On Wed, 2010-01-13 at 11:37 -0800, Garrett Cooper wrote: > On Wed, Jan 13, 2010 at 11:18 AM, Stephen Smalley <[email protected]> wrote: > > On Wed, 2010-01-13 at 10:52 -0800, Garrett Cooper wrote: > >> On Wed, Jan 13, 2010 at 5:43 AM, Stephen Smalley <[email protected]> > >> wrote: > >> > On Tue, 2010-01-12 at 22:51 -0800, Garrett Cooper wrote: > >> >> On Tue, Jan 12, 2010 at 11:12 AM, Stephen Smalley <[email protected]> > >> >> wrote: > >> >> > On Tue, 2010-01-12 at 09:26 -0800, Garrett Cooper wrote: > >> >> >> > Also, if you guys can try out this patch for refpolicy/Makefile, > >> >> >> > I'd > >> >> >> > prefer to check it in (it unifies the RHEL 4.x and `generic' > >> >> >> > refpolicy > >> >> >> > Make logic): > >> >> >> > > >> >> >> > Index: refpolicy/Makefile > >> >> >> > =================================================================== > >> >> >> > RCS file: > >> >> >> > /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile,v > >> >> >> > retrieving revision 1.12 > >> >> >> > diff -u -r1.12 Makefile > >> >> >> > --- refpolicy/Makefile 8 Jan 2010 09:39:20 -0000 1.12 > >> >> >> > +++ refpolicy/Makefile 12 Jan 2010 17:17:27 -0000 > >> >> >> > @@ -17,7 +17,7 @@ > >> >> >> > # with this program; if not, write to the Free Software > >> >> >> > Foundation, Inc., > >> >> >> > # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. > >> >> >> > # > >> >> >> > -# Garrett Cooper, August 2009 > >> >> >> > +# Garrett Cooper, January 2010 > >> >> >> > # > >> >> >> > > >> >> >> > top_srcdir ?= ../../../../.. > >> >> >> > @@ -32,6 +32,7 @@ > >> >> >> > > >> >> >> > DISTRO_VER := $(shell > >> >> >> > $(top_srcdir)/scripts/detect_distro.sh $(ARGS)) > >> >> >> > > >> >> >> > +# Avoid empty strings. > >> >> >> > ifeq ($(strip $(DISTRO_VER)),) > >> >> >> > DISTRO_VER := generic > >> >> >> > endif > >> >> >> > @@ -41,10 +42,17 @@ > >> >> >> > POLICY_DEVEL_DIR ?= $(DESTDIR)/usr/share/selinux/devel > >> >> >> > SEMODULE ?= $(DESTDIR)/usr/sbin/semodule > >> >> >> > > >> >> >> > -INSTALL_DIR := > >> >> >> > testcases/kernel/security/selinux-testsuite > >> >> >> > +INSTALL_DIR := testcases/selinux-testsuite/refpolicy > >> >> >> > > >> >> >> > TEST_POLICY_DIR := $(abs_srcdir)/policy_files > >> >> >> > > >> >> >> > +# Do we have a special set of policies in the SCM to install? > >> >> >> > +ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/),) > >> >> >> > +TEST_POLICY_DIR := $(TEST_POLICY_DIR)/$(DISTRO_VER) > >> >> >> > +else > >> >> >> > +TEST_POLICY_DIR := $(TEST_POLICY_DIR)/generic > >> >> >> > +endif > >> >> >> > + > >> >> >> > .PHONY: all clean cleanup install load > >> >> >> > > >> >> >> > CLEAN_DEPS := cleanup > >> >> >> > @@ -55,34 +63,24 @@ > >> >> >> > -$(SEMODULE) -r test_policy > >> >> >> > $(RM) -f $(POLICY_DEVEL_DIR)/test_policy.* test_policy.te > >> >> >> > > >> >> >> > -ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/Makefile),) > >> >> >> > -MAKE_TARGETS := > >> >> >> > - > >> >> >> > -TEST_POLICY_DIR := $(TEST_POLICY_DIR)/$(DISTRO_VER) > >> >> >> > - > >> >> >> > -# load remains for backwards compatibility... > >> >> >> > -load: > >> >> >> > - $(MAKE) -C $(TEST_POLICY_DIR) > >> >> >> > -else > >> >> >> > - > >> >> >> > MAKE_TARGETS := test_policy.te > >> >> >> > > >> >> >> > -TEST_POLICY_DIR := $(TEST_POLICY_DIR)/generic > >> >> >> > - > >> >> >> > -POLICY_FILES := test_global.te $(filter-out > >> >> >> > test_global.te,$(notdir > >> >> >> > $(wildcard $(TEST_POLICY_DIR)/*.te))) > >> >> >> > - > >> >> >> > ifneq ($(CHECKPOLICY_VERS),24) > >> >> >> > POLICY_FILES := $(filter-out > >> >> >> > test_bounds.te,$(POLICY_FILES)) > >> >> >> > endif > >> >> >> > > >> >> >> > +# This is being done to preserve precedence; test_global.te must > >> >> >> > come first. > >> >> >> > +POLICY_FILES := test_global.te \ > >> >> >> > + $(filter-out test_global.te,$(notdir > >> >> >> > $(wildcard > >> >> >> > $(TEST_POLICY_DIR)/*.te))) > >> >> >> > + > >> >> >> > load: > >> >> >> > - @if [ -d "$(POLICY_DEVEL_DIR)" ]; then \ > >> >> >> > - cp -p $(TEST_POLICY_DIR)/test_policy.