[PATCH testsuite 0/4] Various CI-related testsuite fixes

[PATCH testsuite 0/4] Various CI-related testsuite fixes

[Ondrej Mosnacek]

There are some warnings and non-fatal errors reported during CI runs.
Additionally, the CI gets stuck when there is a force-push on some
upstream repo that is cached. This series fixes these issues.

Testing Travis run:
https://travis-ci.org/github/WOnder93/selinux-testsuite/builds/698848141

Ondrej Mosnacek (4):
  Makefiles: remove bashisms
  travis: add missing node to fake selinuxfs
  travis: fix git/cache handling
  tests: stop using deprecated security_context_t

 .travis.yml                         |  2 ++
 policy/Makefile                     |  4 +++-
 tests/Makefile                      |  8 ++++++--
 tests/bounds/thread.c               |  4 ++--
 tests/dyntrace/parent.c             |  2 +-
 tests/dyntrans/parent.c             |  2 +-
 tests/execshare/parent.c            |  2 +-
 tests/exectrace/parent.c            |  2 +-
 tests/inherit/parent.c              |  2 +-
 tests/prlimit/parent.c              |  2 +-
 tests/setnice/parent.c              |  2 +-
 travis-ci/setup-policy-fedora.sh    | 10 ++++++----
 travis-ci/setup-policy-refpolicy.sh |  4 +++-
 13 files changed, 29 insertions(+), 17 deletions(-)

-- 
2.26.2

[PATCH testsuite 1/4] Makefiles: remove bashisms

[Ondrej Mosnacek]

In Travis CI (Ubuntu), the shell used by Make doesn't understand
bashisms like [[ ... ]]. Replace them with plain [ ... ] and also break
up the conditionals for better readabilty.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/Makefile | 4 +++-
 tests/Makefile  | 8 ++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/policy/Makefile b/policy/Makefile
index 672733e..6c49091 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -37,13 +37,15 @@ endif
 
 ifeq ($(SUPPORTS_CIL),y)
 CIL_TARGETS = test_mlsconstrain.cil test_overlay_defaultrange.cil
-ifeq ($(shell [[ $(MAX_KERNEL_POLICY) -ge 32 && $(POL_VERS) -ge 32 ]] && echo true),true)
+ifeq ($(shell [ $(MAX_KERNEL_POLICY) -ge 32 ] && echo true),true)
+ifeq ($(shell [ $(POL_VERS) -ge 32 ] && echo true),true)
 # If other MLS tests get written this can be moved outside of the glblub test
 ifeq ($(POL_TYPE), MLS)
 CIL_TARGETS += test_glblub.cil
 else ifeq ($(POL_TYPE), MCS)
 CIL_TARGETS += test_add_levels.cil test_glblub.cil
 endif # POL_TYPE
+endif # POL_VERS
 endif # MAX_KERNEL_POLICY
 endif # SUPPORTS_CIL
 
diff --git a/tests/Makefile b/tests/Makefile
index bdbdf3e..919335b 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -68,9 +68,13 @@ ifeq ($(shell grep -q key_socket $(POLDEV)/include/support/all_perms.spt && test
 SUBDIRS += key_socket
 endif
 
-ifeq ($(shell [[ $(MAX_KERNEL_POLICY) -ge 32 && ( $(POL_TYPE) == 'MLS' || $(POL_TYPE) == 'MCS' ) && $(POL_VERS) -ge 32 ]]  && echo true),true)
+ifeq ($(shell [ $(MAX_KERNEL_POLICY) -ge 32 ] && echo true),true)
+ifeq ($(shell [ $(POL_TYPE) = 'MLS' ] || [ $(POL_TYPE) = 'MCS' ] && echo true),true)
+ifeq ($(shell [ $(POL_VERS) -ge 32 ] && echo true),true)
 SUBDIRS += glblub
-endif
+endif # POL_VERS
+endif # POL_TYPE
+endif # MAX_KERNEL_POLICY
 
 ifeq ($(shell grep "^SELINUX_INFINIBAND_ENDPORT_TEST=" infiniband_endport/ibendport_test.conf | cut -d'=' -f 2),1)
 SUBDIRS += infiniband_endport
-- 
2.26.2

