Here is a patch against this morning's ltp cvs snapshot to implement
Stephen's suggestion of setting expand-check=0 for the duration of
the policy load.  This allowed me to get rid of the hack
++domain_type(test_create_no_t) in refpolicy/test_task_create.te, also
done in this patch.

(I think it also inlines a patch Stephen sent on jan 23 which
wasn't yet in ltp cvs)

Now I can compile and run the selinux testsuite on Fedora 8.  There are
10 failures remaining.  I'll start looking at those in spare time, but
hopefully Joy or George can also be looking into those a bit.

thanks
-serge

diff -Nrup 
ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch 
ltp.p3/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch
--- ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch  
2008-01-02 06:58:15.000000000 -0500
+++ 
ltp.p3/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch   
    2008-01-29 11:57:32.000000000 -0500
@@ -1,6 +1,6 @@
 diff -Nrup refpolicy/test_capable_file.te refpolicy.new/test_capable_file.te
---- refpolicy/test_capable_file.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_capable_file.te 2007-12-31 05:57:36.000000000 -0500
+--- refpolicy/test_capable_file.te     2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_capable_file.te 2008-01-29 11:40:09.000000000 -0500
 @@ -14,28 +14,35 @@ type test_fcap_t;
  typeattribute test_fcap_t capabledomain;
  typeattribute test_fcap_t testdomain;
@@ -39,8 +39,8 @@ diff -Nrup refpolicy/test_capable_file.t
  files_exec_etc_files(capabledomain)
  libs_use_ld_so(capabledomain)
 diff -Nrup refpolicy/test_capable_net.te refpolicy.new/test_capable_net.te
---- refpolicy/test_capable_net.te      2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_capable_net.te  2007-12-31 05:57:36.000000000 -0500
+--- refpolicy/test_capable_net.te      2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_capable_net.te  2008-01-29 11:40:09.000000000 -0500
 @@ -7,12 +7,16 @@
  # Type for process that is allowed certain capabilities
  type test_ncap_t;
@@ -79,8 +79,8 @@ diff -Nrup refpolicy/test_capable_net.te
  require {
        type ifconfig_exec_t;
 diff -Nrup refpolicy/test_capable_sys.te refpolicy.new/test_capable_sys.te
---- refpolicy/test_capable_sys.te      2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_capable_sys.te  2007-12-31 05:57:36.000000000 -0500
+--- refpolicy/test_capable_sys.te      2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_capable_sys.te  2008-01-29 11:40:09.000000000 -0500
 @@ -7,12 +7,16 @@
  # Type for process that is allowed certain capabilities
  type test_scap_t;
@@ -99,8 +99,8 @@ diff -Nrup refpolicy/test_capable_sys.te
  typeattribute test_noscap_t testdomain;
  
 diff -Nrup refpolicy/test_dyntrace.te refpolicy.new/test_dyntrace.te
---- refpolicy/test_dyntrace.te 2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_dyntrace.te     2007-12-31 05:57:36.000000000 -0500
+--- refpolicy/test_dyntrace.te 2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_dyntrace.te     2008-01-29 11:40:09.000000000 -0500
 @@ -8,6 +8,8 @@ attribute dyntracedomain;
  # Domain for parent process.
  type test_dyntrace_parent_t;
@@ -129,8 +129,8 @@ diff -Nrup refpolicy/test_dyntrace.te re
  typeattribute test_dyntrace_notchild_t testdomain;
  
 diff -Nrup refpolicy/test_dyntrans.te refpolicy.new/test_dyntrans.te
---- refpolicy/test_dyntrans.te 2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_dyntrans.te     2007-12-31 05:57:36.000000000 -0500
+--- refpolicy/test_dyntrans.te 2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_dyntrans.te     2008-01-29 11:40:09.000000000 -0500
 @@ -8,18 +8,24 @@ attribute dyntransdomain;
  # Domain for process that is allowed to transition to the new domain.
  type test_dyntrans_fromdomain_t;
@@ -157,8 +157,8 @@ diff -Nrup refpolicy/test_dyntrans.te re
  typeattribute test_dyntrans_todomain_t testdomain;
  
 diff -Nrup refpolicy/test_entrypoint.te refpolicy.new/test_entrypoint.te
---- refpolicy/test_entrypoint.te       2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_entrypoint.te   2007-12-31 05:57:36.000000000 -0500
+--- refpolicy/test_entrypoint.te       2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_entrypoint.te   2008-01-29 11:40:09.000000000 -0500
 @@ -10,6 +10,8 @@ files_type(test_entrypoint_execute_t)
  # Test domain that can only be entered via the type above.
  type test_entrypoint_t;
@@ -169,8 +169,8 @@ diff -Nrup refpolicy/test_entrypoint.te 
  
  # Allow execution of true.
 diff -Nrup refpolicy/test_execshare.te refpolicy.new/test_execshare.te
---- refpolicy/test_execshare.te        2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_execshare.te    2007-12-31 05:57:36.000000000 -0500
+--- refpolicy/test_execshare.te        2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_execshare.te    2008-01-29 11:40:09.000000000 -0500
 @@ -8,18 +8,24 @@ attribute execsharedomain;
  # Domain for parent process.
  type test_execshare_parent_t;
@@ -197,8 +197,8 @@ diff -Nrup refpolicy/test_execshare.te r
  typeattribute test_execshare_notchild_t testdomain;
  
 diff -Nrup refpolicy/test_exectrace.te refpolicy.new/test_exectrace.te
---- refpolicy/test_exectrace.te        2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_exectrace.te    2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_exectrace.te        2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_exectrace.te    2008-01-29 11:40:09.000000000 -0500
 @@ -8,6 +8,8 @@ attribute exectracedomain;
  # Domain for parent process.
  type test_exectrace_parent_t;
@@ -226,8 +226,8 @@ diff -Nrup refpolicy/test_exectrace.te r
  typeattribute test_exectrace_notchild_t testdomain;
  
 diff -Nrup refpolicy/test_execute_no_trans.te 
refpolicy.new/test_execute_no_trans.te
---- refpolicy/test_execute_no_trans.te 2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_execute_no_trans.te     2007-12-31 05:57:37.000000000 
-0500
+--- refpolicy/test_execute_no_trans.te 2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_execute_no_trans.te     2008-01-29 11:40:09.000000000 
-0500
 @@ -15,6 +15,8 @@ files_type(test_execute_notrans_denied_t
  # Test domain that can only be entered via the types above.
  type test_execute_notrans_t;
@@ -238,8 +238,8 @@ diff -Nrup refpolicy/test_execute_no_tra
  
  # Allow this domain to be entered via the shell.
 diff -Nrup refpolicy/test_fdreceive.te refpolicy.new/test_fdreceive.te
---- refpolicy/test_fdreceive.te        2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_fdreceive.te    2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_fdreceive.te        2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_fdreceive.te    2008-01-29 11:40:09.000000000 -0500
 @@ -16,12 +16,16 @@ files_type(test_fdreceive_file2_t)
  # Domain for client process.
  type test_fdreceive_client_t;
@@ -267,8 +267,8 @@ diff -Nrup refpolicy/test_fdreceive.te r
  typeattribute test_fdreceive_server_t testdomain;
  
 diff -Nrup refpolicy/test_file.te refpolicy.new/test_file.te
---- refpolicy/test_file.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_file.te 2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_file.te     2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_file.te 2008-01-29 11:40:09.000000000 -0500
 @@ -8,6 +8,8 @@ attribute fileopdomain;
  # Domain for process that is allowed to perform operations.
  type test_fileop_t;
@@ -315,8 +315,8 @@ diff -Nrup refpolicy/test_file.te refpol
  domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)
  allow test_fileop_t fileop_t:fd use;
 diff -Nrup refpolicy/test_inherit.te refpolicy.new/test_inherit.te
---- refpolicy/test_inherit.te  2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_inherit.te      2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_inherit.te  2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_inherit.te      2008-01-29 11:40:09.000000000 -0500
 @@ -8,6 +8,8 @@ attribute inheritdomain;
  # Domain for parent process.
  type test_inherit_parent_t;
@@ -354,8 +354,8 @@ diff -Nrup refpolicy/test_inherit.te ref
  typeattribute test_inherit_nowrite_t testdomain;
  
 diff -Nrup refpolicy/test_ioctl.te refpolicy.new/test_ioctl.te
---- refpolicy/test_ioctl.te    2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_ioctl.te        2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_ioctl.te    2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_ioctl.te        2008-01-29 11:40:09.000000000 -0500
 @@ -8,12 +8,16 @@ attribute ioctldomain;
  # Domain for process that is allowed to perform ioctl.
  type test_ioctl_t;
@@ -382,8 +382,8 @@ diff -Nrup refpolicy/test_ioctl.te refpo
  files_exec_etc_files(ioctldomain)
  libs_use_ld_so(ioctldomain)
 diff -Nrup refpolicy/test_ipc.te refpolicy.new/test_ipc.te
---- refpolicy/test_ipc.te      2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_ipc.te  2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_ipc.te      2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_ipc.te  2008-01-29 11:40:09.000000000 -0500
 @@ -8,6 +8,8 @@ attribute ipcdomain;
  # Base domain for IPC tests, has all IPC permissions 
  type test_ipc_base_t;
@@ -419,8 +419,8 @@ diff -Nrup refpolicy/test_ipc.te refpoli
  typeattribute test_ipc_associate_t testdomain;
  
 diff -Nrup refpolicy/test_link.te refpolicy.new/test_link.te
---- refpolicy/test_link.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_link.te 2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_link.te     2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_link.te 2008-01-29 11:40:09.000000000 -0500
 @@ -16,6 +16,8 @@ files_type(test_link_file_t)
  # Domain for process that can create hard links to the file.
  type test_link_t;
@@ -476,8 +476,8 @@ diff -Nrup refpolicy/test_link.te refpol
  typeattribute test_nounlink2_t testdomain;
  allow test_nounlink2_t test_link_dir_t:dir { search getattr write };
 diff -Nrup refpolicy/test_mkdir.te refpolicy.new/test_mkdir.te
---- refpolicy/test_mkdir.te    2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_mkdir.te        2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_mkdir.te    2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_mkdir.te        2008-01-29 11:40:09.000000000 -0500
 @@ -12,6 +12,8 @@ files_type(test_mkdir_dir_t)
  # Domain for process that has add_name permission to the test directory.
  type test_addname_t;
@@ -524,8 +524,8 @@ diff -Nrup refpolicy/test_mkdir.te refpo
  typeattribute test_nocreate_t testdomain;
  domain_obj_id_change_exemption(test_nocreate_t)
 diff -Nrup refpolicy/test_open.te refpolicy.new/test_open.te
---- refpolicy/test_open.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_open.te 2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_open.te     2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_open.te 2008-01-29 11:40:09.000000000 -0500
 @@ -12,6 +12,8 @@ files_type(test_open_file_t)
  # Domain for process that can open the test file for reading and writing.
  type test_open_t;
@@ -554,9 +554,9 @@ diff -Nrup refpolicy/test_open.te refpol
  typeattribute test_append_t testdomain;
  allow test_append_t test_open_file_t:file { getattr append };
 diff -Nrup refpolicy/test_policy.if refpolicy.new/test_policy.if
---- refpolicy/test_policy.if   2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_policy.if       2007-12-31 06:05:59.000000000 -0500
-@@ -25,3 +25,11 @@
+--- refpolicy/test_policy.if   2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_policy.if       2008-01-29 11:48:29.000000000 -0500
+@@ -25,3 +25,18 @@
  ##      Domain allowed to transition.
  ## </param>
  #
@@ -564,13 +564,20 @@ diff -Nrup refpolicy/test_policy.if refp
 +interface(`unconfined_runs_test',`
 +      gen_require(`
 +              type unconfined_t;
++              type unconfined_devpts_t;
 +      ')
 +
++      # Transition from the caller to the test domain.
 +      allow unconfined_t $1:process transition;
++      # Report back from the test domain to the caller.
++      allow $1 unconfined_t:fd use;
++      allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr};
++      allow $1 unconfined_t:fifo_file { read write ioctl getattr };
++      allow $1 unconfined_t:process { sigchld };
 +')
 diff -Nrup refpolicy/test_ptrace.te refpolicy.new/test_ptrace.te
---- refpolicy/test_ptrace.te   2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_ptrace.te       2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_ptrace.te   2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_ptrace.te       2008-01-29 11:40:09.000000000 -0500
 @@ -8,6 +8,8 @@ attribute ptracedomain;
  # Domain for process that is allowed to trace.
  type test_ptrace_tracer_t;
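Review bot: The `gen_require` in `unconfined_runs_test` now names `unconfined_devpts_t`, and the new report-back rules go to every domain passed to the interface, including the domains whose tests expect a denial. A policy that does not define `unconfined_devpts_t` would presumably fail the require and with it the module load, and a run started from a terminal of another type would not get the test output back. It is worth confirming that no deny-case test relies on `fd use` or `fifo_file` access to `unconfined_t` being refused, and extending the interface's `##` header with something like `## Also lets the test domain report back over the caller's fds, pty and pipes.` The brace in `{ read write ioctl getattr}` is missing the space that the next line has. The rest of this hunk only refreshes the test_ptrace.te timestamps.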
@@ -599,8 +606,8 @@ diff -Nrup refpolicy/test_ptrace.te refp
  typeattribute test_ptrace_traced_t testdomain;
  
 diff -Nrup refpolicy/test_readlink.te refpolicy.new/test_readlink.te
---- refpolicy/test_readlink.te 2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_readlink.te     2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_readlink.te 2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_readlink.te     2008-01-29 11:40:09.000000000 -0500
 @@ -14,6 +14,8 @@ files_type(test_readlink_link_t)
  # Domain for process that can read and follow the symbolic link.
  type test_readlink_t;
@@ -620,8 +627,8 @@ diff -Nrup refpolicy/test_readlink.te re
  typeattribute test_noreadlink_t testdomain;
  allow test_noreadlink_t test_readlink_file_t:file { getattr read };
 diff -Nrup refpolicy/test_relabel.te refpolicy.new/test_relabel.te
---- refpolicy/test_relabel.te  2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_relabel.te      2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_relabel.te  2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_relabel.te      2008-01-29 11:40:09.000000000 -0500
 @@ -14,6 +14,8 @@ files_type(test_relabel_newtype_t)
  # Domain for process that can relabel the test file.
  type test_relabel_t;
@@ -650,8 +657,8 @@ diff -Nrup refpolicy/test_relabel.te ref
  typeattribute test_norelabelto_t test_relabel_domain;
  typeattribute test_norelabelto_t testdomain;
 diff -Nrup refpolicy/test_rename.te refpolicy.new/test_rename.te
---- refpolicy/test_rename.te   2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_rename.te       2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_rename.te   2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_rename.te       2008-01-29 11:40:09.000000000 -0500
 @@ -20,6 +20,8 @@ files_type(test_rename_dir_t)
  # Domain for process that can rename the test file and directory.
  type test_rename_t;
@@ -725,8 +732,8 @@ diff -Nrup refpolicy/test_rename.te refp
  typeattribute test_norename6_t testdomain;
  allow test_norename6_t test_rename_src_dir_t:dir { search getattr write 
remove_name };
 diff -Nrup refpolicy/test_rxdir.te refpolicy.new/test_rxdir.te
---- refpolicy/test_rxdir.te    2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_rxdir.te        2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_rxdir.te    2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_rxdir.te        2008-01-29 11:40:09.000000000 -0500
 @@ -12,6 +12,8 @@ files_type(test_rxdir_dir_t)
  # Domain for process that can read but not search the directory.
  type test_rdir_t;
@@ -746,8 +753,8 @@ diff -Nrup refpolicy/test_rxdir.te refpo
  typeattribute test_xdir_t testdomain;
  allow test_xdir_t test_rxdir_dir_t:dir { getattr search };
 diff -Nrup refpolicy/test_setattr.te refpolicy.new/test_setattr.te
---- refpolicy/test_setattr.te  2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_setattr.te      2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_setattr.te  2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_setattr.te      2008-01-29 11:40:09.000000000 -0500
 @@ -12,6 +12,8 @@ files_type(test_setattr_file_t)
  # Domain for process that can set attributes on the test file.
  type test_setattr_t;
@@ -767,8 +774,8 @@ diff -Nrup refpolicy/test_setattr.te ref
  typeattribute test_nosetattr_t testdomain;
  allow test_nosetattr_t self:capability chown;
 diff -Nrup refpolicy/test_setnice.te refpolicy.new/test_setnice.te
---- refpolicy/test_setnice.te  2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_setnice.te      2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_setnice.te  2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_setnice.te      2008-01-29 11:40:09.000000000 -0500
 @@ -8,24 +8,29 @@ attribute setnicedomain;
  # Domain for process whose nice can be set.
  type test_setnice_set_t;
@@ -801,8 +808,8 @@ diff -Nrup refpolicy/test_setnice.te ref
  files_exec_etc_files(setnicedomain)
  libs_use_ld_so(setnicedomain)
 diff -Nrup refpolicy/test_sigkill.te refpolicy.new/test_sigkill.te
---- refpolicy/test_sigkill.te  2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_sigkill.te      2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_sigkill.te  2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_sigkill.te      2008-01-29 11:40:09.000000000 -0500
 @@ -8,12 +8,16 @@ attribute killdomain;
  # Domain for process that receives the signals.
  type test_kill_server_t;
@@ -848,8 +855,8 @@ diff -Nrup refpolicy/test_sigkill.te ref
  typeattribute test_kill_signal_t testdomain;
  
 diff -Nrup refpolicy/test_stat.te refpolicy.new/test_stat.te
---- refpolicy/test_stat.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_stat.te 2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_stat.te     2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_stat.te 2008-01-29 11:40:09.000000000 -0500
 @@ -12,6 +12,8 @@ files_type(test_stat_file_t)
  # Domain for process that can get attributes on the test file.
  type test_stat_t;
@@ -869,8 +876,8 @@ diff -Nrup refpolicy/test_stat.te refpol
  typeattribute test_nostat_t testdomain;
  
 diff -Nrup refpolicy/test_sysctl.te refpolicy.new/test_sysctl.te
---- refpolicy/test_sysctl.te   2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_sysctl.te       2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_sysctl.te   2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_sysctl.te       2008-01-29 11:40:09.000000000 -0500
 @@ -8,19 +8,23 @@ attribute sysctldomain;
  # Domain for process that is allowed to perform sysctl.
  type test_sysctl_t;
@@ -898,8 +905,8 @@ diff -Nrup refpolicy/test_sysctl.te refp
  # Allow the first domain to perform sysctl operations.
  kernel_rw_all_sysctls(test_sysctl_t)
 diff -Nrup refpolicy/test_task_create.te refpolicy.new/test_task_create.te
---- refpolicy/test_task_create.te      2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_create.te  2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_task_create.te      2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_task_create.te  2008-01-29 11:40:09.000000000 -0500
 @@ -8,6 +8,8 @@ attribute test_create_d;
  # Domain for process allowed to fork.
  type test_create_yes_t;
@@ -909,23 +916,17 @@ diff -Nrup refpolicy/test_task_create.te
  typeattribute test_create_yes_t test_create_d;
  typeattribute test_create_yes_t testdomain;
  
-@@ -20,7 +22,12 @@ type test_create_no_t;
- # permission so we can test it, we omit the domain attribute. 
+@@ -21,6 +23,7 @@ type test_create_no_t;
  # Ideally, refpolicy would _not_ grant such permissions to every domain,
  # as it makes the permission effectively unusable in real policy.
--#domain_type(test_create_no_t)
-+# XXX This invalidates the test, but allows the policy to compile
-+# The next two lines SHOULD be commented out according to the original
-+# comment above.
-+domain_type(test_create_no_t)
+ #domain_type(test_create_no_t)
 +unconfined_runs_test(test_create_no_t)
-+domain_dyntrans_type(test_create_no_t)
  typeattribute test_create_no_t test_create_d;
  
  allow test_create_no_t self:process ~fork;
 diff -Nrup refpolicy/test_task_getpgid.te refpolicy.new/test_task_getpgid.te
---- refpolicy/test_task_getpgid.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_getpgid.te 2007-12-31 05:57:37.000000000 -0500
+--- refpolicy/test_task_getpgid.te     2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_task_getpgid.te 2008-01-29 11:40:09.000000000 -0500
 @@ -8,18 +8,24 @@ attribute test_getpgid_d;
  # Domain for the target process
  type test_getpgid_target_t;
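Review bot: With the `XXX` comment removed, nothing next to `#domain_type(test_create_no_t)` records that the module now loads only because test_selinux.sh sets `expand-check=0` around `make load`. I would add a comment above `unconfined_runs_test(test_create_no_t)`, such as `# Loading this module relies on expand-check=0 in semanage.conf; see testscripts/test_selinux.sh.` Someone running `make load` by hand would otherwise, presumably, hit the same compile failure the old `domain_type` hack worked around. The rest of this hunk only refreshes the test_task_getpgid.te timestamps.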
@@ -952,8 +953,8 @@ diff -Nrup refpolicy/test_task_getpgid.t
  typeattribute test_getpgid_no_t testdomain;
  
 diff -Nrup refpolicy/test_task_getsched.te refpolicy.new/test_task_getsched.te
---- refpolicy/test_task_getsched.te    2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_getsched.te        2007-12-31 05:57:37.000000000 
-0500
+--- refpolicy/test_task_getsched.te    2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_task_getsched.te        2008-01-29 11:40:09.000000000 
-0500
 @@ -8,18 +8,24 @@ attribute test_getsched_d;
  # Domain for the target process
  type test_getsched_target_t;
@@ -980,8 +981,8 @@ diff -Nrup refpolicy/test_task_getsched.
  typeattribute test_getsched_no_t testdomain;
  
 diff -Nrup refpolicy/test_task_getsid.te refpolicy.new/test_task_getsid.te
---- refpolicy/test_task_getsid.te      2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_getsid.te  2007-12-31 05:57:38.000000000 -0500
+--- refpolicy/test_task_getsid.te      2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_task_getsid.te  2008-01-29 11:40:09.000000000 -0500
 @@ -8,18 +8,24 @@ attribute test_getsid_d;
  # Domain for the target process
  type test_getsid_target_t;
@@ -1008,8 +1009,8 @@ diff -Nrup refpolicy/test_task_getsid.te
  typeattribute test_getsid_no_t testdomain;
  
 diff -Nrup refpolicy/test_task_setpgid.te refpolicy.new/test_task_setpgid.te
---- refpolicy/test_task_setpgid.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_setpgid.te 2007-12-31 05:57:38.000000000 -0500
+--- refpolicy/test_task_setpgid.te     2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_task_setpgid.te 2008-01-29 11:40:09.000000000 -0500
 @@ -8,6 +8,8 @@ attribute test_setpgid_d;
  # Domain for process allowed to setpgid
  type test_setpgid_yes_t;
@@ -1029,8 +1030,8 @@ diff -Nrup refpolicy/test_task_setpgid.t
  
  allow test_setpgid_no_t self:process ~{ setpgid setcurrent };
 diff -Nrup refpolicy/test_task_setsched.te refpolicy.new/test_task_setsched.te
---- refpolicy/test_task_setsched.te    2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_setsched.te        2007-12-31 05:57:38.000000000 
-0500
+--- refpolicy/test_task_setsched.te    2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_task_setsched.te        2008-01-29 11:40:09.000000000 
-0500
 @@ -9,18 +9,24 @@ attribute test_setsched_d;
  # Domain for the target process
  type test_setsched_target_t;
@@ -1057,8 +1058,8 @@ diff -Nrup refpolicy/test_task_setsched.
  typeattribute test_setsched_no_t testdomain;
  
 diff -Nrup refpolicy/test_transition.te refpolicy.new/test_transition.te
---- refpolicy/test_transition.te       2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_transition.te   2007-12-31 05:57:38.000000000 -0500
+--- refpolicy/test_transition.te       2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_transition.te   2008-01-29 11:40:09.000000000 -0500
 @@ -8,18 +8,24 @@ attribute transitiondomain;
  # Domain for process that is allowed to transition to the new domain.
  type test_transition_fromdomain_t;
@@ -1085,8 +1086,8 @@ diff -Nrup refpolicy/test_transition.te 
  typeattribute test_transition_todomain_t testdomain;
  
 diff -Nrup refpolicy/test_wait.te refpolicy.new/test_wait.te
---- refpolicy/test_wait.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_wait.te 2007-12-31 05:57:38.000000000 -0500
+--- refpolicy/test_wait.te     2008-01-29 11:51:21.000000000 -0500
++++ refpolicy.new/test_wait.te 2008-01-29 11:40:09.000000000 -0500
 @@ -8,18 +8,24 @@ attribute waitdomain;
  # Domain for parent process.
  type test_wait_parent_t;
diff -Nrup ltp/testscripts/test_selinux.sh ltp.p3/testscripts/test_selinux.sh
--- ltp/testscripts/test_selinux.sh     2008-01-02 06:58:16.000000000 -0500
+++ ltp.p3/testscripts/test_selinux.sh  2008-01-29 11:56:57.000000000 -0500
@@ -9,6 +9,19 @@
 #
 # test_selinux.sh - Run the selinux test suite.
 
+config_set_expandcheck() {
+       pushd /etc/selinux
+       cp --preserve semanage.conf semanage.conf.orig
+       echo "expand-check=0" >> semanage.conf
+       popd
+}
+
+config_unset_expandcheck() {
+       pushd /etc/selinux
+       mv semanage.conf.orig semanage.conf
+       popd
+}
+
 # Must be root to run the selinux testsuite
 if [ $UID != 0 ]
 then
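Review bot: `config_set_expandcheck` copies over any existing `semanage.conf.orig`, so after a run that was killed between set and unset the backup is replaced by the already-modified file and `expand-check=0` stays in `/etc/selinux/semanage.conf`, leaving later policy loads on the host without the expansion-time checks. The call-site hunk further down has the same exposure: it restores only on the two paths it writes out, so a `trap 'config_unset_expandcheck; exit 1' INT TERM` after `config_set_expandcheck`, cleared with `trap - INT TERM` after the last restore, would cover an interrupted `make load`. Neither function checks `pushd`, so if `/etc/selinux` cannot be entered the `cp`, `echo` and `mv` act on the script's current directory. The sketch below uses absolute paths, keeps a backup that is already there, and stops when the backup cannot be made.

```shell
config_set_expandcheck() {
    conf=/etc/selinux/semanage.conf
    # A leftover backup means an earlier run never restored; keep it as the original.
    if [ ! -e "$conf.orig" ]; then
        cp --preserve "$conf" "$conf.orig" || exit 1
    fi
    echo "expand-check=0" >> "$conf"
}

config_unset_expandcheck() {
    conf=/etc/selinux/semanage.conf
    if [ -e "$conf.orig" ]; then
        mv "$conf.orig" "$conf"
    fi
}
```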
@@ -64,17 +77,22 @@ pushd $LTPROOT/testcases/kernel/security
 sh ./update_refpolicy.sh
 popd
 
+config_set_expandcheck
+
 # build and install the test policy...
 echo "building and installing test_policy module..."
 cd $LTPROOT/testcases/kernel/security/selinux-testsuite/refpolicy
 make load
 if [ $? != 0 ]; then
        echo "Failed to build and load test_policy module, aborting test run."
+       config_unset_expandcheck
        exit 1
 else
        echo "Successfully built and loaded test_policy module."
 fi
 
+config_unset_expandcheck
+
 # go back to test's root directory
 cd $LTPROOT
 
