[PATCH] selinux-testsuite: fix file/test failure

On 4.8-rc5, Paul Moore reported the following test failure:

file/test ............... 8/16 # Test 8 got: "256" (file/test at line 85)
file/test ............... Failed 1/16 subtests

... this happens to be the SIGIO/good test.  Running the test by hand
yields the following AVC:

type=AVC msg=audit(1473785577.548:448): avc:  denied  { execute } for
 pid=2336 comm="wait_io"
 path="/root/sources/selinux-testsuite/tests/file/wait_io"
 dev="sda3" ino=399656
 scontext=unconfined_u:unconfined_r:fileop_t:s0-s0:c0.c1023
 tcontext=system_u:object_r:fileop_exec_t:s0
 tclass=file permissive=0

commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 ("binfmt_elf: switch to new
creds when switching to new mm") moved the switching of credentials before
mapping the executable, and therefore triggers a file execute check between
the new domain and the executable type on domain transitions.

Switch the test policy to use domain_entry_file() rather than a
handcoded allow rule, thereby allowing both permissions.

Reported-by: Paul Moore <paul@xxxxxxxxxxxxxx>
Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
 policy/test_file.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/test_file.te b/policy/test_file.te
index eb93a49..24c8b16 100644
--- a/policy/test_file.te
+++ b/policy/test_file.te
@@ -66,7 +66,7 @@ userdom_sysadm_entry_spec_domtrans_to(fileopdomain)
 corecmd_bin_entry_type(fileopdomain)
 sysadm_bin_spec_domtrans_to(fileopdomain)
 
-allow fileop_t fileop_exec_t:file entrypoint;
+domain_entry_file(fileop_t, fileop_exec_t)
 domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)
 allow test_fileop_t fileop_t:fd use;
 allow fileop_t test_fileop_t:fd use;
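
Review bot: The new line `domain_entry_file(fileop_t, fileop_exec_t)` has no comment saying why the macro replaces the single `entrypoint` rule, and the commit message says "both permissions" without naming the second one. The AVC quoted above shows it is `execute`, so name `entrypoint` and `execute` explicitly in the message, and add a one-line policy comment above the macro noting that the new domain needs `execute` on its entry file since commit 9f834ec18def. If the macro grants anything beyond those two permissions on fileop_exec_t, confirm that no file/test subtest that expects a denial against that type is affected.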
-- 
2.7.4
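
The denial quoted in the message can be reduced mechanically to the rule the test policy was missing. The following is an added example, not part of the original post or of selinux-testsuite; the function names are hypothetical, and the `comm`/`path` comparison is an assumed heuristic for spotting "new domain lacks execute on its own entry file", not something the kernel reports directly.

```python
import os
import re

# AVC record quoted in the message above, joined onto one line.
AVC = ('type=AVC msg=audit(1473785577.548:448): avc:  denied  { execute } for '
       'pid=2336 comm="wait_io" '
       'path="/root/sources/selinux-testsuite/tests/file/wait_io" '
       'dev="sda3" ino=399656 '
       'scontext=unconfined_u:unconfined_r:fileop_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:fileop_exec_t:s0 '
       'tclass=file permissive=0')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest'))
    rec = {key: value.strip('"') for key, value in pairs}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    return rec

def selinux_type(context):
    """Extract the type from user:role:type[:level]; the level may contain ':'."""
    return context.split(':', 3)[2]

def missing_rule(rec):
    """Render the raw allow rule that would have permitted this access."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (selinux_type(rec['scontext']),
                                   selinux_type(rec['tcontext']),
                                   rec['tclass'], perm_str)

def is_entry_file_execute(rec):
    """Heuristic (assumption): the denied file is the program being run,
    i.e. comm matches the path's basename (comm is capped at 15 chars)."""
    return (rec['result'] == 'denied' and rec['tclass'] == 'file'
            and 'execute' in rec['perms']
            and os.path.basename(rec.get('path', ''))[:15] == rec.get('comm'))

if __name__ == '__main__':
    record = parse_avc(AVC)
    print(missing_rule(record), '| entry-file execute:', is_entry_file_execute(record))
```

The output is the raw rule only; the patch covers the same access through the `domain_entry_file()` macro rather than a second handcoded rule.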
