On Tue, 2008-02-26 at 11:08 -0600, Serge E. Hallyn wrote:
> Quoting Jeff Burke ([EMAIL PROTECTED]):
> > Jeff Burke wrote:
> > > Stephen Smalley wrote:
> > >> On Tue, 2008-02-26 at 08:48 -0500, Jeff Burke wrote:
> > >>> Subrata Modak wrote:
> > >>>> On Mon, 2008-02-25 at 09:08 -0500, Stephen Smalley wrote:
> > >>>>> On Mon, 2008-02-25 at 18:56 +0530, Subrata Modak wrote:
> > >>>>>> Stephen,
> > >>>>>>
> > >>>>>> Any new Patches for LTP-Selinux ?
> > >>>>> I don't have any updates, no.
> > >>>>>
> > >>>>> I have noticed that on x86_64, there are a number of FAILs that are
> > >>>>> not present on x86, in particular in the System V IPC tests (msg, sem,
> > >>>>> shm). I don't know if that has always been the case or not, as the
> > >>>>> tests were all originally written and tested on x86 only.
> > >>>> Turning this on to Jeff and Sergei, who used these test cases a lot on
> > >>>> their machines.
> > >>> Subrata,
> > >>>         Currently I don't have any patches. But I am still running the
> > >>> ltp-full-20071231 release. I am primarily focusing on RHEL so we still
> > >>> may have issues with the selinux test and Fedora. At the current time we are
> > >>> in a "lock down" mode for the release of RHEL5.2 so I can't change the
> > >>> baseline tests that are being used.
> > >>>
> > >>>         One thing that I did discover is that with the release of SELinux
> > >>> that is in 5.2 and the way the test is run we have to set a boolean for
> > >>> the test to pass. If the boolean exists:
> > >>> /usr/sbin/setsebool allow_domain_fd_use=0
> > >>> We may want to add that to the README.
> > >> Ok, that's due to a policy change by Dan in the base policy.
> > >>
> > >>>         Here is what I think still needs to be done. Currently there is no
> > >>> way to put the system back into the state it was before the test ran. This
> > >>> should be handled as part of the testcase. At this point in time we make
> > >>> sure that this is the last test that gets run on that system.
> > >> Not sure what you mean - the test_selinux.sh script removes the test
> > >> policy module after running the tests.  Also, Serge submitted patches to
> > >> automatically save, modify, and restore semanage.conf in test_selinux.sh
> > >> so that it doesn't require manual modification.  test_selinux.sh could
> > >> also handle the setting and restoring of that boolean, although it needs
> > >> to gracefully proceed if that boolean happens to not exist in the
> > >> particular system being tested.
> > > Stephen,
> > >   Not sure when Serge added that stuff to the test_selinux.sh. But I am
> > > currently behind (ltp-full-20071231) in my baseline. So I may not have
> > > those changes you have mentioned. I will compare it with what is
> > > currently in CVS.
> > Here is the diff:
> > --------------------------------------------------------
> > diff ./ltp-full-20071231/testscripts/test_selinux.sh
> > /local_data/sandbox/LTP/ltp/testscripts/test_selinux.sh
> > 11a12,24
> > > config_set_expandcheck() {
> > >       pushd /etc/selinux
> > >       cp --preserve semanage.conf semanage.conf.orig
> > >       echo "expand-check=0" >> semanage.conf
> > >       popd
> > > }
> > >
> > > config_unset_expandcheck() {
> > >       pushd /etc/selinux
> > >       mv semanage.conf.orig semanage.conf
> > >       popd
> > > }
> > >
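Review bot: config_set_expandcheck does not check whether `pushd /etc/selinux` succeeded, so on failure the `cp` and `echo` run against whatever directory the script happens to be in; use `pushd /etc/selinux || return 1`. The `cp --preserve semanage.conf semanage.conf.orig` also overwrites any backup left by an earlier interrupted run with the already modified file, so skip the copy when semanage.conf.orig exists, and have config_unset_expandcheck test for semanage.conf.orig before the `mv`.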
> > 61a75,81
> > > # Update test policy if needed
> > > pushd $LTPROOT/testcases/kernel/security/selinux-testsuite/misc
> > > sh ./update_refpolicy.sh
> > > popd
> > >
> > > config_set_expandcheck
> > >
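Review bot: after the `config_set_expandcheck` call here, restoring semanage.conf depends on the script reaching one of the explicit config_unset_expandcheck calls; a `trap config_unset_expandcheck EXIT` installed right after this call would also cover an interrupted run. In the same hunk `$LTPROOT` is unquoted in the `pushd` and the exit status of `sh ./update_refpolicy.sh` is ignored; quote the path and stop, or at least log, when the update fails.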
> > 67a88
> > >       config_unset_expandcheck
> > 72a94,95
> > > config_unset_expandcheck
> > >
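Review bot: if the path through the call added at line 88 continues on to the one added at line 94, the second `mv semanage.conf.orig semanage.conf` fails because the backup has already been moved. The surrounding lines are not visible in this diff, so either confirm that the line 88 branch exits, or make config_unset_expandcheck a no-op when semanage.conf.orig is absent.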
> > --------------------------------------------------------
> > > 
> > >   If in fact they are the same, I will send out the information on what
> > > problems I am seeing. I will also send along a patch for the boolean
> > > change in test_selinux.sh
> > Let me know if you still want the results.
> 
> I assume expand-check won't ignore booleans, so I should think your
> patch will still be needed for 5.2.

Correct.  Just make sure that you don't bail out of the test script
altogether if the boolean doesn't exist in the policy (possibly call
getsebool first on it).

> 
> thanks,
> -serge
> 
> > > Thanks,
> > > Jeff      
> > >>> Comment or questions?
> > >>> Jeff
> > >>>> --Subrata
> > >>>>>> Regards--
> > >>>>>> Subrata
> > >>>>>>
> > >>>>>> On Wed, 2008-01-30 at 07:20 -0500, Stephen Smalley wrote:
> > >>>>>>> On Tue, 2008-01-29 at 18:21 -0600, Serge E. Hallyn wrote:
> > >>>>>>>> Here is a patch against this morning's ltp cvs snapshot to
> > >>>>>>>> implement Stephen's suggestion of setting expand-check=0 for the
> > >>>>>>>> duration of the policy load.  This allowed me to get rid of the hack
> > >>>>>>>> ++domain_type(test_create_no_t) in refpolicy/test_task_create.te,
> > >>>>>>>> also done in this patch.
> > >>>>>>>>
> > >>>>>>>> (I think it also inlines a patch Stephen sent on jan 23 which
> > >>>>>>>> wasn't yet in ltp cvs)
> > 
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > _______________________________________________
> > Ltp-list mailing list
> > Ltp-list@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/ltp-list
-- 
Stephen Smalley
National Security Agency
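
The boolean handling discussed in this thread (check with getsebool first, set the boolean for the run, restore it afterwards, and carry on when the policy has no such boolean), as an added example that is not part of the original messages or of test_selinux.sh. The function names and the SAVED_BOOL_STATE variable are hypothetical; getsebool and setsebool are the standard SELinux utilities, and the name=value form is the one used earlier in the thread.

```shell
#!/bin/bash
# Added example, not LTP code. All names below are hypothetical.

SAVED_BOOL_STATE=""   # "name=on|off" while a boolean is overridden, else empty

# Print the active state ("on" or "off") of boolean $1.
# Returns 1 when the boolean is not in the loaded policy (getsebool exits
# non-zero for an unknown boolean) or when getsebool is unavailable.
bool_state() {
    out=$(getsebool "$1" 2>/dev/null) || return 1
    # getsebool prints "<name> --> <state>"; field 3 is the active state
    # even if a "pending:" value follows it.
    set -- $out
    echo "$3"
}

# Set boolean $1 to $2 for the test run and remember the previous state.
# Returns 0 when the boolean does not exist, so the caller keeps running
# the tests instead of bailing out.
bool_set_for_test() {
    name=$1
    want=$2
    if ! old=$(bool_state "$name"); then
        echo "boolean $name not present in policy, leaving it alone" >&2
        return 0
    fi
    SAVED_BOOL_STATE="$name=$old"
    setsebool "$name=$want"
}

# Put the boolean back the way it was; a no-op if nothing was changed,
# so it is safe to call from more than one exit path or from a trap.
bool_restore() {
    [ -n "$SAVED_BOOL_STATE" ] || return 0
    setsebool "$SAVED_BOOL_STATE"
    SAVED_BOOL_STATE=""
}

# Intended use inside the test script (not executed here):
#   bool_set_for_test allow_domain_fd_use 0
#   trap bool_restore EXIT
#   ... run the tests ...
```
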
