Re: [PATCH v2] checkpolicy: add round-trip tests

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Nov 1, 2023 at 12:37 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Add round-trip tests for checkpolicy(8).
> Test standard and MLS minimal policies as well as SELinux and Xen
> policies with each available statement.
> The output is checked against an expected result and then then checked
> for idempotence.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
> v2:
>    drop usage of removed role dominance rules
> ---
>  checkpolicy/.gitignore                        |  2 +
>  checkpolicy/Makefile                          |  6 +-
>  checkpolicy/tests/policy_allonce.conf         | 79 ++++++++++++++++
>  .../tests/policy_allonce.expected.conf        | 76 ++++++++++++++++
>  .../tests/policy_allonce.expected_opt.conf    | 76 ++++++++++++++++
>  checkpolicy/tests/policy_allonce_mls.conf     | 91 +++++++++++++++++++
>  .../tests/policy_allonce_mls.expected.conf    | 88 ++++++++++++++++++
>  .../policy_allonce_mls.expected_opt.conf      | 88 ++++++++++++++++++
>  checkpolicy/tests/policy_allonce_xen.conf     | 62 +++++++++++++
>  .../tests/policy_allonce_xen.expected.conf    | 65 +++++++++++++
>  .../policy_allonce_xen.expected_opt.conf      | 61 +++++++++++++
>  checkpolicy/tests/policy_minimal.conf         | 10 ++
>  checkpolicy/tests/policy_minimal_mls.conf     | 15 +++
>  checkpolicy/tests/test_roundtrip.sh           | 41 +++++++++
>  14 files changed, 759 insertions(+), 1 deletion(-)
>  create mode 100644 checkpolicy/tests/policy_allonce.conf
>  create mode 100644 checkpolicy/tests/policy_allonce.expected.conf
>  create mode 100644 checkpolicy/tests/policy_allonce.expected_opt.conf
>  create mode 100644 checkpolicy/tests/policy_allonce_mls.conf
>  create mode 100644 checkpolicy/tests/policy_allonce_mls.expected.conf
>  create mode 100644 checkpolicy/tests/policy_allonce_mls.expected_opt.conf
>  create mode 100644 checkpolicy/tests/policy_allonce_xen.conf
>  create mode 100644 checkpolicy/tests/policy_allonce_xen.expected.conf
>  create mode 100644 checkpolicy/tests/policy_allonce_xen.expected_opt.conf
>  create mode 100644 checkpolicy/tests/policy_minimal.conf
>  create mode 100644 checkpolicy/tests/policy_minimal_mls.conf
>  create mode 100755 checkpolicy/tests/test_roundtrip.sh
>
> diff --git a/checkpolicy/.gitignore b/checkpolicy/.gitignore
> index a7bd076d..01a694d4 100644
> --- a/checkpolicy/.gitignore
> +++ b/checkpolicy/.gitignore
> @@ -3,3 +3,5 @@ checkpolicy
>  lex.yy.c
>  y.tab.c
>  y.tab.h
> +tests/testpol.bin
> +tests/testpol.conf
> diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
> index c37e0310..281d15be 100644
> --- a/checkpolicy/Makefile
> +++ b/checkpolicy/Makefile
> @@ -50,6 +50,10 @@ y.tab.c: policy_parse.y
>  lex.yy.c: policy_scan.l y.tab.c
>         $(LEX) policy_scan.l
>
> +.PHONY: test
> +test: checkpolicy
> +       ./tests/test_roundtrip.sh
> +
>  install: all
>         -mkdir -p $(DESTDIR)$(BINDIR)
>         -mkdir -p $(DESTDIR)$(MANDIR)/man8
> @@ -68,7 +72,7 @@ relabel: install
>         /sbin/restorecon $(DESTDIR)$(BINDIR)/checkmodule
>
>  clean:
> -       -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c
> +       -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c tests/testpol.conf tests/testpol.bin
>         $(MAKE) -C test clean
>
>  indent:
> diff --git a/checkpolicy/tests/policy_allonce.conf b/checkpolicy/tests/policy_allonce.conf
> new file mode 100644
> index 00000000..34e6402d
> --- /dev/null
> +++ b/checkpolicy/tests/policy_allonce.conf
> @@ -0,0 +1,79 @@
> +# handle_unknown deny
> +class CLASS1
> +class CLASS2
> +class CLASS3
> +class dir
> +class file
> +class process
> +sid kernel
> +common COMMON1 { CPERM1 }
> +class CLASS1 { PERM1 ioctl }
