[PATCH] selinux-testsuite: update the dependencies in README.md

[PATCH] selinux-testsuite: update the dependencies in README.md

[Paul Moore]

From: Paul Moore <paul@paul-moore.com>

The new kernel module tests added in a68d583c2a70 ("selinux-testsuite:
Add kernel module tests") require the kernel-devel package on Fedora,
make sure we list that in the README.md file.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 README.md |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index e845df8..4352796 100644
--- a/README.md
+++ b/README.md
@@ -53,6 +53,7 @@ similar dependencies):
 * attr _(tools used by the overlayfs tests)_
 * libbpf-devel _(tools used by the bpf tests)_
 * keyutils-libs-devel _(tools used by the keys tests)_
+* kernel-devel _(used by the kernel module tests)_
 
 On a modern Fedora system you can install these dependencies with the
 following command:
@@ -69,7 +70,8 @@ following command:
 		lksctp-tools-devel \
 		attr \
 		libbpf-devel \
-		keyutils-libs-devel
+		keyutils-libs-devel \
+		kernel-devel
 
 The testsuite requires a pre-existing base policy configuration of SELinux,
 using either the old example policy or the reference policy as the baseline.

Re: [PATCH] selinux-testsuite: update the dependencies in README.md

[Ondrej Mosnacek]

On Wed, Nov 27, 2019 at 3:47 PM Paul Moore <paul@paul-moore.com> wrote:
> From: Paul Moore <paul@paul-moore.com>
>
> The new kernel module tests added in a68d583c2a70 ("selinux-testsuite:
> Add kernel module tests") require the kernel-devel package on Fedora,
> make sure we list that in the README.md file.

Thanks, I should have thought of this when reviewing the patch :)

>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  README.md |    4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/README.md b/README.md
> index e845df8..4352796 100644
> --- a/README.md
> +++ b/README.md
> @@ -53,6 +53,7 @@ similar dependencies):
>  * attr _(tools used by the overlayfs tests)_
>  * libbpf-devel _(tools used by the bpf tests)_
>  * keyutils-libs-devel _(tools used by the keys tests)_
> +* kernel-devel _(used by the kernel module tests)_
>
>  On a modern Fedora system you can install these dependencies with the
>  following command:
> @@ -69,7 +70,8 @@ following command:
>                 lksctp-tools-devel \
>                 attr \
>                 libbpf-devel \
> -               keyutils-libs-devel
> +               keyutils-libs-devel \
> +               kernel-devel

I'm wondering whether we should rather put kernel-devel-$(uname -r)
here, to make sure that the right package is installed that
corresponds to the running kernel version (which may not be the latest
version that dnf will fetch). Or if the use of shell expansion feels
too clever, then we should at last document that the command may not
always install the version that is needed.

>
>  The testsuite requires a pre-existing base policy configuration of SELinux,
>  using either the old example policy or the reference policy as the baseline.

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.

Re: [PATCH] selinux-testsuite: update the dependencies in README.md

[Stephen Smalley]

On 11/27/19 10:21 AM, Ondrej Mosnacek wrote:
> On Wed, Nov 27, 2019 at 3:47 PM Paul Moore <paul@paul-moore.com> wrote:
>> From: Paul Moore <paul@paul-moore.com>
>>
>> The new kernel module tests added in a68d583c2a70 ("selinux-testsuite:
>> Add kernel module tests") require the kernel-devel package on Fedora,
>> make sure we list that in the README.md file.
> 
> Thanks, I should have thought of this when reviewing the patch :)
> 
>>
>> Signed-off-by: Paul Moore <paul@paul-moore.com>
>> ---
>>   README.md |    4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/README.md b/README.md
>> index e845df8..4352796 100644
>> --- a/README.md
>> +++ b/README.md
>> @@ -53,6 +53,7 @@ similar dependencies):
>>   * attr _(tools used by the overlayfs tests)_
>>   * libbpf-devel _(tools used by the bpf tests)_
>>   * keyutils-libs-devel _(tools used by the keys tests)_
>> +* kernel-devel _(used by the kernel module tests)_
>>
>>   On a modern Fedora system you can install these dependencies with the
>>   following command:
>> @@ -69,7 +70,8 @@ following command:
>>                  lksctp-tools-devel \
>>                  attr \
>>                  libbpf-devel \
>> -               keyutils-libs-devel
>> +               keyutils-libs-devel \
>> +               kernel-devel
> 
> I'm wondering whether we should rather put kernel-devel-$(uname -r)
> here, to make sure that the right package is installed that
> corresponds to the running kernel version (which may not be the latest
> version that dnf will fetch). Or if the use of shell expansion feels
> too clever, then we should at last document that the command may not
> always install the version that is needed.

I'm often testing kernels I build myself and not via rpm.

