On Mon, Mar 16, 2020 at 10:08 AM James Carter <jwcart2@xxxxxxxxx> wrote: > > On Mon, Mar 16, 2020 at 5:55 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > > > Add a simple test for secilc -O to make sure that it produces the > > expected output. This might produce some false positives when the output > > of secilc/checkpolicy changes slightly, in which case the expected CIL > > will need to be updated along with the change. > > > > The test should normally work even with a checkpolicy built from an > > older tree, as long as it produces the same CIL output, so it uses the > > checkpolicy it finds in PATH by default. > > > > The test policy is taken from an e-mail from James Carter: > > https://lore.kernel.org/selinux/CAP+JOzTQQx6aM81QyVe0yoiPJeDU+7xE6nn=0UMAB1EZ_c9ryA@xxxxxxxxxxxxxx/T/ > > > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > Acked-by: James Carter <jwcart2@xxxxxxxxx> > Applied. Thanks, Jim > > --- > > > > v2: > > - move test policies to the 'test' subdirectory > > - use a simplified test policy supplied by James > > > > secilc/.gitignore | 2 ++ > > secilc/Makefile | 9 +++++ > > secilc/test/opt-expected.cil | 57 +++++++++++++++++++++++++++++++ > > secilc/test/opt-input.cil | 65 ++++++++++++++++++++++++++++++++++++ > > 4 files changed, 133 insertions(+) > > create mode 100644 secilc/test/opt-expected.cil > > create mode 100644 secilc/test/opt-input.cil > > > > diff --git a/secilc/.gitignore b/secilc/.gitignore > > index 2d3ff405..164523b0 100644 > > --- a/secilc/.gitignore > > +++ b/secilc/.gitignore > > @@ -7,3 +7,5 @@ file_contexts > > docs/html > > docs/pdf > > docs/tmp > > +opt-actual.bin > > +opt-actual.cil > > diff --git a/secilc/Makefile b/secilc/Makefile > > index 16640098..d4a1c35a 100644 > > --- a/secilc/Makefile > > +++ b/secilc/Makefile > > @@ -13,6 +13,10 @@ SECIL2CONF_OBJS := $(patsubst %.c,%.o,$(SECIL2CONF_SRCS)) > > SECILC_MANPAGE = secilc.8 > > SECIL2CONF_MANPAGE = secil2conf.8 > > XMLTO = xmlto > > +DIFF = diff > > + > > +CHECKPOLICY = checkpolicy > > +POL_VERS = $(shell $(CHECKPOLICY) -V | cut -f 1 -d ' ') > > > > CFLAGS ?= -Wall -Wshadow -Wextra -Wundef -Wmissing-format-attribute -Wcast-align -Wstrict-prototypes -Wpointer-arith -Wunused > > > > @@ -26,6 +30,9 @@ $(SECILC): $(SECILC_OBJS) > > > > test: $(SECILC) > > ./$(SECILC) test/policy.cil > > + ./$(SECILC) -c $(POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil > > + $(CHECKPOLICY) -b -C -M -o opt-actual.cil opt-actual.bin >/dev/null > > + $(DIFF) test/opt-expected.cil opt-actual.cil > > > > $(SECIL2CONF): $(SECIL2CONF_OBJS) > > $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS) > > @@ -58,6 +65,8 @@ clean: > > rm -f file_contexts > > rm -f $(SECILC_MANPAGE) > > rm -f $(SECIL2CONF_MANPAGE) > > + rm -f opt-actual.cil > > + rm -f opt-actual.bin > > $(MAKE) -C docs clean > > > > relabel: > > diff --git a/secilc/test/opt-expected.cil b/secilc/test/opt-expected.cil > > new file mode 100644 > > index 00000000..73ac9045 > > --- /dev/null > > +++ b/secilc/test/opt-expected.cil > > @@ -0,0 +1,57 @@ > > +(handleunknown deny) > > +(class cl01 (p01a p01b p11a p11b)) > > +(classorder (cl01)) > > +(sid kernel) > > +(sidorder (kernel)) > > +(mls true) > > +(sensitivity s01) > > +(sensitivityorder (s01)) > > +(category c01) > > +(categoryorder (c01)) > > +(sensitivitycategory s01 (c01)) > > +(typeattribute at02) > > +(boolean b01 false) > > +(type tp01) > > +(type tp02) > > +(type tp04) > > +(type