From: Stephen Smalley <sds@tycho.ncsc.mil>
To: Kohei KaiGai <kaigai@kaigai.gr.jp>
Cc: SELinux-NSA <selinux@tycho.nsa.gov>
Subject: Re: regression test of security policy
Date: Fri, 04 May 2012 10:00:13 -0400
Message-ID: <1336140013.24121.13.camel@moss-pluto>
In-Reply-To: <CADyhKSVyfCxx9dAziaR0bcbPvXW4C6FnV4J-Jux7gaMrT+-L+g@mail.gmail.com>

On Fri, 2012-05-04 at 15:48 +0200, Kohei KaiGai wrote:
> Does anyone have a tool to run a regression test when we construct a patch?
> (Or, is it available to construct using existing tools?)
> 
> Right now, I have to replace a working policy by the modified one whenever
> I prepare to submit a patch towards the reference policy. However, the default
> security policy of Fedora is optimized to the Fedora environment, thus, it often
> mismatches with the latest upstream policy.
> For example, "allow_execmem" is not defined in Fedora, so, I could not
> load the staff.pp being constructed based on the upstream policy.
> 
> So, the solution I'm looking for is a tool that loads a monolithic policy and
> checks its access control decision towards a certain pair of subject context
> and target context according to catalog files, then it prints the result of
> diff commands between the computed one and expected one.

Possibly you could derive such a tool from checkpolicy -d, switching
from a menu-driven interface to a scriptable one.

checkpolicy -Mdb /etc/selinux/targeted/policy/policy.24

setools would be the other option, but sesearch only deals with TE
rules.

-- 
Stephen Smalley
National Security Agency
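
The catalog-driven regression check described in the quoted request, as an added example (not code from this thread, checkpolicy or setools). The catalog format, the function names and the in-memory rule table standing in for a real decision backend are assumptions; the table matches on type only, so like sesearch it covers TE rules only.

```python
import difflib

# Constructed catalog (hypothetical format):
#   source_context target_context class expected_perms   ("-" = none allowed)
CATALOG = """\
staff_u:staff_r:staff_t:s0 system_u:object_r:etc_t:s0 file getattr,open,read
staff_u:staff_r:staff_t:s0 system_u:object_r:shadow_t:s0 file -
"""

def parse_catalog(text):
    """Return [(scontext, tcontext, tclass, frozenset(perms))] from catalog text."""
    cases = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # allow comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"catalog line {lineno}: expected 4 fields, got {len(fields)}")
        scon, tcon, tclass, perms = fields
        cases.append((scon, tcon, tclass,
                      frozenset() if perms == "-" else frozenset(perms.split(","))))
    return cases

def render(cases):
    """One canonical line per case (permissions sorted) so both sides diff cleanly."""
    return [f"{s} {t} {c} {','.join(sorted(p)) or '-'}" for s, t, c, p in cases]

def regression_diff(catalog_text, compute_av):
    """Unified diff between expected and computed decisions; [] means no regression."""
    cases = parse_catalog(catalog_text)
    computed = [(s, t, c, frozenset(compute_av(s, t, c))) for s, t, c, _ in cases]
    return list(difflib.unified_diff(render(cases), render(computed),
                                     "expected", "computed", lineterm=""))

def table_backend(rules):
    """Stand-in decision backend (assumption): looks up constructed allow rules by
    (source type, target type, class). A real one would query the policy file."""
    def compute_av(scon, tcon, tclass):
        return rules.get((scon.split(":")[2], tcon.split(":")[2], tclass), set())
    return compute_av

# Constructed rule sets: the working policy, and a modified one that
# additionally grants staff_t read access to shadow_t files.
BASE = {("staff_t", "etc_t", "file"): {"getattr", "open", "read"}}
MODIFIED = {**BASE, ("staff_t", "shadow_t", "file"): {"read"}}

if __name__ == "__main__":
    print("\n".join(regression_diff(CATALOG, table_backend(MODIFIED))))
```

Swapping `table_backend` for a function that obtains the decision from the monolithic policy file leaves the catalog and diff logic unchanged.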


