On Wed, Mar 4, 2020 at 3:56 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Wed, Mar 4, 2020 at 12:18 PM Joshua Brindle
> <joshua.brindle@xxxxxxxxxxxxxxx> wrote:
> > It's been a while so I'm just rereading mine, I also attempted to
> > differentiate between MLS and MCS policies on the system running the
> > tests so that they could run on the MLS policies directly (which is
> > where glblub support is utilized), and I also verify the default (non
> > glblub) behavior to ensure we didn't impact normal computations.
> >
> > Unless there is a compelling reason I think mine should be merged
> > rather than this one.
>
> Comparing the two:
> - As you said, yours in theory supports a system running mls or
> neither-mls-nor-mcs policy.
> However, I'm unclear that one can run the testsuite under anything
> other than targeted policy w/ mcs currently.
> Is that something you have actually done?

I think so but it has been a long time. Presumably I needed more modules than come with the stock RHEL MLS policy.

> - As you said, yours tests non-glblub behavior too. However this
> makes an assumption about the base policy default_range rules
> that might not be true?

They might not be true but I used an object class that doesn't have defaults set in any policy that I've seen in public. I suppose another tool to validate the assumption could be written.

> - Ondrej's uses the more compact (range c0 c1023) notation in the cil policy.

Easily fixed, obviously I didn't know range c0 c1023 was valid in sensitivitycategory statements. Pretty nice actually.

> - Ondrej's checks that checkpolicy supports policy version 32 in
> addition to the kernel, necessary to build the policy.

I suppose that should be added. I'm not currently set up to re-test this but could fix it up next week.