policy/test_secretmem.te: add anon_inode perms required in Linux v6.16-rc5

pcmoore · WOnder93 · commit 72e60b601832 · 2025-07-09T09:11:37.000+02:00
Starting with Linux v6.16-rc5 and commit cbe4134ea4bc
("fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass")
secretmem's anonymous inodes are no longer marked as S_PRIVATE which
means they are subject to a number of SELinux permission checks that
has been previously skipped.  This patch updates the test policy to
account for these new checks and allows for a clean test run on Linux
kernel builds with the above mentioned patch.

It is worth noting that there are still some capability/ipc_lock AVC
denials when running the secretmem tests, but granting access to
CAP_IPC_LOCK proved not to be strictly necessary for a clean test run so
those rules were omitted from this patch.

Suggested-by: Shivank Garg &lt;shivankg@amd.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
[OM: drop an unnecessary execute permission + added Suggested-by]
Signed-off-by: Ondrej Mosnacek &lt;omosnace@redhat.com&gt;
diff --git a/policy/test_secretmem.te b/policy/test_secretmem.te
@@ -13,12 +13,12 @@ testsuite_domain_type_minimal(test_nocreate_secretmem_t)
 # Domain allowed to create secret memory with the own domain type
 type test_create_secretmem_t;
 testsuite_domain_type_minimal(test_create_secretmem_t)
-allow test_create_secretmem_t self:anon_inode create;
+allow test_create_secretmem_t self:anon_inode { create map read write };
 
 # Domain allowed to create secret memory with the own domain type and allowed to map WX
 type test_create_wx_secretmem_t;
 testsuite_domain_type_minimal(test_create_wx_secretmem_t)
-allow test_create_wx_secretmem_t self:anon_inode create;
+allow test_create_wx_secretmem_t self:anon_inode { create map read write };
 allow test_create_wx_secretmem_t self:process execmem;
 
 # Domain not allowed to create secret memory via a type transition to a private type
@@ -30,4 +30,4 @@ type_transition test_nocreate_transition_secretmem_t test_nocreate_transition_se
 type test_create_transition_secretmem_t;
 testsuite_domain_type_minimal(test_create_transition_secretmem_t)
 type_transition test_create_transition_secretmem_t test_create_transition_secretmem_t:anon_inode test_secretmem_inode_t "[secretmem]";
-allow test_create_transition_secretmem_t test_secretmem_inode_t:anon_inode create;
+allow test_create_transition_secretmem_t test_secretmem_inode_t:anon_inode { create map read write };
