From 21ada26daea538397029396099dce865267bae2f Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 29 Jul 2014 14:50:30 -0400
Subject: [PATCH] Fix neverallow rules to eliminate CTS SELinuxTest warnings.

Fix two neverallow rules that yield Invalid SELinux context
warnings from the CTS SELinuxTest.

For transitions from app domains, we only need to check
{ domain -appdomain } (i.e. domains other than app domains),
not ~appdomain (i.e. all types other than app domains).  Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing since the target class is process,
and such contexts are invalid.

For keeping file_type and fs_type exclusive, we only need to
check associate permission, not all filesystem permissions, as
only associate takes a file type as the source context.  Otherwise
SELinuxTest tries to generate contexts with the r role and
non-domain types for testing filesystem permissions other than
associate, since the source of such checks is normally a process
context.

Change-Id: I6c2f63f4786d75294a6938613ba14b64212fc802
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te  | 2 +-
 file.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app.te b/app.te
index 8288ea054..e24215249 100644
--- a/app.te
+++ b/app.te
@@ -255,7 +255,7 @@ neverallow appdomain { domain -appdomain }:process
 
 # Transition to a non-app domain.
 # Exception for the shell domain, can transition to runas, etc.
-neverallow { appdomain -shell } ~appdomain:process
+neverallow { appdomain -shell } { domain -appdomain }:process
     { transition dyntransition };
 
 # Write to rootfs.
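Review bot: The rewritten rule on the added line narrows the forbidden target set from every non-app type (`~appdomain`) to non-app domain types (`{ domain -appdomain }`), and the reason for that choice is only in the commit message, not in the policy file where a later maintainer will see it. Since the class is process, the types dropped from the set are those without the domain attribute, which are never a meaningful transition target, so coverage of real domains is unchanged; that reasoning deserves a line in the existing comment so nobody "tightens" it back to `~appdomain` and reintroduces the invalid-context warnings. Suggest extending the comment with `# Use { domain -appdomain } rather than ~appdomain: only domain types are valid process transition targets, and ~appdomain makes the CTS SELinuxTest synthesize invalid contexts.` The surrounding neverallow block starts before this hunk.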
diff --git a/file.te b/file.te
index 99c383975..7df06d398 100644
--- a/file.te
+++ b/file.te
@@ -167,4 +167,4 @@ allow dev_type tmpfs:filesystem associate;
 #   type apk_data_file, file_type, data_file_type, fs_type;
 # Should be:
 #   type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem *;
+neverallow fs_type file_type:filesystem associate;
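Review bot: The narrowed rule on the added line now enforces fs_type/file_type exclusivity only through the associate permission, and the comment block above still only explains the apk_data_file example, not why `*` was dropped. Per the commit message, associate is the one filesystem permission whose source context is a file type, while the others are checked with a process source, so an fs_type source is not meaningful for them; if that is the intended invariant it should be stated next to the rule so the reduced scope is not read as an accidental weakening. Suggest adding above the rule `# Only associate needs checking: it is the sole filesystem permission whose source context is a file type; the others are checked against a process source.` Note that the rule no longer covers a type that carries both fs_type and domain-like permissions, which the old `*` would have caught as a side effect, so confirm no such type exists before merging.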
-- 
GitLab