On Fri, Jul 29, 2022 at 2:02 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > This series aim for two things: > 1. Refactor the policy so that it is easier to work with. > 2. Leverage the refactoring to fully support running the testsuite > as sysadm_u:sysadm_r:sysadm_t. > > The gist of this work lies in unifying how test domains are defined, > deduplicating the various boilerplate spread out all across the > individual files (and not even used consistently), and in abstracting > the policy caller domain/role away from the individual test policies > into test_general.te. Some tests also had to be massaged to not > hard-code unconfined_* and be generic against the context of the > testsuite caller. > > The series also extends the CI to test running the testsuite as sysadm_* > and also verify that no unconfined_t/sysadm_t unexpected denials are > produced (which would usually indicate a missing dontaudit rule in the > testsuite policy). Lol, I got a bounce for patches 4 and 5 because they are too long :D Hopefully the list owners can approve them manually. If not, I'll submit this series as a GitHub PR and post a link here. -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
