From: Ondrej Mosnacek <omosnace@redhat.com>
To: Daniel Burgener <dburgener@linux.microsoft.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH testsuite 21/24] tests/overlay: don't hard-code SELinux user of the caller
Date: Wed, 3 Aug 2022 11:00:35 +0200
Message-ID: <CAFqZXNsbEfvVOea_1WO2uWxKsAy7HrE5085OORDazf0BBneZAA@mail.gmail.com>
In-Reply-To: <0822dcba-f25d-9443-0ba8-bf518630e9a8@linux.microsoft.com>

On Tue, Aug 2, 2022 at 7:16 PM Daniel Burgener
<dburgener@linux.microsoft.com> wrote:
> On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> > We want to allow the testsuite caller to be other than unconfined, so
> > extract the user from current context and use it instead of hard-coding
> > unconfined_u.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >   tests/overlay/setup-overlay |  2 +-
> >   tests/overlay/test          | 34 ++++++++++++++++------------------
> >   2 files changed, 17 insertions(+), 19 deletions(-)
> >
> > diff --git a/tests/overlay/setup-overlay b/tests/overlay/setup-overlay
> > index 4fcd023..3f33499 100755
> > --- a/tests/overlay/setup-overlay
> > +++ b/tests/overlay/setup-overlay
> > @@ -41,7 +41,7 @@ setup () {
> >
> >       # Create upper, work, and overlay directories per container.
> >       mkdir -p $BASEDIR/container1/upper $BASEDIR/container1/work $BASEDIR/container1/merged
> > -    chcon -R unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20 $BASEDIR/container1
> > +    chcon -R -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1
> >
> >       # Label the container directories to match the container context.
> >       # This is simply to ensure correct label inheritance on new file
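Review bot: the new `chcon -R -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1` relies on the user component already being right because `mkdir -p` just created the directories with the caller's SELinux user; that matches the intent of the series, but `mkdir -p` also succeeds silently on directories left over from an earlier run, which would keep whatever user they were created with. A one-line comment above the chcon stating that the user is deliberately inherited from the caller (and only type and level are set) would make this explicit for the next reader.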
> > diff --git a/tests/overlay/test b/tests/overlay/test
> > index 2b28c47..c8367dd 100755
> > --- a/tests/overlay/test
> > +++ b/tests/overlay/test
> > @@ -5,6 +5,10 @@ BEGIN {
> >       $basedir = $0;
> >       $basedir =~ s|(.*)/[^/]*|$1|;
> >
> > +    $seuser = `id -Z`;
> > +    chop($seuser);
> > +    $seuser =~ s|^(\w+):.*$|$1|;
>
> Is chop actually needed here?  My perl is a little rusty, so there may
> be some perl regex-y reason, but you're discarding everything after the
> first ":" anyways.

Yeah, it's actually not needed, but I'd rather leave it there to
document that one needs to account for the line ending in the initial
value. Otherwise people changing the regex in the future may get
bitten by it.

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
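The newline subtlety discussed above, as an added example that is not part of the testsuite patch: it derives the caller's SELinux user from a constructed `id -Z` output the way tests/overlay/test does, handles the empty-output failure case, and shows what the patch's substitution does to the raw string when the line ending is not removed first. The function name and the sample context are assumptions made here.

```perl
#!/usr/bin/perl
# Added example, not code from the selinux-testsuite: extract the SELinux
# user from `id -Z` output and show why the trailing newline matters.
use strict;
use warnings;

# Constructed `id -Z` output, newline included; a real run would use
#   my $raw = qx(id -Z);
my $raw = "staff_u:staff_r:staff_t:s0-s0:c0.c1023\n";

# Returns the user component of a user:role:type[:range] context, or undef
# when the input is unusable (empty output because `id -Z` failed or SELinux
# is disabled, or a string that is not a security context at all).
sub seuser_from_context {
    my ($ctx) = @_;
    return unless defined $ctx && length $ctx;
    chomp($ctx);                # chomp strips only a trailing newline;
                                # chop would also eat a genuine last character
    return unless $ctx =~ /^(\w+):[^:]+:[^:]+(?::|$)/;
    return $1;
}

my $user = seuser_from_context($raw);
die "cannot determine SELinux user from `id -Z` output\n" unless defined $user;
print "seuser=[$user]\n";

# The patch's substitution applied to the raw output without any chop/chomp:
# `.` does not match "\n" and `$` matches just before a trailing "\n", so the
# match ends before the newline and the newline survives the replacement.
(my $unstripped = $raw) =~ s|^(\w+):.*$|$1|;
(my $visible = $unstripped) =~ s/\n/\\n/g;   # make the newline printable
print "substitution only: [$visible]\n";
print "trailing newline kept: ", ($unstripped =~ /\n\z/ ? "yes" : "no"), "\n";

# What the newline would do downstream: a context assembled from the
# unstripped value is no longer a single-line user:role:type:range string.
my $built = "$unstripped:object_r:test_overlay_files_ro_t:s0:c10,c20";
print "built context is one line: ", ($built =~ /\n/ ? "no" : "yes"), "\n";
```

Running it under the same Perl the testsuite uses shows the chomped path yielding the bare user while the substitution-only path keeps the newline, which is the case the reviewer question above is about.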

