selinux.vger.kernel.org archive mirror
* [PATCH testsuite] policy: do not rebuild policy package if already built
@ 2019-09-23  9:58 Ondrej Mosnacek
  2019-09-23 10:01 ` Ondrej Mosnacek
  2019-09-23 14:11 ` Stephen Smalley
  0 siblings, 2 replies; 6+ messages in thread
From: Ondrej Mosnacek @ 2019-09-23  9:58 UTC (permalink / raw)
  To: selinux

Right now, test_policy.pp is rebuilt on every make invocation. Tweak the
Makefile so that it is only built when it hasn't been built, it has been
cleaned, or the source files changed.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 policy/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/Makefile b/policy/Makefile
index a5942b3..cc0f140 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -86,7 +86,7 @@ ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
 endif
 
-all: build
+all: test_policy/test_policy.pp
 
 expand_check:
 	# Test for "expand-check = 0" in /etc/selinux/semanage.conf
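Review bot: The `all:` line now names the file `test_policy/test_policy.pp`, and the `build:` rule is renamed in the next hunk, so `build` stops existing as a target. If any other rule, `.PHONY` list or script still refers to `build`, it will fail with a missing-target error; consider keeping a phony alias such as `build: test_policy/test_policy.pp` so existing invocations keep working.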
@@ -94,7 +94,7 @@ expand_check:
 		(echo "ERROR: set 'expand-check = 0' in /etc/selinux/semanage.conf"; \
 		 /bin/false)
 
-build: $(TARGETS)
+test_policy/test_policy.pp: $(TARGETS) test_policy.if
 	# General policy build
 	@if [ -d $(POLDEV) ]; then \
 		mkdir -p test_policy; \
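Review bot: The prerequisite list on `test_policy/test_policy.pp: $(TARGETS) test_policy.if` names only files inside the test suite, while the recipe builds against `$(POLDEV)`, so a changed system policy development tree will not trigger a rebuild and the tests can run against a stale module. Either keep the `$(POLDEV)` sub-make unconditional (for example through a forced phony prerequisite) or add a dependency that reflects the state of `$(POLDEV)`. Also check that the path where `[ -d $(POLDEV) ]` is false still produces the target file, since the rule now promises one.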
-- 
2.21.0



* Re: [PATCH testsuite] policy: do not rebuild policy package if already built
  2019-09-23  9:58 [PATCH testsuite] policy: do not rebuild policy package if already built Ondrej Mosnacek
@ 2019-09-23 10:01 ` Ondrej Mosnacek
  2019-09-23 14:11 ` Stephen Smalley
  1 sibling, 0 replies; 6+ messages in thread
From: Ondrej Mosnacek @ 2019-09-23 10:01 UTC (permalink / raw)
  To: SElinux list

On Mon, Sep 23, 2019 at 11:58 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> Right now, test_policy.pp is rebuilt on every make invocation. Tweak the
> Makefile so that it is only built when it hasn't been built, it has been
> cleaned, or the source files changed.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>  policy/Makefile | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/Makefile b/policy/Makefile
> index a5942b3..cc0f140 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -86,7 +86,7 @@ ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
>  TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
>  endif
>
> -all: build
> +all: test_policy/test_policy.pp
>
>  expand_check:
>         # Test for "expand-check = 0" in /etc/selinux/semanage.conf
> @@ -94,7 +94,7 @@ expand_check:
>                 (echo "ERROR: set 'expand-check = 0' in /etc/selinux/semanage.conf"; \
>                  /bin/false)
>
> -build: $(TARGETS)
> +test_policy/test_policy.pp: $(TARGETS) test_policy.if
>         # General policy build
>         @if [ -d $(POLDEV) ]; then \
>                 mkdir -p test_policy; \
> --
> 2.21.0
>

This doesn't make much of a difference performance-wise, but the
behavior is more logical this way.

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.



* Re: [PATCH testsuite] policy: do not rebuild policy package if already built
  2019-09-23  9:58 [PATCH testsuite] policy: do not rebuild policy package if already built Ondrej Mosnacek
  2019-09-23 10:01 ` Ondrej Mosnacek
@ 2019-09-23 14:11 ` Stephen Smalley
  2019-09-24 10:51   ` Ondrej Mosnacek
  1 sibling, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2019-09-23 14:11 UTC (permalink / raw)
  To: Ondrej Mosnacek, selinux

On 9/23/19 5:58 AM, Ondrej Mosnacek wrote:
> Right now, test_policy.pp is rebuilt on every make invocation. Tweak the
> Makefile so that it is only built when it hasn't been built, it has been
> cleaned, or the source files changed.

It also needs to be rebuilt if anything under
/usr/share/selinux/devel/include has changed, e.g. upon an update of
selinux-policy-devel.

> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   policy/Makefile | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/Makefile b/policy/Makefile
> index a5942b3..cc0f140 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -86,7 +86,7 @@ ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
>   TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
>   endif
>   
> -all: build
> +all: test_policy/test_policy.pp
>   
>   expand_check:
>   	# Test for "expand-check = 0" in /etc/selinux/semanage.conf
> @@ -94,7 +94,7 @@ expand_check:
>   		(echo "ERROR: set 'expand-check = 0' in /etc/selinux/semanage.conf"; \
>   		 /bin/false)
>   
> -build: $(TARGETS)
> +test_policy/test_policy.pp: $(TARGETS) test_policy.if
>   	# General policy build
>   	@if [ -d $(POLDEV) ]; then \
>   		mkdir -p test_policy; \
> 



* Re: [PATCH testsuite] policy: do not rebuild policy package if already built
  2019-09-23 14:11 ` Stephen Smalley
@ 2019-09-24 10:51   ` Ondrej Mosnacek
  2019-09-24 13:58     ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Ondrej Mosnacek @ 2019-09-24 10:51 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SElinux list

On Mon, Sep 23, 2019 at 4:11 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 9/23/19 5:58 AM, Ondrej Mosnacek wrote:
> > Right now, test_policy.pp is rebuilt on every make invocation. Tweak the
> > Makefile so that it is only built when it hasn't been built, it has been
> > cleaned, or the source files changed.
>
> It also needs to be rebuilt if anything under
> /usr/share/selinux/devel/include has changed e.g. upon an update of
> selinux-policy-devel.

I am now testing a version that always executes the `$(MAKE) -C
test_policy -f $(POLDEV)/Makefile test_policy.pp` step, relying on the
system Makefile to rebuild the pp as needed (there already are proper
dependencies on the include files). However, the package manager on
Fedora preserves the timestamps of the installed files (from package
build time), which means that make doesn't always detect that the
files are newer than the already built policy package.

So it looks like we don't have any other choice than to always rebuild
if we really need to auto-react to changing system files.

>
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >   policy/Makefile | 4 ++--
> >   1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/policy/Makefile b/policy/Makefile
> > index a5942b3..cc0f140 100644
> > --- a/policy/Makefile
> > +++ b/policy/Makefile
> > @@ -86,7 +86,7 @@ ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
> >   TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
> >   endif
> >
> > -all: build
> > +all: test_policy/test_policy.pp
> >
> >   expand_check:
> >       # Test for "expand-check = 0" in /etc/selinux/semanage.conf
> > @@ -94,7 +94,7 @@ expand_check:
> >               (echo "ERROR: set 'expand-check = 0' in /etc/selinux/semanage.conf"; \
> >                /bin/false)
> >
> > -build: $(TARGETS)
> > +test_policy/test_policy.pp: $(TARGETS) test_policy.if
> >       # General policy build
> >       @if [ -d $(POLDEV) ]; then \
> >               mkdir -p test_policy; \
> >
>


-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
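
The timestamp problem described in the message above, as an added example that is not part of the original thread or the testsuite's Makefile: it reproduces a header whose content changed but whose mtime predates the built package, and shows a content-digest stamp catching what the mtime comparison misses. The function names, the `include.stamp` file and the sample `kernel.if` contents are constructed for illustration; `sha256sum` from coreutils is assumed.

```shell
#!/bin/sh
# Constructed demo: make-style mtime check vs. a content digest for dependency
# files whose timestamps are preserved at install time. All names are hypothetical.

# tree_digest DIR: one SHA-256 over the per-file SHA-256 lines of DIR.
tree_digest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort |
        sha256sum | cut -d' ' -f1 )
}

# refresh_stamp DIR STAMP: rewrite STAMP only when DIR's digest changed, so the
# stamp's mtime moves exactly when content does and can serve as a make
# prerequisite. Returns 0 if updated (rebuild needed), 1 if unchanged.
refresh_stamp() {
    new=$(tree_digest "$1") || return 2
    if [ -f "$2" ] && [ "$(cat "$2")" = "$new" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$2"
}

# mtime_newer DEP TARGET: the comparison make relies on.
mtime_newer() { [ "$1" -nt "$2" ]; }

# demo: simulate a package update that installs changed content carrying an
# old (package build time) timestamp, then ask both checks for a verdict.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/include"
    echo 'interface v1' > "$d/include/kernel.if"
    touch -t 201901010000 "$d/include/kernel.if"
    refresh_stamp "$d/include" "$d/include.stamp"
    : > "$d/test_policy.pp"                        # policy package built "now"
    echo 'interface v2' > "$d/include/kernel.if"   # updated header content
    touch -t 201906010000 "$d/include/kernel.if"   # mtime from package build
    if mtime_newer "$d/include/kernel.if" "$d/test_policy.pp"; then
        m=rebuild; else m=stale; fi
    if refresh_stamp "$d/include" "$d/include.stamp"; then
        g=rebuild; else g=stale; fi
    rm -rf "$d"
    echo "mtime=$m digest=$g"
}

demo
```

The mtime check reports the package as up to date while the digest check asks for a rebuild; running `refresh_stamp` before make evaluates prerequisites and listing the stamp as a prerequisite would carry that verdict into the build.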



* Re: [PATCH testsuite] policy: do not rebuild policy package if already built
  2019-09-24 10:51   ` Ondrej Mosnacek
@ 2019-09-24 13:58     ` Stephen Smalley
  2019-09-24 17:24       ` Paul Moore
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2019-09-24 13:58 UTC (permalink / raw)
  To: Ondrej Mosnacek; +Cc: SElinux list

On 9/24/19 6:51 AM, Ondrej Mosnacek wrote:
> On Mon, Sep 23, 2019 at 4:11 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 9/23/19 5:58 AM, Ondrej Mosnacek wrote:
>>> Right now, test_policy.pp is rebuilt on every make invocation. Tweak the
>>> Makefile so that it is only built when it hasn't been built, it has been
>>> cleaned, or the source files changed.
>>
>> It also needs to be rebuilt if anything under
>> /usr/share/selinux/devel/include has changed e.g. upon an update of
>> selinux-policy-devel.
> 
> I am now testing a version that always executes the `$(MAKE) -C
> test_policy -f $(POLDEV)/Makefile test_policy.pp` step, relying on the
> system Makefile to rebuild the pp as needed (there already are proper
> dependencies on the include files). However, the package manager on
> Fedora preserves the timestamps of the installed files (from package
> build time), which means that make doesn't always detect that the
> files are newer than the already built policy package.
> 
> So it looks like we don't have any other choice than to always rebuild
> if we really need to auto-react to changing system files.

I'd rather err on the side of rebuilding too often than using stale policy.

> 
>>
>>>
>>> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
>>> ---
>>>    policy/Makefile | 4 ++--
>>>    1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/policy/Makefile b/policy/Makefile
>>> index a5942b3..cc0f140 100644
>>> --- a/policy/Makefile
>>> +++ b/policy/Makefile
>>> @@ -86,7 +86,7 @@ ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
>>>    TARGETS:=$(filter-out test_overlayfs.te test_mqueue.te test_ibpkey.te, $(TARGETS))
>>>    endif
>>>
>>> -all: build
>>> +all: test_policy/test_policy.pp
>>>
>>>    expand_check:
>>>        # Test for "expand-check = 0" in /etc/selinux/semanage.conf
>>> @@ -94,7 +94,7 @@ expand_check:
>>>                (echo "ERROR: set 'expand-check = 0' in /etc/selinux/semanage.conf"; \
>>>                 /bin/false)
>>>
>>> -build: $(TARGETS)
>>> +test_policy/test_policy.pp: $(TARGETS) test_policy.if
>>>        # General policy build
>>>        @if [ -d $(POLDEV) ]; then \
>>>                mkdir -p test_policy; \
>>>
>>
> 
> 



* Re: [PATCH testsuite] policy: do not rebuild policy package if already built
  2019-09-24 13:58     ` Stephen Smalley
@ 2019-09-24 17:24       ` Paul Moore
  0 siblings, 0 replies; 6+ messages in thread
From: Paul Moore @ 2019-09-24 17:24 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Ondrej Mosnacek, SElinux list

On Tue, Sep 24, 2019 at 9:58 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 9/24/19 6:51 AM, Ondrej Mosnacek wrote:
> > On Mon, Sep 23, 2019 at 4:11 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> On 9/23/19 5:58 AM, Ondrej Mosnacek wrote:
> >>> Right now, test_policy.pp is rebuilt on every make invocation. Tweak the
> >>> Makefile so that it is only built when it hasn't been built, it has been
> >>> cleaned, or the source files changed.
> >>
> >> It also needs to be rebuilt if anything under
> >> /usr/share/selinux/devel/include has changed e.g. upon an update of
> >> selinux-policy-devel.
> >
> > I am now testing a version that always executes the `$(MAKE) -C
> > test_policy -f $(POLDEV)/Makefile test_policy.pp` step, relying on the
> > system Makefile to rebuild the pp as needed (there already are proper
> > dependencies on the include files). However, the package manager on
> > Fedora preserves the timestamps of the installed files (from package
> > build time), which means that make doesn't always detect that the
> > files are newer than the already built policy package.
> >
> > So it looks like we don't have any other choice than to always rebuild
> > if we really need to auto-react to changing system files.
>
> I'd rather err on the side of rebuilding too often than using stale policy.

That would be my preference as well.  In fact, I actually recommend
doing a 'make clean' before building and running the tests simply to
make sure everything in the dependency list and toolchain is still
working properly with the bits in the test suite.

-- 
paul moore
www.paul-moore.com

