* [PATCH 0/3] Make libsepol tests pass again
From: Nicolas Iooss @ 2016-08-27 9:21 UTC
To: selinux
Hello,
A few months ago I saw that "make -C libsepol test" succeeded even
though it displayed what looked like a failure:
./libsepol-tests
CUnit - A unit testing framework for C - Version 2.1-3
http://cunit.sourceforge.net/
Suite: cond
Test: cond_expr_equal ...passed
Suite: linker
Test: linker_indexes ...passed
Test: linker_types ...passed
Test: linker_roles ...
role o1_b_role_1 has 0 types, 1 expected
role o1_b_role_1 has 0 types, 1 expected
role o1_m1_role_1 has 0 types, 1 expected
sym g_b_role_2 has 1 decls, 2 expected
Role o1_b_role_2 had type o1_b_type_1 not in types array
role o1_b_role_2 has 0 types, 1 expected
Role g_b_role_4 had type g_m1_type_2 not in types array
role g_b_role_4 has 0 types, 1 expected
role o3_b_role_1 has 0 types, 1 expected
role o3_b_role_1 has 0 types, 1 expected
role o4_b_role_1 has 0 types, 1 expected
Role o4_b_role_1 had type g_m1_type_1 not in types array
FAILED
1. test-common.c:216 - found == len
2. test-common.c:216 - found == len
3. test-common.c:216 - found == len
4. test-common.c:43 - scope->decl_ids_len == len
5. test-common.c:52 - found == 1
6. test-common.c:213 - new == 1
7. test-common.c:216 - found == len
8. test-common.c:213 - new == 1
9. test-common.c:216 - found == len
10. test-common.c:216 - found == len
11. test-common.c:216 - found == len
12. test-common.c:216 - found == len
13. test-common.c:213 - new == 1
Test: linker_cond ...passed
Suite: expander
Test: expander_indexes ...passed
Test: expander_attr_mapping ...passed
Test: expander_role_mapping ...passed
Test: expander_user_mapping ...passed
Test: expander_alias ...passed
Suite: deps
Test: deps_modreq_global ...passed
Test: deps_modreq_opt ...passed
Suite: downgrade
Test: downgrade ...passed
Run Summary: Type Total Ran Passed Failed Inactive
suites 5 5 n/a 0 0
tests 13 13 12 1 0
asserts 1269 1269 1256 13 n/a
Elapsed time = 1.420 seconds
I can see 3 reasons behind such a failure report:
* there is a bug somewhere in libsepol and the tests detect it,
* the tests are out-dated and they need to be either removed or updated, or
* my test system is configured in a way that makes the tests fail even
though they should not.
Moreover, even though the tests are failing, it is quite disturbing that
"make test" is succeeding. This is because the CUnit tests only exit
with a failed error code when an error occurred in the CUnit framework,
not in tests. The last patch of this series fixes this.
As I did not understand anything at first when I read the code of
libsepol tests, I wrote some code to dump some tables of the loaded
policy (p->symtab[SYM_ROLES], and
p->decl_val_to_struct[...]->symtab[SYM_ROLES])
Here is an extract of this dump:
p->p_roles[object_r]: scope 2 {1, 9, 14},
types { }
p->p_roles[g_b_role_1]: scope 2 {1},
types { g_b_type_1 },
dominates g_b_role_1
p->p_roles[o1_b_role_1]: scope 2 {2},
types { o1_b_type_1 }
p->p_roles[o3_b_role_1]: scope 2 {4, 12},
types { o3_b_type_1 o3_m1_type_1 }
p->p_roles[o4_b_role_1]: scope 2 {5, 9, 14},
types { g_m1_type_1 g_m1_type_2 g_m2_type_1 },
dominates o4_b_role_1
p->p_roles[g_b_role_3]: scope 2 {1, 9, 14},
types { g_b_type_2 g_m1_type_2 g_m2_type_2 },
dominates g_b_role_3
p->p_roles[g_b_role_2]: scope 2 {1},
types { g_b_type_2 g_m1_type_1 },
dominates g_b_role_2
p->p_roles[o1_b_role_2]: scope 2 {2, 9},
types { o1_b_type_1 g_m1_type_1 },
dominates o1_b_role_2
[...]
decl[2]->p_roles[o1_b_role_1]: scope 2 {2},
types { }, dominates o1_b_role_1
decl[2]->p_roles[o1_b_role_2]: scope 2 {2, 9},
types { }, dominates o1_b_role_2
decl[4]->p_roles[o3_b_role_1]: scope 2 {4, 12},
types { }, dominates o3_b_role_1
decl[5]->p_roles[o4_b_role_1]: scope 2 {5, 9, 14},
types { }, dominates o4_b_role_1
It seems strange that "p->p_roles" hashmap handles all role-types
associations but that the domination information lies in
"p->decl_val_to_struct[scope-1]->p_roles" for roles in optional blocks.
This association is performed in define_role_types() function in
checkpolicy/policy_define.c. Using the "local role" (result of
get_local_role function) there fixes most assertion failures. This is
what the first patch does.
Afterwards the only failure which remains is:
sym g_b_role_2 has 1 decls, 2 expected
Even though g_b_role_2 is used both in
tests/policies/test-linker/small-base.conf and
tests/policies/test-linker/module1.conf, it seems to only exist in the
scope of the base policy. The second patch updates the test
accordingly.
Nicolas Iooss (3):
checkpolicy: add types associated to a role in the current scope when
parsing
libsepol: tests: fix g_b_role_2 test
libsepol: make "make test" fails when a CUnit test fails
checkpolicy/policy_define.c | 1 +
libsepol/tests/libsepol-tests.c | 11 +++++++----
libsepol/tests/test-linker-roles.c | 3 +--
3 files changed, 9 insertions(+), 6 deletions(-)
--
2.9.3
* [PATCH 1/3] checkpolicy: add types associated to a role in the current scope when parsing
From: Nicolas Iooss @ 2016-08-27 9:21 UTC
To: selinux
This fixes most of the errors reported in "make -C libsepol test":
./libsepol-tests
CUnit - A unit testing framework for C - Version 2.1-3
http://cunit.sourceforge.net/
Suite: cond
Test: cond_expr_equal ...passed
Suite: linker
Test: linker_indexes ...passed
Test: linker_types ...passed
Test: linker_roles ...
role o1_b_role_1 has 0 types, 1 expected
role o1_b_role_1 has 0 types, 1 expected
role o1_m1_role_1 has 0 types, 1 expected
sym g_b_role_2 has 1 decls, 2 expected
Role o1_b_role_2 had type o1_b_type_1 not in types array
role o1_b_role_2 has 0 types, 1 expected
Role g_b_role_4 had type g_m1_type_2 not in types array
role g_b_role_4 has 0 types, 1 expected
role o3_b_role_1 has 0 types, 1 expected
role o3_b_role_1 has 0 types, 1 expected
role o4_b_role_1 has 0 types, 1 expected
Role o4_b_role_1 had type g_m1_type_1 not in types array
FAILED
1. test-common.c:216 - found == len
2. test-common.c:216 - found == len
3. test-common.c:216 - found == len
4. test-common.c:43 - scope->decl_ids_len == len
5. test-common.c:52 - found == 1
6. test-common.c:213 - new == 1
7. test-common.c:216 - found == len
8. test-common.c:213 - new == 1
9. test-common.c:216 - found == len
10. test-common.c:216 - found == len
11. test-common.c:216 - found == len
12. test-common.c:216 - found == len
13. test-common.c:213 - new == 1
Test: linker_cond ...passed
Suite: expander
Test: expander_indexes ...passed
Test: expander_attr_mapping ...passed
Test: expander_role_mapping ...passed
Test: expander_user_mapping ...passed
Test: expander_alias ...passed
Suite: deps
Test: deps_modreq_global ...passed
Test: deps_modreq_opt ...passed
Suite: downgrade
Test: downgrade ...passed
Run Summary: Type Total Ran Passed Failed Inactive
suites 5 5 n/a 0 0
tests 13 13 12 1 0
asserts 1269 1269 1256 13 n/a
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
checkpolicy/policy_define.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 100e517820f9..128869c675be 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -2614,6 +2614,7 @@ int define_role_types(void)
free(id);
return -1;
}
+ role = get_local_role(id, role->s.value, (role->flavor == ROLE_ATTRIB));
while ((id = queue_remove(id_queue))) {
if (set_types(&role->types, id, &add, 0))
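Review bot: the pointer returned by get_local_role() is dereferenced as "&role->types" in the loop directly below the added line without a NULL check; if get_local_role() can fail (for example on allocation failure), an "if (!role) return -1;" is needed before the while loop. The call also hands "id" to get_local_role() while the error path just above frees it explicitly, so a short comment on who owns "id" after the call would help. The commit message lists the test output but would benefit from one sentence on why the types must be added to the local (per-declaration) role.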
--
2.9.3
* [PATCH 2/3] libsepol: tests: fix g_b_role_2 test
From: Nicolas Iooss @ 2016-08-27 9:21 UTC
To: selinux
Even though g_b_role_2 is used both in
tests/policies/test-linker/small-base.conf and
tests/policies/test-linker/module1.conf, it seems to only exist in the
scope of the base policy.
This fixes the following failure of "make -C libsepol test":
./libsepol-tests
CUnit - A unit testing framework for C - Version 2.1-3
http://cunit.sourceforge.net/
Suite: cond
Test: cond_expr_equal ...passed
Suite: linker
Test: linker_indexes ...passed
Test: linker_types ...passed
Test: linker_roles ...sym g_b_role_2 has 1 decls, 2 expected
FAILED
1. test-common.c:43 - scope->decl_ids_len == len
2. test-common.c:52 - found == 1
Test: linker_cond ...passed
Suite: expander
Test: expander_indexes ...passed
Test: expander_attr_mapping ...passed
Test: expander_role_mapping ...passed
Test: expander_user_mapping ...passed
Test: expander_alias ...passed
Suite: deps
Test: deps_modreq_global ...passed
Test: deps_modreq_opt ...passed
Suite: downgrade
Test: downgrade ...passed
Run Summary: Type Total Ran Passed Failed Inactive
suites 5 5 n/a 0 0
tests 13 13 12 1 0
asserts 1274 1274 1272 2 n/a
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
libsepol/tests/test-linker-roles.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libsepol/tests/test-linker-roles.c b/libsepol/tests/test-linker-roles.c
index 2c4a804704d6..569e2ccf5ee7 100644
--- a/libsepol/tests/test-linker-roles.c
+++ b/libsepol/tests/test-linker-roles.c
@@ -132,8 +132,7 @@ void module_role_tests(policydb_t * base)
/**** test for type added to base role in module 1 (global) ****/
decls[0] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_b"))->decl_id;
- decls[1] = (test_find_decl_by_sym(base, SYM_TYPES, "tag_g_m1"))->decl_id;
- test_sym_presence(base, "g_b_role_2", SYM_ROLES, SCOPE_DECL, decls, 2);
+ test_sym_presence(base, "g_b_role_2", SYM_ROLES, SCOPE_DECL, decls, 1);
/* make sure it has the correct type set (g_m1_type_1, no negset, no flags) */
types[0] = "g_b_type_2"; /* added in base when declared */
types[1] = "g_m1_type_1"; /* added in module */
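Review bot: with the expected declaration count dropped to 1, the surrounding comments ("test for type added to base role in module 1 (global)" and "added in module" on types[1]) still describe module 1 as contributing to g_b_role_2, yet the test now asserts that only the base declaration is in the role's scope. Please add a comment explaining why the use of the role in module1.conf does not add a decl id to its scope, and confirm this is the intended linker behaviour rather than the test being relaxed to match current output; the commit message only says it "seems" so.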
--
2.9.3
* [PATCH 3/3] libsepol: make "make test" fails when a CUnit test fails
From: Nicolas Iooss @ 2016-08-27 9:21 UTC
To: selinux
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
libsepol/tests/libsepol-tests.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/libsepol/tests/libsepol-tests.c b/libsepol/tests/libsepol-tests.c
index 9302f7206d54..544c792d2ab5 100644
--- a/libsepol/tests/libsepol-tests.c
+++ b/libsepol/tests/libsepol-tests.c
@@ -28,6 +28,7 @@
#include <CUnit/Console.h>
#include <CUnit/TestDB.h>
+#include <stdbool.h>
#include <stdio.h>
#include <getopt.h>
#include <stdlib.h>
@@ -51,9 +52,10 @@ static void usage(char *progname)
printf("\t-i, --interactive\t\tinteractive console\n");
}
-static int do_tests(int interactive, int verbose)
+static bool do_tests(int interactive, int verbose)
{
CU_pSuite suite = NULL;
+ unsigned int num_failures;
if (CUE_SUCCESS != CU_initialize_registry())
return CU_get_error();
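Review bot: do_tests() now returns bool with true meaning success, but the early exit kept as context in this hunk still does "return CU_get_error();" when CU_initialize_registry() fails. A non-zero error code converts to true, so the "if (!do_tests(...))" check in main() treats a registry initialization failure as a pass. That path should "return false;", and it is worth checking whether any other early return in the function still yields a CUnit error code.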
@@ -73,8 +75,9 @@ static int do_tests(int interactive, int verbose)
CU_console_run_tests();
else
CU_basic_run_tests();
+ num_failures = CU_get_number_of_tests_failed();
CU_cleanup_registry();
- return CU_get_error();
+ return CU_get_error() == CUE_SUCCESS && num_failures == 0;
}
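Review bot: num_failures is captured before CU_cleanup_registry(), but CU_get_error() is still evaluated after it, so the framework-error half of the return expression is read once the registry has been torn down. Save the error code in a local before the cleanup call, next to num_failures, and test both afterwards. CU_get_number_of_tests_failed() also does not count suite init/cleanup failures; adding CU_get_number_of_suites_failed() to the condition would catch those.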
@@ -106,12 +109,12 @@ int main(int argc, char **argv)
/* first do the non-mls tests */
mls = 0;
- if (do_tests(interactive, verbose))
+ if (!do_tests(interactive, verbose))
return -1;
/* then with mls */
mls = 1;
- if (do_tests(interactive, verbose))
+ if (!do_tests(interactive, verbose))
return -1;
return 0;
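Review bot: main() still signals failure with "return -1;", which the shell sees as exit status 255; now that this path is reached for ordinary test failures, EXIT_FAILURE (stdlib.h is already included) is the conventional value. The early return also skips the mls run whenever the non-mls run fails, so consider running both and combining the results so that a single "make test" reports every failure.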
--
2.9.3
* Re: [PATCH 0/3] Make libsepol tests pass again
From: Stephen Smalley @ 2016-09-06 15:16 UTC
To: Nicolas Iooss, selinux
On 08/27/2016 05:21 AM, Nicolas Iooss wrote:
> Hello,
>
> A few months ago I saw that "make -C libsepol test" succeeded even
> though it displayed what looked like a failure:
>
> ./libsepol-tests
> CUnit - A unit testing framework for C - Version 2.1-3
> http://cunit.sourceforge.net/
> Suite: cond
> Test: cond_expr_equal ...passed
> Suite: linker
> Test: linker_indexes ...passed
> Test: linker_types ...passed
> Test: linker_roles ...
> role o1_b_role_1 has 0 types, 1 expected
> role o1_b_role_1 has 0 types, 1 expected
> role o1_m1_role_1 has 0 types, 1 expected
> sym g_b_role_2 has 1 decls, 2 expected
> Role o1_b_role_2 had type o1_b_type_1 not in types array
> role o1_b_role_2 has 0 types, 1 expected
> Role g_b_role_4 had type g_m1_type_2 not in types array
> role g_b_role_4 has 0 types, 1 expected
> role o3_b_role_1 has 0 types, 1 expected
> role o3_b_role_1 has 0 types, 1 expected
> role o4_b_role_1 has 0 types, 1 expected
> Role o4_b_role_1 had type g_m1_type_1 not in types array
>
> FAILED
> 1. test-common.c:216 - found == len
> 2. test-common.c:216 - found == len
> 3. test-common.c:216 - found == len
> 4. test-common.c:43 - scope->decl_ids_len == len
> 5. test-common.c:52 - found == 1
> 6. test-common.c:213 - new == 1
> 7. test-common.c:216 - found == len
> 8. test-common.c:213 - new == 1
> 9. test-common.c:216 - found == len
> 10. test-common.c:216 - found == len
> 11. test-common.c:216 - found == len
> 12. test-common.c:216 - found == len
> 13. test-common.c:213 - new == 1
> Test: linker_cond ...passed
> Suite: expander
> Test: expander_indexes ...passed
> Test: expander_attr_mapping ...passed
> Test: expander_role_mapping ...passed
> Test: expander_user_mapping ...passed
> Test: expander_alias ...passed
> Suite: deps
> Test: deps_modreq_global ...passed
> Test: deps_modreq_opt ...passed
> Suite: downgrade
> Test: downgrade ...passed
>
> Run Summary: Type Total Ran Passed Failed Inactive
> suites 5 5 n/a 0 0
> tests 13 13 12 1 0
> asserts 1269 1269 1256 13 n/a
> Elapsed time = 1.420 seconds
>
> I can see 3 reasons behind such a failure report:
>
> * there is a bug somewhere in libsepol and the tests detect it,
> * the tests are out-dated and they need to be either removed or updated, or
> * my test system is configured in a way that makes the tests fail even
> though they should not.
>
> Moreover, even though the tests are failing, it is quite disturbing that
> "make test" is succeeding. This is because the CUnit tests only exit
> with a failed error code when an error occurred in the CUnit framework,
> not in tests. The last patch of this series fixes this.
>
> As I did not understand anything at first when I read the code of
> libsepol tests, I wrote some code to dump some tables of the loaded
> policy (p->symtab[SYM_ROLES], and
> p->decl_val_to_struct[...]->symtab[SYM_ROLES])
> Here is an extract of this dump:
>
> p->p_roles[object_r]: scope 2 {1, 9, 14},
> types { }
> p->p_roles[g_b_role_1]: scope 2 {1},
> types { g_b_type_1 },
> dominates g_b_role_1
> p->p_roles[o1_b_role_1]: scope 2 {2},
> types { o1_b_type_1 }
> p->p_roles[o3_b_role_1]: scope 2 {4, 12},
> types { o3_b_type_1 o3_m1_type_1 }
> p->p_roles[o4_b_role_1]: scope 2 {5, 9, 14},
> types { g_m1_type_1 g_m1_type_2 g_m2_type_1 },
> dominates o4_b_role_1
> p->p_roles[g_b_role_3]: scope 2 {1, 9, 14},
> types { g_b_type_2 g_m1_type_2 g_m2_type_2 },
> dominates g_b_role_3
> p->p_roles[g_b_role_2]: scope 2 {1},
> types { g_b_type_2 g_m1_type_1 },
> dominates g_b_role_2
> p->p_roles[o1_b_role_2]: scope 2 {2, 9},
> types { o1_b_type_1 g_m1_type_1 },
> dominates o1_b_role_2
> [...]
> decl[2]->p_roles[o1_b_role_1]: scope 2 {2},
> types { }, dominates o1_b_role_1
> decl[2]->p_roles[o1_b_role_2]: scope 2 {2, 9},
> types { }, dominates o1_b_role_2
> decl[4]->p_roles[o3_b_role_1]: scope 2 {4, 12},
> types { }, dominates o3_b_role_1
> decl[5]->p_roles[o4_b_role_1]: scope 2 {5, 9, 14},
> types { }, dominates o4_b_role_1
>
> It seems strange that "p->p_roles" hashmap handles all role-types
> associations but that the domination information lies in
> "p->decl_val_to_struct[scope-1]->p_roles" for roles in optional blocks.
> This association is performed in define_role_types() function in
> checkpolicy/policy_define.c. Using the "local role" (result of
> get_local_role function) there fixes most assertion failures. This is
> what the first patch does.
>
> Afterwards the only failure which remains is:
>
> sym g_b_role_2 has 1 decls, 2 expected
>
> Even though g_b_role_2 is used both in
> tests/policies/test-linker/small-base.conf and
> tests/policies/test-linker/module1.conf, it seems to only exist in the
> scope of the base policy. The second patch updates the test
> accordingly.
>
>
> Nicolas Iooss (3):
> checkpolicy: add types associated to a role in the current scope when
> parsing
> libsepol: tests: fix g_b_role_2 test
> libsepol: make "make test" fails when a CUnit test fails
>
> checkpolicy/policy_define.c | 1 +
> libsepol/tests/libsepol-tests.c | 11 +++++++----
> libsepol/tests/test-linker-roles.c | 3 +--
> 3 files changed, 9 insertions(+), 6 deletions(-)
Thanks, applied all three.