Re: [LTP] regression: selinux testsuite broken since October

From: Garrett Cooper <yanegomi@gmail.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>,
	Eric Paris <eparis@parisplace.org>,
	ltp-list@lists.sourceforge.net
Subject: Re: [LTP] regression: selinux testsuite broken since October
Date: Tue, 12 Jan 2010 09:24:07 -0800	[thread overview]
Message-ID: <364299f41001120924x7432d67h770e591e32490a6b@mail.gmail.com> (raw)
In-Reply-To: <364299f41001120919w3b56bfefoc5b7a1e6a4e96f1@mail.gmail.com>

On Tue, Jan 12, 2010 at 9:19 AM, Garrett Cooper <yanegomi@gmail.com> wrote:
> On Tue, Jan 12, 2010 at 8:55 AM, Garrett Cooper <yanegomi@gmail.com> wrote:
>> On Tue, Jan 12, 2010 at 5:16 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On Mon, 2010-01-11 at 15:31 -0600, Serge E. Hallyn wrote:
>>>> Quoting Serge E. Hallyn (serue@us.ibm.com):
>>>> > Quoting Serge E. Hallyn (serue@us.ibm.com):
>>>> > > Quoting Serge E. Hallyn (serue@us.ibm.com):
>>>> > > > Quoting Stephen Smalley (sds@tycho.nsa.gov):
>>>> > > > > On Mon, 2010-01-11 at 13:50 -0600, Serge E. Hallyn wrote:
>>>> > > > > > > Fails with:
>>>> > > > > > > cp: cannot stat
>>>> > > > > > > `/home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/policy_files/generic/test_policy.*': No such file or directory
>>>> > > > > >
>>>> > > > > > You ran /home/sds/ltp/testscripts/test_selinux.sh, right?
>>>> > > > > >
>>>> > > > > > I think we are supposed to actually be running
>>>> > > > > > /opt/ltp/testscripts/test_selinux.sh.  So then the first question for
>>>> > > > > > Garrett is how should we deduce /home/sds/ltp as $LTP_SRCDIR from a
>>>> > > > > > testscript?  Or should the policy sources be copied into /opt?
>>>> > > > >
>>>> > > > > Ok, but regardless:  the refpolicy Makefile is still broken.
>>>> > > >
>>>> > > > Yup.
>>>> > >
>>>> > > All right, baby-steps.
>>>> > >
>>>> > > The attached test_selinux.diff is not to be applied, but something
>>>> > > like it is needed.  Should we have the ltp 'make install' fill in
>>>> > > TOP_SRCDIR in /opt/ltp/testscripts/test_selinux.sh?  BTW, Garrett,
>>>> > > that is the issue I was saying is shared between test_selinux.sh
>>>> > > and some others including test_robind.sh.  That's why I'm not just
>>>> > > sending a patch to make it work, bc i think we need more general
>>>> > > guidance.
>>>> > >
>>>> > > The second match makes the 'make load' part of test_selinux.sh
>>>> > > succeed on rhel5.4.  Stephen, how does it do on fedora?
>>>> > >
>>>> > > After loading policy it fails to execute ltp-pan, but I figure let's
>>>> > > get policy loading working first.
>>>>
>>>> All right well just doing
>>>>
>>>> --- /root/ltp_cvs_orig/ltp/testscripts/test_selinux.sh        2009-05-19 05:39:11.000000000 -0400
>>>> +++ /opt/ltp/testscripts/test_selinux.sh      2010-01-11 16:26:12.000000000 -0500
>>>> @@ -115,7 +117,7 @@
>>>>  SAVEBINTYPE=`ls -Zd $LTPROOT/testcases/bin | awk '{ print $4 }' | awk -F: '{ print $3 }'`
>>>>  /usr/bin/chcon -t test_file_t $LTPROOT/testcases/bin
>>>>
>>>> -$LTPROOT/pan/ltp-pan -S -a $LTPROOT/results/selinux -n ltp-selinux -l $LTPROOT/results/selinux.logfile -o $LTPROOT/results/selinux.outfile -p -f $LTPROOT/runtest/selinux
>>>> +$LTPROOT/bin/ltp-pan -S -a $LTPROOT/results/selinux -n ltp-selinux -l $LTPROOT/results/selinux.logfile -o $LTPROOT/results/selinux.outfile -p -f $LTPROOT/runtest/selinux
>>>>
>>>>  # cleanup before exiting
>>>>
>>>> ================================================================
>>>> in test_selinux.sh makes the testsuite mostly pass (test 39 fails, all
>>>> up to then pass)
>>>>
>>>> Again this is on RHEL5.4.
>>>
>>> test39 isn't supposed to be run on RHEL5.4.
>>> The old tests/Makefile had conditional logic to exclude certain tests on
>>> RHEL4 and on RHEL5, as their kernels wouldn't support newer tests.
>>
>>