> +class CLASS2 inherits COMMON1
> +class CLASS3 inherits COMMON1 { PERM1 }
> +default_user { CLASS1 } source;
> +default_role { CLASS2 } target;
> +default_type { CLASS3 } source;
> +policycap open_perms;
> +attribute ATTR1;
> +attribute ATTR2;
> +expandattribute ATTR1 true;
> +expandattribute ATTR2 false;
> +type TYPE1;
> +type TYPE2, ATTR1;
> +type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
> +type TYPE4 alias TYPEALIAS4, ATTR2;
> +typealias TYPE1 alias TYPEALIAS1;
> +typeattribute TYPE1 ATTR1;
> +typebounds TYPE4 TYPE3;
> +bool BOOL1 true;
> +tunable TUNABLE1 false;
> +tunable TUNABLE2 true;
> +type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
> +type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
> +type_member TYPE1 TYPE2 : CLASS1 TYPE2;
> +type_change TYPE1 TYPE2 : CLASS1 TYPE3;
> +allow TYPE1 self : CLASS1 { PERM1 };
> +auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
> +dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
> +neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
> +allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
> +auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
> +dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
> +neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
> +permissive TYPE1;
> +attribute_role ROLE_ATTR1;
> +role ROLE1;
> +role ROLE3;
> +role ROLE2, ROLE_ATTR1;
> +role_transition ROLE1 TYPE1 ROLE2;
> +role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
> +allow ROLE1 ROLE2;
> +roleattribute ROLE3 ROLE_ATTR1;
> +role ROLE1 types { TYPE1 };
> +if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
> +if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
> +optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
> +user USER1 roles ROLE1;
> +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> +# sameuser will be turned into (u1 == u2)
> +validatetrans CLASS2 sameuser and t3 == ATTR1;
> +sid kernel USER1:ROLE1:TYPE1
> +# fscon statements are not dumped
> +fscon 2 3 USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
> +fs_use_xattr btrfs USER1:ROLE1:TYPE1;
> +fs_use_trans devpts USER1:ROLE1:TYPE1;
> +fs_use_task pipefs USER1:ROLE1:TYPE1;
> +# paths will be turned into quoted strings
> +genfscon proc / -d USER1:ROLE1:TYPE1
> +genfscon proc "/file1" -- USER1:ROLE1:TYPE1
> +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
> +portcon tcp 80 USER1:ROLE1:TYPE1
> +portcon udp 100-200 USER1:ROLE1:TYPE1
> +netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
> +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
> +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
> +# hex numbers will be turned in decimal ones
> +ibpkeycon fe80:: 0xFFFF USER1:ROLE1:TYPE1
> +ibpkeycon fe80:: 0-0x10 USER1:ROLE1:TYPE1
> +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
> +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1
> diff --git a/checkpolicy/tests/policy_allonce.expected.conf b/checkpolicy/tests/policy_allonce.expected.conf
> new file mode 100644
> index 00000000..63739e1f
> --- /dev/null
> +++ b/checkpolicy/tests/policy_allonce.expected.conf
> @@ -0,0 +1,76 @@
> +# handle_unknown deny
> +class CLASS1
> +class CLASS2
> +class CLASS3
> +class dir
> +class file
> +class process
> +sid kernel
> +common COMMON1 { CPERM1 }
> +class CLASS1 { PERM1 ioctl }
> +class CLASS2 inherits COMMON1
> +class CLASS3 inherits COMMON1 { PERM1 }
> +default_user { CLASS1 } source;
> +default_role { CLASS2 } target;
> +default_type { CLASS3 } source;
> +policycap open_perms;
> +attribute ATTR1;
> +attribute ATTR2;
> +bool BOOL1 true;
> +type TYPE1;
> +type TYPE2;
> +type TYPE3;
> +type TYPE4;
> +typealias TYPE1 alias TYPEALIAS1;
> +typealias TYPE3 alias TYPEALIAS3A;
> +typealias TYPE3 alias TYPEALIAS3B;
> +typealias TYPE4 alias TYPEALIAS4;
