Re: [PATCH testsuite 11/24] test_general.te: move sysadm-related rules into an optional block

[Ondrej Mosnacek <omosnace@redhat.com>]

On Tue, Aug 2, 2022 at 4:03 PM Daniel Burgener
<dburgener@linux.microsoft.com> wrote:
> On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> > That should allow running selinux-testsuite with the sysadm module
> > disabled.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >   policy/test_global.te | 26 ++++++++++++++------------
> >   1 file changed, 14 insertions(+), 12 deletions(-)
> >
> > diff --git a/policy/test_global.te b/policy/test_global.te
> > index aceac48..3862ee7 100644
> > --- a/policy/test_global.te
> > +++ b/policy/test_global.te
> > @@ -25,12 +25,21 @@ optional_policy(`
> >       dontaudit unconfined_t testsuite_domain:process { noatsecure rlimitinh siginh };
> >   ')
> >
> > -gen_require(`
> > -     role sysadm_r;
> > -')
> > +optional_policy(`
> > +     gen_require(`
> > +             role sysadm_r;
> > +     ')
> > +
> > +     # Authorize sysadm_r for the test domains.
> > +     role sysadm_r types testsuite_domain;
> >
> > -# Authorize sysadm_r for the test domains.
> > -role sysadm_r types testsuite_domain;
> > +     # Allow the test domain to be entered from sysadm_t
> > +     sysadm_entry_spec_domtrans_to(testsuite_domain)
> > +
> > +     # Let sysadm_t use runcon to run the test programs in various domains.
> > +     #allow sysadm_t self:process setexec;
> > +     #selinux_get_fs_mount(sysadm_t)
> > +')
>
> These commented out rules can probably just be removed entirely instead
> of being moved into the optional block?

Probably, but I didn't want to think about it and just preserved the
fossils :) I'll take a closer look and possibly remove them in a
separate commit.

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.