On Fri, May 8, 2020 at 5:42 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
> refpolicy does not define an unconfined_devpts_t type instead
> assigning user_devpts_t to unconfined ptys. Switch to using ptynode
> in the test policy to provide compatibility across both refpolicy and
> Fedora. ptynode is an attribute that includes all pty types.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
> policy/test_policy.if | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/test_policy.if b/policy/test_policy.if
> index cefc8fb..f0400f5 100644
> --- a/policy/test_policy.if
> +++ b/policy/test_policy.if
> @@ -29,7 +29,7 @@
> interface(`unconfined_runs_test',`
> gen_require(`
> type unconfined_t;
> - type unconfined_devpts_t;
> + attribute ptynode;
> role unconfined_r;
> ')
>
> @@ -38,7 +38,7 @@ interface(`unconfined_runs_test',`
> role unconfined_r types $1;
> # Report back from the test domain to the caller.
> allow $1 unconfined_t:fd use;
> - allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr };
> + allow $1 ptynode:chr_file { read write ioctl getattr };
How about using term_use_all_ptys($1) instead? It allows a few extra
permissions (open, append, lock), but it doesn't seem to influence the
tests. It would allow us to remove the 'attribute ptynode' from the
gen_require block.
> allow $1 unconfined_t:fifo_file { read write ioctl getattr };
> allow $1 unconfined_t:process { sigchld };
>
> --
> 2.23.1
>
--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