> +typebounds TYPE4 TYPE3;
> +typeattribute TYPE4 ATTR2;
> +permissive TYPE1;
> +allow TYPE1 self:CLASS1 { PERM1 };
> +allow TYPE1 self:CLASS2 { CPERM1 };
> +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
> +auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
> +dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
> +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> +if (BOOL1) {
> +} else {
> +    allow TYPE1 self:CLASS1 { PERM1 ioctl };
> +}
> +role ROLE1;
> +role ROLE2;
> +role ROLE3;
> +role ROLE1 types { TYPE1 };
> +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> +role_transition ROLE1 TYPE1:process ROLE2;
> +allow ROLE1 ROLE2;
> +user USER1 roles ROLE1;
> +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> +sid kernel USER1:ROLE1:TYPE1
> +fs_use_xattr btrfs USER1:ROLE1:TYPE1;
> +fs_use_trans devpts USER1:ROLE1:TYPE1;
> +fs_use_task pipefs USER1:ROLE1:TYPE1;
> +genfscon proc "/" -d USER1:ROLE1:TYPE1
> +genfscon proc "/file1" -- USER1:ROLE1:TYPE1
> +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
> +portcon tcp 80 USER1:ROLE1:TYPE1
> +portcon udp 100-200 USER1:ROLE1:TYPE1
> +netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
> +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
> +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
> +ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1
> +ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1
> +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
> +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1
> diff --git a/checkpolicy/tests/policy_allonce.expected_opt.conf b/checkpolicy/tests/policy_allonce.expected_opt.conf
> new file mode 100644
> index 00000000..1c969961
> --- /dev/null
> +++ b/checkpolicy/tests/policy_allonce.expected_opt.conf
> @@ -0,0 +1,76 @@
> +# handle_unknown deny
> +class CLASS1
> +class CLASS2
> +class CLASS3
> +class dir
> +class file
> +class process
> +sid kernel
> +common COMMON1 { CPERM1 }
> +class CLASS1 { PERM1 ioctl }
> +class CLASS2 inherits COMMON1
> +class CLASS3 inherits COMMON1 { PERM1 }
> +default_user { CLASS1 } source;
> +default_role { CLASS2 } target;
> +default_type { CLASS3 } source;
> +policycap open_perms;
> +attribute ATTR1;
> +attribute ATTR2;
> +bool BOOL1 true;
> +type TYPE1;
> +type TYPE2;
> +type TYPE3;
> +type TYPE4;
> +typealias TYPE1 alias TYPEALIAS1;
> +typealias TYPE3 alias TYPEALIAS3A;
> +typealias TYPE3 alias TYPEALIAS3B;
> +typealias TYPE4 alias TYPEALIAS4;
> +typebounds TYPE4 TYPE3;
> +typeattribute TYPE4 ATTR2;
> +permissive TYPE1;
> +allow TYPE1 self:CLASS1 { PERM1 };
> +allow TYPE1 self:CLASS2 { CPERM1 };
> +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
> +auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
> +dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
> +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> +if (BOOL1) {
> +} else {
> +    allow TYPE1 self:CLASS1 { ioctl };
> +}
> +role ROLE1;
> +role ROLE2;
> +role ROLE3;
> +role ROLE1 types { TYPE1 };
> +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> +role_transition ROLE1 TYPE1:process ROLE2;
> +allow ROLE1 ROLE2;
> +user USER1 roles ROLE1;
> +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> +sid kernel USER1:ROLE1:TYPE1
> +fs_use_xattr btrfs USER1:ROLE1:TYPE1;
> +fs_use_trans devpts USER1:ROLE1:TYPE1;
> +fs_use_task pipefs USER1:ROLE1:TYPE1;
> +genfscon proc "/" -d USER1:ROLE1:TYPE1
> +genfscon proc "/file1" -- USER1:ROLE1:TYPE1
> +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
> +portcon tcp 80 USER1:ROLE1:TYPE1
> +portcon udp 100-200 USER1:ROLE1:TYPE1
> +netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
> +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
> +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
> +ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1
