From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
	selinux@tycho.nsa.gov, Eric Paris <eparis@redhat.com>
Subject: Re: [PATCH] selinux-testsuite:  Allow test domains to read /etc/passwd
Date: Tue, 18 Sep 2012 12:32:46 -0400
Message-ID: <5058A22E.7010407@redhat.com>
In-Reply-To: <1347975902.29192.17.camel@moss-pluto.epoch.ncsc.mil>


On 09/18/2012 09:45 AM, Stephen Smalley wrote:
> On Sat, 2012-09-15 at 02:22 +0000, Serge E. Hallyn wrote:
>> Quoting Daniel J Walsh (dwalsh@redhat.com):
>>> On 09/13/2012 10:08 AM, Stephen Smalley wrote:
>>>> Several test cases require the ability to read /etc/passwd to look
>>>> up usernames.  Recent Fedora introduced a separate type on
>>>> /etc/passwd and therefore we need to add an interface call to
>>>> test_global.te.  Fixes three test failures on Fedora 17.
>>>> 
>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- 
>>>> policy/test_global.te | 2 ++ 1 file changed, 2 insertions(+)
>>>> 
>>>> diff --git a/policy/test_global.te b/policy/test_global.te index 
>>>> 77121ae..fdfd291 100644 --- a/policy/test_global.te +++ 
>>>> b/policy/test_global.te @@ -88,3 +88,5 @@ 
>>>> selinux_compute_access_vector(testdomain) 
>>>> selinux_compute_create_context(testdomain) 
>>>> selinux_compute_relabel_context(testdomain) 
>>>> selinux_compute_user_contexts(testdomain) +
>>>> +auth_read_passwd(testdomain)
>>>> 
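Review bot: the added auth_read_passwd(testdomain) call at the end of policy/test_global.te is unconditional, while the commit message ties the need for it to a separate type on /etc/passwd that only recent Fedora introduced. Against a base policy that does not provide this interface the test policy may fail to build, so consider guarding the call; the thread overview further down lists a later patch that wraps it in ifdef(`distro_redhat'). A one-line comment above the call stating that it exists for username lookups in the test cases would also help the next reader.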
>>> Probably should use
>>> 
>>> auth_use_nsswitch(testdomain)
>>> 
>>> Since this will handle cases where users are listed in ldap or use
>>> sssd.
>> 
>> Stephen, would you like that instead?
> 
> No, it doesn't work - you cannot pass an attribute name to that interface.
> 

Ahh yes, you can not assign an attribute to an attribute.  That is right up
there with no assigning an attribute within a boolean as my least liked things
about our policy compiler.


I guess you need to add auth_use_nsswitch() for each type that gets set to
test_domain.


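Added example, not part of the original message or of the testsuite: a small Python helper that finds every type assigned to the testdomain attribute in policy source and emits one auth_use_nsswitch() call per type, which is the per-type approach suggested in the reply above. The sample policy text and its type names are constructed; the attribute name testdomain is taken from the quoted patch.

```python
import re

# Constructed sample policy source; the test_*_t type names are hypothetical.
SAMPLE_TE = """
attribute testdomain;
type test_alpha_t;
domain_type(test_alpha_t)
typeattribute test_alpha_t testdomain;
type test_beta_t, testdomain;
type test_gamma_t;
typeattribute test_gamma_t otherattr;
# typeattribute test_commented_t testdomain;
typeattribute test_delta_t otherattr, testdomain;
"""

# Matches "typeattribute TYPE a, b;" and "type TYPE, a, b;" statements.
# Macro calls without a trailing ';' (domain_type(...)) are simply skipped.
STATEMENT = re.compile(r"\b(typeattribute|type)\s+(\w+)([^;]*);")


def types_with_attribute(te_text, attribute="testdomain"):
    """Return the sorted type names that te_text assigns to `attribute`."""
    text = re.sub(r"#.*", "", te_text)  # drop '#' comments first
    found = set()
    for _keyword, type_name, remainder in STATEMENT.findall(text):
        # remainder holds the attribute list (empty for a bare "type X;").
        if attribute in re.findall(r"\w+", remainder):
            found.add(type_name)
    return sorted(found)


def nsswitch_calls(te_text, attribute="testdomain"):
    """One interface call per concrete type, since the interface is given
    a type here rather than the attribute itself."""
    return [f"auth_use_nsswitch({t})"
            for t in types_with_attribute(te_text, attribute)]


if __name__ == "__main__":
    print("\n".join(nsswitch_calls(SAMPLE_TE)))
```
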

Thread overview: 11+ messages
2012-09-13 14:08 [PATCH] selinux-testsuite: Allow test domains to read /etc/passwd Stephen Smalley
2012-09-13 15:27 ` Daniel J Walsh
2012-09-14 18:29   ` [refpolicy] " Sven Vermeulen
2012-09-15  2:22   ` Serge E. Hallyn
2012-09-18 13:45     ` Stephen Smalley
2012-09-18 16:32       ` Daniel J Walsh [this message]
2012-09-18 17:20         ` Stephen Smalley
2012-09-20 16:31           ` Serge E. Hallyn
2012-09-21  8:46             ` Sven Vermeulen
2012-09-21 13:50               ` [PATCH] selinux-testsuite: Wrap auth_read_passwd with ifdef(`distro_redhat') Stephen Smalley
2012-09-25 16:47                 ` Serge E. Hallyn
