From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: Kohei KaiGai <kaigai@kaigai.gr.jp>
Cc: Stephen Smalley <sds@tycho.ncsc.mil>,
SELinux-NSA <selinux@tycho.nsa.gov>
Subject: Re: regression test of security policy
Date: Tue, 15 May 2012 11:55:46 -0400 [thread overview]
Message-ID: <4FB27C82.2000005@tresys.com> (raw)
In-Reply-To: <CADyhKSU=0nDupacpDFHXcw_ypARGMQdgoGJAXQm7v21jt3MoGQ@mail.gmail.com>
On 05/11/12 08:59, Kohei KaiGai wrote:
> 2012/5/10 Christopher J. PeBenito <cpebenito@tresys.com>:
>> On 05/06/12 14:51, Kohei KaiGai wrote:
>>> I'd like to have such kind of test in the reference policy, to cover
>>> wider range test cases at security policy side.
>>> It helps to improve the quality and to reduce the burden for testing.
>>> (In fact, I found a few bugs in mcs/mls rules during this development...)
>>
>> I'm not adverse to this for refpolicy, but what worries me is the size
>> and maintainability of the tests. What you have in your patch for
>> testing sepostgresql looks several times bigger than the sepostgresql
>> policy itself. It seems that the tests would be larger than the policy
>> itself so that the constraints can be checked. Additionally, the
>> community (I'm including myself) isn't exactly good about keeping
>> tests up to date (see tests in the toolchain, for example).
>>
> I could understand the maintenance burden.
>
> How about your opinion to add Makefile support to run external
> test cases? It will help contributors test their own patches being
> submitted.
>
> In my idea, it adds a new make target "regtest" with TESTCASE
> argument that points to the *.test file.
>
> $ make TYPE=xxx MONOLITHIC=y TESTCASE=/path/to/testcases regtest
>
> Then, makefile generates a monolithic policy chunk and kicks
> checkpolicy with the new -s option that takes processed testcase
> by m4.
>
> The reason why I want refpolicy to provide such kind of infrastructure
> is utilization of existing macro definitions to generate multiple
> testcases from a single source.
> Do you think it is reasonable to improve the quality of policy?
It sounds fine. We can discuss the implementation on the refpolicy mail list.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
prev parent reply other threads:[~2012-05-15 15:55 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-05-04 13:48 regression test of security policy Kohei KaiGai
2012-05-04 14:00 ` Stephen Smalley
2012-05-04 15:44 ` Kohei KaiGai
2012-05-06 18:51 ` Kohei KaiGai
2012-05-10 13:20 ` Christopher J. PeBenito
2012-05-11 12:59 ` Kohei KaiGai
2012-05-15 15:55 ` Christopher J. PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4FB27C82.2000005@tresys.com \
--to=cpebenito@tresys.com \
--cc=kaigai@kaigai.gr.jp \
--cc=sds@tycho.ncsc.mil \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.