> +ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1
> +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
> +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1
> diff --git a/checkpolicy/tests/policy_allonce_mls.conf b/checkpolicy/tests/policy_allonce_mls.conf
> new file mode 100644
> index 00000000..c88616b3
> --- /dev/null
> +++ b/checkpolicy/tests/policy_allonce_mls.conf
> @@ -0,0 +1,91 @@
> +# handle_unknown deny
> +class CLASS1
> +class CLASS2
> +class CLASS3
> +class dir
> +class file
> +class process
> +sid kernel
> +common COMMON1 { CPERM1 }
> +class CLASS1 { PERM1 ioctl }
> +class CLASS2 inherits COMMON1
> +class CLASS3 inherits COMMON1 { PERM1 }
> +default_user { CLASS1 } source;
> +default_role { CLASS2 } target;
> +default_type { CLASS3 } source;
> +sensitivity s0;
> +sensitivity s1;
> +sensitivity s2 alias SENSALIAS;
> +dominance { s0 s1 SENSALIAS }
> +category c0;
> +category c1 alias CATALIAS;
> +level s0:c0;
> +level s1:c0,c1;
> +level s2;
> +mlsconstrain CLASS1 { PERM1 } l1 == l2;
> +mlsvalidatetrans CLASS1 r1 domby r2 and l1 incomp h2;
> +policycap open_perms;
> +attribute ATTR1;
> +attribute ATTR2;
> +expandattribute ATTR1 true;
> +expandattribute ATTR2 false;
> +type TYPE1;
> +type TYPE2, ATTR1;
> +type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
> +type TYPE4 alias TYPEALIAS4, ATTR2;
> +typealias TYPE1 alias TYPEALIAS1;
> +typeattribute TYPE1 ATTR1;
> +typebounds TYPE4 TYPE3;
> +bool BOOL1 true;
> +tunable TUNABLE1 false;
> +tunable TUNABLE2 true;
> +type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
> +type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
> +type_member TYPE1 TYPE2 : CLASS1 TYPE2;
> +type_change TYPE1 TYPE2 : CLASS1 TYPE3;
> +range_transition TYPE1 TYPE2 : CLASS1 s1:c0.c1;
> +allow TYPE1 self : CLASS1 { PERM1 };
> +auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
> +dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
> +neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
> +allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
> +auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
> +dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
> +neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
> +permissive TYPE1;
> +attribute_role ROLE_ATTR1;
> +role ROLE1;
> +role ROLE3;
> +role ROLE2, ROLE_ATTR1;
> +role_transition ROLE1 TYPE1 ROLE2;
> +role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
> +allow ROLE1 ROLE2;
> +roleattribute ROLE3 ROLE_ATTR1;
> +role ROLE1 types { TYPE1 };
> +if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
> +if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
> +optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
> +user USER1 roles ROLE1 level s0 range s0 - s1:c0.c1;
> +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> +# sameuser will be turned into (u1 == u2)
> +validatetrans CLASS2 sameuser and t3 == ATTR1;
> +sid kernel USER1:ROLE1:TYPE1:s0 - s1:c0.c1
> +# fscon statements are not dumped
> +fscon 2 3 USER1:ROLE1:TYPE1:s0 USER1:ROLE1:TYPE1:s0
> +fs_use_xattr btrfs USER1:ROLE1:TYPE1:s0 - s1:c0.CATALIAS;
> +fs_use_trans devpts USER1:ROLE1:TYPE1:s0 - s0;
> +fs_use_task pipefs USER1:ROLE1:TYPE1:s0 - s1;
> +# paths will be turned into quoted strings
> +genfscon proc / -d USER1:ROLE1:TYPE1:s0
> +genfscon proc "/file1" -- USER1:ROLE1:TYPE1:s0
> +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1:s0
> +portcon tcp 80 USER1:ROLE1:TYPE1:s0
> +portcon udp 100-200 USER1:ROLE1:TYPE1:s0
> +netifcon lo USER1:ROLE1:TYPE1:s0 USER1:ROLE1:TYPE1:s0
> +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1:s0
> +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1:s0
> +# hex numbers will be turned in decimal ones
> +ibpkeycon fe80:: 0xFFFF USER1:ROLE1:TYPE1:s0
