On Wed, May 6, 2020 at 3:57 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > > On Wed, May 6, 2020 at 3:37 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > > > > On Wed, May 6, 2020 at 2:54 AM Stephen Smalley > > <stephen.smalley.work@xxxxxxxxx> wrote: > > > diff --git a/policy/Makefile b/policy/Makefile > > > index dfe601b..f86aac4 100644 > > > --- a/policy/Makefile > > > +++ b/policy/Makefile > > > @@ -40,6 +40,8 @@ CIL_TARGETS = test_add_levels.cil test_glblub.cil > > > endif > > > endif # GLBLUB > > > > > > +CIL_TARGETS += test_mlsconstrain.cil test_overlay_defaultrange.cil > > > > This causes a problem on RHEL-6, since it doesn't understand CIL > > modules. We'll probably need to detect if semodule supports CIL before > > trying to add the modules. > > I thought we had stopped worrying about RHEL compatibility in the > upstream testsuite going forward and deferring all of those tweaks to > downstream? I'm not fundamentally opposed but that was the impression > I had received earlier. If we are still carrying RHEL support, then > how old of RHEL do we still care about? RHEL-6 is six months away > from regular EOL? Also not sure what we would test here to determine whether CIL is supported. It isn't directly linked to a particular kernel or module binary policy version, and the version of libsepol that first introduced it in RHEL-7 probably differs from upstream (assuming it was back-ported there). > > > > diff --git a/policy/test_execute_no_trans.te b/policy/test_execute_no_trans.te > > > index 79ba868..f699f56 100644 > > > --- a/policy/test_execute_no_trans.te > > > +++ b/policy/test_execute_no_trans.te 
> > > @@ -24,4 +24,4 @@ userdom_sysadm_entry_spec_domtrans_to(test_execute_notrans_t) > > > > > > #Allow test_execute_notrans permissions to the allowed type > > > can_exec(test_execute_notrans_t,test_execute_notrans_allowed_t) > > > -allow test_execute_notrans_t test_execute_notrans_denied_t:file mmap_file_perms; > > > +allow test_execute_notrans_t test_execute_notrans_denied_t:file mmap_exec_file_perms; > > > > This causes the testsuite to fail on RHEL-7, since there > > mmap_exec_file_perms includes execute_no_trans for some reason. And on > > RHEL-6 mmap_exec_file_perms is not defined at all. Can we solve this > > by defining mmap_exec_file_perms as mmap_file_perms in test_policy.if > > if mmap_exec_file_perms is not defined? > > Yes, if we are still providing RHEL-7 compatibility for the testsuite, > that's easy enough. Actually on second thought that seems problematic since RHEL-7 defines it but defines it differently. So essentially I'd just need to undefine it and redefine it always, or just inline the definition itself here.
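Review bot: The added `CIL_TARGETS += test_mlsconstrain.cil test_overlay_defaultrange.cil` line in policy/Makefile sits after `endif # GLBLUB`, outside every conditional, so the two modules are appended to CIL_TARGETS unconditionally, while the `CIL_TARGETS = test_add_levels.cil test_glblub.cil` assignment just above it is guarded. As reported in this thread, a semodule that does not understand CIL modules then fails on them. Consider wrapping the line in its own conditional keyed on a probe for CIL support, with a short comment saying what the guard tests, so these modules are skipped cleanly on such systems.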
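Review bot: In policy/test_execute_no_trans.te the replaced rule now grants `mmap_exec_file_perms` on `test_execute_notrans_denied_t`, and what that macro expands to is decided by the installed base policy rather than by the testsuite. The thread reports that one distribution's definition includes execute_no_trans, which, judging by the type name, is the permission this test expects to be denied for that type, and that another distribution does not define the macro at all. Suggest listing the intended permissions explicitly in the allow rule, or using a testsuite-local macro from test_policy.if, and adding a comment above the rule stating which permissions are meant to be granted; the existing comment describes only the `can_exec` line.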