Quoting Subrata Modak ([EMAIL PROTECTED]):
> Sergei,
> 
> I have merged Stephen's Patches sent on 24/01/2008, which modify:
> 
> ltp/testcases/kernel/security/selinux-testsuite/README
> ltp/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch
> 
> Could you let me know whether this replaces the need for your Patch, or
> your Patch (sent on 29/01/2008) is still needed to be applied. If

Sigh, this gets to be a pain since I'm sending a patch to a patch :)
But attached are two patches still needed on top of today's cvs.

Stephen, actually with these patches the testsuite hangs at
selinux_create.  I need unconfined_runs_test() to give $1
unconfined_t:process { sigchld}, which the patch I sent earlier did.
The patch you had sent out didn't, so I just want to make sure - is
there a reason not to do that?

If not, I'll just send out another patch after Subrata applies these
two to add that one line.

thanks,
-serge

> modifications need to be done, then please send me an updated one, diff
> of present ltp cvs. Thanks
> 
> --Subrata
> 
> 
> > Quoting Stephen Smalley ([EMAIL PROTECTED]):
> > > 
> > > On Wed, 2008-01-30 at 11:37 -0600, Serge E. Hallyn wrote:
> > > > Quoting Stephen Smalley ([EMAIL PROTECTED]):
> > > > > 
> > > > > On Wed, 2008-01-30 at 07:20 -0500, Stephen Smalley wrote:
> > > > > > On Tue, 2008-01-29 at 18:21 -0600, Serge E. Hallyn wrote:
> > > > > > > Here is a patch against this morning's ltp cvs snapshot to implement
> > > > > > > Stephen's suggestion of setting expand-check=0 for the duration of
> > > > > > > the policy load.  This allowed me to get rid of the hack
> > > > > > > ++domain_type(test_create_no_t) in refpolicy/test_task_create.te, also
> > > > > > > done in this patch.
> > > > > > > 
> > > > > > > (I think it also inlines a patch Stephen sent on jan 23 which
> > > > > > > wasn't yet in ltp cvs)
> > > > > > 
> > > > > > As far as I can tell, no one has merged the two patches that I sent
> > > > > > earlier, which explains why you are still seeing failures (the one patch
> > > > > > I sent added permissions needed for the tests).  I've seen no reply to
> > > > > > my patches, although I've seen other patches responded to.
> > > > > 
> > > > > Actually, I see that your patch does include the permissions from my
> > > > > patch (still not sure why my patch hasn't been merged), so I don't know
> > > > > why you'd still be seeing failures.   I only get 3 failures with my
> > > > > patch applied, on inherit and fdreceive (due to Fedora 8 policy granting
> > > > > fd:use permission liberally to all domains) and on task_create (due to
> > > > > the refpolicy granting process:fork to all domains), so I would only
> > > > > expect you to get 2 failures after your patch.
> > > > 
> > > > Interesting.  I'll look into some of these on Friday.  Here is the list of
> > > > failures btw:
> > > 
> > > Are you running mcstrans?  If not, start it first.
> > > 
> > > Original testsuite predates MCS/MLS and thus when it fabricates security
> > > contexts, it doesn't include a MCS/MLS level.  mcstrans makes that
> > > transparent and thus it just works.  Alternatively, the test scripts
> > > could be made a bit smarter.
> > 
> > Ah, that brought my # failures down to 5 :)
> > 
> > t Start Time: Wed Jan 30 09:39:18 2008
> > -----------------------------------------
> > Testcase                       Result     Exit Value
> > --------                       ------     ----------
> > SELinux01                      PASS       0    
> > SELinux02                      PASS       0    
> > SELinux03                      PASS       0    
> > SELinux04                      PASS       0    
> > SELinux05                      PASS       0    
> > SELinux06                      PASS       0    
> > SELinux07                      PASS       0    
> > SELinux08                      PASS       0    
> > SELinux09                      FAIL       1    
> > SELinux10                      FAIL       2    
> > SELinux11                      FAIL       1    
> > SELinux12                      PASS       0    
> > SELinux13                      PASS       0    
> > SELinux14                      FAIL       1    
> > SELinux15                      PASS       0    
> > SELinux16                      PASS       0    
> > SELinux17                      PASS       0    
> > SELinux18                      PASS       0    
> > SELinux19                      FAIL       1    
> > SELinux20                      PASS       0    
> > SELinux21                      PASS       0    
> > SELinux22                      PASS       0    
> > SELinux23                      PASS       0    
> > SELinux24                      PASS       0    
> > SELinux25                      PASS       0    
> > SELinux26                      PASS       0    
> > SELinux27                      PASS       0    
> > SELinux28                      PASS       0    
> > SELinux29                      PASS       0    
> > SELinux30                      PASS       0    
> > SELinux31                      PASS       0    
> > SELinux32                      PASS       0    
> > SELinux33                      PASS       0    
> > SELinux34                      PASS       0    
> > SELinux35                      PASS       0    
> > SELinux36                      PASS       0    
> > SELinux37                      PASS       0    
> > SELinux38                      PASS       0    
> > 
> > -----------------------------------------------
> > Total Tests: 38
> > Total Failures: 5
> > Kernel Version: 2.6.23.1-42.fc8
> > Machine Architecture: i686
> > Hostname: localhost.localdomain
> > 
> > thanks,
> > -serge
> > 
From d6b524bad188461c94893eb23f7b9a39a9a84718 Mon Sep 17 00:00:00 2001
From: root <[EMAIL PROTECTED]>
Date: Thu, 31 Jan 2008 08:37:16 -0500
Subject: [PATCH 2/2] don't call domain_type() on test_create_no_t

We knew it was the wrong thing to do but needed it for the policy to
load.  Now that we set expand-check=0 for policy load, we don't need
it any more, so get rid of it.

Signed-off-by: root <[EMAIL PROTECTED]>
---
 .../selinux-testsuite/misc/sbin_deprecated.patch   |  226 ++++++++++----------
 1 files changed, 110 insertions(+), 116 deletions(-)

diff --git 
a/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch 
b/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch
index 4af85d3..2ee2d5c 100644
--- a/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch
+++ b/testcases/kernel/security/selinux-testsuite/misc/sbin_deprecated.patch
@@ -1,6 +1,6 @@
-diff -Nrup refpolicy/test_capable_file.te refpolicy.new/test_capable_file.te
---- refpolicy/test_capable_file.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_capable_file.te 2007-12-31 05:57:36.000000000 -0500
+diff -Nrup refpolicy/test_capable_file.te 
refpolicy.patched/test_capable_file.te
+--- refpolicy/test_capable_file.te     2007-12-20 04:32:55.000000000 -0500
++++ refpolicy.patched/test_capable_file.te     2008-01-31 08:32:27.000000000 
-0500
 @@ -14,28 +14,35 @@ type test_fcap_t;
  typeattribute test_fcap_t capabledomain;
  typeattribute test_fcap_t testdomain;
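Review bot: The file headers rewritten at the top of this hunk (refpolicy.new becomes refpolicy.patched, and the 2007-12-31 timestamps become 2007-12-20 and 2008-01-31) are the same kind of change that fills most of the hunks in this diff, which is how a commit described as a single change to test_task_create.te arrives with 110 insertions and 116 deletions in the diffstat. Regenerating sbin_deprecated.patch with the original directory names, or stating in the commit message that the embedded patch was regenerated from a different tree, would let a reviewer find the functional change without reading through the header churn. The From and Signed-off-by lines also name root rather than the author.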
@@ -38,9 +38,9 @@ diff -Nrup refpolicy/test_capable_file.te 
refpolicy.new/test_capable_file.te
  domain_exec_all_entry_files(capabledomain)
  files_exec_etc_files(capabledomain)
  libs_use_ld_so(capabledomain)
-diff -Nrup refpolicy/test_capable_net.te refpolicy.new/test_capable_net.te
---- refpolicy/test_capable_net.te      2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_capable_net.te  2007-12-31 05:57:36.000000000 -0500
+diff -Nrup refpolicy/test_capable_net.te refpolicy.patched/test_capable_net.te
+--- refpolicy/test_capable_net.te      2007-12-20 04:32:55.000000000 -0500
++++ refpolicy.patched/test_capable_net.te      2008-01-31 08:32:27.000000000 
-0500
 @@ -7,12 +7,16 @@
  # Type for process that is allowed certain capabilities
  type test_ncap_t;
@@ -78,9 +78,9 @@ diff -Nrup refpolicy/test_capable_net.te 
refpolicy.new/test_capable_net.te
  
  require {
        type ifconfig_exec_t;
-diff -Nrup refpolicy/test_capable_sys.te refpolicy.new/test_capable_sys.te
---- refpolicy/test_capable_sys.te      2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_capable_sys.te  2007-12-31 05:57:36.000000000 -0500
+diff -Nrup refpolicy/test_capable_sys.te refpolicy.patched/test_capable_sys.te
+--- refpolicy/test_capable_sys.te      2006-03-22 16:30:29.000000000 -0500
++++ refpolicy.patched/test_capable_sys.te      2008-01-31 08:32:27.000000000 
-0500
 @@ -7,12 +7,16 @@
  # Type for process that is allowed certain capabilities
  type test_scap_t;
@@ -98,9 +98,9 @@ diff -Nrup refpolicy/test_capable_sys.te 
refpolicy.new/test_capable_sys.te
  typeattribute test_noscap_t capabledomain;
  typeattribute test_noscap_t testdomain;
  
-diff -Nrup refpolicy/test_dyntrace.te refpolicy.new/test_dyntrace.te
---- refpolicy/test_dyntrace.te 2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_dyntrace.te     2007-12-31 05:57:36.000000000 -0500
+diff -Nrup refpolicy/test_dyntrace.te refpolicy.patched/test_dyntrace.te
+--- refpolicy/test_dyntrace.te 2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_dyntrace.te 2008-01-31 08:32:27.000000000 -0500
 @@ -8,6 +8,8 @@ attribute dyntracedomain;
  # Domain for parent process.
  type test_dyntrace_parent_t;
@@ -128,9 +128,9 @@ diff -Nrup refpolicy/test_dyntrace.te 
refpolicy.new/test_dyntrace.te
  typeattribute test_dyntrace_notchild_t dyntracedomain;
  typeattribute test_dyntrace_notchild_t testdomain;
  
-diff -Nrup refpolicy/test_dyntrans.te refpolicy.new/test_dyntrans.te
---- refpolicy/test_dyntrans.te 2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_dyntrans.te     2007-12-31 05:57:36.000000000 -0500
+diff -Nrup refpolicy/test_dyntrans.te refpolicy.patched/test_dyntrans.te
+--- refpolicy/test_dyntrans.te 2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_dyntrans.te 2008-01-31 08:32:27.000000000 -0500
 @@ -8,18 +8,24 @@ attribute dyntransdomain;
  # Domain for process that is allowed to transition to the new domain.
  type test_dyntrans_fromdomain_t;
@@ -156,9 +156,9 @@ diff -Nrup refpolicy/test_dyntrans.te 
refpolicy.new/test_dyntrans.te
  typeattribute test_dyntrans_todomain_t dyntransdomain;
  typeattribute test_dyntrans_todomain_t testdomain;
  
-diff -Nrup refpolicy/test_entrypoint.te refpolicy.new/test_entrypoint.te
---- refpolicy/test_entrypoint.te       2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_entrypoint.te   2007-12-31 05:57:36.000000000 -0500
+diff -Nrup refpolicy/test_entrypoint.te refpolicy.patched/test_entrypoint.te
+--- refpolicy/test_entrypoint.te       2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_entrypoint.te       2008-01-31 08:32:27.000000000 
-0500
 @@ -10,6 +10,8 @@ files_type(test_entrypoint_execute_t)
  # Test domain that can only be entered via the type above.
  type test_entrypoint_t;
@@ -168,9 +168,9 @@ diff -Nrup refpolicy/test_entrypoint.te 
refpolicy.new/test_entrypoint.te
  typeattribute test_entrypoint_t testdomain;
  
  # Allow execution of true.
-diff -Nrup refpolicy/test_execshare.te refpolicy.new/test_execshare.te
---- refpolicy/test_execshare.te        2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_execshare.te    2007-12-31 05:57:36.000000000 -0500
+diff -Nrup refpolicy/test_execshare.te refpolicy.patched/test_execshare.te
+--- refpolicy/test_execshare.te        2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_execshare.te        2008-01-31 08:32:27.000000000 
-0500
 @@ -8,18 +8,24 @@ attribute execsharedomain;
  # Domain for parent process.
  type test_execshare_parent_t;
@@ -196,9 +196,9 @@ diff -Nrup refpolicy/test_execshare.te 
refpolicy.new/test_execshare.te
  typeattribute test_execshare_notchild_t execsharedomain;
  typeattribute test_execshare_notchild_t testdomain;
  
-diff -Nrup refpolicy/test_exectrace.te refpolicy.new/test_exectrace.te
---- refpolicy/test_exectrace.te        2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_exectrace.te    2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_exectrace.te refpolicy.patched/test_exectrace.te
+--- refpolicy/test_exectrace.te        2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_exectrace.te        2008-01-31 08:32:27.000000000 
-0500
 @@ -8,6 +8,8 @@ attribute exectracedomain;
  # Domain for parent process.
  type test_exectrace_parent_t;
@@ -225,9 +225,9 @@ diff -Nrup refpolicy/test_exectrace.te 
refpolicy.new/test_exectrace.te
  typeattribute test_exectrace_notchild_t exectracedomain;
  typeattribute test_exectrace_notchild_t testdomain;
  
-diff -Nrup refpolicy/test_execute_no_trans.te 
refpolicy.new/test_execute_no_trans.te
---- refpolicy/test_execute_no_trans.te 2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_execute_no_trans.te     2007-12-31 05:57:37.000000000 
-0500
+diff -Nrup refpolicy/test_execute_no_trans.te 
refpolicy.patched/test_execute_no_trans.te
+--- refpolicy/test_execute_no_trans.te 2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_execute_no_trans.te 2008-01-31 08:32:27.000000000 
-0500
 @@ -15,6 +15,8 @@ files_type(test_execute_notrans_denied_t
  # Test domain that can only be entered via the types above.
  type test_execute_notrans_t;
@@ -237,9 +237,9 @@ diff -Nrup refpolicy/test_execute_no_trans.te 
refpolicy.new/test_execute_no_tran
  typeattribute test_execute_notrans_t testdomain;
  
  # Allow this domain to be entered via the shell.
-diff -Nrup refpolicy/test_fdreceive.te refpolicy.new/test_fdreceive.te
---- refpolicy/test_fdreceive.te        2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_fdreceive.te    2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_fdreceive.te refpolicy.patched/test_fdreceive.te
+--- refpolicy/test_fdreceive.te        2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_fdreceive.te        2008-01-31 08:32:27.000000000 
-0500
 @@ -16,12 +16,16 @@ files_type(test_fdreceive_file2_t)
  # Domain for client process.
  type test_fdreceive_client_t;
@@ -266,9 +266,9 @@ diff -Nrup refpolicy/test_fdreceive.te 
refpolicy.new/test_fdreceive.te
  typeattribute test_fdreceive_server_t fdreceivedomain;
  typeattribute test_fdreceive_server_t testdomain;
  
-diff -Nrup refpolicy/test_file.te refpolicy.new/test_file.te
---- refpolicy/test_file.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_file.te 2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_file.te refpolicy.patched/test_file.te
+--- refpolicy/test_file.te     2007-12-20 04:32:56.000000000 -0500
++++ refpolicy.patched/test_file.te     2008-01-31 08:32:27.000000000 -0500
 @@ -8,6 +8,8 @@ attribute fileopdomain;
  # Domain for process that is allowed to perform operations.
  type test_fileop_t;
@@ -314,9 +314,9 @@ diff -Nrup refpolicy/test_file.te refpolicy.new/test_file.te
  allow fileop_t fileop_exec_t:file entrypoint;
  domain_auto_trans(test_fileop_t, fileop_exec_t, fileop_t)
  allow test_fileop_t fileop_t:fd use;
-diff -Nrup refpolicy/test_inherit.te refpolicy.new/test_inherit.te
---- refpolicy/test_inherit.te  2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_inherit.te      2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_inherit.te refpolicy.patched/test_inherit.te
+--- refpolicy/test_inherit.te  2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_inherit.te  2008-01-31 08:32:27.000000000 -0500
 @@ -8,6 +8,8 @@ attribute inheritdomain;
  # Domain for parent process.
  type test_inherit_parent_t;
@@ -353,9 +353,9 @@ diff -Nrup refpolicy/test_inherit.te 
refpolicy.new/test_inherit.te
  typeattribute test_inherit_nowrite_t inheritdomain;
  typeattribute test_inherit_nowrite_t testdomain;
  
-diff -Nrup refpolicy/test_ioctl.te refpolicy.new/test_ioctl.te
---- refpolicy/test_ioctl.te    2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_ioctl.te        2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_ioctl.te refpolicy.patched/test_ioctl.te
+--- refpolicy/test_ioctl.te    2007-12-20 04:32:56.000000000 -0500
++++ refpolicy.patched/test_ioctl.te    2008-01-31 08:32:27.000000000 -0500
 @@ -8,12 +8,16 @@ attribute ioctldomain;
  # Domain for process that is allowed to perform ioctl.
  type test_ioctl_t;
@@ -381,9 +381,9 @@ diff -Nrup refpolicy/test_ioctl.te 
refpolicy.new/test_ioctl.te
  domain_exec_all_entry_files(ioctldomain)
  files_exec_etc_files(ioctldomain)
  libs_use_ld_so(ioctldomain)
-diff -Nrup refpolicy/test_ipc.te refpolicy.new/test_ipc.te
---- refpolicy/test_ipc.te      2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_ipc.te  2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_ipc.te refpolicy.patched/test_ipc.te
+--- refpolicy/test_ipc.te      2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_ipc.te      2008-01-31 08:32:27.000000000 -0500
 @@ -8,6 +8,8 @@ attribute ipcdomain;
  # Base domain for IPC tests, has all IPC permissions 
  type test_ipc_base_t;
@@ -418,9 +418,9 @@ diff -Nrup refpolicy/test_ipc.te refpolicy.new/test_ipc.te
  typeattribute test_ipc_associate_t ipcdomain;
  typeattribute test_ipc_associate_t testdomain;
  
-diff -Nrup refpolicy/test_link.te refpolicy.new/test_link.te
---- refpolicy/test_link.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_link.te 2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_link.te refpolicy.patched/test_link.te
+--- refpolicy/test_link.te     2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_link.te     2008-01-31 08:32:27.000000000 -0500
 @@ -16,6 +16,8 @@ files_type(test_link_file_t)
  # Domain for process that can create hard links to the file.
  type test_link_t;
@@ -475,9 +475,9 @@ diff -Nrup refpolicy/test_link.te refpolicy.new/test_link.te
  typeattribute test_nounlink2_t test_link_domain;
  typeattribute test_nounlink2_t testdomain;
  allow test_nounlink2_t test_link_dir_t:dir { search getattr write };
-diff -Nrup refpolicy/test_mkdir.te refpolicy.new/test_mkdir.te
---- refpolicy/test_mkdir.te    2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_mkdir.te        2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_mkdir.te refpolicy.patched/test_mkdir.te
+--- refpolicy/test_mkdir.te    2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_mkdir.te    2008-01-31 08:32:27.000000000 -0500
 @@ -12,6 +12,8 @@ files_type(test_mkdir_dir_t)
  # Domain for process that has add_name permission to the test directory.
  type test_addname_t;
@@ -523,9 +523,9 @@ diff -Nrup refpolicy/test_mkdir.te 
refpolicy.new/test_mkdir.te
  typeattribute test_nocreate_t test_mkdir_domain;
  typeattribute test_nocreate_t testdomain;
  domain_obj_id_change_exemption(test_nocreate_t)
-diff -Nrup refpolicy/test_open.te refpolicy.new/test_open.te
---- refpolicy/test_open.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_open.te 2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_open.te refpolicy.patched/test_open.te
+--- refpolicy/test_open.te     2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_open.te     2008-01-31 08:32:27.000000000 -0500
 @@ -12,6 +12,8 @@ files_type(test_open_file_t)
  # Domain for process that can open the test file for reading and writing.
  type test_open_t;
@@ -553,9 +553,9 @@ diff -Nrup refpolicy/test_open.te refpolicy.new/test_open.te
  typeattribute test_append_t test_open_domain;
  typeattribute test_append_t testdomain;
  allow test_append_t test_open_file_t:file { getattr append };
-diff -Nrup refpolicy/test_policy.if refpolicy.new/test_policy.if
---- refpolicy/test_policy.if   2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_policy.if       2007-12-31 06:05:59.000000000 -0500
+diff -Nrup refpolicy/test_policy.if refpolicy.patched/test_policy.if
+--- refpolicy/test_policy.if   2006-03-22 16:30:29.000000000 -0500
++++ refpolicy.patched/test_policy.if   2008-01-31 08:32:27.000000000 -0500
 @@ -25,3 +25,17 @@
  ##      Domain allowed to transition.
  ## </param>
@@ -574,9 +574,9 @@ diff -Nrup refpolicy/test_policy.if 
refpolicy.new/test_policy.if
 +      allow $1 unconfined_devpts_t:chr_file { read write ioctl getattr };
 +      allow $1 unconfined_t:fifo_file { read write ioctl getattr };
 +')
-diff -Nrup refpolicy/test_ptrace.te refpolicy.new/test_ptrace.te
---- refpolicy/test_ptrace.te   2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_ptrace.te       2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_ptrace.te refpolicy.patched/test_ptrace.te
+--- refpolicy/test_ptrace.te   2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_ptrace.te   2008-01-31 08:32:27.000000000 -0500
 @@ -8,6 +8,8 @@ attribute ptracedomain;
  # Domain for process that is allowed to trace.
  type test_ptrace_tracer_t;
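Review bot: In the test_policy.if context at the top of this hunk, the lines shown from the end of the added interface are the unconfined_devpts_t:chr_file and unconfined_t:fifo_file rules, and none of them grants the unconfined_t:process sigchld permission that the cover mail says unconfined_runs_test() needs to keep the testsuite from hanging at selinux_create. Since sbin_deprecated.patch is being regenerated here anyway, consider adding that allow rule in this patch rather than in a follow-up, once it is confirmed there is no reason to leave it out.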
@@ -604,9 +604,9 @@ diff -Nrup refpolicy/test_ptrace.te 
refpolicy.new/test_ptrace.te
  typeattribute test_ptrace_traced_t ptracedomain;
  typeattribute test_ptrace_traced_t testdomain;
  
-diff -Nrup refpolicy/test_readlink.te refpolicy.new/test_readlink.te
---- refpolicy/test_readlink.te 2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_readlink.te     2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_readlink.te refpolicy.patched/test_readlink.te
+--- refpolicy/test_readlink.te 2007-12-13 04:55:13.000000000 -0500
++++ refpolicy.patched/test_readlink.te 2008-01-31 08:32:27.000000000 -0500
 @@ -14,6 +14,8 @@ files_type(test_readlink_link_t)
  # Domain for process that can read and follow the symbolic link.
  type test_readlink_t;
@@ -625,9 +625,9 @@ diff -Nrup refpolicy/test_readlink.te 
refpolicy.new/test_readlink.te
  typeattribute test_noreadlink_t test_readlink_domain;
  typeattribute test_noreadlink_t testdomain;
  allow test_noreadlink_t test_readlink_file_t:file { getattr read };
-diff -Nrup refpolicy/test_relabel.te refpolicy.new/test_relabel.te
---- refpolicy/test_relabel.te  2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_relabel.te      2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_relabel.te refpolicy.patched/test_relabel.te
+--- refpolicy/test_relabel.te  2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_relabel.te  2008-01-31 08:32:27.000000000 -0500
 @@ -14,6 +14,8 @@ files_type(test_relabel_newtype_t)
  # Domain for process that can relabel the test file.
  type test_relabel_t;
@@ -655,9 +655,9 @@ diff -Nrup refpolicy/test_relabel.te 
refpolicy.new/test_relabel.te
  domain_obj_id_change_exemption(test_norelabelto_t)
  typeattribute test_norelabelto_t test_relabel_domain;
  typeattribute test_norelabelto_t testdomain;
-diff -Nrup refpolicy/test_rename.te refpolicy.new/test_rename.te
---- refpolicy/test_rename.te   2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_rename.te       2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_rename.te refpolicy.patched/test_rename.te
+--- refpolicy/test_rename.te   2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_rename.te   2008-01-31 08:32:27.000000000 -0500
 @@ -20,6 +20,8 @@ files_type(test_rename_dir_t)
  # Domain for process that can rename the test file and directory.
  type test_rename_t;
@@ -730,9 +730,9 @@ diff -Nrup refpolicy/test_rename.te 
refpolicy.new/test_rename.te
  typeattribute test_norename6_t test_rename_domain;
  typeattribute test_norename6_t testdomain;
  allow test_norename6_t test_rename_src_dir_t:dir { search getattr write 
remove_name };
-diff -Nrup refpolicy/test_rxdir.te refpolicy.new/test_rxdir.te
---- refpolicy/test_rxdir.te    2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_rxdir.te        2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_rxdir.te refpolicy.patched/test_rxdir.te
+--- refpolicy/test_rxdir.te    2007-12-13 04:55:13.000000000 -0500
++++ refpolicy.patched/test_rxdir.te    2008-01-31 08:32:27.000000000 -0500
 @@ -12,6 +12,8 @@ files_type(test_rxdir_dir_t)
  # Domain for process that can read but not search the directory.
  type test_rdir_t;
@@ -751,9 +751,9 @@ diff -Nrup refpolicy/test_rxdir.te 
refpolicy.new/test_rxdir.te
  typeattribute test_xdir_t test_rxdir_domain;
  typeattribute test_xdir_t testdomain;
  allow test_xdir_t test_rxdir_dir_t:dir { getattr search };
-diff -Nrup refpolicy/test_setattr.te refpolicy.new/test_setattr.te
---- refpolicy/test_setattr.te  2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_setattr.te      2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_setattr.te refpolicy.patched/test_setattr.te
+--- refpolicy/test_setattr.te  2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_setattr.te  2008-01-31 08:32:27.000000000 -0500
 @@ -12,6 +12,8 @@ files_type(test_setattr_file_t)
  # Domain for process that can set attributes on the test file.
  type test_setattr_t;
@@ -772,9 +772,9 @@ diff -Nrup refpolicy/test_setattr.te 
refpolicy.new/test_setattr.te
  typeattribute test_nosetattr_t test_setattr_domain;
  typeattribute test_nosetattr_t testdomain;
  allow test_nosetattr_t self:capability chown;
-diff -Nrup refpolicy/test_setnice.te refpolicy.new/test_setnice.te
---- refpolicy/test_setnice.te  2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_setnice.te      2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_setnice.te refpolicy.patched/test_setnice.te
+--- refpolicy/test_setnice.te  2007-12-20 04:32:56.000000000 -0500
++++ refpolicy.patched/test_setnice.te  2008-01-31 08:32:27.000000000 -0500
 @@ -8,24 +8,29 @@ attribute setnicedomain;
  # Domain for process whose nice can be set.
  type test_setnice_set_t;
@@ -806,9 +806,9 @@ diff -Nrup refpolicy/test_setnice.te 
refpolicy.new/test_setnice.te
  domain_exec_all_entry_files(setnicedomain)
  files_exec_etc_files(setnicedomain)
  libs_use_ld_so(setnicedomain)
-diff -Nrup refpolicy/test_sigkill.te refpolicy.new/test_sigkill.te
---- refpolicy/test_sigkill.te  2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_sigkill.te      2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_sigkill.te refpolicy.patched/test_sigkill.te
+--- refpolicy/test_sigkill.te  2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_sigkill.te  2008-01-31 08:32:27.000000000 -0500
 @@ -8,12 +8,16 @@ attribute killdomain;
  # Domain for process that receives the signals.
  type test_kill_server_t;
@@ -853,9 +853,9 @@ diff -Nrup refpolicy/test_sigkill.te 
refpolicy.new/test_sigkill.te
  typeattribute test_kill_signal_t killdomain;
  typeattribute test_kill_signal_t testdomain;
  
-diff -Nrup refpolicy/test_stat.te refpolicy.new/test_stat.te
---- refpolicy/test_stat.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_stat.te 2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_stat.te refpolicy.patched/test_stat.te
+--- refpolicy/test_stat.te     2007-12-13 04:55:13.000000000 -0500
++++ refpolicy.patched/test_stat.te     2008-01-31 08:32:27.000000000 -0500
 @@ -12,6 +12,8 @@ files_type(test_stat_file_t)
  # Domain for process that can get attributes on the test file.
  type test_stat_t;
@@ -874,9 +874,9 @@ diff -Nrup refpolicy/test_stat.te refpolicy.new/test_stat.te
  typeattribute test_nostat_t test_stat_domain;
  typeattribute test_nostat_t testdomain;
  
-diff -Nrup refpolicy/test_sysctl.te refpolicy.new/test_sysctl.te
---- refpolicy/test_sysctl.te   2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_sysctl.te       2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_sysctl.te refpolicy.patched/test_sysctl.te
+--- refpolicy/test_sysctl.te   2007-12-20 04:32:56.000000000 -0500
++++ refpolicy.patched/test_sysctl.te   2008-01-31 08:32:27.000000000 -0500
 @@ -8,19 +8,23 @@ attribute sysctldomain;
  # Domain for process that is allowed to perform sysctl.
  type test_sysctl_t;
@@ -903,9 +903,9 @@ diff -Nrup refpolicy/test_sysctl.te 
refpolicy.new/test_sysctl.te
  
  # Allow the first domain to perform sysctl operations.
  kernel_rw_all_sysctls(test_sysctl_t)
-diff -Nrup refpolicy/test_task_create.te refpolicy.new/test_task_create.te
---- refpolicy/test_task_create.te      2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_create.te  2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_task_create.te refpolicy.patched/test_task_create.te
+--- refpolicy/test_task_create.te      2007-12-20 04:32:56.000000000 -0500
++++ refpolicy.patched/test_task_create.te      2008-01-31 08:33:19.000000000 
-0500
 @@ -8,6 +8,8 @@ attribute test_create_d;
  # Domain for process allowed to fork.
  type test_create_yes_t;
@@ -915,23 +915,17 @@ diff -Nrup refpolicy/test_task_create.te 
refpolicy.new/test_task_create.te
  typeattribute test_create_yes_t test_create_d;
  typeattribute test_create_yes_t testdomain;
  
-@@ -20,7 +22,12 @@ type test_create_no_t;
- # permission so we can test it, we omit the domain attribute. 
+@@ -21,6 +23,7 @@ type test_create_no_t;
  # Ideally, refpolicy would _not_ grant such permissions to every domain,
  # as it makes the permission effectively unusable in real policy.
--#domain_type(test_create_no_t)
-+# XXX This invalidates the test, but allows the policy to compile
-+# The next two lines SHOULD be commented out according to the original
-+# comment above.
-+domain_type(test_create_no_t)
+ #domain_type(test_create_no_t)
 +unconfined_runs_test(test_create_no_t)
-+domain_dyntrans_type(test_create_no_t)
  typeattribute test_create_no_t test_create_d;
  
  allow test_create_no_t self:process ~fork;
-diff -Nrup refpolicy/test_task_getpgid.te refpolicy.new/test_task_getpgid.te
---- refpolicy/test_task_getpgid.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_getpgid.te 2007-12-31 05:57:37.000000000 -0500
+diff -Nrup refpolicy/test_task_getpgid.te 
refpolicy.patched/test_task_getpgid.te
+--- refpolicy/test_task_getpgid.te     2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_task_getpgid.te     2008-01-31 08:32:27.000000000 
-0500
 @@ -8,18 +8,24 @@ attribute test_getpgid_d;
  # Domain for the target process
  type test_getpgid_target_t;
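Review bot: The test_task_create.te part of this hunk drops domain_dyntrans_type(test_create_no_t) as well as domain_type(test_create_no_t), but the subject and commit message only mention domain_type(). Please say in the message why the dyntrans line can go too (the removed XXX comment spoke of two lines that should be commented out, while three followed it), and state that unconfined_runs_test(test_create_no_t) is kept on purpose.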
@@ -957,9 +951,9 @@ diff -Nrup refpolicy/test_task_getpgid.te 
refpolicy.new/test_task_getpgid.te
  typeattribute test_getpgid_no_t test_getpgid_d;
  typeattribute test_getpgid_no_t testdomain;
  
-diff -Nrup refpolicy/test_task_getsched.te refpolicy.new/test_task_getsched.te
---- refpolicy/test_task_getsched.te    2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_getsched.te        2007-12-31 05:57:37.000000000 
-0500
+diff -Nrup refpolicy/test_task_getsched.te 
refpolicy.patched/test_task_getsched.te
+--- refpolicy/test_task_getsched.te    2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_task_getsched.te    2008-01-31 08:32:27.000000000 
-0500
 @@ -8,18 +8,24 @@ attribute test_getsched_d;
  # Domain for the target process
  type test_getsched_target_t;
@@ -985,9 +979,9 @@ diff -Nrup refpolicy/test_task_getsched.te 
refpolicy.new/test_task_getsched.te
  typeattribute test_getsched_no_t test_getsched_d;
  typeattribute test_getsched_no_t testdomain;
  
-diff -Nrup refpolicy/test_task_getsid.te refpolicy.new/test_task_getsid.te
---- refpolicy/test_task_getsid.te      2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_getsid.te  2007-12-31 05:57:38.000000000 -0500
+diff -Nrup refpolicy/test_task_getsid.te refpolicy.patched/test_task_getsid.te
+--- refpolicy/test_task_getsid.te      2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_task_getsid.te      2008-01-31 08:32:27.000000000 
-0500
 @@ -8,18 +8,24 @@ attribute test_getsid_d;
  # Domain for the target process
  type test_getsid_target_t;
@@ -1013,9 +1007,9 @@ diff -Nrup refpolicy/test_task_getsid.te 
refpolicy.new/test_task_getsid.te
  typeattribute test_getsid_no_t test_getsid_d;
  typeattribute test_getsid_no_t testdomain;
  
-diff -Nrup refpolicy/test_task_setpgid.te refpolicy.new/test_task_setpgid.te
---- refpolicy/test_task_setpgid.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_setpgid.te 2007-12-31 05:57:38.000000000 -0500
+diff -Nrup refpolicy/test_task_setpgid.te 
refpolicy.patched/test_task_setpgid.te
+--- refpolicy/test_task_setpgid.te     2007-12-20 04:32:56.000000000 -0500
++++ refpolicy.patched/test_task_setpgid.te     2008-01-31 08:32:27.000000000 
-0500
 @@ -8,6 +8,8 @@ attribute test_setpgid_d;
  # Domain for process allowed to setpgid
  type test_setpgid_yes_t;
@@ -1034,9 +1028,9 @@ diff -Nrup refpolicy/test_task_setpgid.te 
refpolicy.new/test_task_setpgid.te
  typeattribute test_setpgid_no_t test_setpgid_d;
  
  allow test_setpgid_no_t self:process ~{ setpgid setcurrent };
-diff -Nrup refpolicy/test_task_setsched.te refpolicy.new/test_task_setsched.te
---- refpolicy/test_task_setsched.te    2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_task_setsched.te        2007-12-31 05:57:38.000000000 
-0500
+diff -Nrup refpolicy/test_task_setsched.te 
refpolicy.patched/test_task_setsched.te
+--- refpolicy/test_task_setsched.te    2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_task_setsched.te    2008-01-31 08:32:27.000000000 
-0500
 @@ -9,18 +9,24 @@ attribute test_setsched_d;
  # Domain for the target process
  type test_setsched_target_t;
@@ -1062,9 +1056,9 @@ diff -Nrup refpolicy/test_task_setsched.te 
refpolicy.new/test_task_setsched.te
  typeattribute test_setsched_no_t test_setsched_d;
  typeattribute test_setsched_no_t testdomain;
  
-diff -Nrup refpolicy/test_transition.te refpolicy.new/test_transition.te
---- refpolicy/test_transition.te       2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_transition.te   2007-12-31 05:57:38.000000000 -0500
+diff -Nrup refpolicy/test_transition.te refpolicy.patched/test_transition.te
+--- refpolicy/test_transition.te       2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_transition.te       2008-01-31 08:32:27.000000000 
-0500
 @@ -8,18 +8,24 @@ attribute transitiondomain;
  # Domain for process that is allowed to transition to the new domain.
  type test_transition_fromdomain_t;
@@ -1090,9 +1084,9 @@ diff -Nrup refpolicy/test_transition.te 
refpolicy.new/test_transition.te
  typeattribute test_transition_todomain_t transitiondomain;
  typeattribute test_transition_todomain_t testdomain;
  
-diff -Nrup refpolicy/test_wait.te refpolicy.new/test_wait.te
---- refpolicy/test_wait.te     2007-12-31 06:57:36.000000000 -0500
-+++ refpolicy.new/test_wait.te 2007-12-31 05:57:38.000000000 -0500
+diff -Nrup refpolicy/test_wait.te refpolicy.patched/test_wait.te
+--- refpolicy/test_wait.te     2006-03-27 11:55:48.000000000 -0500
++++ refpolicy.patched/test_wait.te     2008-01-31 08:32:27.000000000 -0500
 @@ -8,18 +8,24 @@ attribute waitdomain;
  # Domain for parent process.
  type test_wait_parent_t;
-- 
1.5.3.8

>From 91f7849a7edfd2676450fb7d141ed0d6de6a758f Mon Sep 17 00:00:00 2001
From: root <[EMAIL PROTECTED]>
Date: Thu, 31 Jan 2008 08:29:34 -0500
Subject: [PATCH 1/2] update test_selinux.sh to set expand-check=0

Have test_selinux.sh temporarily set expand-check=0 in
semanage.conf while loading the test policy.

Signed-off-by: root <[EMAIL PROTECTED]>
---
 testscripts/test_selinux.sh |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/testscripts/test_selinux.sh b/testscripts/test_selinux.sh
index e872c72..a959c55 100755
--- a/testscripts/test_selinux.sh
+++ b/testscripts/test_selinux.sh
@@ -9,6 +9,19 @@
 #
 # test_selinux.sh - Run the selinux test suite.
 
+config_set_expandcheck() {
+       pushd /etc/selinux
+       cp --preserve semanage.conf semanage.conf.orig
+       echo "expand-check=0" >> semanage.conf
+       popd
+}
+
+config_unset_expandcheck() {
+       pushd /etc/selinux
+       mv semanage.conf.orig semanage.conf
+       popd
+}
+
 # Must be root to run the selinux testsuite
 if [ $UID != 0 ]
 then
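Review bot: `config_set_expandcheck` overwrites semanage.conf.orig unconditionally, so if an earlier run was interrupted before `config_unset_expandcheck` ran, the next run copies the already modified semanage.conf over the backup and the `expand-check=0` line becomes permanent. Consider skipping the copy when semanage.conf.orig already exists, or restoring from it first. The result of `pushd /etc/selinux` is also unchecked in both functions, so if it fails, the `cp`, `echo` and `mv` act on whatever the current directory is; checking it, or using the full /etc/selinux/semanage.conf path, avoids that.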
@@ -64,17 +77,22 @@ pushd 
$LTPROOT/testcases/kernel/security/selinux-testsuite/misc
 sh ./update_refpolicy.sh
 popd
 
+config_set_expandcheck
+
 # build and install the test policy...
 echo "building and installing test_policy module..."
 cd $LTPROOT/testcases/kernel/security/selinux-testsuite/refpolicy
 make load
 if [ $? != 0 ]; then
        echo "Failed to build and load test_policy module, aborting test run."
+       config_unset_expandcheck
        exit 1
 else
        echo "Successfully built and loaded test_policy module."
 fi
 
+config_unset_expandcheck
+
 # go back to test's root directory
 cd $LTPROOT
 
-- 
1.5.3.8
