2012/5/4 Stephen Smalley <sds@xxxxxxxxxxxxxx>: > On Fri, 2012-05-04 at 15:48 +0200, Kohei KaiGai wrote: >> Does anyone have a tool to run regression test when we construct a patch? >> (Or, is it available to construct using existing tools?) >> >> Right now, I have to replace a working policy by the modified one whenever >> I prepare to submit a patch towards reference policy. However, the default >> security policy of Fedora is optimized to Fedora environment, thus, it often >> mismatch with the latest upstream policy. >> For example, "allow_execmem" is not defined at Fedora, so, I could not >> load the staff.pp being constructed based on the upstream policy >> >> So, the solution I'm looking for is a tool that loads a monolithic policy and >> checks its access control decision towards a certain pair of subject context >> and target context according to catalog files, then it prints the result of >> diff commands between the computed one and expected one. > > Possibly you could derive such a tool from checkpolicy -d, switching > from a menu-driven interface to a scriptable one. > > checkpolicy -Mdb /etc/selinux/targeted/policy/policy.24 > > setools would be the other option, but sesearch only deals with TE > rules. > Thanks for your suggestion. I totally agree with the idea to expand checkpolicy to accept a script that describes a set of patterns to be checked. I'll try to investigate it in this weekend. Thanks, -- KaiGai Kohei <kaigai@xxxxxxxxxxxx> -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