[PATCH testsuite 2/4] travis: add missing node to fake selinuxfs

[Ondrej Mosnacek]

Since commit e95fe9503816 ("Add tests for default_range glblub") we look
at $(SELINUXFS)/initial_contexts/kernel to determine the type of the
policy. However, this node is not provided by the fake selinuxfs created
by our CI scripts, leading to non-fatal errors like this:

[...]
make[1]: Entering directory '/home/travis/build/WOnder93/selinux-testsuite/policy'
cat: /tmp/fake-selinuxfs/initial_contexts/kernel: No such file or directory
[...]

Create that node and fill it with the ussual kernel context to silence
the errors.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 .travis.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 18ab6b9..ae08c66 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -55,6 +55,8 @@ before_install:
   # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
   - mkdir -p /tmp/fake-selinuxfs/policy_capabilities
   - echo 1 > /tmp/fake-selinuxfs/policy_capabilities/extended_socket_class
+  - mkdir -p /tmp/fake-selinuxfs/initial_contexts
+  - echo system_u:system_r:kernel_t:s0 > /tmp/fake-selinuxfs/initial_contexts/kernel
   - echo 999 >/tmp/fake-selinuxfs/policyvers
 
 script:
-- 
2.26.2

[PATCH testsuite 3/4] travis: fix git/cache handling

[Ondrej Mosnacek]

The current way of fetching new changes from git blows up when there has
been a force-push. Switch to just fetching and then checking out the
remote branch directly rather than using git pull.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 travis-ci/setup-policy-fedora.sh    | 10 ++++++----
 travis-ci/setup-policy-refpolicy.sh |  4 +++-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/travis-ci/setup-policy-fedora.sh b/travis-ci/setup-policy-fedora.sh
index d2793f0..bce8698 100644
--- a/travis-ci/setup-policy-fedora.sh
+++ b/travis-ci/setup-policy-fedora.sh
@@ -4,11 +4,12 @@ set -ex
 
 if ! [ -d selinux-policy/.git ]; then
 	git clone --recursive https://github.com/fedora-selinux/selinux-policy
-	(cd selinux-policy/policy/modules/contrib && git checkout rawhide)
 else
-	(cd selinux-policy && git pull || { git checkout '*' && git pull; })
-	(cd selinux-policy/policy/modules/contrib && git pull)
+	git -C selinux-policy fetch origin
+	git -C selinux-policy/policy/modules/contrib fetch origin
 fi
+git -C selinux-policy checkout origin/rawhide
+git -C selinux-policy/policy/modules/contrib checkout origin/rawhide
 
 if ! [ -d container-selinux/.git ]; then
 	git clone https://github.com/containers/container-selinux.git
@@ -17,8 +18,9 @@ if ! [ -d container-selinux/.git ]; then
 			selinux-policy/policy/modules/contrib/$f
 	done
 else
-	(cd container-selinux && git pull)
+	git -C container-selinux fetch origin
 fi
+git -C container-selinux checkout origin/master
 
 cd selinux-policy
 
diff --git a/travis-ci/setup-policy-refpolicy.sh b/travis-ci/setup-policy-refpolicy.sh
index abd4ca4..3010467 100644
--- a/travis-ci/setup-policy-refpolicy.sh
+++ b/travis-ci/setup-policy-refpolicy.sh
@@ -5,11 +5,13 @@ set -ex
 if ! [ -d refpolicy/.git ]; then
 	git clone https://github.com/SELinuxProject/refpolicy
 else
-	git pull || { git checkout '*' && git pull; }
+	git -C refpolicy fetch origin
 fi
 
 cd refpolicy
 
+git checkout origin/master
+
 [ -f policy/modules.conf ] || make conf
 
 make -j`nproc --all` BINDIR=/usr/local/bin SBINDIR=/usr/local/sbin
-- 
2.26.2

[PATCH testsuite 4/4] tests: stop using deprecated security_context_t

[Ondrej Mosnacek]

