[PATCH] selinux-testsuite: Fix policy to allow process { setfscreate } testing


 



The global test policy allows process { setfscreate } for all tests.
To test this permission specifically, it needs to be removed globally and
the test policies that rely on it (mkdir & mac_admin) need to be updated.

Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
 policy/test_global.te    | 1 -
 policy/test_mac_admin.te | 2 ++
 policy/test_mkdir.te     | 2 ++
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/test_global.te b/policy/test_global.te
index 90f9b65..97f51e4 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -38,7 +38,6 @@ allow testdomain self:process setcurrent;
 #domain_dyntrans_type(testdomain)
 #selinux_get_fs_mount(testdomain)
 allow testdomain self:process setexec;
-allow testdomain self:process setfscreate;
 
 # General permissions commonly required for test operation.
 # general_domain_access
diff --git a/policy/test_mac_admin.te b/policy/test_mac_admin.te
index 579a017..790a731 100644
--- a/policy/test_mac_admin.te
+++ b/policy/test_mac_admin.te
@@ -10,6 +10,7 @@ domain_type(test_mac_admin_t)
 unconfined_runs_test(test_mac_admin_t)
 typeattribute test_mac_admin_t mac_admintestdomain;
 typeattribute test_mac_admin_t testdomain;
+allow test_mac_admin_t self:process { setfscreate };
 
 # Relabeling a file to an undefined label remaps it to the unlabeled context,
 # which may have a different SELinux user identity (e.g. system_u).
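Review bot: The added `allow test_mac_admin_t self:process { setfscreate };` carries no comment saying why this domain needs the permission, and the same holds for the rules added for test_no_mac_admin_t in the next hunk and for test_create_t and test_nocreate_t in policy/test_mkdir.te. Now that the grant is per domain rather than global, a one-line comment such as `# Required so the test can set its file creation context.` above each rule would keep a later cleanup from dropping it. That wording assumes the tests set a creation context, which the patch itself does not show. The braces around a single permission are harmless but differ from the unbraced form of the rule removed from policy/test_global.te.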
@@ -26,6 +27,7 @@ domain_type(test_no_mac_admin_t)
 unconfined_runs_test(test_no_mac_admin_t)
 typeattribute test_no_mac_admin_t mac_admintestdomain;
 typeattribute test_no_mac_admin_t testdomain;
+allow test_no_mac_admin_t self:process { setfscreate };
 
 # See above.
 domain_obj_id_change_exemption(test_no_mac_admin_t)
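Review bot: test_no_mac_admin_t appears to be the domain for a test that is expected to fail, and once the global rule is gone such a test cannot tell the intended denial from a missing setfscreate. This patch grants the permission here and to test_nocreate_t in policy/test_mkdir.te, but any other testdomain whose negative test sets a file creation context would keep passing for the wrong reason. Nothing in the patch shows that the remaining policy files were checked for this. The commit message could say that they were audited, and a comment such as `# Keep setfscreate so the expected failure comes from the missing mac_admin permission.` above this rule would record the intent.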
diff --git a/policy/test_mkdir.te b/policy/test_mkdir.te
index 1410a96..a5ba9b1 100644
--- a/policy/test_mkdir.te
+++ b/policy/test_mkdir.te
@@ -45,6 +45,7 @@ unconfined_runs_test(test_create_t)
 typeattribute test_create_t test_mkdir_domain;
 typeattribute test_create_t testdomain;
 domain_obj_id_change_exemption(test_create_t)
+allow test_create_t self:process { setfscreate };
 allow test_create_t test_mkdir_dir_t:dir { search getattr write add_name };
 allow test_create_t test_create_dir_t:dir { search getattr write create };
 
@@ -56,6 +57,7 @@ unconfined_runs_test(test_nocreate_t)
 typeattribute test_nocreate_t test_mkdir_domain;
 typeattribute test_nocreate_t testdomain;
 domain_obj_id_change_exemption(test_nocreate_t)
+allow test_nocreate_t self:process { setfscreate };
 allow test_nocreate_t test_mkdir_dir_t:dir { search getattr write add_name };
 allow test_nocreate_t test_create_dir_t:dir { search getattr };
 
-- 
2.23.0



