 14:02:15 +0200 Message-Id: <20220729120229.207584-11-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Use sysadm_entry_spec_domtrans_to() which is the actual name of the interface in Fedora policy and refpolicy now. userdom_sysadm_entry_spec_domtrans_to() has been deprecated. sysadm_entry_spec_domtrans_to() is available even as far back as RHEL-6 and also in refpolicy, so remove the whole fallback implementation. Signed-off-by: Ondrej Mosnacek --- policy/test_global.te | 2 +- policy/test_policy.if | 13 ------------- 2 files changed, 1 insertion(+), 14 deletions(-) diff --git a/policy/test_global.te b/policy/test_global.te index 667c272..aceac48 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -41,7 +41,7 @@ allow testsuite_domain init_t:fd use; allow testsuite_domain initrc_t:fd use; # Allow the test domain to be entered from sysadm_t -userdom_sysadm_entry_spec_domtrans_to(testsuite_domain) +sysadm_entry_spec_domtrans_to(testsuite_domain) # Allow the test domains to access the test directory and files # even if they are not root owned. diff --git a/policy/test_policy.if b/policy/test_policy.if index 6cef8dd..89ab6f7 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if 
@@ -17,19 +17,6 @@ ## # -ifdef(`userdom_sysadm_entry_spec_domtrans_to',`', ` dnl -interface(`userdom_sysadm_entry_spec_domtrans_to',` - gen_require(` - type sysadm_t; - ') - - domain_entry_file_spec_domtrans(sysadm_t, $1) - allow $1 sysadm_t:fd use; - allow $1 sysadm_t:fifo_file rw_file_perms; - allow $1 sysadm_t:process sigchld; -') -') - interface(`testsuite_domain_type_common',` gen_require(` attribute testsuite_domain; From patchwork Fri Jul 29 12:02:16 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 12932372 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 88FA3C00144 for ; Fri, 29 Jul 2022 12:02:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235959AbiG2MC4 (ORCPT ); Fri, 29 Jul 2022 08:02:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40816 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235751AbiG2MCz (ORCPT ); Fri, 29 Jul 2022 08:02:55 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id AF8C7863DF for ; Fri, 29 Jul 2022 05:02:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1659096173; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=AMpM46hByXSHkPlVjlvwfNHdJ1v64qmFISvJRE+NWD8=; b=eyXZDuLsWmPm7gHNxSMfUEVu5X1DL/+I14KzpToOK6y6Wgl0RhjEXtERePqUb5hJNDcF78 
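Review bot: the dropped fallback in test_policy.if granted more than the domain transition; it also carried `allow $1 sysadm_t:fd use;`, `allow $1 sysadm_t:fifo_file rw_file_perms;` and `allow $1 sysadm_t:process sigchld;`. Please state in the commit message that the refpolicy/Fedora sysadm_entry_spec_domtrans_to() grants the same fd, fifo_file and sigchld accesses to the test domains, otherwise inherited descriptors and exit notification from sysadm_t regress once the local definition is gone. Removing the ifdef guard also turns a missing interface from a silent fallback into a policy build failure; given the RHEL-6 availability statement that is the intended behaviour, but it is worth a line in the message.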
i3-20020a05600c354300b003a2e92edeccsm9590622wmq.46.2022.07.29.05.02.48 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jul 2022 05:02:48 -0700 (PDT) From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 11/24] test_general.te: move sysadm-related rules into an optional block Date: Fri, 29 Jul 2022 14:02:16 +0200 Message-Id: <20220729120229.207584-12-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org That should allow running selinux-testsuite with the sysadm module disabled. Signed-off-by: Ondrej Mosnacek --- policy/test_global.te | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/policy/test_global.te b/policy/test_global.te index aceac48..3862ee7 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -25,12 +25,21 @@ optional_policy(` dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh }; ') -gen_require(` - role sysadm_r; -') +optional_policy(` + gen_require(` + role sysadm_r; + ') + + # Authorize sysadm_r for the test domains. + role sysadm_r types testsuite_domain; -# Authorize sysadm_r for the test domains. -role sysadm_r types testsuite_domain; + # Allow the test domain to be entered from sysadm_t + sysadm_entry_spec_domtrans_to(testsuite_domain) + + # Let sysadm_t use runcon to run the test programs in various domains. + #allow sysadm_t self:process setexec; + #selinux_get_fs_mount(sysadm_t) +') # Allow the test domains to access the sysadm terminal. # This allows read and write sysadm ttys and ptys. 
@@ -40,17 +49,10 @@ term_use_all_terms(testsuite_domain) allow testsuite_domain init_t:fd use; allow testsuite_domain initrc_t:fd use; -# Allow the test domain to be entered from sysadm_t -sysadm_entry_spec_domtrans_to(testsuite_domain) - # Allow the test domains to access the test directory and files # even if they are not root owned. allow testsuite_domain self:capability { dac_override dac_read_search }; -# Let sysadm_t use runcon to run the test programs in various domains. -#allow sysadm_t self:process setexec; -#selinux_get_fs_mount(sysadm_t) - # Let all test domains read test directories and files and to use test # files as entry points. miscfiles_read_test_files(testsuite_domain) From patchwork Fri Jul 29 12:02:17 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 12932373 X-Patchwork-Delegate: omosnacek@gmail.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E02BC00144 for ; Fri, 29 Jul 2022 12:02:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235867AbiG2MC5 (ORCPT ); Fri, 29 Jul 2022 08:02:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40840 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230456AbiG2MC5 (ORCPT ); Fri, 29 Jul 2022 08:02:57 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 61AC7863DF for ; Fri, 29 Jul 2022 05:02:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1659096175; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: 
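Review bot: the two commented-out rules (`#allow sysadm_t self:process setexec;` and `#selinux_get_fs_mount(sysadm_t)`) are carried into the new optional_policy block as dead code; since the first hunk rewrites this region anyway, drop them rather than move them. The gating itself is right: gen_require of role sysadm_r inside optional_policy makes the whole block, including sysadm_entry_spec_domtrans_to(testsuite_domain), disappear when the sysadm module is absent. Note, though, that the per-test sysadm_bin_spec_domtrans_to() calls visible as context in earlier hunks of this series (test_file.te, test_ioctl.te, test_ipc.te, test_sigkill.te) and domain_transition_pattern(sysadm_t, ...) in test_setnice.te remain unconditional, so the stated goal of running with the sysadm module disabled may still need those wrapped as well.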
k3-20020a05600c1c8300b003a326312fecmr2185935wms.155.1659096172003; Fri, 29 Jul 2022 05:02:52 -0700 (PDT) Received: from localhost.localdomain ([2a02:8308:b106:e300:32b0:6ebb:8ca4:d4d3]) by smtp.gmail.com with ESMTPSA id i3-20020a05600c354300b003a2e92edeccsm9590622wmq.46.2022.07.29.05.02.50 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jul 2022 05:02:50 -0700 (PDT) From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 12/24] test_filesystem.te: remove redundant dontaudit rules Date: Fri, 29 Jul 2022 14:02:17 +0200 Message-Id: <20220729120229.207584-13-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org These accesses should already be allowed to unconfined_t via files_type(). Signed-off-by: Ondrej Mosnacek --- policy/test_filesystem.te | 2 -- policy/test_filesystem_name_trans.te | 4 +--- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te index 5de489c..4942e0d 100644 --- a/policy/test_filesystem.te +++ b/policy/test_filesystem.te @@ -57,7 +57,6 @@ allow test_filesystem_t test_filesystem_filecon_t:file { open read getattr relab fs_associate(test_filesystem_filetranscon_t) type_transition test_filesystem_t test_filesystem_file_t:file test_filesystem_filetranscon_t; allow test_filesystem_t test_filesystem_filetranscon_t:file { create getattr open write relabelfrom }; -dontaudit unconfined_t test_filesystem_filetranscon_t:file { getattr read }; # For NFS type_transition test_filesystem_t test_file_t:file test_filesystem_filetranscon_t; 
@@ -268,7 +267,6 @@ fs_associate(test_filesystem_inode_setxattr_no_associate_t) # Create test file allow test_filesystem_inode_setxattr_no_associate_t self:file { create relabelfrom relabelto }; # neverallow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate }; -dontaudit unconfined_t test_filesystem_filecon_t:file { getattr read }; allow test_filesystem_inode_setxattr_no_associate_t unconfined_t:dir { add_name write }; allow test_filesystem_inode_setxattr_no_associate_t unconfined_t:file { create relabelfrom relabelto }; diff --git a/policy/test_filesystem_name_trans.te b/policy/test_filesystem_name_trans.te index 7e336e4..9956c07 100644 --- a/policy/test_filesystem_name_trans.te +++ b/policy/test_filesystem_name_trans.te 
@@ -12,12 +12,10 @@ files_type(test_filesystem_filenametranscon2_t) fs_associate(test_filesystem_filenametranscon1_t) type_transition test_filesystem_t test_filesystem_file_t:file test_filesystem_filenametranscon1_t "name_trans_test_file1"; allow test_filesystem_t test_filesystem_filenametranscon1_t:file { create getattr open write }; -dontaudit unconfined_t test_filesystem_filenametranscon1_t:file { getattr read }; -# + fs_associate(test_filesystem_filenametranscon2_t) type_transition test_filesystem_t test_filesystem_file_t:file test_filesystem_filenametranscon2_t "name_trans_test_file2"; allow test_filesystem_t test_filesystem_filenametranscon2_t:file { create getattr open write }; -dontaudit unconfined_t test_filesystem_filenametranscon2_t:file { getattr read }; ### NFS Rules ########## type_transition test_filesystem_t test_file_t:file test_filesystem_filenametranscon1_t "name_trans_test_file1";

From patchwork Fri Jul 29 12:02:18 2022
X-Patchwork-Id: 12932374
From: Ondrej Mosnacek
To: selinux@vger.kernel.org
Subject: [PATCH testsuite 13/24] test_filesystem.te: remove suspicious rules
Date: Fri, 29 Jul 2022 14:02:18 +0200
Message-Id: <20220729120229.207584-14-omosnace@redhat.com>
In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com>
References: <20220729120229.207584-1-omosnace@redhat.com>

These don't seem to make sense. Get rid of them.

Signed-off-by: Ondrej Mosnacek
---
 policy/test_filesystem.te | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te index 4942e0d..d8c5c51 100644 --- a/policy/test_filesystem.te +++ b/policy/test_filesystem.te @@ -126,7 +126,6 @@ fs_getattr_xattr_fs(test_filesystem_may_create_no_associate_t) # Create test file # neverallow unlabeled_t test_filesystem_may_create_no_associate_t:filesystem { associate }; allow test_filesystem_may_create_no_associate_t self:file { create relabelfrom relabelto }; -allow test_filesystem_may_create_no_associate_t unconfined_t:file { open read write }; allow test_filesystem_may_create_no_associate_t unlabeled_t:dir { add_name search write }; allow test_filesystem_may_create_no_associate_t unlabeled_t:file { create open relabelfrom write };
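Review bot: "These don't seem to make sense" leaves the next reader to rediscover why `-allow test_filesystem_may_create_no_associate_t unconfined_t:file { open read write };` can go. The surrounding rules in this hunk (self:file { create relabelfrom relabelto } and the unlabeled_t dir/file create rules) describe a domain whose only job is to create a file and relabel it, and opening, reading or writing unconfined_t files plays no part in that; please say so in the message. While here, the commented-out `# neverallow unlabeled_t test_filesystem_may_create_no_associate_t:filesystem { associate };` two lines above is dead text of the same kind, so either enable it or drop it.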
@@ -266,9 +265,6 @@ fs_associate(test_filesystem_inode_setxattr_no_associate_t) # Create test file allow test_filesystem_inode_setxattr_no_associate_t self:file { create relabelfrom relabelto }; -# neverallow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate }; -allow test_filesystem_inode_setxattr_no_associate_t unconfined_t:dir { add_name write }; -allow test_filesystem_inode_setxattr_no_associate_t unconfined_t:file { create relabelfrom relabelto }; ################# Test process { setfscreate } ############# type test_setfscreatecon_t; @@ -357,7 +353,6 @@ allow test_filesystem_sb_relabel_no_relabelfrom_t self:filesystem { mount relabe allow test_filesystem_sb_relabel_no_relabelfrom_t self:filesystem { mount }; allow test_filesystem_may_create_no_associate_t nfs_t:filesystem { associate }; -allow test_filesystem_may_create_no_associate_t unconfined_t:file { getattr relabelto }; allow test_filesystem_may_create_no_associate_t test_file_t:dir { add_name }; allow test_filesystem_may_create_no_associate_t test_file_t:file { create write relabelfrom }; allow test_filesystem_may_create_no_associate_t test_filesystem_file_t:filesystem { mount unmount relabelto }; 
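Review bot: dropping `-allow test_filesystem_may_create_no_associate_t unconfined_t:file { getattr relabelto };` in the @@ -357 hunk changes why the tests/filesystem `create_file_change_context -t unconfined_t` case (still targeting unconfined_t at this point in the series) gets its EACCES. The inode setxattr hook checks file relabelfrom and relabelto before the filesystem associate check, so with relabelto gone the denial now happens on relabelto, and the `# neverallow ... :filesystem { associate }` property the surrounding comments describe is no longer what the test exercises. The exit code is the same so the test still passes, but either reorder this after the test is retargeted away from unconfined_t or note the shift in the commit message so a bisect does not mislead.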
@@ -365,7 +360,6 @@ allow test_file_t test_filesystem_may_create_no_associate_t:filesystem { associa allow unconfined_t test_filesystem_may_create_no_associate_t:filesystem { getattr mount relabelto unmount }; # neverallow unconfined_t test_filesystem_may_create_no_associate_t:filesystem { associate }; -allow test_filesystem_inode_setxattr_no_associate_t unconfined_t:file { getattr open read write }; allow test_filesystem_inode_setxattr_no_associate_t nfs_t:filesystem { associate }; allow test_filesystem_inode_setxattr_no_associate_t test_file_t:dir { add_name }; allow test_filesystem_inode_setxattr_no_associate_t test_file_t:file { create relabelfrom write };

From patchwork Fri Jul 29 12:02:19 2022
X-Patchwork-Id: 12932377
From: Ondrej Mosnacek
To: selinux@vger.kernel.org
Subject: [PATCH testsuite 14/24] tests/nnp_nosuid: avoid hardcoding unconfined_t in the policy
Date: Fri, 29 Jul 2022 14:02:19 +0200
Message-Id: <20220729120229.207584-15-omosnace@redhat.com>
In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com>
References: <20220729120229.207584-1-omosnace@redhat.com>

Add an intermediate domain which is entered first to avoid the need to reference the calling domain in the policy.

Signed-off-by: Ondrej Mosnacek
---
 policy/test_nnp_nosuid.te | 26 +++++++++++++---------
 tests/nnp_nosuid/test | 45 +++++++++++++++++++++++----------------
 2 files changed, 43 insertions(+), 28 deletions(-)

diff --git a/policy/test_nnp_nosuid.te b/policy/test_nnp_nosuid.te index ad5f742..8d5a1c6 100644 --- a/policy/test_nnp_nosuid.te +++ b/policy/test_nnp_nosuid.te
@@ -3,19 +3,25 @@ # Policy for testing NO_NEW_PRIVS and nosuid transitions. # +# An intermediate domain to avoid referencing the caller domain. +type test_intermediate_t; +testsuite_domain_type(test_intermediate_t) +# executes runcon +corecmd_exec_bin(test_intermediate_t) + # A domain bounded by the unconfined domain. type test_bounded_t; testsuite_domain_type(test_bounded_t) -typebounds unconfined_t test_bounded_t; +typebounds test_intermediate_t test_bounded_t; # The entrypoint type for this domain. type test_bounded_exec_t; files_type(test_bounded_exec_t) domain_entry_file(test_bounded_t, test_bounded_exec_t) -domain_entry_file(unconfined_t, test_bounded_exec_t) +domain_entry_file(test_intermediate_t, test_bounded_exec_t) # Run it! This should succeed on v3.18 or later, fail on older kernels. -unconfined_run_to(test_bounded_t, test_bounded_exec_t) +domtrans_pattern(test_intermediate_t, test_bounded_exec_t, test_bounded_t) # A domain that is not bounded by the unconfined domain. type test_notbounded_t; @@ -27,7 +33,7 @@ files_type(test_notbounded_exec_t) domain_entry_file(test_notbounded_t, test_notbounded_exec_t) # Run it! This should fail always. -unconfined_run_to(test_notbounded_t, test_notbounded_exec_t) +domtrans_pattern(test_intermediate_t, test_notbounded_exec_t, test_notbounded_t) # A domain to which the unconfined domain is allowed nnp_transition. type test_nnptransition_t; 
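Review bot: the comments in this hunk now contradict the rules under them: "# A domain bounded by the unconfined domain." sits above `+typebounds test_intermediate_t test_bounded_t;`, "# A domain that is not bounded by the unconfined domain." above a domtrans_pattern from test_intermediate_t, and "# A domain to which the unconfined domain is allowed nnp_transition." introduces a type whose nnp_transition is granted to test_intermediate_t in the following hunks (the same wording recurs there for the nosuid_transition and combined domains). Please reword them to name test_intermediate_t, and extend the "# An intermediate domain to avoid referencing the caller domain." comment to say that the caller enters it with `runcon -t test_intermediate_t` (the `$run` prefix the test adds), so the indirection is obvious to someone reading only the policy.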
@@ -39,9 +45,9 @@ files_type(test_nnptransition_exec_t) domain_entry_file(test_nnptransition_t, test_nnptransition_exec_t) # Run it! This should succeed on v4.14 or later. -unconfined_run_to(test_nnptransition_t, test_nnptransition_exec_t) +domtrans_pattern(test_intermediate_t, test_nnptransition_exec_t, test_nnptransition_t) ifdef(`nnp_nosuid_transition_permission_defined', ` -allow unconfined_t test_nnptransition_t:process2 nnp_transition; +allow test_intermediate_t test_nnptransition_t:process2 nnp_transition; ') # A domain to which the unconfined domain is allowed nosuid_transition. @@ -54,9 +60,9 @@ files_type(test_nosuidtransition_exec_t) domain_entry_file(test_nosuidtransition_t, test_nosuidtransition_exec_t) # Run it! This should succeed on v4.14 or later. -unconfined_run_to(test_nosuidtransition_t, test_nosuidtransition_exec_t) +domtrans_pattern(test_intermediate_t, test_nosuidtransition_exec_t, test_nosuidtransition_t) ifdef(`nnp_nosuid_transition_permission_defined', ` -allow unconfined_t test_nosuidtransition_t:process2 nosuid_transition; +allow test_intermediate_t test_nosuidtransition_t:process2 nosuid_transition; ') # A domain to which the unconfined domain is allowed both nosuid_transition and nnp_transition. @@ -69,7 +75,7 @@ files_type(test_nosuidtransition_exec_t) domain_entry_file(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t) # Run it! This should succeed on v4.14 or later. -unconfined_run_to(test_nnpnosuidtransition_t, test_nnpnosuidtransition_exec_t) +domtrans_pattern(test_intermediate_t, test_nnpnosuidtransition_exec_t, test_nnpnosuidtransition_t) ifdef(`nnp_nosuid_transition_permission_defined', ` -allow unconfined_t test_nnpnosuidtransition_t:process2 { nnp_transition nosuid_transition }; +allow test_intermediate_t test_nnpnosuidtransition_t:process2 { nnp_transition nosuid_transition }; ') diff --git a/tests/nnp_nosuid/test b/tests/nnp_nosuid/test index 4e13927..bebe575 100755 --- a/tests/nnp_nosuid/test 
+++ b/tests/nnp_nosuid/test @@ -31,31 +31,36 @@ system("chcon -t test_bounded_exec_t $basedir/checkcon"); # Create nosuid mount. system("mkdir -p $basedir/testdir"); system("mount -t tmpfs -o nosuid none $basedir/testdir"); +system("chcon -t test_file_t $basedir/testdir"); # Set entrypoint type for bounded domain under nosuid. system("cp $basedir/checkcon $basedir/testdir"); system("chcon -t test_bounded_exec_t $basedir/testdir/checkcon"); +# Run everything from test_intermediate_t (to simplify the policy) +$run = "runcon -t test_intermediate_t --"; + # Transition under NNP to bounded type via setexec. $result = system( -"$basedir/execnnp -n -- runcon -t test_bounded_t $basedir/checkcon test_bounded_t 2>&1" +"$run $basedir/execnnp -n -- runcon -t test_bounded_t $basedir/checkcon test_bounded_t 2>&1" ); ok( $result, 0 ); #this should pass # Transition on nosuid to bounded type via setexec. $result = system( -"$basedir/execnnp -- runcon -t test_bounded_t $basedir/testdir/checkcon test_bounded_t 2>&1" +"$run $basedir/execnnp -- runcon -t test_bounded_t $basedir/testdir/checkcon test_bounded_t 2>&1" ); ok( $result, 0 ); #this should pass # Automatic transition under NNP to bounded domain via exec. $result = - system("$basedir/execnnp -n -- $basedir/checkcon test_bounded_t 2>&1"); + system("$run $basedir/execnnp -n -- $basedir/checkcon test_bounded_t 2>&1"); ok( $result, 0 ); #this should pass # Automatic transition on nosuid to bounded domain via exec. $result = - system("$basedir/execnnp -- $basedir/testdir/checkcon test_bounded_t 2>&1"); + system( + "$run $basedir/execnnp -- $basedir/testdir/checkcon test_bounded_t 2>&1"); ok( $result, 0 ); #this should pass # Use true as an entrypoint program to test ability to exec at all. 
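Review bot: `+system("chcon -t test_file_t $basedir/testdir");` is the one behavioural addition in this hunk that the commit message does not explain; it relabels the freshly mounted nosuid tmpfs before checkcon is copied into it, presumably because test_intermediate_t, unlike the unconfined caller, is not allowed to search or execute from the mount point's default type. Please put the reason in a comment next to the line (the neighbouring chcon calls on checkcon are self-explanatory, this one is not) and mention it in the message; a failed chcon here would otherwise surface later as confusing denials in the nosuid cases rather than at the setup step.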
@@ -71,25 +76,28 @@ system( # Transition under NNP to notbounded domain via setexec. $result = system( - "$basedir/execnnp -n -- runcon -t test_notbounded_t $basedir/true 2>&1"); + "$run $basedir/execnnp -n -- runcon -t test_notbounded_t $basedir/true 2>&1" + ); ok($result); #this should fail # Transition on nosuid to notbounded domain via setexec. $result = system( - "$basedir/execnnp -- runcon -t test_notbounded_t $basedir/testdir/true 2>&1" +"$run $basedir/execnnp -- runcon -t test_notbounded_t $basedir/testdir/true 2>&1" ); ok($result); #this should fail # Automatic transition under NNP to notbounded domain via exec. $result = - system("$basedir/execnnp -n -- $basedir/checkcon test_notbounded_t 2>&1"); + system( + "$run $basedir/execnnp -n -- $basedir/checkcon test_notbounded_t 2>&1"); ok($result); #this should fail # Automatic transition on nosuid to notbounded domain via exec. $result = system( - "$basedir/execnnp -- $basedir/testdir/checkcon test_notbounded_t 2>&1"); + "$run $basedir/execnnp -- $basedir/testdir/checkcon test_notbounded_t 2>&1" + ); ok($result); #this should fail if ($test_nnp_nosuid_transition) { 
@@ -104,27 +112,28 @@ if ($test_nnp_nosuid_transition) { # Transition under NNP to nnptransition domain via setexec. $result = system( -"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/true 2>&1" +"$run $basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/true 2>&1" ); ok( $result, 0 ); #this should succeed # Transition under NNP+nosuid to nnptransition domain via setexec. $result = system( -"$basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/testdir/true 2>&1" +"$run $basedir/execnnp -n -- runcon -t test_nnptransition_t $basedir/testdir/true 2>&1" ); ok($result); #this should fail # Automatic transition under NNP to nnptransition domain via exec. $result = system( - "$basedir/execnnp -n -- $basedir/checkcon test_nnptransition_t 2>&1"); +"$run $basedir/execnnp -n -- $basedir/checkcon test_nnptransition_t 2>&1" + ); ok( $result, 0 ); #this should succeed # Automatic transition under NNP+nosuid to nnptransition domain via exec. $result = system( -"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nnptransition_t 2>&1" +"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nnptransition_t 2>&1" ); ok($result); #this should fail 
@@ -136,28 +145,28 @@ if ($test_nnp_nosuid_transition) { # Transition under nosuid to nosuidtransition domain via setexec. $result = system( -"$basedir/execnnp -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" +"$run $basedir/execnnp -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" ); ok( $result, 0 ); #this should succeed # Transition under NNP+nosuid to nosuidtransition domain via setexec. $result = system( -"$basedir/execnnp -n -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" +"$run $basedir/execnnp -n -- runcon -t test_nosuidtransition_t $basedir/testdir/true 2>&1" ); ok($result); #this should fail # Automatic transition under nosuid to nosuidtransition domain via exec. $result = system( -"$basedir/execnnp -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" +"$run $basedir/execnnp -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" ); ok( $result, 0 ); #this should succeed # Automatic transition under NNP+nosuid to nosuidtransition domain via exec. $result = system( -"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" +"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nosuidtransition_t 2>&1" ); ok($result); #this should fail 
@@ -169,14 +178,14 @@ if ($test_nnp_nosuid_transition) { # Transition under NNP+nosuid to nnpnosuidtransition domain via setexec. $result = system( -"$basedir/execnnp -n -- runcon -t test_nnpnosuidtransition_t $basedir/testdir/true 2>&1" +"$run $basedir/execnnp -n -- runcon -t test_nnpnosuidtransition_t $basedir/testdir/true 2>&1" ); ok( $result, 0 ); #this should succeed # Automatic transition under NNP+nosuid to nnpnosuidtransition domain via exec. $result = system( -"$basedir/execnnp -n -- $basedir/testdir/checkcon test_nnpnosuidtransition_t 2>&1" +"$run $basedir/execnnp -n -- $basedir/testdir/checkcon test_nnpnosuidtransition_t 2>&1" ); ok( $result, 0 ); #this should succeed }

From patchwork Fri Jul 29 12:02:20 2022
X-Patchwork-Id: 12932379
From: Ondrej Mosnacek
To: selinux@vger.kernel.org
Subject: [PATCH testsuite 15/24] tests/*filesystem: remove weird uses of unconfined_t
Date: Fri, 29 Jul 2022 14:02:20 +0200
Message-Id: <20220729120229.207584-16-omosnace@redhat.com>
In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com>
References: <20220729120229.207584-1-omosnace@redhat.com>

It seems more logical to drop the associate permission for test_file_t from the *_no_associate_t domains and use test_file_t in the tests instead of unconfined_t.

This also fixes the tests as they weren't testing the associate permission (as the comments say), but in fact they were failing on the lack of relabelto unconfined_t permission instead.

Signed-off-by: Ondrej Mosnacek
---
 policy/test_filesystem.te | 8 ++------
 tests/filesystem/test | 4 ++--
 tests/fs_filesystem/test | 4 ++--
 tests/nfs_filesystem/test | 4 ++--
 4 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te index d8c5c51..59eac2b 100644 --- a/policy/test_filesystem.te +++ b/policy/test_filesystem.te
@@ -356,16 +356,12 @@ allow test_filesystem_may_create_no_associate_t nfs_t:filesystem { associate }; allow test_filesystem_may_create_no_associate_t test_file_t:dir { add_name }; allow test_filesystem_may_create_no_associate_t test_file_t:file { create write relabelfrom }; allow test_filesystem_may_create_no_associate_t test_filesystem_file_t:filesystem { mount unmount relabelto }; -allow test_file_t test_filesystem_may_create_no_associate_t:filesystem { associate }; -allow unconfined_t test_filesystem_may_create_no_associate_t:filesystem { getattr mount relabelto unmount }; -# neverallow unconfined_t test_filesystem_may_create_no_associate_t:filesystem { associate }; +# neverallow test_file_t test_filesystem_may_create_no_associate_t:filesystem { associate }; allow test_filesystem_inode_setxattr_no_associate_t nfs_t:filesystem { associate }; allow test_filesystem_inode_setxattr_no_associate_t test_file_t:dir { add_name }; allow test_filesystem_inode_setxattr_no_associate_t test_file_t:file { create relabelfrom write }; -allow test_file_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate }; -allow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem { getattr mount relabelfrom relabelto unmount }; -# neverallow unconfined_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate }; +# neverallow test_file_t test_filesystem_inode_setxattr_no_associate_t:filesystem { associate }; # ############### Rules for NFS mount ################## diff --git a/tests/filesystem/test b/tests/filesystem/test index c94deda..382923a 100755 --- a/tests/filesystem/test +++ b/tests/filesystem/test 
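Review bot: the only visible rules from the two *_no_associate_t domains toward test_file_t after this hunk are `test_file_t:file { create write relabelfrom }` and `test_file_t:file { create relabelfrom write }`, neither of which includes relabelto. Unless relabelto on test_file_t:file is granted elsewhere in the policy, the retargeted `create_file_change_context -t test_file_t` calls would be denied on file relabelto before the filesystem associate check is reached, which is exactly the "failing for the wrong reason" problem the commit message sets out to fix. Please confirm from the AVC record that the denied permission is `associate` on class filesystem rather than `relabelto` on class file (or check with `sesearch -A -s test_filesystem_may_create_no_associate_t -t test_file_t -c file -p relabelto`), and consider turning the two `+# neverallow test_file_t ...:filesystem { associate };` comments into real neverallow statements so that a future interface granting associate is rejected at policy build time instead of silently breaking the EACCES expectation.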
@@ -476,7 +476,7 @@ if ( not $nfs_enabled and not $vfat_enabled ) { print "Creating test file $basedir/mntpoint/mp1/test_file\n"; $result = system( -"runcon -t test_filesystem_may_create_no_associate_t $basedir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1" +"runcon -t test_filesystem_may_create_no_associate_t $basedir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1" ); ok( $result >> 8 eq 13 ); # EACCES @@ -783,7 +783,7 @@ if ( not $nfs_enabled and not $vfat_enabled ) { ok( $result eq 0 ); $result = system( -"runcon -t test_filesystem_inode_setxattr_no_associate_t $basedir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1" +"runcon -t test_filesystem_inode_setxattr_no_associate_t $basedir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1" ); ok( $result >> 8 eq 13 ); # EACCES diff --git a/tests/fs_filesystem/test b/tests/fs_filesystem/test index e706e42..9917c41 100755 --- a/tests/fs_filesystem/test +++ b/tests/fs_filesystem/test @@ -504,7 +504,7 @@ if ( not $nfs_enabled and not $vfat_enabled ) { print "Creating test file $basedir/mntpoint/mp1/test_file\n"; $result = system( -"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1" +"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1" ); ok( $result >> 8 eq 13 ); # EACCES 
@@ -813,7 +813,7 @@ if ( not $nfs_enabled and not $vfat_enabled ) { ok( $result eq 0 ); $result = system( -"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context -t unconfined_t -f $basedir/mntpoint/mp1/test_file $v 2>&1" +"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context -t test_file_t -f $basedir/mntpoint/mp1/test_file $v 2>&1" ); ok( $result >> 8 eq 13 ); # EACCES diff --git a/tests/nfs_filesystem/test b/tests/nfs_filesystem/test index e43da67..fc8d525 100755 --- a/tests/nfs_filesystem/test +++ b/tests/nfs_filesystem/test @@ -240,7 +240,7 @@ while ( $i < 2 ) { ok( $result eq 0, $test_msg ); $result = system( -"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context $v -t unconfined_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1" +"runcon -t test_filesystem_may_create_no_associate_t $filesystem_dir/create_file_change_context $v -t test_file_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1" ); ok( $result >> 8 eq 13, $test_msg ); # EACCES 
@@ -264,7 +264,7 @@ while ( $i < 2 ) { ok( $result eq 0, $test_msg ); $result = system( -"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context $v -t unconfined_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1" +"runcon -t test_filesystem_inode_setxattr_no_associate_t $filesystem_dir/create_file_change_context $v -t test_file_t -f $target/tests/nfs_filesystem/mntpoint/mp1/test_file 2>&1" ); ok( $result >> 8 eq 13, $test_msg ); # EACCES

From patchwork Fri Jul 29 12:02:21 2022
X-Patchwork-Id: 12932382
From: Ondrej Mosnacek
To: selinux@vger.kernel.org
Subject: [PATCH testsuite 16/24] policy: remove last hardcoded references to unconfined_t
Date: Fri, 29 Jul 2022 14:02:21 +0200
Message-Id: <20220729120229.207584-17-omosnace@redhat.com>
In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com>
References: <20220729120229.207584-1-omosnace@redhat.com>

Replace them with generic common interfaces. For sysadm_t we need to allow certain stuff also to ifconfig_t and iptables_t domains due to type transitions.

Signed-off-by: Ondrej Mosnacek
---
 policy/test_global.te | 24 ++++++++++++++++++++++++
 policy/test_inet_socket.te | 8 ++------
 policy/test_policy.if | 16 ++++++++++++++++
 policy/test_sctp.te | 2 +-
 4 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/policy/test_global.te b/policy/test_global.te index 3862ee7..3536fbb 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -7,6 +7,9 @@ policy_module(test_policy,1.0.0) # attribute testsuite_domain; +attribute testsuite_caller_domain; +attribute testsuite_caller_ifconfig_domain; +attribute testsuite_caller_iptables_domain; optional_policy(` gen_require(` @@ -14,6 +17,10 @@ optional_policy(` role unconfined_r; ') + typeattribute unconfined_t testsuite_caller_domain; + typeattribute unconfined_t testsuite_caller_ifconfig_domain; + typeattribute unconfined_t testsuite_caller_iptables_domain; + # Transition from the caller to the test domain. allow unconfined_t testsuite_domain:process transition; role unconfined_r types testsuite_domain;
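Review bot: the three attributes declared in the @@ -7 hunk (testsuite_caller_domain, testsuite_caller_ifconfig_domain, testsuite_caller_iptables_domain) carry no comment saying what membership means, and the @@ -14 hunk then places unconfined_t in all three without explanation. A one-line comment per attribute (roughly: domains the testsuite is invoked from; domains that end up running ip/ifconfig on the caller's behalf; domains that end up running iptables on the caller's behalf) would spare the next reader from reverse-engineering the distinction from the sysadm_t block further down, where the three sets finally differ.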
@@ -27,9 +34,26 @@ optional_policy(` optional_policy(` gen_require(` + type sysadm_t; role sysadm_r; ') + typeattribute sysadm_t testsuite_caller_domain; + typeattribute sysadm_t testsuite_caller_ifconfig_domain; + typeattribute sysadm_t testsuite_caller_iptables_domain; + optional_policy(` + gen_require(` + type ifconfig_t; + ') + typeattribute ifconfig_t testsuite_caller_ifconfig_domain; + ') + optional_policy(` + gen_require(` + type iptables_t; + ') + typeattribute iptables_t testsuite_caller_iptables_domain; + ') + # Authorize sysadm_r for the test domains. role sysadm_r types testsuite_domain; diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te index 5feb801..47969fc 100644 --- a/policy/test_inet_socket.te +++ b/policy/test_inet_socket.te @@ -130,12 +130,8 @@ corenet_inout_generic_node(test_inet_no_name_connect_t) # # For ipsec-load/ipsec-flush. -gen_require(` - type unconfined_t; -') type test_spd_t; -allow unconfined_t inetsocketdomain:association setcontext; -allow unconfined_t test_spd_t:association setcontext; +testsuite_caller_association_setcontext({ inetsocketdomain test_spd_t }) # Each of the test client domains must match against the SPD entry # in order to use labeled IPSEC. @@ -147,7 +143,7 @@ allow test_inet_bad_client_t test_spd_t:association polmatch; # type test_server_packet_t; -allow unconfined_t test_server_packet_t:packet relabelto; +testsuite_caller_packet_relabelto(test_server_packet_t) allow test_inet_server_t test_server_packet_t:packet { send recv }; allow test_inet_client_t test_server_packet_t:packet { send recv }; diff --git a/policy/test_policy.if b/policy/test_policy.if index 89ab6f7..5458f6c 100644 --- a/policy/test_policy.if +++ b/policy/test_policy.if 
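Review bot: in the @@ -27 hunk, the nested `optional_policy` blocks that add ifconfig_t and iptables_t to the ifconfig/iptables caller attributes sit inside the block that requires sysadm_t and sysadm_r, so they are compiled only when sysadm exists; the ifconfig_t and iptables_t types exist independently of sysadm_t, and whether a given caller transitions into them is decided by the base policy rather than by sysadm_t being present. Consider hoisting the two nested blocks to the top level next to the attribute declarations, and stating in a comment that they are there because sysadm_t transitions to ifconfig_t/iptables_t when the tests run ip and iptables, which the commit message says but the policy file does not.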
@@ -51,6 +51,22 @@ interface(`testsuite_domain_type_minimal',` dontaudit $1 setrans_var_run_t:dir search; ') +interface(`testsuite_caller_association_setcontext',` + gen_require(` + attribute testsuite_caller_ifconfig_domain; + ') + + allow testsuite_caller_ifconfig_domain $1:association setcontext; +') + +interface(`testsuite_caller_packet_relabelto',` + gen_require(` + attribute testsuite_caller_iptables_domain; + ') + + allow testsuite_caller_iptables_domain $1:packet relabelto; +') + # Workarounds for refpolicy: ifdef(`dev_rw_infiniband_dev', `', ` dnl diff --git a/policy/test_sctp.te b/policy/test_sctp.te index e276153..8db84a3 100644 --- a/policy/test_sctp.te +++ b/policy/test_sctp.te 
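Review bot: the two interfaces added in the @@ -51 hunk have no header comment, and their names hide a non-obvious choice: `testsuite_caller_association_setcontext` grants to testsuite_caller_ifconfig_domain rather than to testsuite_caller_domain, and `testsuite_caller_packet_relabelto` grants to testsuite_caller_iptables_domain. Add a short comment to each saying that the permission is granted to the domain in which the caller's ip/iptables invocation actually runs (the ipsec-load/ipsec-flush and SECMARK setup the callers in test_inet_socket.te and test_sctp.te mention), otherwise a future user of these interfaces will reasonably expect them to act on the plain caller domain.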
@@ -213,7 +213,7 @@ corenet_inout_generic_if(sctp_asconf_deny_param_add_client_t) ######################### SECMARK-specific policy ############################ # type test_sctp_server_packet_t; -allow unconfined_t test_sctp_server_packet_t:packet { relabelto }; +testsuite_caller_packet_relabelto(test_sctp_server_packet_t) allow test_sctp_server_t test_sctp_server_packet_t:packet { send recv }; allow test_sctp_client_t test_sctp_server_packet_t:packet { send recv };

From patchwork Fri Jul 29 12:02:22 2022
X-Patchwork-Submitter: Ondrej Mosnacek
X-Patchwork-Id: 12932380
From: Ondrej Mosnacek
To: selinux@vger.kernel.org
Subject: [PATCH testsuite 17/24] test_general.te: generalize the dontaudit rule
Date: Fri, 29 Jul 2022 14:02:22 +0200
Message-Id: <20220729120229.207584-18-omosnace@redhat.com>
In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com>
References: <20220729120229.207584-1-omosnace@redhat.com>

The unconfined_t-specific dontaudit rule here is actually also needed for sysadm_t, so generalize it to the whole testsuite_caller_domain.

Signed-off-by: Ondrej Mosnacek
---
 policy/test_global.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/test_global.te b/policy/test_global.te index 3536fbb..91bddd8 100644 --- a/policy/test_global.te +++ b/policy/test_global.te @@ -28,8 +28,6 @@ optional_policy(` allow testsuite_domain unconfined_t:fd use; allow testsuite_domain unconfined_t:fifo_file { read write ioctl getattr }; allow testsuite_domain unconfined_t:process { sigchld }; - # needed for domains outside domain_type() - dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh }; ') optional_policy(`
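Review bot: the subject line says `test_general.te`, but the @@ -28 hunk (and the diffstat) modify policy/test_global.te, which is the only file this patch touches; the subject should read `test_global.te: generalize the dontaudit rule` so that `git log` on that file matches.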
@@ -65,6 +63,9 @@ optional_policy(` #selinux_get_fs_mount(sysadm_t) ') +# Needed for domains outside domain_type() +dontaudit testsuite_caller_domain testsuite_domain:process { noatsecure rlimitinh siginh }; + # Allow the test domains to access the sysadm terminal. # This allows read and write sysadm ttys and ptys. term_use_all_terms(testsuite_domain)

From patchwork Fri Jul 29 12:02:23 2022
X-Patchwork-Submitter: Ondrej Mosnacek
X-Patchwork-Id: 12932381
From: Ondrej Mosnacek
To: selinux@vger.kernel.org
Subject: [PATCH testsuite 18/24] policy: don't audit testsuite programs searching the caller's keys
Date: Fri, 29 Jul 2022 14:02:23 +0200
Message-Id: <20220729120229.207584-19-omosnace@redhat.com>
In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com>
References: <20220729120229.207584-1-omosnace@redhat.com>

During the test such denials may occur. Since they don't affect testing, prevent them from being audited to have a cleaner AVC log.

Signed-off-by: Ondrej Mosnacek
---
 policy/test_global.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/test_global.te b/policy/test_global.te index 91bddd8..7d399e6 100644 --- a/policy/test_global.te +++ b/policy/test_global.te
@@ -66,6 +66,9 @@ optional_policy(` # Needed for domains outside domain_type() dontaudit testsuite_caller_domain testsuite_domain:process { noatsecure rlimitinh siginh }; +# keys test may trigger search AVCs for root's keys +dontaudit testsuite_domain testsuite_caller_domain:key { search }; + # Allow the test domains to access the sysadm terminal. # This allows read and write sysadm ttys and ptys. term_use_all_terms(testsuite_domain)
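Review bot: the `dontaudit testsuite_domain testsuite_caller_domain:key { search };` rule in the @@ -66 hunk applies to every test domain, not only to the domains of the keys test that the comment names, so a key search denial that some other test did not expect would now vanish from the AVC log that the CI check added later in this series depends on to catch policy bugs. If the denials really originate only from the keys test, scope the rule to that test's domains; at minimum, extend the comment to say which keys-test operation triggers the search on the caller's keyrings, so that it is clear exactly which denials are being silenced on purpose.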
From patchwork Fri Jul 29 12:02:24 2022
X-Patchwork-Submitter: Ondrej Mosnacek
X-Patchwork-Id: 12932383
From: Ondrej Mosnacek
To: selinux@vger.kernel.org
Subject: [PATCH testsuite 19/24] ci: check for unconfined_t AVCs
Date: Fri, 29 Jul 2022 14:02:24 +0200
Message-Id: <20220729120229.207584-20-omosnace@redhat.com>
In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com>
References: <20220729120229.207584-1-omosnace@redhat.com>

These would likely signify a bug in the testsuite policy. Make sure there are none.

Signed-off-by: Ondrej Mosnacek
---
 .github/workflows/checks.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 59076cb..96843e4 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml
@@ -38,5 +38,7 @@ jobs: run: while ! vagrant ssh -- true; do sleep 1s; done - name: Run SELinux testsuite run: vagrant ssh -- sudo make -C /root/testsuite test + - name: Check unwanted denials + run: vagrant ssh -- '! sudo ausearch -m avc -i
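Review bot: the `ausearch -m avc -i` in the @@ -38 hunk (the rest of the command is cut off in this rendering) shows no `-ts`/`--start` bound, so it searches the VM's entire audit log, including AVCs recorded during boot and provisioning before `make test` ran; a stray unconfined_t denial from the base image would then fail the job even though the testsuite policy is fine. Capture a timestamp right before the "Run SELinux testsuite" step and pass it as `-ts`, or use `ausearch --checkpoint` so the check only covers records written during the test run. Separately, the leading `!` turns any non-zero exit of ausearch into success, and ausearch exits non-zero both when nothing matches and when it cannot read the log at all (auditd not running, permission problem), so a broken audit setup would be reported as "no unwanted denials"; consider checking that the log is readable first, or grepping ausearch's output explicitly instead of relying on its exit status.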
X-Patchwork-Id: 12932388
From: Ondrej Mosnacek
To: selinux@vger.kernel.org
Subject: [PATCH testsuite 20/24] tests/binder: check only the type part of the context
Date: Fri, 29 Jul 2022 14:02:25 +0200
Message-Id: <20220729120229.207584-21-omosnace@redhat.com>
In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com>
References: <20220729120229.207584-1-omosnace@redhat.com>

This will allow running the testsuite from other contexts than the usual unconfined.

Signed-off-by: Ondrej Mosnacek
---
 tests/binder/binder_common.h | 1 +
 tests/binder/service_provider.c | 31 +++++++++++++++++++------------
 tests/binder/test | 2 +-
 3 files changed, 21 insertions(+), 13 deletions(-)

diff --git a/tests/binder/binder_common.h b/tests/binder/binder_common.h index 319b5dd..e516617 100644 --- a/tests/binder/binder_common.h +++ b/tests/binder/binder_common.h @@ -14,6 +14,7 @@ #include #include #include +#include #include #if HAVE_BINDERFS #include diff --git a/tests/binder/service_provider.c b/tests/binder/service_provider.c index 56d8a43..f47365c 100644 --- a/tests/binder/service_provider.c +++ b/tests/binder/service_provider.c @@ -1,14 +1,14 @@ #include "binder_common.h" -static char *expected_ctx; +static char *expected_type; static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size); static void usage(char *progname) { fprintf(stderr, - "usage: %s -e expected_ctx] [-f file] [-n] [-m|-p|-t] [-v]\n" + "usage: %s [-e expected_type] [-f file] [-n] [-m|-p|-t] [-v]\n" "Where:\n\t" - "-e Expected security context.\n\t" + "-e Expected security type.\n\t" "-f Write a line to the file when listening starts.\n\t" "-n Use the /dev/binderfs name service.\n\t" "-m Use BPF map fd for transfer.\n\t"
@@ -162,23 +162,30 @@ static int binder_parse(int fd, binder_uintptr_t ptr, binder_size_t size) case BR_TRANSACTION_SEC_CTX: { struct binder_transaction_data_secctx *txn_ctx = (struct binder_transaction_data_secctx *)ptr; - if (verbose) { printf("\tclient context:\n\t\t%s\n", (char *)txn_ctx->secctx); print_trans_data(&txn_ctx->transaction_data); } - if (expected_ctx) { - int result = strcmp(expected_ctx, - (char *)txn_ctx->secctx); - if (result) { + if (expected_type) { + context_t ctx = context_new((const char *)txn_ctx->secctx); + + if (!ctx) { + fprintf(stderr, + "Service Provider context_new: %s\n", + strerror(errno)); + exit(82); + } + + if (strcmp(expected_type, context_type_get(ctx))) { fprintf(stderr, "Service Provider received incorrect context:\n"); fprintf(stderr, "Expected: %s\nReceived: %s\n", - expected_ctx, - (char *)txn_ctx->secctx); + expected_type, + context_type_get(ctx)); exit(80); } + context_free(ctx); } if (txn_ctx->transaction_data.code == TEST_SERVICE_SEND_FD) @@ -240,14 +247,14 @@ int main(int argc, char **argv) } __attribute__((packed)) writebuf; unsigned int readbuf[32]; - expected_ctx = NULL; + expected_type = NULL; fd_type = BINDER_FD; fd_type_str = "SP"; while ((opt = getopt(argc, argv, "e:f:nvmpt")) != -1) { switch (opt) { case 'e': - expected_ctx = optarg; + expected_type = optarg; break; case 'f': flag_file = optarg; diff --git a/tests/binder/test b/tests/binder/test index 9914759..95af41a 100755 --- a/tests/binder/test +++ b/tests/binder/test 
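Review bot: the @@ -162 hunk silently weakens the assertion: the old `-e` compared the whole `unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023` string, while the new code compares only `context_type_get(ctx)`, so a client arriving with the right type but the wrong role or MLS range now passes. Given that the type is the part the testsuite policy controls, dropping the rest is probably acceptable, but the commit message should say that the user/role/range check is being dropped deliberately, or the test should keep a range comparison (for example against `context_range_get()` of the service provider's own context). Minor: `context_free(ctx)` is reached only on the success path; the `exit(80)` path leaks `ctx`, which is harmless at exit but makes the two paths asymmetric. Also check that exit code 82 introduced for the `context_new` failure does not collide with a code already assigned to another failure in service_provider.c or interpreted by tests/binder/test.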
@@ -163,7 +163,7 @@ if ($test_binder_ctx) { $sp_pid = service_start( "service_provider", "-t test_binder_provider_t", - "$n $v -e unconfined_u:unconfined_r:test_binder_client_t:s0-s0:c0.c1023" + "$n $v -e test_binder_client_t" ); # 8 Verify that authorized client and service provider can communicate with the binder service manager.

From patchwork Fri Jul 29 12:02:26 2022
X-Patchwork-Submitter: Ondrej Mosnacek
X-Patchwork-Id: 12932387
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 21/24] tests/overlay: don't hard-code SELinux user of the caller Date: Fri, 29 Jul 2022 14:02:26 +0200 Message-Id: <20220729120229.207584-22-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org We want to allow the testsuite caller to be other than unconfined, so extract the user from current context and use it instead of hard-coding unconfined_u. Signed-off-by: Ondrej Mosnacek --- tests/overlay/setup-overlay | 2 +- tests/overlay/test | 34 ++++++++++++++++------------------ 2 files changed, 17 insertions(+), 19 deletions(-) diff --git a/tests/overlay/setup-overlay b/tests/overlay/setup-overlay index 4fcd023..3f33499 100755 --- a/tests/overlay/setup-overlay +++ b/tests/overlay/setup-overlay @@ -41,7 +41,7 @@ setup () { # Create upper, work, and overlay directories per container. mkdir -p $BASEDIR/container1/upper $BASEDIR/container1/work $BASEDIR/container1/merged - chcon -R unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20 $BASEDIR/container1 + chcon -R -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1 # Label the container directories to match the container context. # This is simply to ensure correct label inheritance on new file diff --git a/tests/overlay/test b/tests/overlay/test index 2b28c47..c8367dd 100755 --- a/tests/overlay/test +++ b/tests/overlay/test @@ -5,6 +5,10 @@ BEGIN { $basedir = $0; $basedir =~ s|(.*)/[^/]*|$1|; + $seuser = `id -Z`; + chop($seuser); + $seuser =~ s|^(\w+):.*$|$1|; + $isnfs = `stat -f --print %T $basedir`; # check if kernel supports overlayfs and SELinux labeling 
@@ -92,7 +96,7 @@ sub test_4_0 { $output = getfilecon("$basedir/container1/upper/writefile"); # Newly created writefile should have s0 MCS Label since it was copied up - ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" ); + ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" ); } sub test_4_0_ctx { @@ -100,8 +104,7 @@ sub test_4_0_ctx { $output = getfilecon("$basedir/container1/upper/writefile"); # Newly created writefile should have s0 MCS Label since it was copied up - ok( $output eq - "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); + ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); } sub test_5 { @@ -127,8 +130,7 @@ sub test_5_1 { $output = getfilecon("$basedir/container1/upper/newdir"); # Newly created writedir should have s0:c10,c20 since it was created new - ok( $output eq - "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); + ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); } sub test_5_2 { @@ -146,8 +148,7 @@ sub test_5_3 { $output = getfilecon("$basedir/container1/upper/newdir/touchlink"); # Newly created writelink should have s0:c10,c20 since it was created new - ok( $output eq - "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); + ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); } sub test_6 { @@ -173,7 +174,7 @@ sub test_7_0 { $output = getfilecon("$basedir/container1/upper/writedir/bar"); # Newly created bar should have s0:c10,c20 since it was created new - ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" ); + ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" ); } sub test_7_0_ctx { 
@@ -181,8 +182,7 @@ sub test_7_0_ctx { $output = getfilecon("$basedir/container1/upper/writedir/bar"); # Newly created bar should have s0:c10,c20 since it was created new - ok( $output eq - "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); + ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); } sub test_7_1 { @@ -200,7 +200,7 @@ sub test_7_1_0 { $output = getfilecon("$basedir/container1/upper/writedir/writelink"); # Newly created writelink should have s0:c10,c20 since it was created new - ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" ); + ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" ); } sub test_7_1_0_ctx { @@ -208,8 +208,7 @@ sub test_7_1_0_ctx { $output = getfilecon("$basedir/container1/upper/writedir/writelink"); # Newly created writelink should have s0:c10,c20 since it was created new - ok( $output eq - "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); + ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); } sub test_7_2 { @@ -445,7 +444,7 @@ sub test_42 { # Newly created writeout should have s0:c10,c20 since it was created new ok( $output eq - "unconfined_u:object_r:test_overlay_transition_files_t:s0:c10,c20" ); + "$seuser:object_r:test_overlay_transition_files_t:s0:c10,c20" ); } sub test_42_ctx { @@ -453,8 +452,7 @@ sub test_42_ctx { $output = getfilecon("$basedir/container1/upper/transition"); # Newly created writeout should have s0:c10,c20 since it was created new - ok( $output eq - "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); + ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" ); } sub test_43 { 
@@ -822,7 +820,7 @@ sub nocontext_test { sub context_test { cleanup(); - $context = "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20"; + $context = "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20"; print "\n\n=====================================================\n"; print "Testing mounting overlayfs with context switch\n"; print "context=$context\n"; 
@@ -943,7 +941,7 @@ sub context_test { sub context_rot_t_test { cleanup(); - $context = "unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20"; + $context = "$seuser:object_r:test_overlay_files_ro_t:s0:c10,c20"; print "\n\n=====================================================\n"; print "Testing mounting overlayfs with context switch\n"; print "context=$context\n";
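Review bot: in the `@@ -41,7 +41,7 @@` hunk of tests/overlay/setup-overlay, `chcon -R -t test_overlay_files_ro_t -l s0:c10,c20` now leaves the SELinux user and role fields as whatever the directories were created with, which is the intent, but the `mkdir -p` on the line above does not recreate an existing tree: if `$BASEDIR/container1` is left over from a run under a different caller, its user field keeps the old value and the `$seuser`-based comparisons in tests/overlay/test will not match. Make sure the tree is removed before setup, or pass `-u` with the same value tests/overlay/test extracts from `id -Z`.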
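Review bot: in the `@@ -5,6 +5,10 @@ BEGIN` hunk of tests/overlay/test, `chop($seuser)` unconditionally drops the last character of the `id -Z` output; `chomp` is the idiomatic call, since it only strips a trailing newline and leaves the string intact if none was printed. There is also no check that `id -Z` succeeded: on failure `$seuser` ends up empty and every `ok( $output eq "$seuser:object_r:..." )` check fails with a confusing message instead of a clear error, so consider dying early when the extracted user is empty.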
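Review bot: in the `@@ -173,7 +174,7 @@ sub test_7_0` and `@@ -200,7 +200,7 @@ sub test_7_1_0` hunks the comment reads `# Newly created bar should have s0:c10,c20 since it was created new` (and the same for writelink) while the assertion being rewritten on the next line expects a plain `:s0` context; the mismatch is pre-existing, but since these lines are touched anyway the comments should be corrected to say `s0` (compare the `test_4_0` hunk, where comment and check agree).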
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 22/24] policy: give sysadm_t perms needed to run quotacheck(8) Date: Fri, 29 Jul 2022 14:02:27 +0200 Message-Id: <20220729120229.207584-23-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Unfortunately this is not allowed in the Fedora policy currently, so we need to work around it. Signed-off-by: Ondrej Mosnacek --- policy/test_global.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/test_global.te b/policy/test_global.te index 7d399e6..2592553 100644 --- a/policy/test_global.te +++ b/policy/test_global.te
@@ -58,6 +58,10 @@ optional_policy(` # Allow the test domain to be entered from sysadm_t sysadm_entry_spec_domtrans_to(testsuite_domain) + # Needed for quotacheck(8) in the filesystem test to succeed + fs_remount_xattr_fs(sysadm_t) + storage_raw_read_fixed_disk(sysadm_t) + # Let sysadm_t use runcon to run the test programs in various domains. #allow sysadm_t self:process setexec; #selinux_get_fs_mount(sysadm_t)
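Review bot: in the `@@ -58,6 +58,10 @@` hunk, `storage_raw_read_fixed_disk(sysadm_t)` grants sysadm_t read access to raw fixed-disk block devices, which sidesteps per-file labeling for everything stored on them, while the commit message only says Fedora does not allow it. Since policy/test_global.te stays loaded for the whole run and not just the filesystem test, the commit message should spell out why quotacheck(8) needs raw device reads and that this is a test-only widening of sysadm_t, and the in-policy comment above the two rules could say the same so they are not later copied into a production module.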
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 23/24] tests/vsock_socket: use modprobe to check vsock availability Date: Fri, 29 Jul 2022 14:02:28 +0200 Message-Id: <20220729120229.207584-24-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org On Fedora sysadm_t is not allowed to create vsock sockets, so the check would fail. Since modprobing the relevant kernel modules is also a reliable way to check the general vsock support, use that instead of the more direct check. Signed-off-by: Ondrej Mosnacek --- tests/vsock_socket/.gitignore | 1 - tests/vsock_socket/Makefile | 2 +- tests/vsock_socket/check_vsock.c | 47 -------------------------------- tests/vsock_socket/test | 11 ++------ 4 files changed, 4 insertions(+), 57 deletions(-) delete mode 100644 tests/vsock_socket/check_vsock.c diff --git a/tests/vsock_socket/.gitignore b/tests/vsock_socket/.gitignore index 13eeb1b..f2ad853 100644 --- a/tests/vsock_socket/.gitignore +++ b/tests/vsock_socket/.gitignore @@ -1,3 +1,2 @@ client server -check_vsock diff --git a/tests/vsock_socket/Makefile b/tests/vsock_socket/Makefile index bf6ec7b..5266096 100644 --- a/tests/vsock_socket/Makefile +++ b/tests/vsock_socket/Makefile @@ -1,4 +1,4 @@ -TARGETS=client server check_vsock +TARGETS=client server LDLIBS+= -lselinux diff --git a/tests/vsock_socket/check_vsock.c b/tests/vsock_socket/check_vsock.c deleted file mode 100644 index 6eecd62..0000000 --- a/tests/vsock_socket/check_vsock.c +++ /dev/null
@@ -1,47 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include - -// Must be included after sys/socket.h -#include - -int main(int argc, char **argv) -{ - int sock; - struct sockaddr_vm svm; - - sock = socket(AF_VSOCK, SOCK_STREAM, 0); - if (sock < 0) { - if (errno == EAFNOSUPPORT) { - // AF_VSOCK not supported - exit(2); - } else { - perror("socket"); - exit(1); - } - } - - bzero(&svm, sizeof(svm)); - svm.svm_family = AF_VSOCK; - svm.svm_port = VMADDR_PORT_ANY; - svm.svm_cid = VMADDR_CID_LOCAL; - - if (bind(sock, (struct sockaddr *)&svm, sizeof(svm)) < 0) { - if (errno == EADDRNOTAVAIL) { - // vsock_loopback not supported - close(sock); - exit(3); - } else { - perror("bind"); - close(sock); - exit(1); - } - } - - close(sock); - exit(0); -} diff --git a/tests/vsock_socket/test b/tests/vsock_socket/test index f05b972..9a0d72c 100755 --- a/tests/vsock_socket/test +++ b/tests/vsock_socket/test 
@@ -6,19 +6,14 @@ BEGIN { $basedir =~ s|(.*)/[^/]*|$1|; # check if vsock and vsock_loopback are available - $rc = system("$basedir/check_vsock"); - - if ( $rc eq 0 ) { - plan tests => 12; - } - elsif ( $rc eq 2 << 8 ) { + if ( system("modprobe vsock 2>/dev/null") ne 0 ) { plan skip_all => "vsock socket family not supported"; } - elsif ( $rc eq 3 << 8 ) { + elsif ( system("modprobe vsock_loopback 2>/dev/null") ne 0 ) { plan skip_all => "vsock_loopback transport not supported"; } else { - plan skip_all => "unexpected error when checking vsock support"; + plan tests => 12; } }
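Review bot: the `@@ -1,47 +0,0 @@` deletion hunk removes the only probe that exercised `socket(AF_VSOCK, ...)` and a `bind()` to `VMADDR_CID_LOCAL` from the caller's own domain and told EAFNOSUPPORT and EADDRNOTAVAIL apart from other errors; after this change a denial on socket creation in the caller's domain surfaces as failing client/server tests rather than a skip. That is the trade-off the commit message implies, but it should state explicitly why the test programs, unlike a probe run from sysadm_t, are still expected to be able to create the socket, so nobody reintroduces the probe later.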
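Review bot: in the `@@ -6,19 +6,14 @@ BEGIN` hunk of tests/vsock_socket/test, `system("modprobe vsock 2>/dev/null") ne 0` compares the numeric return value of `system` with the string operator; it works by accident of stringification, and `!= 0` is the numeric comparison (the removed `$rc eq 0` had the same problem). Also, since the skip decision now depends on modprobe succeeding, a modprobe that is denied by policy or run without module-loading privileges is reported as "vsock socket family not supported"; the skip message could mention that modprobe failed so the two cases are distinguishable in the log.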
From: Ondrej Mosnacek To: selinux@vger.kernel.org Subject: [PATCH testsuite 24/24] ci: add sysadm_t to the test matrix Date: Fri, 29 Jul 2022 14:02:29 +0200 Message-Id: <20220729120229.207584-25-omosnace@redhat.com> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220729120229.207584-1-omosnace@redhat.com> References: <20220729120229.207584-1-omosnace@redhat.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org The testsuite should now be passing under the sysadm user as well, so test it. Signed-off-by: Ondrej Mosnacek --- .github/workflows/checks.yml | 4 +++- Vagrantfile | 16 ++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 96843e4..37455ea 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -15,6 +15,7 @@ jobs: strategy: fail-fast: false matrix: + domain: [unconfined_t, sysadm_t] env: - { version: 35, kernel: default } - { version: 36, kernel: default } @@ -22,6 +23,7 @@ jobs: env: FEDORA_VERSION: ${{ matrix.env.version }} KERNEL_TYPE: ${{ matrix.env.kernel }} + ROOT_DOMAIN: ${{ matrix.domain }} steps: - uses: actions/checkout@v2 # macOS sometimes allows symlinks to have permissions other than 777, @@ -39,6 +41,6 @@ jobs: - name: Run SELinux testsuite run: vagrant ssh -- sudo make -C /root/testsuite test - name: Check unwanted denials - run: vagrant ssh -- '! sudo ausearch -m avc -i
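Review bot: in the `@@ -22,6 +23,7 @@` hunk `ROOT_DOMAIN: ${{ matrix.domain }}` is exported into the job environment, but nothing in the checks.yml hunks consumes it; the diffstat lists a 16-line Vagrantfile addition, so that is presumably where the domain name is turned into the login used by `vagrant ssh -- sudo make -C /root/testsuite test`, and the commit message should say how (which SELinux user and role the `sysadm_t` matrix value maps to) so the matrix entry is meaningful to readers of the workflow alone. Note also that the new `domain` axis doubles the number of Fedora VM jobs; with `fail-fast: false` that is fine, but worth a sentence in the commit message.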