On Tue, Jan 12, 2010 at 9:19 AM, Garrett Cooper <yaneg...@gmail.com> wrote:
> On Tue, Jan 12, 2010 at 8:55 AM, Garrett Cooper <yaneg...@gmail.com> wrote:
>> On Tue, Jan 12, 2010 at 5:16 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
>>> On Mon, 2010-01-11 at 15:31 -0600, Serge E. Hallyn wrote:
>>>> Quoting Serge E. Hallyn (se...@us.ibm.com):
>>>> > Quoting Serge E. Hallyn (se...@us.ibm.com):
>>>> > > Quoting Serge E. Hallyn (se...@us.ibm.com):
>>>> > > > Quoting Stephen Smalley (s...@tycho.nsa.gov):
>>>> > > > > On Mon, 2010-01-11 at 13:50 -0600, Serge E. Hallyn wrote:
>>>> > > > > > > Fails with:
>>>> > > > > > > cp: cannot stat
>>>> > > > > > > `/home/sds/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/policy_files/generic/test_policy.*':
>>>> > > > > > >  No such file or directory
>>>> > > > > >
>>>> > > > > > You ran /home/sds/ltp/testscripts/test_selinux.sh, right?
>>>> > > > > >
>>>> > > > > > I think we are supposed to actually be running
>>>> > > > > > /opt/ltp/testscripts/test_selinux.sh.  So then the first question
>>>> > > > > > for Garrett is how should we deduce /home/sds/ltp as $LTP_SRCDIR
>>>> > > > > > from a testscript?  Or should the policy sources be copied into
>>>> > > > > > /opt?
>>>> > > > >
>>>> > > > > Ok, but regardless:  the refpolicy Makefile is still broken.
>>>> > > >
>>>> > > > Yup.
>>>> > >
>>>> > > All right, baby-steps.
>>>> > >
>>>> > > The attached test_selinux.diff is not to be applied, but something
>>>> > > like it is needed.  Should we have the ltp 'make install' fill in
>>>> > > TOP_SRCDIR in /opt/ltp/testscripts/test_selinux.sh?  BTW, Garrett,
>>>> > > that is the issue I was saying is shared between test_selinux.sh
>>>> > > and some others including test_robind.sh.  That's why I'm not just
>>>> > > sending a patch to make it work, because I think we need more general
>>>> > > guidance.
>>>> > >
>>>> > > The second match makes the 'make load' part of test_selinux.sh
>>>> > > succeed on rhel5.4.  Stephen, how does it do on fedora?
>>>> > >
>>>> > > After loading policy it fails to execute ltp-pan, but I figure let's
>>>> > > get policy loading working first.
>>>>
>>>> All right well just doing
>>>>
>>>> --- /root/ltp_cvs_orig/ltp/testscripts/test_selinux.sh        2009-05-19 
>>>> 05:39:11.000000000 -0400
>>>> +++ /opt/ltp/testscripts/test_selinux.sh      2010-01-11 
>>>> 16:26:12.000000000 -0500
>>>> @@ -115,7 +117,7 @@
>>>>  SAVEBINTYPE=`ls -Zd $LTPROOT/testcases/bin | awk '{ print $4 }' | awk -F: 
>>>> '{ print $3 }'`
>>>>  /usr/bin/chcon -t test_file_t $LTPROOT/testcases/bin
>>>>
>>>> -$LTPROOT/pan/ltp-pan -S -a $LTPROOT/results/selinux -n ltp-selinux -l 
>>>> $LTPROOT/results/selinux.logfile -o $LTPROOT/results/selinux.outfile -p -f 
>>>> $LTPROOT/runtest/selinux
>>>> +$LTPROOT/bin/ltp-pan -S -a $LTPROOT/results/selinux -n ltp-selinux -l 
>>>> $LTPROOT/results/selinux.logfile -o $LTPROOT/results/selinux.outfile -p -f 
>>>> $LTPROOT/runtest/selinux
>>>>
>>>>  # cleanup before exiting
>>>>
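Review bot: The replacement line calls $LTPROOT/bin/ltp-pan with no check that the binary exists at the new location, and it runs after the context line that relabels $LTPROOT/testcases/bin to test_file_t. Since the two layouts differ only in pan/ versus bin/, consider resolving the path once with test -x on each candidate and exiting with an error if neither is present, ahead of the chcon, so a missing ltp-pan is reported as a setup problem rather than after the directory has been relabeled. The hunk header (-115 +117) shows two lines added earlier in the installed script that are not in this excerpt, so this diff alone does not reproduce the reported result. The $LTPROOT expansions are unquoted; quoting them keeps a path containing spaces from splitting.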
>>>> ================================================================
>>>> in test_selinux.sh makes the testsuite mostly pass (test 39 fails, all
>>>> up to then pass)
>>>>
>>>> Again this is on RHEL5.4.
>>>
>>> test39 isn't supposed to be run on RHEL5.4.
>>> The old tests/Makefile had conditional logic to exclude certain tests on
>>> RHEL4 and on RHEL5, as their kernels wouldn't support newer tests.
>>
>>
>> Something that fell through the cracks because I didn't take the time
>> to actually determine _what_ the requirements were for the tests so
>> they would report configuration failure instead of failure. Please try
>> this (I properly pasted it this time instead of using my xterm window
>> and paste):
>>
>> Index: tests/Makefile
>> ===================================================================
>> RCS file: 
>> /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/tests/Makefile,v
>> retrieving revision 1.7
>> diff -u -r1.7 Makefile
>> --- tests/Makefile      9 Oct 2009 17:55:51 -0000       1.7
>> +++ tests/Makefile      12 Jan 2010 16:53:57 -0000
>> @@ -24,11 +24,26 @@
>>
>>  include        $(top_srcdir)/include/mk/env_pre.mk
>>
>> -RECURSIVE_TARGETS      := install
>> +ARGS                   = -m
>> +# Don't want to pass the -d option unless DESTDIR is a non-zero length 
>> string.
>> +ifneq ($(strip $(DESTDIR)),)
>> +ARGS                   += -d $(DESTDIR)
>> +endif
>>
>> -include $(top_srcdir)/include/mk/generic_trunk_target.mk
>> +DISTRO_VER             := $(shell $(top_srcdir)/scripts/detect_distro.sh 
>> $(ARGS))
>> +
>> +#
>> +# Certain tests should be excluded on RHEL [45].x as their kernels don't
>> +# support the tests.
>> +#
>> +# XXX (garrcoop): actually complete the work to add proper checks to the 
>> tests
>> +# to report TCONF on configuration failure.
>> +#
>> +ifneq ($(findstring $(DISTRO_VER),redhat-4 redhat-5),)
>> +FILTER_OUT_DIRS                += dyntrace dyntrans
>> +endif
>> +ifeq (redhat-4,$(DISTRO_VER))
>> +FILTER_OUT_DIRS                += bounds
>> +endif
>>
>> -all:
>> -       @set -e; for i in $(SUBDIRS); do \
>> -           $(MAKE) -C $$i $@; \
>> -       done
>> +include $(top_srcdir)/include/mk/generic_trunk_target.mk
>>
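Review bot: In the first added conditional, $(findstring $(DISTRO_VER),redhat-4 redhat-5) is a substring test with DISTRO_VER as the needle, so any value that is a substring of that list (a bare "redhat", for instance) also matches. $(filter redhat-4 redhat-5,$(DISTRO_VER)) compares whole words and reads the same way as the ifeq (redhat-4,$(DISTRO_VER)) test below it. The comment above the conditionals says only that "certain tests" are excluded on RHEL [45].x; stating next to each FILTER_OUT_DIRS line which release lacks support for which directory would make a swapped pair easy to spot.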
>
> The conditional checks didn't make sense with what Stephen mentioned
> above to you Serge, so I respun the diff:
>
> Index: tests/Makefile
> ===================================================================
> RCS file: 
> /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/tests/Makefile,v
> retrieving revision 1.7
> diff -u -r1.7 Makefile
> --- tests/Makefile      9 Oct 2009 17:55:51 -0000       1.7
> +++ tests/Makefile      12 Jan 2010 17:16:09 -0000
> @@ -24,11 +24,28 @@
>
>  include        $(top_srcdir)/include/mk/env_pre.mk
>
> -RECURSIVE_TARGETS      := install
> +ARGS                   = -m
> +# Don't want to pass the -d option unless DESTDIR is a non-zero length 
> string.
> +ifneq ($(strip $(DESTDIR)),)
> +ARGS                   += -d $(DESTDIR)
> +endif
>
> -include $(top_srcdir)/include/mk/generic_trunk_target.mk
> +DISTRO_VER             := $(shell $(top_srcdir)/scripts/detect_distro.sh 
> $(ARGS))
> +
> +#
> +# Certain tests should be excluded on RHEL [45].x as their kernels don't
> +# support the tests.
> +#
> +# XXX (garrcoop): actually complete the work to add proper checks to the 
> tests
> +# to report TCONF on configuration failure.
>
> -all:
> -       @set -e; for i in $(SUBDIRS); do \
> -           $(MAKE) -C $$i $@; \
> -       done
> +# RHEL 4.x doesn't support the dyntrace and dyntrans tests.
> +ifneq ($(findstring $(DISTRO_VER),redhat-4),)
> +FILTER_OUT_DIRS                += dyntrace dyntrans
> +endif
> +# RHEL 5.x doesn't support the bounds test.
> +ifeq (redhat-5,$(DISTRO_VER))
> +FILTER_OUT_DIRS                += bounds
> +endif

Man, my brain's a bit groggy this morning. The previous conditional
was correct -- the directories / versions to filter out were just
flip-flopped -_-. If you do:

+# RHEL 4.x and 5.x don't support the bounds test.
+ifneq ($(findstring $(DISTRO_VER),redhat-4 redhat-5),)
+FILTER_OUT_DIRS                += bounds
+endif
+# RHEL 4.x doesn't support the dyntrace and dyntrans tests.
+ifeq (redhat-4,$(DISTRO_VER))
+FILTER_OUT_DIRS                += dyntrace dyntrans
+endif

That should end up with the final desired result.

> +include $(top_srcdir)/include/mk/generic_trunk_target.mk
>
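Review bot: Nothing in this hunk handles an empty DISTRO_VER: if detect_distro.sh is missing or prints nothing, both conditionals evaluate false and no directory is added to FILTER_OUT_DIRS, so on an affected release the unsupported tests are built and run and show up as failures instead of being skipped. refpolicy/Makefile in the same mail falls back to generic when $(strip $(DISTRO_VER)) is empty; a matching guard here, or at least a comment saying that an empty value means "run everything", would document that case. The two conditionals also use different forms (ifneq with findstring for redhat-4, ifeq for redhat-5); one form for both would be easier to read.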
> Also, if you guys can try out this patch for refpolicy/Makefile, I'd
> prefer to check it in (it unifies the RHEL 4.x and `generic' refpolicy
> Make logic):
>
> Index: refpolicy/Makefile
> ===================================================================
> RCS file: 
> /cvsroot/ltp/ltp/testcases/kernel/security/selinux-testsuite/refpolicy/Makefile,v
> retrieving revision 1.12
> diff -u -r1.12 Makefile
> --- refpolicy/Makefile  8 Jan 2010 09:39:20 -0000       1.12
> +++ refpolicy/Makefile  12 Jan 2010 17:17:27 -0000
> @@ -17,7 +17,7 @@
>  #    with this program; if not, write to the Free Software Foundation, Inc.,
>  #    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
>  #
> -# Garrett Cooper, August 2009
> +# Garrett Cooper, January 2010
>  #
>
>  top_srcdir             ?= ../../../../..
> @@ -32,6 +32,7 @@
>
>  DISTRO_VER             := $(shell $(top_srcdir)/scripts/detect_distro.sh 
> $(ARGS))
>
> +# Avoid empty strings.
>  ifeq ($(strip $(DISTRO_VER)),)
>  DISTRO_VER             := generic
>  endif
> @@ -41,10 +42,17 @@
>  POLICY_DEVEL_DIR       ?= $(DESTDIR)/usr/share/selinux/devel
>  SEMODULE               ?= $(DESTDIR)/usr/sbin/semodule
>
> -INSTALL_DIR            := testcases/kernel/security/selinux-testsuite
> +INSTALL_DIR            := testcases/selinux-testsuite/refpolicy
>
>  TEST_POLICY_DIR                := $(abs_srcdir)/policy_files
>
> +# Do we have a special set of policies in the SCM to install?
> +ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/),)
> +TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/$(DISTRO_VER)
> +else
> +TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
> +endif
> +
>  .PHONY: all clean cleanup install load
>
>  CLEAN_DEPS             := cleanup
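Review bot: The added test $(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/) only checks that a per-distro directory exists, where the logic it replaces (removed in the next hunk) checked for $(DISTRO_VER)/Makefile. A directory that exists but lacks test_global.te or holds no .te files would still be selected, and the problem would only surface later when test_policy.te is built. Testing for $(TEST_POLICY_DIR)/$(DISTRO_VER)/test_global.te selects the directory only when it is usable. The INSTALL_DIR change also moves the installed location, so anything that still refers to testcases/kernel/security/selinux-testsuite needs the same update.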
> @@ -55,34 +63,24 @@
>        -$(SEMODULE) -r test_policy
>        $(RM) -f $(POLICY_DEVEL_DIR)/test_policy.* test_policy.te
>
> -ifneq ($(wildcard $(TEST_POLICY_DIR)/$(DISTRO_VER)/Makefile),)
> -MAKE_TARGETS           :=
> -
> -TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/$(DISTRO_VER)
> -
> -# load remains for backwards compatibility...
> -load:
> -       $(MAKE) -C $(TEST_POLICY_DIR)
> -else
> -
>  MAKE_TARGETS           := test_policy.te
>
> -TEST_POLICY_DIR                := $(TEST_POLICY_DIR)/generic
> -
> -POLICY_FILES           := test_global.te $(filter-out test_global.te,$(notdir
> $(wildcard $(TEST_POLICY_DIR)/*.te)))
> -
>  ifneq ($(CHECKPOLICY_VERS),24)
>  POLICY_FILES           := $(filter-out test_bounds.te,$(POLICY_FILES))
>  endif
>
> +# This is being done to preserve precedence; test_global.te must come first.
> +POLICY_FILES           := test_global.te \
> +                          $(filter-out test_global.te,$(notdir $(wildcard
> $(TEST_POLICY_DIR)/*.te)))
> +
>  load:
> -       @if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
> -           cp -p $(TEST_POLICY_DIR)/test_policy.* $(POLICY_DEVEL_DIR); \
> +       @set -e; if [ -d "$(POLICY_DEVEL_DIR)" ]; then \
> +           cp -p test_policy.* $(POLICY_DEVEL_DIR); \
>            $(MAKE) -C $(POLICY_DEVEL_DIR) clean; \
>            $(MAKE) -C $(POLICY_DEVEL_DIR) test_policy.pp; \
>            $(SEMODULE) -i $(POLICY_DEVEL_DIR)/test_policy.pp; \
>        else \
> -            echo "ERROR: You must have selinux-policy-devel installed."; \
> +            echo "ERROR: You must have selinux-policy?-devel? installed."; \
>            false; \
>        fi
>
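Review bot: The ifneq ($(CHECKPOLICY_VERS),24) block that filters test_bounds.te out of POLICY_FILES is left as context above the newly added POLICY_FILES := assignment, so it now runs against an unset variable and the later := overwrites its result; test_bounds.te ends up in POLICY_FILES regardless of the checkpolicy version. Move the added POLICY_FILES assignment above that block. In the load recipe, cp -p test_policy.* now copies from the build directory, but load shows no prerequisite on test_policy.te, so make load on a clean tree depends on an earlier make; listing test_policy.te as a prerequisite of load removes that ordering assumption. The message text selinux-policy?-devel? reads like a pattern rather than a package name; naming the candidate packages would be clearer to the person who hits the error.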
