From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: selinux@vger.kernel.org
Cc: omosnace@redhat.com, paul@paul-moore.com,
	Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: [PATCH v4 testsuite 08/15] test_overlayfs.te: allow test_overlay_mounter_t to read user tmp files
Date: Fri,  8 May 2020 11:41:31 -0400
Message-ID: <20200508154138.24217-9-stephen.smalley.work@gmail.com>
In-Reply-To: <20200508154138.24217-1-stephen.smalley.work@gmail.com>

During setup-overlay, a shell is run in test_overlay_mounter_t from
a "here document" i.e. an inline input.  This creates a temporary file
that is inherited by the shell and must be readable.  Allow it.
This is apparently being allowed somehow in the base Fedora policy
for all domains but not in Debian.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/test_overlayfs.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te
index 6f1756e..b29621e 100644
--- a/policy/test_overlayfs.te
+++ b/policy/test_overlayfs.te
@@ -52,6 +52,7 @@ corecmd_exec_bin(test_overlay_mounter_t)
 
 userdom_search_admin_dir(test_overlay_mounter_t)
 userdom_search_user_home_content(test_overlay_mounter_t)
+userdom_read_user_tmp_files(test_overlay_mounter_t)
 
 mount_exec(test_overlay_mounter_t)
 mount_rw_pid_files(test_overlay_mounter_t)
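Review bot: the added `userdom_read_user_tmp_files(test_overlay_mounter_t)` line is broader than the need described in the commit message. The message says the here-document temporary file is already open and inherited by the shell, so the access actually exercised is reading an inherited user tmp descriptor; the interface, as its name states, grants read access to all user tmp files (and the directory lookups to reach them), so the test domain can now open any user tmp file on its own. If the narrower grant is not practical, please add a one-line comment above the new rule in test_overlayfs.te recording that it exists for the setup-overlay here-document, so the rule is not mistaken for a test requirement later. It would also help to pin down which rule in the Fedora base policy allows this today, rather than leaving it as "apparently being allowed somehow", since that explains the Fedora/Debian difference the change is working around.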
-- 
2.23.1

