On 4/2/08, Serge E. Hallyn <[EMAIL PROTECTED]> wrote:
>
> Quoting Stephen Smalley ([EMAIL PROTECTED]):
> >
> > On Wed, 2008-04-02 at 13:07 -0500, Serge E. Hallyn wrote:
> > > Quoting Stephen Smalley ([EMAIL PROTECTED]):
> > > > This patch, which is independent of Jeff's patch, updates the selinux
> > > > testsuite to run under Fedora 9, and does no harm on Fedora 8.
> > > >
> > > > While creating this, I noticed two other things that ultimately need
> > > > fixing:
> > > > 1) The sbin_deprecated.patch adds domain_dyntrans_type() to all the test
> > > > domains.  If that was truly desired, we should just put it into
> > > > unconfined_runs_test().  But it shouldn't be necessary - only the
> > > > test_dyntrans.te and test_dyntrace.te domains should require permissions
> > > > for dynamic transitions.  I'll let Serge confirm that.
> > >
> > > Oh dyntrans means a domain transition outside of an exec?
> >
> > Yes - a setcon(3) call, aka a write to /proc/self/current.
> >
> > > I don't have access to my test machine at the moment, but what you say
> > > sounds right.  I say make the change and when it hits ltp cvs (or
> > > next week, whichever comes later) I'll give it a testrun.
> > >
> > > > 2) The test scripts are presently relabeling /tmp to test_file_t for the
> > > > duration of the test.  That's insane - it could break any other running
> > > > process that tries to access /tmp during the test.  That was not part of
> > > > our original selinux testsuite and seems to have been introduced when
> > > > IBM ported it to LTP.  If you are worried about lacking search
> > > > permission to /tmp in the test domains, then create your own
> > > > private /test directory or something.  Or just give all test domains
> > > > permission to search tmp either via unconfined_runs_test() or in
> > > > test_global.te using the testdomain attribute.
> > >
> > > Agreed.  I don't remember Joy saying anything about doing that, but
> > > more importantly when I test the above I'll see about addressing
> > > this.  I assume using /tmp/selinuxltptest/ should be fine?
> >
> > Well, the scripts do create a /tmp/selinux and use that, but they also
> > relabel the top-level /tmp directory temporarily.  Presumably to ensure
> > that the test scripts can search to reach /tmp/selinux.  But just
> > allowing search to tmp_t:dir seems harmless.
>
> Ok, will look at these when Subrata says your patch has hit cvs.



This will soon hit the CVS. Thanks to all of you for providing the fixes, as
well as proposing future fixes.

Regards--
Subrata

> thanks,
> -serge
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