>> Something that fell through the cracks because I didn't take the time
>> to actually determine _what_ the requirements were for the tests so
>> they would report configuration failure instead of failure. Please try
>> this (I properly pasted it this time instead of using my xterm window
>> and paste):
>>
>> Index: tests/Makefile
>> ===================================================================
>> RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/tests/Makefile,v
>> retrieving revision 1.7
>> diff -u -r1.7 Makefile
>> --- tests/Makefile      9 Oct 2009 17:55:51 -0000       1.7
>> +++ tests/Makefile      12 Jan 2010 16:53:57 -0000
>> @@ -24,11 +24,26 @@
>>
>>  include        $(top_srcdir)/include/mk/env_pre.mk
>>
>> -RECURSIVE_TARGETS      := install
>> +ARGS                   = -m
>> +# Don't want to pass the -d option unless DESTDIR is a non-zero length string.
>> +ifneq ($(strip $(DESTDIR)),)
>> +ARGS                   += -d $(DESTDIR)
>> +endif
>>
>> -include $(top_srcdir)/include/mk/generic_trunk_target.mk
>> +DISTRO_VER             := $(shell $(top_srcdir)/scripts/detect_distro.sh $(ARGS))
>> +
>> +#
>> +# Certain tests should be excluded on RHEL [45].x as their kernels don't
>> +# support the tests.
>> +#
>> +# XXX (garrcoop): actually complete the work to add proper checks to the tests
>> +# to report TCONF on configuration failure.
>> +#
>> +ifneq ($(findstring $(DISTRO_VER),redhat-4 redhat-5),)
>> +FILTER_OUT_DIRS                += dyntrace dyntrans
>> +endif
>> +ifeq (redhat-4,$(DISTRO_VER))
>> +FILTER_OUT_DIRS                += bounds
>> +endif
>>
>> -all:
>> -       @set -e; for i in $(SUBDIRS); do \
>> -           $(MAKE) -C $$i $@; \
>> -       done
>> +include $(top_srcdir)/include/mk/generic_trunk_target.mk
>>
>
> The conditional checks didn't make sense with what Stephen mentioned
> above to you Serge, so I respun the diff:
>
> Index: tests/Makefile
> ===================================================================
> RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/tests/Makefile,v
> retrieving revision 1.7
> diff -u -r1.7 Makefile
> --- tests/Makefile      9 Oct 2009 17:55:51 -0000       1.7
> +++ tests/Makefile      12 Jan 2010 17:16:09 -0000
> @@ -24,11 +24,28 @@
>
>  include        $(top_srcdir)/include/mk/env_pre.mk
>
> -RECURSIVE_TARGETS      := install
> +ARGS                   = -m
> +# Don't want to pass the -d option unless DESTDIR is a non-zero length string.
> +ifneq ($(strip $(DESTDIR)),)
> +ARGS                   += -d $(DESTDIR)
> +endif
>
> -include $(top_srcdir)/include/mk/generic_trunk_target.mk
> +DISTRO_VER             := $(shell $(top_srcdir)/scripts/detect_distro.sh $(ARGS))
> +
> +#
> +# Certain tests should be excluded on RHEL [45].x as their kernels don't
> +# support the tests.
> +#
> +# XXX (garrcoop): actually complete the work to add proper checks to the tests
> +# to report TCONF on configuration failure.
>
> -all:
> -       @set -e; for i in $(SUBDIRS); do \
> -           $(MAKE) -C $$i $@; \
> -       done
> +# RHEL 4.x doesn't support the dyntrace and dyntrans tests.
> +ifneq ($(findstring $(DISTRO_VER),redhat-4),)
> +FILTER_OUT_DIRS                += dyntrace dyntrans
> +endif
> +# RHEL 5.x doesn't support the bounds test.
> +ifeq (redhat-5,$(DISTRO_VER))
> +FILTER_OUT_DIRS                += bounds
> +endif

Man, my brain's a bit groggy this morning. The previous conditional
was correct -- the directories / versions to filter out were just
flip-flopped -_-. If you do:

+# RHEL 4.x and 5.x don't support the bounds test.
+ifneq ($(findstring $(DISTRO_VER),redhat-4 redhat-5),)
+FILTER_OUT_DIRS                += bounds
+endif
+# RHEL 4.x doesn't support the dyntrace and dyntrans tests.
+ifeq (redhat-4,$(DISTRO_VER))
+FILTER_OUT_DIRS                += dyntrace dyntrans
+endif

That should end up with the final desired result.

