Re: [LTP] regression: selinux testsuite broken since October

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Garrett Cooper <yanegomi@gmail.com>
Cc: Eric Paris <eparis@parisplace.org>,
	James Morris <jmorris@namei.org>,
	ltp-list@lists.sourceforge.net
Subject: Re: [LTP] regression: selinux testsuite broken since October
Date: Thu, 14 Jan 2010 17:31:20 -0500	[thread overview]
Message-ID: <1263508280.8548.82.camel@moss-pluto.epoch.ncsc.mil> (raw)
In-Reply-To: <1263506364.8548.74.camel@moss-pluto.epoch.ncsc.mil>

On Thu, 2010-01-14 at 16:59 -0500, Stephen Smalley wrote:
> On Thu, 2010-01-14 at 13:32 -0800, Garrett Cooper wrote:
> > On Thu, Jan 14, 2010 at 1:29 PM, Garrett Cooper <yanegomi@gmail.com> wrote:
> > > On Thu, Jan 14, 2010 at 12:44 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > >> On Thu, 2010-01-14 at 15:35 -0500, Stephen Smalley wrote:
> > >>> I guess I'm not being clear.  Most of the work presently done by 'load'
> > >>> can be done during make all/install.  In particular, everything except
> > >>> for running semodule -i can be done during make all, and then make
> > >>> install should just copy test_policy.pp (the output of make all) to
> > >>> the /opt/ltp tree.  Then test_selinux.sh only needs to run semodule
> > >>> -i /path/to/test_policy.pp before the tests and semodule -r test_policy
> > >>> afterward.  We can also avoid copying test_policy.te to the system
> > >>> policy devel directory altogether.  Something like this patch (and
> > >>> Makefile.selinux can then be removed altogether):
> > >>
> > >> Oops, wrong variable expansion syntax in test_selinux.sh.  Corrected
> > >> patch is below.  This one actually runs ;)
> > >>
> > >> Index: testscripts/test_selinux.sh
> > >> ===================================================================
> > >> RCS file: /cvsroot/ltp/ltp/testscripts/test_selinux.sh,v
> > >> retrieving revision 1.15
> > >> diff -u -r1.15 test_selinux.sh
> > >> --- testscripts/test_selinux.sh 13 Jan 2010 18:50:53 -0000      1.15
> > >> +++ testscripts/test_selinux.sh 14 Jan 2010 20:41:22 -0000
> > >> @@ -89,11 +89,10 @@
> > >>  config_allow_domain_fd_use 0
> > >>
> > >>  # build and install the test policy...
> > >> -echo "building and installing test_policy module..."
> > >> -cd $POLICYDIR
> > >> -make load
> > >> +echo "installing test_policy module..."
> > >> +$SEMODULE -i $POLICYDIR/test_policy.pp
> > >>  if [ $? != 0 ]; then
> > >> -       echo "Failed to build and load test_policy module, aborting test run."
> > >> +       echo "Failed to install load test_policy module, aborting test run."
> > >>        config_unset_expandcheck
> > >>        exit 1
> > >>  else
> > >> @@ -126,8 +125,7 @@
> > >>  /usr/bin/chcon -t $SAVEBINTYPE $LTPROOT/testcases/bin
> > >>
> > >>  echo "Removing test_policy module..."
> > >> -cd $POLICYDIR
> > >> -make cleanup 2>&1
> > >> +$SEMODULE -r test_policy
> > >>  if [ $? != 0 ]; then
> > >>        echo "Failed to remove test_policy module."
> > >>        exit 1
> > >> Index: testcases/kernel/security/selinux-testsuite/refpolicy/Makefile
> > >> ===================================================================
> > >> RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile,v
> > >> retrieving revision 1.17
> > >> diff -u -r1.17 Makefile
> > >> --- testcases/kernel/security/selinux-testsuite/refpolicy/Makefile      14 Jan 2010 12:40:58 -0000      1.17
> > >> +++ testcases/kernel/security/selinux-testsuite/refpolicy/Makefile      14 Jan 2010 20:41:22 -0000
> > >> @@ -39,10 +39,11 @@
> > >>
> > >>  CHECKPOLICY            ?= $(DESTDIR)/usr/bin/checkpolicy
> > >>  CHECKPOLICY_VERS       ?= $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
> > >> +POLICY_DEVEL_DIR       ?= $(DESTDIR)/usr/share/selinux/devel
> > >>
> > >>  INSTALL_DIR            := testcases/kernel/security/selinux-testsuite/refpolicy
> > >>
> > >> -INSTALL_TARGETS                := Makefile.selinux
> > >> +INSTALL_TARGETS                := test_policy.pp
> > >>
> > >>  TEST_POLICY_DIR                := $(abs_srcdir)/policy_files
> > >>
> > >> @@ -63,8 +64,17 @@
> > >>  POLICY_FILES           := test_global.te \
> > >>                           $(filter-out test_global.te,$(notdir $(wildcard $(TEST_POLICY_DIR)/*.te)))
> > >>
> > >> +all: test_policy.pp
> > >> +
> > >> +test_policy.pp: test_policy.te
> > >> +       @set -e; if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
> > >> +           $(MAKE) -f $(POLICY_DEVEL_DIR)/Makefile test_policy.pp; \
> > >> +       else \
> > >> +            echo "ERROR: You must have selinux-policy?-devel? installed."; \
> > >> +           false; \
> > >> +       fi
> > >> +
> > >>  test_policy.te: $(addprefix $(TEST_POLICY_DIR)/,$(POLICY_FILES))
> > >>        (cd "$(TEST_POLICY_DIR)" && cat $(POLICY_FILES)) > $@
> > >>
> > >>  include $(top_srcdir)/include/mk/generic_leaf_target.mk
> > >> -include $(abs_srcdir)/Makefile.selinux
> > >
> > > Cool! This is a lot easier than I originally thought it would be.
> > >
> > > Everything specified with all should be specified instead with the
> > 
> > s/Everything specified with all/All dependencies of all/
> > 
> > MAKE_TARGETS variable. This is because it adds everything in
> > > MAKE_TARGETS to variables (CLEAN_TARGETS, INSTALL_TARGETS), which then
> > > handle it appropriately via clean and install.
> > >
> > > All I have to do after this is resolve the (semodule?) security bit
> > > enabling for the tests, and we'll be in good shape for all build,
> > > install, and test scenarios with selinux.
> 
> Further diff on top of the prior one to resolve a few remaining issues
> in getting the tests to pass.  With these two patches, all tests appear
> to pass on Fedora 12.
> 
> Things that remain unresolved:
> - RHEL4 support.  Is RHEL4 to be supported still by ltp, given
> dependencies?  RHEL4 has been using the test policy under policy/ and
> has a different build/load process.
> - Running individual tests manually.  As described in the
> selinux-testsuite README, it used to be possible to run individual tests
> via tests/runtest.sh in order to more easily hunt down specific failures
> and get more verbose output than we get from any of the results/* files.

Possibly we should just extend test_selinux.sh to handle the individual
test execution case as well, since it already has the setup and cleanup
logic.  If the caller passes a specific test on the command line to it,
it can just execute that one outside of pan.  That would avoid
duplication with runtest.sh.

-- 
Stephen Smalley
National Security Agency

------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list