> 
>>
>>   The testsuite requires a pre-existing base policy configuration of SELinux,
>>   using either the old example policy or the reference policy as the baseline.
> 
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.
> 

Re: [PATCH] selinux-testsuite: update the dependencies in README.md

[Ondrej Mosnacek]

On Wed, Nov 27, 2019 at 4:24 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 11/27/19 10:21 AM, Ondrej Mosnacek wrote:
> > On Wed, Nov 27, 2019 at 3:47 PM Paul Moore <paul@paul-moore.com> wrote:
> >> From: Paul Moore <paul@paul-moore.com>
> >>
> >> The new kernel module tests added in a68d583c2a70 ("selinux-testsuite:
> >> Add kernel module tests") require the kernel-devel package on Fedora,
> >> make sure we list that in the README.md file.
> >
> > Thanks, I should have thought of this when reviewing the patch :)
> >
> >>
> >> Signed-off-by: Paul Moore <paul@paul-moore.com>
> >> ---
> >>   README.md |    4 +++-
> >>   1 file changed, 3 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/README.md b/README.md
> >> index e845df8..4352796 100644
> >> --- a/README.md
> >> +++ b/README.md
> >> @@ -53,6 +53,7 @@ similar dependencies):
> >>   * attr _(tools used by the overlayfs tests)_
> >>   * libbpf-devel _(tools used by the bpf tests)_
> >>   * keyutils-libs-devel _(tools used by the keys tests)_
> >> +* kernel-devel _(used by the kernel module tests)_
> >>
> >>   On a modern Fedora system you can install these dependencies with the
> >>   following command:
> >> @@ -69,7 +70,8 @@ following command:
> >>                  lksctp-tools-devel \
> >>                  attr \
> >>                  libbpf-devel \
> >> -               keyutils-libs-devel
> >> +               keyutils-libs-devel \
> >> +               kernel-devel
> >
> > I'm wondering whether we should rather put kernel-devel-$(uname -r)
> > here, to make sure that the right package is installed that
> > corresponds to the running kernel version (which may not be the latest
> > version that dnf will fetch). Or if the use of shell expansion feels
> > too clever, then we should at last document that the command may not
> > always install the version that is needed.
>
> I'm often testing kernels I build myself and not via rpm.

Right, then the command would just fail... :/ But it might be slightly
faster to realize that you can just delete the kernel-devel line from
the command when you're running a local kernel build, than figuring
out why the test failed to build after a successful run of the command
(in the non-latest stock kernel scenario). But I'm fine with just
documenting it if we want to keep it simple.

>
> >
> >>
> >>   The testsuite requires a pre-existing base policy configuration of SELinux,
> >>   using either the old example policy or the reference policy as the baseline.
> >
> > --
> > Ondrej Mosnacek <omosnace at redhat dot com>
> > Software Engineer, Security Technologies
> > Red Hat, Inc.

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.

Re: [PATCH] selinux-testsuite: update the dependencies in README.md

[Paul Moore]

On Wed, Nov 27, 2019 at 10:39 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Wed, Nov 27, 2019 at 4:24 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > On 11/27/19 10:21 AM, Ondrej Mosnacek wrote:
> > > On Wed, Nov 27, 2019 at 3:47 PM Paul Moore <paul@paul-moore.com> wrote:
> > >> From: Paul Moore <paul@paul-moore.com>
> > >>
> > >> The new kernel module tests added in a68d583c2a70 ("selinux-testsuite:
> > >> Add kernel module tests") require the kernel-devel package on Fedora,
> > >> make sure we list that in the README.md file.
> > >
> > > Thanks, I should have thought of this when reviewing the patch :)
> > >
> > >>
> > >> Signed-off-by: Paul Moore <paul@paul-moore.com>
> > >> ---
> > >>   README.md |    4 +++-
> > >>   1 file changed, 3 insertions(+), 1 deletion(-)
> > >>
> > >> diff --git a/README.md b/README.md
> > >> index e845df8..4352796 100644
> > >> --- a/README.md
> > >> +++ b/README.md
> > >> @@ -53,6 +53,7 @@ similar dependencies):
> > >>   * attr _(tools used by the overlayfs tests)_
> > >>   * libbpf-devel _(tools used by the bpf tests)_
> > >>   * keyutils-libs-devel _(tools used by the keys tests)_
> > >> +* kernel-devel _(used by the kernel module tests)_
> > >>
> > >>   On a modern Fedora system you can install these dependencies with the
> > >>   following command:
> > >> @@ -69,7 +70,8 @@ following command:
> > >>                  lksctp-tools-devel \
> > >>                  attr \
> > >>                  libbpf-devel \
> > >> -               keyutils-libs-devel
> > >> +               keyutils-libs-devel \
> > >> +               kernel-devel
> > >
> > > I'm wondering whether we should rather put kernel-devel-$(uname -r)
> > > here, to make sure that the right package is installed that
> > > corresponds to the running kernel version (which may not be the latest
> > > version that dnf will fetch). Or if the use of shell expansion feels
> > > too clever, then we should at last document that the command may not
> > > always install the version that is needed.
> >
> > I'm often testing kernels I build myself and not via rpm.
>
> Right, then the command would just fail... :/ But it might be slightly
> faster to realize that you can just delete the kernel-devel line from
> the command when you're running a local kernel build, than figuring
> out why the test failed to build after a successful run of the command
> (in the non-latest stock kernel scenario). But I'm fine with just
> documenting it if we want to keep it simple.

