Here is a patch against this morning's ltp cvs snapshot to implement Stephen's suggestion of setting expand-check=0 for the duration of the policy load. This allowed me to get rid of the hack ++domain_type(test_create_no_t) in refpolicy/test_task_create.te, also done in this patch.
(I think it also inlines a patch Stephen sent on jan 23 which wasn't yet in ltp cvs) Now I can compile and run the selinux testsuite on Fedora 8. There are 10 failures remaining. I'll start looking at those in spare time, but hopefully Joy or George can also be looking into those a bit. thanks -serge diff -Nrup ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch ltp.p3/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch --- ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch 2008-01-02 06:58:15.000000000 -0500 +++ ltp.p3/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch 2008-01-29 11:57:32.000000000 -0500 @@ -1,6 +1,6 @@ diff -Nrup refpolicy/test_capable_file.te refpolicy.new/test_capable_file.te ---- refpolicy/test_capable_file.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_capable_file.te 2007-12-31 05:57:36.000000000 -0500 +--- refpolicy/test_capable_file.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_capable_file.te 2008-01-29 11:40:09.000000000 -0500 @@ -14,28 +14,35 @@ type test_fcap_t; typeattribute test_fcap_t capabledomain; typeattribute test_fcap_t testdomain; @@ -39,8 +39,8 @@ diff -Nrup refpolicy/test_capable_file.t files_exec_etc_files(capabledomain) libs_use_ld_so(capabledomain) diff -Nrup refpolicy/test_capable_net.te refpolicy.new/test_capable_net.te ---- refpolicy/test_capable_net.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_capable_net.te 2007-12-31 05:57:36.000000000 -0500 +--- refpolicy/test_capable_net.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_capable_net.te 2008-01-29 11:40:09.000000000 -0500 @@ -7,12 +7,16 @@ # Type for process that is allowed certain capabilities type test_ncap_t; 
@@ -79,8 +79,8 @@ diff -Nrup refpolicy/test_capable_net.te require { type ifconfig_exec_t; diff -Nrup refpolicy/test_capable_sys.te refpolicy.new/test_capable_sys.te ---- refpolicy/test_capable_sys.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_capable_sys.te 2007-12-31 05:57:36.000000000 -0500 +--- refpolicy/test_capable_sys.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_capable_sys.te 2008-01-29 11:40:09.000000000 -0500 @@ -7,12 +7,16 @@ # Type for process that is allowed certain capabilities type test_scap_t; @@ -99,8 +99,8 @@ diff -Nrup refpolicy/test_capable_sys.te typeattribute test_noscap_t testdomain; diff -Nrup refpolicy/test_dyntrace.te refpolicy.new/test_dyntrace.te ---- refpolicy/test_dyntrace.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_dyntrace.te 2007-12-31 05:57:36.000000000 -0500 +--- refpolicy/test_dyntrace.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_dyntrace.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,6 +8,8 @@ attribute dyntracedomain; # Domain for parent process. type test_dyntrace_parent_t; @@ -129,8 +129,8 @@ diff -Nrup refpolicy/test_dyntrace.te re typeattribute test_dyntrace_notchild_t testdomain; diff -Nrup refpolicy/test_dyntrans.te refpolicy.new/test_dyntrans.te ---- refpolicy/test_dyntrans.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_dyntrans.te 2007-12-31 05:57:36.000000000 -0500 +--- refpolicy/test_dyntrans.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_dyntrans.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,18 +8,24 @@ attribute dyntransdomain; # Domain for process that is allowed to transition to the new domain. type test_dyntrans_fromdomain_t; 
@@ -157,8 +157,8 @@ diff -Nrup refpolicy/test_dyntrans.te re typeattribute test_dyntrans_todomain_t testdomain; diff -Nrup refpolicy/test_entrypoint.te refpolicy.new/test_entrypoint.te ---- refpolicy/test_entrypoint.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_entrypoint.te 2007-12-31 05:57:36.000000000 -0500 +--- refpolicy/test_entrypoint.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_entrypoint.te 2008-01-29 11:40:09.000000000 -0500 @@ -10,6 +10,8 @@ files_type(test_entrypoint_execute_t) # Test domain that can only be entered via the type above. type test_entrypoint_t; @@ -169,8 +169,8 @@ diff -Nrup refpolicy/test_entrypoint.te # Allow execution of true. diff -Nrup refpolicy/test_execshare.te refpolicy.new/test_execshare.te ---- refpolicy/test_execshare.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_execshare.te 2007-12-31 05:57:36.000000000 -0500 +--- refpolicy/test_execshare.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_execshare.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,18 +8,24 @@ attribute execsharedomain; # Domain for parent process. type test_execshare_parent_t; @@ -197,8 +197,8 @@ diff -Nrup refpolicy/test_execshare.te r typeattribute test_execshare_notchild_t testdomain; diff -Nrup refpolicy/test_exectrace.te refpolicy.new/test_exectrace.te ---- refpolicy/test_exectrace.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_exectrace.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_exectrace.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_exectrace.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,6 +8,8 @@ attribute exectracedomain; # Domain for parent process. type test_exectrace_parent_t; 
@@ -226,8 +226,8 @@ diff -Nrup refpolicy/test_exectrace.te r typeattribute test_exectrace_notchild_t testdomain; diff -Nrup refpolicy/test_execute_no_trans.te refpolicy.new/test_execute_no_trans.te ---- refpolicy/test_execute_no_trans.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_execute_no_trans.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_execute_no_trans.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_execute_no_trans.te 2008-01-29 11:40:09.000000000 -0500 @@ -15,6 +15,8 @@ files_type(test_execute_notrans_denied_t # Test domain that can only be entered via the types above. type test_execute_notrans_t; @@ -238,8 +238,8 @@ diff -Nrup refpolicy/test_execute_no_tra # Allow this domain to be entered via the shell. diff -Nrup refpolicy/test_fdreceive.te refpolicy.new/test_fdreceive.te ---- refpolicy/test_fdreceive.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_fdreceive.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_fdreceive.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_fdreceive.te 2008-01-29 11:40:09.000000000 -0500 @@ -16,12 +16,16 @@ files_type(test_fdreceive_file2_t) # Domain for client process. type test_fdreceive_client_t; @@ -267,8 +267,8 @@ diff -Nrup refpolicy/test_fdreceive.te r typeattribute test_fdreceive_server_t testdomain; diff -Nrup refpolicy/test_file.te refpolicy.new/test_file.te ---- refpolicy/test_file.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_file.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_file.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_file.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,6 +8,8 @@ attribute fileopdomain; # Domain for process that is allowed to perform operations. type test_fileop_t; 
@@ -315,8 +315,8 @@ diff -Nrup refpolicy/test_file.te refpol domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t) allow test_fileop_t fileop_t:fd use; diff -Nrup refpolicy/test_inherit.te refpolicy.new/test_inherit.te ---- refpolicy/test_inherit.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_inherit.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_inherit.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_inherit.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,6 +8,8 @@ attribute inheritdomain; # Domain for parent process. type test_inherit_parent_t; @@ -354,8 +354,8 @@ diff -Nrup refpolicy/test_inherit.te ref typeattribute test_inherit_nowrite_t testdomain; diff -Nrup refpolicy/test_ioctl.te refpolicy.new/test_ioctl.te ---- refpolicy/test_ioctl.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_ioctl.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_ioctl.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_ioctl.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,12 +8,16 @@ attribute ioctldomain; # Domain for process that is allowed to perform ioctl. type test_ioctl_t; @@ -382,8 +382,8 @@ diff -Nrup refpolicy/test_ioctl.te refpo files_exec_etc_files(ioctldomain) libs_use_ld_so(ioctldomain) diff -Nrup refpolicy/test_ipc.te refpolicy.new/test_ipc.te ---- refpolicy/test_ipc.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_ipc.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_ipc.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_ipc.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,6 +8,8 @@ attribute ipcdomain; # Base domain for IPC tests, has all IPC permissions type test_ipc_base_t; 
@@ -419,8 +419,8 @@ diff -Nrup refpolicy/test_ipc.te refpoli typeattribute test_ipc_associate_t testdomain; diff -Nrup refpolicy/test_link.te refpolicy.new/test_link.te ---- refpolicy/test_link.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_link.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_link.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_link.te 2008-01-29 11:40:09.000000000 -0500 @@ -16,6 +16,8 @@ files_type(test_link_file_t) # Domain for process that can create hard links to the file. type test_link_t; @@ -476,8 +476,8 @@ diff -Nrup refpolicy/test_link.te refpol typeattribute test_nounlink2_t testdomain; allow test_nounlink2_t test_link_dir_t:dir { search getattr write }; diff -Nrup refpolicy/test_mkdir.te refpolicy.new/test_mkdir.te ---- refpolicy/test_mkdir.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_mkdir.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_mkdir.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_mkdir.te 2008-01-29 11:40:09.000000000 -0500 @@ -12,6 +12,8 @@ files_type(test_mkdir_dir_t) # Domain for process that has add_name permission to the test directory. type test_addname_t; @@ -524,8 +524,8 @@ diff -Nrup refpolicy/test_mkdir.te refpo typeattribute test_nocreate_t testdomain; domain_obj_id_change_exemption(test_nocreate_t) diff -Nrup refpolicy/test_open.te refpolicy.new/test_open.te ---- refpolicy/test_open.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_open.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_open.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_open.te 2008-01-29 11:40:09.000000000 -0500 @@ -12,6 +12,8 @@ files_type(test_open_file_t) # Domain for process that can open the test file for reading and writing. type test_open_t; 
@@ -554,9 +554,9 @@ diff -Nrup refpolicy/test_open.te refpol typeattribute test_append_t testdomain; allow test_append_t test_open_file_t:file { getattr append }; diff -Nrup refpolicy/test_policy.if refpolicy.new/test_policy.if ---- refpolicy/test_policy.if 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_policy.if 2007-12-31 06:05:59.000000000 -0500 -@@ -25,3 +25,11 @@ +--- refpolicy/test_policy.if 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_policy.if 2008-01-29 11:48:29.000000000 -0500 +@@ -25,3 +25,18 @@ ## Domain allowed to transition. ## </param> # @@ -564,13 +564,20 @@ diff -Nrup refpolicy/test_policy.if refp +interface(`unconfined_runs_test',` + gen_require(` + type unconfined_t; ++ type unconfined_devpts_t; + ') + ++ # Transition from the caller to the test domain. + allow unconfined_t $1:process transition; ++ # Report back from the test domain to the caller. ++ allow $1 unconfined_t:fd use; ++ allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr}; ++ allow $1 unconfined_t:fifo_file { read write ioctl getattr }; ++ allow $1 unconfined_t:process { sigchld }; +') diff -Nrup refpolicy/test_ptrace.te refpolicy.new/test_ptrace.te ---- refpolicy/test_ptrace.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_ptrace.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_ptrace.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_ptrace.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,6 +8,8 @@ attribute ptracedomain; # Domain for process that is allowed to trace. type test_ptrace_tracer_t; 
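Review bot: The rules added to `unconfined_runs_test` hard-code `unconfined_t` and `unconfined_devpts_t`, so a test domain can report back only when the suite is started from an unconfined shell on a pseudo-terminal. A run from a console or from another login domain would presumably end in denials rather than test results. The interface's `##` summary, which starts outside this hunk, still describes only the transition; I would add a line such as `## Also lets the test domain use the caller's fds, pty and pipes and signal it with SIGCHLD.` These grants reach every domain that calls the interface, including the deliberately restricted `test_create_no_t`, so the list should stay limited to what reporting needs.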
@@ -599,8 +606,8 @@ diff -Nrup refpolicy/test_ptrace.te refp typeattribute test_ptrace_traced_t testdomain; diff -Nrup refpolicy/test_readlink.te refpolicy.new/test_readlink.te ---- refpolicy/test_readlink.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_readlink.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_readlink.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_readlink.te 2008-01-29 11:40:09.000000000 -0500 @@ -14,6 +14,8 @@ files_type(test_readlink_link_t) # Domain for process that can read and follow the symbolic link. type test_readlink_t; @@ -620,8 +627,8 @@ diff -Nrup refpolicy/test_readlink.te re typeattribute test_noreadlink_t testdomain; allow test_noreadlink_t test_readlink_file_t:file { getattr read }; diff -Nrup refpolicy/test_relabel.te refpolicy.new/test_relabel.te ---- refpolicy/test_relabel.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_relabel.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_relabel.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_relabel.te 2008-01-29 11:40:09.000000000 -0500 @@ -14,6 +14,8 @@ files_type(test_relabel_newtype_t) # Domain for process that can relabel the test file. type test_relabel_t; @@ -650,8 +657,8 @@ diff -Nrup refpolicy/test_relabel.te ref typeattribute test_norelabelto_t test_relabel_domain; typeattribute test_norelabelto_t testdomain; diff -Nrup refpolicy/test_rename.te refpolicy.new/test_rename.te ---- refpolicy/test_rename.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_rename.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_rename.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_rename.te 2008-01-29 11:40:09.000000000 -0500 @@ -20,6 +20,8 @@ files_type(test_rename_dir_t) # Domain for process that can rename the test file and directory. type test_rename_t; 
@@ -725,8 +732,8 @@ diff -Nrup refpolicy/test_rename.te refp typeattribute test_norename6_t testdomain; allow test_norename6_t test_rename_src_dir_t:dir { search getattr write remove_name }; diff -Nrup refpolicy/test_rxdir.te refpolicy.new/test_rxdir.te ---- refpolicy/test_rxdir.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_rxdir.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_rxdir.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_rxdir.te 2008-01-29 11:40:09.000000000 -0500 @@ -12,6 +12,8 @@ files_type(test_rxdir_dir_t) # Domain for process that can read but not search the directory. type test_rdir_t; @@ -746,8 +753,8 @@ diff -Nrup refpolicy/test_rxdir.te refpo typeattribute test_xdir_t testdomain; allow test_xdir_t test_rxdir_dir_t:dir { getattr search }; diff -Nrup refpolicy/test_setattr.te refpolicy.new/test_setattr.te ---- refpolicy/test_setattr.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_setattr.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_setattr.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_setattr.te 2008-01-29 11:40:09.000000000 -0500 @@ -12,6 +12,8 @@ files_type(test_setattr_file_t) # Domain for process that can set attributes on the test file. type test_setattr_t; @@ -767,8 +774,8 @@ diff -Nrup refpolicy/test_setattr.te ref typeattribute test_nosetattr_t testdomain; allow test_nosetattr_t self:capability chown; diff -Nrup refpolicy/test_setnice.te refpolicy.new/test_setnice.te ---- refpolicy/test_setnice.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_setnice.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_setnice.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_setnice.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,24 +8,29 @@ attribute setnicedomain; # Domain for process whose nice can be set. type test_setnice_set_t; 
@@ -801,8 +808,8 @@ diff -Nrup refpolicy/test_setnice.te ref files_exec_etc_files(setnicedomain) libs_use_ld_so(setnicedomain) diff -Nrup refpolicy/test_sigkill.te refpolicy.new/test_sigkill.te ---- refpolicy/test_sigkill.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_sigkill.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_sigkill.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_sigkill.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,12 +8,16 @@ attribute killdomain; # Domain for process that receives the signals. type test_kill_server_t; @@ -848,8 +855,8 @@ diff -Nrup refpolicy/test_sigkill.te ref typeattribute test_kill_signal_t testdomain; diff -Nrup refpolicy/test_stat.te refpolicy.new/test_stat.te ---- refpolicy/test_stat.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_stat.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_stat.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_stat.te 2008-01-29 11:40:09.000000000 -0500 @@ -12,6 +12,8 @@ files_type(test_stat_file_t) # Domain for process that can get attributes on the test file. type test_stat_t; @@ -869,8 +876,8 @@ diff -Nrup refpolicy/test_stat.te refpol typeattribute test_nostat_t testdomain; diff -Nrup refpolicy/test_sysctl.te refpolicy.new/test_sysctl.te ---- refpolicy/test_sysctl.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_sysctl.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_sysctl.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_sysctl.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,19 +8,23 @@ attribute sysctldomain; # Domain for process that is allowed to perform sysctl. type test_sysctl_t; 
@@ -898,8 +905,8 @@ diff -Nrup refpolicy/test_sysctl.te refp # Allow the first domain to perform sysctl operations. kernel_rw_all_sysctls(test_sysctl_t) diff -Nrup refpolicy/test_task_create.te refpolicy.new/test_task_create.te ---- refpolicy/test_task_create.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_task_create.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_task_create.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_task_create.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,6 +8,8 @@ attribute test_create_d; # Domain for process allowed to fork. type test_create_yes_t; @@ -909,23 +916,17 @@ diff -Nrup refpolicy/test_task_create.te typeattribute test_create_yes_t test_create_d; typeattribute test_create_yes_t testdomain; -@@ -20,7 +22,12 @@ type test_create_no_t; - # permission so we can test it, we omit the domain attribute. +@@ -21,6 +23,7 @@ type test_create_no_t; # Ideally, refpolicy would _not_ grant such permissions to every domain, # as it makes the permission effectively unusable in real policy. --#domain_type(test_create_no_t) -+# XXX This invalidates the test, but allows the policy to compile -+# The next two lines SHOULD be commented out according to the original -+# comment above. -+domain_type(test_create_no_t) + #domain_type(test_create_no_t) +unconfined_runs_test(test_create_no_t) -+domain_dyntrans_type(test_create_no_t) typeattribute test_create_no_t test_create_d; allow test_create_no_t self:process ~fork; diff -Nrup refpolicy/test_task_getpgid.te refpolicy.new/test_task_getpgid.te ---- refpolicy/test_task_getpgid.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_task_getpgid.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_task_getpgid.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_task_getpgid.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,18 +8,24 @@ attribute test_getpgid_d; # Domain for the target process type test_getpgid_target_t; 
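Review bot: With the `domain_type(test_create_no_t)` hack removed, nothing in test_task_create.te records that the module now loads only because test_selinux.sh sets `expand-check=0` in semanage.conf around `make load`. Someone who loads the test policy by hand with the default setting will presumably hit the same failure the hack was working around. I would add next to the commented-out line: `# Loads only with expand-check=0; test_selinux.sh sets it for the duration of make load.` The comment block this belongs to starts outside the hunk.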
@@ -952,8 +953,8 @@ diff -Nrup refpolicy/test_task_getpgid.t typeattribute test_getpgid_no_t testdomain; diff -Nrup refpolicy/test_task_getsched.te refpolicy.new/test_task_getsched.te ---- refpolicy/test_task_getsched.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_task_getsched.te 2007-12-31 05:57:37.000000000 -0500 +--- refpolicy/test_task_getsched.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_task_getsched.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,18 +8,24 @@ attribute test_getsched_d; # Domain for the target process type test_getsched_target_t; @@ -980,8 +981,8 @@ diff -Nrup refpolicy/test_task_getsched. typeattribute test_getsched_no_t testdomain; diff -Nrup refpolicy/test_task_getsid.te refpolicy.new/test_task_getsid.te ---- refpolicy/test_task_getsid.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_task_getsid.te 2007-12-31 05:57:38.000000000 -0500 +--- refpolicy/test_task_getsid.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_task_getsid.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,18 +8,24 @@ attribute test_getsid_d; # Domain for the target process type test_getsid_target_t; @@ -1008,8 +1009,8 @@ diff -Nrup refpolicy/test_task_getsid.te typeattribute test_getsid_no_t testdomain; diff -Nrup refpolicy/test_task_setpgid.te refpolicy.new/test_task_setpgid.te ---- refpolicy/test_task_setpgid.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_task_setpgid.te 2007-12-31 05:57:38.000000000 -0500 +--- refpolicy/test_task_setpgid.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_task_setpgid.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,6 +8,8 @@ attribute test_setpgid_d; # Domain for process allowed to setpgid type test_setpgid_yes_t; 
@@ -1029,8 +1030,8 @@ diff -Nrup refpolicy/test_task_setpgid.t allow test_setpgid_no_t self:process ~{ setpgid setcurrent }; diff -Nrup refpolicy/test_task_setsched.te refpolicy.new/test_task_setsched.te ---- refpolicy/test_task_setsched.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_task_setsched.te 2007-12-31 05:57:38.000000000 -0500 +--- refpolicy/test_task_setsched.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_task_setsched.te 2008-01-29 11:40:09.000000000 -0500 @@ -9,18 +9,24 @@ attribute test_setsched_d; # Domain for the target process type test_setsched_target_t; @@ -1057,8 +1058,8 @@ diff -Nrup refpolicy/test_task_setsched. typeattribute test_setsched_no_t testdomain; diff -Nrup refpolicy/test_transition.te refpolicy.new/test_transition.te ---- refpolicy/test_transition.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_transition.te 2007-12-31 05:57:38.000000000 -0500 +--- refpolicy/test_transition.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_transition.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,18 +8,24 @@ attribute transitiondomain; # Domain for process that is allowed to transition to the new domain. type test_transition_fromdomain_t; @@ -1085,8 +1086,8 @@ diff -Nrup refpolicy/test_transition.te typeattribute test_transition_todomain_t testdomain; diff -Nrup refpolicy/test_wait.te refpolicy.new/test_wait.te ---- refpolicy/test_wait.te 2007-12-31 06:57:36.000000000 -0500 -+++ refpolicy.new/test_wait.te 2007-12-31 05:57:38.000000000 -0500 +--- refpolicy/test_wait.te 2008-01-29 11:51:21.000000000 -0500 ++++ refpolicy.new/test_wait.te 2008-01-29 11:40:09.000000000 -0500 @@ -8,18 +8,24 @@ attribute waitdomain; # Domain for parent process. type test_wait_parent_t; diff -Nrup ltp/testscripts/test_selinux.sh ltp.p3/testscripts/test_selinux.sh --- ltp/testscripts/test_selinux.sh 2008-01-02 06:58:16.000000000 -0500 +++ ltp.p3/testscripts/test_selinux.sh 2008-01-29 11:56:57.000000000 -0500 
@@ -9,6 +9,19 @@
 #
 # test_selinux.sh - Run the selinux test suite.
 
+config_set_expandcheck() {
+ pushd /etc/selinux
+ cp --preserve semanage.conf semanage.conf.orig
+ echo "expand-check=0" >> semanage.conf
+ popd
+}
+
+config_unset_expandcheck() {
+ pushd /etc/selinux
+ mv semanage.conf.orig semanage.conf
+ popd
+}
+
 # Must be root to run the selinux testsuite
 if [ $UID != 0 ]
 then
@@ -64,17 +77,22 @@ pushd $LTPROOT/testcases/kernel/security
 sh ./update_refpolicy.sh
 popd
 
+config_set_expandcheck
+
 # build and install the test policy...
 echo "building and installing test_policy module..."
 cd $LTPROOT/testcases/kernel/security/selinux-testsuite/refpolicy
 make load
 if [ $? != 0 ]; then
 echo "Failed to build and load test_policy module, aborting test run."
+ config_unset_expandcheck
 exit 1
 else
 echo "Successfully built and loaded test_policy module."
 fi
 
+config_unset_expandcheck
+
 # go back to test's root directory
 cd $LTPROOT
 
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list
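Review bot: `config_set_expandcheck` overwrites any existing `semanage.conf.orig`, so after an interrupted run the next run backs up the already modified file and `expand-check=0` becomes the permanent setting. That leaves neverallow checking disabled for every later policy module install on the host. Neither function checks `pushd` or `cp`: if `pushd` fails the commands act on the current directory, and if the copy fails the later `mv` fails too and the appended line stays. I would use absolute paths, refuse to overwrite an existing backup, and make the restore a no-op when no backup exists; the caller should abort when the set step returns non-zero.

```shell
config_set_expandcheck() {
	# A leftover backup means an earlier run never restored; keep it as the clean copy.
	if [ -e /etc/selinux/semanage.conf.orig ]; then
		echo "semanage.conf.orig already exists, restore it first" >&2
		return 1
	fi
	cp --preserve /etc/selinux/semanage.conf /etc/selinux/semanage.conf.orig || return 1
	echo "expand-check=0" >> /etc/selinux/semanage.conf
}

config_unset_expandcheck() {
	# No backup, nothing to restore; this makes a second call harmless.
	[ -e /etc/selinux/semanage.conf.orig ] || return 0
	mv /etc/selinux/semanage.conf.orig /etc/selinux/semanage.conf
}
```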
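Review bot: In the second hunk the restore runs only on the `make load` failure branch and after the success message, so an interrupt or any other exit between `config_set_expandcheck` and those two calls leaves `expand-check=0` in /etc/selinux/semanage.conf. Registering the restore once covers every exit path: add `trap config_unset_expandcheck EXIT` directly after the `config_set_expandcheck` call and `trap - EXIT` after the final `config_unset_expandcheck`. The script already depends on bash (`pushd`, `$UID`), where the EXIT trap also runs when the shell is terminated by a signal it does not ignore.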