[refpolicy] [PATCH] Fix the Reference Policy integration with the SELinux testsuite

[refpolicy] [PATCH] Fix the Reference Policy integration with the SELinux testsuite

[Guido Trentalancia]

The SELinux testsuite expects the Makefile.devel file to be installed
in the top level share directory and not in its include subdirectory.

Such file is installed by the Makefile target "install-headers".

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 Makefile |    2 ++
 1 file changed, 2 insertions(+)

--- refpolicy-git-06082016-orig/Makefile	2016-08-06 21:26:43.257773849 +0200
+++ refpolicy-git-06082016/Makefile	2016-08-24 15:33:34.936218176 +0200
@@ -70,6 +70,7 @@ SECHECK ?= $(BINDIR)/sechecker
 AWK ?= gawk
 GREP ?= egrep
 INSTALL ?= install
+LN ?= ln
 M4 ?= m4
 PYTHON ?= python
 SED ?= sed
@@ -532,6 +533,7 @@ endif
 	$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
 	$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
 	$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
+	$(verbose) $(LN) -sf $(headerdir)/Makefile $(modpkgdir)/Makefile
 
 ########################################
 #

[refpolicy] [PATCH] Fix the Reference Policy integration with the SELinux testsuite

[Chris PeBenito]

On 08/24/16 09:39, Guido Trentalancia via refpolicy wrote:
> The SELinux testsuite expects the Makefile.devel file to be installed
> in the top level share directory and not in its include subdirectory.
>
> Such file is installed by the Makefile target "install-headers".
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  Makefile |    2 ++
>  1 file changed, 2 insertions(+)
>
> --- refpolicy-git-06082016-orig/Makefile	2016-08-06 21:26:43.257773849 +0200
> +++ refpolicy-git-06082016/Makefile	2016-08-24 15:33:34.936218176 +0200
> @@ -70,6 +70,7 @@ SECHECK ?= $(BINDIR)/sechecker
>  AWK ?= gawk
>  GREP ?= egrep
>  INSTALL ?= install
> +LN ?= ln
>  M4 ?= m4
>  PYTHON ?= python
>  SED ?= sed
> @@ -532,6 +533,7 @@ endif
>  	$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >> $(headerdir)/build.conf
>  	$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >> $(headerdir)/build.conf
>  	$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel $(headerdir)/Makefile
> +	$(verbose) $(LN) -sf $(headerdir)/Makefile $(modpkgdir)/Makefile

I think instead we should update the header install structure to be in 
line with what the distributions have done for years, i.e. install into 
/usr/share/selinux/devel.

-- 
Chris PeBenito

[refpolicy] [PATCH] Fix the Reference Policy integration with the SELinux testsuite

[Guido Trentalancia]

Hello Christopher! 

Thanks for getting back. 

We can change the destination directory from <policy_name> to "devel", keep the Makefile in the "include" subdirectory (they also have such subdirectory) and create a symbolic link to it in the parent directory (i.e. "devel").

As far as I remember, the SELinux testsuite only sources some variables from the Makefile, it doesn't run it through make. 

On the other end, removing it from the "include" subdirectory at the moment, might break something, I suppose. 

Should I create a patch or what? 

Regards, 

Guido 

On the 26th of August 2016 00:36:40 CEST, Chris PeBenito <pebenito@ieee.org> wrote:
>On 08/24/16 09:39, Guido Trentalancia via refpolicy wrote:
>> The SELinux testsuite expects the Makefile.devel file to be installed
>> in the top level share directory and not in its include subdirectory.
>>
>> Such file is installed by the Makefile target "install-headers".
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  Makefile |    2 ++
>>  1 file changed, 2 insertions(+)
>>
>> --- refpolicy-git-06082016-orig/Makefile	2016-08-06
>21:26:43.257773849 +0200
>> +++ refpolicy-git-06082016/Makefile	2016-08-24 15:33:34.936218176
>+0200
>> @@ -70,6 +70,7 @@ SECHECK ?= $(BINDIR)/sechecker
>>  AWK ?= gawk
>>  GREP ?= egrep
>>  INSTALL ?= install
>> +LN ?= ln
>>  M4 ?= m4
>>  PYTHON ?= python
>>  SED ?= sed
>> @@ -532,6 +533,7 @@ endif
>>  	$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >>
>$(headerdir)/build.conf
>>  	$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >>
>$(headerdir)/build.conf
>>  	$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel
>$(headerdir)/Makefile
>> +	$(verbose) $(LN) -sf $(headerdir)/Makefile $(modpkgdir)/Makefile
>
>I think instead we should update the header install structure to be in 
>line with what the distributions have done for years, i.e. install into
>
>/usr/share/selinux/devel.

