On Wed, May 6, 2020 at 11:14 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: [...] > --- > v2 improves the patch description and README.md and tries to provide > greater compatibility with older systems. NB One must set SUPPORTS_CIL > to n to disable loading the CIL modules; the alternative would be > some kind of package version test but doing so in a distro-agnostic > and backward-compatible manner looks painful. Thanks! As I said in another reply, I agree that CIL support detection wouldn't be worth it here. > > README.md | 66 +++++++++++++++++++++++++++- > policy/Makefile | 13 +++++- > policy/test_capable_net.te | 2 - > policy/test_execute_no_trans.te | 3 +- > policy/test_filesystem.te | 1 + > policy/test_global.te | 1 + > policy/test_ibendport.te | 9 ++-- > policy/test_inet_socket.te | 22 +++++----- > policy/test_mlsconstrain.cil | 2 + > policy/test_overlay_defaultrange.cil | 7 +++ > policy/test_overlayfs.te | 1 + > policy/test_policy.if | 4 +- > policy/test_sctp.te | 1 + > tests/cap_userns/test | 8 ++++ > tests/filesystem/test | 2 +- > tests/fs_filesystem/test | 2 +- > tests/mmap/test | 49 ++++++++++++++------- > 17 files changed, 149 insertions(+), 44 deletions(-) > create mode 100644 policy/test_mlsconstrain.cil > create mode 100644 policy/test_overlay_defaultrange.cil [...] > diff --git a/policy/test_execute_no_trans.te b/policy/test_execute_no_trans.te > index 79ba868..2c0346a 100644 > --- a/policy/test_execute_no_trans.te > +++ b/policy/test_execute_no_trans.te 
> @@ -24,4 +24,5 @@ userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t) > > #Allow test_execute_notrans permissions to the allowed type > can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t) > -allow test_execute_notrans_t test_execute_notrans_denied_t:file mmap_file_perms; > +allow_map(test_execute_notrans_t, test_execute_notrans_denied_t, file) > +allow test_execute_notrans_t test_execute_notrans_denied_t:file { getattr open read }; An alternative solution could be to use "mmap_file_perms" unless it is not defined, in which case we can assume a non-legacy policy and use the proper "mmap_exec_file_perms". But I'm fine with your approach as well if you don't want to change it. -- Ondrej Mosnacek <omosnace at redhat dot com> Software Engineer, Security Technologies Red Hat, Inc.
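Review bot: the `#Allow test_execute_notrans permissions to the allowed type` comment in the test_execute_no_trans.te hunk now sits directly above two rules for test_execute_notrans_denied_t, so the denied-type rules need a comment of their own stating why the type the test expects to be denied still gets map plus { getattr open read } while only the allowed type gets can_exec(). It is also worth confirming that allow_map(...) together with { getattr open read } grants exactly what the removed mmap_file_perms line did on every policy version the testsuite supports; if the old macro covered anything beyond those four permissions, say in the commit message that the narrowing is intentional.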
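One way to write the version-dependent rule the reply describes, as an added example that is not part of the patch or of the testsuite: m4's ifdef() keys on whether the refpolicy headers in use still define mmap_file_perms. It assumes the .te file is preprocessed by m4 with the refpolicy support files loaded (as the refpolicy devel Makefile does), so that the permission-set macros are visible at that point; the type names are the ones from the hunk above.

```m4
# Added example, not from the patch: choose the permission set by testing
# which refpolicy macro exists instead of hard-coding one of them.
# Assumes this .te is run through m4 with the refpolicy support files
# loaded, so mmap_file_perms is only defined on older policies.
ifdef(`mmap_file_perms', `
	# Older refpolicy: mmap_file_perms is still defined, keep using it.
	allow test_execute_notrans_t test_execute_notrans_denied_t:file mmap_file_perms;
', `
	# Newer refpolicy without mmap_file_perms: fall back to
	# mmap_exec_file_perms, as suggested in the reply above.
	allow test_execute_notrans_t test_execute_notrans_denied_t:file mmap_exec_file_perms;
')
```

The branch that is taken depends only on the headers the module is built against, so no package version test is needed; the trade-off is that the two branches grant different permission sets, which is the same point the explicit allow_map() plus { getattr open read } split avoids.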