Quoting Stephen Smalley ([EMAIL PROTECTED]):
> 
> On Wed, 2008-04-02 at 13:07 -0500, Serge E. Hallyn wrote:
> > Quoting Stephen Smalley ([EMAIL PROTECTED]):
> > > This patch, which is independent of Jeff's patch, updates the selinux
> > > testsuite to run under Fedora 9, and does no harm on Fedora 8.
> > > 
> > > While creating this, I noticed two other things that ultimately need
> > > fixing:
> > > 1) The sbin_deprecated.patch adds domain_dyntrans_type() to all the test
> > > domains.  If that was truly desired, we should just put it into
> > > unconfined_runs_test().  But it shouldn't be necessary - only the
> > > test_dyntrans.te and test_dyntrace.te domains should require permissions
> > > for dynamic transitions.  I'll let Serge confirm that.
> > 
> > Oh dyntrans means a domain transition outside of an exec?
> 
> Yes - a setcon(3) call, aka a write to /proc/self/current.
> 
> > I don't have access to my test machine at the moment, but what you say
> > sounds right.  I say make the change and when it hits ltp cvs (or
> > next week, whichever comes later) I'll give it a test run.
> > 
> > > 2) The test scripts are presently relabeling /tmp to test_file_t for the
> > > duration of the test.  That's insane - it could break any other running
> > > process that tries to access /tmp during the test.  That was not part of
> > > our original selinux testsuite and seems to have been introduced when
> > > IBM ported it to LTP.  If you are worried about lacking search
> > > permission to /tmp in the test domains, then create your own
> > > private /test directory or something.  Or just give all test domains
> > > permission to search tmp either via unconfined_runs_test() or in
> > > test_global.te using the testdomain attribute.
> > 
> > Agreed.  I don't remember Joy saying anything about doing that, but
> > more importantly when I test the above I'll see about addressing
> > this.  I assume using /tmp/selinuxltptest/ should be fine?
> 
> Well, the scripts do create a /tmp/selinux and use that, but they also
> relabel the top-level /tmp directory temporarily.  Presumably to ensure
> that the test scripts can search to reach /tmp/selinux.  But just
> allowing search to tmp_t:dir seems harmless.

Ok, will look at these when Subrata says your patch has hit cvs.

thanks,
-serge

_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list