Re: [PATCH v2] checkpolicy: add round-trip tests

On Thu, Nov 2, 2023 at 10:39 AM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Wed, Nov 1, 2023 at 12:37 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > Add round-trip tests for checkpolicy(8).
> > Test standard and MLS minimal policies as well as SELinux and Xen
> > policies with each available statement.
> > The output is checked against an expected result and then checked
> > for idempotence.
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
>

Merged.
Thanks,
Jim

> > ---
> > v2:
> >    drop usage of removed role dominance rules
> > ---
> >  checkpolicy/.gitignore                        |  2 +
> >  checkpolicy/Makefile                          |  6 +-
> >  checkpolicy/tests/policy_allonce.conf         | 79 ++++++++++++++++
> >  .../tests/policy_allonce.expected.conf        | 76 ++++++++++++++++
> >  .../tests/policy_allonce.expected_opt.conf    | 76 ++++++++++++++++
> >  checkpolicy/tests/policy_allonce_mls.conf     | 91 +++++++++++++++++++
> >  .../tests/policy_allonce_mls.expected.conf    | 88 ++++++++++++++++++
> >  .../policy_allonce_mls.expected_opt.conf      | 88 ++++++++++++++++++
> >  checkpolicy/tests/policy_allonce_xen.conf     | 62 +++++++++++++
> >  .../tests/policy_allonce_xen.expected.conf    | 65 +++++++++++++
> >  .../policy_allonce_xen.expected_opt.conf      | 61 +++++++++++++
> >  checkpolicy/tests/policy_minimal.conf         | 10 ++
> >  checkpolicy/tests/policy_minimal_mls.conf     | 15 +++
> >  checkpolicy/tests/test_roundtrip.sh           | 41 +++++++++
> >  14 files changed, 759 insertions(+), 1 deletion(-)
> >  create mode 100644 checkpolicy/tests/policy_allonce.conf
> >  create mode 100644 checkpolicy/tests/policy_allonce.expected.conf
> >  create mode 100644 checkpolicy/tests/policy_allonce.expected_opt.conf
> >  create mode 100644 checkpolicy/tests/policy_allonce_mls.conf
> >  create mode 100644 checkpolicy/tests/policy_allonce_mls.expected.conf
> >  create mode 100644 checkpolicy/tests/policy_allonce_mls.expected_opt.conf
> >  create mode 100644 checkpolicy/tests/policy_allonce_xen.conf
> >  create mode 100644 checkpolicy/tests/policy_allonce_xen.expected.conf
> >  create mode 100644 checkpolicy/tests/policy_allonce_xen.expected_opt.conf
> >  create mode 100644 checkpolicy/tests/policy_minimal.conf
> >  create mode 100644 checkpolicy/tests/policy_minimal_mls.conf
> >  create mode 100755 checkpolicy/tests/test_roundtrip.sh
> >
> > diff --git a/checkpolicy/.gitignore b/checkpolicy/.gitignore
> > index a7bd076d..01a694d4 100644
> > --- a/checkpolicy/.gitignore
> > +++ b/checkpolicy/.gitignore
> > @@ -3,3 +3,5 @@ checkpolicy
> >  lex.yy.c
> >  y.tab.c
> >  y.tab.h
> > +tests/testpol.bin
> > +tests/testpol.conf
> > diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
> > index c37e0310..281d15be 100644
> > --- a/checkpolicy/Makefile
> > +++ b/checkpolicy/Makefile
> > @@ -50,6 +50,10 @@ y.tab.c: policy_parse.y
> >  lex.yy.c: policy_scan.l y.tab.c
> >         $(LEX) policy_scan.l
> >
> > +.PHONY: test
> > +test: checkpolicy
> > +       ./tests/test_roundtrip.sh
> > +
> >  install: all
> >         -mkdir -p $(DESTDIR)$(BINDIR)
> >         -mkdir -p $(DESTDIR)$(MANDIR)/man8
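
Review bot: the new `test` target shares its name with the existing `test` directory (the `clean` target below runs `$(MAKE) -C test clean`), so the `.PHONY: test` line is what keeps `make test` from being satisfied by the directory already existing; a one-line comment saying so would stop a future cleanup from dropping it. If `test/` has a runnable suite of its own, consider chaining it from this target so that `make test` is the single entry point for both.
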
> > @@ -68,7 +72,7 @@ relabel: install
> >         /sbin/restorecon $(DESTDIR)$(BINDIR)/checkmodule
> >
> >  clean:
> > -       -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c
> > +       -rm -f $(TARGETS) $(CHECKPOLOBJS) $(CHECKMODOBJS) y.tab.c y.tab.h lex.yy.c tests/testpol.conf tests/testpol.bin
> >         $(MAKE) -C test clean
> >
> >  indent:
> > diff --git a/checkpolicy/tests/policy_allonce.conf b/checkpolicy/tests/policy_allonce.conf
> > new file mode 100644
> > index 00000000..34e6402d
> > --- /dev/null
> > +++ b/checkpolicy/tests/policy_allonce.conf
> > @@ -0,0 +1,79 @@
> > +# handle_unknown deny
> > +class CLASS1
> > +class CLASS2
> > +class CLASS3
> > +class dir
> > +class file
> > +class process
> > +sid kernel
> > +common COMMON1 { CPERM1 }
> > +class CLASS1 { PERM1 ioctl }
> > +class CLASS2 inherits COMMON1
> > +class CLASS3 inherits COMMON1 { PERM1 }
> > +default_user { CLASS1 } source;
> > +default_role { CLASS2 } target;
> > +default_type { CLASS3 } source;
> > +policycap open_perms;
> > +attribute ATTR1;
> > +attribute ATTR2;
> > +expandattribute ATTR1 true;
> > +expandattribute ATTR2 false;
> > +type TYPE1;
> > +type TYPE2, ATTR1;
> > +type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
> > +type TYPE4 alias TYPEALIAS4, ATTR2;
> > +typealias TYPE1 alias TYPEALIAS1;
> > +typeattribute TYPE1 ATTR1;
> > +typebounds TYPE4 TYPE3;
> > +bool BOOL1 true;
> > +tunable TUNABLE1 false;
> > +tunable TUNABLE2 true;
> > +type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
> > +type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
> > +type_member TYPE1 TYPE2 : CLASS1 TYPE2;
> > +type_change TYPE1 TYPE2 : CLASS1 TYPE3;
> > +allow TYPE1 self : CLASS1 { PERM1 };
> > +auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
> > +dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
> > +neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
> > +allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
> > +auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
> > +dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
> > +neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
> > +permissive TYPE1;
> > +attribute_role ROLE_ATTR1;
> > +role ROLE1;
> > +role ROLE3;
> > +role ROLE2, ROLE_ATTR1;
> > +role_transition ROLE1 TYPE1 ROLE2;
> > +role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
> > +allow ROLE1 ROLE2;
> > +roleattribute ROLE3 ROLE_ATTR1;
> > +role ROLE1 types { TYPE1 };
> > +if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
> > +if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
> > +optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
> > +user USER1 roles ROLE1;
> > +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> > +# sameuser will be turned into (u1 == u2)
> > +validatetrans CLASS2 sameuser and t3 == ATTR1;
> > +sid kernel USER1:ROLE1:TYPE1
> > +# fscon statements are not dumped
> > +fscon 2 3 USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
> > +fs_use_xattr btrfs USER1:ROLE1:TYPE1;
> > +fs_use_trans devpts USER1:ROLE1:TYPE1;
> > +fs_use_task pipefs USER1:ROLE1:TYPE1;
> > +# paths will be turned into quoted strings
> > +genfscon proc / -d USER1:ROLE1:TYPE1
> > +genfscon proc "/file1" -- USER1:ROLE1:TYPE1
> > +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
> > +portcon tcp 80 USER1:ROLE1:TYPE1
> > +portcon udp 100-200 USER1:ROLE1:TYPE1
> > +netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
> > +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
> > +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
> > +# hex numbers will be turned in decimal ones
> > +ibpkeycon fe80:: 0xFFFF USER1:ROLE1:TYPE1
> > +ibpkeycon fe80:: 0-0x10 USER1:ROLE1:TYPE1
> > +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
> > +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1
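
Review bot: several statements in this input are deliberately absent from policy_allonce.expected.conf, but only the dropped `fscon` is commented. Also not carried over are the `neverallow`/`neverallowxperm` rules, both `tunable`s together with the `if TUNABLE1 xor TUNABLE2` block (which collapses to the plain `allow TYPE1 self:CLASS2 { CPERM1 };`), the `optional { require ... }` wrapper, `attribute_role`/`roleattribute`, and the ATTR1 memberships (`type TYPE2, ATTR1;` and `typeattribute TYPE1 ATTR1;`, presumably because of `expandattribute ATTR1 true;`, while `typeattribute TYPE4 ATTR2;` survives). A comment per dropped group, like the one for `fscon`, would let a future change in the expected file be judged as intended or not. Minor: "turned in decimal ones" should read "turned into decimal ones" (the same comment appears in policy_allonce_mls.conf).
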
> > diff --git a/checkpolicy/tests/policy_allonce.expected.conf b/checkpolicy/tests/policy_allonce.expected.conf
> > new file mode 100644
> > index 00000000..63739e1f
> > --- /dev/null
> > +++ b/checkpolicy/tests/policy_allonce.expected.conf
> > @@ -0,0 +1,76 @@
> > +# handle_unknown deny
> > +class CLASS1
> > +class CLASS2
> > +class CLASS3
> > +class dir
> > +class file
> > +class process
> > +sid kernel
> > +common COMMON1 { CPERM1 }
> > +class CLASS1 { PERM1 ioctl }
> > +class CLASS2 inherits COMMON1
> > +class CLASS3 inherits COMMON1 { PERM1 }
> > +default_user { CLASS1 } source;
> > +default_role { CLASS2 } target;
> > +default_type { CLASS3 } source;
> > +policycap open_perms;
> > +attribute ATTR1;
> > +attribute ATTR2;
> > +bool BOOL1 true;
> > +type TYPE1;
> > +type TYPE2;
> > +type TYPE3;
> > +type TYPE4;
> > +typealias TYPE1 alias TYPEALIAS1;
> > +typealias TYPE3 alias TYPEALIAS3A;
> > +typealias TYPE3 alias TYPEALIAS3B;
> > +typealias TYPE4 alias TYPEALIAS4;
> > +typebounds TYPE4 TYPE3;
> > +typeattribute TYPE4 ATTR2;
> > +permissive TYPE1;
> > +allow TYPE1 self:CLASS1 { PERM1 };
> > +allow TYPE1 self:CLASS2 { CPERM1 };
> > +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> > +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> > +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> > +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> > +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
> > +auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
> > +dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
> > +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> > +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +if (BOOL1) {
> > +} else {
> > +    allow TYPE1 self:CLASS1 { PERM1 ioctl };
> > +}
> > +role ROLE1;
> > +role ROLE2;
> > +role ROLE3;
> > +role ROLE1 types { TYPE1 };
> > +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> > +role_transition ROLE1 TYPE1:process ROLE2;
> > +allow ROLE1 ROLE2;
> > +user USER1 roles ROLE1;
> > +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> > +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> > +sid kernel USER1:ROLE1:TYPE1
> > +fs_use_xattr btrfs USER1:ROLE1:TYPE1;
> > +fs_use_trans devpts USER1:ROLE1:TYPE1;
> > +fs_use_task pipefs USER1:ROLE1:TYPE1;
> > +genfscon proc "/" -d USER1:ROLE1:TYPE1
> > +genfscon proc "/file1" -- USER1:ROLE1:TYPE1
> > +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
> > +portcon tcp 80 USER1:ROLE1:TYPE1
> > +portcon udp 100-200 USER1:ROLE1:TYPE1
> > +netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
> > +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
> > +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
> > +ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1
> > +ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1
> > +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
> > +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1
> > diff --git a/checkpolicy/tests/policy_allonce.expected_opt.conf b/checkpolicy/tests/policy_allonce.expected_opt.conf
> > new file mode 100644
> > index 00000000..1c969961
> > --- /dev/null
> > +++ b/checkpolicy/tests/policy_allonce.expected_opt.conf
> > @@ -0,0 +1,76 @@
> > +# handle_unknown deny
> > +class CLASS1
> > +class CLASS2
> > +class CLASS3
> > +class dir
> > +class file
> > +class process
> > +sid kernel
> > +common COMMON1 { CPERM1 }
> > +class CLASS1 { PERM1 ioctl }
> > +class CLASS2 inherits COMMON1
> > +class CLASS3 inherits COMMON1 { PERM1 }
> > +default_user { CLASS1 } source;
> > +default_role { CLASS2 } target;
> > +default_type { CLASS3 } source;
> > +policycap open_perms;
> > +attribute ATTR1;
> > +attribute ATTR2;
> > +bool BOOL1 true;
> > +type TYPE1;
> > +type TYPE2;
> > +type TYPE3;
> > +type TYPE4;
> > +typealias TYPE1 alias TYPEALIAS1;
> > +typealias TYPE3 alias TYPEALIAS3A;
> > +typealias TYPE3 alias TYPEALIAS3B;
> > +typealias TYPE4 alias TYPEALIAS4;
> > +typebounds TYPE4 TYPE3;
> > +typeattribute TYPE4 ATTR2;
> > +permissive TYPE1;
> > +allow TYPE1 self:CLASS1 { PERM1 };
> > +allow TYPE1 self:CLASS2 { CPERM1 };
> > +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> > +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> > +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> > +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> > +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
> > +auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
> > +dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
> > +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> > +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +if (BOOL1) {
> > +} else {
> > +    allow TYPE1 self:CLASS1 { ioctl };
> > +}
> > +role ROLE1;
> > +role ROLE2;
> > +role ROLE3;
> > +role ROLE1 types { TYPE1 };
> > +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> > +role_transition ROLE1 TYPE1:process ROLE2;
> > +allow ROLE1 ROLE2;
> > +user USER1 roles ROLE1;
> > +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> > +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> > +sid kernel USER1:ROLE1:TYPE1
> > +fs_use_xattr btrfs USER1:ROLE1:TYPE1;
> > +fs_use_trans devpts USER1:ROLE1:TYPE1;
> > +fs_use_task pipefs USER1:ROLE1:TYPE1;
> > +genfscon proc "/" -d USER1:ROLE1:TYPE1
> > +genfscon proc "/file1" -- USER1:ROLE1:TYPE1
> > +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1
> > +portcon tcp 80 USER1:ROLE1:TYPE1
> > +portcon udp 100-200 USER1:ROLE1:TYPE1
> > +netifcon lo USER1:ROLE1:TYPE1 USER1:ROLE1:TYPE1
> > +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1
> > +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1
> > +ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1
> > +ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1
> > +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1
> > +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1
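
Review bot: this file differs from policy_allonce.expected.conf in a single line (`allow TYPE1 self:CLASS1 { ioctl };` in the `else` branch, where the unoptimized dump has `{ PERM1 ioctl }` because `PERM1` is already granted unconditionally); the `_mls` pair differs in the same one line and the `_xen` pair only in the conditional block disappearing entirely. Keeping a full second copy means every statement added to an input later has to be mirrored in two 60-to-90-line expected files that can silently drift apart. Since these files cannot carry comments (they must match the dumper's output byte for byte), consider deriving the `_opt` variant from the base expected file inside test_roundtrip.sh, or documenting the single intended difference there.
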
> > diff --git a/checkpolicy/tests/policy_allonce_mls.conf b/checkpolicy/tests/policy_allonce_mls.conf
> > new file mode 100644
> > index 00000000..c88616b3
> > --- /dev/null
> > +++ b/checkpolicy/tests/policy_allonce_mls.conf
> > @@ -0,0 +1,91 @@
> > +# handle_unknown deny
> > +class CLASS1
> > +class CLASS2
> > +class CLASS3
> > +class dir
> > +class file
> > +class process
> > +sid kernel
> > +common COMMON1 { CPERM1 }
> > +class CLASS1 { PERM1 ioctl }
> > +class CLASS2 inherits COMMON1
> > +class CLASS3 inherits COMMON1 { PERM1 }
> > +default_user { CLASS1 } source;
> > +default_role { CLASS2 } target;
> > +default_type { CLASS3 } source;
> > +sensitivity s0;
> > +sensitivity s1;
> > +sensitivity s2 alias SENSALIAS;
> > +dominance { s0 s1 SENSALIAS }
> > +category c0;
> > +category c1 alias CATALIAS;
> > +level s0:c0;
> > +level s1:c0,c1;
> > +level s2;
> > +mlsconstrain CLASS1 { PERM1 } l1 == l2;
> > +mlsvalidatetrans CLASS1 r1 domby r2 and l1 incomp h2;
> > +policycap open_perms;
> > +attribute ATTR1;
> > +attribute ATTR2;
> > +expandattribute ATTR1 true;
> > +expandattribute ATTR2 false;
> > +type TYPE1;
> > +type TYPE2, ATTR1;
> > +type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
> > +type TYPE4 alias TYPEALIAS4, ATTR2;
> > +typealias TYPE1 alias TYPEALIAS1;
> > +typeattribute TYPE1 ATTR1;
> > +typebounds TYPE4 TYPE3;
> > +bool BOOL1 true;
> > +tunable TUNABLE1 false;
> > +tunable TUNABLE2 true;
> > +type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
> > +type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
> > +type_member TYPE1 TYPE2 : CLASS1 TYPE2;
> > +type_change TYPE1 TYPE2 : CLASS1 TYPE3;
> > +range_transition TYPE1 TYPE2 : CLASS1 s1:c0.c1;
> > +allow TYPE1 self : CLASS1 { PERM1 };
> > +auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
> > +dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
> > +neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
> > +allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1;
> > +auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2;
> > +dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3;
> > +neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4;
> > +permissive TYPE1;
> > +attribute_role ROLE_ATTR1;
> > +role ROLE1;
> > +role ROLE3;
> > +role ROLE2, ROLE_ATTR1;
> > +role_transition ROLE1 TYPE1 ROLE2;
> > +role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
> > +allow ROLE1 ROLE2;
> > +roleattribute ROLE3 ROLE_ATTR1;
> > +role ROLE1 types { TYPE1 };
> > +if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
> > +if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
> > +optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
> > +user USER1 roles ROLE1 level s0 range s0 - s1:c0.c1;
> > +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> > +# sameuser will be turned into (u1 == u2)
> > +validatetrans CLASS2 sameuser and t3 == ATTR1;
> > +sid kernel USER1:ROLE1:TYPE1:s0 - s1:c0.c1
> > +# fscon statements are not dumped
> > +fscon 2 3 USER1:ROLE1:TYPE1:s0 USER1:ROLE1:TYPE1:s0
> > +fs_use_xattr btrfs USER1:ROLE1:TYPE1:s0 - s1:c0.CATALIAS;
> > +fs_use_trans devpts USER1:ROLE1:TYPE1:s0 - s0;
> > +fs_use_task pipefs USER1:ROLE1:TYPE1:s0 - s1;
> > +# paths will be turned into quoted strings
> > +genfscon proc / -d USER1:ROLE1:TYPE1:s0
> > +genfscon proc "/file1" -- USER1:ROLE1:TYPE1:s0
> > +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1:s0
> > +portcon tcp 80 USER1:ROLE1:TYPE1:s0
> > +portcon udp 100-200 USER1:ROLE1:TYPE1:s0
> > +netifcon lo USER1:ROLE1:TYPE1:s0 USER1:ROLE1:TYPE1:s0
> > +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1:s0
> > +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1:s0
> > +# hex numbers will be turned in decimal ones
> > +ibpkeycon fe80:: 0xFFFF USER1:ROLE1:TYPE1:s0
> > +ibpkeycon fe80:: 0-0x10 USER1:ROLE1:TYPE1:s0
> > +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1:s0
> > +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1:s0
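
Review bot: the MLS-specific normalizations this input exercises are not called out in its comments the way the quoting and hex cases are: `SENSALIAS` in `dominance` and `CATALIAS` in the `fs_use_xattr` range come back as `s2` and `c1`, the `c0.c1` category ranges come back as `c0,c1`, and every single-level context (`...:s0`) comes back as a `s0 - s0` range in policy_allonce_mls.expected.conf. A comment per case, matching the existing ones, would record which of these is expected dumper behaviour rather than an accident. Same typo as in policy_allonce.conf: "turned in" should be "turned into".
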
> > diff --git a/checkpolicy/tests/policy_allonce_mls.expected.conf b/checkpolicy/tests/policy_allonce_mls.expected.conf
> > new file mode 100644
> > index 00000000..87c36f92
> > --- /dev/null
> > +++ b/checkpolicy/tests/policy_allonce_mls.expected.conf
> > @@ -0,0 +1,88 @@
> > +# handle_unknown deny
> > +class CLASS1
> > +class CLASS2
> > +class CLASS3
> > +class dir
> > +class file
> > +class process
> > +sid kernel
> > +common COMMON1 { CPERM1 }
> > +class CLASS1 { PERM1 ioctl }
> > +class CLASS2 inherits COMMON1
> > +class CLASS3 inherits COMMON1 { PERM1 }
> > +default_user { CLASS1 } source;
> > +default_role { CLASS2 } target;
> > +default_type { CLASS3 } source;
> > +sensitivity s0;
> > +sensitivity s1;
> > +sensitivity s2 alias SENSALIAS;
> > +dominance { s0 s1 s2 }
> > +category c0;
> > +category c1 alias CATALIAS;
> > +level s0:c0;
> > +level s1:c0,c1;
> > +level s2;
> > +mlsconstrain CLASS1 { PERM1 } l1 == l2;
> > +mlsvalidatetrans CLASS1 (r1 domby r2 and l1 incomp h2);
> > +policycap open_perms;
> > +attribute ATTR1;
> > +attribute ATTR2;
> > +bool BOOL1 true;
> > +type TYPE1;
> > +type TYPE2;
> > +type TYPE3;
> > +type TYPE4;
> > +typealias TYPE1 alias TYPEALIAS1;
> > +typealias TYPE3 alias TYPEALIAS3A;
> > +typealias TYPE3 alias TYPEALIAS3B;
> > +typealias TYPE4 alias TYPEALIAS4;
> > +typebounds TYPE4 TYPE3;
> > +typeattribute TYPE4 ATTR2;
> > +permissive TYPE1;
> > +allow TYPE1 self:CLASS1 { PERM1 };
> > +allow TYPE1 self:CLASS2 { CPERM1 };
> > +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> > +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> > +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> > +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> > +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
> > +auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
> > +dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
> > +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> > +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +range_transition TYPE1 TYPE2:CLASS1 s1:c0,c1 - s1:c0,c1;
> > +if (BOOL1) {
> > +} else {
> > +    allow TYPE1 self:CLASS1 { PERM1 ioctl };
> > +}
> > +role ROLE1;
> > +role ROLE2;
> > +role ROLE3;
> > +role ROLE1 types { TYPE1 };
> > +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> > +role_transition ROLE1 TYPE1:process ROLE2;
> > +allow ROLE1 ROLE2;
> > +user USER1 roles ROLE1 level s0 range s0 - s1:c0,c1;
> > +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> > +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> > +sid kernel USER1:ROLE1:TYPE1:s0 - s1:c0,c1
> > +fs_use_xattr btrfs USER1:ROLE1:TYPE1:s0 - s1:c0,c1;
> > +fs_use_trans devpts USER1:ROLE1:TYPE1:s0 - s0;
> > +fs_use_task pipefs USER1:ROLE1:TYPE1:s0 - s1;
> > +genfscon proc "/" -d USER1:ROLE1:TYPE1:s0 - s0
> > +genfscon proc "/file1" -- USER1:ROLE1:TYPE1:s0 - s0
> > +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1:s0 - s0
> > +portcon tcp 80 USER1:ROLE1:TYPE1:s0 - s0
> > +portcon udp 100-200 USER1:ROLE1:TYPE1:s0 - s0
> > +netifcon lo USER1:ROLE1:TYPE1:s0 - s0 USER1:ROLE1:TYPE1:s0 - s0
> > +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1:s0 - s0
> > +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1:s0 - s0
> > +ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1:s0 - s0
> > +ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1:s0 - s0
> > +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1:s0 - s0
> > +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1:s0 - s0
> > diff --git a/checkpolicy/tests/policy_allonce_mls.expected_opt.conf b/checkpolicy/tests/policy_allonce_mls.expected_opt.conf
> > new file mode 100644
> > index 00000000..38176166
> > --- /dev/null
> > +++ b/checkpolicy/tests/policy_allonce_mls.expected_opt.conf
> > @@ -0,0 +1,88 @@
> > +# handle_unknown deny
> > +class CLASS1
> > +class CLASS2
> > +class CLASS3
> > +class dir
> > +class file
> > +class process
> > +sid kernel
> > +common COMMON1 { CPERM1 }
> > +class CLASS1 { PERM1 ioctl }
> > +class CLASS2 inherits COMMON1
> > +class CLASS3 inherits COMMON1 { PERM1 }
> > +default_user { CLASS1 } source;
> > +default_role { CLASS2 } target;
> > +default_type { CLASS3 } source;
> > +sensitivity s0;
> > +sensitivity s1;
> > +sensitivity s2 alias SENSALIAS;
> > +dominance { s0 s1 s2 }
> > +category c0;
> > +category c1 alias CATALIAS;
> > +level s0:c0;
> > +level s1:c0,c1;
> > +level s2;
> > +mlsconstrain CLASS1 { PERM1 } l1 == l2;
> > +mlsvalidatetrans CLASS1 (r1 domby r2 and l1 incomp h2);
> > +policycap open_perms;
> > +attribute ATTR1;
> > +attribute ATTR2;
> > +bool BOOL1 true;
> > +type TYPE1;
> > +type TYPE2;
> > +type TYPE3;
> > +type TYPE4;
> > +typealias TYPE1 alias TYPEALIAS1;
> > +typealias TYPE3 alias TYPEALIAS3A;
> > +typealias TYPE3 alias TYPEALIAS3B;
> > +typealias TYPE4 alias TYPEALIAS4;
> > +typebounds TYPE4 TYPE3;
> > +typeattribute TYPE4 ATTR2;
> > +permissive TYPE1;
> > +allow TYPE1 self:CLASS1 { PERM1 };
> > +allow TYPE1 self:CLASS2 { CPERM1 };
> > +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> > +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> > +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> > +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> > +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 };
> > +auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 };
> > +dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 };
> > +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> > +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +range_transition TYPE1 TYPE2:CLASS1 s1:c0,c1 - s1:c0,c1;
> > +if (BOOL1) {
> > +} else {
> > +    allow TYPE1 self:CLASS1 { ioctl };
> > +}
> > +role ROLE1;
> > +role ROLE2;
> > +role ROLE3;
> > +role ROLE1 types { TYPE1 };
> > +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> > +role_transition ROLE1 TYPE1:process ROLE2;
> > +allow ROLE1 ROLE2;
> > +user USER1 roles ROLE1 level s0 range s0 - s1:c0,c1;
> > +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> > +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> > +sid kernel USER1:ROLE1:TYPE1:s0 - s1:c0,c1
> > +fs_use_xattr btrfs USER1:ROLE1:TYPE1:s0 - s1:c0,c1;
> > +fs_use_trans devpts USER1:ROLE1:TYPE1:s0 - s0;
> > +fs_use_task pipefs USER1:ROLE1:TYPE1:s0 - s1;
> > +genfscon proc "/" -d USER1:ROLE1:TYPE1:s0 - s0
> > +genfscon proc "/file1" -- USER1:ROLE1:TYPE1:s0 - s0
> > +genfscon proc "/path/to/file" USER1:ROLE1:TYPE1:s0 - s0
> > +portcon tcp 80 USER1:ROLE1:TYPE1:s0 - s0
> > +portcon udp 100-200 USER1:ROLE1:TYPE1:s0 - s0
> > +netifcon lo USER1:ROLE1:TYPE1:s0 - s0 USER1:ROLE1:TYPE1:s0 - s0
> > +nodecon 127.0.0.1 255.255.255.255 USER1:ROLE1:TYPE1:s0 - s0
> > +nodecon ::ffff:127.0.0.1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff USER1:ROLE1:TYPE1:s0 - s0
> > +ibpkeycon fe80:: 65535 USER1:ROLE1:TYPE1:s0 - s0
> > +ibpkeycon fe80:: 0-16 USER1:ROLE1:TYPE1:s0 - s0
> > +ibendportcon mlx4_0 2 USER1:ROLE1:TYPE1:s0 - s0
> > +ibendportcon mlx5_0 1 USER1:ROLE1:TYPE1:s0 - s0
> > diff --git a/checkpolicy/tests/policy_allonce_xen.conf b/checkpolicy/tests/policy_allonce_xen.conf
> > new file mode 100644
> > index 00000000..6402683a
> > --- /dev/null
> > +++ b/checkpolicy/tests/policy_allonce_xen.conf
> > @@ -0,0 +1,62 @@
> > +# handle_unknown deny
> > +class CLASS1
> > +class CLASS2
> > +class CLASS3
> > +class dir
> > +class file
> > +class process
> > +sid kernel
> > +common COMMON1 { CPERM1 }
> > +class CLASS1 { PERM1 }
> > +class CLASS2 inherits COMMON1
> > +class CLASS3 inherits COMMON1 { PERM1 }
> > +default_user { CLASS1 } source;
> > +default_role { CLASS2 } target;
> > +default_type { CLASS3 } source;
> > +attribute ATTR1;
> > +attribute ATTR2;
> > +expandattribute ATTR1 true;
> > +expandattribute ATTR2 false;
> > +type TYPE1;
> > +type TYPE2, ATTR1;
> > +type TYPE3 alias { TYPEALIAS3A TYPEALIAS3B };
> > +type TYPE4 alias TYPEALIAS4, ATTR2;
> > +typealias TYPE1 alias TYPEALIAS1;
> > +typeattribute TYPE1 ATTR1;
> > +typebounds TYPE4 TYPE3;
> > +bool BOOL1 true;
> > +tunable TUNABLE1 false;
> > +tunable TUNABLE2 true;
> > +type_transition TYPE1 TYPE2 : CLASS1 TYPE3;
> > +type_transition { TYPE1 TYPE2 } { TYPE3 TYPE4 } : CLASS1 TYPE1 "FILENAME";
> > +type_member TYPE1 TYPE2 : CLASS1 TYPE2;
> > +type_change TYPE1 TYPE2 : CLASS1 TYPE3;
> > +allow TYPE1 self : CLASS1 { PERM1 };
> > +auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 };
> > +dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 };
> > +neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 };
> > +permissive TYPE1;
> > +attribute_role ROLE_ATTR1;
> > +role ROLE1;
> > +role ROLE3;
> > +role ROLE2, ROLE_ATTR1;
> > +role_transition ROLE1 TYPE1 ROLE2;
> > +role_transition ROLE1 TYPE1 : CLASS1 ROLE2;
> > +allow ROLE1 ROLE2;
> > +roleattribute ROLE3 ROLE_ATTR1;
> > +role ROLE1 types { TYPE1 };
> > +if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
> > +if TUNABLE1 xor TUNABLE2 { allow TYPE1 self: CLASS2 *; } else { allow TYPE1 self: CLASS3 *; }
> > +optional { require { class CLASS2 { CPERM1 }; } allow TYPE1 self: CLASS2 *; }
> > +policycap open_perms;
> > +user USER1 roles ROLE1;
> > +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> > +validatetrans CLASS2 sameuser and t3 == ATTR1;
> > +sid kernel USER1:ROLE1:TYPE1
> > +pirqcon 13 USER1:ROLE1:TYPE1
> > +iomemcon 13 USER1:ROLE1:TYPE1
> > +iomemcon 23-31 USER1:ROLE1:TYPE1
> > +ioportcon 13 USER1:ROLE1:TYPE1
> > +ioportcon 23-31 USER1:ROLE1:TYPE1
> > +pcidevicecon 13 USER1:ROLE1:TYPE1
> > +devicetreecon "/path/to/device" USER1:ROLE1:TYPE1
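
Review bot: two silent rewrites in this Xen input deserve a comment, since neither is obvious from the file itself: `sid kernel` (declared and assigned here) comes back as `sid xen` in policy_allonce_xen.expected.conf, and the decimal `iomemcon`/`ioportcon`/`pcidevicecon` values `13` and `23-31` come back as hex `0xd` and `0x17-0x1f`, the opposite direction from the `ibpkeycon` case in policy_allonce.conf where hex is turned into decimal. If the `sid kernel` to `sid xen` rename is the intended dumper behaviour for `--target xen`, stating so here avoids a reader taking it for a test bug; if it is not, the input could declare `sid xen` directly so the expected file is the identity.
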
> > diff --git a/checkpolicy/tests/policy_allonce_xen.expected.conf b/checkpolicy/tests/policy_allonce_xen.expected.conf
> > new file mode 100644
> > index 00000000..a4573ccb
> > --- /dev/null
> > +++ b/checkpolicy/tests/policy_allonce_xen.expected.conf
> > @@ -0,0 +1,65 @@
> > +# handle_unknown deny
> > +class CLASS1
> > +class CLASS2
> > +class CLASS3
> > +class dir
> > +class file
> > +class process
> > +sid xen
> > +common COMMON1 { CPERM1 }
> > +class CLASS1 { PERM1 }
> > +class CLASS2 inherits COMMON1
> > +class CLASS3 inherits COMMON1 { PERM1 }
> > +default_user { CLASS1 } source;
> > +default_role { CLASS2 } target;
> > +default_type { CLASS3 } source;
> > +policycap open_perms;
> > +attribute ATTR1;
> > +attribute ATTR2;
> > +bool BOOL1 true;
> > +type TYPE1;
> > +type TYPE2;
> > +type TYPE3;
> > +type TYPE4;
> > +typealias TYPE1 alias TYPEALIAS1;
> > +typealias TYPE3 alias TYPEALIAS3A;
> > +typealias TYPE3 alias TYPEALIAS3B;
> > +typealias TYPE4 alias TYPEALIAS4;
> > +typebounds TYPE4 TYPE3;
> > +typeattribute TYPE4 ATTR2;
> > +permissive TYPE1;
> > +allow TYPE1 self:CLASS1 { PERM1 };
> > +allow TYPE1 self:CLASS2 { CPERM1 };
> > +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> > +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> > +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> > +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> > +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> > +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +if (BOOL1) {
> > +} else {
> > +    allow TYPE1 self:CLASS1 { PERM1 };
> > +}
> > +role ROLE1;
> > +role ROLE2;
> > +role ROLE3;
> > +role ROLE1 types { TYPE1 };
> > +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> > +role_transition ROLE1 TYPE1:process ROLE2;
> > +allow ROLE1 ROLE2;
> > +user USER1 roles ROLE1;
> > +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> > +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> > +sid xen USER1:ROLE1:TYPE1
> > +pirqcon 13 USER1:ROLE1:TYPE1
> > +iomemcon 0xd USER1:ROLE1:TYPE1
> > +iomemcon 0x17-0x1f USER1:ROLE1:TYPE1
> > +ioportcon 0xd USER1:ROLE1:TYPE1
> > +ioportcon 0x17-0x1f USER1:ROLE1:TYPE1
> > +pcidevicecon 0xd USER1:ROLE1:TYPE1
> > +devicetreecon "/path/to/device" USER1:ROLE1:TYPE1
> > diff --git a/checkpolicy/tests/policy_allonce_xen.expected_opt.conf b/checkpolicy/tests/policy_allonce_xen.expected_opt.conf
> > new file mode 100644
> > index 00000000..8fd3b226
> > --- /dev/null
> > +++ b/checkpolicy/tests/policy_allonce_xen.expected_opt.conf
> > @@ -0,0 +1,61 @@
> > +# handle_unknown deny
> > +class CLASS1
> > +class CLASS2
> > +class CLASS3
> > +class dir
> > +class file
> > +class process
> > +sid xen
> > +common COMMON1 { CPERM1 }
> > +class CLASS1 { PERM1 }
> > +class CLASS2 inherits COMMON1
> > +class CLASS3 inherits COMMON1 { PERM1 }
> > +default_user { CLASS1 } source;
> > +default_role { CLASS2 } target;
> > +default_type { CLASS3 } source;
> > +policycap open_perms;
> > +attribute ATTR1;
> > +attribute ATTR2;
> > +bool BOOL1 true;
> > +type TYPE1;
> > +type TYPE2;
> > +type TYPE3;
> > +type TYPE4;
> > +typealias TYPE1 alias TYPEALIAS1;
> > +typealias TYPE3 alias TYPEALIAS3A;
> > +typealias TYPE3 alias TYPEALIAS3B;
> > +typealias TYPE4 alias TYPEALIAS4;
> > +typebounds TYPE4 TYPE3;
> > +typeattribute TYPE4 ATTR2;
> > +permissive TYPE1;
> > +allow TYPE1 self:CLASS1 { PERM1 };
> > +allow TYPE1 self:CLASS2 { CPERM1 };
> > +auditallow TYPE1 TYPE3:CLASS1 { PERM1 };
> > +auditallow TYPE2 TYPE3:CLASS1 { PERM1 };
> > +dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 };
> > +dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 };
> > +type_transition TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_member TYPE1 TYPE2:CLASS1 TYPE2;
> > +type_change TYPE1 TYPE2:CLASS1 TYPE3;
> > +type_transition TYPE1 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE1 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE3:CLASS1 TYPE1 "FILENAME";
> > +type_transition TYPE2 TYPE4:CLASS1 TYPE1 "FILENAME";
> > +role ROLE1;
> > +role ROLE2;
> > +role ROLE3;
> > +role ROLE1 types { TYPE1 };
> > +role_transition ROLE1 TYPE1:CLASS1 ROLE2;
> > +role_transition ROLE1 TYPE1:process ROLE2;
> > +allow ROLE1 ROLE2;
> > +user USER1 roles ROLE1;
> > +constrain CLASS1 { PERM1 } (u1 == u2 or (r1 == r2 and t1 == t2));
> > +validatetrans CLASS2 (u1 == u2 and t3 == ATTR1);
> > +sid xen USER1:ROLE1:TYPE1
> > +pirqcon 13 USER1:ROLE1:TYPE1
> > +iomemcon 0xd USER1:ROLE1:TYPE1
> > +iomemcon 0x17-0x1f USER1:ROLE1:TYPE1
> > +ioportcon 0xd USER1:ROLE1:TYPE1
> > +ioportcon 0x17-0x1f USER1:ROLE1:TYPE1
> > +pcidevicecon 0xd USER1:ROLE1:TYPE1
> > +devicetreecon "/path/to/device" USER1:ROLE1:TYPE1
> > diff --git a/checkpolicy/tests/policy_minimal.conf b/checkpolicy/tests/policy_minimal.conf
> > new file mode 100644
> > index 00000000..e8cff6df
> > --- /dev/null
> > +++ b/checkpolicy/tests/policy_minimal.conf
> > @@ -0,0 +1,10 @@
> > +# handle_unknown deny
> > +class CLASS1
> > +sid kernel
> > +class CLASS1 { PERM1 }
> > +type TYPE1;
> > +allow TYPE1 self:CLASS1 { PERM1 };
> > +role ROLE1;
> > +role ROLE1 types { TYPE1 };
> > +user USER1 roles ROLE1;
> > +sid kernel USER1:ROLE1:TYPE1
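
Review bot: this file and policy_minimal_mls.conf are passed to check_policy as both input and expected output, so unlike the `_allonce` inputs they cannot carry explanatory comments without failing the `diff -u`, and they have to stay byte-identical to the dumper's formatting (`self:CLASS1` without spaces, `# handle_unknown deny` as the first line). That constraint is not visible from the files themselves; a comment in test_roundtrip.sh next to the `policy_minimal*` calls would save the next person who tidies them.
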
> > diff --git a/checkpolicy/tests/policy_minimal_mls.conf b/checkpolicy/tests/policy_minimal_mls.conf
> > new file mode 100644
> > index 00000000..9ea65169
> > --- /dev/null
> > +++ b/checkpolicy/tests/policy_minimal_mls.conf
> > @@ -0,0 +1,15 @@
> > +# handle_unknown deny
> > +class CLASS1
> > +sid kernel
> > +class CLASS1 { PERM1 }
> > +sensitivity s0;
> > +dominance { s0 }
> > +category c0;
> > +level s0:c0;
> > +mlsconstrain CLASS1 { PERM1 } l1 == l2;
> > +type TYPE1;
> > +allow TYPE1 self:CLASS1 { PERM1 };
> > +role ROLE1;
> > +role ROLE1 types { TYPE1 };
> > +user USER1 roles ROLE1 level s0 range s0 - s0:c0;
> > +sid kernel USER1:ROLE1:TYPE1:s0 - s0
> > diff --git a/checkpolicy/tests/test_roundtrip.sh b/checkpolicy/tests/test_roundtrip.sh
> > new file mode 100755
> > index 00000000..d05b36bb
> > --- /dev/null
> > +++ b/checkpolicy/tests/test_roundtrip.sh
> > @@ -0,0 +1,41 @@
> > +#!/bin/sh
> > +
> > +set -eu
> > +
> > +BASEDIR=$(dirname "$0")
> > +CHECKPOLICY="${BASEDIR}/../checkpolicy"
> > +
> > +check_policy() {
> > +       POLICY=$1
> > +       EXPECTED=$2
> > +       OPTS=$3
> > +
> > +       echo "==== Testing ${1}"
> > +
> > +       ${CHECKPOLICY} ${OPTS} "${BASEDIR}/${POLICY}" -o "${BASEDIR}/testpol.bin"
> > +       ${CHECKPOLICY} ${OPTS} -b -F "${BASEDIR}/testpol.bin" -o "${BASEDIR}/testpol.conf"
> > +       diff -u "${BASEDIR}/${EXPECTED}" "${BASEDIR}/testpol.conf"
> > +
> > +       ${CHECKPOLICY} ${OPTS} "${BASEDIR}/${EXPECTED}" -o "${BASEDIR}/testpol.bin"
> > +       ${CHECKPOLICY} ${OPTS} -b -F "${BASEDIR}/testpol.bin" -o "${BASEDIR}/testpol.conf"
> > +       diff -u "${BASEDIR}/${EXPECTED}" "${BASEDIR}/testpol.conf"
> > +
> > +       echo "==== ${1} success"
> > +       echo ""
> > +}
> > +
> > +
> > +check_policy  policy_minimal.conf      policy_minimal.conf                   '-E'
> > +check_policy  policy_minimal.conf      policy_minimal.conf                   '-E -S -O'
> > +
> > +check_policy  policy_minimal_mls.conf  policy_minimal_mls.conf               '-M -E'
> > +check_policy  policy_minimal_mls.conf  policy_minimal_mls.conf               '-M -E -S -O'
> > +
> > +check_policy  policy_allonce.conf      policy_allonce.expected.conf          ''
> > +check_policy  policy_allonce.conf      policy_allonce.expected_opt.conf      '-S -O'
> > +
> > +check_policy  policy_allonce_mls.conf  policy_allonce_mls.expected.conf      '-M'
> > +check_policy  policy_allonce_mls.conf  policy_allonce_mls.expected_opt.conf  '-M -S -O'
> > +
> > +check_policy  policy_allonce_xen.conf  policy_allonce_xen.expected.conf      '--target xen -c 30 -E'
> > +check_policy  policy_allonce_xen.conf  policy_allonce_xen.expected_opt.conf  '--target xen -c 30 -E -S -O'
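
Review bot: check_policy writes to the fixed paths `${BASEDIR}/testpol.bin` and `${BASEDIR}/testpol.conf` and never removes them, so a failing run (which `set -e` aborts mid-function) leaves stale artifacts behind, and two concurrent invocations of `make test` would clobber each other's files. A `trap 'rm -f "${BASEDIR}/testpol.bin" "${BASEDIR}/testpol.conf"' EXIT` near the top, or `mktemp`-based names, would cover both, leaving the `.gitignore` and `clean` additions as belt and braces rather than the only safety net. Minor style points: the two `echo` lines use `${1}` where the function has already named it `${POLICY}`, and the deliberately unquoted `${OPTS}` (needed so `'-M -S -O'` splits into separate arguments) deserves a comment, since an unquoted expansion is otherwise a shellcheck finding.
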
> > --
> > 2.42.0
> >



