On Tue, Sep 13, 2016 at 2:57 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 4.8-rc5, Paul Moore reported the following test failure:
>
> file/test ............... 8/16 # Test 8 got: "256" (file/test at line 85)
> file/test ............... Failed 1/16 subtests
>
> ... this happens to be the SIGIO/good test. Running the test by hand
> yields the following AVC:
>
> type=AVC msg=audit(1473785577.548:448): avc: denied { execute } for
> pid=2336 comm="wait_io"
> path="/root/sources/selinux-testsuite/tests/file/wait_io"
> dev="sda3" ino=399656
> scontext=unconfined_u:unconfined_r:fileop_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:fileop_exec_t:s0
> tclass=file permissive=0
>
> commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 ("binfmt_elf: switch to new
> creds when switching to new mm") moved the switching of credentials before
> mapping the executable, and therefore triggers a file execute check between
> the new domain and the executable type on domain transitions.
>
> Switch the test policy to use domain_entry_file() rather than a
> handcoded allow rule, thereby allowing both permissions.
>
> Reported-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
> policy/test_file.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Great, thanks for fixing that while I was at lunch :)

I can confirm that this fixes the problem.

> diff --git a/policy/test_file.te b/policy/test_file.te
> index eb93a49..24c8b16 100644
> --- a/policy/test_file.te
> +++ b/policy/test_file.te
> @@ -66,7 +66,7 @@ userdom_sysadm_entry_spec_domtrans_to(fileopdomain) > corecmd_bin_entry_type(fileopdomain) > sysadm_bin_spec_domtrans_to(fileopdomain) > > -allow fileop_t fileop_exec_t:file entrypoint; > +domain_entry_file(fileop_t, fileop_exec_t) > domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t) > allow test_fileop_t fileop_t:fd use; > allow fileop_t test_fileop_t:fd use; > -- > 2.7.4 -- paul moore www.paul-moore.com _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
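Review bot: the switch from `allow fileop_t fileop_exec_t:file entrypoint;` to `domain_entry_file(fileop_t, fileop_exec_t)` fixes only this one domain, while the kernel change described in the commit message applies to every domain transition, so any other test module in policy/ that still grants a bare `entrypoint` with a hand-coded allow rule will fail the same way on 4.8-rc5; worth grepping the tree for `:file entrypoint;` and converting the remaining ones in the same series rather than waiting for each test to trip over it. The argument order (domain, entrypoint type) matches the interface, the call correctly has no trailing semicolon, and leaving `domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)` untouched is right, since the transition rule itself is not what the new execute check is evaluated against.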
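The AVC record quoted above is the whole story of the failure: a denial of `execute` from the new domain fileop_t to the executable type fileop_exec_t on class file. The following is an added example, not code from the thread or from the selinux-testsuite, that parses such AVC records, derives the minimal allow rule they imply, and, for an execute denial on a file type that looks like a domain entrypoint, suggests the `domain_entry_file()` form Stephen's patch uses instead of a bare allow rule. The only sample input that is not taken from the mail is a constructed multi-permission record used to exercise the `{ a b }` form; the `_exec_t` suffix test is a heuristic based on the naming convention, not something the thread states.

```python
"""Parse SELinux AVC denial records and derive the policy rule they imply."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# AVC record quoted in Stephen Smalley's mail above (not constructed).
SAMPLE_AVC = (
    'type=AVC msg=audit(1473785577.548:448): avc: denied { execute } for '
    'pid=2336 comm="wait_io" '
    'path="/root/sources/selinux-testsuite/tests/file/wait_io" '
    'dev="sda3" ino=399656 '
    'scontext=unconfined_u:unconfined_r:fileop_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fileop_exec_t:s0 '
    'tclass=file permissive=0'
)

# Constructed record (not from the thread) with two denied permissions,
# so the braced-permission-set output path gets exercised.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1473785600.000:449): avc: denied { read write } for '
    'pid=2400 comm="rw_test" scontext=unconfined_u:unconfined_r:test_a_t:s0 '
    'tcontext=system_u:object_r:test_b_t:s0 tclass=file permissive=1'
)

# "avc: denied { perm perm ... } for <key=value fields>"
_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs; values are either double-quoted or a run of non-space chars
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    decision: str           # "denied" or "granted"
    perms: List[str]        # permissions inside the braces
    fields: Dict[str, str]  # scontext, tcontext, tclass, comm, path, ...

    @property
    def source_type(self) -> str:
        # user:role:type[:range] -> the type is always the third component
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self) -> str:
        return self.fields['tcontext'].split(':')[2]

    @property
    def tclass(self) -> str:
        return self.fields['tclass']

    @property
    def permissive(self) -> bool:
        # permissive=1 means the access was logged but not actually blocked
        return self.fields.get('permissive') == '1'


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for an AVC line, or None for any other audit record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    decision, perm_str, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return AvcRecord(decision, perm_str.split(), fields)


def allow_rule(rec: AvcRecord) -> str:
    """The minimal TE allow rule that would satisfy this denial."""
    perms = rec.perms[0] if len(rec.perms) == 1 else '{ ' + ' '.join(rec.perms) + ' }'
    return f'allow {rec.source_type} {rec.target_type}:{rec.tclass} {perms};'


def suggest_fix(rec: AvcRecord) -> str:
    """Prefer the refpolicy interface when the denial is a domain-entry execute.

    Heuristic (assumption): a file type ending in _exec_t is a domain entrypoint,
    so the right fix is domain_entry_file(), as in the patch above, rather than
    granting execute on its own.
    """
    if (rec.tclass == 'file' and rec.perms == ['execute']
            and rec.target_type.endswith('_exec_t')):
        return f'domain_entry_file({rec.source_type}, {rec.target_type})'
    return allow_rule(rec)


def fixes_for(lines: Iterable[str]) -> List[str]:
    """Deduplicated suggestions for every real (non-permissive) denial in a log."""
    out: List[str] = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.decision != 'denied' or rec.permissive:
            continue
        fix = suggest_fix(rec)
        if fix not in out:
            out.append(fix)
    return out


if __name__ == '__main__':
    for fix in fixes_for([SAMPLE_AVC, CONSTRUCTED_AVC, SAMPLE_AVC]):
        print(fix)
```

Run against the quoted record the script prints `domain_entry_file(fileop_t, fileop_exec_t)`, the exact line the patch adds; the constructed permissive=1 record is skipped by `fixes_for` because nothing was actually blocked, which is the check worth keeping in mind when reading a log from a permissive test box.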