From: Garrett Cooper <yanegomi@gmail.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>,
	Eric Paris <eparis@parisplace.org>,
	ltp-list@lists.sourceforge.net
Subject: Re: [LTP] regression: selinux testsuite broken since October
Date: Tue, 12 Jan 2010 22:54:17 -0800
Message-ID: <364299f41001122254o557f376fx146f3f22b728ac3e@mail.gmail.com>
In-Reply-To: <364299f41001122251v49ec2743j6c57ada7bd6eaf3f@mail.gmail.com>

On Tue, Jan 12, 2010 at 10:51 PM, Garrett Cooper <yanegomi@gmail.com> wrote:
> On Tue, Jan 12, 2010 at 11:12 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On Tue, 2010-01-12 at 09:26 -0800, Garrett Cooper wrote:
>>> > Also, if you guys can try out this patch for refpolicy/Makefile, I'd
>>> > prefer to check it in (it unifies the RHEL 4.x and `generic' refpolicy
>>> > Make logic):
>>> >
>>> > Index: refpolicy/Makefile
>>> > ===================================================================
>>> > RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile,v
>>> > retrieving revision 1.12
>>> > diff -u -r1.12 Makefile
>>> > --- refpolicy/Makefile  8 Jan 2010 09:39:20 -0000       1.12
>>> > +++ refpolicy/Makefile  12 Jan 2010 17:17:27 -0000
>>> > @@ -17,7 +17,7 @@
>>> >  #    with this program; if not, write to the Free Software Foundation, Inc.,
>>> >  #    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>>> >  #
>>> > -# Garrett Cooper, August 2009
>>> > +# Garrett Cooper, January 2010
>>> >  #
>>> >
>>> >  top_srcdir             ?= ../../../../..
>>> > @@ -32,6 +32,7 @@
>>> >
>>> >  DISTRO_VER             := $(shell $(top_srcdir)/scripts/detect_distro.sh $(ARGS))
>>> >
>>> > +# Avoid empty strings.
>>> >  ifeq ($(strip $(DISTRO_VER)),)
>>> >  DISTRO_VER             := generic
>>> >  endif
>>> > @@ -41,10 +42,17 @@
>>> >  POLICY_DEVEL_DIR       ?= $(DESTDIR)/usr/share/selinux/devel
>>> >  SEMODULE               ?= $(DESTDIR)/usr/sbin/semodule
>>> >
>>> > -INSTALL_DIR            := testcases/kernel/security/selinux-testsuite
>>> > +INSTALL_DIR            := testcases/selinux-testsuite/refpolicy
>>> >
>>> >  TEST_POLICY_DIR                := $(abs_srcdir)/policy_files
>>> >
>>> > +# Do we have a special set of policies in the SCM to install?
>>> > +ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/),)
>>> > +TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/$(DISTRO_VER)
>>> > +else
>>> > +TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
>>> > +endif
>>> > +
>>> >  .PHONY: all clean cleanup install load
>>> >
>>> >  CLEAN_DEPS             := cleanup
>>> > @@ -55,34 +63,24 @@
>>> >        -$(SEMODULE) -r test_policy
>>> >        $(RM) -f $(POLICY_DEVEL_DIR)/test_policy.* test_policy.te
>>> >
>>> > -ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/Makefile),)
>>> > -MAKE_TARGETS           :=
>>> > -
>>> > -TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/$(DISTRO_VER)
>>> > -
>>> > -# load remains for backwards compatibility...
>>> > -load:
>>> > -       $(MAKE) -C $(TEST_POLICY_DIR)
>>> > -else
>>> > -
>>> >  MAKE_TARGETS           := test_policy.te
>>> >
>>> > -TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
>>> > -
>>> > -POLICY_FILES           := test_global.te $(filter-out test_global.te,$(notdir
>>> > $(wildcard $(TEST_POLICY_DIR)/*.te)))
>>> > -
>>> >  ifneq ($(CHECKPOLICY_VERS),24)
>>> >  POLICY_FILES           := $(filter-out test_bounds.te,$(POLICY_FILES))
>>> >  endif
>>> >
>>> > +# This is being done to preserve precedence; test_global.te must come first.
>>> > +POLICY_FILES           := test_global.te \
>>> > +                          $(filter-out test_global.te,$(notdir $(wildcard
>>> > $(TEST_POLICY_DIR)/*.te)))
>>> > +
>>> >  load:
>>> > -       @if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
>>> > -           cp -p $(TEST_POLICY_DIR)/test_policy.* $(POLICY_DEVEL_DIR); \
>>> > +       @set -e; if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
>>> > +           cp -p test_policy.* $(POLICY_DEVEL_DIR); \
>>> >            $(MAKE) -C $(POLICY_DEVEL_DIR) clean; \
>>> >            $(MAKE) -C $(POLICY_DEVEL_DIR) test_policy.pp; \
>>> >            $(SEMODULE) -i $(POLICY_DEVEL_DIR)/test_policy.pp; \
>>> >        else \
>>> > -            echo "ERROR: You must have selinux-policy-devel installed."; \
>>> > +            echo "ERROR: You must have selinux-policy?-devel? installed."; \
>>> >            false; \
>>> >        fi
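
Review bot: The `ifneq ($(CHECKPOLICY_VERS),24)` filter now runs before
`POLICY_FILES` is defined, and the `:=` assignment added just below it
rebuilds the list from the wildcard, so `test_bounds.te` is never filtered
out whatever the checkpolicy version. Move the new
`POLICY_FILES := test_global.te ...` assignment above the `ifneq` block.
Two smaller points in the same hunk: the removed `ifneq`/`else` pair needs
its closing `endif` removed in the same change (the stray one mentioned in
the follow-up), and `cp -p test_policy.*` now copies from the current
directory instead of `$(TEST_POLICY_DIR)`, so `load` silently depends on
`test_policy.te` having been generated there first; listing it as a
prerequisite of `load` would make that explicit.
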
>>>
>>> There's a stray endif on line 90 of refpolicy/Makefile that needs to
>>> be deleted as well, FYI...
>>
>> Ok.  test policy appears to build (on Fedora) when running make by hand
>> from the refpolicy directory, but you still can't run the tests, either
>> from /opt/ltp or from the source tree.
>>
>> # cd /opt/ltp/testscripts && ./test_selinux.sh
>> Running with security context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> /etc/selinux /opt/ltp
>> /opt/ltp
>> allow_domain_fd_use --> off
>> allow_domain_fd_use exists setting
>> building and installing test_policy module...
>> ./test_selinux.sh: line 92: cd: /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy: No such file or directory
>> make: *** No rule to make target `load'.  Stop.
>> Failed to build and load test_policy module, aborting test run.
>> /etc/selinux /opt/ltp
>> /opt/ltp
>>
>> # cd LTP_SRCDIR/testscripts && ./test_selinux.sh
>> Running with security context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> /etc/selinux /home/sds/ltp
>> /home/sds/ltp
>> allow_domain_fd_use --> off
>> allow_domain_fd_use exists setting
>> building and installing test_policy module...
>> make[1]: Entering directory `/usr/share/selinux/devel'
>> rm -fR tmp
>> rm -f *.pp
>> make[1]: Leaving directory `/usr/share/selinux/devel'
>> make[1]: Entering directory `/usr/share/selinux/devel'
>> Compiling targeted test_policy module
>> /usr/bin/checkmodule:  loading policy configuration from tmp/test_policy.tmp
>> /usr/bin/checkmodule:  policy configuration loaded
>> /usr/bin/checkmodule:  writing binary representation (version 10) to tmp/test_policy.mod
>> Creating targeted test_policy.pp policy package
>> rm tmp/test_policy.mod tmp/test_policy.mod.fc
>> make[1]: Leaving directory `/usr/share/selinux/devel'
>> Successfully built and loaded test_policy module.
>> /etc/selinux /home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
>> /home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
>> Running the SELinux testsuite...
>> ls: cannot access /home/sds/ltp/testcases/bin: No such file or directory
>> /usr/bin/chcon: cannot access `/home/sds/ltp/testcases/bin': No such file or directory
>> ./test_selinux.sh: line 119: /home/sds/ltp/bin/ltp-pan: No such file or directory
>> /usr/bin/chcon: missing operand
>> Try `/usr/bin/chcon --help' for more information.
>> Removing test_policy module...
>> /usr/sbin/semodule -r test_policy
>> rm -f -f /usr/share/selinux/devel/test_policy.* test_policy.te
>> allow_domain_fd_use --> off
>> allow_domain_fd_use exists setting
>> Done.
>>
>> Both test_selinux.sh and tests/runtest.sh need to be updated.
>>
>> --
>> Stephen Smalley
>> National Security Agency
>
>    Ok, next patch then... Let me know how this goes (I took a quick
> look and I didn't see anything suspicious in the test scripts
> themselves..).
> Thanks,
> -Garrett
>
> Index: tests/runtest.sh
> ===================================================================
> RCS file: /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/tests/runtest.sh,v
> retrieving revision 1.2
> diff -u -r1.2 runtest.sh
> --- tests/runtest.sh    6 Apr 2008 10:27:36 -0000       1.2
> +++ tests/runtest.sh    13 Jan 2010 06:49:48 -0000
> @@ -12,7 +12,7 @@
>  global_setup()
>  {
>        # Must be root to run the selinux testsuite
> -       if [ $UID != 0 ]
> +       if [ $(id -ru) -ne 0 ]
>        then
>                echo "FAILED: Must be root to execute this script"
>                exit 1
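
Review bot: In the root check, `[ $(id -ru) -ne 0 ]` is an unquoted numeric
test, so if `id` prints nothing the expression is malformed, `[` returns an
error, the `if` body is skipped and the script carries on as though it were
root. A quoted string comparison, `[ "$(id -ru)" != 0 ]`, fails closed in
that case. The same line is introduced in the test_selinux.sh patch.
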
> @@ -38,14 +38,14 @@
>                exit
>        fi
>
> -       # Save and later restore /tmp's type.
> +       # Save and later restore $TMP's type.
>        # We need to change it's type to work within test domain
> -       SAVETMPTYPE=`ls -Zd /tmp | awk '{ print $4 }' | awk -F: '{ print $3 }'`
> -       chcon -t test_file_t /tmp
> +       SAVETMPTYPE=`ls -Zd $TMP | awk '{ print $4 }' | awk -F: '{ print $3 }'`
> +       chcon -t test_file_t $TMP
>
> -       mkdir /tmp/selinux > /dev/null 2>&1
> -       chcon -t test_file_t /tmp/selinux
> -       export SELINUXTMPDIR=/tmp/selinux
> +       mkdir $TMP/selinux > /dev/null 2>&1
> +       chcon -t test_file_t $TMP/selinux
> +       export SELINUXTMPDIR=$TMP/selinux
>
>        # It seems LTP wants executables to reside in the
>        # $LTPROOT/testcases/bin directory. However, this directory
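
Review bot: `mkdir $TMP/selinux > /dev/null 2>&1` discards both the error
text and the exit status, so when `$TMP/selinux` already exists the script,
running as root, relabels it with `chcon` and exports it as `SELINUXTMPDIR`
without knowing who created it or what it contains. Now that `TMP` comes
from the environment, create the directory with
`mktemp -d "$TMP/selinux.XXXXXX"` (or abort when `mkdir` fails) and quote
`"$TMP"` in every command. `chcon -t test_file_t $TMP` also relabels
whatever directory the caller's `TMP` names, which deserves a sentence in
the comment above it.
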
> @@ -61,9 +61,9 @@
>  global_cleanup()
>  {
>
> -       # Restore original type of /tmp
> -       chcon -t $SAVETMPTYPE /tmp
> -       rm -rf /tmp/selinux
> +       # Restore original type of $TMP
> +       chcon -t $SAVETMPTYPE $TMP
> +       rm -rf $TMP/selinux
>
>        # Restore original type of .../testcases/bin directory
>        chcon -t $SAVEBINTYPE $LTPBIN
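
Review bot: `chcon -t $SAVETMPTYPE $TMP` in `global_cleanup` breaks when
`SAVETMPTYPE` is empty: the shell drops the empty word, `chcon` takes `$TMP`
as the type and has no file operand, and the directory is left labelled
`test_file_t`. The quoted run output shows the same failure mode
(`/usr/bin/chcon: missing operand`) after `ls` could not read
`testcases/bin`. Verify in `global_setup` that both saved types are
non-empty before changing any label, and quote the expansions here.
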
> @@ -71,6 +71,7 @@
>        exit 0
>  }
>
> +export TMP=${TMP:-/tmp}
>  global_setup
> -./$1/selinux_$1.sh
> +selinux_$1.sh
>  global_cleanup
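
Review bot: Replacing `./$1/selinux_$1.sh` with `selinux_$1.sh` turns a
fixed relative path into a `PATH` lookup inside a script that insists on
running as root, and none of the visible hunks of this file sets `PATH`.
Either call the script by full path (for example under
`$LTPROOT/testcases/bin`, which the setup comment names as the place LTP
wants executables) or document that the caller must already have that
directory in `PATH`. `$1` is also used unchecked; reject an empty argument
before `global_setup` changes any labels.
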
> Index: ../../../../testscripts/test_selinux.sh
> ===================================================================
> RCS file: /cvsroot/ltp/ltp/testscripts/test_selinux.sh,v
> retrieving revision 1.14
> diff -u -r1.14 test_selinux.sh
> --- ../../../../testscripts/test_selinux.sh     12 Jan 2010 08:35:59 -0000      1.14
> +++ ../../../../testscripts/test_selinux.sh     13 Jan 2010 06:49:48 -0000
> @@ -1,4 +1,4 @@
> -#!/bin/bash
> +#!/bin/sh
>  #
>  # Copyright (c) International Business Machines  Corp., 2005
>  #
> @@ -23,32 +23,33 @@
>  }
>
>  config_allow_domain_fd_use () {
> -    setval=$1
> -    /usr/sbin/getsebool allow_domain_fd_use
> -    getseRC=$?
> -    if [ "$getseRC" -eq "0" ]; then
> -       echo "allow_domain_fd_use exists setting"
> -       /usr/sbin/setsebool allow_domain_fd_use=$setval
> -    fi
> +       setval=$1
> +       if /usr/sbin/getsebool allow_domain_fd_use; then
> +               echo "allow_domain_fd_use exists setting"
> +               /usr/sbin/setsebool allow_domain_fd_use=$setval
> +       fi
>  }
>
>  # Must be root to run the selinux testsuite
> -if [ $UID != 0 ]
> +if [ $(id -ru) -ne 0 ]
>  then
>         echo "FAILED: Must be root to execute this script"
>         exit 1
>  fi
>
>  # set the LTPROOT directory
> -cd `dirname $0`
> -LTPROOT=${PWD}
> -TMP=${TMP:-/tmp}
> -echo $LTPROOT | grep testscripts > /dev/null 2>&1
> -if [ $? -eq 0 ]
> +LTPROOT=${LTPROOT:=${0%/*}}
> +cd "$LTPROOT"
> +export TMP=${TMP:-/tmp}
> +# If we're in the testscripts directory, go down a dir..
> +LTPROOT_TMP=${LTPROOT%/testscripts}
> +if [ "x${LTPROOT_TMP}" != "x${LTPROOT}" ]
>  then
>        cd ..
> -       LTPROOT=${PWD}
> +       LTPROOT=$LTPROOT_TMP
>  fi
> +export LTPROOT
> +unset LTPROOT_TMP
>
>  # set the PATH to include testcase/bin
>
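
Review bot: `LTPROOT=${LTPROOT:=${0%/*}}` does not reproduce the old
behaviour of changing to the script's directory and reading `${PWD}`. Run as
`./test_selinux.sh` from inside testscripts (as in the quoted report),
`${0%/*}` is `.`, the `%/testscripts` strip does not match, and `LTPROOT`
stays the relative path `.`, i.e. the testscripts directory rather than its
parent. Run as `sh test_selinux.sh`, `$0` has no slash, `${0%/*}` is the
script name itself, and the unchecked `cd "$LTPROOT"` fails. Resolve to an
absolute path first, for example
`LTPROOT=${LTPROOT:-$(cd "$(dirname "$0")" && pwd)}`, then strip
`/testscripts`, and stop if the `cd` fails.
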
> @@ -57,11 +58,8 @@
>
>  # We will store the logfiles in $LTPROOT/results, so make sure
>  # it exists.
> -if [ ! -d $LTPROOT/results ]
> -then
> -       /bin/mkdir $LTPROOT/results
> -fi
> -
> +test -d $LTPROOT/results || /bin/mkdir $LTPROOT/results
> +
>  # Check the role and mode testsuite is being executed under.
>
>  SELINUX_CONTEXT=`/usr/bin/id | sed 's/.* //'`
> @@ -78,10 +76,12 @@
>
>  SEMODULE="/usr/sbin/semodule"
>
> -if [ -f $SEMODULE ]; then
> -    POLICYDIR="$LTPROOT/testcases/selinux-testsuite/refpolicy"
> +POLICYDIR="$LTPROOT/testcases/kernel/security/selinux-testsuite"
> +
> +if [ -x $SEMODULE ]; then
> +       POLICYDIR="$POLICYDIR/refpolicy"
>  else
> -    POLICYDIR="$LTPROOT/testcases/selinux-testsuite/policy"
> +       POLICYDIR="$POLICYDIR/policy"
>  fi
>
>  config_set_expandcheck
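
Review bot: `POLICYDIR` is now rooted at
`testcases/kernel/security/selinux-testsuite`, but the refpolicy/Makefile
patch quoted earlier in this message sets
`INSTALL_DIR := testcases/selinux-testsuite/refpolicy`, so in an installed
tree the two paths disagree. The quoted /opt/ltp run fails at exactly this
point (`cd: /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy:
No such file or directory`). Settle on one layout and use it in both the
Makefile and this script, or have the script test for the directory and
report clearly when it is missing. The switch from `-f` to `-x` on
`$SEMODULE` is fine, though the expansion should be quoted.
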
> @@ -137,4 +137,3 @@
>
>  cd $LTPROOT
>  echo "Done."
> -exit 0
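
Review bot: Dropping the final `exit 0` leaves the script's status as that
of `echo "Done."`, which is still 0, so a failed test run is not reported
to the caller before or after this change. Capture the exit status of the
test run earlier in the script and exit with that value.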

    One other thing before I go off for a while ... I think it's a bad
idea to be invoking make as part of the test itself. Do you oppose the
idea of moving load and cleanup into proper Bourne shell scripts, and
then have them run as setup and teardown for the tests? That way: a)
folks can build and install everything into an LTP install tree
without being root, b) folks that have selinux support, but not make
tools can actually run the tests.
Thanks,
-Garrett

