SELinuxProject / selinux-testsuite

This is the upstream SELinux testsuite which is designed as a basic set of regression tests for the SELinux kernel functionality.
GNU General Public License v2.0

Clean up testsuite policy and support running as sysadm_t #82

Closed WOnder93 closed 2 years ago

WOnder93 commented 2 years ago

This series aims for two things:

  1. Refactor the policy so that it is easier to work with.
  2. Leverage the refactoring to fully support running the testsuite as sysadm_u:sysadm_r:sysadm_t.

The gist of this work lies in unifying how test domains are defined, deduplicating the various boilerplate spread out all across the individual files (and not even used consistently), and in abstracting the policy caller domain/role away from the individual test policies into testgeneral.te. Some tests also had to be massaged to not hard-code unconfined* and be generic against the context of the testsuite caller.

The series also extends the CI to test running the testsuite as sysadm_* and also verify that no unconfined_t/sysadm_t unexpected denials are produced (which would usually indicate a missing dontaudit rule in the testsuite policy).

Originally posted at https://lore.kernel.org/selinux/20220729120229.207584-1-omosnace@redhat.com/T/, but the mailing list bounced some of the patches, so I'm opening a PR instead...

dburgener commented 2 years ago

LGTM and seems like a really nice cleanup!

WOnder93 commented 2 years ago

Thanks for the interest and review! I'll keep this open for a couple more weekdays in case there is more feedback and then merge.