On Tue, Jan 12, 2010 at 10:51 PM, Garrett Cooper <[email protected]> wrote:
> On Tue, Jan 12, 2010 at 11:12 AM, Stephen Smalley <[email protected]> wrote:
>> On Tue, 2010-01-12 at 09:26 -0800, Garrett Cooper wrote:
>>> > Also, if you guys can try out this patch for refpolicy/Makefile, I'd
>>> > prefer to check it in (it unifies the RHEL 4.x and `generic' refpolicy
>>> > Make logic):
>>> >
>>> > Index: refpolicy/Makefile
>>> > ===================================================================
>>> > RCS file: 
>>> > /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile,v
>>> > retrieving revision 1.12
>>> > diff -u -r1.12 Makefile
>>> > --- refpolicy/Makefile  8 Jan 2010 09:39:20 -0000       1.12
>>> > +++ refpolicy/Makefile  12 Jan 2010 17:17:27 -0000
>>> > @@ -17,7 +17,7 @@
>>> >  #    with this program; if not, write to the Free Software Foundation, 
>>> > Inc.,
>>> >  #    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>>> >  #
>>> > -# Garrett Cooper, August 2009
>>> > +# Garrett Cooper, January 2010
>>> >  #
>>> >
>>> >  top_srcdir             ?= ../../../../..
>>> > @@ -32,6 +32,7 @@
>>> >
>>> >  DISTRO_VER             := $(shell $(top_srcdir)/scripts/detect_distro.sh 
>>> > $(ARGS))
>>> >
>>> > +# Avoid empty strings.
>>> >  ifeq ($(strip $(DISTRO_VER)),)
>>> >  DISTRO_VER             := generic
>>> >  endif
>>> > @@ -41,10 +42,17 @@
>>> >  POLICY_DEVEL_DIR       ?= $(DESTDIR)/usr/share/selinux/devel
>>> >  SEMODULE               ?= $(DESTDIR)/usr/sbin/semodule
>>> >
>>> > -INSTALL_DIR            := testcases/kernel/security/selinux-testsuite
>>> > +INSTALL_DIR            := testcases/selinux-testsuite/refpolicy
>>> >
>>> >  TEST_POLICY_DIR                := $(abs_srcdir)/policy_files
>>> >
>>> > +# Do we have a special set of policies in the SCM to install?
>>> > +ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/),)
>>> > +TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/$(DISTRO_VER)
>>> > +else
>>> > +TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
>>> > +endif
>>> > +
>>> >  .PHONY: all clean cleanup install load
>>> >
>>> >  CLEAN_DEPS             := cleanup
>>> > @@ -55,34 +63,24 @@
>>> >        -$(SEMODULE) -r test_policy
>>> >        $(RM) -f $(POLICY_DEVEL_DIR)/test_policy.* test_policy.te
>>> >
>>> > -ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/Makefile),)
>>> > -MAKE_TARGETS           :=
>>> > -
>>> > -TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/$(DISTRO_VER)
>>> > -
>>> > -# load remains for backwards compatibility...
>>> > -load:
>>> > -       $(MAKE) -C $(TEST_POLICY_DIR)
>>> > -else
>>> > -
>>> >  MAKE_TARGETS           := test_policy.te
>>> >
>>> > -TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
>>> > -
>>> > -POLICY_FILES           := test_global.te $(filter-out 
>>> > test_global.te,$(notdir
>>> > $(wildcard $(TEST_POLICY_DIR)/*.te)))
>>> > -
>>> >  ifneq ($(CHECKPOLICY_VERS),24)
>>> >  POLICY_FILES           := $(filter-out test_bounds.te,$(POLICY_FILES))
>>> >  endif
>>> >
>>> > +# This is being done to preserve precedence; test_global.te must come 
>>> > first.
>>> > +POLICY_FILES           := test_global.te \
>>> > +                          $(filter-out test_global.te,$(notdir $(wildcard
>>> > $(TEST_POLICY_DIR)/*.te)))
>>> > +
>>> >  load:
>>> > -       @if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
>>> > -           cp -p $(TEST_POLICY_DIR)/test_policy.* $(POLICY_DEVEL_DIR); \
>>> > +       @set -e; if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
>>> > +           cp -p test_policy.* $(POLICY_DEVEL_DIR); \
>>> >            $(MAKE) -C $(POLICY_DEVEL_DIR) clean; \
>>> >            $(MAKE) -C $(POLICY_DEVEL_DIR) test_policy.pp; \
>>> >            $(SEMODULE) -i $(POLICY_DEVEL_DIR)/test_policy.pp; \
>>> >        else \
>>> > -            echo "ERROR: You must have selinux-policy-devel installed."; 
>>> > \
>>> > +            echo "ERROR: You must have selinux-policy?-devel? 
>>> > installed."; \
>>> >            false; \
>>> >        fi
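Review bot: The `ifneq ($(CHECKPOLICY_VERS),24)` filter now runs before `POLICY_FILES` is defined, so the `POLICY_FILES := test_global.te \ ...` assignment added below it overwrites the result and `test_bounds.te` is no longer dropped when the checkpolicy version is not 24. Move the new `POLICY_FILES` definition, together with its precedence comment, above the `ifneq` block so that the filter-out applies to the populated list. In the `load` recipe, `cp -p test_policy.* $(POLICY_DEVEL_DIR)` leaves the destination unquoted although the `[ -d "$(POLICY_DEVEL_DIR)" ]` test quotes it; writing `"$(POLICY_DEVEL_DIR)"` there keeps the two consistent.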
>>>
>>> There's a stray endif on line 90 of refpolicy/Makefile that needs to
>>> be deleted as well, FYI...
>>
>> Ok.  test policy appears to build (on Fedora) when running make by hand
>> from the refpolicy directory, but you still can't run the tests, either
>> from /opt/ltp or from the source tree.
>>
>> # cd /opt/ltp/testscripts && ./test_selinux.sh
>> Running with security 
>> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> /etc/selinux /opt/ltp
>> /opt/ltp
>> allow_domain_fd_use --> off
>> allow_domain_fd_use exists setting
>> building and installing test_policy module...
>> ./test_selinux.sh: line 92: cd: 
>> /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy: No such file 
>> or directory
>> make: *** No rule to make target `load'.  Stop.
>> Failed to build and load test_policy module, aborting test run.
>> /etc/selinux /opt/ltp
>> /opt/ltp
>>
>> # cd LTP_SRCDIR/testscripts && ./test_selinux.sh
>> Running with security 
>> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> /etc/selinux /home/sds/ltp
>> /home/sds/ltp
>> allow_domain_fd_use --> off
>> allow_domain_fd_use exists setting
>> building and installing test_policy module...
>> make[1]: Entering directory `/usr/share/selinux/devel'
>> rm -fR tmp
>> rm -f *.pp
>> make[1]: Leaving directory `/usr/share/selinux/devel'
>> make[1]: Entering directory `/usr/share/selinux/devel'
>> Compiling targeted test_policy module
>> /usr/bin/checkmodule:  loading policy configuration from tmp/test_policy.tmp
>> /usr/bin/checkmodule:  policy configuration loaded
>> /usr/bin/checkmodule:  writing binary representation (version 10) to 
>> tmp/test_policy.mod
>> Creating targeted test_policy.pp policy package
>> rm tmp/test_policy.mod tmp/test_policy.mod.fc
>> make[1]: Leaving directory `/usr/share/selinux/devel'
>> Successfully built and loaded test_policy module.
>> /etc/selinux 
>> /home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
>> /home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
>> Running the SELinux testsuite...
>> ls: cannot access /home/sds/ltp/testcases/bin: No such file or directory
>> /usr/bin/chcon: cannot access `/home/sds/ltp/testcases/bin': No such file or 
>> directory
>> ./test_selinux.sh: line 119: /home/sds/ltp/bin/ltp-pan: No such file or 
>> directory
>> /usr/bin/chcon: missing operand
>> Try `/usr/bin/chcon --help' for more information.
>> Removing test_policy module...
>> /usr/sbin/semodule -r test_policy
>> rm -f -f /usr/share/selinux/devel/test_policy.* test_policy.te
>> allow_domain_fd_use --> off
>> allow_domain_fd_use exists setting
>> Done.
>>
>> Both test_selinux.sh and tests/runtest.sh need to be updated.
>>
>> --
>> Stephen Smalley
>> National Security Agency
>
>    Ok, next patch then... Let me know how this goes (I took a quick
> look and I didn't see anything suspicious in the test scripts
> themselves..).
> Thanks,
> -Garrett
>
> Index: tests/runtest.sh
> ===================================================================
> RCS file: 
> /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/tests/runtest.sh,v
> retrieving revision 1.2
> diff -u -r1.2 runtest.sh
> --- tests/runtest.sh    6 Apr 2008 10:27:36 -0000       1.2
> +++ tests/runtest.sh    13 Jan 2010 06:49:48 -0000
> @@ -12,7 +12,7 @@
>  global_setup()
>  {
>        # Must be root to run the selinux testsuite
> -       if [ $UID != 0 ]
> +       if [ $(id -ru) -ne 0 ]
>        then
>                echo "FAILED: Must be root to execute this script"
>                exit 1
> @@ -38,14 +38,14 @@
>                exit
>        fi
>
> -       # Save and later restore /tmp's type.
> +       # Save and later restore $TMP's type.
>        # We need to change it's type to work within test domain
> -       SAVETMPTYPE=`ls -Zd /tmp | awk '{ print $4 }' | awk -F: '{ print $3 
> }'`
> -       chcon -t test_file_t /tmp
> +       SAVETMPTYPE=`ls -Zd $TMP | awk '{ print $4 }' | awk -F: '{ print $3 
> }'`
> +       chcon -t test_file_t $TMP
>
> -       mkdir /tmp/selinux > /dev/null 2>&1
> -       chcon -t test_file_t /tmp/selinux
> -       export SELINUXTMPDIR=/tmp/selinux
> +       mkdir $TMP/selinux > /dev/null 2>&1
> +       chcon -t test_file_t $TMP/selinux
> +       export SELINUXTMPDIR=$TMP/selinux
>
>        # It seems LTP wants executables to reside in the
>        # $LTPROOT/testcases/bin directory. However, this directory
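Review bot: `$TMP` comes from the environment and is expanded unquoted in commands that run as root (`chcon -t test_file_t $TMP` and `mkdir $TMP/selinux` here, `rm -rf $TMP/selinux` in the global_cleanup hunk), so a value containing whitespace or glob characters splits into extra operands. Quote every expansion, e.g. `chcon -t test_file_t "$TMP"` and `rm -rf "$TMP/selinux"`. The result of `mkdir ... > /dev/null 2>&1` is also discarded, so a `$TMP/selinux` that already existed and was not created by this script would be relabelled here and recursively removed in cleanup; checking mkdir's exit status, or creating the directory with `mktemp -d`, avoids that. global_setup starts and ends outside this hunk.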
> @@ -61,9 +61,9 @@
>  global_cleanup()
>  {
>
> -       # Restore original type of /tmp
> -       chcon -t $SAVETMPTYPE /tmp
> -       rm -rf /tmp/selinux
> +       # Restore original type of $TMP
> +       chcon -t $SAVETMPTYPE $TMP
> +       rm -rf $TMP/selinux
>
>        # Restore original type of .../testcases/bin directory
>        chcon -t $SAVEBINTYPE $LTPBIN
> @@ -71,6 +71,7 @@
>        exit 0
>  }
>
> +export TMP=${TMP:-/tmp}
>  global_setup
> -./$1/selinux_$1.sh
> +selinux_$1.sh
>  global_cleanup
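Review bot: `selinux_$1.sh` is now resolved through `PATH` instead of a path relative to the script, and it runs as root once global_setup has passed its root check. None of the visible hunks of this file sets `PATH`, so when runtest.sh is started outside test_selinux.sh the command may be missing or resolve to a different file than intended. An explicit path is safer, presumably `"$LTPROOT/testcases/bin/selinux_$1.sh"`, to be confirmed against where the scripts are actually installed. `$1` should also be quoted and checked for being non-empty before it is used to build the command name.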
> Index: ../../../../testscripts/test_selinux.sh
> ===================================================================
> RCS file: /cvsroot/ltp/ltp/testscripts/test_selinux.sh,v
> retrieving revision 1.14
> diff -u -r1.14 test_selinux.sh
> --- ../../../../testscripts/test_selinux.sh     12 Jan 2010 08:35:59 -0000    
>   1.14
> +++ ../../../../testscripts/test_selinux.sh     13 Jan 2010 06:49:48 -0000
> @@ -1,4 +1,4 @@
> -#!/bin/bash
> +#!/bin/sh
>  #
>  # Copyright (c) International Business Machines  Corp., 2005
>  #
> @@ -23,32 +23,33 @@
>  }
>
>  config_allow_domain_fd_use () {
> -    setval=$1
> -    /usr/sbin/getsebool allow_domain_fd_use
> -    getseRC=$?
> -    if [ "$getseRC" -eq "0" ]; then
> -       echo "allow_domain_fd_use exists setting"
> -       /usr/sbin/setsebool allow_domain_fd_use=$setval
> -    fi
> +       setval=$1
> +       if /usr/sbin/getsebool allow_domain_fd_use; then
> +               echo "allow_domain_fd_use exists setting"
> +               /usr/sbin/setsebool allow_domain_fd_use=$setval
> +       fi
>  }
>
>  # Must be root to run the selinux testsuite
> -if [ $UID != 0 ]
> +if [ $(id -ru) -ne 0 ]
>  then
>         echo "FAILED: Must be root to execute this script"
>         exit 1
>  fi
>
>  # set the LTPROOT directory
> -cd `dirname $0`
> -LTPROOT=${PWD}
> -TMP=${TMP:-/tmp}
> -echo $LTPROOT | grep testscripts > /dev/null 2>&1
> -if [ $? -eq 0 ]
> +LTPROOT=${LTPROOT:=${0%/*}}
> +cd "$LTPROOT"
> +export TMP=${TMP:-/tmp}
> +# If we're in the testscripts directory, go down a dir..
> +LTPROOT_TMP=${LTPROOT%/testscripts}
> +if [ "x${LTPROOT_TMP}" != "x${LTPROOT}" ]
>  then
>        cd ..
> -       LTPROOT=${PWD}
> +       LTPROOT=$LTPROOT_TMP
>  fi
> +export LTPROOT
> +unset LTPROOT_TMP
>
>  # set the PATH to include testcase/bin
>
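Review bot: `LTPROOT=${LTPROOT:=${0%/*}}` no longer yields an absolute path: for `./test_selinux.sh` it is `.`, the `%/testscripts` strip then does not match, and LTPROOT keeps pointing at the testscripts directory; when `$0` contains no slash it is the script name itself and `cd "$LTPROOT"` fails unchecked. Because the script runs as root and LTPROOT may now also be inherited from the environment, resolve it after the cd with `cd "$LTPROOT" || exit 1` followed by `LTPROOT=$PWD`, placed before the `%/testscripts` comparison. The added comment `go down a dir` should read `go up a dir`, since the code does `cd ..`.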
> @@ -57,11 +58,8 @@
>
>  # We will store the logfiles in $LTPROOT/results, so make sure
>  # it exists.
> -if [ ! -d $LTPROOT/results ]
> -then
> -       /bin/mkdir $LTPROOT/results
> -fi
> -
> +test -d $LTPROOT/results || /bin/mkdir $LTPROOT/results
> +
>  # Check the role and mode testsuite is being executed under.
>
>  SELINUX_CONTEXT=`/usr/bin/id | sed 's/.* //'`
> @@ -78,10 +76,12 @@
>
>  SEMODULE="/usr/sbin/semodule"
>
> -if [ -f $SEMODULE ]; then
> -    POLICYDIR="$LTPROOT/testcases/selinux-testsuite/refpolicy"
> +POLICYDIR="$LTPROOT/testcases/kernel/security/selinux-testsuite"
> +
> +if [ -x $SEMODULE ]; then
> +       POLICYDIR="$POLICYDIR/refpolicy"
>  else
> -    POLICYDIR="$LTPROOT/testcases/selinux-testsuite/policy"
> +       POLICYDIR="$POLICYDIR/policy"
>  fi
>
>  config_set_expandcheck
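Review bot: The new base `POLICYDIR="$LTPROOT/testcases/kernel/security/selinux-testsuite"` matches the source-tree layout, but the refpolicy Makefile patch quoted earlier in this thread sets `INSTALL_DIR := testcases/selinux-testsuite/refpolicy`, so in an installed tree the later cd into `$POLICYDIR` would presumably still fail as in the reported `/opt/ltp` run. The two paths should be derived from the same layout. The added test should also quote its operand: `if [ -x "$SEMODULE" ]; then`.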
> @@ -137,4 +137,3 @@
>
>  cd $LTPROOT
>  echo "Done."
> -exit 0

    One other thing before I go off for a while ... I think it's a bad
idea to be invoking make as part of the test itself. Do you oppose the
idea of moving load and cleanup into proper Bourne shell scripts, and
then having them run as setup and teardown for the tests? That way: a)
folks can build and install everything into an LTP install tree
without being root, and b) folks that have SELinux support but no make
tools can actually run the tests.
Thanks,
-Garrett
