SELinuxProject / selinux-testsuite

This is the upstream SELinux testsuite which is designed as a basic set of regression tests for the SELinux kernel functionality.
GNU General Public License v2.0

overlay: Remove bad entry point test for context mounts #36

Closed rhvgoyal closed 6 years ago

rhvgoyal commented 6 years ago

The current bad entry point test for context mounts does not make much sense. During the test we are mounting overlay with context=...rwx_t. That means the process will see this label on the overlay inode, and that should allow entry.

We are expecting entry to fail. But given that the process is seeing rwx_t, entrypoint into that is allowed as per policy. So this test case in its current form does not make much sense for context mounts.

It works currently because SELinux is actually checking the label of the lower file (ro_t) instead of the label of the overlay inode (rwx_t), and that's why entrypoint fails. But this is the wrong expectation.

So get rid of this test. New overlay patches are proposed where it will soon start failing.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>

rhvgoyal commented 6 years ago

cc @rhatdan @stephensmalley

rhvgoyal commented 6 years ago

@stephensmalley I fixed the test. Mounted overlay one more time with ro_t label. @rhatdan mentioned that this label has exec permission but not entrypoint permission. PTAL.

pcmoore commented 6 years ago

No objections from me, and since I see @stephensmalley gave this a thumbs up I'll go ahead and merge this now ...

pcmoore commented 6 years ago

Merged via f9a6abae74a3caefd60e12fcdde245e15986fdcb, thanks @rhvgoyal for the fix!