policy: allow all test domains to search user/admin home directories

The permissions are sometimes needed to resolve paths when running the testsuite from a user/admin home directory. To avoid cluttering individual policy files with macros that allow it, apply the macros to the whole testsuite_domain attribute. Thankfully this doesn't break the other tests. This also fixes the inet_socket test, which started to require these permissions after a recent change. While there, also remove userdom_read_user_tmp_files() from test_overlay_mounter_t, which doesn't seem to be needed. Fixes: 4dcea27 ("tests/inet_socket: cover the MPTCP protocol") Inspired-by: Stephen Smalley <[email protected]> Tested-by: Stephen Smalley <[email protected]> Signed-off-by: Ondrej Mosnacek <[email protected]>
SELinuxProject · Jul 18, 2023 · ab02919 · ab02919
1 parent 514e324
commit ab02919
Show file tree

Hide file tree

Showing 7 changed files with 7 additions and 19 deletions.
diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
@@ -366,7 +366,6 @@ allow test_filesystem_inode_setxattr_no_associate_t test_file_t:file { create re
 #
 ############### Rules for NFS mount ##################
 #
-userdom_search_user_home_content(filesystemdomain)
 allow test_filesystem_t test_filesystem_file_t:filesystem { getattr mount remount unmount relabelto relabelfrom };
 allow test_filesystem_t test_file_t:file { create write relabelfrom };
 allow test_file_t test_filesystem_file_t:filesystem { associate };

diff --git a/policy/test_filesystem_notify.te b/policy/test_filesystem_notify.te
@@ -16,7 +16,6 @@ allow test_filesystem_t dosfs_t:filesystem { watch };
 #
 ############### Rules for NFS mount with rootcontext option #################
 #
-userdom_search_user_home_content(filesystemdomain)
 allow test_filesystem_no_watch_mount_t nfs_t:filesystem { unmount };
 allow test_filesystem_no_watch_mount_t test_filesystem_file_t:dir { search };
 allow test_filesystem_no_watch_sb_t nfs_t:filesystem { unmount watch };

diff --git a/policy/test_global.te b/policy/test_global.te
@@ -153,6 +153,13 @@ selinux_compute_create_context(testsuite_domain)
 selinux_compute_relabel_context(testsuite_domain)
 selinux_compute_user_contexts(testsuite_domain)
 
+userdom_search_user_home_content(testsuite_domain)
+# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t,
+# which is covered by the above call.
+ifdef(`userdom_search_admin_dir', `
+    userdom_search_admin_dir(testsuite_domain)
+')
+
 # Reference policy renamed files_list_pids() to files_list_runtime()
 ifdef(`files_list_pids', `
     files_list_pids(testsuite_domain)

diff --git a/policy/test_ipc.te b/policy/test_ipc.te
@@ -67,5 +67,3 @@ fs_rw_tmpfs_files(ipcdomain)
 
 allow test_ipc_base_t self:sem create_sem_perms;
 allow test_ipc_base_t self:shm create_shm_perms;
-# ipcrm needs this... 
-userdom_search_user_home_dirs(test_ipc_base_t)
diff --git a/policy/test_overlayfs.te b/policy/test_overlayfs.te
@@ -45,10 +45,6 @@ kernel_search_proc(test_overlay_mounter_t)
 fs_relabelfrom_xattr_fs(test_overlay_mounter_t)
 fs_mount_xattr_fs(test_overlay_mounter_t)
 
-userdom_search_admin_dir(test_overlay_mounter_t)
-userdom_search_user_home_content(test_overlay_mounter_t)
-userdom_read_user_tmp_files(test_overlay_mounter_t)
-
 mount_exec(test_overlay_mounter_t)
 mount_rw_pid_files(test_overlay_mounter_t)
 
@@ -113,9 +109,6 @@ mcs_constrained(test_overlay_client_t)
 kernel_read_system_state(test_overlay_client_t)
 kernel_read_proc_symlinks(test_overlay_client_t)
 
-userdom_search_admin_dir(test_overlay_client_t)
-userdom_search_user_home_content(test_overlay_client_t)
-
 fs_getattr_xattr_fs(test_overlay_client_t)
 
 selinux_getattr_fs(test_overlay_client_t)

diff --git a/policy/test_policy.if b/policy/test_policy.if
@@ -82,13 +82,6 @@ interface(`mount_rw_pid_files', `
 ')
 ')
 
-# Refpolicy does not have admin_home_t - assume /root will be user_home_dir_t.
-ifdef(`userdom_search_admin_dir', `', ` dnl
-interface(`userdom_search_admin_dir', `
-    userdom_search_user_home_content($1)
-')
-')
-
 # If the macro is not defined, then most probably module_request permission
 # is just not supported (and relevant operations should be just allowed).
 ifdef(`kernel_request_load_module', `', ` dnl

diff --git a/policy/test_ptrace.te b/policy/test_ptrace.te
@@ -27,7 +27,6 @@ allow test_ptrace_traced_t test_file_t:fifo_file rw_file_perms;
 
 # Allow the tracer domain to trace the traced domain.
 allow test_ptrace_tracer_t test_ptrace_traced_t:process ptrace;
-userdom_search_user_home_dirs(test_ptrace_traced_t)
 
 # Let the tracer wait on the traced domain.
 allow test_ptrace_traced_t test_ptrace_tracer_t:process sigchld;