On Tue, 2008-01-29 at 18:21 -0600, Serge E. Hallyn wrote: > Here is a patch against this morning's ltp cvs snapshot to implement > Stephen's suggestion of setting expand-check=0 for the duration of > the policy load. This allowed me to get rid of the hack > ++domain_type(test_create_no_t) in refpolicy/test_task_create.te, also > done in this patch. > > (I think it also inlines a patch Stephen sent on jan 23 which > wasn't yet in ltp cvs)
As far as I can tell, no one has merged the two patches that I sent earlier, which explains why you are still seeing failures (the one patch I sent added permissions needed for the tests). I've seen no reply to my patches, although I've seen other patches responded to. > Now I can compile and run the selinux testsuite on Fedora 8. There are > 10 failures remaining. I'll start looking at those in spare time, but > hopefully Joy or George can also be looking into those a bit. > > thanks > -serge > > diff -Nrup > ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch > ltp.p3/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch > --- > ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch > 2008-01-02 06:58:15.000000000 -0500 > +++ > ltp.p3/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch > 2008-01-29 11:57:32.000000000 -0500 > @@ -1,6 +1,6 @@ > diff -Nrup refpolicy/test_capable_file.te refpolicy.new/test_capable_file.te > ---- refpolicy/test_capable_file.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_capable_file.te 2007-12-31 05:57:36.000000000 > -0500 > +--- refpolicy/test_capable_file.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_capable_file.te 2008-01-29 11:40:09.000000000 > -0500 > @@ -14,28 +14,35 @@ type test_fcap_t; > typeattribute test_fcap_t capabledomain; > typeattribute test_fcap_t testdomain; > @@ -39,8 +39,8 @@ diff -Nrup refpolicy/test_capable_file.t > files_exec_etc_files(capabledomain) > libs_use_ld_so(capabledomain) > diff -Nrup refpolicy/test_capable_net.te refpolicy.new/test_capable_net.te > ---- refpolicy/test_capable_net.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_capable_net.te 2007-12-31 05:57:36.000000000 > -0500 > +--- refpolicy/test_capable_net.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_capable_net.te 2008-01-29 11:40:09.000000000 > -0500 
> @@ -7,12 +7,16 @@ > # Type for process that is allowed certain capabilities > type test_ncap_t; > @@ -79,8 +79,8 @@ diff -Nrup refpolicy/test_capable_net.te > require { > type ifconfig_exec_t; > diff -Nrup refpolicy/test_capable_sys.te refpolicy.new/test_capable_sys.te > ---- refpolicy/test_capable_sys.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_capable_sys.te 2007-12-31 05:57:36.000000000 > -0500 > +--- refpolicy/test_capable_sys.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_capable_sys.te 2008-01-29 11:40:09.000000000 > -0500 > @@ -7,12 +7,16 @@ > # Type for process that is allowed certain capabilities > type test_scap_t; > @@ -99,8 +99,8 @@ diff -Nrup refpolicy/test_capable_sys.te > typeattribute test_noscap_t testdomain; > > diff -Nrup refpolicy/test_dyntrace.te refpolicy.new/test_dyntrace.te > ---- refpolicy/test_dyntrace.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_dyntrace.te 2007-12-31 05:57:36.000000000 -0500 > +--- refpolicy/test_dyntrace.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_dyntrace.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,6 +8,8 @@ attribute dyntracedomain; > # Domain for parent process. > type test_dyntrace_parent_t; > @@ -129,8 +129,8 @@ diff -Nrup refpolicy/test_dyntrace.te re > typeattribute test_dyntrace_notchild_t testdomain; > > diff -Nrup refpolicy/test_dyntrans.te refpolicy.new/test_dyntrans.te > ---- refpolicy/test_dyntrans.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_dyntrans.te 2007-12-31 05:57:36.000000000 -0500 > +--- refpolicy/test_dyntrans.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_dyntrans.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,18 +8,24 @@ attribute dyntransdomain; > # Domain for process that is allowed to transition to the new domain. > type test_dyntrans_fromdomain_t; 
> @@ -157,8 +157,8 @@ diff -Nrup refpolicy/test_dyntrans.te re > typeattribute test_dyntrans_todomain_t testdomain; > > diff -Nrup refpolicy/test_entrypoint.te refpolicy.new/test_entrypoint.te > ---- refpolicy/test_entrypoint.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_entrypoint.te 2007-12-31 05:57:36.000000000 -0500 > +--- refpolicy/test_entrypoint.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_entrypoint.te 2008-01-29 11:40:09.000000000 -0500 > @@ -10,6 +10,8 @@ files_type(test_entrypoint_execute_t) > # Test domain that can only be entered via the type above. > type test_entrypoint_t; > @@ -169,8 +169,8 @@ diff -Nrup refpolicy/test_entrypoint.te > > # Allow execution of true. > diff -Nrup refpolicy/test_execshare.te refpolicy.new/test_execshare.te > ---- refpolicy/test_execshare.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_execshare.te 2007-12-31 05:57:36.000000000 -0500 > +--- refpolicy/test_execshare.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_execshare.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,18 +8,24 @@ attribute execsharedomain; > # Domain for parent process. > type test_execshare_parent_t; > @@ -197,8 +197,8 @@ diff -Nrup refpolicy/test_execshare.te r > typeattribute test_execshare_notchild_t testdomain; > > diff -Nrup refpolicy/test_exectrace.te refpolicy.new/test_exectrace.te > ---- refpolicy/test_exectrace.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_exectrace.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_exectrace.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_exectrace.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,6 +8,8 @@ attribute exectracedomain; > # Domain for parent process. > type test_exectrace_parent_t; 
> @@ -226,8 +226,8 @@ diff -Nrup refpolicy/test_exectrace.te r > typeattribute test_exectrace_notchild_t testdomain; > > diff -Nrup refpolicy/test_execute_no_trans.te > refpolicy.new/test_execute_no_trans.te > ---- refpolicy/test_execute_no_trans.te 2007-12-31 06:57:36.000000000 > -0500 > -+++ refpolicy.new/test_execute_no_trans.te 2007-12-31 05:57:37.000000000 > -0500 > +--- refpolicy/test_execute_no_trans.te 2008-01-29 11:51:21.000000000 > -0500 > ++++ refpolicy.new/test_execute_no_trans.te 2008-01-29 11:40:09.000000000 > -0500 > @@ -15,6 +15,8 @@ files_type(test_execute_notrans_denied_t > # Test domain that can only be entered via the types above. > type test_execute_notrans_t; > @@ -238,8 +238,8 @@ diff -Nrup refpolicy/test_execute_no_tra > > # Allow this domain to be entered via the shell. > diff -Nrup refpolicy/test_fdreceive.te refpolicy.new/test_fdreceive.te > ---- refpolicy/test_fdreceive.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_fdreceive.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_fdreceive.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_fdreceive.te 2008-01-29 11:40:09.000000000 -0500 > @@ -16,12 +16,16 @@ files_type(test_fdreceive_file2_t) > # Domain for client process. > type test_fdreceive_client_t; > @@ -267,8 +267,8 @@ diff -Nrup refpolicy/test_fdreceive.te r > typeattribute test_fdreceive_server_t testdomain; > > diff -Nrup refpolicy/test_file.te refpolicy.new/test_file.te > ---- refpolicy/test_file.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_file.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_file.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_file.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,6 +8,8 @@ attribute fileopdomain; > # Domain for process that is allowed to perform operations. > type test_fileop_t; 
> @@ -315,8 +315,8 @@ diff -Nrup refpolicy/test_file.te refpol > domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t) > allow test_fileop_t fileop_t:fd use; > diff -Nrup refpolicy/test_inherit.te refpolicy.new/test_inherit.te > ---- refpolicy/test_inherit.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_inherit.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_inherit.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_inherit.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,6 +8,8 @@ attribute inheritdomain; > # Domain for parent process. > type test_inherit_parent_t; > @@ -354,8 +354,8 @@ diff -Nrup refpolicy/test_inherit.te ref > typeattribute test_inherit_nowrite_t testdomain; > > diff -Nrup refpolicy/test_ioctl.te refpolicy.new/test_ioctl.te > ---- refpolicy/test_ioctl.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_ioctl.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_ioctl.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_ioctl.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,12 +8,16 @@ attribute ioctldomain; > # Domain for process that is allowed to perform ioctl. > type test_ioctl_t; > @@ -382,8 +382,8 @@ diff -Nrup refpolicy/test_ioctl.te refpo > files_exec_etc_files(ioctldomain) > libs_use_ld_so(ioctldomain) > diff -Nrup refpolicy/test_ipc.te refpolicy.new/test_ipc.te > ---- refpolicy/test_ipc.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_ipc.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_ipc.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_ipc.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,6 +8,8 @@ attribute ipcdomain; > # Base domain for IPC tests, has all IPC permissions > type test_ipc_base_t; 
> @@ -419,8 +419,8 @@ diff -Nrup refpolicy/test_ipc.te refpoli > typeattribute test_ipc_associate_t testdomain; > > diff -Nrup refpolicy/test_link.te refpolicy.new/test_link.te > ---- refpolicy/test_link.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_link.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_link.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_link.te 2008-01-29 11:40:09.000000000 -0500 > @@ -16,6 +16,8 @@ files_type(test_link_file_t) > # Domain for process that can create hard links to the file. > type test_link_t; > @@ -476,8 +476,8 @@ diff -Nrup refpolicy/test_link.te refpol > typeattribute test_nounlink2_t testdomain; > allow test_nounlink2_t test_link_dir_t:dir { search getattr write }; > diff -Nrup refpolicy/test_mkdir.te refpolicy.new/test_mkdir.te > ---- refpolicy/test_mkdir.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_mkdir.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_mkdir.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_mkdir.te 2008-01-29 11:40:09.000000000 -0500 > @@ -12,6 +12,8 @@ files_type(test_mkdir_dir_t) > # Domain for process that has add_name permission to the test directory. > type test_addname_t; > @@ -524,8 +524,8 @@ diff -Nrup refpolicy/test_mkdir.te refpo > typeattribute test_nocreate_t testdomain; > domain_obj_id_change_exemption(test_nocreate_t) > diff -Nrup refpolicy/test_open.te refpolicy.new/test_open.te > ---- refpolicy/test_open.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_open.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_open.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_open.te 2008-01-29 11:40:09.000000000 -0500 > @@ -12,6 +12,8 @@ files_type(test_open_file_t) > # Domain for process that can open the test file for reading and writing. > type test_open_t; 
> @@ -554,9 +554,9 @@ diff -Nrup refpolicy/test_open.te refpol
> typeattribute test_append_t testdomain;
> allow test_append_t test_open_file_t:file { getattr append };
> diff -Nrup refpolicy/test_policy.if refpolicy.new/test_policy.if
> ---- refpolicy/test_policy.if 2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_policy.if 2007-12-31 06:05:59.000000000 -0500
> -@@ -25,3 +25,11 @@
> +--- refpolicy/test_policy.if 2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_policy.if 2008-01-29 11:48:29.000000000 -0500
> +@@ -25,3 +25,18 @@
> ## Domain allowed to transition.
> ## </param>
> #
> @@ -564,13 +564,20 @@ diff -Nrup refpolicy/test_policy.if refp
> +interface(`unconfined_runs_test',`
> + gen_require(`
> + type unconfined_t;
> ++ type unconfined_devpts_t;
> + ')
> +
> ++ # Transition from the caller to the test domain.
> + allow unconfined_t $1:process transition;
> ++ # Report back from the test domain to the caller.
> ++ allow $1 unconfined_t:fd use;
> ++ allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr};
> ++ allow $1 unconfined_t:fifo_file { read write ioctl getattr };
> ++ allow $1 unconfined_t:process { sigchld };
> +')
> diff -Nrup refpolicy/test_ptrace.te refpolicy.new/test_ptrace.te
> ---- refpolicy/test_ptrace.te 2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_ptrace.te 2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_ptrace.te 2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_ptrace.te 2008-01-29 11:40:09.000000000 -0500
> @@ -8,6 +8,8 @@ attribute ptracedomain;
> # Domain for process that is allowed to trace.
> type test_ptrace_tracer_t;
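Review bot: The report-back rules added to `unconfined_runs_test` name `unconfined_t` and `unconfined_devpts_t` directly, so they only cover a harness started from an unconfined login on a pty carrying that label. A run from a console or from another user domain would presumably hit denials on the inherited descriptor and terminal, and the test would then fail for a reason unrelated to the permission it is meant to exercise. Pulling another module's types in through `gen_require` also ties the test policy to the base policy's type names. Where the base policy exports them, calls such as `unconfined_use_fds($1)`, `unconfined_rw_pipes($1)` and `unconfined_sigchld($1)` would express the same grants through that module's interface. A one-line comment above the interface, stating that it assumes an unconfined caller on a pty, would document the remaining assumption.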
> @@ -599,8 +606,8 @@ diff -Nrup refpolicy/test_ptrace.te refp > typeattribute test_ptrace_traced_t testdomain; > > diff -Nrup refpolicy/test_readlink.te refpolicy.new/test_readlink.te > ---- refpolicy/test_readlink.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_readlink.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_readlink.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_readlink.te 2008-01-29 11:40:09.000000000 -0500 > @@ -14,6 +14,8 @@ files_type(test_readlink_link_t) > # Domain for process that can read and follow the symbolic link. > type test_readlink_t; > @@ -620,8 +627,8 @@ diff -Nrup refpolicy/test_readlink.te re > typeattribute test_noreadlink_t testdomain; > allow test_noreadlink_t test_readlink_file_t:file { getattr read }; > diff -Nrup refpolicy/test_relabel.te refpolicy.new/test_relabel.te > ---- refpolicy/test_relabel.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_relabel.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_relabel.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_relabel.te 2008-01-29 11:40:09.000000000 -0500 > @@ -14,6 +14,8 @@ files_type(test_relabel_newtype_t) > # Domain for process that can relabel the test file. > type test_relabel_t; > @@ -650,8 +657,8 @@ diff -Nrup refpolicy/test_relabel.te ref > typeattribute test_norelabelto_t test_relabel_domain; > typeattribute test_norelabelto_t testdomain; > diff -Nrup refpolicy/test_rename.te refpolicy.new/test_rename.te > ---- refpolicy/test_rename.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_rename.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_rename.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_rename.te 2008-01-29 11:40:09.000000000 -0500 > @@ -20,6 +20,8 @@ files_type(test_rename_dir_t) > # Domain for process that can rename the test file and directory. > type test_rename_t; 
> @@ -725,8 +732,8 @@ diff -Nrup refpolicy/test_rename.te refp > typeattribute test_norename6_t testdomain; > allow test_norename6_t test_rename_src_dir_t:dir { search getattr write > remove_name }; > diff -Nrup refpolicy/test_rxdir.te refpolicy.new/test_rxdir.te > ---- refpolicy/test_rxdir.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_rxdir.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_rxdir.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_rxdir.te 2008-01-29 11:40:09.000000000 -0500 > @@ -12,6 +12,8 @@ files_type(test_rxdir_dir_t) > # Domain for process that can read but not search the directory. > type test_rdir_t; > @@ -746,8 +753,8 @@ diff -Nrup refpolicy/test_rxdir.te refpo > typeattribute test_xdir_t testdomain; > allow test_xdir_t test_rxdir_dir_t:dir { getattr search }; > diff -Nrup refpolicy/test_setattr.te refpolicy.new/test_setattr.te > ---- refpolicy/test_setattr.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_setattr.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_setattr.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_setattr.te 2008-01-29 11:40:09.000000000 -0500 > @@ -12,6 +12,8 @@ files_type(test_setattr_file_t) > # Domain for process that can set attributes on the test file. > type test_setattr_t; > @@ -767,8 +774,8 @@ diff -Nrup refpolicy/test_setattr.te ref > typeattribute test_nosetattr_t testdomain; > allow test_nosetattr_t self:capability chown; > diff -Nrup refpolicy/test_setnice.te refpolicy.new/test_setnice.te > ---- refpolicy/test_setnice.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_setnice.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_setnice.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_setnice.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,24 +8,29 @@ attribute setnicedomain; > # Domain for process whose nice can be set. > type test_setnice_set_t; 
> @@ -801,8 +808,8 @@ diff -Nrup refpolicy/test_setnice.te ref > files_exec_etc_files(setnicedomain) > libs_use_ld_so(setnicedomain) > diff -Nrup refpolicy/test_sigkill.te refpolicy.new/test_sigkill.te > ---- refpolicy/test_sigkill.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_sigkill.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_sigkill.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_sigkill.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,12 +8,16 @@ attribute killdomain; > # Domain for process that receives the signals. > type test_kill_server_t; > @@ -848,8 +855,8 @@ diff -Nrup refpolicy/test_sigkill.te ref > typeattribute test_kill_signal_t testdomain; > > diff -Nrup refpolicy/test_stat.te refpolicy.new/test_stat.te > ---- refpolicy/test_stat.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_stat.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_stat.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_stat.te 2008-01-29 11:40:09.000000000 -0500 > @@ -12,6 +12,8 @@ files_type(test_stat_file_t) > # Domain for process that can get attributes on the test file. > type test_stat_t; > @@ -869,8 +876,8 @@ diff -Nrup refpolicy/test_stat.te refpol > typeattribute test_nostat_t testdomain; > > diff -Nrup refpolicy/test_sysctl.te refpolicy.new/test_sysctl.te > ---- refpolicy/test_sysctl.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_sysctl.te 2007-12-31 05:57:37.000000000 -0500 > +--- refpolicy/test_sysctl.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_sysctl.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,19 +8,23 @@ attribute sysctldomain; > # Domain for process that is allowed to perform sysctl. > type test_sysctl_t; 
> @@ -898,8 +905,8 @@ diff -Nrup refpolicy/test_sysctl.te refp
> # Allow the first domain to perform sysctl operations.
> kernel_rw_all_sysctls(test_sysctl_t)
> diff -Nrup refpolicy/test_task_create.te refpolicy.new/test_task_create.te
> ---- refpolicy/test_task_create.te 2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_task_create.te 2007-12-31 05:57:37.000000000
> -0500
> +--- refpolicy/test_task_create.te 2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_task_create.te 2008-01-29 11:40:09.000000000
> -0500
> @@ -8,6 +8,8 @@ attribute test_create_d;
> # Domain for process allowed to fork.
> type test_create_yes_t;
> @@ -909,23 +916,17 @@ diff -Nrup refpolicy/test_task_create.te
> typeattribute test_create_yes_t test_create_d;
> typeattribute test_create_yes_t testdomain;
>
> -@@ -20,7 +22,12 @@ type test_create_no_t;
> - # permission so we can test it, we omit the domain attribute.
> +@@ -21,6 +23,7 @@ type test_create_no_t;
> # Ideally, refpolicy would _not_ grant such permissions to every domain,
> # as it makes the permission effectively unusable in real policy.
> --#domain_type(test_create_no_t)
> -+# XXX This invalidates the test, but allows the policy to compile
> -+# The next two lines SHOULD be commented out according to the original
> -+# comment above.
> -+domain_type(test_create_no_t)
> + #domain_type(test_create_no_t)
> +unconfined_runs_test(test_create_no_t)
> -+domain_dyntrans_type(test_create_no_t)
> typeattribute test_create_no_t test_create_d;
>
> allow test_create_no_t self:process ~fork;
> diff -Nrup refpolicy/test_task_getpgid.te refpolicy.new/test_task_getpgid.te
> ---- refpolicy/test_task_getpgid.te 2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_task_getpgid.te 2007-12-31 05:57:37.000000000
> -0500
> +--- refpolicy/test_task_getpgid.te 2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_task_getpgid.te 2008-01-29 11:40:09.000000000
> -0500
> @@ -8,18 +8,24 @@ attribute test_getpgid_d; > # Domain for the target process > type test_getpgid_target_t; > @@ -952,8 +953,8 @@ diff -Nrup refpolicy/test_task_getpgid.t > typeattribute test_getpgid_no_t testdomain; > > diff -Nrup refpolicy/test_task_getsched.te > refpolicy.new/test_task_getsched.te > ---- refpolicy/test_task_getsched.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_task_getsched.te 2007-12-31 05:57:37.000000000 > -0500 > +--- refpolicy/test_task_getsched.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_task_getsched.te 2008-01-29 11:40:09.000000000 > -0500 > @@ -8,18 +8,24 @@ attribute test_getsched_d; > # Domain for the target process > type test_getsched_target_t; > @@ -980,8 +981,8 @@ diff -Nrup refpolicy/test_task_getsched. > typeattribute test_getsched_no_t testdomain; > > diff -Nrup refpolicy/test_task_getsid.te refpolicy.new/test_task_getsid.te > ---- refpolicy/test_task_getsid.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_task_getsid.te 2007-12-31 05:57:38.000000000 > -0500 > +--- refpolicy/test_task_getsid.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_task_getsid.te 2008-01-29 11:40:09.000000000 > -0500 > @@ -8,18 +8,24 @@ attribute test_getsid_d; > # Domain for the target process > type test_getsid_target_t; > @@ -1008,8 +1009,8 @@ diff -Nrup refpolicy/test_task_getsid.te > typeattribute test_getsid_no_t testdomain; > > diff -Nrup refpolicy/test_task_setpgid.te refpolicy.new/test_task_setpgid.te > ---- refpolicy/test_task_setpgid.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_task_setpgid.te 2007-12-31 05:57:38.000000000 > -0500 > +--- refpolicy/test_task_setpgid.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_task_setpgid.te 2008-01-29 11:40:09.000000000 > -0500 > @@ -8,6 +8,8 @@ attribute test_setpgid_d; > # Domain for process allowed to setpgid > type test_setpgid_yes_t; 
> @@ -1029,8 +1030,8 @@ diff -Nrup refpolicy/test_task_setpgid.t > > allow test_setpgid_no_t self:process ~{ setpgid setcurrent }; > diff -Nrup refpolicy/test_task_setsched.te > refpolicy.new/test_task_setsched.te > ---- refpolicy/test_task_setsched.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_task_setsched.te 2007-12-31 05:57:38.000000000 > -0500 > +--- refpolicy/test_task_setsched.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_task_setsched.te 2008-01-29 11:40:09.000000000 > -0500 > @@ -9,18 +9,24 @@ attribute test_setsched_d; > # Domain for the target process > type test_setsched_target_t; > @@ -1057,8 +1058,8 @@ diff -Nrup refpolicy/test_task_setsched. > typeattribute test_setsched_no_t testdomain; > > diff -Nrup refpolicy/test_transition.te refpolicy.new/test_transition.te > ---- refpolicy/test_transition.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_transition.te 2007-12-31 05:57:38.000000000 -0500 > +--- refpolicy/test_transition.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_transition.te 2008-01-29 11:40:09.000000000 -0500 > @@ -8,18 +8,24 @@ attribute transitiondomain; > # Domain for process that is allowed to transition to the new domain. > type test_transition_fromdomain_t; > @@ -1085,8 +1086,8 @@ diff -Nrup refpolicy/test_transition.te > typeattribute test_transition_todomain_t testdomain; > > diff -Nrup refpolicy/test_wait.te refpolicy.new/test_wait.te > ---- refpolicy/test_wait.te 2007-12-31 06:57:36.000000000 -0500 > -+++ refpolicy.new/test_wait.te 2007-12-31 05:57:38.000000000 -0500 > +--- refpolicy/test_wait.te 2008-01-29 11:51:21.000000000 -0500 > ++++ refpolicy.new/test_wait.te 2008-01-29 11:40:09.000000000 -0500 
> @@ -8,18 +8,24 @@ attribute waitdomain;
> # Domain for parent process.
> type test_wait_parent_t;
> diff -Nrup ltp/testscripts/test_selinux.sh ltp.p3/testscripts/test_selinux.sh
> --- ltp/testscripts/test_selinux.sh 2008-01-02 06:58:16.000000000 -0500
> +++ ltp.p3/testscripts/test_selinux.sh 2008-01-29 11:56:57.000000000
> -0500
> @@ -9,6 +9,19 @@
> #
> # test_selinux.sh - Run the selinux test suite.
>
> +config_set_expandcheck() {
> + pushd /etc/selinux
> + cp --preserve semanage.conf semanage.conf.orig
> + echo "expand-check=0" >> semanage.conf
> + popd
> +}
> +
> +config_unset_expandcheck() {
> + pushd /etc/selinux
> + mv semanage.conf.orig semanage.conf
> + popd
> +}
> +
> # Must be root to run the selinux testsuite
> if [ $UID != 0 ]
> then
> @@ -64,17 +77,22 @@ pushd $LTPROOT/testcases/kernel/security
> sh ./update_refpolicy.sh
> popd
>
> +config_set_expandcheck
> +
> # build and install the test policy...
> echo "building and installing test_policy module..."
> cd $LTPROOT/testcases/kernel/security/selinux-testsuite/refpolicy
> make load
> if [ $? != 0 ]; then
> echo "Failed to build and load test_policy module, aborting test run."
> + config_unset_expandcheck
> exit 1
> else
> echo "Successfully built and loaded test_policy module."
> fi
>
> +config_unset_expandcheck
> +
> # go back to test's root directory
> cd $LTPROOT
>
-- Stephen Smalley National Security Agency ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Ltp-list mailing list Ltp-list@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ltp-list
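Review bot: `config_set_expandcheck` overwrites `semanage.conf.orig` on every call and checks neither `pushd` nor `cp`. A run that follows an interrupted one therefore backs up the already-modified file, so the host's original `semanage.conf` is lost and `expand-check=0` stays in place. That setting turns off libsemanage's neverallow and hierarchy checking when modules are installed, so leaving it behind weakens policy validation on the machine after the tests have finished. If `pushd` fails, the `echo` also appends to a `semanage.conf` in whatever directory the script was started from. The functions below use absolute paths, keep an existing backup, and make the restore safe to call twice.

```shell
config_set_expandcheck() {
	conf=/etc/selinux/semanage.conf
	# A leftover backup means an earlier run never restored; it is the real original.
	if [ ! -e "$conf.orig" ]; then
		cp --preserve "$conf" "$conf.orig" || return 1
	fi
	echo "expand-check=0" >> "$conf"
}

config_unset_expandcheck() {
	conf=/etc/selinux/semanage.conf
	# Restore only when a backup exists, so a repeated call is harmless.
	if [ -e "$conf.orig" ]; then
		mv "$conf.orig" "$conf"
	fi
}
```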
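Review bot: The restore runs only on the two paths visible in the `@@ -64,17 +77,22 @@` hunk, so an interrupt or kill during `make load` skips both and leaves `expand-check=0` in `/etc/selinux/semanage.conf`. Installing `trap 'config_unset_expandcheck; exit 1' INT TERM` just before `config_set_expandcheck`, and clearing it with `trap - INT TERM` after the final `config_unset_expandcheck`, would close that window. Nothing checks whether the backup was actually made before the load goes ahead; the script should stop before `make load` rather than edit a configuration it cannot put back.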