* [PATCH testsuite] travis: improve selinuxfs mocking
@ 2019-11-27 13:46 Ondrej Mosnacek
  2019-11-27 15:21 ` Stephen Smalley
  2019-12-02 17:21 ` Stephen Smalley
  0 siblings, 2 replies; 3+ messages in thread
From: Ondrej Mosnacek @ 2019-11-27 13:46 UTC (permalink / raw)
  To: selinux

Modify all Makefiles to allow overriding the path to the selinuxfs
mountpoint via the SELINUXFS variable and use it in the Travis script to
allow more stuff to be built (namely the extended_socket_class subdir).

This patch also drops the auto-detection of selinuxfs mount from
policy/Makefile in favor of overriding it via the variable if it differs
from the usual /sys/fs/selinux/.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 .travis.yml     | 8 ++++----
 policy/Makefile | 2 +-
 tests/Makefile  | 5 +++--
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index d1e5056..2c8e416 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -51,15 +51,15 @@ before_install:
   - bash travis-ci/setup-policy-fedora.sh
   - bash travis-ci/setup-policy-refpolicy.sh
   # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
-  - sudo mkdir -p /tmp/fake-selinuxfs
-  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
+  - mkdir -p /tmp/fake-selinuxfs/policy_capabilities
+  - echo 1 > /tmp/fake-selinuxfs/policy_capabilities/extended_socket_class
   - echo 999 >/tmp/fake-selinuxfs/policyvers
 
 script:
   - tools/check-syntax -f && git diff --exit-code
   - |
     bash travis-ci/enable-policy.sh targeted &&
-    make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
+    make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
   - |
     bash travis-ci/enable-policy.sh refpolicy &&
-    make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
+    make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
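Review bot: The comment kept above the new `mkdir` line still says a fake selinuxfs "mount" is established and that policy/Makefile greps for selinuxfs, but this commit removes both the tmpfs mount and the `/proc/mounts` grep, so the comment now describes the old mechanism. I would reword it to something like `# create a fake selinuxfs tree; its path is passed to make via SELINUXFS=` so the next reader does not go looking for a mount. Separately, the tree is now a plain directory at a fixed name directly under `/tmp`; that is fine on a throwaway CI VM, but if these steps are ever reused on a shared host a `mktemp -d` directory would avoid relying on a predictable path.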
diff --git a/policy/Makefile b/policy/Makefile
index 87b2856..dda2e16 100644
--- a/policy/Makefile
+++ b/policy/Makefile
@@ -3,6 +3,7 @@ PREFIX ?= /usr
 BINDIR ?= $(PREFIX)/bin
 SBINDIR ?= $(PREFIX)/sbin
 POLDEV ?= $(PREFIX)/share/selinux/devel
+SELINUXFS ?= /sys/fs/selinux
 SEMODULE = $(SBINDIR)/semodule
 CHECKPOLICY = $(BINDIR)/checkpolicy
 CHECKMODULE = $(BINDIR)/checkmodule
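Review bot: Nothing checks that `$(SELINUXFS)/policyvers` is readable before `MAX_KERNEL_POLICY` is computed from it (the context line in the next hunk), and with the `/proc/mounts` lookup removed the path is now only the default or whatever the caller passes. On a host where selinuxfs is mounted elsewhere or not at all, `cat` fails and the variable is presumably left empty, so any later comparison against it (outside the visible lines) would run on an empty string. A guard after that assignment would fail early with a clear message: `ifeq ($(wildcard $(SELINUXFS)/policyvers),)`, `$(error no policyvers under SELINUXFS=$(SELINUXFS); set SELINUXFS to the selinuxfs mountpoint)`, `endif`. Use `$(warning …)` instead if builds on hosts without selinuxfs must keep working.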
@@ -11,7 +12,6 @@ DISTRO=$(shell ../tests/os_detect)
 
 POL_VERS := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
 MOD_POL_VERS := $(shell $(CHECKMODULE) -V |cut -f 2 -d '-')
-SELINUXFS := $(shell cat /proc/mounts | grep selinuxfs | cut -f 2 -d ' ')
 MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers)
 
 TARGETS = \
diff --git a/tests/Makefile b/tests/Makefile
index 1cdb1ac..0d33fbf 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -1,5 +1,6 @@
 INCLUDEDIR ?= /usr/include
 POLDEV ?= /usr/share/selinux/devel
+SELINUXFS ?= /sys/fs/selinux
 
 export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE
 
@@ -19,11 +20,11 @@ SUBDIRS += cap_userns
 endif
 endif
 
-ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true)
+ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true)
 SUBDIRS += extended_socket_class
 endif
 
-ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true)
+ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true)
 ifneq ($(shell ./kvercmp $$(uname -r) 4.20.17),-1)
 SUBDIRS += sctp
 endif
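Review bot: `$(SELINUXFS)` is now caller-supplied (command line or environment, through `?=`) and is pasted unquoted into the `$(shell …)` command in both `ifeq` tests, so a value containing whitespace or shell metacharacters is interpreted by the shell while the Makefile is being parsed. Quoting the path keeps it a single literal argument: `grep -q 1 '$(SELINUXFS)/policy_capabilities/extended_socket_class'`. The same applies to `cat $(SELINUXFS)/policyvers` in policy/Makefile. The second conditional's closing `endif` lies outside the hunk.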
-- 
2.23.0



* Re: [PATCH testsuite] travis: improve selinuxfs mocking
  2019-11-27 13:46 [PATCH testsuite] travis: improve selinuxfs mocking Ondrej Mosnacek
@ 2019-11-27 15:21 ` Stephen Smalley
  2019-12-02 17:21 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2019-11-27 15:21 UTC (permalink / raw)
  To: Ondrej Mosnacek, selinux

On 11/27/19 8:46 AM, Ondrej Mosnacek wrote:
> Modify all Makefiles to allow overriding the path to the selinuxfs
> mountpoint via the SELINUXFS variable and use it in the Travis script to
> allow more stuff to be built (namely the extended_socket_class subdir).
> 
> This patch also drops the auto-detection of selinuxfs mount from
> policy/Makefile in favor of overriding it via the variable if it differs
> from the usual /sys/fs/selinux/.

This seems fine but note that several test scripts also access 
/sys/fs/selinux for various purposes:
tests/mkdir/test:    @locations = ( '/selinux', '/sys/fs/selinux' );
tests/nnp_nosuid/test:"grep -q 1 
/sys/fs/selinux/policy_capabilities/nnp_nosuid_transition 2> /dev/null"
tests/checkreqprot/default_value.sh:	grep -q 0 
/sys/fs/selinux/checkreqprot 2> /dev/null
tests/mmap/test:    if ( system("grep -q 0 /sys/fs/selinux/checkreqprot 
2> /dev/null") == 0 ) {
tests/mmap/test:    if ( -e '/sys/fs/selinux/class/file/perms/map' ) {

This won't matter until/unless we get to the point of actually running 
the testsuite on travis, in which case we should have a real 
/sys/fs/selinux so it may not matter.

> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
>   .travis.yml     | 8 ++++----
>   policy/Makefile | 2 +-
>   tests/Makefile  | 5 +++--
>   3 files changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/.travis.yml b/.travis.yml
> index d1e5056..2c8e416 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -51,15 +51,15 @@ before_install:
>     - bash travis-ci/setup-policy-fedora.sh
>     - bash travis-ci/setup-policy-refpolicy.sh
>     # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
> -  - sudo mkdir -p /tmp/fake-selinuxfs
> -  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
> +  - mkdir -p /tmp/fake-selinuxfs/policy_capabilities
> +  - echo 1 > /tmp/fake-selinuxfs/policy_capabilities/extended_socket_class
>     - echo 999 >/tmp/fake-selinuxfs/policyvers
>   
>   script:
>     - tools/check-syntax -f && git diff --exit-code
>     - |
>       bash travis-ci/enable-policy.sh targeted &&
> -    make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
> +    make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
>     - |
>       bash travis-ci/enable-policy.sh refpolicy &&
> -    make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
> +    make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
> diff --git a/policy/Makefile b/policy/Makefile
> index 87b2856..dda2e16 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -3,6 +3,7 @@ PREFIX ?= /usr
>   BINDIR ?= $(PREFIX)/bin
>   SBINDIR ?= $(PREFIX)/sbin
>   POLDEV ?= $(PREFIX)/share/selinux/devel
> +SELINUXFS ?= /sys/fs/selinux
>   SEMODULE = $(SBINDIR)/semodule
>   CHECKPOLICY = $(BINDIR)/checkpolicy
>   CHECKMODULE = $(BINDIR)/checkmodule
> @@ -11,7 +12,6 @@ DISTRO=$(shell ../tests/os_detect)
>   
>   POL_VERS := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
>   MOD_POL_VERS := $(shell $(CHECKMODULE) -V |cut -f 2 -d '-')
> -SELINUXFS := $(shell cat /proc/mounts | grep selinuxfs | cut -f 2 -d ' ')
>   MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers)
>   
>   TARGETS = \
> diff --git a/tests/Makefile b/tests/Makefile
> index 1cdb1ac..0d33fbf 100644
> --- a/tests/Makefile
> +++ b/tests/Makefile
> @@ -1,5 +1,6 @@
>   INCLUDEDIR ?= /usr/include
>   POLDEV ?= /usr/share/selinux/devel
> +SELINUXFS ?= /sys/fs/selinux
>   
>   export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE
>   
> @@ -19,11 +20,11 @@ SUBDIRS += cap_userns
>   endif
>   endif
>   
> -ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true)
> +ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true)
>   SUBDIRS += extended_socket_class
>   endif
>   
> -ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true)
> +ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true)
>   ifneq ($(shell ./kvercmp $$(uname -r) 4.20.17),-1)
>   SUBDIRS += sctp
>   endif
> 



* Re: [PATCH testsuite] travis: improve selinuxfs mocking
  2019-11-27 13:46 [PATCH testsuite] travis: improve selinuxfs mocking Ondrej Mosnacek
  2019-11-27 15:21 ` Stephen Smalley
@ 2019-12-02 17:21 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2019-12-02 17:21 UTC (permalink / raw)
  To: Ondrej Mosnacek, selinux

On 11/27/19 8:46 AM, Ondrej Mosnacek wrote:
> Modify all Makefiles to allow overriding the path to the selinuxfs
> mountpoint via the SELINUXFS variable and use it in the Travis script to
> allow more stuff to be built (namely the extended_socket_class subdir).
> 
> This patch also drops the auto-detection of selinuxfs mount from
> policy/Makefile in favor of overriding it via the variable if it differs
> from the usual /sys/fs/selinux/.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Thanks, applied.

> ---
>   .travis.yml     | 8 ++++----
>   policy/Makefile | 2 +-
>   tests/Makefile  | 5 +++--
>   3 files changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/.travis.yml b/.travis.yml
> index d1e5056..2c8e416 100644
> --- a/.travis.yml
> +++ b/.travis.yml
> @@ -51,15 +51,15 @@ before_install:
>     - bash travis-ci/setup-policy-fedora.sh
>     - bash travis-ci/setup-policy-refpolicy.sh
>     # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)
> -  - sudo mkdir -p /tmp/fake-selinuxfs
> -  - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs
> +  - mkdir -p /tmp/fake-selinuxfs/policy_capabilities
> +  - echo 1 > /tmp/fake-selinuxfs/policy_capabilities/extended_socket_class
>     - echo 999 >/tmp/fake-selinuxfs/policyvers
>   
>   script:
>     - tools/check-syntax -f && git diff --exit-code
>     - |
>       bash travis-ci/enable-policy.sh targeted &&
> -    make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
> +    make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted
>     - |
>       bash travis-ci/enable-policy.sh refpolicy &&
> -    make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
> +    make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy
> diff --git a/policy/Makefile b/policy/Makefile
> index 87b2856..dda2e16 100644
> --- a/policy/Makefile
> +++ b/policy/Makefile
> @@ -3,6 +3,7 @@ PREFIX ?= /usr
>   BINDIR ?= $(PREFIX)/bin
>   SBINDIR ?= $(PREFIX)/sbin
>   POLDEV ?= $(PREFIX)/share/selinux/devel
> +SELINUXFS ?= /sys/fs/selinux
>   SEMODULE = $(SBINDIR)/semodule
>   CHECKPOLICY = $(BINDIR)/checkpolicy
>   CHECKMODULE = $(BINDIR)/checkmodule
> @@ -11,7 +12,6 @@ DISTRO=$(shell ../tests/os_detect)
>   
>   POL_VERS := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
>   MOD_POL_VERS := $(shell $(CHECKMODULE) -V |cut -f 2 -d '-')
> -SELINUXFS := $(shell cat /proc/mounts | grep selinuxfs | cut -f 2 -d ' ')
>   MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers)
>   
>   TARGETS = \
> diff --git a/tests/Makefile b/tests/Makefile
> index 1cdb1ac..0d33fbf 100644
> --- a/tests/Makefile
> +++ b/tests/Makefile
> @@ -1,5 +1,6 @@
>   INCLUDEDIR ?= /usr/include
>   POLDEV ?= /usr/share/selinux/devel
> +SELINUXFS ?= /sys/fs/selinux
>   
>   export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE
>   
> @@ -19,11 +20,11 @@ SUBDIRS += cap_userns
>   endif
>   endif
>   
> -ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true)
> +ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true)
>   SUBDIRS += extended_socket_class
>   endif
>   
> -ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true)
> +ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true)
>   ifneq ($(shell ./kvercmp $$(uname -r) 4.20.17),-1)
>   SUBDIRS += sctp
>   endif
> 


