Quoting Subrata Modak ([EMAIL PROTECTED]):
> On 4/2/08, Serge E. Hallyn <[EMAIL PROTECTED]> wrote:
> >
> > Quoting Stephen Smalley ([EMAIL PROTECTED]):
> > >
> > > On Wed, 2008-04-02 at 13:07 -0500, Serge E. Hallyn wrote:
> > > > Quoting Stephen Smalley ([EMAIL PROTECTED]):
> > > > > This patch, which is independent of Jeff's patch, updates the
> > selinux
> > > > > testsuite to run under Fedora 9, and does no harm on Fedora 8.
> > > > >
> > > > > While creating this, I noticed two other things that ultimately need
> > > > > fixing:
> > > > > 1) The sbin_deprecated.patch adds domain_dyntrans_type() to all the
> > test
> > > > > domains. If that was truly desired, we should just put it into
> > > > > unconfined_runs_test(). But it shouldn't be necessary - only the
> > > > > test_dyntrans.te and test_dyntrace.te domains should require
> > permissions
> > > > > for dynamic transitions. I'll let Serge confirm that.
> > > >
> > > > Oh dyntrans means a domain transition outside of an exec?
> > >
> > > Yes - a setcon(3) call, aka a write to /proc/self/current.
> > >
> > > > I don't have access to my test machine at the moment, but what you say
> > > > sounds right. I say make the change and when it hits ltp cvs (or
> > > > next week, whichever comes later) i'll give it a testrun.
> > > >
> > > > > 2) The test scripts are presently relabeling /tmp to test_file_t for
> > the
> > > > > duration of the test. That's insane - it could break any other
> > running
> > > > > process that tries to access /tmp during the test. That was not
> > part of
> > > > > our original selinux testsuite and seems to have been introduced
> > when
> > > > > IBM ported it to LTP. If you are worried about lacking search
> > > > > permission to /tmp in the test domains, then create your own
> > > > > private /test directory or something. Or just give all test domains
> > > > > permission to search tmp either via unconfined_runs_test() or in
> > > > > test_global.te using the testdomain attribute.
> > > >
> > > > Agreed. I don't remember Joy saying anything about doing that, but
> > > > more importantly when I test the above I'll see about addressing
> > > > this. I assume using /tmp/selinuxltptest/ should be fine?
> > >
> > > Well, the scripts do create a /tmp/selinux and use that, but they also
> > > relabel the top-level /tmp directory temporarily. Presumably to ensure
> > > that the test scripts can search to reach /tmp/selinux. But just
> > > allowing search to tmp_t:dir seems harmless.
> >
> > Ok, will look at these when Subrata says your patch has hit cvs.
>
>
>
> This will soon hit the CVS. Thanks to all of you for providing the fixes, as
> well as, proposing future fixes.
Ok here is a first small patch to stop relabeling /tmp as Stephen
suggested. It should be no more complicated to get rid of the
unneeded dyntrans_types, but I messed up somewhere generating the
patch and subsequent test bombed. So I'll just do that next week
or whenever this patch hits cvs (for simplicity).
thanks,
-serge
Subject: selinux testsuite: don't relabel /tmp
There's no need for the selinux testsuite to relabel /tmp for
the duration of the test. It uses /tmp/selinux anyway. Just
need to be sure to have search perms to tmp_t.
Signed-off-by: Serge Hallyn <[EMAIL PROTECTED]>
---
diff -Nrup
ltp.pristine/testcases/kernel/security/selinux-testsuite/policy/test_global.te
ltp.tmpt/testcases/kernel/security/selinux-testsuite/policy/test_global.te
---
ltp.pristine/testcases/kernel/security/selinux-testsuite/policy/test_global.te
2005-11-17 11:10:31.000000000 -0500
+++ ltp.tmpt/testcases/kernel/security/selinux-testsuite/policy/test_global.te
2008-04-04 14:56:21.000000000 -0400
@@ -49,6 +49,7 @@ allow testdomain random_device_t:chr_fil
allow testdomain locale_t:dir r_dir_perms;
allow testdomain locale_t:{ file lnk_file } r_file_perms;
allow testdomain privfd:fd use;
+allow testdomain tmp_t:dir r_dir_perms;
r_dir_file(testdomain, selinux_config_t)
can_getsecurity(testdomain)
diff -Nrup
ltp.pristine/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te
ltp.tmpt/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te
---
ltp.pristine/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te
2007-12-20 04:32:56.000000000 -0500
+++
ltp.tmpt/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te
2008-04-04 15:10:02.000000000 -0400
@@ -41,6 +41,7 @@ allow testdomain self:fifo_file rw_file_
allow testdomain self:unix_dgram_socket create_socket_perms;
allow testdomain self:unix_stream_socket create_stream_socket_perms;
allow testdomain self:unix_dgram_socket sendto;
+files_search_tmp(testdomain)
# permission to use shared library
libs_use_ld_so(testdomain)
diff -Nrup ltp.pristine/testscripts/test_selinux.sh
ltp.tmpt/testscripts/test_selinux.sh
--- ltp.pristine/testscripts/test_selinux.sh 2008-02-05 06:05:16.000000000
-0500
+++ ltp.tmpt/testscripts/test_selinux.sh 2008-04-04 13:52:54.000000000
-0400
@@ -98,10 +98,6 @@ cd $LTPROOT
echo "Running the SELinux testsuite..."
-# Save and later restore /tmp's type.
-SAVETMPTYPE=`ls -Zd /tmp | awk '{ print $4 }' | awk -F: '{ print $3 }'`
-/usr/bin/chcon -t test_file_t /tmp
-
mkdir /tmp/selinux > /dev/null 2>&1
/usr/bin/chcon -t test_file_t /tmp/selinux
export SELINUXTMPDIR=/tmp/selinux
@@ -115,8 +111,6 @@ $LTPROOT/pan/pan -S -a $LTPROOT/results/
# cleanup before exiting
-# Restore type of /tmp
-/usr/bin/chcon -t $SAVETMPTYPE /tmp
rm -rf /tmp/selinux
# Restore type of .../testcases/bin directory
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Register now and save $200. Hurry, offer ends at 11:59 p.m.,
Monday, April 7! Use priority code J8TLD2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
