From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <5277B3FB.80405@redhat.com>
Date: Mon, 04 Nov 2013 09:49:31 -0500
From: Daniel J Walsh
MIME-Version: 1.0
To: Sven Vermeulen
CC: Stephen Smalley, Eric Paris, SELinux
Subject: Re: [PATCH 01/11] Add test suite for audit2allow and sepolgen_ifgen
References: <1383231238-7637-1-git-send-email-dwalsh@redhat.com> <1383231238-7637-2-git-send-email-dwalsh@redhat.com>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On 11/02/2013 12:51 PM, Sven Vermeulen wrote:
> On Thu, Oct 31, 2013 at 3:53 PM, Dan Walsh wrote:
>> +++ b/policycoreutils/audit2allow/test.log 
@@ -0,0 +1,36 @@ >> +node=bill.example.com type=AVC_PATH msg=audit(1166045975.667:1128): >> path="/usr/lib/libGL.so.1.2" +type=AVC msg=audit(1166045975.667:1129): >> avc: denied { write } for comm=local dev=dm-0 name=root.lock pid=10581 >> scontext=system_u:system_r:postfix_local_t:s0 tclass=file >> tcontext=system_u:object_r:mail_spool_t:s0 +node=bob.example.com >> type=PATH msg=audit(1166111074.191:74): item=0 name="/etc/auto.net" >> inode=16483485 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 >> obj=system_u:object_r:automount_lock_t:s0 type=CWD >> msg=audit(1166111074.191:74): cwd="/" +node=bob.example.com type=SYSCALL >> msg=audit(1166111074.191:74): arch=40000003 syscall=33 success=no >> exit=-13 a0=92c5288 a1=1 a2=154d50 a3=92c5120 items=1 ppid=13935 >> pid=13944 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 >> fsgid=0 tty=(none) comm="automount" exe="/usr/sbin/automount" >> subj=system_u:system_r:automount_t:s0 key=(null) > > Aren't those tests only possible when SELinux is enabled and the policy > modules for the given types (such as automount_lock_t, mail_spool_t, ...) > are loaded? > > Also, it seems like the test only supports MLS-enabled policies; in Gentoo > we also support non-MLS policies. > > May I suggest to - have a test-mls.log and test-nonmls.log with the AVC > information specific for those policies - use only types that are part of a > base policy (and not have types in there that might not be available on a > system) - only run the test if SELinux is enabled and a policy is loaded > > Wkr, Sven Vermeulen > > > -- This message was distributed to subscribers of the selinux mailing > list. If you no longer wish to subscribe, send mail to > majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes > as the message. > I was just grabbing the audit logs we test with setroubleshoot, so if you would like to give more generic tests that would be fine with me. 
Adding a policy.29 to test with it would seem to be a little heavy weight.
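
Review bot: in the quoted test.log hunk, the `type=CWD msg=audit(1166111074.191:74): cwd="/"` record follows the PATH record's `obj=system_u:object_r:automount_lock_t:s0` with no `+` and no `node=` prefix of its own, so in this copy it reads as the tail of the PATH line rather than a separate record. The `type=AVC` record for root.lock likewise lacks the `node=` field that the surrounding records carry. If merged or prefix-less records are deliberate parser input, say so in the commit message or a note beside the fixture; otherwise put CWD on its own line with the same `node=bob.example.com` prefix as the other records of event 74. Every context in the quoted records ends in `:s0`, so the file name or an accompanying note should state that the fixture assumes MLS-format contexts.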
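
Sven's suggestion of separate MLS and non-MLS logs, built only from types a base policy provides, can be prepared mechanically. The following is an added example, not part of the patch or of either poster's message: it lists the types a log fixture references and derives a non-MLS variant of it. The function names are hypothetical, and the sample is constructed from two of the quoted records (the SYSCALL record is abridged).

```python
import re

# Constructed sample: two records taken from the quoted test.log lines
# (the SYSCALL record is abridged).
SAMPLE_LOG = (
    'type=AVC msg=audit(1166045975.667:1129): avc: denied { write } for '
    'comm=local dev=dm-0 name=root.lock pid=10581 '
    'scontext=system_u:system_r:postfix_local_t:s0 tclass=file '
    'tcontext=system_u:object_r:mail_spool_t:s0\n'
    'node=bob.example.com type=SYSCALL msg=audit(1166111074.191:74): '
    'arch=40000003 syscall=33 success=no exit=-13 comm="automount" '
    'exe="/usr/sbin/automount" subj=system_u:system_r:automount_t:s0 key=(null)\n'
)

# Audit fields that hold an SELinux security context.
CONTEXT_FIELD = re.compile(r'\b(scontext|tcontext|subj|obj)=(\S+)')


def split_context(ctx):
    """Return (user, role, type, level); level is None for a non-MLS context."""
    # The level itself may contain colons (s0-s0:c0.c1023), so split 3 times only.
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % ctx)
    level = parts[3] if len(parts) == 4 else None
    return parts[0], parts[1], parts[2], level


def fixture_requirements(log_text):
    """Return (sorted types referenced, True if any context carries a level)."""
    types, has_mls = set(), False
    for _field, ctx in CONTEXT_FIELD.findall(log_text):
        _user, _role, type_, level = split_context(ctx)
        types.add(type_)
        has_mls = has_mls or level is not None
    return sorted(types), has_mls


def to_non_mls(log_text):
    """Rewrite every context field as user:role:type, dropping the level."""
    def strip_level(match):
        user, role, type_, _level = split_context(match.group(2))
        return '%s=%s:%s:%s' % (match.group(1), user, role, type_)
    return CONTEXT_FIELD.sub(strip_level, log_text)
```

The type list from `fixture_requirements` is what would be compared against the types a base policy defines before a record is accepted into a shared fixture.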