[PATCH testsuite] policy: do not modify the allow_domain_fd

selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH testsuite] policy: do not modify the allow_domain_fd_use boolean
@ 2025-11-10 14:55 Stephen Smalley
  2025-11-10 16:41 ` Ondrej Mosnacek
  0 siblings, 1 reply; 2+ messages in thread
From: Stephen Smalley @ 2025-11-10 14:55 UTC (permalink / raw)
  To: selinux; +Cc: paul, omosnace, Stephen Smalley

Modifying the allow_domain_fd_use boolean value during testsuite
execution is increasingly triggering breakage on Fedora since its
policy defaults to 1/true, to the point that you can't ssh or even
console login to a VM while the testsuite is running or even afterward
if the testsuite encounters any failures. Instead of modifying this
boolean, just update the relevant test domains to use the _minimal
interface so they do not inherit this rule by default and add any
required allowed rules to them.

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
 policy/Makefile          | 6 ------
 policy/test_binder.te    | 3 ++-
 policy/test_fdreceive.te | 4 +++-
 policy/test_global.te    | 2 ++
 policy/test_inherit.te   | 3 ++-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/policy/Makefile b/policy/Makefile
index 520f891..0446f87 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -219,16 +219,10 @@ build: $(TARGETS)
 
 load: expand_check all
 	# General policy load
-	@if /usr/sbin/getsebool allow_domain_fd_use 2> /dev/null; then \
-		/usr/sbin/setsebool allow_domain_fd_use=0; \
-	fi
 	$(SEMODULE) -i test_policy/test_policy.pp $(CIL_TARGETS)
 
 unload:
 	# General policy unload
-	@if /usr/sbin/getsebool allow_domain_fd_use 2> /dev/null; then \
-		/usr/sbin/setsebool allow_domain_fd_use=1; \
-	fi
 	$(SEMODULE) -r test_policy $(subst .cil,,$(CIL_TARGETS))
 
 clean:
diff --git a/policy/test_binder.te b/policy/test_binder.te
index 4c7974a..a267a85 100644
--- a/policy/test_binder.te
+++ b/policy/test_binder.te
@@ -42,7 +42,8 @@ allow test_binder_provider_no_fd_t test_file_t:fifo_file rw_file_perms;
 ################################# Client ####################################
 #
 type test_binder_client_t;
-testsuite_domain_type(test_binder_client_t)
+# Must use _minimal interface to avoid granting domain fd use permission
+testsuite_domain_type_minimal(test_binder_client_t)
 typeattribute test_binder_client_t binderdomain;
 allow test_binder_client_t test_binder_provider_t:binder { call impersonate };
 allow test_binder_client_t test_binder_mgr_t:binder { call };
diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te
index df9e974..805e04e 100644
--- a/policy/test_fdreceive.te
+++ b/policy/test_fdreceive.te
@@ -27,7 +27,9 @@ typeattribute test_fdreceive_client2_t fdreceivedomain;
 # Can receive fds from client, not from client2.
 # Can access test file, not second test file.
 type test_fdreceive_server_t;
-testsuite_domain_type(test_fdreceive_server_t);
+# Use the _minimal interface to avoid allowing fd use by default
+testsuite_domain_type_minimal(test_fdreceive_server_t)
+allow test_fdreceive_server_t self:unix_stream_socket create_stream_socket_perms;
 typeattribute test_fdreceive_server_t fdreceivedomain;
 
 # Grant the necessary permissions for the server domain.
diff --git a/policy/test_global.te b/policy/test_global.te
index 0078485..4978993 100644
--- a/policy/test_global.te
+++ b/policy/test_global.te
@@ -23,6 +23,8 @@ optional_policy(`
 
 	# Transition from the caller to the test domain.
 	allow unconfined_t testsuite_domain:process transition;
+	# Kill the test domain as needed.
+	allow unconfined_t testsuite_domain:process sigkill;
 	role unconfined_r types testsuite_domain;
 	# Report back from the test domain to the caller.
 	allow testsuite_domain unconfined_t:fd use;
diff --git a/policy/test_inherit.te b/policy/test_inherit.te
index da26ea3..7e09534 100644
--- a/policy/test_inherit.te
+++ b/policy/test_inherit.te
@@ -22,7 +22,8 @@ typeattribute test_inherit_child_t inheritdomain;
 # Domain for child process that cannot inherit from parent due to lack
 # of fd use permission.
 type test_inherit_nouse_t;
-testsuite_domain_type(test_inherit_nouse_t)
+# Use the _minimal interface to avoid allowing fd use by default
+testsuite_domain_type_minimal(test_inherit_nouse_t)
 typeattribute test_inherit_nouse_t inheritdomain;
 
 # Domain for child process that cannot inherit r/w fd to test file
-- 
2.51.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH testsuite] policy: do not modify the allow_domain_fd_use boolean
  2025-11-10 14:55 [PATCH testsuite] policy: do not modify the allow_domain_fd_use boolean Stephen Smalley
@ 2025-11-10 16:41 ` Ondrej Mosnacek
  0 siblings, 0 replies; 2+ messages in thread
From: Ondrej Mosnacek @ 2025-11-10 16:41 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, paul

