On Fri, Jul 14, 2023 at 8:07 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> This is necessary for resolving pathnames when running the testsuite
> from a user home directory.
>
> Reproducer:
> 1. Clone selinux-testsuite into home directory.
> 2. Try running it there.
>
> Before:
> inet_socket/tcp/test ........ Flag file open: Permission denied
> (test hangs)
>
> After:
> all tests complete and pass
>
> Fixes: 4dcea27ada77f51c2868095e951aab790374fba9 ("tests/inet_socket:
> cover the MPTCP protocol")
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
> policy/test_inet_socket.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
> index 47969fc..0eacb31 100644
> --- a/policy/test_inet_socket.te
> +++ b/policy/test_inet_socket.te
> @@ -154,3 +154,6 @@ allow test_inet_client_t test_server_packet_t:packet { send recv };
> # Send/recv unlabeled packets.
> kernel_sendrecv_unlabeled_packets(inetsocketdomain)
> kernel_recvfrom_unlabeled_peer(inetsocketdomain)
> +
> +# Search user home directories (for running testsuite from one)
> +userdom_search_user_home_content(inetsocketdomain)
> --
> 2.40.1
Thank you for the patch, although this made me realize that we can
grant userdom_search_user_home_content()/userdom_search_admin_dir() to
the whole test_domain in test_general.te to simplify the policy (there
are a few other existing uses of them in other subtests).
I posted an alternative patch to the list - please let me know if
you're okay with it.
--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
