On Wed, Jan 13, 2010 at 11:49 AM, Stephen Smalley <[email protected]> wrote:
> On Wed, 2010-01-13 at 11:37 -0800, Garrett Cooper wrote:
>> On Wed, Jan 13, 2010 at 11:18 AM, Stephen Smalley <[email protected]> wrote:
>> > On Wed, 2010-01-13 at 10:52 -0800, Garrett Cooper wrote:
>> >> On Wed, Jan 13, 2010 at 5:43 AM, Stephen Smalley <[email protected]> 
>> >> wrote:
>> >> > On Tue, 2010-01-12 at 22:51 -0800, Garrett Cooper wrote:
>> >> >> On Tue, Jan 12, 2010 at 11:12 AM, Stephen Smalley <[email protected]> 
>> >> >> wrote:
>> >> >> > On Tue, 2010-01-12 at 09:26 -0800, Garrett Cooper wrote:
>> >> >> >> > Also, if you guys can try out this patch for refpolicy/Makefile, 
>> >> >> >> > I'd
>> >> >> >> > prefer to check it in (it unifies the RHEL 4.x and `generic' 
>> >> >> >> > refpolicy
>> >> >> >> > Make logic):
>> >> >> >> >
>> >> >> >> > Index: refpolicy/Makefile
>> >> >> >> > ===================================================================
>> >> >> >> > RCS file: 
>> >> >> >> > /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile,v
>> >> >> >> > retrieving revision 1.12
>> >> >> >> > diff -u -r1.12 Makefile
>> >> >> >> > --- refpolicy/Makefile  8 Jan 2010 09:39:20 -0000       1.12
>> >> >> >> > +++ refpolicy/Makefile  12 Jan 2010 17:17:27 -0000
>> >> >> >> > @@ -17,7 +17,7 @@
>> >> >> >> >  #    with this program; if not, write to the Free Software 
>> >> >> >> > Foundation, Inc.,
>> >> >> >> >  #    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>> >> >> >> >  #
>> >> >> >> > -# Garrett Cooper, August 2009
>> >> >> >> > +# Garrett Cooper, January 2010
>> >> >> >> >  #
>> >> >> >> >
>> >> >> >> >  top_srcdir             ?= ../../../../..
>> >> >> >> > @@ -32,6 +32,7 @@
>> >> >> >> >
>> >> >> >> >  DISTRO_VER             := $(shell 
>> >> >> >> > $(top_srcdir)/scripts/detect_distro.sh $(ARGS))
>> >> >> >> >
>> >> >> >> > +# Avoid empty strings.
>> >> >> >> >  ifeq ($(strip $(DISTRO_VER)),)
>> >> >> >> >  DISTRO_VER             := generic
>> >> >> >> >  endif
>> >> >> >> > @@ -41,10 +42,17 @@
>> >> >> >> >  POLICY_DEVEL_DIR       ?= $(DESTDIR)/usr/share/selinux/devel
>> >> >> >> >  SEMODULE               ?= $(DESTDIR)/usr/sbin/semodule
>> >> >> >> >
>> >> >> >> > -INSTALL_DIR            := 
>> >> >> >> > testcases/kernel/security/selinux-testsuite
>> >> >> >> > +INSTALL_DIR            := testcases/selinux-testsuite/refpolicy
>> >> >> >> >
>> >> >> >> >  TEST_POLICY_DIR                := $(abs_srcdir)/policy_files
>> >> >> >> >
>> >> >> >> > +# Do we have a special set of policies in the SCM to install?
>> >> >> >> > +ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/),)
>> >> >> >> > +TEST_POLICY_DIR                := 
>> >> >> >> > $(TEST_POLICY_DIR)/$(DISTRO_VER)
>> >> >> >> > +else
>> >> >> >> > +TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
>> >> >> >> > +endif
>> >> >> >> > +
>> >> >> >> >  .PHONY: all clean cleanup install load
>> >> >> >> >
>> >> >> >> >  CLEAN_DEPS             := cleanup
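Review bot: INSTALL_DIR moves from testcases/kernel/security/selinux-testsuite to testcases/selinux-testsuite/refpolicy here, but the test_selinux.sh run quoted later in this thread still changes into testcases/kernel/security/selinux-testsuite/refpolicy, so the install path and the script need to change together. Separately, the new "ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/),)" only checks that the distro directory exists; a directory with no .te files in it would still be chosen over generic, so testing for $(TEST_POLICY_DIR)/$(DISTRO_VER)/*.te would be the safer condition.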
>> >> >> >> > @@ -55,34 +63,24 @@
>> >> >> >> >        -$(SEMODULE) -r test_policy
>> >> >> >> >        $(RM) -f $(POLICY_DEVEL_DIR)/test_policy.* test_policy.te
>> >> >> >> >
>> >> >> >> > -ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/Makefile),)
>> >> >> >> > -MAKE_TARGETS           :=
>> >> >> >> > -
>> >> >> >> > -TEST_POLICY_DIR                := 
>> >> >> >> > $(TEST_POLICY_DIR)/$(DISTRO_VER)
>> >> >> >> > -
>> >> >> >> > -# load remains for backwards compatibility...
>> >> >> >> > -load:
>> >> >> >> > -       $(MAKE) -C $(TEST_POLICY_DIR)
>> >> >> >> > -else
>> >> >> >> > -
>> >> >> >> >  MAKE_TARGETS           := test_policy.te
>> >> >> >> >
>> >> >> >> > -TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
>> >> >> >> > -
>> >> >> >> > -POLICY_FILES           := test_global.te $(filter-out 
>> >> >> >> > test_global.te,$(notdir
>> >> >> >> > $(wildcard $(TEST_POLICY_DIR)/*.te)))
>> >> >> >> > -
>> >> >> >> >  ifneq ($(CHECKPOLICY_VERS),24)
>> >> >> >> >  POLICY_FILES           := $(filter-out 
>> >> >> >> > test_bounds.te,$(POLICY_FILES))
>> >> >> >> >  endif
>> >> >> >> >
>> >> >> >> > +# This is being done to preserve precedence; test_global.te must 
>> >> >> >> > come first.
>> >> >> >> > +POLICY_FILES           := test_global.te \
>> >> >> >> > +                          $(filter-out test_global.te,$(notdir 
>> >> >> >> > $(wildcard
>> >> >> >> > $(TEST_POLICY_DIR)/*.te)))
>> >> >> >> > +
>> >> >> >> >  load:
>> >> >> >> > -       @if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
>> >> >> >> > -           cp -p $(TEST_POLICY_DIR)/test_policy.* 
>> >> >> >> > $(POLICY_DEVEL_DIR); \
>> >> >> >> > +       @set -e; if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
>> >> >> >> > +           cp -p test_policy.* $(POLICY_DEVEL_DIR); \
>> >> >> >> >            $(MAKE) -C $(POLICY_DEVEL_DIR) clean; \
>> >> >> >> >            $(MAKE) -C $(POLICY_DEVEL_DIR) test_policy.pp; \
>> >> >> >> >            $(SEMODULE) -i $(POLICY_DEVEL_DIR)/test_policy.pp; \
>> >> >> >> >        else \
>> >> >> >> > -            echo "ERROR: You must have selinux-policy-devel 
>> >> >> >> > installed."; \
>> >> >> >> > +            echo "ERROR: You must have selinux-policy?-devel? 
>> >> >> >> > installed."; \
>> >> >> >> >            false; \
>> >> >> >> >        fi
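Review bot: the new POLICY_FILES assignment sits after the "ifneq ($(CHECKPOLICY_VERS),24)" block, so the filter-out of test_bounds.te now runs on a variable that has not been set yet, and the later ":=" assignment puts test_bounds.te back whenever it is present in $(TEST_POLICY_DIR). Move the POLICY_FILES assignment above the CHECKPOLICY_VERS check so the exclusion still takes effect. The hunk also removes the old "ifneq ... else" lines without a matching endif among the removed lines, and the new error text "selinux-policy?-devel?" reads like a glob pattern; naming the candidate packages explicitly would be clearer to whoever hits the error.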
>> >> >> >>
>> >> >> >> There's a stray endif on line 90 of refpolicy/Makefile that needs to
>> >> >> >> be deleted as well, FYI...
>> >> >> >
>> >> >> > Ok.  test policy appears to build (on Fedora) when running make by 
>> >> >> > hand
>> >> >> > from the refpolicy directory, but you still can't run the tests, 
>> >> >> > either
>> >> >> > from /opt/ltp or from the source tree.
>> >> >> >
>> >> >> > # cd /opt/ltp/testscripts && ./test_selinux.sh
>> >> >> > Running with security 
>> >> >> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> >> >> > /etc/selinux /opt/ltp
>> >> >> > /opt/ltp
>> >> >> > allow_domain_fd_use --> off
>> >> >> > allow_domain_fd_use exists setting
>> >> >> > building and installing test_policy module...
>> >> >> > ./test_selinux.sh: line 92: cd: 
>> >> >> > /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy: No 
>> >> >> > such file or directory
>> >> >> > make: *** No rule to make target `load'.  Stop.
>> >> >> > Failed to build and load test_policy module, aborting test run.
>> >> >> > /etc/selinux /opt/ltp
>> >> >> > /opt/ltp
>> >> >> >
>> >> >> > # cd LTP_SRCDIR/testscripts && ./test_selinux.sh
>> >> >> > Running with security 
>> >> >> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> >> >> > /etc/selinux /home/sds/ltp
>> >> >> > /home/sds/ltp
>> >> >> > allow_domain_fd_use --> off
>> >> >> > allow_domain_fd_use exists setting
>> >> >> > building and installing test_policy module...
>> >> >> > make[1]: Entering directory `/usr/share/selinux/devel'
>> >> >> > rm -fR tmp
>> >> >> > rm -f *.pp
>> >> >> > make[1]: Leaving directory `/usr/share/selinux/devel'
>> >> >> > make[1]: Entering directory `/usr/share/selinux/devel'
>> >> >> > Compiling targeted test_policy module
>> >> >> > /usr/bin/checkmodule:  loading policy configuration from 
>> >> >> > tmp/test_policy.tmp
>> >> >> > /usr/bin/checkmodule:  policy configuration loaded
>> >> >> > /usr/bin/checkmodule:  writing binary representation (version 10) to 
>> >> >> > tmp/test_policy.mod
>> >> >> > Creating targeted test_policy.pp policy package
>> >> >> > rm tmp/test_policy.mod tmp/test_policy.mod.fc
>> >> >> > make[1]: Leaving directory `/usr/share/selinux/devel'
>> >> >> > Successfully built and loaded test_policy module.
>> >> >> > /etc/selinux 
>> >> >> > /home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
>> >> >> > /home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
>> >> >> > Running the SELinux testsuite...
>> >> >> > ls: cannot access /home/sds/ltp/testcases/bin: No such file or 
>> >> >> > directory
>> >> >> > /usr/bin/chcon: cannot access `/home/sds/ltp/testcases/bin': No such 
>> >> >> > file or directory
>> >> >> > ./test_selinux.sh: line 119: /home/sds/ltp/bin/ltp-pan: No such file 
>> >> >> > or directory
>> >> >> > /usr/bin/chcon: missing operand
>> >> >> > Try `/usr/bin/chcon --help' for more information.
>> >> >> > Removing test_policy module...
>> >> >> > /usr/sbin/semodule -r test_policy
>> >> >> > rm -f -f /usr/share/selinux/devel/test_policy.* test_policy.te
>> >> >> > allow_domain_fd_use --> off
>> >> >> > allow_domain_fd_use exists setting
>> >> >> > Done.
>> >> >> >
>> >> >> > Both test_selinux.sh and tests/runtest.sh need to be updated.
>> >> >> >
>> >> >> > --
>> >> >> > Stephen Smalley
>> >> >> > National Security Agency
>> >> >>
>> >> >>     Ok, next patch then... Let me know how this goes (I took a quick
>> >> >> look and I didn't see anything suspicious in the test scripts
>> >> >> themselves..).
>> >> >> Thanks,
>> >> >> -Garrett
>> >> >
>> >> > patching file ../../../../testscripts/test_selinux.sh
>> >> > Hunk #2 FAILED at 23.
>> >> > Hunk #3 FAILED at 57.
>> >> > 2 out of 5 hunks FAILED -- saving rejects to file 
>> >> > ../../../../testscripts/test_selinux.sh.rej
>> >> >
>> >> > I think it would work better if you just committed all of the patches
>> >> > thus far and I can just re-test cvs head.
>> >> >
>> >> > If you do post any further patches, please make them relative to the top
>> >> > of the tree.
>> >>
>> >>     Ugh, I hate CVS diffs too (so I understand)... I was trying to
>> >> avoid committing intermediate work, but as long as this gets fixed
>> >> before the next snapshot, I guess that's fine. Committed the next step
>> >> to CVS.
>> >
>> > # cd /opt/ltp
>> > # ./testscripts/test_selinux.sh
>> > Running with security 
>> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> > /etc/selinux /opt/ltp
>> > /opt/ltp
>> > allow_domain_fd_use --> off
>> > allow_domain_fd_use exists setting
>> > building and installing test_policy module...
>> > make: *** No rule to make target `load'.  Stop.
>> > Failed to build and load test_policy module, aborting test run.
>> > /etc/selinux /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
>> > /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
>> >
>> > There is no Makefile
>> > under /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy,
>> > only in the source tree.
>>
>> Yeah, you're right. I was trying to beat around this bush by not
>> copying these over, but it's better to have the test running and be
>> improperly designed than it is for regressions to leak by today, until
>> the day comes where these items are fixed.
>>
>> 1. So, Makefile is now copied over by default.
>> 2. load is no longer done as part of all / install (test_selinux.sh
>> was performing that function).
>>
>> So once the tests have been written to make and install independent of
>> selinux-devel, etc... we'll be in good shape and I will switch these
>> back to all / install dependent targets. I was trying to do it that
>> way to avoid requiring make on the target under test, but I need to
>> better understand the subject matter under test before we get to that
>> point.
>
> Unfortunately, as the Makefile now includes other .mk files and those
> are not copied over, it still doesn't work.
>
> Makefile:25: ../../../../../include/mk/env_pre.mk: No such file or directory
> make: ../../../../../scripts/detect_distro.sh: Command not found
> Makefile:90: ../../../../../include/mk/generic_leaf_target.mk: No such file 
> or directory
> make: *** No rule to make target 
> `../../../../../include/mk/generic_leaf_target.mk'.  Stop.
> Failed to build and load test_policy module, aborting test run.
> /etc/selinux /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
> /opt/ltp/testcases/kernel/security/selinux-testsuite/refpolicy
>
> I suppose you could perform the make load as part of all/install
> (preferably install as we really shouldn't need to be root to run make
> all - although that no longer seems to be the case for the main ltp
> either), and drop it from test_selinux.sh.  But then they will need to
> know/remember to remove the test policy when finished testing.

Actually, there's a way to work around this... move the logic required
for load into a separate Makefile, include that Makefile from the
current one, and then install that copy / modify the script so that it
can call load on the machine. This is still going to need to be
cleaned up so load's entire operation is done as part of
test_selinux.sh, but that's something that's going to be more time
consuming to complete.

I'll do this when I get back home which means you'll see a new version
sometime tomorrow morning for test.

Thanks!
-Garrett
