On Mon, Sep 30, 2019 at 3:24 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > On 9/30/19 6:48 AM, Ondrej Mosnacek wrote: > > Use userdom_search_generic_user_home_dirs(), which is always defined, > > and redefine it to match what overlayfs was doing (just in case), > > > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > --- > > policy/test_overlayfs.te | 6 ++---- > > policy/test_policy.if | 9 +++++++-- > > 2 files changed, 9 insertions(+), 6 deletions(-) > > > > diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te > > index 6f1756e..f56ef78 100644 > > --- a/policy/test_overlayfs.te > > +++ b/policy/test_overlayfs.te > > @@ -50,8 +50,7 @@ fs_mount_xattr_fs(test_overlay_mounter_t) > > corecmd_shell_entry_type(test_overlay_mounter_t) > > corecmd_exec_bin(test_overlay_mounter_t) > > > > -userdom_search_admin_dir(test_overlay_mounter_t) > > -userdom_search_user_home_content(test_overlay_mounter_t) > > +userdom_search_generic_user_home_dirs(test_overlay_mounter_t) > > > > mount_exec(test_overlay_mounter_t) > > mount_rw_pid_files(test_overlay_mounter_t) > > @@ -122,8 +121,7 @@ corecmd_exec_bin(test_overlay_client_t) > > kernel_read_system_state(test_overlay_client_t) > > kernel_read_proc_symlinks(test_overlay_client_t) > > > > -userdom_search_admin_dir(test_overlay_client_t) > > -userdom_search_user_home_content(test_overlay_client_t) > > +userdom_search_generic_user_home_dirs(test_overlay_client_t) > > > > fs_getattr_xattr_fs(test_overlay_client_t) > > > > diff --git a/policy/test_policy.if b/policy/test_policy.if > > index 5f4000f..40e7499 100644 > > --- a/policy/test_policy.if > > +++ b/policy/test_policy.if 
> > @@ -61,8 +61,13 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',` > > ') > > ') > > > > -ifdef(`userdom_search_generic_user_home_dirs', `', ` dnl > > +ifdef(`userdom_search_admin_dir', ` dnl > > interface(`userdom_search_generic_user_home_dirs', ` > > - userdom_search_user_home_dirs($1) > > + userdom_search_user_home_content($1) > > + userdom_search_admin_dir($1) > > +') > > +', ` dnl > > +interface(`userdom_search_generic_user_home_dirs', ` > > + userdom_search_user_home_content($1) > > ') > > ') > > Previously, if userdom_search_generic_user_home_dirs() was defined by > the base policy (as it used to be), we would use that definition, else > we would use userdom_search_user_home_dirs(). After, we will always > redefine it, and the redefinition is more expansive than just search > access to $HOME and its ancestors in the hierarchy. Might not affect > the tests themselves but it seems a bit confusing. You're right, I'm mixing up the semantics too much. Let me see if I can handle this more nicely... -- Ondrej Mosnacek <omosnace at redhat dot com> Software Engineer, Security Technologies Red Hat, Inc.
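Review bot: on the hunk at @@ -50,8 in policy/test_overlayfs.te (and the identical change at @@ -122,8 for test_overlay_client_t), the commit message justifies the admin-dir access only with "just in case", but the swap from `-userdom_search_admin_dir(test_overlay_mounter_t)` to `+userdom_search_generic_user_home_dirs(test_overlay_mounter_t)` turns an unconditional grant into one that is only applied when the ifdef in test_policy.if finds userdom_search_admin_dir; on a base policy without that interface the mounter and client domains silently lose search access on the admin home (admin_home_t, /root in refpolicy), which matters if the overlayfs test tree is created under /root. Please state in the commit message which test paths actually need admin-dir search, or drop that rule from the wrapper if none do, so the behaviour on both kinds of base policy is the intended one rather than an accident of which interfaces happen to exist.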
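Review bot: on the hunk at @@ -61,8 in policy/test_policy.if, the new outer test `+ifdef(`userdom_search_admin_dir', ` dnl` drops the guard `-ifdef(`userdom_search_generic_user_home_dirs', `', ` dnl` that previously skipped the local definition when the base policy already provides userdom_search_generic_user_home_dirs, so on such a base policy this file now defines the interface a second time; depending on how the policy's interface() macro treats a duplicate name that is either a build error or a silent shadowing of the base definition with a broader one (user home content plus admin dir instead of search on $HOME and its ancestors). Suggest keeping the outer ifdef on userdom_search_generic_user_home_dirs as before, and if the extra userdom_search_admin_dir access is really needed, adding it under a test-local name (for example test_overlay_search_home_dirs, a hypothetical name) called from test_overlayfs.te, so the base interface keeps its documented meaning. Also, both branches call `userdom_search_user_home_content($1)` unconditionally while only userdom_search_admin_dir is probed, so the "always defined" claim in the commit message rests on userdom_search_user_home_content existing in every supported base policy; worth saying so explicitly.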