Something went wrong on our end
-
Stephen Smalley authoredFix two neverallow rules that yield Invalid SELinux context warnings from the CTS SELinuxTest. For transitions from app domains, we only need to check { domain -appdomain } (i.e. domains other than app domains), not ~appdomain (i.e. all types other than app domains). Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing since the target class is process, and such contexts are invalid. For keeping file_type and fs_type exclusive, we only need to check associate permission, not all filesystem permissions, as only associate takes a file type as the source context. Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing filesystem permissions other than associate, since the source of such checks is normally a process context. Change-Id: I6c2f63f4786d75294a6938613ba14b64212fc802 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>Stephen Smalley authoredFix two neverallow rules that yield Invalid SELinux context warnings from the CTS SELinuxTest. For transitions from app domains, we only need to check { domain -appdomain } (i.e. domains other than app domains), not ~appdomain (i.e. all types other than app domains). Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing since the target class is process, and such contexts are invalid. For keeping file_type and fs_type exclusive, we only need to check associate permission, not all filesystem permissions, as only associate takes a file type as the source context. Otherwise SELinuxTest tries to generate contexts with the r role and non-domain types for testing filesystem permissions other than associate, since the source of such checks is normally a process context. Change-Id: I6c2f63f4786d75294a6938613ba14b64212fc802 Signed-off-by:Stephen Smalley <sds@tycho.nsa.gov>