On Fri, Jul 14, 2023 at 8:07 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > > This is necessary for resolving pathnames when running the testsuite > from a user home directory. > > Reproducer: > 1. Clone selinux-testsuite into home directory. > 2. Try running it there. > > Before: > inet_socket/tcp/test ........ Flag file open: Permission denied > (test hangs) > > After: > all tests complete and pass > > Fixes: 4dcea27ada77f51c2868095e951aab790374fba9 ("tests/inet_socket: > cover the MPTCP protocol") > Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> > --- > policy/test_inet_socket.te | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te > index 47969fc..0eacb31 100644 > --- a/policy/test_inet_socket.te > +++ b/policy/test_inet_socket.te > @@ -154,3 +154,6 @@ allow test_inet_client_t test_server_packet_t:packet { send recv }; > # Send/recv unlabeled packets. > kernel_sendrecv_unlabeled_packets(inetsocketdomain) > kernel_recvfrom_unlabeled_peer(inetsocketdomain) > + > +# Search user home directories (for running testsuite from one) > +userdom_search_user_home_content(inetsocketdomain) > -- > 2.40.1 Thank you for the patch, although this made me realize that we can grant userdom_search_user_home_content()/userdom_search_admin_dir() to the whole test_domain in test_general.te to simplify the policy (there are a few other existing uses of them in other subtests). I posted an alternative patch to the list - please let me know if you're okay with it. -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
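Review bot: In the "@@ -154,3 +154,6 @@" hunk of policy/test_inet_socket.te, the added userdom_search_user_home_content(inetsocketdomain) grants search on user home content only, and only to the inet_socket test domains. A checkout under an admin home directory is not covered by this line. Consider pairing it with userdom_search_admin_dir(), and since the reply notes that other subtests already use these interfaces, granting both once on a shared attribute such as test_domain in test_general.te would avoid per-test copies. The new comment could also name the access that failed (the "Flag file open: Permission denied" in inet_socket/tcp/test from the commit message), so the reason for the search permission can be read from the policy file alone.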