In Travis CI, GCC reports in several places:

gcc -g -O0 -Wall -D_GNU_SOURCE -DHAVE_BPF    parent.c  -lselinux -o parent
parent.c: In function ‘main’:
parent.c:25:2: warning: ‘security_context_t’ is deprecated [-Wdeprecated-declarations]
  security_context_t context_s;
  ^~~~~~~~~~~~~~~~~~

Fix this by using plain char * instead of security_context_t.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 tests/bounds/thread.c    | 4 ++--
 tests/dyntrace/parent.c  | 2 +-
 tests/dyntrans/parent.c  | 2 +-
 tests/execshare/parent.c | 2 +-
 tests/exectrace/parent.c | 2 +-
 tests/inherit/parent.c   | 2 +-
 tests/prlimit/parent.c   | 2 +-
 tests/setnice/parent.c   | 2 +-
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/tests/bounds/thread.c b/tests/bounds/thread.c
index d09a634..acb976f 100644
--- a/tests/bounds/thread.c
+++ b/tests/bounds/thread.c
@@ -19,7 +19,7 @@ static int thread_status = 0;
 
 static void *worker(void *datap)
 {
-	security_context_t security_context = datap;
+	char *security_context = datap;
 	int rc;
 
 	rc = setcon(security_context);
@@ -31,7 +31,7 @@ static void *worker(void *datap)
 
 int main(int argc, char *argv[])
 {
-	security_context_t security_context;
+	char *security_context;
 	context_t context;
 	pthread_t thread;
 	int rc;
diff --git a/tests/dyntrace/parent.c b/tests/dyntrace/parent.c
index a3a644e..63cbd76 100644
--- a/tests/dyntrace/parent.c
+++ b/tests/dyntrace/parent.c
@@ -12,7 +12,7 @@
 int main(int argc, char **argv)
 {
 	int pid, rc, status;
-	security_context_t context_s;
+	char *context_s;
 	context_t context;
 	char *child_argv[3];
 
diff --git a/tests/dyntrans/parent.c b/tests/dyntrans/parent.c
index 660a1d5..c8320cc 100644
--- a/tests/dyntrans/parent.c
+++ b/tests/dyntrans/parent.c
@@ -11,7 +11,7 @@
 int main(int argc, char **argv)
 {
 	int rc;
-	security_context_t context_s;
+	char *context_s;
 	context_t context;
 
 	if (argc != 2) {
diff --git a/tests/execshare/parent.c b/tests/execshare/parent.c
index 2357265..5b9bd80 100644
--- a/tests/execshare/parent.c
+++ b/tests/execshare/parent.c
@@ -22,7 +22,7 @@ int main(int argc, char **argv)
 	int pagesize;
 	void *clone_stack, *page;
 	int pid, rc, status, cloneflags;
-	security_context_t context_s;
+	char *context_s;
 	context_t context;
 
 	if (argc != 4) {
diff --git a/tests/exectrace/parent.c b/tests/exectrace/parent.c
index 88adb56..6906ee9 100644
--- a/tests/exectrace/parent.c
+++ b/tests/exectrace/parent.c
@@ -11,7 +11,7 @@
 int main(int argc, char **argv)
 {
 	int pid, rc, status;
-	security_context_t context_s;
+	char *context_s;
 	context_t context;
 
 	if (argc != 3) {
diff --git a/tests/inherit/parent.c b/tests/inherit/parent.c
index be48b79..10b59b4 100644
--- a/tests/inherit/parent.c
+++ b/tests/inherit/parent.c
@@ -9,7 +9,7 @@
 int main(int argc, char **argv)
 {
 	char **childargv;
-	security_context_t context_s;
+	char *context_s;
 	context_t context;
 	int rc, fd;
 
