All of lore.kernel.org
 help / color / mirror / Atom feed
* [patch] policy regression tester and various fixes
@ 2003-07-16  4:41 Colin Walters
  2003-07-18 20:39 ` Colin Walters
  0 siblings, 1 reply; 2+ messages in thread
From: Colin Walters @ 2003-07-16  4:41 UTC (permalink / raw)
  To: selinux; +Cc: Russell Coker

[-- Attachment #1: Type: text/plain, Size: 779 bytes --]

Hi,

Whenever I started changing macros around, I found it was fairly easy to
break one domain in unused/ but not know about it (because "make policy"
only builds the core policy).

So I wrote a quick regression tester in Make.  It basically works by
symlinking each .te in unused and trying to compile the policy. 
However, because some .te files have strong dependencies on another
(e.g. postfix.te and mta.te), I also added the ability to specify a
Depends: header in the .te file.  The regression tester will also
symlink those files when doing a policy check.

The regression tester turned up a number of bugs in the policy where
ifdefs or Depends: were needed.  I've attached a patch which fixes most
of them.

To use, just patch your Makefile, then run "make check-all".


[-- Attachment #2: Makefile.patch --]
[-- Type: text/x-makefile, Size: 2405 bytes --]

--- policy-1.0/Makefile	2003-07-01 09:38:11.000000000 -0400
+++ selinux-policy-1.0/Makefile	2003-07-16 00:23:32.000000000 -0400
@@ -37,6 +37,8 @@
 POLICYFILES += users 
 POLICYFILES += tmp/constraints-contexts.m4
 
+UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
+
 FC = file_contexts/file_contexts
 FCFILES=file_contexts/types.fc $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te))
 
@@ -119,7 +121,7 @@
 	$(SETFILES) $(FC) `mount | awk '/ext[23]/{print $$3}'`
 
 reset:  $(FC) $(SETFILES)
-	$(SETFILES) -R $(FC) `mount | awk '/ext[23]/{print $$3}'`
+	$(SETFILES) -R $(FC) `mount | awk '/ext[23]/{print $$3}'`	
 
 $(FC): $(FCFILES) file_contexts/program 
 	cat $(FCFILES) > $@
@@ -128,3 +130,49 @@
 	rm -f policy.conf
 	rm -f tmp/*
 	rm -f $(FC)
+
+# Policy regression tester.
+# Written by Colin Walters <walters@debian.org>
+ifeq ($(MAKECMDGOALS),check-all)
+TESTED_TE_FILES := $(notdir $(UNUSED_TE_FILES))
+endif
+
+cur_te = $(filter-out %/,$(subst /,/ ,$@))
+
+define compute_depends
+  TE_DEPENDS_$(1) := $(shell egrep '^#[[:space:]]*Depends: ' domains/program/unused/$(1) | head -1 | sed -e 's/^.*Depends: //')
+endef
+
+# Compute dependencies.
+$(foreach f,$(TESTED_TE_FILES),$(eval $(call compute_depends,$(f))))
+
+define link_dependencies
+ifneq ($$(TE_DEPENDS_$(1)),)
+checkunused/$(1) ::
+	@echo Dependencies for $(1): $$(TE_DEPENDS_$$(cur_te))
+	@for x in $$(TE_DEPENDS_$$(cur_te)); do \
+	  if ! test -L domains/program/$$$$x ; then \
+	    cd domains/program && ln -s unused/$$$$x .; \
+	  fi; \
+	done
+endif
+endef
+$(foreach f,$(TESTED_TE_FILES),$(eval $(call link_dependencies,$(f))))
+
+$(patsubst %,checkunused/%,$(TESTED_TE_FILES)) :: checkunused/% :
+	@$(MAKE) -s clean # unfortunately necessary at the moment.
+	@echo "Testing $(cur_te)..."; \
+	if test -h "domains/program/$(cur_te)"; then rm -f "domains/program/$(cur_te)"; fi; \
+	( cd domains/program && ln -s "unused/$(cur_te)" "$(cur_te)" ); \
+	if ! make -s policy 1>/dev/null; then \
+	  echo "Testing $(cur_te)...FAILED"; \
+	  find "domains/program/" -maxdepth 1 -type l -exec rm {} \; ; \
+	  exit 1; \
+	fi; \
+	echo "Testing $(cur_te)...success."; \
+	find "domains/program/" -maxdepth 1 -type l -exec rm {} \; 
+
+check-all: $(patsubst %,checkunused/%,$(TESTED_TE_FILES))
+
+
+.PHONY: clean 

[-- Attachment #3: te-includes.patch --]
[-- Type: text/plain, Size: 11214 bytes --]