I don't feel that strongly about it either way, but one could argue
that if start versioning the kernel-devel package, why not all the
other packages?  What if you have a locally modified BPF userspace?
Infiniband?  I think you get the idea.

My opinion is that if you are going off into the weeds by replacing
the kernel or portions of your userspace, you should know well enough
how to ensure that they are properly installed ;)

-- 
paul moore
www.paul-moore.com

Re: [PATCH] selinux-testsuite: update the dependencies in README.md

[Stephen Smalley]

On 11/27/19 9:47 AM, Paul Moore wrote:
> From: Paul Moore <paul@paul-moore.com>
> 
> The new kernel module tests added in a68d583c2a70 ("selinux-testsuite:
> Add kernel module tests") require the kernel-devel package on Fedora,
> make sure we list that in the README.md file.
> 
> Signed-off-by: Paul Moore <paul@paul-moore.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
>   README.md |    4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/README.md b/README.md
> index e845df8..4352796 100644
> --- a/README.md
> +++ b/README.md
> @@ -53,6 +53,7 @@ similar dependencies):
>   * attr _(tools used by the overlayfs tests)_
>   * libbpf-devel _(tools used by the bpf tests)_
>   * keyutils-libs-devel _(tools used by the keys tests)_
> +* kernel-devel _(used by the kernel module tests)_
>   
>   On a modern Fedora system you can install these dependencies with the
>   following command:
> @@ -69,7 +70,8 @@ following command:
>   		lksctp-tools-devel \
>   		attr \
>   		libbpf-devel \
> -		keyutils-libs-devel
> +		keyutils-libs-devel \
> +		kernel-devel
>   
>   The testsuite requires a pre-existing base policy configuration of SELinux,
>   using either the old example policy or the reference policy as the baseline.
> 

Re: [PATCH] selinux-testsuite: update the dependencies in README.md

[Stephen Smalley]

On 11/27/19 9:47 AM, Paul Moore wrote:
> From: Paul Moore <paul@paul-moore.com>
> 
> The new kernel module tests added in a68d583c2a70 ("selinux-testsuite:
> Add kernel module tests") require the kernel-devel package on Fedora,
> make sure we list that in the README.md file.
> 
> Signed-off-by: Paul Moore <paul@paul-moore.com>

Thanks, applied.

> ---
>   README.md |    4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/README.md b/README.md
> index e845df8..4352796 100644
> --- a/README.md
> +++ b/README.md
> @@ -53,6 +53,7 @@ similar dependencies):
>   * attr _(tools used by the overlayfs tests)_
>   * libbpf-devel _(tools used by the bpf tests)_
>   * keyutils-libs-devel _(tools used by the keys tests)_
> +* kernel-devel _(used by the kernel module tests)_
>   
>   On a modern Fedora system you can install these dependencies with the
>   following command:
> @@ -69,7 +70,8 @@ following command:
>   		lksctp-tools-devel \
>   		attr \
>   		libbpf-devel \
> -		keyutils-libs-devel
> +		keyutils-libs-devel \
> +		kernel-devel
>   
>   The testsuite requires a pre-existing base policy configuration of SELinux,
>   using either the old example policy or the reference policy as the baseline.
> 

[PATCH] selinux-testsuite: update the dependencies in README.md

[Paul Moore]

The overlayfs tests require setfattr and getfattr which are part of
the attr package in Fedora.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 README.md |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2c871d3..cf90ef6 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,7 @@ similar dependencies):
 * netlabel\_tools _(to load NetLabel configuration during `inet_socket` tests)_
 * iptables _(to load the `iptables SECMARK` rules during `inet_socket` tests)_
 * lksctp-tools-devel _(to build the SCTP test programs)_
+* attr _(tools used by the overlayfs tests)_
 
 On a modern Fedora system you can install these dependencies with the
 following command:
@@ -63,7 +64,8 @@ following command:
 		net-tools \
 		netlabel_tools \
 		iptables \
-		lksctp-tools-devel
+		lksctp-tools-devel \
+		attr
 
 The testsuite requires a pre-existing base policy configuration of SELinux,
 using either the old example policy or the reference policy as the baseline.