From: Stephen Smalley
Date: Fri, 15 Jan 2010 09:17:31 -0500
Subject: Re: [LTP] regression: selinux testsuite broken since October
List-Id: Linux Test Project General Discussions
To: Garrett Cooper
Cc: Eric Paris, James Morris, ltp-list@lists.sourceforge.net

On Fri, 2010-01-15 at 09:11 -0500, Stephen Smalley wrote:
> On Thu, 2010-01-14 at 20:44 -0800, Garrett Cooper wrote:
> > On Thu, Jan 14, 2010 at 1:59 PM, Stephen Smalley wrote:
> > > On Thu, 2010-01-14 at 13:32 -0800, Garrett Cooper wrote:
> > >> On Thu, Jan 14, 2010 at 1:29 PM, Garrett Cooper wrote:
> > >> > On Thu, Jan 14, 2010 at 12:44 PM, Stephen Smalley wrote:
> > >> >> On Thu, 2010-01-14 at 15:35 -0500, Stephen Smalley wrote:
> > >> >>> I guess I'm not being clear. Most of the work presently done by 'load'
> > >> >>> can be done during make all/install.
In particular, everything except > > >> >>> for running semodule -i can be done during make all, and then make > > >> >>> install should just copy test_policy.pp (the output of make all) to > > >> >>> the /opt/ltp tree. Then test_selinux.sh only needs to run semodule > > >> >>> -i /path/to/test_policy.pp before the tests and semodule -r test_policy > > >> >>> afterward. We can also avoid copying test_policy.te to the system > > >> >>> policy devel directory altogether. Something like this patch (and > > >> >>> Makefile.selinux can then be removed altogether): > > >> >> > > >> >> Oops, wrong variable expansion syntax in test_selinux.sh. Corrected > > >> >> patch is below. This one actually runs ;) > > >> >> > > >> >> Index: testscripts/test_selinux.sh > > >> >> =================================================================== > > >> >> RCS file: /cvsroot/ltp/ltp/testscripts/test_selinux.sh,v > > >> >> retrieving revision 1.15 > > >> >> diff -u -r1.15 test_selinux.sh > > >> >> --- testscripts/test_selinux.sh 13 Jan 2010 18:50:53 -0000 1.15 > > >> >> +++ testscripts/test_selinux.sh 14 Jan 2010 20:41:22 -0000 > > >> >> @@ -89,11 +89,10 @@ > > >> >> config_allow_domain_fd_use 0 > > >> >> > > >> >> # build and install the test policy... > > >> >> -echo "building and installing test_policy module..." > > >> >> -cd $POLICYDIR > > >> >> -make load > > >> >> +echo "installing test_policy module..." > > >> >> +$SEMODULE -i $POLICYDIR/test_policy.pp > > >> >> if [ $? != 0 ]; then > > >> >> - echo "Failed to build and load test_policy module, aborting test run." > > >> >> + echo "Failed to install load test_policy module, aborting test run." > > >> >> config_unset_expandcheck > > >> >> exit 1 > > >> >> else 
> > >> >> @@ -126,8 +125,7 @@ > > >> >> /usr/bin/chcon -t $SAVEBINTYPE $LTPROOT/testcases/bin > > >> >> > > >> >> echo "Removing test_policy module..." > > >> >> -cd $POLICYDIR > > >> >> -make cleanup 2>&1 > > >> >> +$SEMODULE -r test_policy > > >> >> if [ $? != 0 ]; then > > >> >> echo "Failed to remove test_policy module." > > >> >> exit 1 > > >> >> Index: testcases/kernel/security/selinux-testsuite/refpolicy/Makefile > > >> >> =================================================================== > > >> >> RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile,v > > >> >> retrieving revision 1.17 > > >> >> diff -u -r1.17 Makefile > > >> >> --- testcases/kernel/security/selinux-testsuite/refpolicy/Makefile 14 Jan 2010 12:40:58 -0000 1.17 > > >> >> +++ testcases/kernel/security/selinux-testsuite/refpolicy/Makefile 14 Jan 2010 20:41:22 -0000 > > >> >> @@ -39,10 +39,11 @@ > > >> >> > > >> >> CHECKPOLICY ?= $(DESTDIR)/usr/bin/checkpolicy > > >> >> CHECKPOLICY_VERS ?= $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') > > >> >> +POLICY_DEVEL_DIR ?= $(DESTDIR)/usr/share/selinux/devel > > >> >> > > >> >> INSTALL_DIR := testcases/kernel/security/selinux-testsuite/refpolicy > > >> >> > > >> >> -INSTALL_TARGETS := Makefile.selinux > > >> >> +INSTALL_TARGETS := test_policy.pp > > >> >> > > >> >> TEST_POLICY_DIR := $(abs_srcdir)/policy_files > > 
>> >> > > >> >> @@ -63,8 +64,17 @@ > > >> >> POLICY_FILES := test_global.te \ > > >> >> $(filter-out test_global.te,$(notdir $(wildcard $(TEST_POLICY_DIR)/*.te))) > > >> >> > > >> >> +all: test_policy.pp > > >> >> + > > >> >> +test_policy.pp: test_policy.te > > >> >> + @set -e; if [ -d "$(POLICY_DEVEL_DIR)" ]; then \ > > >> >> + $(MAKE) -f $(POLICY_DEVEL_DIR)/Makefile test_policy.pp; \ > > >> >> + else \ > > >> >> + echo "ERROR: You must have selinux-policy?-devel? installed."; \ > > >> >> + false; \ > > >> >> + fi > > >> >> + > > >> >> test_policy.te: $(addprefix $(TEST_POLICY_DIR)/,$(POLICY_FILES)) > > >> >> (cd "$(TEST_POLICY_DIR)" && cat $(POLICY_FILES)) > $@ > > >> >> > > >> >> include $(top_srcdir)/include/mk/generic_leaf_target.mk > > >> >> -include $(abs_srcdir)/Makefile.selinux > > >> > > > >> > Cool! This is a lot easier than I originally thought it would be. > > >> > > > >> > Everything specified with all should be specified instead with the > > >> > > >> s/Everything specified with all/All dependencies of all/ > > >> > > >> MAKE_TARGETS variable. This is because it adds everything in > > >> > MAKE_TARGETS to variables (CLEAN_TARGETS, INSTALL_TARGETS), which then > > >> > handle it appropriately via clean and install. > > >> > > > >> > All I have to do after this is resolve the (semodule?) security bit > > >> > enabling for the tests, and we'll be in good shape for all build, > > >> > install, and test scenarios with selinux. > > > > > > Further diff on top of the prior one to resolve a few remaining issues > > > in getting the tests to pass. With these two patches, all tests appear > > > to pass on Fedora 12. > > > > > > Things that remain unresolved: > > > - RHEL4 support. Is RHEL4 to be supported still by ltp, given > > > dependencies? RHEL4 has been using the test policy under policy/ and > > > has a different build/load process. > > > - Running individual tests manually. 
As described in the > > > selinux-testsuite README, it used to be possible to run individual tests > > > via tests/runtest.sh in order to more easily hunt down specific failures > > > and get more verbose output than we get from any of the results/* files. > > > > > > diff -u testscripts/test_selinux.sh testscripts/test_selinux.sh > > > --- testscripts/test_selinux.sh 14 Jan 2010 20:41:22 -0000 > > > +++ testscripts/test_selinux.sh 14 Jan 2010 21:48:15 -0000 > > > @@ -113,7 +113,7 @@ > > > # The ../testcases/bin directory needs to have the test_file_t type. > > > # Save and restore later. > > > SAVEBINTYPE=`ls -Zd $LTPROOT/testcases/bin | awk '{ print $4 }' | awk -F: '{ print $3 }'` > > > -/usr/bin/chcon -t test_file_t $LTPROOT/testcases/bin > > > +/usr/bin/chcon -R -t test_file_t $LTPROOT/testcases/bin > > > > > > $LTPROOT/bin/ltp-pan -S -a $LTPROOT/results/selinux -n ltp-selinux -l $LTPROOT/results/selinux.logfile -o $LTPROOT/results/selinux.outfile -p -f $LTPROOT/runtest/selinux > > > > > > @@ -122,7 +122,7 @@ > > > rm -rf $TMP/selinux > > > > > > # Restore type of .../testcases/bin directory > > > -/usr/bin/chcon -t $SAVEBINTYPE $LTPROOT/testcases/bin > > > +/usr/bin/chcon -R -t $SAVEBINTYPE $LTPROOT/testcases/bin > > > > > > echo "Removing test_policy module..." > > > $SEMODULE -r test_policy > > > only in patch2: > > > unchanged: > > > --- testcases/kernel/security/selinux-testsuite/tests/file/selinux_file.sh 11 May 2009 06:39:46 -0000 1.7 > > > +++ testcases/kernel/security/selinux-testsuite/tests/file/selinux_file.sh 14 Jan 2010 21:48:15 -0000 > > > @@ -193,7 +193,7 @@ > > > fi > > > > > > # return to $LTPROOT directory > > > - cd ${PWD} > > > + cd ${SAVEPWD} > > > > > > return $RC > > > } > > > only in patch2: > > > unchanged: > > > --- testcases/kernel/security/selinux-testsuite/tests/inherit/Makefile 9 Oct 2009 17:55:51 -0000 1.2 > > > +++ testcases/kernel/security/selinux-testsuite/tests/inherit/Makefile 14 Jan 2010 21:48:15 -0000 
> > > @@ -25,8 +25,6 @@ > > > include $(top_srcdir)/include/mk/env_pre.mk > > > include $(abs_srcdir)/../Makefile.inc > > > > > > -LDFLAGS += -static > > > - > > > LDLIBS += -lselinux > > > > > > include $(top_srcdir)/include/mk/generic_leaf_target.mk > > > only in patch2: > > > unchanged: > > > --- testcases/kernel/security/selinux-testsuite/tests/inherit/selinux_inherit.sh 21 Apr 2009 09:39:58 -0000 1.4 > > > +++ testcases/kernel/security/selinux-testsuite/tests/inherit/selinux_inherit.sh 14 Jan 2010 21:48:15 -0000 > > > @@ -25,6 +25,7 @@ > > > > > > # run tests in $LTPROOT/testcases/bin directory > > > SAVEPWD=${PWD} > > > + LTPBIN=${LTPBIN:-$LTPROOT/testcases/bin} > > > cd ${LTPBIN} > > > CURRENTDIR="." > > > } 
> > > @@ -39,7 +40,7 @@ > > > # the test_file from test_inherit_parent_t. > > > # Should fail on fd use permission. > > > > > > - runcon -t test_inherit_parent_t -- selinux_inherit_parent test_inherit_nouse_t $SELINUXTMPDIR/test_file selinux_inherit_child 2>&1 > > > + runcon -t test_inherit_parent_t -- $CURRENTDIR/selinux_inherit_parent test_inherit_nouse_t $SELINUXTMPDIR/test_file $CURRENTDIR/selinux_inherit_child 2>&1 > > > RC=$? > > > if [ $RC -ne 0 ] > > > then
> >
> > Ok -- the rest of this has been committed -- please let me know
> > how everything goes tomorrow!
>
> It seems rather broken. Specifically:
> - policy/Makefile and refpolicy/Makefile still contain references to
> Makefile.selinux.
> - test_selinux.sh seems to have a wrong notion of LTPROOT and/or to be
> running in the wrong cwd and thus cannot execute pan and friends. It
> also cannot both cd to $POLICYDIR and still use $POLICYDIR in the path
> to test_policy.pp.

If you have a working Fedora VM, you really ought to be able to run this
yourself there without any special setup - SELinux is enabled by default
in Fedora and should work out of the box.

--
Stephen Smalley
National Security Agency
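
Review bot: in the @@ -89,11 +89,10 @@ hunk of testscripts/test_selinux.sh, the new failure message reads "Failed to install load test_policy module", with a leftover "load"; drop that word. On the line above it, $POLICYDIR is expanded unquoted in the semodule -i argument, so quoting "$POLICYDIR/test_policy.pp" and checking that the file exists before calling $SEMODULE would give a clearer failure when the module was never built or installed.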
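
Review bot: in the @@ -39,10 +39,11 @@ hunk of refpolicy/Makefile, POLICY_DEVEL_DIR is prefixed with $(DESTDIR), but the rule added in the next hunk uses it at build time to locate the policy development Makefile. If DESTDIR is set to a staging directory, the build looks for usr/share/selinux/devel inside the staging tree and fails the directory test. Consider defaulting to /usr/share/selinux/devel without the prefix, or document that DESTDIR is expected to be the root that holds the build tools (CHECKPOLICY in the context lines has the same dependence).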
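
Review bot: in the @@ -63,8 +64,17 @@ hunk of refpolicy/Makefile, the error text "You must have selinux-policy?-devel? installed." does not say what was actually checked; print $(POLICY_DEVEL_DIR) in the message so a user whose development files live elsewhere knows which variable to override. $(POLICY_DEVEL_DIR) is also quoted in the -d test but unquoted in the $(MAKE) -f argument, and the hunk adds no clean handling for the generated test_policy.pp, which the MAKE_TARGETS suggestion in the reply would cover.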
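
Review bot: in the @@ -122,7 +122,7 @@ hunk of the follow-up test_selinux.sh diff, chcon -R -t $SAVEBINTYPE relabels every file under $LTPROOT/testcases/bin with the single type that was saved from the directory itself (SAVEBINTYPE comes from ls -Zd in the previous hunk). Any file below it that had a different type before the run ends up with the directory's type, so this is no longer a restore. Either record the original labels per file before the recursive relabel, or restore from the policy's file contexts (for example with restorecon -R) instead of reusing one saved type. $SAVEBINTYPE should also be quoted and checked for being non-empty, since it is parsed out of ls output.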
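
Review bot: in the selinux_file.sh hunk (@@ -193,7 +193,7 @@), cd ${SAVEPWD} is unquoted and its result is not checked, and the visible lines do not show where SAVEPWD is assigned in this script. If it is empty, cd with no argument changes to the home directory rather than back to $LTPROOT as the comment says. Quote the variable and confirm that the setup function saves it, as selinux_inherit.sh does with SAVEPWD=${PWD}.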
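
Review bot: in the selinux_inherit.sh hunk (@@ -25,6 +25,7 @@), the cd ${LTPBIN} that follows the new default is not checked. The next hunk runs $CURRENTDIR/selinux_inherit_parent with CURRENTDIR=".", so if LTPROOT is unset or wrong and the cd fails, the test executes whatever ./selinux_inherit_parent exists in the caller's working directory, or fails for a reason unrelated to policy. Quote the path and abort setup when the cd fails, for example cd "${LTPBIN}" || return 1.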