On Mon, Jan 16, 2023 at 10:48 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
> files_list_pids() has been superseded and marked deprecated in the
> Reference Policy since Jun 2020[1]. In the latest release it has been
> completely removed[2].
>
> Grant the necessary permissions via raw rules to support recent
> Refpolicy versions as well as old ones without the replacement
> interface files_list_runtime().

It seems the permissions aren't actually needed, at least on current Fedoras. Simply removing the call passes the CI:
https://github.com/WOnder93/selinux-testsuite/commit/d0883a56d2583800a1fa79490097e73b842cec17

Do you have an environment with refpolicy where you can test it? It would be better to just remove the interface call if it's not needed.

>
> [1]: https://github.com/SELinuxProject/refpolicy/commit/be04bb3e7e63671ed8a3c501a2ee76e11c3b92bb
> [2]: https://github.com/SELinuxProject/refpolicy/commit/3ca0cd59d7a9b531dd3620a02940396343fe2ed5
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> policy/test_global.te | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/policy/test_global.te b/policy/test_global.te
> index e95102a..4bf30f8 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
> @@ -121,7 +121,6 @@ allow testsuite_domain proc_t:file { getattr read open };
> files_list_var(testsuite_domain)
> files_list_home(testsuite_domain)
> dev_read_rand(testsuite_domain)
> -files_list_pids(testsuite_domain)
> require {
> type root_t;
> type etc_t;
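Review bot: dropping the files_list_pids() call in this hunk is the only part of the patch the CI run cited in the reply exercised, so if the raw rules in the following hunk are confirmed unnecessary, this hunk alone is the whole fix and the commit message should then say the permissions are not required at all rather than that they are "granted via raw rules".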
> @@ -136,8 +135,12 @@ require {
> type init_t;
> type initrc_t;
> type console_device_t;
> + type var_t;
> + type var_run_t;
> }
> -allow testsuite_domain { root_t etc_t bin_t sbin_t lib_t usr_t devpts_t }:dir list_dir_perms;
> +allow testsuite_domain { root_t etc_t bin_t sbin_t lib_t usr_t devpts_t var_run_t }:dir list_dir_perms;
> +allow testsuite_domain var_t:dir search_dir_perms;
> +allow testsuite_domain { var_t var_run_t }:lnk_file read_lnk_file_perms;
> allow testsuite_domain lib_t:file read_file_perms;
> allow testsuite_domain lib_t:lnk_file read;
> allow testsuite_domain etc_t:file read_file_perms;
> --
> 2.39.0
>

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
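Review bot: the rules added in the second hunk are broader than a one-for-one replacement of files_list_pids(): besides adding var_run_t to the list_dir_perms rule, they grant `search_dir_perms` on var_t and `read_lnk_file_perms` on both var_t and var_run_t symlinks, and the commit message does not say which test needs each of them. Hard-coding `type var_t;` and `type var_run_t;` in the require block also ties test_global.te to those concrete type names instead of going through an interface, which is exactly the coupling the deprecation of files_list_pids() was meant to avoid; given the reply's report that CI passes with the call simply removed, either justify each rule with the denial it fixes or drop this hunk.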