diff --git a/tests/prlimit/parent.c b/tests/prlimit/parent.c
index 11c0c25..b735445 100644
--- a/tests/prlimit/parent.c
+++ b/tests/prlimit/parent.c
@@ -26,7 +26,7 @@ int main(int argc, char **argv)
 {
 	char buf[1];
 	int pid, rc, fd[2], fd2[2], opt;
-	security_context_t context_s;
+	char *context_s;
 	context_t context;
 	struct rlimit newrlim, oldrlim, *newrlimp = NULL, *oldrlimp = NULL;
 	bool get = false, set = false, soft = false;
diff --git a/tests/setnice/parent.c b/tests/setnice/parent.c
index b010aa0..bbb0c7f 100644
--- a/tests/setnice/parent.c
+++ b/tests/setnice/parent.c
@@ -14,7 +14,7 @@ int main(int argc, char **argv)
 {
 	char buf[1];
 	int pid, rc, rc2, fd[2], fd2[2];
-	security_context_t context_s;
+	char *context_s;
 	context_t context;
 
 	if (argc != 3) {
-- 
2.26.2

Re: [PATCH testsuite 1/4] Makefiles: remove bashisms

[Stephen Smalley]

On Tue, Jun 23, 2020 at 8:37 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> In Travis CI (Ubuntu), the shell used by Make doesn't understand
> bashisms like [[ ... ]]. Replace them with plain [ ... ] and also break
> up the conditionals for better readabilty.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

When I ran into these issues (along with some similar problems with
bashisms in some of the test scripts) in getting the testsuite to pass
on Debian and Ubuntu, I addressed it by running dkpg-reconfigure dash
and switching the default shell to bash (as noted in the README.md).
Not objecting to changing it but just noting that there are further
bashisms in the testsuite beyond the Makefiles.

In any event,
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Re: [PATCH testsuite 2/4] travis: add missing node to fake selinuxfs

[Stephen Smalley]

On Tue, Jun 23, 2020 at 8:37 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> Since commit e95fe9503816 ("Add tests for default_range glblub") we look
> at $(SELINUXFS)/initial_contexts/kernel to determine the type of the
> policy. However, this node is not provided by the fake selinuxfs created
> by our CI scripts, leading to non-fatal errors like this:
>
> [...]
> make[1]: Entering directory '/home/travis/build/WOnder93/selinux-testsuite/policy'
> cat: /tmp/fake-selinuxfs/initial_contexts/kernel: No such file or directory
> [...]
>
> Create that node and fill it with the ussual kernel context to silence
> the errors.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Not objecting to fixing this but wondered if you had considered
extending the .travis.yml to actually run the testsuite in a
SELinux-enabled VM as per the selinux .travis.yml.

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Re: [PATCH testsuite 3/4] travis: fix git/cache handling

[Stephen Smalley]

On Tue, Jun 23, 2020 at 8:37 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> The current way of fetching new changes from git blows up when there has
> been a force-push. Switch to just fetching and then checking out the
> remote branch directly rather than using git pull.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Re: [PATCH testsuite 4/4] tests: stop using deprecated security_context_t

[Stephen Smalley]

On Tue, Jun 23, 2020 at 8:37 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> In Travis CI, GCC reports in several places:
>
> gcc -g -O0 -Wall -D_GNU_SOURCE -DHAVE_BPF    parent.c  -lselinux -o parent
> parent.c: In function ‘main’:
> parent.c:25:2: warning: ‘security_context_t’ is deprecated [-Wdeprecated-declarations]
>   security_context_t context_s;
>   ^~~~~~~~~~~~~~~~~~
>
> Fix this by using plain char * instead of security_context_t.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Re: [PATCH testsuite 1/4] Makefiles: remove bashisms

[Paul Moore]

On Tue, Jun 23, 2020 at 9:10 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> On Tue, Jun 23, 2020 at 8:37 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > In Travis CI (Ubuntu), the shell used by Make doesn't understand
> > bashisms like [[ ... ]]. Replace them with plain [ ... ] and also break
> > up the conditionals for better readabilty.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> When I ran into these issues (along with some similar problems with
> bashisms in some of the test scripts) in getting the testsuite to pass
> on Debian and Ubuntu, I addressed it by running dkpg-reconfigure dash
> and switching the default shell to bash (as noted in the README.md).
> Not objecting to changing it but just noting that there are further
> bashisms in the testsuite beyond the Makefiles.