> +include $(top_srcdir)/include/mk/generic_trunk_target.mk
>
> Also, if you guys can try out this patch for refpolicy/Makefile, I'd
> prefer to check it in (it unifies the RHEL 4.x and `generic' refpolicy
> Make logic):
>
> Index: refpolicy/Makefile
> ===================================================================
> RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile,v
> retrieving revision 1.12
> diff -u -r1.12 Makefile
> --- refpolicy/Makefile  8 Jan 2010 09:39:20 -0000       1.12
> +++ refpolicy/Makefile  12 Jan 2010 17:17:27 -0000
> @@ -17,7 +17,7 @@
>  #    with this program; if not, write to the Free Software Foundation, Inc.,
>  #    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>  #
> -# Garrett Cooper, August 2009
> +# Garrett Cooper, January 2010
>  #
>
>  top_srcdir             ?= ../../../../..
> @@ -32,6 +32,7 @@
>
>  DISTRO_VER             := $(shell $(top_srcdir)/scripts/detect_distro.sh $(ARGS))
>
> +# Avoid empty strings.
>  ifeq ($(strip $(DISTRO_VER)),)
>  DISTRO_VER             := generic
>  endif
> @@ -41,10 +42,17 @@
>  POLICY_DEVEL_DIR       ?= $(DESTDIR)/usr/share/selinux/devel
>  SEMODULE               ?= $(DESTDIR)/usr/sbin/semodule
>
> -INSTALL_DIR            := testcases/kernel/security/selinux-testsuite
> +INSTALL_DIR            := testcases/selinux-testsuite/refpolicy
>
>  TEST_POLICY_DIR                := $(abs_srcdir)/policy_files
>
> +# Do we have a special set of policies in the SCM to install?
> +ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/),)
> +TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/$(DISTRO_VER)
> +else
> +TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
> +endif
> +
>  .PHONY: all clean cleanup install load
>
>  CLEAN_DEPS             := cleanup
> @@ -55,34 +63,24 @@
>        -$(SEMODULE) -r test_policy
>        $(RM) -f $(POLICY_DEVEL_DIR)/test_policy.* test_policy.te
>
> -ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/Makefile),)
> -MAKE_TARGETS           :=
> -
> -TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/$(DISTRO_VER)
> -
> -# load remains for backwards compatibility...
> -load:
> -       $(MAKE) -C $(TEST_POLICY_DIR)
> -else
> -
>  MAKE_TARGETS           := test_policy.te
>
> -TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
> -
> -POLICY_FILES           := test_global.te $(filter-out test_global.te,$(notdir
> $(wildcard $(TEST_POLICY_DIR)/*.te)))
> -
>  ifneq ($(CHECKPOLICY_VERS),24)
>  POLICY_FILES           := $(filter-out test_bounds.te,$(POLICY_FILES))
>  endif
>
> +# This is being done to preserve precedence; test_global.te must come first.
> +POLICY_FILES           := test_global.te \
> +                          $(filter-out test_global.te,$(notdir $(wildcard
> $(TEST_POLICY_DIR)/*.te)))
> +
>  load:
> -       @if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
> -           cp -p $(TEST_POLICY_DIR)/test_policy.* $(POLICY_DEVEL_DIR); \
> +       @set -e; if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
> +           cp -p test_policy.* $(POLICY_DEVEL_DIR); \
>            $(MAKE) -C $(POLICY_DEVEL_DIR) clean; \
>            $(MAKE) -C $(POLICY_DEVEL_DIR) test_policy.pp; \
>            $(SEMODULE) -i $(POLICY_DEVEL_DIR)/test_policy.pp; \
>        else \
> -            echo "ERROR: You must have selinux-policy-devel installed."; \
> +            echo "ERROR: You must have selinux-policy?-devel? installed."; \
>            false; \
>        fi
>

------------------------------------------------------------------------------
This SF.Net email is sponsored by the Verizon Developer Community
Take advantage of Verizon's best-in-class app development support
A streamlined, 14 day to market process makes app distribution fast and easy
Join now and get one step closer to millions of Verizon customers
http://p.sf.net/sfu/verizon-dev2dev 
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list