[refpolicy] Testing in the Reference Policy

[pebenito@ieee.org (Chris PeBenito)]

On 08/24/16 18:14, Naftuli Tzvi Kay wrote:
> I was thinking of making a Vagrant environment where users can test
> their applications on a system running the currently checked out master
> of refpolicy. This will make it easier for me to update my policy for
> Syncthing for instance.
>
> In short, an environment to:
>  1. compile the reference policy
>  2. install it in the running kernel
>  3. install applications and do integration tests of the policy against
> actual running binaries when developing new policies for applications

Will you be including configuration/scripts for provisioning too?  How 
would the provisioning be done?  Shell scripts?



> On Wed, Aug 24, 2016 at 3:12 PM, Chris PeBenito <pebenito@ieee.org
> <mailto:pebenito@ieee.org>> wrote:
>
>     On 08/23/16 23:35, Naftuli Tzvi Kay via refpolicy wrote:
>
>         Don't worry, I'm not giving up :) It might just take a while
>         before I
>         have something working.
>
>         Would the reference policy ever be interested in having a Vagrant VM
>         setup for testing policy rules and everything? I'd be happy to
>         contribute that back upstream.
>
>
>     What kind of testing did you have in mind?  Just a compile/link test
>     or something more?  If it's just compile/link then the CI tests are
>     sufficient.
>
>
>         On Tue, Aug 23, 2016 at 2:36 AM, Dominick Grift
>         <dac.override at gmail.com <mailto:dac.override@gmail.com>
>         <mailto:dac.override at gmail.com <mailto:dac.override@gmail.com>>>
>         wrote:
>
>             On 08/22/2016 07:52 PM, Naftuli Tzvi Kay via refpolicy wrote:
>             > I'm currently working on a reference policy addition to
>         restrict access for
>             > a given application. Up until now, I've been testing my
>         application on a
>             > Fedora 24 Vagrant VM, compiling a non-base module and
>         loading it into the
>             > kernel, running, testing, auditing, etc.
>             >
>             > What I found is that I ended up using a lot of RedHat
>         specific downstream
>             > macros, which aren't supported here upstream.
>             >
>             > Is there a recommended way of testing reference policy
>         code? How can I
>             > alter my Fedora Vagrant VM setup to cover the use case I'm
>         after? Should I
>             > just compile the reference policy in my VM, relabel the
>         filesystem, and
>             > then reboot and load the reference policy into the kernel?
>             >
>             > My host OS is running Ubuntu 14.04, so it's not very
>         useful for debugging
>             > SELinux things; I once tried getting SELinux running on my
>         desktop
>             > <https://rfkrocktk.github.io/2015/12/selinux-on-ubuntu
>         <https://rfkrocktk.github.io/2015/12/selinux-on-ubuntu>
>             <https://rfkrocktk.github.io/2015/12/selinux-on-ubuntu
>         <https://rfkrocktk.github.io/2015/12/selinux-on-ubuntu>>>, but X
>         wouldn't
>             > start, etc. and I imagine the policy is pretty out of date.
>             >
>             > How can I create an environment in which I can test my
>         policy against the
>             > program I'm aiming to constrain? (Syncthing)
>             >
>             >
>
>             I spent the morning recording the full procedure of
>         developing for
>             refpolicy on fedora.
>
>             I start with installing refpolicy, enabling it. then it
>         write a simple
>             module on top of the installation. This is what one would do
>         when one
>             wants to write a module atop of refpolicy.
>
>             I encourage you to not give up and take this final step. You
>         are very
>             close, and your module so far is pretty good.
>
>             Learning how to do what is in the video is the final piece
>         in the puzzle
>             i think.
>
>             The video might be long but its comprehensive (the video
>         might still be
>             processing on youtube but it will become available shortly:
>
>             https://www.youtube.com/watch?v=XIyxW4qT0UM
>         <https://www.youtube.com/watch?v=XIyxW4qT0UM>
>             <https://www.youtube.com/watch?v=XIyxW4qT0UM
>         <https://www.youtube.com/watch?v=XIyxW4qT0UM>>
>
>             If you have any questions, then please do not hesitate to ask
>
>             >
>             > _______________________________________________
>             > refpolicy mailing list
>             > refpolicy at oss.tresys.com <mailto:refpolicy@oss.tresys.com>
>         <mailto:refpolicy at oss.tresys.com <mailto:refpolicy@oss.tresys.com>>
>             > http://oss.tresys.com/mailman/listinfo/refpolicy
>         <http://oss.tresys.com/mailman/listinfo/refpolicy>
>             <http://oss.tresys.com/mailman/listinfo/refpolicy
>         <http://oss.tresys.com/mailman/listinfo/refpolicy>>
>             >
>
>
>             --
>             Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D
>         2C7B 6B02
>
>         https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>         <https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02>
>
>         <https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>         <https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02>>
>             Dominick Grift
>
>
>
>
>         _______________________________________________
>         refpolicy mailing list
>         refpolicy at oss.tresys.com <mailto:refpolicy@oss.tresys.com>
>         http://oss.tresys.com/mailman/listinfo/refpolicy
>         <http://oss.tresys.com/mailman/listinfo/refpolicy>
>
>
>
>     --
>     Chris PeBenito
>
>


-- 
Chris PeBenito