Agreed.

I don't think requiring bash is the same problem that it may have been
~20 years ago; it would be even easier if Ubuntu hadn't decided to go
with dash (/me shakes fist).  Regardless of this patch, I think it
might be good to add a check to the test suite to warn (fail?) if the
current shell is not bash.

-- 
paul moore
www.paul-moore.com

Re: [PATCH testsuite 2/4] travis: add missing node to fake selinuxfs

[Ondrej Mosnacek]

On Tue, Jun 23, 2020 at 3:13 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> On Tue, Jun 23, 2020 at 8:37 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > Since commit e95fe9503816 ("Add tests for default_range glblub") we look
> > at $(SELINUXFS)/initial_contexts/kernel to determine the type of the
> > policy. However, this node is not provided by the fake selinuxfs created
> > by our CI scripts, leading to non-fatal errors like this:
> >
> > [...]
> > make[1]: Entering directory '/home/travis/build/WOnder93/selinux-testsuite/policy'
> > cat: /tmp/fake-selinuxfs/initial_contexts/kernel: No such file or directory
> > [...]
> >
> > Create that node and fill it with the ussual kernel context to silence
> > the errors.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> Not objecting to fixing this but wondered if you had considered
> extending the .travis.yml to actually run the testsuite in a
> SELinux-enabled VM as per the selinux .travis.yml.

Maybe eventually, but for now I wanted to at least fix what we have now,

-- 
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.

Re: [PATCH testsuite 2/4] travis: add missing node to fake selinuxfs

[Stephen Smalley]

On Tue, Jun 23, 2020 at 9:29 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Tue, Jun 23, 2020 at 3:13 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> > On Tue, Jun 23, 2020 at 8:37 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > Since commit e95fe9503816 ("Add tests for default_range glblub") we look
> > > at $(SELINUXFS)/initial_contexts/kernel to determine the type of the
> > > policy. However, this node is not provided by the fake selinuxfs created
> > > by our CI scripts, leading to non-fatal errors like this:
> > >
> > > [...]
> > > make[1]: Entering directory '/home/travis/build/WOnder93/selinux-testsuite/policy'
> > > cat: /tmp/fake-selinuxfs/initial_contexts/kernel: No such file or directory
> > > [...]
> > >
> > > Create that node and fill it with the ussual kernel context to silence
> > > the errors.
> > >
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> >
> > Not objecting to fixing this but wondered if you had considered
> > extending the .travis.yml to actually run the testsuite in a
> > SELinux-enabled VM as per the selinux .travis.yml.
>
> Maybe eventually, but for now I wanted to at least fix what we have now,

Sure, no problem.  In an ideal world, we'd even run it on a Debian
and/or Ubuntu SELinux-enabled VM too as part of travis-ci (following
the README.md instructions and if on Ubuntu ignoring the two
kernel-config-induced failures) but that would require an extra
relabeling and reboot step to get the VM into a SELinux enabled state.

Re: [PATCH testsuite 0/4] Various CI-related testsuite fixes

[Stephen Smalley]

On Tue, Jun 23, 2020 at 8:37 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> There are some warnings and non-fatal errors reported during CI runs.
> Additionally, the CI gets stuck when there is a force-push on some
> upstream repo that is cached. This series fixes these issues.
>
> Testing Travis run:
> https://travis-ci.org/github/WOnder93/selinux-testsuite/builds/698848141
>
> Ondrej Mosnacek (4):
>   Makefiles: remove bashisms
>   travis: add missing node to fake selinuxfs
>   travis: fix git/cache handling
>   tests: stop using deprecated security_context_t

Applied.