Re: [PATCH testsuite] policy: allow inet socket test domains to search user home content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jul 14, 2023 at 8:07 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> This is necessary for resolving pathnames when running the testsuite
> from a user home directory.
>
> Reproducer:
> 1. Clone selinux-testsuite into home directory.
> 2. Try running it there.
>
> Before:
> inet_socket/tcp/test ........ Flag file open: Permission denied
> (test hangs)
>
> After:
> all tests complete and pass
>
> Fixes: 4dcea27ada77f51c2868095e951aab790374fba9 ("tests/inet_socket:
> cover the MPTCP protocol")
> Signed-off-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
>  policy/test_inet_socket.te | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/policy/test_inet_socket.te b/policy/test_inet_socket.te
> index 47969fc..0eacb31 100644
> --- a/policy/test_inet_socket.te
> +++ b/policy/test_inet_socket.te
> @@ -154,3 +154,6 @@ allow test_inet_client_t test_server_packet_t:packet { send recv };
>  # Send/recv unlabeled packets.
>  kernel_sendrecv_unlabeled_packets(inetsocketdomain)
>  kernel_recvfrom_unlabeled_peer(inetsocketdomain)
> +
> +# Search user home directories (for running testsuite from one)
> +userdom_search_user_home_content(inetsocketdomain)
> --
> 2.40.1

Thank you for the patch, although this made me realize that we can
grant userdom_search_user_home_content()/userdom_search_admin_dir() to
the whole test_domain in test_general.te to simplify the policy (there
are a few other existing uses of them in other subtests).

I posted an alternative patch to the list - please let me know if
you're okay with it.

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.





[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux