Some of the overlay tests assume that files inherit their MCS/MLS labels from the parent directory rather than the process. This is true on Fedora which defines defaultrange rules for this purpose but not in refpolicy. Add the defaultrange rules explicitly to the test policy as a CIL module to provide consistent behavior on Debian. Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> --- policy/Makefile | 2 +- policy/test_overlay_defaultrange.cil | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 policy/test_overlay_defaultrange.cil diff --git a/policy/Makefile b/policy/Makefile index 8f43427..17e9da3 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -36,7 +36,7 @@ SUPPORTS_CIL = n endif ifeq ($(SUPPORTS_CIL),y) -CIL_TARGETS = test_mlsconstrain.cil +CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil ifeq ($(shell [[ $(MAX_KERNEL_POLICY) -ge 32 && $(POL_VERS) -ge 32 ]] && echo true),true) # If other MLS tests get written this can be moved outside of the glblub test ifeq ($(POL_TYPE), MLS) diff --git a/policy/test_overlay_defaultrange.cil b/policy/test_overlay_defaultrange.cil new file mode 100644 index 0000000..d1c18db --- /dev/null +++ b/policy/test_overlay_defaultrange.cil @@ -0,0 +1,7 @@ +(defaultrange file target low) +(defaultrange dir target low) +(defaultrange lnk_file target low) +(defaultrange chr_file target low) +(defaultrange blk_file target low) +(defaultrange sock_file target low) +(defaultrange fifo_file target low) -- 2.23.1
