On 12/17/19 8:44 AM, Richard Haines wrote:
The global test policy allows process { setfscreate } for all tests.
To test this permission specifically, it needs to be removed globally and
the test policies that rely on it (mkdir & mac_admin) updated to grant it.
Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
policy/test_global.te | 1 -
policy/test_mac_admin.te | 2 ++
policy/test_mkdir.te | 2 ++
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/test_global.te b/policy/test_global.te
index 90f9b65..97f51e4 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -38,7 +38,6 @@ allow testdomain self:process setcurrent;
#domain_dyntrans_type(testdomain)
#selinux_get_fs_mount(testdomain)
allow testdomain self:process setexec;
-allow testdomain self:process setfscreate;
# General permissions commonly required for test operation.
# general_domain_access
diff --git a/policy/test_mac_admin.te b/policy/test_mac_admin.te
index 579a017..790a731 100644
--- a/policy/test_mac_admin.te
+++ b/policy/test_mac_admin.te
@@ -10,6 +10,7 @@ domain_type(test_mac_admin_t)
unconfined_runs_test(test_mac_admin_t)
typeattribute test_mac_admin_t mac_admintestdomain;
typeattribute test_mac_admin_t testdomain;
+allow test_mac_admin_t self:process { setfscreate };
# Relabeling a file to an undefined label remaps it to the unlabeled context,
# which may have a different SELinux user identity (e.g. system_u).
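Review bot: The added `allow test_mac_admin_t self:process { setfscreate };` has no comment saying which test operation needs it. Now that the permission is no longer inherited through `testdomain`, the policy file alone does not explain why the rule is there. The test scripts are not part of this patch, so this is inferred, but a line such as `# Test creates objects with an explicit fscreate context; no longer granted globally via testdomain.` above the rule would record the reason. The same applies to the `test_create_t` rule added in policy/test_mkdir.te. As a minor style point, test_global.te writes single-permission rules without braces (`allow testdomain self:process setexec;`), so the braces here could be dropped for consistency.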
@@ -26,6 +27,7 @@ domain_type(test_no_mac_admin_t)
unconfined_runs_test(test_no_mac_admin_t)
typeattribute test_no_mac_admin_t mac_admintestdomain;
typeattribute test_no_mac_admin_t testdomain;
+allow test_no_mac_admin_t self:process { setfscreate };
# See above.
domain_obj_id_change_exemption(test_no_mac_admin_t)
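Review bot: The rule `allow test_no_mac_admin_t self:process { setfscreate };` is added to a negative-case domain with no comment explaining that it must stay. If a later cleanup drops it, the operation would presumably still fail, but on a setfscreate denial rather than on the permission the test is meant to check, so the test would keep passing for the wrong reason. I would add `# Keep setfscreate so the expected failure comes from the missing mac_admin permission, not from a setfscreate denial.` above the rule. The same reasoning applies to `test_nocreate_t` in policy/test_mkdir.te, where the expected denial appears to be the missing `create` on `test_create_dir_t:dir`. Having the negative tests also check the AVC denial in the audit log, if they do not already, would make this robust.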
diff --git a/policy/test_mkdir.te b/policy/test_mkdir.te
index 1410a96..a5ba9b1 100644
--- a/policy/test_mkdir.te
+++ b/policy/test_mkdir.te
@@ -45,6 +45,7 @@ unconfined_runs_test(test_create_t)
typeattribute test_create_t test_mkdir_domain;
typeattribute test_create_t testdomain;
domain_obj_id_change_exemption(test_create_t)
+allow test_create_t self:process { setfscreate };
allow test_create_t test_mkdir_dir_t:dir { search getattr write add_name };
allow test_create_t test_create_dir_t:dir { search getattr write create };
@@ -56,6 +57,7 @@ unconfined_runs_test(test_nocreate_t)
typeattribute test_nocreate_t test_mkdir_domain;
typeattribute test_nocreate_t testdomain;
domain_obj_id_change_exemption(test_nocreate_t)
+allow test_nocreate_t self:process { setfscreate };
allow test_nocreate_t test_mkdir_dir_t:dir { search getattr write add_name };
allow test_nocreate_t test_create_dir_t:dir { search getattr };