On Tue, 2008-01-29 at 18:21 -0600, Serge E. Hallyn wrote:
> Here is a patch against this morning's ltp cvs snapshot to implement
> Stephen's suggestion of setting expand-check=0 for the duration of
> the policy load.  This allowed me to get rid of the hack
> ++domain_type(test_create_no_t) in refpolicy/test_task_create.te, also
> done in this patch.
> 
> (I think it also inlines a patch Stephen sent on jan 23 which
> wasn't yet in ltp cvs)

As far as I can tell, no one has merged the two patches that I sent
earlier, which explains why you are still seeing failures (one of the
patches I sent added permissions needed for the tests).  I've seen no
reply to my patches, although I've seen other patches responded to.

> Now I can compile and run the selinux testsuite on Fedora 8.  There are
> 10 failures remaining.  I'll start looking at those in spare time, but
> hopefully Joy or George can also be looking into those a bit.
> 
> thanks
> -serge
> 
> diff -Nrup 
> ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch 
> ltp.p3/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch
> --- 
> ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch    
>     2008-01-02 06:58:15.000000000 -0500
> +++ 
> ltp.p3/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch 
>     2008-01-29 11:57:32.000000000 -0500
> @@ -1,6 +1,6 @@
>  diff -Nrup refpolicy/test_capable_file.te refpolicy.new/test_capable_file.te
> ---- refpolicy/test_capable_file.te   2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_capable_file.te       2007-12-31 05:57:36.000000000 
> -0500
> +--- refpolicy/test_capable_file.te   2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_capable_file.te       2008-01-29 11:40:09.000000000 
> -0500
>  @@ -14,28 +14,35 @@ type test_fcap_t;
>   typeattribute test_fcap_t capabledomain;
>   typeattribute test_fcap_t testdomain;
> @@ -39,8 +39,8 @@ diff -Nrup refpolicy/test_capable_file.t
>   files_exec_etc_files(capabledomain)
>   libs_use_ld_so(capabledomain)
>  diff -Nrup refpolicy/test_capable_net.te refpolicy.new/test_capable_net.te
> ---- refpolicy/test_capable_net.te    2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_capable_net.te        2007-12-31 05:57:36.000000000 
> -0500
> +--- refpolicy/test_capable_net.te    2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_capable_net.te        2008-01-29 11:40:09.000000000 
> -0500
>  @@ -7,12 +7,16 @@
>   # Type for process that is allowed certain capabilities
>   type test_ncap_t;
> @@ -79,8 +79,8 @@ diff -Nrup refpolicy/test_capable_net.te
>   require {
>       type ifconfig_exec_t;
>  diff -Nrup refpolicy/test_capable_sys.te refpolicy.new/test_capable_sys.te
> ---- refpolicy/test_capable_sys.te    2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_capable_sys.te        2007-12-31 05:57:36.000000000 
> -0500
> +--- refpolicy/test_capable_sys.te    2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_capable_sys.te        2008-01-29 11:40:09.000000000 
> -0500
>  @@ -7,12 +7,16 @@
>   # Type for process that is allowed certain capabilities
>   type test_scap_t;
> @@ -99,8 +99,8 @@ diff -Nrup refpolicy/test_capable_sys.te
>   typeattribute test_noscap_t testdomain;
>   
>  diff -Nrup refpolicy/test_dyntrace.te refpolicy.new/test_dyntrace.te
> ---- refpolicy/test_dyntrace.te       2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_dyntrace.te   2007-12-31 05:57:36.000000000 -0500
> +--- refpolicy/test_dyntrace.te       2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_dyntrace.te   2008-01-29 11:40:09.000000000 -0500
>  @@ -8,6 +8,8 @@ attribute dyntracedomain;
>   # Domain for parent process.
>   type test_dyntrace_parent_t;
> @@ -129,8 +129,8 @@ diff -Nrup refpolicy/test_dyntrace.te re
>   typeattribute test_dyntrace_notchild_t testdomain;
>   
>  diff -Nrup refpolicy/test_dyntrans.te refpolicy.new/test_dyntrans.te
> ---- refpolicy/test_dyntrans.te       2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_dyntrans.te   2007-12-31 05:57:36.000000000 -0500
> +--- refpolicy/test_dyntrans.te       2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_dyntrans.te   2008-01-29 11:40:09.000000000 -0500
>  @@ -8,18 +8,24 @@ attribute dyntransdomain;
>   # Domain for process that is allowed to transition to the new domain.
>   type test_dyntrans_fromdomain_t;
> @@ -157,8 +157,8 @@ diff -Nrup refpolicy/test_dyntrans.te re
>   typeattribute test_dyntrans_todomain_t testdomain;
>   
>  diff -Nrup refpolicy/test_entrypoint.te refpolicy.new/test_entrypoint.te
> ---- refpolicy/test_entrypoint.te     2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_entrypoint.te 2007-12-31 05:57:36.000000000 -0500
> +--- refpolicy/test_entrypoint.te     2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_entrypoint.te 2008-01-29 11:40:09.000000000 -0500
>  @@ -10,6 +10,8 @@ files_type(test_entrypoint_execute_t)
>   # Test domain that can only be entered via the type above.
>   type test_entrypoint_t;
> @@ -169,8 +169,8 @@ diff -Nrup refpolicy/test_entrypoint.te 
>   
>   # Allow execution of true.
>  diff -Nrup refpolicy/test_execshare.te refpolicy.new/test_execshare.te
> ---- refpolicy/test_execshare.te      2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_execshare.te  2007-12-31 05:57:36.000000000 -0500
> +--- refpolicy/test_execshare.te      2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_execshare.te  2008-01-29 11:40:09.000000000 -0500
>  @@ -8,18 +8,24 @@ attribute execsharedomain;
>   # Domain for parent process.
>   type test_execshare_parent_t;
> @@ -197,8 +197,8 @@ diff -Nrup refpolicy/test_execshare.te r
>   typeattribute test_execshare_notchild_t testdomain;
>   
>  diff -Nrup refpolicy/test_exectrace.te refpolicy.new/test_exectrace.te
> ---- refpolicy/test_exectrace.te      2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_exectrace.te  2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_exectrace.te      2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_exectrace.te  2008-01-29 11:40:09.000000000 -0500
>  @@ -8,6 +8,8 @@ attribute exectracedomain;
>   # Domain for parent process.
>   type test_exectrace_parent_t;
> @@ -226,8 +226,8 @@ diff -Nrup refpolicy/test_exectrace.te r
>   typeattribute test_exectrace_notchild_t testdomain;
>   
>  diff -Nrup refpolicy/test_execute_no_trans.te 
> refpolicy.new/test_execute_no_trans.te
> ---- refpolicy/test_execute_no_trans.te       2007-12-31 06:57:36.000000000 
> -0500
> -+++ refpolicy.new/test_execute_no_trans.te   2007-12-31 05:57:37.000000000 
> -0500
> +--- refpolicy/test_execute_no_trans.te       2008-01-29 11:51:21.000000000 
> -0500
> ++++ refpolicy.new/test_execute_no_trans.te   2008-01-29 11:40:09.000000000 
> -0500
>  @@ -15,6 +15,8 @@ files_type(test_execute_notrans_denied_t
>   # Test domain that can only be entered via the types above.
>   type test_execute_notrans_t;
> @@ -238,8 +238,8 @@ diff -Nrup refpolicy/test_execute_no_tra
>   
>   # Allow this domain to be entered via the shell.
>  diff -Nrup refpolicy/test_fdreceive.te refpolicy.new/test_fdreceive.te
> ---- refpolicy/test_fdreceive.te      2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_fdreceive.te  2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_fdreceive.te      2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_fdreceive.te  2008-01-29 11:40:09.000000000 -0500
>  @@ -16,12 +16,16 @@ files_type(test_fdreceive_file2_t)
>   # Domain for client process.
>   type test_fdreceive_client_t;
> @@ -267,8 +267,8 @@ diff -Nrup refpolicy/test_fdreceive.te r
>   typeattribute test_fdreceive_server_t testdomain;
>   
>  diff -Nrup refpolicy/test_file.te refpolicy.new/test_file.te
> ---- refpolicy/test_file.te   2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_file.te       2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_file.te   2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_file.te       2008-01-29 11:40:09.000000000 -0500
>  @@ -8,6 +8,8 @@ attribute fileopdomain;
>   # Domain for process that is allowed to perform operations.
>   type test_fileop_t;
> @@ -315,8 +315,8 @@ diff -Nrup refpolicy/test_file.te refpol
>   domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)
>   allow test_fileop_t fileop_t:fd use;
>  diff -Nrup refpolicy/test_inherit.te refpolicy.new/test_inherit.te
> ---- refpolicy/test_inherit.te        2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_inherit.te    2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_inherit.te        2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_inherit.te    2008-01-29 11:40:09.000000000 -0500
>  @@ -8,6 +8,8 @@ attribute inheritdomain;
>   # Domain for parent process.
>   type test_inherit_parent_t;
> @@ -354,8 +354,8 @@ diff -Nrup refpolicy/test_inherit.te ref
>   typeattribute test_inherit_nowrite_t testdomain;
>   
>  diff -Nrup refpolicy/test_ioctl.te refpolicy.new/test_ioctl.te
> ---- refpolicy/test_ioctl.te  2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_ioctl.te      2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_ioctl.te  2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_ioctl.te      2008-01-29 11:40:09.000000000 -0500
>  @@ -8,12 +8,16 @@ attribute ioctldomain;
>   # Domain for process that is allowed to perform ioctl.
>   type test_ioctl_t;
> @@ -382,8 +382,8 @@ diff -Nrup refpolicy/test_ioctl.te refpo
>   files_exec_etc_files(ioctldomain)
>   libs_use_ld_so(ioctldomain)
>  diff -Nrup refpolicy/test_ipc.te refpolicy.new/test_ipc.te
> ---- refpolicy/test_ipc.te    2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_ipc.te        2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_ipc.te    2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_ipc.te        2008-01-29 11:40:09.000000000 -0500
>  @@ -8,6 +8,8 @@ attribute ipcdomain;
>   # Base domain for IPC tests, has all IPC permissions 
>   type test_ipc_base_t;
> @@ -419,8 +419,8 @@ diff -Nrup refpolicy/test_ipc.te refpoli
>   typeattribute test_ipc_associate_t testdomain;
>   
>  diff -Nrup refpolicy/test_link.te refpolicy.new/test_link.te
> ---- refpolicy/test_link.te   2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_link.te       2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_link.te   2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_link.te       2008-01-29 11:40:09.000000000 -0500
>  @@ -16,6 +16,8 @@ files_type(test_link_file_t)
>   # Domain for process that can create hard links to the file.
>   type test_link_t;
> @@ -476,8 +476,8 @@ diff -Nrup refpolicy/test_link.te refpol
>   typeattribute test_nounlink2_t testdomain;
>   allow test_nounlink2_t test_link_dir_t:dir { search getattr write };
>  diff -Nrup refpolicy/test_mkdir.te refpolicy.new/test_mkdir.te
> ---- refpolicy/test_mkdir.te  2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_mkdir.te      2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_mkdir.te  2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_mkdir.te      2008-01-29 11:40:09.000000000 -0500
>  @@ -12,6 +12,8 @@ files_type(test_mkdir_dir_t)
>   # Domain for process that has add_name permission to the test directory.
>   type test_addname_t;
> @@ -524,8 +524,8 @@ diff -Nrup refpolicy/test_mkdir.te refpo
>   typeattribute test_nocreate_t testdomain;
>   domain_obj_id_change_exemption(test_nocreate_t)
>  diff -Nrup refpolicy/test_open.te refpolicy.new/test_open.te
> ---- refpolicy/test_open.te   2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_open.te       2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_open.te   2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_open.te       2008-01-29 11:40:09.000000000 -0500
>  @@ -12,6 +12,8 @@ files_type(test_open_file_t)
>   # Domain for process that can open the test file for reading and writing.
>   type test_open_t;
> @@ -554,9 +554,9 @@ diff -Nrup refpolicy/test_open.te refpol
>   typeattribute test_append_t testdomain;
>   allow test_append_t test_open_file_t:file { getattr append };
>  diff -Nrup refpolicy/test_policy.if refpolicy.new/test_policy.if
> ---- refpolicy/test_policy.if 2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_policy.if     2007-12-31 06:05:59.000000000 -0500
> -@@ -25,3 +25,11 @@
> +--- refpolicy/test_policy.if 2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_policy.if     2008-01-29 11:48:29.000000000 -0500
> +@@ -25,3 +25,18 @@
>   ##      Domain allowed to transition.
>   ## </param>
>   #
> @@ -564,13 +564,20 @@ diff -Nrup refpolicy/test_policy.if refp
>  +interface(`unconfined_runs_test',`
>  +    gen_require(`
>  +            type unconfined_t;
> ++            type unconfined_devpts_t;
>  +    ')
>  +
> ++    # Transition from the caller to the test domain.
>  +    allow unconfined_t $1:process transition;
> ++    # Report back from the test domain to the caller.
> ++    allow $1 unconfined_t:fd use;
> ++    allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr};
> ++    allow $1 unconfined_t:fifo_file { read write ioctl getattr };
> ++    allow $1 unconfined_t:process { sigchld };
>  +')
>  diff -Nrup refpolicy/test_ptrace.te refpolicy.new/test_ptrace.te
> ---- refpolicy/test_ptrace.te 2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_ptrace.te     2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_ptrace.te 2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_ptrace.te     2008-01-29 11:40:09.000000000 -0500
>  @@ -8,6 +8,8 @@ attribute ptracedomain;
>   # Domain for process that is allowed to trace.
>   type test_ptrace_tracer_t;
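Review bot: The rules added to `unconfined_runs_test` are not described anywhere in the interface's documentation; the only text visible above it is the `## Domain allowed to transition.` parameter line, so a reader cannot tell that the test domain is also granted use of the caller's file descriptors, pty and pipes plus `sigchld`. I would extend the `##` header to list those grants and say they exist only so test output can reach the caller. The permission set `{ read write ioctl getattr}` is missing the space before the closing brace that the `fifo_file` rule on the next line has. Because `unconfined_devpts_t` is now in `gen_require`, the module presumably will not load on a base policy without that type, which deserves a short comment.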
> @@ -599,8 +606,8 @@ diff -Nrup refpolicy/test_ptrace.te refp
>   typeattribute test_ptrace_traced_t testdomain;
>   
>  diff -Nrup refpolicy/test_readlink.te refpolicy.new/test_readlink.te
> ---- refpolicy/test_readlink.te       2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_readlink.te   2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_readlink.te       2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_readlink.te   2008-01-29 11:40:09.000000000 -0500
>  @@ -14,6 +14,8 @@ files_type(test_readlink_link_t)
>   # Domain for process that can read and follow the symbolic link.
>   type test_readlink_t;
> @@ -620,8 +627,8 @@ diff -Nrup refpolicy/test_readlink.te re
>   typeattribute test_noreadlink_t testdomain;
>   allow test_noreadlink_t test_readlink_file_t:file { getattr read };
>  diff -Nrup refpolicy/test_relabel.te refpolicy.new/test_relabel.te
> ---- refpolicy/test_relabel.te        2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_relabel.te    2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_relabel.te        2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_relabel.te    2008-01-29 11:40:09.000000000 -0500
>  @@ -14,6 +14,8 @@ files_type(test_relabel_newtype_t)
>   # Domain for process that can relabel the test file.
>   type test_relabel_t;
> @@ -650,8 +657,8 @@ diff -Nrup refpolicy/test_relabel.te ref
>   typeattribute test_norelabelto_t test_relabel_domain;
>   typeattribute test_norelabelto_t testdomain;
>  diff -Nrup refpolicy/test_rename.te refpolicy.new/test_rename.te
> ---- refpolicy/test_rename.te 2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_rename.te     2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_rename.te 2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_rename.te     2008-01-29 11:40:09.000000000 -0500
>  @@ -20,6 +20,8 @@ files_type(test_rename_dir_t)
>   # Domain for process that can rename the test file and directory.
>   type test_rename_t;
> @@ -725,8 +732,8 @@ diff -Nrup refpolicy/test_rename.te refp
>   typeattribute test_norename6_t testdomain;
>   allow test_norename6_t test_rename_src_dir_t:dir { search getattr write 
> remove_name };
>  diff -Nrup refpolicy/test_rxdir.te refpolicy.new/test_rxdir.te
> ---- refpolicy/test_rxdir.te  2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_rxdir.te      2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_rxdir.te  2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_rxdir.te      2008-01-29 11:40:09.000000000 -0500
>  @@ -12,6 +12,8 @@ files_type(test_rxdir_dir_t)
>   # Domain for process that can read but not search the directory.
>   type test_rdir_t;
> @@ -746,8 +753,8 @@ diff -Nrup refpolicy/test_rxdir.te refpo
>   typeattribute test_xdir_t testdomain;
>   allow test_xdir_t test_rxdir_dir_t:dir { getattr search };
>  diff -Nrup refpolicy/test_setattr.te refpolicy.new/test_setattr.te
> ---- refpolicy/test_setattr.te        2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_setattr.te    2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_setattr.te        2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_setattr.te    2008-01-29 11:40:09.000000000 -0500
>  @@ -12,6 +12,8 @@ files_type(test_setattr_file_t)
>   # Domain for process that can set attributes on the test file.
>   type test_setattr_t;
> @@ -767,8 +774,8 @@ diff -Nrup refpolicy/test_setattr.te ref
>   typeattribute test_nosetattr_t testdomain;
>   allow test_nosetattr_t self:capability chown;
>  diff -Nrup refpolicy/test_setnice.te refpolicy.new/test_setnice.te
> ---- refpolicy/test_setnice.te        2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_setnice.te    2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_setnice.te        2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_setnice.te    2008-01-29 11:40:09.000000000 -0500
>  @@ -8,24 +8,29 @@ attribute setnicedomain;
>   # Domain for process whose nice can be set.
>   type test_setnice_set_t;
> @@ -801,8 +808,8 @@ diff -Nrup refpolicy/test_setnice.te ref
>   files_exec_etc_files(setnicedomain)
>   libs_use_ld_so(setnicedomain)
>  diff -Nrup refpolicy/test_sigkill.te refpolicy.new/test_sigkill.te
> ---- refpolicy/test_sigkill.te        2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_sigkill.te    2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_sigkill.te        2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_sigkill.te    2008-01-29 11:40:09.000000000 -0500
>  @@ -8,12 +8,16 @@ attribute killdomain;
>   # Domain for process that receives the signals.
>   type test_kill_server_t;
> @@ -848,8 +855,8 @@ diff -Nrup refpolicy/test_sigkill.te ref
>   typeattribute test_kill_signal_t testdomain;
>   
>  diff -Nrup refpolicy/test_stat.te refpolicy.new/test_stat.te
> ---- refpolicy/test_stat.te   2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_stat.te       2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_stat.te   2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_stat.te       2008-01-29 11:40:09.000000000 -0500
>  @@ -12,6 +12,8 @@ files_type(test_stat_file_t)
>   # Domain for process that can get attributes on the test file.
>   type test_stat_t;
> @@ -869,8 +876,8 @@ diff -Nrup refpolicy/test_stat.te refpol
>   typeattribute test_nostat_t testdomain;
>   
>  diff -Nrup refpolicy/test_sysctl.te refpolicy.new/test_sysctl.te
> ---- refpolicy/test_sysctl.te 2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_sysctl.te     2007-12-31 05:57:37.000000000 -0500
> +--- refpolicy/test_sysctl.te 2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_sysctl.te     2008-01-29 11:40:09.000000000 -0500
>  @@ -8,19 +8,23 @@ attribute sysctldomain;
>   # Domain for process that is allowed to perform sysctl.
>   type test_sysctl_t;
> @@ -898,8 +905,8 @@ diff -Nrup refpolicy/test_sysctl.te refp
>   # Allow the first domain to perform sysctl operations.
>   kernel_rw_all_sysctls(test_sysctl_t)
>  diff -Nrup refpolicy/test_task_create.te refpolicy.new/test_task_create.te
> ---- refpolicy/test_task_create.te    2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_task_create.te        2007-12-31 05:57:37.000000000 
> -0500
> +--- refpolicy/test_task_create.te    2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_task_create.te        2008-01-29 11:40:09.000000000 
> -0500
>  @@ -8,6 +8,8 @@ attribute test_create_d;
>   # Domain for process allowed to fork.
>   type test_create_yes_t;
> @@ -909,23 +916,17 @@ diff -Nrup refpolicy/test_task_create.te
>   typeattribute test_create_yes_t test_create_d;
>   typeattribute test_create_yes_t testdomain;
>   
> -@@ -20,7 +22,12 @@ type test_create_no_t;
> - # permission so we can test it, we omit the domain attribute. 
> +@@ -21,6 +23,7 @@ type test_create_no_t;
>   # Ideally, refpolicy would _not_ grant such permissions to every domain,
>   # as it makes the permission effectively unusable in real policy.
> --#domain_type(test_create_no_t)
> -+# XXX This invalidates the test, but allows the policy to compile
> -+# The next two lines SHOULD be commented out according to the original
> -+# comment above.
> -+domain_type(test_create_no_t)
> + #domain_type(test_create_no_t)
>  +unconfined_runs_test(test_create_no_t)
> -+domain_dyntrans_type(test_create_no_t)
>   typeattribute test_create_no_t test_create_d;
>   
>   allow test_create_no_t self:process ~fork;
>  diff -Nrup refpolicy/test_task_getpgid.te refpolicy.new/test_task_getpgid.te
> ---- refpolicy/test_task_getpgid.te   2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_task_getpgid.te       2007-12-31 05:57:37.000000000 
> -0500
> +--- refpolicy/test_task_getpgid.te   2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_task_getpgid.te       2008-01-29 11:40:09.000000000 
> -0500
>  @@ -8,18 +8,24 @@ attribute test_getpgid_d;
>   # Domain for the target process
>   type test_getpgid_target_t;
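Review bot: With the `domain_type(test_create_no_t)` workaround removed, this module appears to load only while `expand-check=0` is in effect, which the test_selinux.sh change in the same patch arranges, but nothing in test_task_create.te records that dependency. A comment beside the commented-out line would help anyone building or loading the policy by hand, for example `# Deliberately not a domain; loading this module requires expand-check=0 in semanage.conf (see test_selinux.sh).` The rest of the .te file lies outside this hunk, so check that no other comment there still refers to the removed workaround.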
> @@ -952,8 +953,8 @@ diff -Nrup refpolicy/test_task_getpgid.t
>   typeattribute test_getpgid_no_t testdomain;
>   
>  diff -Nrup refpolicy/test_task_getsched.te 
> refpolicy.new/test_task_getsched.te
> ---- refpolicy/test_task_getsched.te  2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_task_getsched.te      2007-12-31 05:57:37.000000000 
> -0500
> +--- refpolicy/test_task_getsched.te  2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_task_getsched.te      2008-01-29 11:40:09.000000000 
> -0500
>  @@ -8,18 +8,24 @@ attribute test_getsched_d;
>   # Domain for the target process
>   type test_getsched_target_t;
> @@ -980,8 +981,8 @@ diff -Nrup refpolicy/test_task_getsched.
>   typeattribute test_getsched_no_t testdomain;
>   
>  diff -Nrup refpolicy/test_task_getsid.te refpolicy.new/test_task_getsid.te
> ---- refpolicy/test_task_getsid.te    2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_task_getsid.te        2007-12-31 05:57:38.000000000 
> -0500
> +--- refpolicy/test_task_getsid.te    2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_task_getsid.te        2008-01-29 11:40:09.000000000 
> -0500
>  @@ -8,18 +8,24 @@ attribute test_getsid_d;
>   # Domain for the target process
>   type test_getsid_target_t;
> @@ -1008,8 +1009,8 @@ diff -Nrup refpolicy/test_task_getsid.te
>   typeattribute test_getsid_no_t testdomain;
>   
>  diff -Nrup refpolicy/test_task_setpgid.te refpolicy.new/test_task_setpgid.te
> ---- refpolicy/test_task_setpgid.te   2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_task_setpgid.te       2007-12-31 05:57:38.000000000 
> -0500
> +--- refpolicy/test_task_setpgid.te   2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_task_setpgid.te       2008-01-29 11:40:09.000000000 
> -0500
>  @@ -8,6 +8,8 @@ attribute test_setpgid_d;
>   # Domain for process allowed to setpgid
>   type test_setpgid_yes_t;
> @@ -1029,8 +1030,8 @@ diff -Nrup refpolicy/test_task_setpgid.t
>   
>   allow test_setpgid_no_t self:process ~{ setpgid setcurrent };
>  diff -Nrup refpolicy/test_task_setsched.te 
> refpolicy.new/test_task_setsched.te
> ---- refpolicy/test_task_setsched.te  2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_task_setsched.te      2007-12-31 05:57:38.000000000 
> -0500
> +--- refpolicy/test_task_setsched.te  2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_task_setsched.te      2008-01-29 11:40:09.000000000 
> -0500
>  @@ -9,18 +9,24 @@ attribute test_setsched_d;
>   # Domain for the target process
>   type test_setsched_target_t;
> @@ -1057,8 +1058,8 @@ diff -Nrup refpolicy/test_task_setsched.
>   typeattribute test_setsched_no_t testdomain;
>   
>  diff -Nrup refpolicy/test_transition.te refpolicy.new/test_transition.te
> ---- refpolicy/test_transition.te     2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_transition.te 2007-12-31 05:57:38.000000000 -0500
> +--- refpolicy/test_transition.te     2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_transition.te 2008-01-29 11:40:09.000000000 -0500
>  @@ -8,18 +8,24 @@ attribute transitiondomain;
>   # Domain for process that is allowed to transition to the new domain.
>   type test_transition_fromdomain_t;
> @@ -1085,8 +1086,8 @@ diff -Nrup refpolicy/test_transition.te 
>   typeattribute test_transition_todomain_t testdomain;
>   
>  diff -Nrup refpolicy/test_wait.te refpolicy.new/test_wait.te
> ---- refpolicy/test_wait.te   2007-12-31 06:57:36.000000000 -0500
> -+++ refpolicy.new/test_wait.te       2007-12-31 05:57:38.000000000 -0500
> +--- refpolicy/test_wait.te   2008-01-29 11:51:21.000000000 -0500
> ++++ refpolicy.new/test_wait.te       2008-01-29 11:40:09.000000000 -0500
>  @@ -8,18 +8,24 @@ attribute waitdomain;
>   # Domain for parent process.
>   type test_wait_parent_t;
> diff -Nrup ltp/testscripts/test_selinux.sh ltp.p3/testscripts/test_selinux.sh
> --- ltp/testscripts/test_selinux.sh   2008-01-02 06:58:16.000000000 -0500
> +++ ltp.p3/testscripts/test_selinux.sh        2008-01-29 11:56:57.000000000 
> -0500
> @@ -9,6 +9,19 @@
>  #
>  # test_selinux.sh - Run the selinux test suite.
>  
> +config_set_expandcheck() {
> +     pushd /etc/selinux
> +     cp --preserve semanage.conf semanage.conf.orig
> +     echo "expand-check=0" >> semanage.conf
> +     popd
> +}
> +
> +config_unset_expandcheck() {
> +     pushd /etc/selinux
> +     mv semanage.conf.orig semanage.conf
> +     popd
> +}
> +
>  # Must be root to run the selinux testsuite
>  if [ $UID != 0 ]
>  then
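Review bot: `config_set_expandcheck` appends `expand-check=0` even when `pushd /etc/selinux` or the `cp` backup failed, and `config_unset_expandcheck` then has nothing to `mv` back, so the system-wide semanage.conf would keep policy expansion checks relaxed after the test run. The `cp` also overwrites an existing semanage.conf.orig, for instance one left by an interrupted earlier run whose semanage.conf already carries the appended line, which would make the relaxed setting the "original". I would guard the backup with `[ -e semanage.conf.orig ] || cp --preserve semanage.conf semanage.conf.orig || return 1` and have the caller abort when the function fails. A comment above the function stating that the setting is changed only for the duration of the test policy load, and which function restores it, would also help.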
> @@ -64,17 +77,22 @@ pushd $LTPROOT/testcases/kernel/security
>  sh ./update_refpolicy.sh
>  popd
>  
> +config_set_expandcheck
> +
>  # build and install the test policy...
>  echo "building and installing test_policy module..."
>  cd $LTPROOT/testcases/kernel/security/selinux-testsuite/refpolicy
>  make load
>  if [ $? != 0 ]; then
>       echo "Failed to build and load test_policy module, aborting test run."
> +     config_unset_expandcheck
>       exit 1
>  else
>       echo "Successfully built and loaded test_policy module."
>  fi
>  
> +config_unset_expandcheck
> +
>  # go back to test's root directory
>  cd $LTPROOT
>  
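Review bot: The restore runs only on the two explicit paths after `make load`, so an interrupt or any other early exit between `config_set_expandcheck` and those calls leaves `expand-check=0` in /etc/selinux/semanage.conf on the test machine. Registering the restore immediately after the set with `trap config_unset_expandcheck EXIT`, dropping the explicit call before `exit 1`, and clearing it with `trap - EXIT` after the final restore would cover those paths without running the `mv` twice. The script continues beyond this hunk, so confirm that no later step expects the relaxed setting to still be in place.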
-- 
Stephen Smalley
National Security Agency

