On Tue, Jan 17, 2023 at 5:13 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
> On Tue, 17 Jan 2023 at 11:00, Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > On Mon, Jan 16, 2023 at 10:48 PM Christian Göttsche
> > <cgzones@xxxxxxxxxxxxxx> wrote:
> > > files_list_pids() has been superseded and marked deprecated in the
> > > Reference Policy since Jun 2020[1]. In the latest release it has been
> > > completely removed[2].
> > >
> > > Grant the necessary permissions via raw rules to support recent
> > > Refpolicy versions as well as old ones without the replacement
> > > interface files_list_runtime().
> >
> > It seems the permissions aren't actually needed, at least on current
> > Fedoras. Simply removing the call passes the CI:
> > https://github.com/WOnder93/selinux-testsuite/commit/d0883a56d2583800a1fa79490097e73b842cec17
>
> On Fedora the call of `auth_read_passwd(testsuite_domain)`[1] leads to
> a call of `sssd_stream_connect()`[2], which includes
> `files_search_pids()`[3].
>
> There is no indirect call in the Debian version of Refpolicy though:

Ok, so let's keep the rules then.
>
> type=PROCTITLE msg=audit(17/01/23 16:41:13.404:577) :
> proctitle=keys/keyctl_relabel system_u:object_r:test_newcon_key_t:s0
> type=PATH msg=audit(17/01/23 16:41:13.404:577) : item=0
> name=/var/run/setrans/.setrans-unix nametype=UNKNOWN cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(17/01/23 16:41:13.404:577) :
> cwd=/root/workspace/selinux/selinux-testsuite/tests
> type=SYSCALL msg=audit(17/01/23 16:41:13.404:577) : arch=x86_64
> syscall=access success=no exit=EACCES(Permission denied)
> a0=0x7ea1b2255068 a1=F_OK a2=0x7ffd39131fb0 a3=0xa9ab59f33f82d0d9
> items=1 ppid=4569 pid=4593 auid=root uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=keyctl_relabel
> exe=/root/workspace/selinux/selinux-testsuite/tests/keys/keyctl_relabel
> subj=unconfined_u:unconfined_r:test_key_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(17/01/23 16:41:13.404:577) : avc:  denied  {
> read } for  pid=4593 comm=keyctl_relabel name=run dev="vda1"
> ino=390346 scontext=unconfined_u:unconfined_r:test_key_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file permissive=0
>
> The testsuite passes nevertheless, so one could ignore or explicitly
> dontaudit them.
>
> An alternative would be to call the interfaces conditionally:
>
> ifdef(`files_list_pids', `
>     files_list_pids(testsuite_domain)
> ')
> ifdef(`files_list_runtime', `
>     files_list_runtime(testsuite_domain)
> ')

Yeah, I'd prefer the conditional calls, with a comment explaining that
Refpolicy has renamed the interface.

Thanks,

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
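The AVC records quoted in the thread are the raw material for the decision Christian describes: allow the access, dontaudit it, or ignore it. As an added illustration, not code from the thread or from the selinux-testsuite project, the Python below does the audit2allow-style aggregation by hand: it parses `type=AVC` records, groups denied permissions by (source type, target type, object class) and renders either `allow` or `dontaudit` rules. The sample records are constructed for this example; the first is modelled on the `lnk_file read` denial above, the others (a `dir search` on `var_run_t` and a two-permission `file` denial on `passwd_file_t`) are invented to exercise grouping and multi-permission rendering.

```python
import re

# Constructed sample audit records (modelled on the denial quoted in the thread;
# the second and third records are invented for illustration).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(17/01/23 16:41:13.404:577) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) comm=keyctl_relabel
type=AVC msg=audit(17/01/23 16:41:13.404:577) : avc:  denied  { read } for  pid=4593 comm=keyctl_relabel name=run dev="vda1" ino=390346 scontext=unconfined_u:unconfined_r:test_key_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(17/01/23 16:41:13.405:578) : avc:  denied  { search } for  pid=4593 comm=keyctl_relabel name=run dev="vda1" ino=390347 scontext=unconfined_u:unconfined_r:test_key_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(17/01/23 16:41:13.406:579) : avc:  denied  { read open } for  pid=4593 comm=keyctl_relabel name=passwd dev="vda1" ino=390348 scontext=unconfined_u:unconfined_r:test_key_t:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
"""

# Matches the AVC fields we need: decision, permission set, both contexts, class,
# and the optional permissive flag (absent on older kernels).
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "decision": d["decision"],
        "perms": frozenset(d["perms"].split()),
        # user:role:type:range -> the type is the third field
        "source_type": d["scontext"].split(":")[2],
        "target_type": d["tcontext"].split(":")[2],
        "tclass": d["tclass"],
        # permissive=1 means the access was actually granted but logged as denied
        "permissive": d["permissive"] == "1",
    }


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        rules[key] = rules.get(key, frozenset()) | rec["perms"]
    return rules


def to_policy(rules, dontaudit=False):
    """Render the grouped denials as refpolicy-style allow or dontaudit rules."""
    keyword = "dontaudit" if dontaudit else "allow"
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        lines.append(f"{keyword} {src} {tgt}:{cls} {perm_str};")
    return "\n".join(lines)


if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_AUDIT_LOG)
    print("# candidate allow rules")
    print(to_policy(denials))
    print("# or, if the test passes regardless, silence them instead")
    print(to_policy(denials, dontaudit=True))
```

On a real system the same records come from `ausearch -m AVC` and the real tool for this job is `audit2allow`; the point of the hand-rolled version is to make the grouping visible, and to keep the `permissive` flag around so that denials logged under a permissive domain are not mistaken for enforced ones.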