* > >> >> >> > $(POLICY_DEVEL_DIR); \ > >> >> >> > + @set -e; if [ -d "$(POLICY_DEVEL_DIR)" ]; then \ > >> >> >> > + cp -p test_policy.* $(POLICY_DEVEL_DIR); \ > >> >> >> > $(MAKE) -C $(POLICY_DEVEL_DIR) clean; \ > >> >> >> > $(MAKE) -C $(POLICY_DEVEL_DIR) test_policy.pp; \ > >> >> >> > $(SEMODULE) -i $(POLICY_DEVEL_DIR)/test_policy.pp; \ > >> >> >> > else \ > >> >> >> > - echo "ERROR: You must have selinux-policy-devel > >> >> >> > installed."; \ > >> >> >> > + echo "ERROR: You must have selinux-policy?-devel? > >> >> >> > installed."; \ > >> >> >> > false; \ > >> >> >> > fi > >> >> >> > >> >> >> There's a stray endif on line 90 of refpolicy/Makefile that needs to > >> >> >> be deleted as well, FYI... > >> >> > > >> >> > Ok. test policy appears to build (on Fedora) when running make by > >> >> > hand > >> >> > from the refpolicy directory, but you still can't run the tests, > >> >> > either > >> >> > from /opt/ltp or from the source tree. > >> >> > > >> >> > # cd /opt/ltp/testscripts && ./test_selinux.sh > >> >> > Running with security > >> >> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > >> >> > /etc/selinux /opt/ltp > >> >> > /opt/ltp > >> >> > allow_domain_fd_use --> off > >> >> > allow_domain_fd_use exists setting > >> >> > building and installing test_policy module... > >> >> > ./test_selinux.sh: line 92: cd: > >> >> > /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy: No > >> >> > such file or directory > >> >> > make: *** No rule to make target `load'. Stop. > >> >> > Failed to build and load test_policy module, aborting test run. > >> >> > /etc/selinux /opt/ltp > >> >> > /opt/ltp > >> >> > > >> >> > # cd LTP_SRCDIR/testscripts && ./test_selinux.sh > >> >> > Running with security > >> >> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > >> >> > /etc/selinux /home/sds/ltp > >> >> > /home/sds/ltp > >> >> > allow_domain_fd_use --> off > >> >> > allow_domain_fd_use exists setting > >> >> > building and installing test_policy module... > >> >> > make[1]: Entering directory `/usr/share/selinux/devel' > >> >> > rm -fR tmp > >> >> > rm -f *.pp > >> >> > make[1]: Leaving directory `/usr/share/selinux/devel' > >> >> > make[1]: Entering directory `/usr/share/selinux/devel' > >> >> > Compiling targeted test_policy module > >> >> > /usr/bin/checkmodule: loading policy configuration from > >> >> > tmp/test_policy.tmp > >> >> > /usr/bin/checkmodule: policy configuration loaded > >> >> > /usr/bin/checkmodule: writing binary representation (version 10) to > >> >> > tmp/test_policy.mod > >> >> > Creating targeted test_policy.pp policy package > >> >> > rm tmp/test_policy.mod tmp/test_policy.mod.fc > >> >> > make[1]: Leaving directory `/usr/share/selinux/devel' > >> >> > Successfully built and loaded test_policy module. > >> >> > /etc/selinux > >> >> > /home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy > >> >> > /home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy > >> >> > Running the SELinux testsuite... > >> >> > ls: cannot access /home/sds/ltp/testcases/bin: No such file or > >> >> > directory > >> >> > /usr/bin/chcon: cannot access `/home/sds/ltp/testcases/bin': No such > >> >> > file or directory > >> >> > ./test_selinux.sh: line 119: /home/sds/ltp/bin/ltp-pan: No such file > >> >> > or directory > >> >> > /usr/bin/chcon: missing operand > >> >> > Try `/usr/bin/chcon --help' for more information. > >> >> > Removing test_policy module... > >> >> > /usr/sbin/semodule -r test_policy > >> >> > rm -f -f /usr/share/selinux/devel/test_policy.