> +ibpkeycon fe80:: 0-0x10 USER1:ROLE1:TYPE1:s0
> +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1:s0
> +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1:s0
> diff --git a/checkpolicy/tests/policy_allonce_mls.expected.conf b/checkpolicy/tests/policy_allonce_mls.expected.conf
> new file mode 100644
> index 00000000..87c36f92
> --- /dev/null
> +++ b/checkpolicy/tests/policy_allonce_mls.expected.conf
> @@ -0,0 +1,88 @@
> +# handle_unknown deny
> +class CLASS1
> +class CLASS2
> +class CLASS3
> +class dir
> +class file
> +class process
> +sid kernel
> +common COMMON1 { CPERM1 }
> +class CLASS1 { PERM1 ioctl }
> +class CLASS2 inherits COMMON1
> +class CLASS3 inherits COMMON1 { PERM1 }
> +default_user { CLASS1 } source;
> +default_role { CLASS2 } target;
> +default_type { CLASS3 } source;
> +sensitivity s0;
> +sensitivity s1;
> +sensitivity s2 alias SENSALIAS;
> +dominance { s0 s1 s2 }
> +category c0;
> +category c1 alias CATALIAS;
> +level s0:c0;
> +level s1:c0,c1;
> +level s2;
> +mlsconstrain CLASS1 { PERM1 } l1 == l2;
> +mlsvalidatetrans CLASS1 (r1 domby r2 and l1 incomp h2);
> +policycap open_perms;
> +attribute ATTR1;
> +attribute ATTR2;
> +bool BOOL1 true;
> +type TYPE1;
> +type TYPE2;
> +type TYPE3;
> +type TYPE4;
> +typealias TYPE1 alias TYPEALIAS1;
> +typealias TYPE3 alias TYPEALIAS3A;
> +typealias TYPE3 alias TYPEALIAS3B;
> +typealias TYPE4 alias TYPEALIAS4;
> +typebounds TYPE4 TYPE3;
> +typeattribute TYPE4 ATTR2;
> +permissive TYPE1;
> +allow TYPE1 self:CLASS1 { PERM1 };
> +allow TYPE1 self:CLASS2 { CPERM1 };
> +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
> +auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
> +dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
> +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> +range_transition TYPE1 TYPE2:CLASS1 s1:c0,c1 - s1:c0,c1;
> +if (BOOL1) {
> +} else {
> +    allow TYPE1 self:CLASS1 { PERM1 ioctl };
> +}
> +role ROLE1;
> +role ROLE2;
> +role ROLE3;
> +role ROLE1 types { TYPE1 };
> +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> +role_transition ROLE1 TYPE1:process ROLE2;
> +allow ROLE1 ROLE2;
> +user USER1 roles ROLE1 level s0 range s0 - s1:c0,c1;
> +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> +sid kernel USER1:ROLE1:TYPE1:s0 - s1:c0,c1
> +fs_use_xattr btrfs USER1:ROLE1:TYPE1:s0 - s1:c0,c1;
> +fs_use_trans devpts USER1:ROLE1:TYPE1:s0 - s0;
> +fs_use_task pipefs USER1:ROLE1:TYPE1:s0 - s1;
> +genfscon proc "/" -d USER1:ROLE1:TYPE1:s0 - s0
> +genfscon proc "/file1" -- USER1:ROLE1:TYPE1:s0 - s0
> +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1:s0 - s0
> +portcon tcp 80 USER1:ROLE1:TYPE1:s0 - s0
> +portcon udp 100-200 USER1:ROLE1:TYPE1:s0 - s0
> +netifcon lo USER1:ROLE1:TYPE1:s0 - s0 USER1:ROLE1:TYPE1:s0 - s0
> +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1:s0 - s0
> +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1:s0 - s0
> +ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1:s0 - s0
> +ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1:s0 - s0
> +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1:s0 - s0
> +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1:s0 - s0
> diff --git a/checkpolicy/tests/policy_allonce_mls.expected_opt.conf b/checkpolicy/tests/policy_allonce_mls.expected_opt.conf
> new file mode 100644
> index 00000000..38176166
> --- /dev/null
> +++ b/checkpolicy/tests/policy_allonce_mls.expected_opt.conf
> @@ -0,0 +1,88 @@
> +# handle_unknown deny
> +class CLASS1
> +class CLASS2
> +class CLASS3
> +class dir
> +class file
> +class process
> +sid kernel
> +common COMMON1 { CPERM1 }
> +class CLASS1 { PERM1 ioctl }
> +class CLASS2 inherits COMMON1
> +class CLASS3 inherits COMMON1 { PERM1 }
> +default_user { CLASS1 } source;
> +default_role { CLASS2 } target;