--- orig/domains/program/unused/amanda.te
+++ mod/domains/program/unused/amanda.te
@@ -4,6 +4,7 @@
 # and amrecover 
 #
 # X-Debian-Packages: amanda-common amanda-server
+# Depends: inetd.te
 # Author     :  Carsten Grohmann <carstengrohmann@gmx.de>
 #
 # License    :  GPL
--- orig/domains/program/unused/calamaris.te
+++ mod/domains/program/unused/calamaris.te
@@ -2,6 +2,7 @@
 #
 # Author:  Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: calamaris
+# Depends: squid.te
 #
 
 #################################
--- orig/domains/program/unused/cups.te
+++ mod/domains/program/unused/cups.te
@@ -2,6 +2,7 @@
 #
 # Created cups policy from lpd policy: Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: cupsys cupsys-client cupsys-bsd
+# Depends: lpd.te
 
 #################################
 #
--- orig/domains/program/unused/fingerd.te
+++ mod/domains/program/unused/fingerd.te
@@ -26,15 +26,14 @@
 allow fingerd_t fingerd_port_t:tcp_socket name_bind;
 ifdef(`inetd.te', `
 allow inetd_t fingerd_port_t:tcp_socket name_bind;
+# can be run from inetd
+domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
+allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
 ')
 ifdef(`tcpd.te', `
 domain_auto_trans_read(tcpd_t, fingerd_exec_t, fingerd_t)
 ')
 
-# can be run from inetd
-domain_auto_trans(inetd_t, fingerd_exec_t, fingerd_t)
-allow fingerd_t inetd_t:tcp_socket { read write getattr ioctl };
-
 allow fingerd_t self:capability { setgid setuid };
 # for gzip from logrotate
 dontaudit fingerd_t self:capability fsetid;
--- orig/domains/program/unused/ftpd.te
+++ mod/domains/program/unused/ftpd.te
@@ -30,6 +30,7 @@
 allow ftpd_t ftp_port_t:tcp_socket name_bind;
 can_tcp_connect(userdomain, ftpd_t)
 ', `
+ifdef(`inetd.te',
 # Use sockets inherited from inetd.
 allow ftpd_t inetd_t:fd use;
 allow ftpd_t inetd_t:tcp_socket rw_stream_socket_perms;
@@ -37,6 +38,7 @@
 # Send SIGCHLD to inetd on death.
 allow ftpd_t inetd_t:process sigchld;
 ')
+')
 
 ifdef(`ftp_shm', `
 allow ftpd_t tmpfs_t:file { read write };
@@ -47,7 +49,9 @@
 allow ftpd_t ftpd_t:capability { net_bind_service setuid setgid fowner fsetid chown sys_resource sys_chroot };
 
 # Connect to inetd.
+ifdef(`inetd.te',
 can_tcp_connect(ftpd_t,inetd_t)
+')
 
 # Append to /var/log/wtmp.
 allow ftpd_t wtmp_t:file { getattr append };
--- orig/domains/program/unused/openca-ca.te
+++ mod/domains/program/unused/openca-ca.te
@@ -2,6 +2,7 @@
 #
 # Author:  Brian May <bam@snoopy.apana.org.au>
 # X-Debian-Packages:
+# Depends: apache.te
 #
 
 #################################
--- orig/domains/program/unused/portslave.te
+++ mod/domains/program/unused/portslave.te
@@ -2,6 +2,7 @@
 #
 # Author:  Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: portslave
+# Depends: pppd.te
 #
 
 #################################
--- orig/domains/program/unused/postfix.te
+++ mod/domains/program/unused/postfix.te
@@ -2,6 +2,7 @@
 #
 # Author:  Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: postfix
+# Depends: mta.te
 #
 
 # Type for files created during execution of postfix.
--- orig/domains/program/unused/postgresql.te
+++ mod/domains/program/unused/postgresql.te
@@ -45,7 +45,9 @@
 tmp_domain(postgresql);
 file_type_auto_trans(postgresql_t, tmpfs_t, postgresql_tmp_t)
 
+ifdef(`dpkg.te', `
 can_exec(postgresql_t, dpkg_exec_t)
+')
 
 # Use the network.
 can_network(postgresql_t)
--- orig/domains/program/unused/qmail.te
+++ mod/domains/program/unused/qmail.te
@@ -6,7 +6,9 @@
 
 
 # bug
+ifdef(`tcpd.te', `
 can_exec(tcpd_t, tcpd_exec_t)
+')
 
 # Type for files created during execution of qmail.
 type qmail_var_run_t, file_type, sysadmfile, pidfile;
@@ -114,10 +116,13 @@
 allow qmail_local_t devtty_t:chr_file rw_file_perms;
 allow qmail_local_t { etc_runtime_t proc_t }:file { getattr read };
 