* test_policy.te > >> >> > allow_domain_fd_use --> off > >> >> > allow_domain_fd_use exists setting > >> >> > Done. > >> >> > > >> >> > Both test_selinux.sh and tests/runtest.sh need to be updated. > >> >> > > >> >> > -- > >> >> > Stephen Smalley > >> >> > National Security Agency > >> >> > >> >> Ok, next patch then... Let me know how this goes (I took a quick > >> >> look and I didn't see anything suspicious in the test scripts > >> >> themselves..). > >> >> Thanks, > >> >> -Garrett > >> > > >> > patching file ../../../../testscripts/test_selinux.sh > >> > Hunk #2 FAILED at 23. > >> > Hunk #3 FAILED at 57. > >> > 2 out of 5 hunks FAILED -- saving rejects to file > >> > ../../../../testscripts/test_selinux.sh.rej > >> > > >> > I think it would work better if you just committed all of the patches > >> > thus far and I can just re-test cvs head. > >> > > >> > If you do post any further patches, please make them relative to the top > >> > of the tree. > >> > >> Ugh, I hate CVS diffs too (so I understand)... I was trying to > >> avoid committing intermediate work, but as long as this gets fixed > >> before the next snapshot, I guess that's fine. Committed the next step > >> to CVS. > > > > # cd /opt/ltp > > # ./testscripts/test_selinux.sh > > Running with security > > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > /etc/selinux /opt/ltp > > /opt/ltp > > allow_domain_fd_use --> off > > allow_domain_fd_use exists setting > > building and installing test_policy module... > > make: *** No rule to make target `load'. Stop. > > Failed to build and load test_policy module, aborting test run. > > /etc/selinux /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy > > /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy > > > > There is no Makefile > > under /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy, > > only in the source tree. > > Yeah, you're right. I was trying to beat around this bush by not > copying these over, but it's better to have the test running and be > improperly designed than it is for regressions to leak by today, until > the day comes where these items are fixed. > > 1. So, Makefile is now copied over by default. > 2. load is no longer done as part of all / install (test_selinux.sh > was performing that function). > > So once the tests have been written to make and install independent of > selinux-devel, etc... we'll be in good shape and I will switch these > back to all / install dependent targets. I was trying to do it that > way to avoid requiring make on the target under test, but I need to > better understand the subject matter under test before we get to that > point.
Unfortunately, as the Makefile now includes other .mk files and those are not copied over, it still doesn't work. Makefile:25: ../../../../../include/mk/env_pre.mk: No such file or directory make: ../../../../../scripts/detect_distro.sh: Command not found Makefile:90: ../../../../../include/mk/generic_leaf_target.mk: No such file or directory make: *** No rule to make target `../../../../../include/mk/generic_leaf_target.mk'. Stop. Failed to build and load test_policy module, aborting test run. /etc/selinux /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy I suppose you could perform the make load as part of all/install (preferably install as we really shouldn't need to be root to run make all - although that no longer seems to be the case for the main ltp either), and drop it from test_selinux.sh. But then they will need to know/remember to remove the test policy when finished testing. -- Stephen Smalley National Security Agency ------------------------------------------------------------------------------ This SF.Net email is sponsored by the Verizon Developer Community Take advantage of Verizon's best-in-class app development support A streamlined, 14 day to market process makes app distribution fast and easy Join now and get one step closer to millions of Verizon customers http://p.sf.net/sfu/verizon-dev2dev _______________________________________________ Ltp-list mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/ltp-list