On Mon, Nov 10, 2025 at 3:56 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> Modifying the allow_domain_fd_use boolean value during testsuite
> execution is increasingly triggering breakage on Fedora since its
> policy defaults to 1/true, to the point that you can't ssh or even
> console login to a VM while the testsuite is running or even afterward
> if the testsuite encounters any failures. Instead of modifying this
> boolean, just update the relevant test domains to use the _minimal
> interface so they do not inherit this rule by default and add any
> required allowed rules to them.
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
>  policy/Makefile          | 6 ------
>  policy/test_binder.te    | 3 ++-
>  policy/test_fdreceive.te | 4 +++-
>  policy/test_global.te    | 2 ++
>  policy/test_inherit.te   | 3 ++-
>  5 files changed, 9 insertions(+), 9 deletions(-)

I like this idea! Needs one small tweak to not break running the suite
from sysadm_t, though (see below).

>
> diff --git a/policy/Makefile b/policy/Makefile
> index 520f891..0446f87 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -219,16 +219,10 @@ build: $(TARGETS)
>
>  load: expand_check all
>         # General policy load
> -       @if /usr/sbin/getsebool allow_domain_fd_use 2> /dev/null; then \
> -               /usr/sbin/setsebool allow_domain_fd_use=0; \
> -       fi
>         $(SEMODULE) -i test_policy/test_policy.pp $(CIL_TARGETS)
>
>  unload:
>         # General policy unload
> -       @if /usr/sbin/getsebool allow_domain_fd_use 2> /dev/null; then \
> -               /usr/sbin/setsebool allow_domain_fd_use=1; \
> -       fi
>         $(SEMODULE) -r test_policy $(subst .cil,,$(CIL_TARGETS))
>
>  clean:
> diff --git a/policy/test_binder.te b/policy/test_binder.te
> index 4c7974a..a267a85 100644
> --- a/policy/test_binder.te
> +++ b/policy/test_binder.te
> @@ -42,7 +42,8 @@ allow test_binder_provider_no_fd_t test_file_t:fifo_file rw_file_perms;
>  ################################# Client ####################################
>  #
>  type test_binder_client_t;
> -testsuite_domain_type(test_binder_client_t)
> +# Must use _minimal interface to avoid granting domain fd use permission
> +testsuite_domain_type_minimal(test_binder_client_t)
>  typeattribute test_binder_client_t binderdomain;
>  allow test_binder_client_t test_binder_provider_t:binder { call impersonate };
>  allow test_binder_client_t test_binder_mgr_t:binder { call };
> diff --git a/policy/test_fdreceive.te b/policy/test_fdreceive.te
> index df9e974..805e04e 100644
> --- a/policy/test_fdreceive.te
> +++ b/policy/test_fdreceive.te
> @@ -27,7 +27,9 @@ typeattribute test_fdreceive_client2_t fdreceivedomain;
>  # Can receive fds from client, not from client2.
>  # Can access test file, not second test file.
>  type test_fdreceive_server_t;
> -testsuite_domain_type(test_fdreceive_server_t);
> +# Use the _minimal interface to avoid allowing fd use by default
> +testsuite_domain_type_minimal(test_fdreceive_server_t)
> +allow test_fdreceive_server_t self:unix_stream_socket create_stream_socket_perms;
>  typeattribute test_fdreceive_server_t fdreceivedomain;
>
>  # Grant the necessary permissions for the server domain.
> diff --git a/policy/test_global.te b/policy/test_global.te
> index 0078485..4978993 100644
> --- a/policy/test_global.te
> +++ b/policy/test_global.te
> @@ -23,6 +23,8 @@ optional_policy(`
>
>         # Transition from the caller to the test domain.
>         allow unconfined_t testsuite_domain:process transition;
> +       # Kill the test domain as needed.
> +       allow unconfined_t testsuite_domain:process sigkill;

This actually needs to be:

allow testsuite_caller_domain testsuite_domain:process sigkill;

...otherwise running the testsuite under sysadm_t becomes broken.

>         role unconfined_r types testsuite_domain;
>         # Report back from the test domain to the caller.
>         allow testsuite_domain unconfined_t:fd use;
> diff --git a/policy/test_inherit.te b/policy/test_inherit.te
> index da26ea3..7e09534 100644
> --- a/policy/test_inherit.te
> +++ b/policy/test_inherit.te
> @@ -22,7 +22,8 @@ typeattribute test_inherit_child_t inheritdomain;
>  # Domain for child process that cannot inherit from parent due to lack
>  # of fd use permission.
>  type test_inherit_nouse_t;
> -testsuite_domain_type(test_inherit_nouse_t)
> +# Use the _minimal interface to avoid allowing fd use by default
> +testsuite_domain_type_minimal(test_inherit_nouse_t)
>  typeattribute test_inherit_nouse_t inheritdomain;
>
>  # Domain for child process that cannot inherit r/w fd to test file
> --
> 2.51.1
>

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-11-10 16:42 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-10 14:55 [PATCH testsuite] policy: do not modify the allow_domain_fd_use boolean Stephen Smalley
2025-11-10 16:41 ` Ondrej Mosnacek

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).