On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
That should allow running selinux-testsuite with the sysadm module
disabled.
Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
policy/test_global.te | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/policy/test_global.te b/policy/test_global.te
index aceac48..3862ee7 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -25,12 +25,21 @@ optional_policy(`
dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh };
')
-gen_require(`
- role sysadm_r;
-')
+optional_policy(`
+ gen_require(`
+ role sysadm_r;
+ ')
+
+ # Authorize sysadm_r for the test domains.
+ role sysadm_r types testsuite_domain;
-# Authorize sysadm_r for the test domains.
-role sysadm_r types testsuite_domain;
+ # Allow the test domain to be entered from sysadm_t
+ sysadm_entry_spec_domtrans_to(testsuite_domain)
+
+ # Let sysadm_t use runcon to run the test programs in various domains.
+ #allow sysadm_t self:process setexec;
+ #selinux_get_fs_mount(sysadm_t)
+')
These commented out rules can probably just be removed entirely instead
of being moved into the optional block?
-Daniel
# Allow the test domains to access the sysadm terminal.
# This allows read and write sysadm ttys and ptys.
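Review bot: the commented-out rules carried into the optional block at `+ #allow sysadm_t self:process setexec;` and `+ #selinux_get_fs_mount(sysadm_t)` are dead policy, so dropping them (as already suggested above) would keep the optional block down to the three live statements. A short comment above `+optional_policy(`` saying the block is conditional on the sysadm module would also help readers see why `role sysadm_r types testsuite_domain;` and `sysadm_entry_spec_domtrans_to(testsuite_domain)` are no longer unconditional. Finally, the unchanged context comment "# Allow the test domains to access the sysadm terminal." now sits outside the optional block while the sysadm-specific rules moved inside it, so it may be worth rewording to avoid implying the rule below depends on sysadm.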
@@ -40,17 +49,10 @@ term_use_all_terms(testsuite_domain)
allow testsuite_domain init_t:fd use;
allow testsuite_domain initrc_t:fd use;
-# Allow the test domain to be entered from sysadm_t
-sysadm_entry_spec_domtrans_to(testsuite_domain)
-
# Allow the test domains to access the test directory and files
# even if they are not root owned.
allow testsuite_domain self:capability { dac_override dac_read_search };
-# Let sysadm_t use runcon to run the test programs in various domains.
-#allow sysadm_t self:process setexec;
-#selinux_get_fs_mount(sysadm_t)
-
# Let all test domains read test directories and files and to use test
# files as entry points.
miscfiles_read_test_files(testsuite_domain)
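Review bot: the deletions here are exactly the lines re-added inside the optional block in the previous hunk (`sysadm_entry_spec_domtrans_to(testsuite_domain)` and the two commented `sysadm_t` rules), so this is a pure move and no rule is lost. The one behavioural change is that the sysadm_t entry transition into testsuite_domain becomes conditional on the sysadm module being present; the commit message should say so explicitly, since any test that enters the test domains from sysadm_t now depends on that block being built.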