On Thu, 2020-01-16 at 10:00 +0100, Ondrej Mosnacek wrote:
> On Wed, Jan 15, 2020 at 10:09 PM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On 1/14/20 9:44 AM, Richard Haines wrote:
> > > Test filesystem permissions, setfscreatecon(3), file { quotaon }
> > > and changing file context via non and name-based type_transition
> > > rules.
> > >
> > > From kernels 5.5 filesystem { watch } is also tested.
> > >
> > > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> >
> > This looks good to me and passes travis-ci and testing on Fedora.
> > Ondrej, how does it fare on RHEL?
>
> Thanks for asking! Unfortunately the policy fails to build on RHEL-6
> due to lack of support for filename-based transitions... That part of
> the test needs to be somehow conditioned on $(MOD_POL_VERS) >= 11 and
> $(POL_VERS) >= 25. After I removed the two filetrans rules, only the
> expected two subtests failed, so the rest seems to be fine.

Okay, I'll fix this. I'm also reworking the policy to make some of the
contexts a bit more sensible. Also trying to differentiate between these
in the audit log for denials:

hooks.c may_context_mount_inode_relabel() FILESYSTEM__ASSOCIATE
    type: test_filesystem_inode_relabel_no_associate_t

hooks.c may_create() FILESYSTEM__ASSOCIATE
    type: test_filesystem_may_create_no_associate_t

hooks.c selinux_inode_setxattr() FILESYSTEM__ASSOCIATE
    type: test_filesystem_inode_setxattr_no_associate_t

hooks.c may_context_mount_inode_relabel() FILESYSTEM__RELABELFROM
    type: test_filesystem_no_inode_no_relabelfrom_t

hooks.c may_context_mount_sb_relabel() FILESYSTEM__RELABELFROM
    type: test_filesystem_sb_relabel_no_relabelfrom_t
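The build failure Ondrej describes comes from name-based type_transition rules, which older policy toolchains cannot compile. The script below is an added example, not code from this thread or from the selinux-testsuite: it emits a policy fragment in which the name-based rule is included only when the kernel policy version is at least 25 and the module policy version is at least 11, the thresholds given in the thread. The version variables follow the $(POL_VERS) / $(MOD_POL_VERS) names from the message; the type names and the "test_file" filename are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate filename-based type_transition rules on policy version.
# Thresholds taken from the thread: POL_VERS >= 25 and MOD_POL_VERS >= 11.
# Type names and the filename "test_file" are constructed, not from the testsuite.

# Return 0 when the toolchain can compile name-based transitions.
# $1 = POL_VERS (kernel policy version), $2 = MOD_POL_VERS (module policy version)
supports_filetrans() {
    [ "$1" -ge 25 ] && [ "$2" -ge 11 ]
}

# Print the .te fragment for the filesystem test. The plain (non-name-based)
# transition is always emitted; the name-based rule is appended only when
# supports_filetrans succeeds, so the policy still builds on older hosts.
gen_filesystem_te() {
    pol_vers=$1
    mod_pol_vers=$2
    cat <<'EOF'
type test_filesystem_t;
type test_filesystem_dir_t;
type test_filesystem_filetrans_t;
# Non-name-based transition: accepted by every policy version.
type_transition test_filesystem_t test_filesystem_dir_t:file test_filesystem_filetrans_t;
EOF
    if supports_filetrans "$pol_vers" "$mod_pol_vers"; then
        cat <<'EOF'
# Name-based transition: requires POL_VERS >= 25 and MOD_POL_VERS >= 11.
type_transition test_filesystem_t test_filesystem_dir_t:file test_filesystem_filetrans_t "test_file";
EOF
    fi
}

# Count the name-based rules in the generated fragment (0 on old toolchains).
# grep -c prints 0 and exits 1 when nothing matches, so force a success status.
count_named_rules() {
    gen_filesystem_te "$1" "$2" | grep -c '"[^"]*";$' || true
}

# Stand-alone run: write the fragment for the versions passed on the command line,
# e.g. ./gen.sh 25 11 (current host) or ./gen.sh 24 10 (RHEL-6-style toolchain).
if [ $# -eq 2 ]; then
    gen_filesystem_te "$1" "$2"
fi
```

In a Makefile the same gate is expressed with `$(shell ...)` on the two variables before adding the rule file to the build list; the script keeps the decision in one function so the same test policy can be generated for both old and new toolchains and the resulting fragments compared.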