Fix running of the selinux tests: while running the ltp selinux tests on Debian, I found some problems:

1) the testdomain attribute cannot have setcurrent permission to itself. This is because in Debian refpolicy, only domains with attribute set_curr_context can have setcurrent permission on own processes (otherwise, it's forbidden by neverallow). And AFAIK, it's impossible to specify that domains having attribute testdomain also have attribute set_curr_context. Moreover, I found only two tests (dyntrans and dyntrace) that actually need it so far, so I'm not convinced it has to be granted globally.

2) the testscripts (e.g. selinux_file.sh) have the test_file_t context, but they are to be run as sysadm_t. Sysadm_t therefore needs execute_no_trans permission on the test files.

Please correct me if I'm wrong.

- allow sysadm_t execute_no_trans on test_file_t to allow him to run the test shell scripts
- get rid of setexec permission for testdomain, it conflicts with refpolicy and AFAIK is unneeded.

Signed-off-by: Jiri Palecek <jpalecek@web.de>

1 file changed