tpr1) > > +(type tpr2) > > +(type tpr3) > > +(type tpr4) > > +(type tpr5) > > +(typeattributeset at02 (tp01 tp02)) > > +(allow at02 tpr1 (cl01 (p01a p01b p11a))) > > +(allow at02 tpr3 (cl01 (p01a p01b p11a))) > > +(allow tp01 self (cl01 (p01a p01b p11a p11b))) > > +(allow tp01 tpr1 (cl01 (p11b))) > > +(dontaudit at02 tpr2 (cl01 (p01a p01b p11a))) > > +(dontaudit at02 tpr4 (cl01 (p01a p01b p11a))) > > +(dontaudit tp01 tpr2 (cl01 (p11b))) > > +(booleanif b01 > > + (true > > + (allow tp01 tpr3 (cl01 (p11b))) > > + (allow tp01 tpr5 (cl01 (p01a p01b p11a p11b))) > > + (allow tp02 tpr5 (cl01 (p01a p11a))) > > + (dontaudit tp01 tpr4 (cl01 (p11b))) > > + ) > > + (false > > + (allow at02 tpr5 (cl01 (p01a p01b p11a))) > > + ) > > +) > > +(role object_r) > > +(role rl01) > > +(roletype rl01 tp01) > > +(roletype object_r tp01) > > +(roletype object_r tp02) > > +(roletype object_r tp04) > > +(roletype object_r tpr1) > > +(roletype object_r tpr2) > > +(roletype object_r tpr3) > > +(roletype object_r tpr4) > > +(roletype object_r tpr5) > > +(user us01) > > +(userrole us01 object_r) > > +(userrole us01 rl01) > > +(userlevel us01 (s01)) > > +(userrange us01 ((s01) (s01))) > > +(sidcontext kernel (us01 rl01 tp01 ((s01) (s01)))) > > diff --git a/secilc/test/opt-input.cil b/secilc/test/opt-input.cil > > new file mode 100644 > > index 00000000..5bb6c266 > > --- /dev/null > > +++ b/secilc/test/opt-input.cil > > @@ -0,0 +1,65 @@ > > +(handleunknown deny) > > +(class cl01 (p01a p01b p11a p11b)) > > +(classorder (cl01)) > > +(sid kernel) > > +(sidorder (kernel)) > > +(mls true) > > +(sensitivity s01) > > +(sensitivityorder (s01)) > > +(category c01) > > +(categoryorder (c01)) > > +(sensitivitycategory s01 (c01)) > > +(typeattribute at01) > > +(typeattribute at02) > > +(boolean b01 false) > > +(type tp01) > > +(type tp02) > > +(type tp04) > > +(type tpr1) > > +(type tpr2) > > +(type tpr3) > > +(type tpr4) > > +(type tpr5) > > +(typeattributeset at01 (tp01)) > > +(typeattributeset at02 (tp01 tp02)) > > +(allow at02 tpr1 (cl01 (p11a p01a p01b))) > > +(allow at02 tpr3 (cl01 (p11a p01a p01b))) > > +(allow tp01 at01 (cl01 (p11b))) > > +(allow tp01 self (cl01 (p11a p01a))) > > +(allow tp01 tp01 (cl01 (p01b))) > > +(allow tp01 tpr1 (cl01 (p11a p11b p01a p01b))) > > +(allow tp02 tpr1 (cl01 (p11a p01a))) > > +(dontaudit at02 tpr2 (cl01 (p11a p01a p01b))) > > +(dontaudit at02 tpr4 (cl01 (p11a p01a p01b))) > > +(dontaudit tp01 tpr2 (cl01 (p11a p11b p01a p01b))) > > +(dontaudit tp02 tpr2 (cl01 (p11a p01a))) > > +(booleanif (b01) > > + (true > > + (allow tp01 tpr3 (cl01 (p11a p11b p01a p01b))) > > + (allow tp01 tpr5 (cl01 (p11a p11b p01a p01b))) > > + (allow tp02 tpr3 (cl01 (p11a p01a))) > > + (allow tp02 tpr5 (cl01 (p11a p01a))) > > + (dontaudit tp01 tpr4 (cl01 (p11a p11b p01a p01b))) > > + (dontaudit tp02 tpr4 (cl01 (p11a p01a))) > > + ) > > + (false > > + (allow at02 tpr5 (cl01 (p11a p01a p01b))) > > + ) > > +) > > +(role object_r) > > +(role rl01) > > +(roletype rl01 tp01) > > +(roletype object_r tp01) > > +(roletype object_r tp02) > > +(roletype object_r tp04) > > +(roletype object_r tpr1) > > +(roletype object_r tpr2) > > +(roletype object_r tpr3) > > +(roletype object_r tpr4) > > +(roletype object_r tpr5) > > +(user us01) > > +(userrole us01 object_r) > > +(userrole us01 rl01) > > +(userlevel us01 (s01)) > > +(userrange us01 ((s01) (s01))) > > +(sidcontext kernel (us01 rl01 tp01 ((s01) (s01)))) > > -- > > 2.24.1 > >
