Re: [PATCH V2 1/1] selinux-testsuite: Add filesystem tests

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Richard Haines <richard_c_haines@btinternet.com>,
	selinux@vger.kernel.org
Cc: omosnace@redhat.com
Subject: Re: [PATCH V2 1/1] selinux-testsuite: Add filesystem tests
Date: Thu, 9 Jan 2020 12:46:13 -0500	[thread overview]
Message-ID: <1da42584-042b-9e71-34b0-aa51dd64d4ad@tycho.nsa.gov> (raw)
In-Reply-To: <20200109150709.360345-2-richard_c_haines@btinternet.com>

On 1/9/20 10:07 AM, Richard Haines wrote:
> Test filesystem permissions and setfscreatecon(3).
> 
>  From kernels 5.5 filesystem { watch } is also tested.
> 
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---

> diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
> new file mode 100644
> index 0000000..2eee1fc
> --- /dev/null
> +++ b/policy/test_filesystem.te
<snip>
> +#################### Deny filesystem { quotamod } ######################
> +type test_filesystem_no_quotamod_t;
> +domain_type(test_filesystem_no_quotamod_t)
> +unconfined_runs_test(test_filesystem_no_quotamod_t)
> +typeattribute test_filesystem_no_quotamod_t testdomain;
> +typeattribute test_filesystem_no_quotamod_t filesystemdomain;
> +
> +allow test_filesystem_no_quotamod_t self:capability { sys_admin };
> +allow test_filesystem_no_quotamod_t self:filesystem { quotaget relabelto mount unmount};
> +fs_mount_all_fs(test_filesystem_no_quotamod_t)
> +fs_relabelfrom_all_fs(test_filesystem_no_quotamod_t)
> +fs_associate(test_filesystem_no_quotamod_t)
> +# Required as $private_path to quota files
> +files_search_all(test_filesystem_no_quotamod_t)
> +allow test_filesystem_no_quotamod_t self:dir { mounton };
> +allow test_filesystem_no_quotamod_t test_file_t:dir { mounton write remove_name rmdir };
> +dontaudit test_filesystem_no_quotamod_t kernel_t:process { setsched };
> +
> +#################### Deny filesystem { quotaget } ######################
> +type test_filesystem_no_quotaget_t;
> +domain_type(test_filesystem_no_quotaget_t)
> +unconfined_runs_test(test_filesystem_no_quotaget_t)
> +typeattribute test_filesystem_no_quotaget_t testdomain;
> +typeattribute test_filesystem_no_quotaget_t filesystemdomain;
> +
> +allow test_filesystem_no_quotaget_t self:capability { sys_admin };
> +allow test_filesystem_no_quotaget_t self:filesystem { quotamod relabelto mount unmount relabelfrom };
> +allow test_filesystem_no_quotaget_t self:dir { mounton };
> +allow test_filesystem_no_quotaget_t test_file_t:dir { mounton write remove_name rmdir };
> +allow test_filesystem_no_quotaget_t self:file { quotaon };
> +fs_mount_all_fs(test_filesystem_no_quotaget_t)
> +fs_relabelfrom_all_fs(test_filesystem_no_quotaget_t)
> +fs_associate(test_filesystem_no_quotaget_t)
> +# Required as $private_path to quota files
> +files_search_all(test_filesystem_no_quotaget_t)
> +# For running quotacheck(8)
> +files_type(test_filesystem_no_quotaget_t)
> +dontaudit test_filesystem_no_quotaget_t kernel_t:process { setsched };
> +

I'd recommend adding a test of quotaon as well.  It isn't technically a 
"filesystem" permission but you are already exercising the check as part 
of testing the other quota permissions and we don't yet have a test of 
it.  Then we'll be able to fully close 
https://github.com/SELinuxProject/selinux-testsuite/issues/26 when this 
gets merged.

Similarly, if you add a type_transition rule to your test policy and 
test that it is applied, we will be able to fully close 
https://github.com/SELinuxProject/selinux-testsuite/issues/22 along with
https://github.com/SELinuxProject/selinux-testsuite/issues/20.

Three for the price of one!