Closed rhvgoyal closed 6 years ago
cc @rhatdan @stephensmalley
@stephensmalley I fixed the test. Mounted overlay one more time with ro_t label. @rhatdan mentioned that this label has exec permission but not entrypoint permission. PTAL.
No objections from me, and since I see @stephensmalley gave this a thumbs up I'll go ahead and merge this now ...
Merged via f9a6abae74a3caefd60e12fcdde245e15986fdcb, thanks @rhvgoyal for the fix!
The current bad entry point test for context mounts does not make much sense. During the test we are mounting overlay with context=...rwx_t. That means the process will see this label on the overlay inode, and that should allow entry.
We are expecting entry to fail. But, given that the process sees rwx_t, and as per policy entrypoint into that is allowed, this test case in its current form does not make much sense for context mounts.
Why it works currently: because SELinux is actually checking the label of the lower file (ro_t) instead of the label of the overlay inode (rwx_t), and that's why entrypoint fails. But this is a wrong expectation.
So get rid of this test. New overlay patches are proposed where it will soon start failing.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>