On Mon, Jul 17, 2023 at 8:28 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> The permissions are sometimes needed to resolve paths when running the
> testsuite from a user/admin home directory. To avoid cluttering
> individual policy files with macros that allow it, apply the macros to
> the whole testsuite_domain attribute. Thankfully this doesn't break the
> other tests.
>
> This also fixes the inet_socket test, which started to require these
> permissions after a recent change.
>
> While there, also remove userdom_read_user_tmp_files() from
> test_overlay_mounter_t, which doesn't seem to be needed.
>
> Fixes: 4dcea27ada77 ("tests/inet_socket: cover the MPTCP protocol")
> Inspired-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
All tests pass with this applied, thanks.
Tested-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
> policy/test_filesystem.te | 1 -
> policy/test_filesystem_notify.te | 1 -
> policy/test_global.te | 7 +++++++
> policy/test_ipc.te | 2 --
> policy/test_overlayfs.te | 7 -------
> policy/test_policy.if | 7 -------
> policy/test_ptrace.te | 1 -
> 7 files changed, 7 insertions(+), 19 deletions(-)
>
> diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
> index 59eac2b..efe1f4d 100644
> --- a/policy/test_filesystem.te
> +++ b/policy/test_filesystem.te
> @@ -366,7 +366,6 @@ allow test_filesystem_inode_setxattr_no_associate_t test_file_t:file { create re
> #
> ############### Rules for NFS mount ##################
> #
> -userdom_search_user_home_content(filesystemdomain)
> allow test_filesystem_t test_filesystem_file_t:filesystem { getattr mount remount unmount relabelto relabelfrom };
> allow test_filesystem_t test_file_t:file { create write relabelfrom };
> allow test_file_t test_filesystem_file_t:filesystem { associate };
> diff --git a/policy/test_filesystem_notify.te b/policy/test_filesystem_notify.te
> index 30056e4..77d46ae 100644
> --- a/policy/test_filesystem_notify.te
> +++ b/policy/test_filesystem_notify.te
> @@ -16,7 +16,6 @@ allow test_filesystem_t dosfs_t:filesystem { watch };
> #
> ############### Rules for NFS mount with rootcontext option #################
> #
> -userdom_search_user_home_content(filesystemdomain)
> allow test_filesystem_no_watch_mount_t nfs_t:filesystem { unmount };
> allow test_filesystem_no_watch_mount_t test_filesystem_file_t:dir { search };
> allow test_filesystem_no_watch_sb_t nfs_t:filesystem { unmount watch };
> diff --git a/policy/test_global.te b/policy/test_global.te
> index 052c7dd..0078485 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
> @@ -153,6 +153,13 @@ selinux_compute_create_context(testsuite_domain)
> selinux_compute_relabel_context(testsuite_domain)
> selinux_compute_user_contexts(testsuite_domain)
>
> +userdom_search_user_home_content(testsuite_domain)
> +# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t,
> +# which is covered by the above call.
> +ifdef(`userdom_search_admin_dir', `
> + userdom_search_admin_dir(testsuite_domain)
> +')
> +
> # Reference policy renamed files_list_pids() to files_list_runtime()
> ifdef(`files_list_pids', `
> files_list_pids(testsuite_domain)
> diff --git a/policy/test_ipc.te b/policy/test_ipc.te
> index 678eca8..5e26384 100644
> --- a/policy/test_ipc.te
> +++ b/policy/test_ipc.te
> @@ -67,5 +67,3 @@ fs_rw_tmpfs_files(ipcdomain)
>
> allow test_ipc_base_t self:sem create_sem_perms;
> allow test_ipc_base_t self:shm create_shm_perms;
> -# ipcrm needs this...
> -userdom_search_user_home_dirs(test_ipc_base_t)
> diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te
> index ab589bb..c09b577 100644
> --- a/policy/test_overlayfs.te
> +++ b/policy/test_overlayfs.te
> @@ -45,10 +45,6 @@ kernel_search_proc(test_overlay_mounter_t)
> fs_relabelfrom_xattr_fs(test_overlay_mounter_t)
> fs_mount_xattr_fs(test_overlay_mounter_t)
>
> -userdom_search_admin_dir(test_overlay_mounter_t)
> -userdom_search_user_home_content(test_overlay_mounter_t)
> -userdom_read_user_tmp_files(test_overlay_mounter_t)
> -
> mount_exec(test_overlay_mounter_t)
> mount_rw_pid_files(test_overlay_mounter_t)
>
> @@ -113,9 +109,6 @@ mcs_constrained(test_overlay_client_t)
> kernel_read_system_state(test_overlay_client_t)
> kernel_read_proc_symlinks(test_overlay_client_t)
>
> -userdom_search_admin_dir(test_overlay_client_t)
> -userdom_search_user_home_content(test_overlay_client_t)
> -
> fs_getattr_xattr_fs(test_overlay_client_t)
>
> selinux_getattr_fs(test_overlay_client_t)
> diff --git a/policy/test_policy.if b/policy/test_policy.if
> index 5458f6c..b20baad 100644
> --- a/policy/test_policy.if
> +++ b/policy/test_policy.if
> @@ -82,13 +82,6 @@ interface(`mount_rw_pid_files', `
> ')
> ')
>
> -# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t.
> -ifdef(`userdom_search_admin_dir', `', ` dnl
> -interface(`userdom_search_admin_dir', `
> - userdom_search_user_home_content($1)
> -')
> -')
> -
> # If the macro is not defined, then most probably module_request permission
> # is just not supported (and relevant operations should be just allowed).
> ifdef(`kernel_request_load_module', `', ` dnl
> diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
> index 352ead5..1a8a10d 100644
> --- a/policy/test_ptrace.te
> +++ b/policy/test_ptrace.te
> @@ -27,7 +27,6 @@ allow test_ptrace_traced_t test_file_t:fifo_file rw_file_perms;
>
> # Allow the tracer domain to trace the traced domain.
> allow test_ptrace_tracer_t test_ptrace_traced_t:process ptrace;
> -userdom_search_user_home_dirs(test_ptrace_traced_t)
>
> # Let the tracer wait on the traced domain.
> allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;
> --
> 2.41.0
>