+ifdef(`tcpd.te', `
 qmaild_sub_domain(tcpd_t, qmail_tcp_env)
+ifdef(`inetd.te', `
 allow qmail_tcp_env_t inetd_t:fd use;
 allow qmail_tcp_env_t inetd_t:tcp_socket { read write getattr };
 allow qmail_tcp_env_t inetd_t:process sigchld;
+')
 allow qmail_tcp_env_t resolv_conf_t:file { read getattr };
 allow qmail_tcp_env_t sbin_t:dir search;
 can_network(qmail_tcp_env_t)
@@ -125,15 +130,18 @@
 qmaild_sub_domain(qmail_tcp_env_t, qmail_smtpd)
 allow qmail_tcp_env_t qmail_smtpd_exec_t:file read;
 can_network(qmail_smtpd_t)
+ifdef(`inetd.te', `
 allow qmail_smtpd_t inetd_t:fd use;
 allow qmail_smtpd_t inetd_t:tcp_socket { read write };
 allow qmail_smtpd_t inetd_t:process sigchld;
+')
 allow qmail_smtpd_t self:process { fork signal_perms };
 allow qmail_smtpd_t self:fifo_file write;
 allow qmail_smtpd_t self:tcp_socket create_socket_perms;
 allow qmail_smtpd_t sbin_t:dir search;
 domain_auto_trans(qmail_smtpd_t, qmail_queue_exec_t, qmail_queue_t)
 allow qmail_smtpd_t qmail_queue_exec_t:file read;
+')
 
 qmaild_sub_domain(user_mail_domain, qmail_inject, `, mta_user_agent')
 allow qmail_inject_t self:process { fork signal_perms };
@@ -160,8 +168,10 @@
 allow qmail_queue_t qmail_start_t:fifo_file { read write };
 allow qmail_queue_t privfd:fd use;
 allow qmail_queue_t crond_t:fifo_file { read write };
+ifdef(`inetd.te', `
 allow qmail_queue_t inetd_t:fd use;
 allow qmail_queue_t inetd_t:tcp_socket { read write };
+')
 allow qmail_queue_t sysadm_t:fd use;
 allow qmail_queue_t sysadm_t:fifo_file write;
 
--- orig/domains/program/unused/rlogind.te
+++ mod/domains/program/unused/rlogind.te
@@ -14,7 +14,9 @@
 uses_shlib(rlogind_t)
 can_network(rlogind_t)
 type rlogind_exec_t, file_type, sysadmfile, exec_type;
+ifdef(`inetd.te',`
 domain_auto_trans_read(inetd_t, rlogind_exec_t, rlogind_t)
+')
 ifdef(`tcpd.te', `
 domain_auto_trans_read(tcpd_t, rlogind_exec_t, rlogind_t)
 ')
@@ -25,11 +27,13 @@
 type rlogind_tmp_t, file_type, sysadmfile, tmpfile;
 file_type_auto_trans(rlogind_t, tmp_t, rlogind_tmp_t)
 
+ifdef(`inetd.te',`
 # Inherit and use descriptors from inetd.
 allow rlogind_t inetd_t:fd use;
 
 # Use sockets inherited from inetd.
 allow rlogind_t inetd_t:tcp_socket rw_stream_socket_perms;
+')
 
 # Use capabilities.
 allow rlogind_t rlogind_t:capability { net_bind_service setuid setgid fowner fsetid chown dac_override };
@@ -42,12 +46,15 @@
 
 # Run login in remote_login_t.
 allow rlogind_t bin_t:dir search;
+ifdef(`inetd.te',`
 allow remote_login_t inetd_t:fd use;
 allow remote_login_t inetd_t:tcp_socket rw_file_perms;
-domain_auto_trans_read(rlogind_t, login_exec_t, remote_login_t)
 
 # Send SIGCHLD to inetd on death.
 allow rlogind_t inetd_t:process sigchld;
+')
+
+domain_auto_trans_read(rlogind_t, login_exec_t, remote_login_t)
 
 allow rlogind_t proc_t:dir search;
 allow rlogind_t proc_t:lnk_file read;
--- orig/domains/program/unused/rpcd.te
+++ mod/domains/program/unused/rpcd.te
@@ -37,7 +37,9 @@
 allow rpcd_t fs_t:filesystem getattr;
 
 # rpcd_t needs to talk to the portmap_t domain
+ifdef(`portmap.te',`
 can_udp_send(rpcd_t, portmap_t)
+')
 
 # Use capabilities.
 allow rpcd_t self:capability { net_bind_service dac_override setgid setuid };
--- orig/domains/program/unused/rshd.te
+++ mod/domains/program/unused/rshd.te
@@ -2,6 +2,7 @@
 #
 # Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
 # X-Debian-Packages: rsh-server rsh-redone-server
+# Depends: inetd.te
 #
 
 #################################
--- orig/domains/program/unused/scannerdaemon.te
+++ mod/domains/program/unused/scannerdaemon.te
@@ -34,8 +34,10 @@
 allow scannerdaemon_t scannerdaemon_etc_t:file r_file_perms;
 
