From: Ondrej Mosnacek <omosnace@redhat.com>
To: Daniel Burgener <dburgener@linux.microsoft.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH testsuite 11/24] test_general.te: move sysadm-related rules into an optional block
Date: Wed, 3 Aug 2022 11:03:04 +0200 [thread overview]
Message-ID: <CAFqZXNvnpudTc4xSL=2AAwQy8rcBTiLMJvQAsrxBR0X5CHBMvg@mail.gmail.com> (raw)
In-Reply-To: <87618b9d-129f-5087-3010-52f5762b85f5@linux.microsoft.com>
On Tue, Aug 2, 2022 at 4:03 PM Daniel Burgener
<dburgener@linux.microsoft.com> wrote:
> On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> > That should allow running selinux-testsuite with the sysadm module
> > disabled.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> > policy/test_global.te | 26 ++++++++++++++------------
> > 1 file changed, 14 insertions(+), 12 deletions(-)
> >
> > diff --git a/policy/test_global.te b/policy/test_global.te
> > index aceac48..3862ee7 100644
> > --- a/policy/test_global.te
> > +++ b/policy/test_global.te
> > @@ -25,12 +25,21 @@ optional_policy(`
> > dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh };
> > ')
> >
> > -gen_require(`
> > - role sysadm_r;
> > -')
> > +optional_policy(`
> > + gen_require(`
> > + role sysadm_r;
> > + ')
> > +
> > + # Authorize sysadm_r for the test domains.
> > + role sysadm_r types testsuite_domain;
> >
> > -# Authorize sysadm_r for the test domains.
> > -role sysadm_r types testsuite_domain;
> > + # Allow the test domain to be entered from sysadm_t
> > + sysadm_entry_spec_domtrans_to(testsuite_domain)
> > +
> > + # Let sysadm_t use runcon to run the test programs in various domains.
> > + #allow sysadm_t self:process setexec;
> > + #selinux_get_fs_mount(sysadm_t)
> > +')
>
> These commented out rules can probably just be removed entirely instead
> of being moved into the optional block?
Probably, but I didn't want to think about it and just preserved the
fossils :) I'll take a closer look and possibly remove them in a
separate commit.
--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
next prev parent reply other threads:[~2022-08-03 9:03 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-29 12:02 [PATCH testsuite 00/24] Clean up testsuite policy and support running as sysadm_t Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 01/24] keys: change test_newcon_key_t to be just an object context Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 02/24] test_global.te: remove unused role require Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 03/24] test_global.te: don't add domains to system_r Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 06/24] test_policy.if: remove weird rule from testsuite_domain_type_minimal() Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 07/24] policy: move unconfined_t-related dontaudit rule to where it fits better Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 08/24] policy: move userdom_sysadm_entry_spec_domtrans_to() to general policy Ondrej Mosnacek
2022-08-02 13:55 ` Daniel Burgener
2022-08-03 8:53 ` Ondrej Mosnacek
2022-08-04 11:54 ` Ondrej Mosnacek
2022-08-04 13:31 ` Daniel Burgener
2022-07-29 12:02 ` [PATCH testsuite 09/24] policy: move miscfiles_domain_entry_test_files() " Ondrej Mosnacek
2022-08-02 13:58 ` Daniel Burgener
2022-07-29 12:02 ` [PATCH testsuite 10/24] policy: substitute userdom_sysadm_entry_spec_domtrans_to() Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 11/24] test_general.te: move sysadm-related rules into an optional block Ondrej Mosnacek
2022-08-02 14:03 ` Daniel Burgener
2022-08-03 9:03 ` Ondrej Mosnacek [this message]
2022-07-29 12:02 ` [PATCH testsuite 12/24] test_filesystem.te: remove redundant dontaudit rules Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 13/24] test_filesystem.te: remove suspicious rules Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 14/24] tests/nnp_nosuid: avoid hardcoding unconfined_t in the policy Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 15/24] tests/*filesystem: remove weird uses of unconfined_t Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 16/24] policy: remove last hardcoded references to unconfined_t Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 17/24] test_general.te: generalize the dontaudit rule Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 18/24] policy: don't audit testsuite programs searching the caller's keys Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 19/24] ci: check for unconfined_t AVCs Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 20/24] tests/binder: check only the type part of the context Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 21/24] tests/overlay: don't hard-code SELinux user of the caller Ondrej Mosnacek
2022-08-02 17:16 ` Daniel Burgener
2022-08-03 9:00 ` Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 22/24] policy: give sysadm_t perms needed to run quotacheck(8) Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 23/24] tests/vsock_socket: use modprobe to check vsock availability Ondrej Mosnacek
2022-07-29 12:02 ` [PATCH testsuite 24/24] ci: add sysadm_t to the test matrix Ondrej Mosnacek
2022-07-30 20:13 ` Topi Miettinen
2022-08-01 7:57 ` Ondrej Mosnacek
2022-07-29 12:27 ` [PATCH testsuite 00/24] Clean up testsuite policy and support running as sysadm_t Ondrej Mosnacek
2022-08-01 8:02 ` Ondrej Mosnacek
2022-08-11 11:28 ` Ondrej Mosnacek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAFqZXNvnpudTc4xSL=2AAwQy8rcBTiLMJvQAsrxBR0X5CHBMvg@mail.gmail.com' \
--to=omosnace@redhat.com \
--cc=dburgener@linux.microsoft.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).