On Fri, 2008-04-04 at 22:18 -0500, Serge E. Hallyn wrote:
> Quoting Subrata Modak ([EMAIL PROTECTED]):
> > On 4/2/08, Serge E. Hallyn <[EMAIL PROTECTED]> wrote:
> > >
> > > Quoting Stephen Smalley ([EMAIL PROTECTED]):
> > > >
> > > > On Wed, 2008-04-02 at 13:07 -0500, Serge E. Hallyn wrote:
> > > > > Quoting Stephen Smalley ([EMAIL PROTECTED]):
> > > > > > This patch, which is independent of Jeff's patch, updates the selinux
> > > > > > testsuite to run under Fedora 9, and does no harm on Fedora 8.
> > > > > >
> > > > > > While creating this, I noticed two other things that ultimately need
> > > > > > fixing:
> > > > > > 1) The sbin_deprecated.patch adds domain_dyntrans_type() to all the test
> > > > > > domains.  If that was truly desired, we should just put it into
> > > > > > unconfined_runs_test().  But it shouldn't be necessary - only the
> > > > > > test_dyntrans.te and test_dyntrace.te domains should require permissions
> > > > > > for dynamic transitions.  I'll let Serge confirm that.
> > > > >
> > > > > Oh dyntrans means a domain transition outside of an exec?
> > > >
> > > > Yes - a setcon(3) call, aka a write to /proc/self/current.
> > > >
> > > > > I don't have access to my test machine at the moment, but what you say
> > > > > sounds right.  I say make the change and when it hits ltp cvs (or
> > > > > next week, whichever comes later) i'll give it a testrun.
> > > > >
> > > > > > 2) The test scripts are presently relabeling /tmp to test_file_t for the
> > > > > > duration of the test.  That's insane - it could break any other running
> > > > > > process that tries to access /tmp during the test.  That was not part of
> > > > > > our original selinux testsuite and seems to have been introduced when
> > > > > > IBM ported it to LTP.  If you are worried about lacking search
> > > > > > permission to /tmp in the test domains, then create your own
> > > > > > private /test directory or something.  Or just give all test domains
> > > > > > permission to search tmp either via unconfined_runs_test() or in
> > > > > > test_global.te using the testdomain attribute.
> > > > >
> > > > > Agreed.  I don't remember Joy saying anything about doing that, but
> > > > > more importantly when I test the above I'll see about addressing
> > > > > this.  I assume using /tmp/selinuxltptest/ should be fine?
> > > >
> > > > Well, the scripts do create a /tmp/selinux and use that, but they also
> > > > relabel the top-level /tmp directory temporarily.  Presumably to ensure
> > > > that the test scripts can search to reach /tmp/selinux.  But just
> > > > allowing search to tmp_t:dir seems harmless.
> > >
> > > Ok, will look at these when Subrata says your patch has hit cvs.
> > 
> > This will soon hit the CVS. Thanks to all of you for providing the fixes, as
> > well as proposing future fixes.
> 
> Ok here is a first small patch to stop relabeling /tmp as Stephen
> suggested.  It should be no more complicated to get rid of the
> unneeded dyntrans_types, but I messed up somewhere generating the
> patch and subsequent test bombed.  So I'll just do that next week
> or whenever this patch hits cvs (for simplicity).
> 
> thanks,
> -serge
> 
> Subject: selinux testsuite: don't relabel /tmp
> 
> There's no need for the selinux testsuite to relabel /tmp for
> the duration of the test.  It uses /tmp/selinux anyway.  Just
> need to be sure to have search perms to tmp_t.
> 
> Signed-off-by: Serge Hallyn <[EMAIL PROTECTED]>

This also is through. No major issue(s) except some Hunk Succeeded
displays, probably because yours, Stephen's and Jeff's patches update
the same code file(s). Rest should be fine.

Regards--
Subrata

> ---
> 
> diff -Nrup 
> ltp.pristine/testcases/kernel/security/selinux-testsuite/policy/test_global.te
>  ltp.tmpt/testcases/kernel/security/selinux-testsuite/policy/test_global.te
> --- 
> ltp.pristine/testcases/kernel/security/selinux-testsuite/policy/test_global.te
>     2005-11-17 11:10:31.000000000 -0500
> +++ 
> ltp.tmpt/testcases/kernel/security/selinux-testsuite/policy/test_global.te    
>     2008-04-04 14:56:21.000000000 -0400
> @@ -49,6 +49,7 @@ allow testdomain random_device_t:chr_fil
>  allow testdomain locale_t:dir r_dir_perms;
>  allow testdomain locale_t:{ file lnk_file } r_file_perms;
>  allow testdomain privfd:fd use;
> +allow testdomain tmp_t:dir r_dir_perms;
> 
>  r_dir_file(testdomain, selinux_config_t)
>  can_getsecurity(testdomain)
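Review bot: `allow testdomain tmp_t:dir r_dir_perms;` grants more than the commit message asks for ("search perms to tmp_t"): r_dir_perms also covers read, getattr and the other read-side directory permissions, so every test domain gains the ability to list the shared /tmp, not just traverse it. The refpolicy hunk in this same patch uses files_search_tmp(), which is search-only; for parity, `allow testdomain tmp_t:dir search;` would be enough here.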
> diff -Nrup 
> ltp.pristine/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te
>  ltp.tmpt/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te
> --- 
> ltp.pristine/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te
>  2007-12-20 04:32:56.000000000 -0500
> +++ 
> ltp.tmpt/testcases/kernel/security/selinux-testsuite/refpolicy/test_global.te 
>     2008-04-04 15:10:02.000000000 -0400
> @@ -41,6 +41,7 @@ allow testdomain self:fifo_file rw_file_
>  allow testdomain self:unix_dgram_socket create_socket_perms;
>  allow testdomain self:unix_stream_socket create_stream_socket_perms;
>  allow testdomain self:unix_dgram_socket sendto;
> +files_search_tmp(testdomain)
> 
>  # permission to use shared library
>  libs_use_ld_so(testdomain)
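Review bot: files_search_tmp(testdomain) is dropped in between the self:unix_dgram_socket rules, which is a style point: it reads better next to the other file-system interface calls for testdomain, with a one-line comment stating why it is there (the test scripts create and use /tmp/selinux, so the domains only need to traverse tmp_t), so that a later reader does not widen it to a read or manage interface without noticing the original intent.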
> diff -Nrup ltp.pristine/testscripts/test_selinux.sh 
> ltp.tmpt/testscripts/test_selinux.sh
> --- ltp.pristine/testscripts/test_selinux.sh  2008-02-05 06:05:16.000000000 
> -0500
> +++ ltp.tmpt/testscripts/test_selinux.sh      2008-04-04 13:52:54.000000000 
> -0400
> @@ -98,10 +98,6 @@ cd $LTPROOT
> 
>  echo "Running the SELinux testsuite..."
> 
> -# Save and later restore /tmp's type.
> -SAVETMPTYPE=`ls -Zd /tmp | awk '{ print $4 }' | awk -F: '{ print $3 }'`
> -/usr/bin/chcon -t test_file_t /tmp
> -
>  mkdir /tmp/selinux > /dev/null 2>&1
>  /usr/bin/chcon -t test_file_t /tmp/selinux
>  export SELINUXTMPDIR=/tmp/selinux
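Review bot: with the relabel of /tmp gone, the whole run now depends on `mkdir /tmp/selinux > /dev/null 2>&1` followed by `/usr/bin/chcon -t test_file_t /tmp/selinux`, and neither result is checked. If /tmp/selinux already exists (left behind by an earlier run, or created by another user, since /tmp is world-writable), the silenced mkdir hides that and chcon relabels a directory the script did not create. Consider creating the directory with a private mode, refusing a pre-existing path or symlink, and aborting with a clear message when chcon fails, rather than letting the tests fail later with confusing AVC denials.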
> @@ -115,8 +111,6 @@ $LTPROOT/pan/pan -S -a $LTPROOT/results/
> 
>  # cleanup before exiting    
> 
> -# Restore type of /tmp
> -/usr/bin/chcon -t $SAVETMPTYPE /tmp
>  rm -rf /tmp/selinux
> 
>  # Restore type of .../testcases/bin directory
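Review bot: removing `/usr/bin/chcon -t $SAVETMPTYPE /tmp` here is consistent with the earlier hunk that drops the SAVETMPTYPE assignment, so no dangling reference remains in the shown context; it is still worth a grep of the rest of test_selinux.sh to confirm nothing else reads SAVETMPTYPE or assumes /tmp carries test_file_t. Note also that the retained `rm -rf /tmp/selinux` removes whatever the setup step accepted, so the cleanup is only as safe as the creation of that directory.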
> 


_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