> +default_type { CLASS3 } source;
> +sensitivity s0;
> +sensitivity s1;
> +sensitivity s2 alias SENSALIAS;
> +dominance { s0 s1 s2 }
> +category c0;
> +category c1 alias CATALIAS;
> +level s0:c0;
> +level s1:c0,c1;
> +level s2;
> +mlsconstrain CLASS1 { PERM1 } l1 == l2;
> +mlsvalidatetrans CLASS1 (r1 domby r2 and l1 incomp h2);
> +policycap open_perms;
> +attribute ATTR1;
> +attribute ATTR2;
> +bool BOOL1 true;
> +type TYPE1;
> +type TYPE2;
> +type TYPE3;
> +type TYPE4;
> +typealias TYPE1 alias TYPEALIAS1;
> +typealias TYPE3 alias TYPEALIAS3A;
> +typealias TYPE3 alias TYPEALIAS3B;
> +typealias TYPE4 alias TYPEALIAS4;
> +typebounds TYPE4 TYPE3;
> +typeattribute TYPE4 ATTR2;
> +permissive TYPE1;
> +allow TYPE1 self:CLASS1 { PERM1 };
> +allow TYPE1 self:CLASS2 { CPERM1 };
> +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
> +auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
> +dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
> +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> +range_transition TYPE1 TYPE2:CLASS1 s1:c0,c1 - s1:c0,c1;
> +if (BOOL1) {
> +} else {
> +    allow TYPE1 self:CLASS1 { ioctl };
> +}
> +role ROLE1;
> +role ROLE2;
> +role ROLE3;
> +role ROLE1 types { TYPE1 };
> +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> +role_transition ROLE1 TYPE1:process ROLE2;
> +allow ROLE1 ROLE2;
> +user USER1 roles ROLE1 level s0 range s0 - s1:c0,c1;
> +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> +sid kernel USER1:ROLE1:TYPE1:s0 - s1:c0,c1
> +fs_use_xattr btrfs USER1:ROLE1:TYPE1:s0 - s1:c0,c1;
> +fs_use_trans devpts USER1:ROLE1:TYPE1:s0 - s0;
> +fs_use_task pipefs USER1:ROLE1:TYPE1:s0 - s1;
> +genfscon proc "/" -d USER1:ROLE1:TYPE1:s0 - s0
> +genfscon proc "/file1" -- USER1:ROLE1:TYPE1:s0 - s0
> +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1:s0 - s0
> +portcon tcp 80 USER1:ROLE1:TYPE1:s0 - s0
> +portcon udp 100-200 USER1:ROLE1:TYPE1:s0 - s0
> +netifcon lo USER1:ROLE1:TYPE1:s0 - s0 USER1:ROLE1:TYPE1:s0 - s0
> +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1:s0 - s0
> +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1:s0 - s0
> +ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1:s0 - s0
> +ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1:s0 - s0
> +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1:s0 - s0
> +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1:s0 - s0
> diff --git a/checkpolicy/tests/policy_allonce_xen.conf b/checkpolicy/tests/policy_allonce_xen.conf
> new file mode 100644
> index 00000000..6402683a
> --- /dev/null
> +++ b/checkpolicy/tests/policy_allonce_xen.conf
> @@ -0,0 +1,62 @@
> +# handle_unknown deny
> +class CLASS1
> +class CLASS2
> +class CLASS3
> +class dir
> +class file
> +class process
> +sid kernel
> +common COMMON1 { CPERM1 }
> +class CLASS1 { PERM1 }
> +class CLASS2 inherits COMMON1
> +class CLASS3 inherits COMMON1 { PERM1 }
> +default_user { CLASS1 } source;
> +default_role { CLASS2 } target;
> +default_type { CLASS3 } source;
> +attribute ATTR1;
> +attribute ATTR2;
> +expandattribute ATTR1 true;
> +expandattribute ATTR2 false;
> +type TYPE1;
> +type TYPE2, ATTR1;
> +type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
> +type TYPE4 alias TYPEALIAS4, ATTR2;
> +typealias TYPE1 alias TYPEALIAS1;
> +typeattribute TYPE1 ATTR1;
> +typebounds TYPE4 TYPE3;
> +bool BOOL1 true;
> +tunable TUNABLE1 false;
> +tunable TUNABLE2 true;
> +type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
> +type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
> +type_member TYPE1 TYPE2 : CLASS1 TYPE2;
> +type_change TYPE1 TYPE2 : CLASS1 TYPE3;
> +allow TYPE1 self : CLASS1 { PERM1 };
> +auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
> +dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
> +neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
