On Thu, 2009-01-29 at 08:42 -0500, Christopher J. PeBenito wrote: > On Thu, 2009-01-29 at 21:32 +1100, James Morris wrote: > > I'm trying to run the LTP SELinux tests using the latest CVS version of > > LTP and current Fedora development, and get the following policy > > compilation error: > > > > ---- > > Compiling targeted test_policy module > > > > test_policy.te:1730: Warning: r_dir_perms is deprecated please use list_dir_perms instead. > > test_policy.te:1731: Warning: r_file_perms is deprecated please use read_file_perms instead. > > [lots of warnings similar to the above] > > > > /usr/bin/checkmodule: loading policy configuration from > > tmp/test_policy.tmp > > test_policy.te":16:ERROR 'syntax error' at token > > 'userdom_use_sysadm_terms' on line 3198: > > userdom_use_sysadm_terms(testdomain) > > # This allows read and write sysadm ttys and ptys. > > /usr/bin/checkmodule: error(s) encountered while parsing configuration > > make[1]: *** [tmp/test_policy.mod] Error 1 > > make[1]: Leaving directory `/usr/share/selinux/devel' > > make: *** [load] Error 2 > > Failed to build and load test_policy module, aborting test run. > > ---- > > > > Is this likely to be fixed soon, and/or any suggestions for a workaround? > > It won't compile with the current trunk refpolicy, since the current > release was a major, API breaking change. I'll try to get a patch out > shortly. I updated the policy since it's fairly old, though I didn't convert its raw rules over to use interfaces. However, this didn't completely fix it, as there is usage of an "unconfined_runs_test()", which is in neither the upstream refpolicy nor the Fedora policy, as far as I can see. One of the updates includes use of sysadm_entry_spec_domtrans_to(), which is in the upstream refpolicy, but doesn't seem to have made its way downstream to the Fedora policy. I have attached my work so someone familiar with the LTP test cases can use it to complete the fix.
-- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_file.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_file.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_file.te 2007-12-20 04:32:55.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_file.te 2009-01-29 11:45:26.000000000 -0500
@@ -35,7 +35,6 @@
 # Allow execution of helper programs.
 corecmd_exec_bin(capabledomain)
-corecmd_exec_sbin(capabledomain)
 domain_exec_all_entry_files(capabledomain)
 files_exec_etc_files(capabledomain)
 libs_use_ld_so(capabledomain)
@@ -45,9 +44,9 @@
 # Allow test_file_t and bin_t to be entered from sysadm role
 miscfiles_domain_entry_test_files(capabledomain)
-userdom_sysadm_entry_spec_domtrans_to(capabledomain)
+sysadm_entry_spec_domtrans_to(capabledomain)
 corecmd_bin_entry_type(capabledomain)
-userdom_sysadm_bin_spec_domtrans_to(capabledomain)
+sysadm_bin_spec_domtrans_to(capabledomain)
 # Allow these domains to create a temporay file.
 allow capabledomain test_file_t:file { setattr rw_file_perms };
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_net.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_net.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_net.te 2007-12-20 04:32:55.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_capable_net.te 2009-01-29 11:23:45.000000000 -0500
@@ -28,7 +28,7 @@ corenet_raw_sendrecv_all_nodes(capabledomain) corenet_tcp_sendrecv_all_ports(capabledomain) corenet_udp_sendrecv_all_ports(capabledomain) -corenet_non_ipsec_sendrecv(capabledomain) +corenet_all_recvfrom_unlabeled(capabledomain) corenet_tcp_bind_all_nodes(capabledomain) corenet_udp_bind_all_nodes(capabledomain) sysnet_read_config(capabledomain) @@ -43,9 +43,9 @@ } allow capabledomain hi_reserved_port_t:tcp_socket name_bind; -# Allow sbin_t to be entered from admin via certain utils. -corecmd_sbin_entry_type(capabledomain) -userdom_sysadm_sbin_spec_domtrans_to(capabledomain) +# Allow bin_t to be entered from admin via certain utils. +corecmd_bin_entry_type(capabledomain) +sysadm_bin_spec_domtrans_to(capabledomain) require { type ifconfig_exec_t; diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrace.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrace.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrace.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrace.te 2009-01-29 11:23:45.000000000 -0500 
@@ -28,7 +28,7 @@ # Allow test_files_t to be entered from the sysadm domain. miscfiles_domain_entry_test_files(dyntracedomain) -userdom_sysadm_entry_spec_domtrans_to(dyntracedomain) +sysadm_entry_spec_domtrans_to(dyntracedomain) miscfiles_exec_test_files(dyntracedomain) # Grant the necessary permissions for the child domain. diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrans.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrans.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrans.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_dyntrans.te 2009-01-29 11:23:45.000000000 -0500 @@ -28,5 +28,5 @@ # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(dyntransdomain) -userdom_sysadm_entry_spec_domtrans_to(dyntransdomain) +sysadm_entry_spec_domtrans_to(dyntransdomain) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_entrypoint.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_entrypoint.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_entrypoint.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_entrypoint.te 2009-01-29 11:23:45.000000000 -0500 
@@ -17,5 +17,5 @@ # Allow this domain to be entered via its entrypoint type. domain_entry_file(test_entrypoint_t, test_entrypoint_execute_t) -userdom_sysadm_entry_spec_domtrans_to(test_entrypoint_t) +sysadm_entry_spec_domtrans_to(test_entrypoint_t) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_execshare.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_execshare.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_execshare.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_execshare.te 2009-01-29 11:23:45.000000000 -0500 @@ -25,7 +25,7 @@ # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(execsharedomain) -userdom_sysadm_entry_spec_domtrans_to(execsharedomain) +sysadm_entry_spec_domtrans_to(execsharedomain) # Grant the necessary permissions for the child domain. domain_entry_file_spec_domtrans(test_execshare_parent_t, test_execshare_child_t) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_exectrace.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_exectrace.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_exectrace.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_exectrace.te 2009-01-29 11:23:45.000000000 -0500 
@@ -28,7 +28,7 @@
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(exectracedomain)
-userdom_sysadm_entry_spec_domtrans_to(exectracedomain)
+sysadm_entry_spec_domtrans_to(exectracedomain)
 # Grant the necessary permissions for the child domain.
 domain_entry_file_spec_domtrans(test_exectrace_parent_t, test_exectrace_child_t)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_execute_no_trans.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_execute_no_trans.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_execute_no_trans.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_execute_no_trans.te 2009-01-29 11:23:45.000000000 -0500
@@ -19,8 +19,8 @@
 # Allow this domain to be entered via the shell.
 corecmd_shell_entry_type(test_execute_notrans_t)
-userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t)
+sysadm_entry_spec_domtrans_to(test_execute_notrans_t)
 #Allow test_execute_notrans permissions to the allowed type
 can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t)
-allow test_execute_notrans_t test_execute_notrans_denied_t:file rx_file_perms;
+allow test_execute_notrans_t test_execute_notrans_denied_t:file { mmap_file_perms lock ioctl };
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_fdreceive.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_fdreceive.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_fdreceive.te 2008-06-11 04:11:31.000000000 -0400
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_fdreceive.te 2009-01-29 11:23:45.000000000 -0500
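Review bot: The new rule `allow test_execute_notrans_t test_execute_notrans_denied_t:file { mmap_file_perms lock ioctl };` in test_execute_no_trans.te has no comment explaining why it is written as a hand-built set, and that set appears to be the whole point of the test: the denied type may be read and executed but must not receive `execute_no_trans`. A later cleanup that swaps in a broader permission macro, one that includes `execute_no_trans`, would grant exactly the permission the test expects to be denied. I would put `# Deliberately no execute_no_trans: running this type without a transition must be denied.` above the rule. It is also worth checking whether `mmap_file_perms` already contains `ioctl` in the targeted refpolicy, in which case the explicit `ioctl` is redundant.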
@@ -35,7 +35,7 @@ # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(fdreceivedomain) -userdom_sysadm_entry_spec_domtrans_to(fdreceivedomain) +sysadm_entry_spec_domtrans_to(fdreceivedomain) # Grant the necessary permissions for the server domain. ## Create the Unix domain socket file. diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_file.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_file.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_file.te 2007-12-20 04:32:56.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_file.te 2009-01-29 11:23:45.000000000 -0500 @@ -43,7 +43,6 @@ # Allow execution of helper programs. corecmd_exec_bin(fileopdomain) -corecmd_exec_sbin(fileopdomain) domain_exec_all_entry_files(fileopdomain) libs_use_ld_so(fileopdomain) libs_use_shared_libs(fileopdomain) 
@@ -52,13 +51,10 @@
 # Allow all of these domains to be entered from sysadm domain
 miscfiles_domain_entry_test_files(fileopdomain)
-userdom_sysadm_entry_spec_domtrans_to(fileopdomain)
+sysadm_entry_spec_domtrans_to(fileopdomain)
 corecmd_bin_entry_type(fileopdomain)
-userdom_sysadm_bin_spec_domtrans_to(fileopdomain)
-
-corecmd_sbin_entry_type(fileopdomain)
-userdom_sysadm_sbin_spec_domtrans_to(fileopdomain)
+sysadm_bin_spec_domtrans_to(fileopdomain)
 allow fileop_t fileop_exec_t:file entrypoint;
 domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te 2008-04-06 06:39:19.000000000 -0400
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te 2009-01-29 11:23:45.000000000 -0500
@@ -13,7 +13,7 @@
 # Allow the test domains to access the sysadm terminal.
 # This allows read and write sysadm ttys and ptys.
-userdom_use_sysadm_terms(testdomain)
+userdom_use_user_terminals(testdomain)
 # Allow the test domains to access the test directory and files
 # even if they are not root owned.
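Review bot: In the test_global.te hunk the comment above the changed call still reads "access the sysadm terminal" and "read and write sysadm ttys and ptys", while the call is now `userdom_use_user_terminals(testdomain)`. Judging by its name, the interface is not limited to sysadm terminals, so every test domain may now hold a wider terminal grant than the comment describes; that should be confirmed against the interface definition. The comment should be brought in line with the call, for example `# Allow the test domains to read and write user ttys and ptys.` The same substitution replaces `userdom_use_sysadm_ptys` and `userdom_use_sysadm_ttys` in the test_task_create.te and test_task_setpgid.te hunks.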
@@ -64,9 +64,10 @@
 type null_device_t;
 type zero_device_t;
 }
-allow testdomain { root_t etc_t bin_t sbin_t lib_t usr_t devpts_t }:dir r_dir_perms;
-allow testdomain lib_t:{ file lnk_file } r_file_perms;
-allow testdomain etc_t:file r_file_perms;
+allow testdomain { root_t etc_t bin_t sbin_t lib_t usr_t devpts_t }:dir list_dir_perms;
+allow testdomain lib_t:file read_file_perms;
+allow testdomain lib_t:lnk_file read_lnk_file_perms;
+allow testdomain etc_t:file read_file_perms;
 allow testdomain { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms;
 miscfiles_read_localization(testdomain)
 domain_use_interactive_fds(testdomain)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_inherit.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_inherit.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_inherit.te 2006-03-27 11:55:48.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_inherit.te 2009-01-29 11:23:45.000000000 -0500
@@ -37,7 +37,7 @@
 # Allow all of these domains to be entered from the sysadm domain.
 miscfiles_domain_entry_test_files(inheritdomain)
-userdom_sysadm_entry_spec_domtrans_to(inheritdomain)
+sysadm_entry_spec_domtrans_to(inheritdomain)
 # Grant the necessary permissions for the parent domain.
 allow test_inherit_parent_t test_inherit_file_t:file rw_file_perms;
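Review bot: `sbin_t` is still listed in the rewritten `allow testdomain { root_t etc_t bin_t sbin_t lib_t usr_t devpts_t }:dir list_dir_perms;` in test_global.te, although the rest of the patch removes every `corecmd_*sbin*` and `*_sbin_spec_domtrans_to` call. If those interfaces went away because sbin_t was folded into bin_t, the type is redundant in this set and in the require block, which starts above this hunk and is not visible here. The same type set appears in the test_task_create.te and test_task_setpgid.te hunks. This is inferred from the interface removals alone, so confirm how sbin_t resolves in the target policy before changing it.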
@@ -61,4 +61,4 @@ allow test_inherit_nowrite_t test_inherit_parent_t:fd use; allow test_inherit_nowrite_t test_inherit_parent_t:fifo_file rw_file_perms; allow test_inherit_nowrite_t test_inherit_parent_t:process sigchld; -allow test_inherit_nowrite_t test_inherit_file_t:file r_file_perms; +allow test_inherit_nowrite_t test_inherit_file_t:file read_file_perms; diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ioctl.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ioctl.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ioctl.te 2007-12-20 04:32:56.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ioctl.te 2009-01-29 11:46:39.000000000 -0500 @@ -23,7 +23,6 @@ # Allow execution of helper programs. corecmd_exec_bin(ioctldomain) -corecmd_exec_sbin(ioctldomain) domain_exec_all_entry_files(ioctldomain) files_exec_etc_files(ioctldomain) libs_use_ld_so(ioctldomain) @@ -34,9 +33,9 @@ # Allow all of these domains to be entered from sysadm domain # via a shell script in the test directory or by.... miscfiles_domain_entry_test_files(ioctldomain) -userdom_sysadm_entry_spec_domtrans_to(ioctldomain) +sysadm_entry_spec_domtrans_to(ioctldomain) corecmd_bin_entry_type(ioctldomain) -userdom_sysadm_bin_spec_domtrans_to(ioctldomain) +sysadm_bin_spec_domtrans_to(ioctldomain) # Allow the test domains some access to the temp file allow test_ioctl_t test_ioctl_file_t:file { read getattr setattr ioctl }; diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ipc.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ipc.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ipc.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ipc.te 2009-01-29 11:23:45.000000000 -0500 
@@ -72,12 +72,12 @@ # Allow all of these domains to be entered from user domains. # via a shell script in the test directory or by another program. miscfiles_domain_entry_test_files(ipcdomain) -userdom_sysadm_entry_spec_domtrans_to(ipcdomain) +sysadm_entry_spec_domtrans_to(ipcdomain) corecmd_bin_entry_type(ipcdomain) -userdom_sysadm_bin_spec_domtrans_to(ipcdomain) +sysadm_bin_spec_domtrans_to(ipcdomain) allow test_ipc_base_t self:sem create_sem_perms; allow test_ipc_base_t self:shm create_sem_perms; allow test_ipc_base_t self:shm lock; # ipcrm needs this... -userdom_search_generic_user_home_dirs(test_ipc_base_t) +userdom_search_user_home_dirs(test_ipc_base_t) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_link.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_link.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_link.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_link.te 2009-01-29 11:23:45.000000000 -0500 @@ -69,5 +69,5 @@ # Allow all of these domains to be entered from sysadm domain corecmd_bin_entry_type(test_link_domain) -userdom_sysadm_bin_spec_domtrans_to(test_link_domain) +sysadm_bin_spec_domtrans_to(test_link_domain) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_mkdir.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_mkdir.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_mkdir.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_mkdir.te 2009-01-29 11:23:45.000000000 -0500 
@@ -56,4 +56,4 @@ # Allow all of these domains to be entered from sysadm domain corecmd_bin_entry_type(test_mkdir_domain) -userdom_sysadm_bin_spec_domtrans_to(test_mkdir_domain) +sysadm_bin_spec_domtrans_to(test_mkdir_domain) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_open.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_open.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_open.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_open.te 2009-01-29 11:23:45.000000000 -0500 @@ -32,4 +32,4 @@ # Allow all of these domains to be entered from sysadm domain miscfiles_domain_entry_test_files(test_open_domain) -userdom_sysadm_entry_spec_domtrans_to(test_open_domain) +sysadm_entry_spec_domtrans_to(test_open_domain) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ptrace.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ptrace.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_ptrace.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_ptrace.te 2009-01-29 11:23:45.000000000 -0500 @@ -27,7 +27,7 @@ # Allow the tracer domain to trace the traced domain. allow test_ptrace_tracer_t test_ptrace_traced_t:process ptrace; -userdom_search_generic_user_home_dirs(test_ptrace_traced_t) +userdom_search_user_home_dirs(test_ptrace_traced_t) # Let the tracer wait on the traced domain. allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld; 
@@ -35,4 +35,4 @@ # Allow all of these domains to be entered from the sysadm domains. # via a program in the test directory. miscfiles_domain_entry_test_files(ptracedomain) -userdom_sysadm_entry_spec_domtrans_to(ptracedomain) +sysadm_entry_spec_domtrans_to(ptracedomain) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_relabel.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_relabel.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_relabel.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_relabel.te 2009-01-29 11:23:45.000000000 -0500 @@ -40,5 +40,5 @@ # Allow all of these domains to be entered from sysadm domain corecmd_bin_entry_type(test_relabel_domain) -userdom_sysadm_bin_spec_domtrans_to(test_relabel_domain) +sysadm_bin_spec_domtrans_to(test_relabel_domain) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_rename.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_rename.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_rename.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_rename.te 2009-01-29 11:23:45.000000000 -0500 
@@ -103,5 +103,5 @@ # Allow all of these domains to be entered from sysadm domain corecmd_bin_entry_type(test_rename_domain) -userdom_sysadm_bin_spec_domtrans_to(test_rename_domain) +sysadm_bin_spec_domtrans_to(test_rename_domain) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_setattr.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_setattr.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_setattr.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_setattr.te 2009-01-29 11:23:45.000000000 -0500 @@ -27,5 +27,5 @@ # Allow all of these domains to be entered from sysadm domain corecmd_bin_entry_type(test_setattr_domain) -userdom_sysadm_bin_spec_domtrans_to(test_setattr_domain) +sysadm_bin_spec_domtrans_to(test_setattr_domain) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_setnice.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_setnice.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_setnice.te 2007-12-20 04:32:56.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_setnice.te 2009-01-29 11:46:48.000000000 -0500 
@@ -25,7 +25,6 @@ # Allow execution of helper programs. corecmd_exec_bin(setnicedomain) -corecmd_exec_sbin(setnicedomain) domain_exec_all_entry_files(setnicedomain) files_exec_etc_files(setnicedomain) libs_use_ld_so(setnicedomain) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_sigkill.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_sigkill.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_sigkill.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_sigkill.te 2009-01-29 11:23:45.000000000 -0500 @@ -43,7 +43,7 @@ # Allow all of these domains to be entered from the sysadm domains, # via kill or a program in the test directory. miscfiles_domain_entry_test_files(killdomain) -userdom_sysadm_entry_spec_domtrans_to(killdomain) +sysadm_entry_spec_domtrans_to(killdomain) corecmd_bin_entry_type(killdomain) -userdom_sysadm_bin_spec_domtrans_to(killdomain) +sysadm_bin_spec_domtrans_to(killdomain) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_sysctl.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_sysctl.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_sysctl.te 2007-12-20 04:32:56.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_sysctl.te 2009-01-29 11:23:45.000000000 -0500 
@@ -19,8 +19,8 @@
 # Allow all of these domains to be entered from sysadm domain
 # via /sbin/sysctl.
-corecmd_sbin_entry_type(sysctldomain)
-userdom_sysadm_sbin_spec_domtrans_to(sysctldomain)
+corecmd_bin_entry_type(sysctldomain)
+sysadm_bin_spec_domtrans_to(sysctldomain)
 # Allow the first domain to perform sysctl operations.
 kernel_rw_all_sysctls(test_sysctl_t)
diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_create.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_create.te
--- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_create.te 2007-12-20 04:32:56.000000000 -0500
+++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_create.te 2009-01-29 11:23:45.000000000 -0500
@@ -24,10 +24,14 @@
 typeattribute test_create_no_t test_create_d;
 allow test_create_no_t self:process ~fork;
-allow test_create_no_t proc_t:dir r_dir_perms;
+allow test_create_no_t proc_t:dir list_dir_perms;
 allow test_create_no_t proc_t:lnk_file read;
-allow test_create_no_t self:dir r_dir_perms;
-allow test_create_no_t self:notdevfile_class_set r_file_perms;
+allow test_create_no_t self:dir list_dir_perms;
+allow test_create_no_t self:dir list_dir_perms;
+allow test_create_no_t self:file read_file_perms;
+allow test_create_no_t self:lnk_file read_lnk_file_perms;
+allow test_create_no_t self:fifo_file read_fifo_file_perms;
+allow test_create_no_t self:sock_file read_sock_file_perms;
 libs_use_ld_so(test_create_no_t)
 libs_use_shared_libs(test_create_no_t)
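Review bot: `allow test_create_no_t self:dir list_dir_perms;` is added twice in a row in the test_task_create.te hunk, where the old side had a single `self:dir` rule and the parallel hunk in test_task_setpgid.te adds it once. The duplicate does not change what the policy grants, but it should be dropped so the two files stay in step and a later edit does not change only one copy. The four per-class rules that replace `self:notdevfile_class_set r_file_perms` would also benefit from a one-line comment such as `# was: self:notdevfile_class_set r_file_perms, split per class`, so a reader can check that no class was lost in the expansion.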
@@ -35,14 +39,14 @@ allow test_create_no_t self:process setexec; selinux_get_fs_mount(test_create_no_t) -allow test_create_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir r_dir_perms; -allow test_create_no_t lib_t:lnk_file r_file_perms; +allow test_create_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir list_dir_perms; +allow test_create_no_t lib_t:lnk_file read_lnk_file_perms; allow test_create_no_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms; -allow test_create_no_t locale_t:dir r_dir_perms; -allow test_create_no_t locale_t:{ file lnk_file } r_file_perms; +allow test_create_no_t locale_t:dir list_dir_perms; +allow test_create_no_t locale_t:file read_file_perms; +allow test_create_no_t locale_t:lnk_file read_lnk_file_perms; allow test_create_no_t privfd:fd use; -userdom_use_sysadm_ptys(test_create_no_t) -userdom_use_sysadm_ttys(test_create_no_t) +userdom_use_user_terminals(test_create_no_t) # General rules for the test_create_d @@ -50,4 +54,4 @@ role sysadm_r types test_create_d; role system_r types test_create_d; miscfiles_domain_entry_test_files(test_create_d) -userdom_sysadm_entry_spec_domtrans_to(test_create_d) +sysadm_entry_spec_domtrans_to(test_create_d) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getpgid.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getpgid.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getpgid.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getpgid.te 2009-01-29 11:23:45.000000000 -0500 
@@ -25,7 +25,7 @@ # Allow domain to be entered from the sysadm domain miscfiles_domain_entry_test_files(test_getpgid_d) -userdom_sysadm_entry_spec_domtrans_to(test_getpgid_d) +sysadm_entry_spec_domtrans_to(test_getpgid_d) # Give test_getpgid_yes_t the permission needed. allow test_getpgid_yes_t test_getpgid_target_t:process getpgid; diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsched.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsched.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsched.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsched.te 2009-01-29 11:23:45.000000000 -0500 @@ -25,7 +25,7 @@ # Allow domain to be entered from the sysadm domain. miscfiles_domain_entry_test_files(test_getsched_d) -userdom_sysadm_entry_spec_domtrans_to(test_getsched_d) +sysadm_entry_spec_domtrans_to(test_getsched_d) # Give test_getsched_yes_t the permission needed. allow test_getsched_yes_t test_getsched_target_t:process getsched; diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsid.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsid.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsid.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_getsid.te 2009-01-29 11:23:45.000000000 -0500 
@@ -25,7 +25,7 @@ # Allow domain to be entered from the sysadm domain. miscfiles_domain_entry_test_files(test_getsid_d) -userdom_sysadm_entry_spec_domtrans_to(test_getsid_d) +sysadm_entry_spec_domtrans_to(test_getsid_d) # Give test_getsid_yes_t the permission needed. allow test_getsid_yes_t test_getsid_target_t:process getsession; diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setpgid.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setpgid.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setpgid.te 2007-12-20 04:32:56.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setpgid.te 2009-01-29 11:23:45.000000000 -0500 
@@ -18,27 +18,30 @@ typeattribute test_setpgid_no_t test_setpgid_d; allow test_setpgid_no_t self:process ~{ setpgid setcurrent }; -allow test_setpgid_no_t proc_t:dir r_dir_perms; +allow test_setpgid_no_t proc_t:dir list_dir_perms; allow test_setpgid_no_t proc_t:lnk_file read; -allow test_setpgid_no_t self:dir r_dir_perms; -allow test_setpgid_no_t self:notdevfile_class_set r_file_perms; +allow test_setpgid_no_t self:dir list_dir_perms; +allow test_setpgid_no_t self:file read_file_perms; +allow test_setpgid_no_t self:lnk_file read_lnk_file_perms; +allow test_setpgid_no_t self:fifo_file read_fifo_file_perms; +allow test_setpgid_no_t self:sock_file read_sock_file_perms; libs_use_ld_so(test_setpgid_no_t) libs_use_shared_libs(test_setpgid_no_t) allow test_setpgid_no_t self:process setexec; selinux_get_fs_mount(test_setpgid_no_t) -allow test_setpgid_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir r_dir_perms; -allow test_setpgid_no_t lib_t:lnk_file r_file_perms; +allow test_setpgid_no_t { root_t bin_t sbin_t lib_t locale_t usr_t devpts_t home_root_t }:dir list_dir_perms; +allow test_setpgid_no_t lib_t:lnk_file read_lnk_file_perms; allow test_setpgid_no_t { devtty_t null_device_t zero_device_t }:chr_file rw_file_perms; -allow test_setpgid_no_t locale_t:dir r_dir_perms; -allow test_setpgid_no_t locale_t:{ file lnk_file } r_file_perms; +allow test_setpgid_no_t locale_t:dir list_dir_perms; +allow test_setpgid_no_t locale_t:file read_file_perms; +allow test_setpgid_no_t locale_t:lnk_file read_lnk_file_perms; allow test_setpgid_no_t privfd:fd use; -userdom_use_sysadm_ptys(test_setpgid_no_t) -userdom_use_sysadm_ttys(test_setpgid_no_t) +userdom_use_user_terminals(test_setpgid_no_t) # Allow domain to be entered from the sysadm domain. 
role sysadm_r types test_setpgid_d; role system_r types test_setpgid_d; miscfiles_domain_entry_test_files(test_setpgid_d) -userdom_sysadm_entry_spec_domtrans_to(test_setpgid_d) +sysadm_entry_spec_domtrans_to(test_setpgid_d) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setsched.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setsched.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setsched.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_task_setsched.te 2009-01-29 11:23:45.000000000 -0500 @@ -26,7 +26,7 @@ # Allow domain to be entered from the sysadm domain. miscfiles_domain_entry_test_files(test_setsched_d) -userdom_sysadm_entry_spec_domtrans_to(test_setsched_d) +sysadm_entry_spec_domtrans_to(test_setsched_d) # Allow these domains to execute renice. corecmd_bin_entry_type(test_setsched_d) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_transition.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_transition.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_transition.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_transition.te 2009-01-29 11:23:45.000000000 -0500 
@@ -30,4 +30,4 @@ allow test_transition_todomain_t test_transition_fromdomain_t:fd use; # Allow all of these domains to be entered from the sysadm domain. -userdom_sysadm_entry_spec_domtrans_to(transitiondomain) +sysadm_entry_spec_domtrans_to(transitiondomain) diff -urw ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_wait.te ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_wait.te --- ltp-full-20081231.orig/testcases/kernel/security/selinux-testsuite/refpolicy/test_wait.te 2006-03-27 11:55:48.000000000 -0500 +++ ltp-full-20081231/testcases/kernel/security/selinux-testsuite/refpolicy/test_wait.te 2009-01-29 11:23:45.000000000 -0500 @@ -25,7 +25,7 @@ # Allow all of these domains to be entered from the sysadm domain. miscfiles_domain_entry_test_files(waitdomain) -userdom_sysadm_entry_spec_domtrans_to(waitdomain) +sysadm_entry_spec_domtrans_to(waitdomain) # Grant permissions for a domain transition from parent to child, # including the ability to wait on the child.