On Mon, May 14, 2018 at 09:58:03AM -0400, Vivek Goyal wrote: [..] > Talked to Dan and he mentioned that he was trying to test entrypoint > failure (and not exec failure) and that's whey he might have allowed exec > to mounter. > > I think that current entrypoint test's expectations are wrong. > User process sees overlay inode lablel which is rwx_t and that means > overlay layer will allow entrypoint into that executable. This will be the > behavior on a normal file system where underlying file's label will be > completely overridden by context=. > > So in my opinion, we should modify testsuite and not run this test with > context= mounts. Miklos, now a fix has been merged to the tests so that test passes both with current kernels and proposed changes. https://github.com/SELinuxProject/selinux-testsuite/pull/36 Thanks Dan Walsh, Stephen Smalley and Paul More. Vivek