[refpolicy] [PATCH] Fix the Reference Policy integration with the SELinux testsuite

[Chris PeBenito]

On 08/25/16 18:56, Guido Trentalancia wrote:
> Hello Christopher!
>
> Thanks for getting back.
>
> We can change the destination directory from <policy_name> to "devel", keep the Makefile in the "include" subdirectory (they also have such subdirectory) and create a symbolic link to it in the parent directory (i.e. "devel").
>
> As far as I remember, the SELinux testsuite only sources some variables from the Makefile, it doesn't run it through make.
>
> On the other end, removing it from the "include" subdirectory at the moment, might break something, I suppose.

That's were we could have a symlink for backwards compatibility.


> Should I create a patch or what?

I've never heard anyone have problems with this before, so I assume 
everyone that runs the testsuite, run it on a Fedora system.  I'm fine 
leaving things alone.


>
> Regards,
>
> Guido
>
> On the 26th of August 2016 00:36:40 CEST, Chris PeBenito <pebenito@ieee.org> wrote:
>> On 08/24/16 09:39, Guido Trentalancia via refpolicy wrote:
>>> The SELinux testsuite expects the Makefile.devel file to be installed
>>> in the top level share directory and not in its include subdirectory.
>>>
>>> Such file is installed by the Makefile target "install-headers".
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>>  Makefile |    2 ++
>>>  1 file changed, 2 insertions(+)
>>>
>>> --- refpolicy-git-06082016-orig/Makefile	2016-08-06
>> 21:26:43.257773849 +0200
>>> +++ refpolicy-git-06082016/Makefile	2016-08-24 15:33:34.936218176
>> +0200
>>> @@ -70,6 +70,7 @@ SECHECK ?= $(BINDIR)/sechecker
>>>  AWK ?= gawk
>>>  GREP ?= egrep
>>>  INSTALL ?= install
>>> +LN ?= ln
>>>  M4 ?= m4
>>>  PYTHON ?= python
>>>  SED ?= sed
>>> @@ -532,6 +533,7 @@ endif
>>>  	$(verbose) echo "override MLS_CATS := $(MLS_CATS)" >>
>> $(headerdir)/build.conf
>>>  	$(verbose) echo "override MCS_CATS := $(MCS_CATS)" >>
>> $(headerdir)/build.conf
>>>  	$(verbose) $(INSTALL) -m 644 $(support)/Makefile.devel
>> $(headerdir)/Makefile
>>> +	$(verbose) $(LN) -sf $(headerdir)/Makefile $(modpkgdir)/Makefile
>>
>> I think instead we should update the header install structure to be in
>> line with what the distributions have done for years, i.e. install into
>>
>> /usr/share/selinux/devel.
>


-- 
Chris PeBenito

[refpolicy] [PATCH] Fix the Reference Policy integration with the SELinux testsuite

[Paul Moore]

On Sun, Aug 28, 2016 at 2:23 PM, Chris PeBenito via refpolicy
<refpolicy@oss.tresys.com> wrote:
> On 08/25/16 18:56, Guido Trentalancia wrote:
>> Hello Christopher!
>>
>> Thanks for getting back.
>>
>> We can change the destination directory from <policy_name> to "devel", keep the Makefile in the "include" subdirectory (they also have such subdirectory) and create a symbolic link to it in the parent directory (i.e. "devel").
>>
>> As far as I remember, the SELinux testsuite only sources some variables from the Makefile, it doesn't run it through make.
>>
>> On the other end, removing it from the "include" subdirectory at the moment, might break something, I suppose.
>
> That's were we could have a symlink for backwards compatibility.
>
>> Should I create a patch or what?
>
> I've never heard anyone have problems with this before, so I assume
> everyone that runs the testsuite, run it on a Fedora system.  I'm fine
> leaving things alone.

FWIW, I run the selinux-testsuite weekly (at a minimum) and I do it on
a Fedora Rawhide system using the current Rawhide SELinux policy.

-- 
paul moore
www.paul-moore.com

[refpolicy] [PATCH] Fix the Reference Policy integration with the SELinux testsuite

[Guido Trentalancia]

Hello Paul. 

As it is, the testsuite only runs on Fedora out of the box. 

That's why I proposed the Makefile patch that allows to run it more easily on other systems by just passing an appropriate POLDEV variable to make... 

However Christopher decided not to pursue the change because he says that people only run the testsuite on Fedora (I am not one of them).

