On Tue, Jan 12, 2010 at 11:12 AM, Stephen Smalley <[email protected]> wrote:
> On Tue, 2010-01-12 at 09:26 -0800, Garrett Cooper wrote:
>> > Also, if you guys can try out this patch for refpolicy/Makefile, I'd
>> > prefer to check it in (it unifies the RHEL 4.x and `generic' refpolicy
>> > Make logic):
>> >
>> > Index: refpolicy/Makefile
>> > ===================================================================
>> > RCS file: 
>> > /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile,v
>> > retrieving revision 1.12
>> > diff -u -r1.12 Makefile
>> > --- refpolicy/Makefile  8 Jan 2010 09:39:20 -0000       1.12
>> > +++ refpolicy/Makefile  12 Jan 2010 17:17:27 -0000
>> > @@ -17,7 +17,7 @@
>> >  #    with this program; if not, write to the Free Software Foundation, 
>> > Inc.,
>> >  #    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>> >  #
>> > -# Garrett Cooper, August 2009
>> > +# Garrett Cooper, January 2010
>> >  #
>> >
>> >  top_srcdir             ?= ../../../../..
>> > @@ -32,6 +32,7 @@
>> >
>> >  DISTRO_VER             := $(shell $(top_srcdir)/scripts/detect_distro.sh 
>> > $(ARGS))
>> >
>> > +# Avoid empty strings.
>> >  ifeq ($(strip $(DISTRO_VER)),)
>> >  DISTRO_VER             := generic
>> >  endif
>> > @@ -41,10 +42,17 @@
>> >  POLICY_DEVEL_DIR       ?= $(DESTDIR)/usr/share/selinux/devel
>> >  SEMODULE               ?= $(DESTDIR)/usr/sbin/semodule
>> >
>> > -INSTALL_DIR            := testcases/kernel/security/selinux-testsuite
>> > +INSTALL_DIR            := testcases/selinux-testsuite/refpolicy
>> >
>> >  TEST_POLICY_DIR                := $(abs_srcdir)/policy_files
>> >
>> > +# Do we have a special set of policies in the SCM to install?
>> > +ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/),)
>> > +TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/$(DISTRO_VER)
>> > +else
>> > +TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
>> > +endif
>> > +
>> >  .PHONY: all clean cleanup install load
>> >
>> >  CLEAN_DEPS             := cleanup
>> > @@ -55,34 +63,24 @@
>> >        -$(SEMODULE) -r test_policy
>> >        $(RM) -f $(POLICY_DEVEL_DIR)/test_policy.* test_policy.te
>> >
>> > -ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/Makefile),)
>> > -MAKE_TARGETS           :=
>> > -
>> > -TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/$(DISTRO_VER)
>> > -
>> > -# load remains for backwards compatibility...
>> > -load:
>> > -       $(MAKE) -C $(TEST_POLICY_DIR)
>> > -else
>> > -
>> >  MAKE_TARGETS           := test_policy.te
>> >
>> > -TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
>> > -
>> > -POLICY_FILES           := test_global.te $(filter-out 
>> > test_global.te,$(notdir
>> > $(wildcard $(TEST_POLICY_DIR)/*.te)))
>> > -
>> >  ifneq ($(CHECKPOLICY_VERS),24)
>> >  POLICY_FILES           := $(filter-out test_bounds.te,$(POLICY_FILES))
>> >  endif
>> >
>> > +# This is being done to preserve precedence; test_global.te must come 
>> > first.
>> > +POLICY_FILES           := test_global.te \
>> > +                          $(filter-out test_global.te,$(notdir $(wildcard
>> > $(TEST_POLICY_DIR)/*.te)))
>> > +
>> >  load:
>> > -       @if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
>> > -           cp -p $(TEST_POLICY_DIR)/test_policy.* $(POLICY_DEVEL_DIR); \
>> > +       @set -e; if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
>> > +           cp -p test_policy.* $(POLICY_DEVEL_DIR); \
>> >            $(MAKE) -C $(POLICY_DEVEL_DIR) clean; \
>> >            $(MAKE) -C $(POLICY_DEVEL_DIR) test_policy.pp; \
>> >            $(SEMODULE) -i $(POLICY_DEVEL_DIR)/test_policy.pp; \
>> >        else \
>> > -            echo "ERROR: You must have selinux-policy-devel installed."; \
>> > +            echo "ERROR: You must have selinux-policy?-devel? 
>> > installed."; \
>> >            false; \
>> >        fi
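Review bot: The `ifneq ($(CHECKPOLICY_VERS),24)` block that filters `test_bounds.te` out of POLICY_FILES now sits before the point where POLICY_FILES is assigned, and the `:=` assignment added below it overwrites the filtered value. As a result test_bounds.te is always included, whatever the checkpolicy version. Moving the `POLICY_FILES := test_global.te \ ...` assignment above the conditional restores the filter. Separately, `load` now copies `test_policy.*` from the current directory, but no prerequisite on `test_policy.te` is visible in this hunk; if none exists elsewhere, `load: test_policy.te` would make the dependency explicit.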
>>
>> There's a stray endif on line 90 of refpolicy/Makefile that needs to
>> be deleted as well, FYI...
>
> Ok.  test policy appears to build (on Fedora) when running make by hand
> from the refpolicy directory, but you still can't run the tests, either
> from /opt/ltp or from the source tree.
>
> # cd /opt/ltp/testscripts && ./test_selinux.sh
> Running with security 
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> /etc/selinux /opt/ltp
> /opt/ltp
> allow_domain_fd_use --> off
> allow_domain_fd_use exists setting
> building and installing test_policy module...
> ./test_selinux.sh: line 92: cd: 
> /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy: No such file 
> or directory
> make: *** No rule to make target `load'.  Stop.
> Failed to build and load test_policy module, aborting test run.
> /etc/selinux /opt/ltp
> /opt/ltp
>
> # cd LTP_SRCDIR/testscripts && ./test_selinux.sh
> Running with security 
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> /etc/selinux /home/sds/ltp
> /home/sds/ltp
> allow_domain_fd_use --> off
> allow_domain_fd_use exists setting
> building and installing test_policy module...
> make[1]: Entering directory `/usr/share/selinux/devel'
> rm -fR tmp
> rm -f *.pp
> make[1]: Leaving directory `/usr/share/selinux/devel'
> make[1]: Entering directory `/usr/share/selinux/devel'
> Compiling targeted test_policy module
> /usr/bin/checkmodule:  loading policy configuration from tmp/test_policy.tmp
> /usr/bin/checkmodule:  policy configuration loaded
> /usr/bin/checkmodule:  writing binary representation (version 10) to 
> tmp/test_policy.mod
> Creating targeted test_policy.pp policy package
> rm tmp/test_policy.mod tmp/test_policy.mod.fc
> make[1]: Leaving directory `/usr/share/selinux/devel'
> Successfully built and loaded test_policy module.
> /etc/selinux 
> /home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
> /home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
> Running the SELinux testsuite...
> ls: cannot access /home/sds/ltp/testcases/bin: No such file or directory
> /usr/bin/chcon: cannot access `/home/sds/ltp/testcases/bin': No such file or 
> directory
> ./test_selinux.sh: line 119: /home/sds/ltp/bin/ltp-pan: No such file or 
> directory
> /usr/bin/chcon: missing operand
> Try `/usr/bin/chcon --help' for more information.
> Removing test_policy module...
> /usr/sbin/semodule -r test_policy
> rm -f -f /usr/share/selinux/devel/test_policy.* test_policy.te
> allow_domain_fd_use --> off
> allow_domain_fd_use exists setting
> Done.
>
> Both test_selinux.sh and tests/runtest.sh need to be updated.
>
> --
> Stephen Smalley
> National Security Agency

    Ok, next patch then... Let me know how this goes (I took a quick
look and I didn't see anything suspicious in the test scripts
themselves..).
Thanks,
-Garrett

Index: tests/runtest.sh
===================================================================
RCS file: 
/cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/tests/runtest.sh,v
retrieving revision 1.2
diff -u -r1.2 runtest.sh
--- tests/runtest.sh    6 Apr 2008 10:27:36 -0000       1.2
+++ tests/runtest.sh    13 Jan 2010 06:49:48 -0000
@@ -12,7 +12,7 @@
 global_setup()
 {
        # Must be root to run the selinux testsuite
-       if [ $UID != 0 ]
+       if [ $(id -ru) -ne 0 ]
        then
                echo "FAILED: Must be root to execute this script"
                exit 1
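Review bot: The new root check `[ $(id -ru) -ne 0 ]` fails open: if `id` prints nothing or a non-numeric value, `[` exits with an error status, the `if` condition is false, and the script carries on as though it were root. Testing for the success case makes the guard fail closed, e.g. `[ "$(id -ru)" = 0 ] || { echo "FAILED: Must be root to execute this script"; exit 1; }`. The same line is added to testscripts/test_selinux.sh later in this patch. global_setup's body continues outside the hunk.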
@@ -38,14 +38,14 @@
                exit
        fi

-       # Save and later restore /tmp's type.
+       # Save and later restore $TMP's type.
        # We need to change it's type to work within test domain
-       SAVETMPTYPE=`ls -Zd /tmp | awk '{ print $4 }' | awk -F: '{ print $3 }'`
-       chcon -t test_file_t /tmp
+       SAVETMPTYPE=`ls -Zd $TMP | awk '{ print $4 }' | awk -F: '{ print $3 }'`
+       chcon -t test_file_t $TMP

-       mkdir /tmp/selinux > /dev/null 2>&1
-       chcon -t test_file_t /tmp/selinux
-       export SELINUXTMPDIR=/tmp/selinux
+       mkdir $TMP/selinux > /dev/null 2>&1
+       chcon -t test_file_t $TMP/selinux
+       export SELINUXTMPDIR=$TMP/selinux
        
        # It seems LTP wants executables to reside in the
        # $LTPROOT/testcases/bin directory. However, this directory
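Review bot: `$TMP` is now taken from the caller's environment and used unquoted by root in `ls -Zd`, `chcon`, `mkdir` and, in the global_cleanup hunk below, `rm -rf`, so a value containing whitespace or glob characters is split into several operands. The fixed name `$TMP/selinux` is created with `mkdir ... > /dev/null 2>&1`, which hides the case where that path already exists in a shared directory; the following `chcon` and the later `rm -rf` then act on whatever is there. Quoting every expansion and creating a private directory would close both gaps, for example `SELINUXTMPDIR=$(mktemp -d "$TMP/selinux.XXXXXX") || exit 1` with `rm -rf "$SELINUXTMPDIR"` in cleanup, assuming the test cases only use `$SELINUXTMPDIR` and not the literal path. global_setup starts and ends outside this hunk.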
@@ -61,9 +61,9 @@
 global_cleanup()
 {

-       # Restore original type of /tmp
-       chcon -t $SAVETMPTYPE /tmp
-       rm -rf /tmp/selinux
+       # Restore original type of $TMP
+       chcon -t $SAVETMPTYPE $TMP
+       rm -rf $TMP/selinux

        # Restore original type of .../testcases/bin directory
        chcon -t $SAVEBINTYPE $LTPBIN
@@ -71,6 +71,7 @@
        exit 0
 }

+export TMP=${TMP:-/tmp}
 global_setup
-./$1/selinux_$1.sh
+selinux_$1.sh
 global_cleanup
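Review bot: `selinux_$1.sh` is now resolved through `PATH` by a script that insists on running as root, and `$1` is used unquoted and unchecked. The hunk does not show `PATH` being set in this file, so which file runs depends on the caller's environment. An explicit location such as `"$LTPBIN/selinux_$1.sh"` would make it deterministic, if that is where the scripts are installed, which is not visible here. Because `global_cleanup` appears to end with `exit 0`, a failure of the test script is also not reflected in runtest.sh's exit status.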
Index: ../../../../testscripts/test_selinux.sh
===================================================================
RCS file: /cvsroot/ltp/ltp/testscripts/test_selinux.sh,v
retrieving revision 1.14
diff -u -r1.14 test_selinux.sh
--- ../../../../testscripts/test_selinux.sh     12 Jan 2010 08:35:59 -0000      
1.14
+++ ../../../../testscripts/test_selinux.sh     13 Jan 2010 06:49:48 -0000
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 #
 # Copyright (c) International Business Machines  Corp., 2005
 #
@@ -23,32 +23,33 @@
 }

 config_allow_domain_fd_use () {
-    setval=$1
-    /usr/sbin/getsebool allow_domain_fd_use
-    getseRC=$?
-    if [ "$getseRC" -eq "0" ]; then
-       echo "allow_domain_fd_use exists setting"
-       /usr/sbin/setsebool allow_domain_fd_use=$setval
-    fi
+       setval=$1
+       if /usr/sbin/getsebool allow_domain_fd_use; then
+               echo "allow_domain_fd_use exists setting"
+               /usr/sbin/setsebool allow_domain_fd_use=$setval
+       fi
 }

 # Must be root to run the selinux testsuite
-if [ $UID != 0 ]
+if [ $(id -ru) -ne 0 ]
 then
         echo "FAILED: Must be root to execute this script"
         exit 1
 fi

 # set the LTPROOT directory
-cd `dirname $0`
-LTPROOT=${PWD}
-TMP=${TMP:-/tmp}
-echo $LTPROOT | grep testscripts > /dev/null 2>&1
-if [ $? -eq 0 ]
+LTPROOT=${LTPROOT:=${0%/*}}
+cd "$LTPROOT"
+export TMP=${TMP:-/tmp}
+# If we're in the testscripts directory, go down a dir..
+LTPROOT_TMP=${LTPROOT%/testscripts}
+if [ "x${LTPROOT_TMP}" != "x${LTPROOT}" ]
 then
        cd ..
-       LTPROOT=${PWD}
+       LTPROOT=$LTPROOT_TMP
 fi
+export LTPROOT
+unset LTPROOT_TMP

 # set the PATH to include testcase/bin

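Review bot: `LTPROOT=${LTPROOT:=${0%/*}}` no longer produces an absolute path. When the script is started as `./test_selinux.sh` from the testscripts directory, as in the runs quoted earlier in the thread, `${0%/*}` is `.`, the `%/testscripts` strip changes nothing, and LTPROOT stays `.` while the working directory is still testscripts. When `$0` contains no slash the expansion yields the script name itself and the unchecked `cd "$LTPROOT"` fails. Resolving the directory first keeps the old behaviour: `LTPROOT=${LTPROOT:-$(cd "$(dirname "$0")" && pwd)}` followed by `cd "$LTPROOT" || exit 1`. An inherited `LTPROOT` is now also trusted by a root-only script, which deserves a comment next to the assignment.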
@@ -57,11 +58,8 @@

 # We will store the logfiles in $LTPROOT/results, so make sure
 # it exists.
-if [ ! -d $LTPROOT/results ]
-then
-       /bin/mkdir $LTPROOT/results
-fi
-       
+test -d $LTPROOT/results || /bin/mkdir $LTPROOT/results
+
 # Check the role and mode testsuite is being executed under.

 SELINUX_CONTEXT=`/usr/bin/id | sed 's/.* //'`
@@ -78,10 +76,12 @@

 SEMODULE="/usr/sbin/semodule"

-if [ -f $SEMODULE ]; then
-    POLICYDIR="$LTPROOT/testcases/selinux-testsuite/refpolicy"
+POLICYDIR="$LTPROOT/testcases/kernel/security/selinux-testsuite"
+
+if [ -x $SEMODULE ]; then
+       POLICYDIR="$POLICYDIR/refpolicy"
 else
-    POLICYDIR="$LTPROOT/testcases/selinux-testsuite/policy"
+       POLICYDIR="$POLICYDIR/policy"
 fi

 config_set_expandcheck
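Review bot: POLICYDIR now points at `$LTPROOT/testcases/kernel/security/selinux-testsuite/refpolicy`, which is the path the installed run quoted earlier reports as missing (`cd: /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy: No such file or directory`). The refpolicy/Makefile patch in the same thread sets INSTALL_DIR to `testcases/selinux-testsuite/refpolicy`, so this looks right for a source tree but not for an installed one. Either probe both locations with `[ -d ... ]` before choosing, or have the `cd` into `$POLICYDIR` (outside this hunk) abort the run on failure so that `make load` is not attempted from the wrong directory.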
@@ -137,4 +137,3 @@

 cd $LTPROOT
 echo "Done."
-exit 0
