Hello,

A few months ago I saw that "make -C libsepol test" succeeded even though it
displayed what looked like a failure:

    ./libsepol-tests

         CUnit - A unit testing framework for C - Version 2.1-3
         http://cunit.sourceforge.net/

    Suite: cond
      Test: cond_expr_equal ...passed
    Suite: linker
      Test: linker_indexes ...passed
      Test: linker_types ...passed
      Test: linker_roles ...
    role o1_b_role_1 has 0 types, 1 expected
    role o1_b_role_1 has 0 types, 1 expected
    role o1_m1_role_1 has 0 types, 1 expected
    sym g_b_role_2 has 1 decls, 2 expected
    Role o1_b_role_2 had type o1_b_type_1 not in types array
    role o1_b_role_2 has 0 types, 1 expected
    Role g_b_role_4 had type g_m1_type_2 not in types array
    role g_b_role_4 has 0 types, 1 expected
    role o3_b_role_1 has 0 types, 1 expected
    role o3_b_role_1 has 0 types, 1 expected
    role o4_b_role_1 has 0 types, 1 expected
    Role o4_b_role_1 had type g_m1_type_1 not in types array
    FAILED
        1. test-common.c:216 - found == len
        2. test-common.c:216 - found == len
        3. test-common.c:216 - found == len
        4. test-common.c:43 - scope->decl_ids_len == len
        5. test-common.c:52 - found == 1
        6. test-common.c:213 - new == 1
        7. test-common.c:216 - found == len
        8. test-common.c:213 - new == 1
        9. test-common.c:216 - found == len
        10. test-common.c:216 - found == len
        11. test-common.c:216 - found == len
        12. test-common.c:216 - found == len
        13. test-common.c:213 - new == 1
      Test: linker_cond ...passed
    Suite: expander
      Test: expander_indexes ...passed
      Test: expander_attr_mapping ...passed
      Test: expander_role_mapping ...passed
      Test: expander_user_mapping ...passed
      Test: expander_alias ...passed
    Suite: deps
      Test: deps_modreq_global ...passed
      Test: deps_modreq_opt ...passed
    Suite: downgrade
      Test: downgrade ...passed

    Run Summary:    Type  Total    Ran Passed Failed Inactive
                  suites      5      5    n/a      0        0
                   tests     13     13     12      1        0
                 asserts   1269   1269   1256     13      n/a

    Elapsed time = 1.420 seconds

I can see 3 reasons behind such a failure report:

* there is a bug somewhere in libsepol and the tests detect it,
* the tests are outdated and they need to be either removed or updated, or
* my test system is configured in a way that makes the tests fail even though
  they should not.

Moreover, even though the tests are failing, it is quite disturbing that
"make test" is succeeding. This is because the CUnit tests only exit with a
failed error code when an error occurred in the CUnit framework, not in tests.
The last patch of this series fixes this.

As I did not understand anything at first when I read the code of libsepol
tests, I wrote some code to dump some tables of the loaded policy
(p->symtab[SYM_ROLES], and p->decl_val_to_struct[...]->symtab[SYM_ROLES]).
Here is an extract of this dump:

    p->p_roles[object_r]: scope 2 {1, 9, 14}, types { }
    p->p_roles[g_b_role_1]: scope 2 {1}, types { g_b_type_1 }, dominates g_b_role_1
    p->p_roles[o1_b_role_1]: scope 2 {2}, types { o1_b_type_1 }
    p->p_roles[o3_b_role_1]: scope 2 {4, 12}, types { o3_b_type_1 o3_m1_type_1 }
    p->p_roles[o4_b_role_1]: scope 2 {5, 9, 14}, types { g_m1_type_1 g_m1_type_2 g_m2_type_1 }, dominates o4_b_role_1
    p->p_roles[g_b_role_3]: scope 2 {1, 9, 14}, types { g_b_type_2 g_m1_type_2 g_m2_type_2 }, dominates g_b_role_3
    p->p_roles[g_b_role_2]: scope 2 {1}, types { g_b_type_2 g_m1_type_1 }, dominates g_b_role_2
    p->p_roles[o1_b_role_2]: scope 2 {2, 9}, types { o1_b_type_1 g_m1_type_1 }, dominates o1_b_role_2
    [...]
    decl[2]->p_roles[o1_b_role_1]: scope 2 {2}, types { }, dominates o1_b_role_1
    decl[2]->p_roles[o1_b_role_2]: scope 2 {2, 9}, types { }, dominates o1_b_role_2
    decl[4]->p_roles[o3_b_role_1]: scope 2 {4, 12}, types { }, dominates o3_b_role_1
    decl[5]->p_roles[o4_b_role_1]: scope 2 {5, 9, 14}, types { }, dominates o4_b_role_1

It seems strange that "p->p_roles" hashmap handles all role-types associations
but that the domination information lies in
"p->decl_val_to_struct[scope-1]->p_roles" for roles in optional blocks. This
association is performed in define_role_types() function in
checkpolicy/policy_define.c. Using the "local role" (result of get_local_role
function) there fixes most assertion failures. This is what the first patch
does.

Afterwards the only failure which remains is:

    sym g_b_role_2 has 1 decls, 2 expected

Even though g_b_role_2 is used both in
tests/policies/test-linker/small-base.conf and
tests/policies/test-linker/module1.conf, it seems to only exist in the scope
of the base policy. The second patch updates the test accordingly.

Nicolas Iooss (3):
  checkpolicy: add types associated to a role in the current scope when parsing
  libsepol: tests: fix g_b_role_2 test
  libsepol: make "make test" fails when a CUnit test fails

 checkpolicy/policy_define.c        |  1 +
 libsepol/tests/libsepol-tests.c    | 11 +++++++----
 libsepol/tests/test-linker-roles.c |  3 +--
 3 files changed, 9 insertions(+), 6 deletions(-)

-- 
2.9.3
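
Added example, not part of the original message or of the patch series: a CI-side guard for the failure mode described above, where the test binary exits 0 although the CUnit run summary reports failed tests. It parses the summary table and derives the exit status from the "Failed" column; the function names and the sample text (built from the output quoted in the message) are assumptions of this example.

```python
import sys

# Constructed sample: the run summary from the output quoted in the message,
# laid out the way CUnit's basic mode prints it.
SAMPLE = """\
Run Summary:    Type  Total    Ran Passed Failed Inactive
              suites      5      5    n/a      0        0
               tests     13     13     12      1        0
             asserts   1269   1269   1256     13      n/a

Elapsed time =    1.420 seconds
"""

ROWS = ("suites", "tests", "asserts")


def parse_run_summary(output):
    """Return {row: {column: int or None}} from a CUnit run summary."""
    columns, summary = None, {}
    for line in output.splitlines():
        fields = line.split()
        if fields[:2] == ["Run", "Summary:"]:
            # Header row: take the column names after "Type".
            columns = [name.lower() for name in fields[3:]]
        elif columns and fields and fields[0] in ROWS:
            # "n/a" cells become None.
            values = [int(v) if v.isdigit() else None for v in fields[1:]]
            summary[fields[0]] = dict(zip(columns, values))
    return summary


def verdict(output, make_status=0):
    """Exit status for CI: nonzero if make failed, if no summary was
    printed, or if any suite, test or assert is reported as failed."""
    if make_status != 0:
        return make_status
    summary = parse_run_summary(output)
    if not {"tests", "asserts"} <= summary.keys():
        return 2  # missing summary is a failure, never an implicit pass
    failed = sum(row.get("failed") or 0 for row in summary.values())
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(verdict(sys.stdin.read()))
```

The script reads the test output on standard input; when it is fed through a shell pipe, the status of make itself has to be captured separately and passed as make_status.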