On Fri, May 8, 2020 at 5:42 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> Update the selinux testsuite to work on Debian and provide
> instructions for building and running it there.
>
> v4 splits the patch into one patch per logical change, updates
> some of the descriptions, drops an unnecessary constraint
> (only appear to need the peer recv constraint from Fedora for
> the current tests, not the packet/SECMARK constraint), cleans up
> the Makefile, and updates the test for noexec dev to match
> any "/dev .*noexec" instead of just devtmpfs since not everyone
> uses devtmpfs.
>
> Stephen Smalley (15):
>   test_capable_net.te: remove corenet_tcp/udp_sendrecv_all_ports()
>   test_execute_no_trans.te: stop using mmap_file_perms
>   test_ibendport.te: use dev_rw_infiniband_mgmt_dev()
>   test_global.te: allow test domains to statfs selinuxfs
>   test_inet_socket.te: switch from generic_port to
>     _all_unreserved_ports()
>   test_sctp.te: make netlabel_peer_t a MCS-constrained type
>   test_policy.if: use ptynode instead of unconfined_devpts_t
>   test_overlayfs.te: allow test_overlay_mounter_t to read user tmp files
>   policy: Add MCS constraint on peer recv
>   policy: Add defaultrange rules for overlay tests
>   test_filesystem.te,tests/{fs_}filesystem: do not force user identity
>     to system_u
>   policy/Makefile: conditionalize setting of allow_domain_fd_use
>   tests/cap_userns: set /proc/sys/kernel/unprivileged_userns_clone if
>     needed
>   tests/mmap: skip /dev/zero tests if /dev is noexec
>   README.md: Add instructions for Debian

With the exception of 07/15, on which I had a small comment:

Acked-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

(No need to respin the whole series in case you are going to respin
07. I can just splice it in before merging or apply on top.)

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.