> +permissive TYPE1;
> +attribute_role ROLE_ATTR1;
> +role ROLE1;
> +role ROLE3;
> +role ROLE2, ROLE_ATTR1;
> +role_transition ROLE1 TYPE1 ROLE2;
> +role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
> +allow ROLE1 ROLE2;
> +roleattribute ROLE3 ROLE_ATTR1;
> +role ROLE1 types { TYPE1 };
> +if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
> +if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
> +optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
> +policycap open_perms;
> +user USER1 roles ROLE1;
> +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> +validatetrans CLASS2 sameuser and t3 == ATTR1;
> +sid kernel USER1:ROLE1:TYPE1
> +pirqcon 13 USER1:ROLE1:TYPE1
> +iomemcon 13 USER1:ROLE1:TYPE1
> +iomemcon 23-31 USER1:ROLE1:TYPE1
> +ioportcon 13 USER1:ROLE1:TYPE1
> +ioportcon 23-31 USER1:ROLE1:TYPE1
> +pcidevicecon 13 USER1:ROLE1:TYPE1
> +devicetreecon "/path/to/device" USER1:ROLE1:TYPE1
> diff --git a/checkpolicy/tests/policy_allonce_xen.expected.conf b/checkpolicy/tests/policy_allonce_xen.expected.conf
> new file mode 100644
> index 00000000..a4573ccb
> --- /dev/null
> +++ b/checkpolicy/tests/policy_allonce_xen.expected.conf
> @@ -0,0 +1,65 @@
> +# handle_unknown deny
> +class CLASS1
> +class CLASS2
> +class CLASS3
> +class dir
> +class file
> +class process
> +sid xen
> +common COMMON1 { CPERM1 }
> +class CLASS1 { PERM1 }
> +class CLASS2 inherits COMMON1
> +class CLASS3 inherits COMMON1 { PERM1 }
> +default_user { CLASS1 } source;
> +default_role { CLASS2 } target;
> +default_type { CLASS3 } source;
> +policycap open_perms;
> +attribute ATTR1;
> +attribute ATTR2;
> +bool BOOL1 true;
> +type TYPE1;
> +type TYPE2;
> +type TYPE3;
> +type TYPE4;
> +typealias TYPE1 alias TYPEALIAS1;
> +typealias TYPE3 alias TYPEALIAS3A;
> +typealias TYPE3 alias TYPEALIAS3B;
> +typealias TYPE4 alias TYPEALIAS4;
> +typebounds TYPE4 TYPE3;
> +typeattribute TYPE4 ATTR2;
> +permissive TYPE1;
> +allow TYPE1 self:CLASS1 { PERM1 };
> +allow TYPE1 self:CLASS2 { CPERM1 };
> +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> +if (BOOL1) {
> +} else {
> +    allow TYPE1 self:CLASS1 { PERM1 };
> +}
> +role ROLE1;
> +role ROLE2;
> +role ROLE3;
> +role ROLE1 types { TYPE1 };
> +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> +role_transition ROLE1 TYPE1:process ROLE2;
> +allow ROLE1 ROLE2;
> +user USER1 roles ROLE1;
> +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> +sid xen USER1:ROLE1:TYPE1
> +pirqcon 13 USER1:ROLE1:TYPE1
> +iomemcon 0xd USER1:ROLE1:TYPE1
> +iomemcon 0x17-0x1f USER1:ROLE1:TYPE1
> +ioportcon 0xd USER1:ROLE1:TYPE1
> +ioportcon 0x17-0x1f USER1:ROLE1:TYPE1
> +pcidevicecon 0xd USER1:ROLE1:TYPE1
> +devicetreecon "/path/to/device" USER1:ROLE1:TYPE1
> diff --git a/checkpolicy/tests/policy_allonce_xen.expected_opt.conf b/checkpolicy/tests/policy_allonce_xen.expected_opt.conf
> new file mode 100644
> index 00000000..8fd3b226
> --- /dev/null
> +++ b/checkpolicy/tests/policy_allonce_xen.expected_opt.conf
> @@ -0,0 +1,61 @@
> +# handle_unknown deny
> +class CLASS1
> +class CLASS2
> +class CLASS3
> +class dir
> +class file
> +class process
> +sid xen
> +common COMMON1 { CPERM1 }
> +class CLASS1 { PERM1 }
> +class CLASS2 inherits COMMON1
> +class CLASS3 inherits COMMON1 { PERM1 }
> +default_user { CLASS1 } source;
> +default_role { CLASS2 } target;
> +default_type { CLASS3 } source;
> +policycap open_perms;
> +attribute ATTR1;
> +attribute ATTR2;
> +bool BOOL1 true;
> +type TYPE1;
> +type TYPE2;
> +type TYPE3;
> +type TYPE4;
> +typealias TYPE1 alias TYPEALIAS1;
> +typealias TYPE3 alias TYPEALIAS3A;
> +typealias TYPE3 alias TYPEALIAS3B;
> +typealias TYPE4 alias TYPEALIAS4;
> +typebounds TYPE4 TYPE3;
> +typeattribute TYPE4 ATTR2;
> +permissive TYPE1;
> +allow TYPE1 self:CLASS1 { PERM1 };
