This series aims for two things:

1. Refactor the policy so that it is easier to work with.
2. Leverage the refactoring to fully support running the testsuite as
   sysadm_u:sysadm_r:sysadm_t.

The gist of this work lies in unifying how test domains are defined,
deduplicating the various boilerplate spread out all across the individual
files (and not even used consistently), and in abstracting the policy caller
domain/role away from the individual test policies into test_general.te.
Some tests also had to be massaged to not hard-code unconfined_* and be
generic against the context of the testsuite caller.

The series also extends the CI to test running the testsuite as sysadm_*
and also verify that no unconfined_t/sysadm_t unexpected denials are
produced (which would usually indicate a missing dontaudit rule in the
testsuite policy).

Ondrej Mosnacek (24):
  keys: change test_newcon_key_t to be just an object context
  test_global.te: remove unused role require
  test_global.te: don't add domains to system_r
  policy: refactor declaring test domains
  policy: get rid of unconfined_runs_test()
  test_policy.if: remove weird rule from testsuite_domain_type_minimal()
  policy: move unconfined_t-related dontaudit rule to where it fits better
  policy: move userdom_sysadm_entry_spec_domtrans_to() to general policy
  policy: move miscfiles_domain_entry_test_files() to general policy
  policy: substitute userdom_sysadm_entry_spec_domtrans_to()
  test_general.te: move sysadm-related rules into an optional block
  test_filesystem.te: remove redundant dontaudit rules
  test_filesystem.te: remove suspicious rules
  tests/nnp_nosuid: avoid hardcoding unconfined_t in the policy
  tests/*filesystem: remove weird uses of unconfined_t
  policy: remove last hardcoded references to unconfined_t
  test_general.te: generalize the dontaudit rule
  policy: don't audit testsuite programs searching the caller's keys
  ci: check for unconfined_t AVCs
  tests/binder: check only the type part of the context
  tests/overlay: don't hard-code SELinux user of the caller
  policy: give sysadm_t perms needed to run quotacheck(8)
  tests/vsock_socket: use modprobe to check vsock availability
  ci: add sysadm_t to the test matrix

 .github/workflows/checks.yml | 4 +
 Vagrantfile | 16 +++
 policy/test_atsecure.te | 15 +--
 policy/test_attrib.te | 1 -
 policy/test_binder.te | 38 ++-----
 policy/test_binder_bpf.te | 22 +---
 policy/test_bounds.te | 11 +-
 policy/test_bpf.te | 30 +----
 policy/test_cap_userns.te | 9 +-
 policy/test_capable_file.te | 18 +--
 policy/test_capable_net.te | 8 +-
 policy/test_capable_sys.te | 8 +-
 policy/test_dyntrace.te | 14 +--
 policy/test_dyntrans.te | 17 +--
 policy/test_entrypoint.te | 5 +-
 policy/test_execshare.te | 16 +--
 policy/test_exectrace.te | 16 +--
 policy/test_execute_no_trans.te | 5 +-
 policy/test_extended_socket_class.te | 12 +-
 policy/test_fdreceive.te | 16 +--
 policy/test_fdreceive_bpf.te | 16 +--
 policy/test_file.te | 16 +--
 policy/test_filesystem.te | 99 ++++------------
 policy/test_filesystem_name_trans.te | 4 +-
 policy/test_filesystem_notify.te | 12 +-
 policy/test_global.te | 157 ++++++++++++++++++---------
 policy/test_ibendport.te | 8 +-
 policy/test_ibpkey.te | 8 +-
 policy/test_inet_socket.te | 44 ++------
 policy/test_inherit.te | 20 +---
 policy/test_ioctl.te | 10 +-
 policy/test_ioctl_xperms.te | 8 +-
 policy/test_ipc.te | 18 +--
 policy/test_key_socket.te | 26 +----
 policy/test_keys.te | 104 ++++-------------
 policy/test_link.te | 24 +---
 policy/test_mac_admin.te | 9 +-
 policy/test_mkdir.te | 20 +---
 policy/test_mmap.te | 79 ++++---------
 policy/test_module_load.te | 47 ++------
 policy/test_mqueue.te | 16 +--
 policy/test_netlink_socket.te | 12 +-
 policy/test_nnp_nosuid.te | 46 ++++----
 policy/test_notify.te | 35 ++----
 policy/test_open.te | 16 +--
 policy/test_overlayfs.te | 15 +--
 policy/test_perf_event.te | 38 ++-----
 policy/test_policy.if | 71 ++++++------
 policy/test_prlimit.te | 20 +---
 policy/test_ptrace.te | 17 +--
 policy/test_readlink.te | 8 +-
 policy/test_relabel.te | 12 +-
 policy/test_rename.te | 32 ++----
 policy/test_rxdir.te | 8 +-
 policy/test_sctp.te | 52 ++------
 policy/test_setattr.te | 8 +-
 policy/test_setnice.te | 13 +--
 policy/test_sigkill.te | 22 +---
 policy/test_stat.te | 8 +-
 policy/test_sysctl.te | 8 +-
 policy/test_task_create.te | 38 +------
 policy/test_task_getpgid.te | 16 +--
 policy/test_task_getsched.te | 16 +--
 policy/test_task_getsid.te | 16 +--
 policy/test_task_setpgid.te | 34 +----
 policy/test_task_setsched.te | 16 +--
 policy/test_transition.te | 15 +--
 policy/test_tun_tap.te | 34 ++---
 policy/test_unix_socket.te | 20 +---
 policy/test_userfaultfd.te | 8 +-
 policy/test_vsock_socket.te | 12 +-
 policy/test_watchkey.te | 14 +--
 tests/binder/binder_common.h | 1 +
 tests/binder/service_provider.c | 31 ++++--
 tests/binder/test | 2 +-
 tests/filesystem/test | 4 +-
 tests/fs_filesystem/test | 4 +-
 tests/keys/test | 2 +-
 tests/nfs_filesystem/test | 4 +-
 tests/nnp_nosuid/test | 45 +++++--
 tests/overlay/setup-overlay | 2 +-
 tests/overlay/test | 34 +++---
 tests/vsock_socket/.gitignore | 1 -
 tests/vsock_socket/Makefile | 2 +-
 tests/vsock_socket/check_vsock.c | 47 -------
 tests/vsock_socket/test | 11 +-
 86 files changed, 550 insertions(+), 1346 deletions(-)
 delete mode 100644 tests/vsock_socket/check_vsock.c

-- 
2.37.1
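The cover letter says the CI now checks that no unexpected AVC denials are produced for the caller domain (unconfined_t or sysadm_t), since such a denial usually points at a missing dontaudit rule in the testsuite policy. The script below is an added example of that kind of check and is not the testsuite's own CI code: it extracts the type field from the scontext of every "denied" AVC record in a file and reports the ones whose source type is unconfined_t or sysadm_t. The audit lines it runs on are constructed for the demonstration, and the function names (sample_avcs, caller_denials) are this example's own.

```shell
#!/bin/sh
# Added example, not the selinux-testsuite's CI script: flag AVC denials
# whose source domain is the testsuite caller (unconfined_t or sysadm_t).

# Constructed audit records for offline use; real input would come from
# e.g. `ausearch -m AVC -ts <start time>` on the test machine.
sample_avcs() {
    cat <<'EOF'
type=AVC msg=audit(1660000000.001:100): avc:  denied  { read } for  pid=1234 comm="test_file" path="/root/x" scontext=unconfined_u:unconfined_r:test_file_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1660000000.002:101): avc:  denied  { search } for  pid=1235 comm="cat" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:test_keys_t:s0 tclass=key permissive=0
type=AVC msg=audit(1660000000.003:102): avc:  granted  { setenforce } for  pid=1 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1660000000.004:103): avc:  denied  { getattr } for  pid=1236 comm="quotacheck" scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:test_filesystem_file_t:s0 tclass=file permissive=0
EOF
}

# caller_denials FILE
# Print every "denied" AVC record in FILE whose scontext type (the third
# colon-separated field, so MLS ranges after it do not matter) is
# unconfined_t or sysadm_t. Denials from test domains such as
# test_file_t are expected by the testsuite and are left out.
caller_denials() {
    grep -E 'avc: +denied' "$1" |
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) {
                split(substr($i, 10), ctx, ":")
                if (ctx[3] == "unconfined_t" || ctx[3] == "sysadm_t")
                    print
            }
        }
    }'
}

# check_caller_denials FILE
# Return 1 (and print the offending records) if any caller denials exist,
# which is the condition a CI job would fail on; return 0 otherwise.
check_caller_denials() {
    hits=$(caller_denials "$1")
    if [ -n "$hits" ]; then
        printf 'unexpected caller-domain AVC denials:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}
```

In a CI job the input file would be the audit log slice covering the test run, and the job would fail when check_caller_denials returns non-zero; the type-only comparison matters because the caller's SELinux user and MLS range differ between the unconfined_u and sysadm_u runs, as the series' own test changes point out.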