On 1/14/20 8:46 AM, Stephen Smalley wrote:
On 1/14/20 8:39 AM, Richard Haines wrote:
On Tue, 2020-01-14 at 08:30 -0500, Stephen Smalley wrote:
On 1/14/20 7:28 AM, Richard Haines wrote:
These tests should cover all the areas in selinux/hooks.c that touch
the 'filesystem' class. Each hooks.c function is listed in the 'test'
script as there are some permissions that are checked in multiple
places.
Tested on Fedora 31 and Rawhide (5.5 for the new watch perm).
V4 Changes:
1) Test non-name based type transition rule.
2) Test two different name-based type transition rules that only
differ in name.
Sorry, I guess my wording was confusing. What I meant was that the
inputs to the two name-based type transition rules were identical
except for the name, but you would want them to have different
output/result types so that you can tell whether it actually
distinguished them.
So would this be ok as policy rules:
type_transition test_filesystem_t test_filesystem_t:file
test_filesystem_filenametranscon1_t "name_trans_test_file1";
type_transition test_filesystem_t test_filesystem_t:file
test_filesystem_filenametranscon2_t "name_trans_test_file2";
Yes. It looks a little odd in that usually the source context is a
process context and the target context is a parent directory context so
it is unusual that they'd be the same in any real-world policy
(generally that would only happen for /proc/pid and you can't create
files there). But I guess that's a side effect of the way the other
tests work / using context mounts?
That's fine btw - no need to change it, just noting it.