What about the patch for the AF_ALG sockets? And what about the one for providing more meaningful conflicting type rules errors from libsepol? Have you had any time to look at them? They are very simple, yet very useful I suppose... 

Best regards, 

Guido 

On the 30th August 2016 19:52:57 CEST, Paul Moore <paul@paul-moore.com> wrote:
>On Sun, Aug 28, 2016 at 2:23 PM, Chris PeBenito via refpolicy
><refpolicy@oss.tresys.com> wrote:
>> On 08/25/16 18:56, Guido Trentalancia wrote:
>>> Hello Christopher!
>>>
>>> Thanks for getting back.
>>>
>>> We can change the destination directory from <policy_name> to
>"devel", keep the Makefile in the "include" subdirectory (they also
>have such subdirectory) and create a symbolic link to it in the parent
>directory (i.e. "devel").
>>>
>>> As far as I remember, the SELinux testsuite only sources some
>variables from the Makefile, it doesn't run it through make.
>>>
>>> On the other end, removing it from the "include" subdirectory at the
>moment, might break something, I suppose.
>>
>> That's were we could have a symlink for backwards compatibility.
>>
>>> Should I create a patch or what?
>>
>> I've never heard anyone have problems with this before, so I assume
>> everyone that runs the testsuite, run it on a Fedora system.  I'm
>fine
>> leaving things alone.
>
>FWIW, I run the selinux-testsuite weekly (at a minimum) and I do it on
>a Fedora Rawhide system using the current Rawhide SELinux policy.

[refpolicy] [PATCH] Fix the Reference Policy integration with the SELinux testsuite

[Paul Moore]

On Tue, Aug 30, 2016 at 2:07 PM, Guido Trentalancia
<guido@trentalancia.net> wrote:
> Hello Paul.
>
> As it is, the testsuite only runs on Fedora out of the box.
>
> That's why I proposed the Makefile patch that allows to run it more easily on other systems by just passing an appropriate POLDEV variable to make...
>
> However Christopher decided not to pursue the change because he says that people only run the testsuite on Fedora (I am not one of them).

Perhaps I misunderstood Chris' comments, but it looked like he
provided a way forward, although it was different from what you were
originally proposing.

> What about the patch for the AF_ALG sockets?

We discussed this already: I think there is value in making the
change, but only as part of a larger effort to include other address
families.  From what I recall you were open to the idea but needed
some time to deal with other non-SELinux issues first.

> And what about the one for providing more meaningful conflicting type rules errors from libsepol? Have you had any time to look at them? They are very simple, yet very useful I suppose...

Unfortunately I generally don't have time to look very closely at the
userspace patches.  The good news is that we have a number of people
who are well versed in the SELinux userspace and should be able to
review and comment on those patches.

-- 
paul moore
www.paul-moore.com

[refpolicy] [PATCH] Fix the Reference Policy integration with the SELinux testsuite

[Guido Trentalancia]

Hello Paul.

On Tue, 30/08/2016 at 14.17 -0400, Paul Moore wrote:
> On Tue, Aug 30, 2016 at 2:07 PM, Guido Trentalancia
> <guido@trentalancia.net> wrote:
> > 
> > Hello Paul.
> > 
> > As it is, the testsuite only runs on Fedora out of the box.
> > 
> > That's why I proposed the Makefile patch that allows to run it more
> > easily on other systems by just passing an appropriate POLDEV
> > variable to make...
> > 
> > However Christopher decided not to pursue the change because he
> > says that people only run the testsuite on Fedora (I am not one of
> > them).
> 
> Perhaps I misunderstood Chris' comments, but it looked like he
> provided a way forward, although it was different from what you were
> originally proposing.

Yes, initially he provided a way forward.

Today, I read, he's fine with leaving things alone.

> > What about the patch for the AF_ALG sockets?
> 
> We discussed this already: I think there is value in making the
> change, but only as part of a larger effort to include other address
> families.??From what I recall you were open to the idea but needed
> some time to deal with other non-SELinux issues first.

I cannot promise anything about the larger new sockets patch... For
sure the other commitments are not light ones and there is still open
problems with the policy. Let's wait and see.

> > And what about the one for providing more meaningful conflicting
> > type rules errors from libsepol? Have you had any time to look at
> > them? They are very simple, yet very useful I suppose...
> 
> Unfortunately I generally don't have time to look very closely at the
> userspace patches.??The good news is that we have a number of people
> who are well versed in the SELinux userspace and should be able to
> review and comment on those patches.

Ok, that's fine, I understand. Someone else will eventually have a look
at them...

Thanks for your time.

Best regards,

Guido