> +allow TYPE1 self:CLASS2 { CPERM1 };
> +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> +role ROLE1;
> +role ROLE2;
> +role ROLE3;
> +role ROLE1 types { TYPE1 };
> +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> +role_transition ROLE1 TYPE1:process ROLE2;
> +allow ROLE1 ROLE2;
> +user USER1 roles ROLE1;
> +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> +sid xen USER1:ROLE1:TYPE1
> +pirqcon 13 USER1:ROLE1:TYPE1
> +iomemcon 0xd USER1:ROLE1:TYPE1
> +iomemcon 0x17-0x1f USER1:ROLE1:TYPE1
> +ioportcon 0xd USER1:ROLE1:TYPE1
> +ioportcon 0x17-0x1f USER1:ROLE1:TYPE1
> +pcidevicecon 0xd USER1:ROLE1:TYPE1
> +devicetreecon "/path/to/device" USER1:ROLE1:TYPE1
> diff --git a/checkpolicy/tests/policy_minimal.conf b/checkpolicy/tests/policy_minimal.conf
> new file mode 100644
> index 00000000..e8cff6df
> --- /dev/null
> +++ b/checkpolicy/tests/policy_minimal.conf
> @@ -0,0 +1,10 @@
> +# handle_unknown deny
> +class CLASS1
> +sid kernel
> +class CLASS1 { PERM1 }
> +type TYPE1;
> +allow TYPE1 self:CLASS1 { PERM1 };
> +role ROLE1;
> +role ROLE1 types { TYPE1 };
> +user USER1 roles ROLE1;
> +sid kernel USER1:ROLE1:TYPE1
> diff --git a/checkpolicy/tests/policy_minimal_mls.conf b/checkpolicy/tests/policy_minimal_mls.conf
> new file mode 100644
> index 00000000..9ea65169
> --- /dev/null
> +++ b/checkpolicy/tests/policy_minimal_mls.conf
> @@ -0,0 +1,15 @@
> +# handle_unknown deny
> +class CLASS1
> +sid kernel
> +class CLASS1 { PERM1 }
> +sensitivity s0;
> +dominance { s0 }
> +category c0;
> +level s0:c0;
> +mlsconstrain CLASS1 { PERM1 } l1 == l2;
> +type TYPE1;
> +allow TYPE1 self:CLASS1 { PERM1 };
> +role ROLE1;
> +role ROLE1 types { TYPE1 };
> +user USER1 roles ROLE1 level s0 range s0 - s0:c0;
> +sid kernel USER1:ROLE1:TYPE1:s0 - s0
> diff --git a/checkpolicy/tests/test_roundtrip.sh b/checkpolicy/tests/test_roundtrip.sh
> new file mode 100755
> index 00000000..d05b36bb
> --- /dev/null
> +++ b/checkpolicy/tests/test_roundtrip.sh
> @@ -0,0 +1,41 @@
> +#!/bin/sh
> +
> +set -eu
> +
> +BASEDIR=$(dirname "$0")
> +CHECKPOLICY="${BASEDIR}/../checkpolicy"
> +
> +check_policy() {
> +       POLICY=$1
> +       EXPECTED=$2
> +       OPTS=$3
> +
> +       echo "==== Testing ${1}"
> +
> +       ${CHECKPOLICY} ${OPTS} "${BASEDIR}/${POLICY}" -o "${BASEDIR}/testpol.bin"
> +       ${CHECKPOLICY} ${OPTS} -b -F "${BASEDIR}/testpol.bin" -o "${BASEDIR}/testpol.conf"
> +       diff -u "${BASEDIR}/${EXPECTED}" "${BASEDIR}/testpol.conf"
> +
> +       ${CHECKPOLICY} ${OPTS} "${BASEDIR}/${EXPECTED}" -o "${BASEDIR}/testpol.bin"
> +       ${CHECKPOLICY} ${OPTS} -b -F "${BASEDIR}/testpol.bin" -o "${BASEDIR}/testpol.conf"
> +       diff -u "${BASEDIR}/${EXPECTED}" "${BASEDIR}/testpol.conf"
> +
> +       echo "==== ${1} success"
> +       echo ""
> +}
> +
> +
> +check_policy  policy_minimal.conf      policy_minimal.conf                   '-E'
> +check_policy  policy_minimal.conf      policy_minimal.conf                   '-E -S -O'
> +
> +check_policy  policy_minimal_mls.conf  policy_minimal_mls.conf               '-M -E'
> +check_policy  policy_minimal_mls.conf  policy_minimal_mls.conf               '-M -E -S -O'
> +
> +check_policy  policy_allonce.conf      policy_allonce.expected.conf          ''
> +check_policy  policy_allonce.conf      policy_allonce.expected_opt.conf      '-S -O'
> +
> +check_policy  policy_allonce_mls.conf  policy_allonce_mls.expected.conf      '-M'
> +check_policy  policy_allonce_mls.conf  policy_allonce_mls.expected_opt.conf  '-M -S -O'
> +
> +check_policy  policy_allonce_xen.conf  policy_allonce_xen.expected.conf      '--target xen -c 30 -E'
> +check_policy  policy_allonce_xen.conf  policy_allonce_xen.expected_opt.conf  '--target xen -c 30 -E -S -O'
> --
> 2.42.0
>
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux