On Sun, 15 May 2016, Ondrej Moris wrote:
Our problem was that we couldn't easily add fips=1 on a per-test basis
to the VM. Similarly, we need an MLS on/off method so we can run the MLS
labeled ipsec tests. We might be able to virt-install a FIPS and
FIPS+MLS image, e.g. east-fips, west-fips, and then use those.
I see, well there is still --impair-force-fips for per-test FIPS
testing. Sure, it is not the "FIPS product" when the kernel is not in FIPS
mode but for testing user-space it should be sufficient.
Yes, I added --impair-force-fips to avoid issues of not being really in
FIPS mode, and /usr/local vs /usr installs and .hmac files. It works
if you separately put NSS in FIPS mode. It can test IKE algorithms, but
it is not good to test how we respond to the kernel refusing an item
we asked for because of FIPS mode.
MLS would be a much bigger step I guess.
Yes. Currently the KVM images are COW images, so switching a machine
between MLS and non-MLS, even if we scripted that in swantest, would
cause some dramatic COW write increases and slowdown. I think it is
better to add those as a separate virt-install image.
At least in Fedora since almost nobody cares
about selinux-mls-policy there. We recently started the same testing we
did for Common Criteria in RHEL in Fedora 23 and there are tons of
selinux denials. In RHEL both FIPS and MLS testing should be possible.
I would like to move to RHEL7 on host and guest testing :)
Paul
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev