From mboxrd@z Thu Jan 1 00:00:00 1970
From: jason@perfinion.com (Jason Zaman)
Date: Tue, 23 Aug 2016 13:16:50 +0800
Subject: [refpolicy] Testing in the Reference Policy
In-Reply-To:
References:
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 23 Aug 2016 01:53, "Naftuli Tzvi Kay via refpolicy" <refpolicy@oss.tresys.com> wrote:
>
> I'm currently working on a reference policy addition to restrict access for a given application. Up until now, I've been testing my application on a Fedora 24 Vagrant VM, compiling a non-base module and loading it into the kernel, running, testing, auditing, etc.
>
> What I found is that I ended up using a lot of RedHat specific downstream macros, which aren't supported here upstream.
>
> Is there a recommended way of testing reference policy code? How can I alter my Fedora Vagrant VM setup to cover the use case I'm after? Should I just compile the reference policy in my VM, relabel the filesystem, and then reboot and load the reference policy into the kernel?
>
> My host OS is running Ubuntu 14.04, so it's not very useful for debugging SELinux things; I once tried getting SELinux running on my desktop, but X wouldn't start, etc. and I imagine the policy is pretty out of date.
>
> How can I create an environment in which I can test my policy against the program I'm aiming to constrain? (Syncthing)

On my phone so not gonna be a long answer.

For CI testing Travis is set up for both refpol and the gentoo repo. If you want a more full test you can take the gentoo hardened SELinux stage3 tarballs and start that in a VM. Look under experimental on the distfiles mirrors or ping me on IRC for more up to date ones. Releng is going to be generating official weekly SELinux stage3's real-soon-now.

gentoo policy is quite a bit closer to refpol and targeted, strict, MCS work for X and xfce. I don't use KDE or gnome so not 100% sure on their status. MLS works mostly for console only, not tried X.

The xdg_config_* interfaces are also in gentoo and are the ones that I will upstream soon if you wanted to target that directly.
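The question above is really about finding out, before a build in a VM fails, which interface calls in a module only exist downstream. The script below is an added example, not code from this thread, from refpolicy or from the Gentoo policy: it collects every `interface(` and `template(` name defined under `policy/modules/*/*.if` in a refpolicy checkout and reports the calls in a module's `.te` file that none of them defines. The refpolicy tree it builds under a temporary directory is a constructed stand-in with two made-up interface bodies, and `downstream_only_example_interface` is a constructed placeholder, not a real distribution macro; the m4 macros in `BUILTIN_MACROS` are build-system macros, not interfaces, so they are skipped.

```shell
#!/bin/sh
# Added example: report interface/template calls in a .te file that no .if
# file under <refpolicy_dir>/policy/modules defines.
set -eu

# Build-system m4 macros that look like interface calls but are not interfaces.
BUILTIN_MACROS="policy_module gen_require optional_policy tunable_policy ifdef ifndef gen_tunable gen_bool refpolicywarn"

# Print every interface and template name defined in the policy tree, one per line.
defined_interfaces() {
    refpol_dir="$1"
    find "$refpol_dir/policy/modules" -name '*.if' -exec sed -n \
        -e 's/^[[:space:]]*interface(`\([A-Za-z0-9_][A-Za-z0-9_]*\)'"'"'.*/\1/p' \
        -e 's/^[[:space:]]*template(`\([A-Za-z0-9_][A-Za-z0-9_]*\)'"'"'.*/\1/p' {} + | sort -u
}

# Print every "name(" call that starts a line in the .te file, one per line.
called_interfaces() {
    sed -n 's/^[[:space:]]*\([a-z_][A-Za-z0-9_]*\)(.*/\1/p' "$1" | sort -u
}

# Print the calls in the .te file that are neither build macros nor defined interfaces.
missing_interfaces() {
    refpol_dir="$1"
    te_file="$2"
    defined=$(defined_interfaces "$refpol_dir")
    called_interfaces "$te_file" | while read -r name; do
        case " $BUILTIN_MACROS " in *" $name "*) continue ;; esac
        printf '%s\n' "$defined" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample: a tiny stand-in for a refpolicy checkout plus a module under test.
# The interface bodies are illustrative only and are not copied from refpolicy.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/refpolicy/policy/modules/kernel" "$dir/refpolicy/policy/modules/system"
    cat > "$dir/refpolicy/policy/modules/kernel/files.if" <<'EOF'
interface(`files_read_etc_files',`
	gen_require(`
		type etc_t;
	')
	allow $1 etc_t:file read_file_perms;
')
EOF
    cat > "$dir/refpolicy/policy/modules/system/userdomain.if" <<'EOF'
template(`userdom_base_user_template',`
	gen_require(`
		attribute userdomain;
	')
	typeattribute $1_t userdomain;
')
EOF
    cat > "$dir/syncthing.te" <<'EOF'
policy_module(syncthing, 1.0.0)

type syncthing_t;

files_read_etc_files(syncthing_t)
userdom_base_user_template(syncthing)
# Constructed placeholder for a downstream-only macro that upstream lacks:
downstream_only_example_interface(syncthing_t)

optional_policy(`
	files_read_etc_files(syncthing_t)
')
EOF
    printf '%s\n' "$dir"
}

# Demo run against the constructed sample; prints downstream_only_example_interface.
demo() {
    sample=$(make_sample)
    missing_interfaces "$sample/refpolicy" "$sample/syncthing.te"
    rm -rf "$sample"
}

demo
```

To use it against a real tree, call `missing_interfaces /path/to/refpolicy /path/to/module.te`; anything it prints is a call that will fail with an undefined-macro error when the module is built against upstream refpolicy, so it is exactly the list of interfaces that need an upstream equivalent or a local `.if` before the VM build is worth attempting.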