On Mon, Nov 18, 2019 at 3:06 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > On 11/18/19 7:30 AM, Ondrej Mosnacek wrote: > > dev_rw_infiniband_dev() and mount_rw_pid_files() are not defined in > > refpolicy. Fall back to dev_rw_generic_files() and > > mount_rw_runtime_files() if they are not defined. > > > > Also, userdom_search_admin_dir() is not defined in refpolicy because it > > doesn't have admin_home_t. Fall back to > > userdom_search_user_home_content(), which should apply for root's home > > directory under refpolicy. > > > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > Is there a reason you didn't make the changes I suggested to > dev_rw_infiniband_dev()? No, sorry, I forgot to address that part... again :| > > > --- > > policy/test_policy.if | 21 +++++++++++++++++++++ > > 1 file changed, 21 insertions(+) > > > > diff --git a/policy/test_policy.if b/policy/test_policy.if > > index 939cd7e..38214a9 100644 > > --- a/policy/test_policy.if > > +++ b/policy/test_policy.if > > @@ -60,3 +60,24 @@ interface(`userdom_sysadm_entry_spec_domtrans_to',` > > allow $1 sysadm_t:process sigchld; > > ') > > ') > > + > > +# Workarounds for refpolicy: > > + > > +ifdef(`dev_rw_infiniband_dev', `', ` dnl > > +interface(`dev_rw_infiniband_dev', ` > > + dev_rw_generic_files($1) > > +') > > +') > > + > > +ifdef(`mount_rw_pid_files', `', ` dnl > > +interface(`mount_rw_pid_files', ` > > + mount_rw_runtime_files($1) > > +') > > +') > > + > > +# Refpolicy doesn't have admin_home_t - assume /root will be user_home_dir_t. > > +ifdef(`userdom_search_admin_dir', `', ` dnl > > +interface(`userdom_search_admin_dir', ` > > + userdom_search_user_home_content($1) > > +') > > +') > > > -- Ondrej Mosnacek <omosnace at redhat dot com> Software Engineer, Security Technologies Red Hat, Inc.
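Review bot: the `dev_rw_infiniband_dev` fallback in this hunk maps a device-specific interface onto `dev_rw_generic_files($1)`, which by its name grants read/write on generic /dev files rather than on an InfiniBand-specific type. The reply above confirms the changes requested for this interface are still outstanding, so this block should be reworked in the next revision. When doing so, check that the fallback covers the object class of the device nodes the tests actually open and is no wider than the tests need. The third fallback carries a comment explaining its assumption (`/root` being `user_home_dir_t`). The first two would benefit from the same kind of one-line comment saying why `dev_rw_generic_files` and `mount_rw_runtime_files` are acceptable substitutes. Each `ifdef` only tests whether the wrapper name is defined and the fallback interface is called unconditionally, so a policy that lacks both names will still fail to build. If that case matters, nest a second `ifdef` on the fallback name or document that refpolicy is the only other supported base.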