Re: [LTP] [PATCH] Fix running of the selinux tests

Quoting Jiri Palecek > ("<jirka"@debian.POK.IBM.COM):
> Hello,
> 
> while running the ltp selinux tests on Debian, I found some problems:
> 
> 1) the testdomain attribute cannot have setcurrent permission to itself. This is because in Debian refpolicy, only domains with attribute set_curr_context can have setcurrent permission on own processes (otherwise, it's forbidden by neverallow). And AFAIK, it's impossible to specify that domains having attribute testdomain also have attribute set_curr_context. Moreover, I found only two tests (dyntrans and dyntrace) that actually need it so far, so I'm not convinced it has to be granted globally.
> 
> 2) the testscripts (e.g. selinux_file.sh) have the test_file_t context, but they are to be run as sysadm_t. Sysadm_t therefore needs execute_no_trans permission on the test files.
> 
> Please correct me if I'm wrong.

Well we knew from the start that this method of trying to distribute
test policy wasn't going to be sustainable, but I think it's at the
point where we have to address it.

The way we were trying to handle policy changes over time was by
having 'misc/update_policy.sh' make distro- and version-specific
changes to the base refpolicy/ directory.  Jiri, if your part (1)
is a debian-specific fix, then another patch under misc/ probably
should've been used.  But as I say I think it's time to stop that
nonsense.  (I also notice a patch applied on Feb 2 by James which
makes some of the changes which misc/sbin_deprecated.patch also
does, thereby breaking its application.)

Chris, is it at all possible to distribute a module, never built
into the policy, but shipped with the sources, for the testsuite?
Then anyone who wanted to run the ltp testcases would install the
distro policy sources (yum install selinux-policy-sources,
apt-get source selinux-policy, whatever), compile the selinux-test
module, and the testsuite would

	semodule -i selinux-test.pp; run-tests; semodule -r selinux-test

?

The testcases don't really change (as far as I know) so that's not
where the churn is.  (If it was, then keeping them in upstream policy
would be more painful.)  The policy just needs to change to reflect
changes in the base policy.

thanks,
-serge
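
The install/run/remove sequence proposed above, as an added example that is not part of the original message or of LTP: a shell wrapper that unloads the test-only module even when the tests fail and confirms with `semodule -l` that it is gone. The function name `with_test_module` and the overridable `SEMODULE` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not LTP code): keep a test-only SELinux policy module loaded
# only for the duration of a test run.
# Assumptions: the name with_test_module, and SEMODULE as an override hook so
# the flow can be exercised without touching the real policy store.

SEMODULE="${SEMODULE:-semodule}"

# with_test_module <module.pp> <command> [args...]
# Exit status: the command's own status;
#              2 if the module could not be installed;
#              3 if the command passed but the module is still loaded.
with_test_module() {
    wtm_pp=$1
    shift
    wtm_name=$(basename "$wtm_pp" .pp)

    # Refuse to run tests against a policy that lacks the test module.
    "$SEMODULE" -i "$wtm_pp" || return 2

    # Capture the status instead of letting a failure abort the function,
    # so the removal step below always runs.
    wtm_status=0
    "$@" || wtm_status=$?

    "$SEMODULE" -r "$wtm_name" || true

    # Do not trust the removal's exit status alone: check the module list.
    # The first column is the module name in both old and new list formats.
    if "$SEMODULE" -l | awk '{print $1}' | grep -qx "$wtm_name"; then
        echo "error: $wtm_name is still loaded; remove it manually" >&2
        if [ "$wtm_status" -eq 0 ]; then
            wtm_status=3
        fi
    fi
    return "$wtm_status"
}
```

On a real system this would be called as root, for example `with_test_module selinux-test.pp ./run-tests`, where `run-tests` is the placeholder used in the message.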

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.