 # Access signature files.
+ifdef(`oav-update.te',
 allow scannerdaemon_t oav_update_var_lib_t:dir r_dir_perms;
 allow scannerdaemon_t oav_update_var_lib_t:file r_file_perms;
+')
 
 # Access scannerdaemon log files.
 file_type_auto_trans(scannerdaemon_t, var_log_t, scannerdaemon_log_t)
--- orig/domains/program/unused/tcpd.te
+++ mod/domains/program/unused/tcpd.te
@@ -13,7 +13,9 @@
 role system_r types tcpd_t;
 uses_shlib(tcpd_t)
 type tcpd_exec_t, file_type, sysadmfile, exec_type;
+ifdef(`inetd.te',
 domain_auto_trans_read(inetd_t, tcpd_exec_t, tcpd_t)
+')
 
 allow tcpd_t fs_t:filesystem getattr;
 
@@ -28,14 +30,17 @@
 
 tmp_domain(tcpd)
 
+ifdef(`inetd.te',
 # Use sockets inherited from inetd.
 allow tcpd_t inetd_t:tcp_socket rw_stream_socket_perms;
 
 # Run each daemon with a defined domain in its own domain.
 # These rules have been moved to each target domain .te file.
 
+domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)
+')
+
 # Run other daemons in the inetd_child_t domain.
 allow tcpd_t sbin_t:dir search;
-domain_auto_trans(tcpd_t, inetd_child_exec_t, inetd_child_t)
 
 allow tcpd_t device_t:dir search;
--- orig/domains/program/unused/usbmodules.te
+++ mod/domains/program/unused/usbmodules.te
@@ -15,10 +15,13 @@
 role sysadm_r types usbmodules_t;
 role system_r types usbmodules_t;
 
-domain_auto_trans_read({ initrc_t hotplug_t }, usbmodules_exec_t, usbmodules_t)
+domain_auto_trans_read(initrc_t, usbmodules_exec_t, usbmodules_t)
+ifdef(`hotplug.te',
+domain_auto_trans_read(hotplug_t, usbmodules_exec_t, usbmodules_t)
+allow usbmodules_t etc_hotplug_t:file r_file_perms;
+')
 allow usbmodules_t init_t:fd use;
 allow usbmodules_t console_device_t:chr_file { read write };
-allow usbmodules_t etc_hotplug_t:file r_file_perms;
 
 uses_shlib(usbmodules_t)
 
--- orig/domains/program/unused/vmware.te
+++ mod/domains/program/unused/vmware.te
@@ -182,11 +182,13 @@
 ifdef(`gnome-pty-helper.te', `
 allow vmware_user_t user_gph_t:fd use;
 ')
+ifdef(`xserver.te',`
 allow vmware_user_t user_xserver_tmp_t:sock_file { unlink write };
 allow vmware_user_t user_xserver_tmp_t:dir { search };
 allow vmware_user_t user_xserver_t:unix_stream_socket { connectto };
 allow user_xserver_t vmware_user_t:shm r_shm_perms;
 allow user_xserver_t vmware_user_t:fd use;
+')
 
 # Allow filesystem read access
 allow vmware_user_t fs_t:filesystem { getattr };
--- orig/domains/program/unused/xdm.te
+++ mod/domains/program/unused/xdm.te
@@ -3,6 +3,7 @@
 # Authors:  Mark Westerman mark.westerman@westcam.com
 #           Russell Coker <russell@coker.com.au>
 # X-Debian-Packages: gdm xdm wdm kdm
+# Depends: xserver.te
 #
 # Some wdm-specific changes by Tom Vogt <tom@lemuria.org>
 # 
--- orig/domains/program/unused/ypbind.te
+++ mod/domains/program/unused/ypbind.te
@@ -20,7 +20,9 @@
 can_network(ypbind_t)
 
 # Send to portmap and initrc.
+ifdef(`portmap.te',
 can_udp_send(ypbind_t, portmap_t)
+')
 can_udp_send(ypbind_t, initrc_t)
 
 # Read and write /var/yp.
--- orig/macros/program/x_client_macros.te
+++ mod/macros/program/x_client_macros.te
@@ -55,7 +55,9 @@
 # Use this type for files created in /tmp.
 file_type_auto_trans($1_$2_t, tmp_t, $1_$2_rw_t)
 
+ifdef(`xauth.te',`
 allow $1_$2_t $1_home_xauth_t:file { getattr read };
+')
 
 # Allow the user domain to relabel to or create files with this type
 # to provide the domain with write access to particular files.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2003-07-18 20:40 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-07-16  4:41 [patch] policy regression tester and various fixes Colin Walters
2003-07-18 20:39 ` Colin Walters

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.