On Wed, Mar 4, 2020 at 12:18 PM Joshua Brindle <joshua.brindle@xxxxxxxxxxxxxxx> wrote:
> It's been a while so I'm just rereading mine, I also attempted to
> differentiate between MLS and MCS policies on the system running the
> tests so that they could run on the MLS policies directly (which is
> where glblub support is utilized), and I also verify the default (non
> glblub) behavior to ensure we didn't impact normal computations.
>
> Unless there is a compelling reason I think mine should be merged
> rather than this one.

Comparing the two:

- As you said, yours in theory supports a system running mls or neither-mls-nor-mcs policy. However, I'm unclear that one can run the testsuite under anything other than targeted policy w/ mcs currently. Is that something you have actually done?
- As you said, yours tests non-glblub behavior too. However this makes an assumption about the base policy default_range rules that might not be true?
- Ondrej's uses the more compact (range c0 c1023) notation in the cil policy.
- Ondrej's checks that checkpolicy supports policy version 32 in addition to the kernel, necessary to build the policy.