Re: [TESTSUITE PATCH] policy: drop usage of files_list_pids()

On Mon, Jan 16, 2023 at 10:48 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
> files_list_pids() has been superseded and marked deprecated in the
> Reference Policy since Jun 2020[1].  In the latest release it has been
> completely removed[2].
>
> Grant the necessary permissions via raw rules to support recent
> Refpolicy versions as well as old ones without the replacement
> interface files_list_runtime().

It seems the permissions aren't actually needed, at least on current
Fedoras. Simply removing the call passes the CI:
https://github.com/WOnder93/selinux-testsuite/commit/d0883a56d2583800a1fa79490097e73b842cec17

Do you have an environment with refpolicy where you can test it? It
would be better to just remove the interface call if it's not needed.

>
> [1]: https://github.com/SELinuxProject/refpolicy/commit/be04bb3e7e63671ed8a3c501a2ee76e11c3b92bb
> [2]: https://github.com/SELinuxProject/refpolicy/commit/3ca0cd59d7a9b531dd3620a02940396343fe2ed5
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
>  policy/test_global.te | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/policy/test_global.te b/policy/test_global.te
> index e95102a..4bf30f8 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
> @@ -121,7 +121,6 @@ allow testsuite_domain proc_t:file { getattr read open };
>  files_list_var(testsuite_domain)
>  files_list_home(testsuite_domain)
>  dev_read_rand(testsuite_domain)
> -files_list_pids(testsuite_domain)
>  require {
>         type root_t;
>         type etc_t;
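Review bot: dropping `files_list_pids(testsuite_domain)` here leaves no comment saying why the interface call went away and that the raw `var_run_t`/`var_t` rules added further down in this patch now stand in for it; a one-line comment at this spot (e.g. `# files_list_pids() was removed from refpolicy; see raw rules below`) would keep someone from re-adding the call later. Also, since the reply above reports that simply removing the call already passes CI on current Fedora, it is worth confirming the replacement rules are needed at all before carrying them.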
> @@ -136,8 +135,12 @@ require {
>         type init_t;
>         type initrc_t;
>         type console_device_t;
> +       type var_t;
> +       type var_run_t;
>  }
> -allow testsuite_domain { root_t etc_t bin_t sbin_t lib_t usr_t devpts_t }:dir list_dir_perms;
> +allow testsuite_domain { root_t etc_t bin_t sbin_t lib_t usr_t devpts_t var_run_t }:dir list_dir_perms;
> +allow testsuite_domain var_t:dir search_dir_perms;
> +allow testsuite_domain { var_t var_run_t }:lnk_file read_lnk_file_perms;
>  allow testsuite_domain lib_t:file read_file_perms;
>  allow testsuite_domain lib_t:lnk_file read;
>  allow testsuite_domain etc_t:file read_file_perms;
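Review bot: `allow testsuite_domain var_t:dir search_dir_perms;` duplicates what `files_list_var(testsuite_domain)`, already called at the top of this file, grants (`list_dir_perms` on `var_t` includes `search`), so that line can go; `type var_t;` in the require block is then only needed for the new `{ var_t var_run_t }:lnk_file read_lnk_file_perms` rule, and the comment should say so. Since the commit message's stated reason for raw rules is to cover both old and recent refpolicy, please also confirm that the hardcoded `var_run_t` in the require block still resolves on the newest refpolicy this is meant to support.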
> --
> 2.39.0
>

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
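The thread turns on whether a .te module still calls an interface that the refpolicy it is built against has deprecated or removed. As an added example (not code from the selinux-testsuite, the patch above or the Reference Policy), here is a small Python checker that scans a .te module's interface calls against the .if text it is built with and classifies each call as ok, deprecated (with the replacement named in the warning) or missing. The .if and .te snippets inside it are constructed; the assumption that deprecated interfaces carry a `refpolicywarn(`... has been deprecated, please use X() instead.')` in their body follows refpolicy's convention and is not stated on this page.

```python
"""
Checker for interface calls in a SELinux .te module against the .if files it
is built with.  Added example, not code from the selinux-testsuite, the patch
above or the Reference Policy; the .if and .te snippets below are constructed.
"""
import re

# m4 definition of an interface or template: interface(`name',`
DEF_RE = re.compile(r"^\s*(interface|template)\(`([A-Za-z0-9_]+)'", re.M)
# an interface call in a .te file: name(args) opening and closing on one line
CALL_RE = re.compile(r"^\s*([a-z][a-z0-9_]*)\(([^()\n]*)\)", re.M)
# m4/refpolicy constructs that look like calls but are not interfaces
NOT_INTERFACES = {
    "policy_module", "gen_require", "gen_tunable", "gen_bool",
    "optional_policy", "tunable_policy", "ifdef", "ifndef",
}


def parse_interfaces(if_text):
    """Return {name: {"deprecated": bool, "replacement": str | None}}.

    Assumption: a deprecated interface carries refpolicywarn(`... has been
    deprecated, please use X() instead.') in its body, as refpolicy does.
    """
    defs = list(DEF_RE.finditer(if_text))
    result = {}
    for i, m in enumerate(defs):
        end = defs[i + 1].start() if i + 1 < len(defs) else len(if_text)
        body = if_text[m.end():end]
        deprecated = "refpolicywarn(" in body and "deprecated" in body
        repl = re.search(r"please use ([A-Za-z0-9_]+)\(\)", body)
        result[m.group(2)] = {
            "deprecated": deprecated,
            "replacement": repl.group(1) if deprecated and repl else None,
        }
    return result


def find_interface_calls(te_text):
    """Return [(interface_name, argument_text)] in file order."""
    calls = []
    for m in CALL_RE.finditer(te_text):
        name = m.group(1)
        if name not in NOT_INTERFACES:
            calls.append((name, m.group(2).strip()))
    return calls


def check_module(te_text, if_text):
    """Classify every interface call in te_text as ok, deprecated or missing."""
    known = parse_interfaces(if_text)
    report = {"ok": [], "deprecated": [], "missing": []}
    for name, _args in find_interface_calls(te_text):
        info = known.get(name)
        if info is None:
            report["missing"].append(name)
        elif info["deprecated"]:
            report["deprecated"].append((name, info["replacement"]))
        else:
            report["ok"].append(name)
    return report


# Constructed excerpt in the style of refpolicy's files.if, with the
# deprecated wrapper still present (an "old" refpolicy).
OLD_FILES_IF = r"""
interface(`files_list_var',`
    gen_require(`
        type var_t;
    ')

    allow $1 var_t:dir list_dir_perms;
')

interface(`files_list_runtime',`
    gen_require(`
        type var_run_t;
    ')

    allow $1 var_run_t:dir list_dir_perms;
')

interface(`files_list_pids',`
    refpolicywarn(`$0($*) has been deprecated, please use files_list_runtime() instead.')
    files_list_runtime($1)
')
"""

# The same excerpt with the deprecated wrapper removed (a "new" refpolicy).
NEW_FILES_IF = OLD_FILES_IF.split("interface(`files_list_pids'")[0]

# Constructed .te fragment modelled on the rules quoted in the patch.
SAMPLE_TE = r"""
policy_module(test_policy, 1.0.0)

files_list_var(testsuite_domain)
files_list_pids(testsuite_domain)
allow testsuite_domain var_t:dir search_dir_perms;
"""

if __name__ == "__main__":
    for label, if_text in (("old refpolicy", OLD_FILES_IF),
                           ("new refpolicy", NEW_FILES_IF)):
        print(label, check_module(SAMPLE_TE, if_text))
```

Point it at a real module by reading test_global.te and the concatenated policy/modules/*/*.if of the refpolicy tree you build against; a call in "missing" is exactly the failure the patch above is working around, and a call in "deprecated" tells you what to switch to before the interface disappears.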