* [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing()
@ 2024-03-20 6:32 Petr Vorel
From: Petr Vorel @ 2024-03-20 6:32 UTC
To: ltp; +Cc: Mete Durlu
Co-developed-by: Mete Durlu <meted@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Hi,

@Li, Cyril:
1) I guess we want to distinguish EACCES for SELinux enforcing, right?
If not, this commit would be dropped and second commit would just use

	const int exp_errs[] = {tc->expected_errno, EACCES};

	TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
				tc->mask.flags, dirfd, path),
				exp_errs);

2) Some time ago I proposed to merge some lib/*.c files, not
just have so many files with single functions in the library. E.g.
lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
into lib/tst_security.c. Or do we want to have these separate?

When I proposed this, I wanted to merge files, which have the same name
as the single function in the file (e.g. tst_dir_is_empty.c,
tst_path_has_mnt_flags.c), having them as single file does not help much
with searching for the content.

Kind regards,
Petr

include/tst_selinux.h | 10 ++++++++++
lib/tst_selinux.c | 25 +++++++++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644 include/tst_selinux.h
create mode 100644 lib/tst_selinux.c
diff --git a/include/tst_selinux.h b/include/tst_selinux.h
new file mode 100644
index 000000000..18bbcff21
--- /dev/null
+++ b/include/tst_selinux.h
@@ -0,0 +1,10 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later
+ * Copyright (c) Linux Test Project, 2024
+ */
+
+#ifndef TST_SELINUX_H__
+#define TST_SELINUX_H__
+
+int tst_selinux_enforcing(void);
+
+#endif /* TST_SELINUX_H__ */
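Review bot: the declaration `int tst_selinux_enforcing(void);` carries no comment on what it returns. Going by lib/tst_selinux.c in this patch, the result is the integer read from /sys/fs/selinux/enforce, and 0 when that file is absent, so a caller cannot distinguish permissive mode from a system without SELinux. A short doc comment above the prototype saying so would save test authors a trip to the source.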
diff --git a/lib/tst_selinux.c b/lib/tst_selinux.c
new file mode 100644
index 000000000..2219b85d4
--- /dev/null
+++ b/lib/tst_selinux.c
@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) Linux Test Project, 2024
+ */
+
+#define TST_NO_DEFAULT_MAIN
+
+#define SELINUX_STATUS_PATH "/sys/fs/selinux/enforce"
+
+#include <fcntl.h>
+#include <stdlib.h>
+#include "tst_test.h"
+#include "tst_selinux.h"
+
+int tst_selinux_enforcing(void)
+{
+ int res = 0;
+
+ if (access(SELINUX_STATUS_PATH, F_OK) == 0)
+ SAFE_FILE_SCANF(SELINUX_STATUS_PATH, "%d", &res);
+
+ tst_res(TINFO, "SELinux enforcing: %s", res ? "on" : "off");
+
+ return res;
+}
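Review bot: `access()` in `tst_selinux_enforcing()` is declared in <unistd.h>, which is not in the include list, so the call compiles only if tst_test.h happens to pull it in; include <unistd.h> directly, and drop <stdlib.h> if nothing here needs it. The guard `access(SELINUX_STATUS_PATH, F_OK)` also tests existence rather than readability before SAFE_FILE_SCANF reads the file; R_OK would match what the next line actually needs. Minor style: the `SELINUX_STATUS_PATH` define sits above the includes, and the TINFO message is printed on every call, which is fine for one call from setup but noisy if a test calls this per iteration.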
--
2.43.0
--
Mailing list info: https://lists.linux.it/listinfo/ltp
^ permalink raw reply related [flat|nested] 9+ messages in thread* [LTP] [PATCH v3 2/2] fanotify14: fix anonymous pipe testcases 2024-03-20 6:32 [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing() Petr Vorel @ 2024-03-20 6:32 ` Petr Vorel 2024-03-20 6:59 ` Amir Goldstein ` (2 more replies) 2024-03-20 7:31 ` [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing() Li Wang 1 sibling, 3 replies; 9+ messages in thread From: Petr Vorel @ 2024-03-20 6:32 UTC (permalink / raw) To: ltp; +Cc: Jan Kara, Mete Durlu From: Mete Durlu <meted@linux.ibm.com> When SElinux is in enforcing state and SEpolicies disallow anonymous pipe usage with fanotify_mark(), related fanotify14 testcases fail with EACCES instead of EINVAL. Accept both errnos when SElinux is in enforcing state to correctly evaluate test results. Replace TST_EXP_FD_OR_FAIL with TST_EXP_FAIL when testing fanotify_mark() as it returns -1 on failure and 0 on success not a file descriptor. Co-developed-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Mete Durlu <meted@linux.ibm.com> Signed-off-by: Petr Vorel <pvorel@suse.cz> --- Hi, this is a replacement of Mete's v2 fanotify14: fix anonymous pipe testcases: https://lore.kernel.org/ltp/20240312120829.178305-2-meted@linux.ibm.com/ Kind regards, Petr .../kernel/syscalls/fanotify/fanotify14.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/testcases/kernel/syscalls/fanotify/fanotify14.c b/testcases/kernel/syscalls/fanotify/fanotify14.c index d02d81495..b554af22a 100644 --- a/testcases/kernel/syscalls/fanotify/fanotify14.c +++ b/testcases/kernel/syscalls/fanotify/fanotify14.c @@ -30,6 +30,7 @@ #ifdef HAVE_SYS_FANOTIFY_H #include "fanotify.h" +#include "tst_selinux.h" #define MNTPOINT "mntpoint" #define FILE1 MNTPOINT"/file1" 
@@ -47,6 +48,7 @@ static int pipes[2] = {-1, -1}; static int fanotify_fd; static int ignore_mark_unsupported; static int filesystem_mark_unsupported; +static int se_enforcing; static unsigned int supported_init_flags; struct test_case_flags_t { @@ -283,9 +285,18 @@ static void do_test(unsigned int number) tst_res(TINFO, "Testing %s with %s", tc->mark.desc, tc->mask.desc); - TST_EXP_FD_OR_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, - tc->mask.flags, dirfd, path), - tc->expected_errno); + + if (tc->pfd && se_enforcing) { + const int exp_errs[] = {tc->expected_errno, EACCES}; + + TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, + tc->mask.flags, dirfd, path), + exp_errs); + } else { + TST_EXP_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, + tc->mask.flags, dirfd, path), + tc->expected_errno); + } /* * ENOTDIR are errors for events/flags not allowed on a non-dir inode. @@ -334,6 +345,8 @@ static void do_setup(void) SAFE_FILE_PRINTF(FILE1, "0"); /* Create anonymous pipes to place marks on */ SAFE_PIPE2(pipes, O_CLOEXEC); + + se_enforcing = tst_selinux_enforcing(); } static void do_cleanup(void) -- 2.43.0 -- Mailing list info: https://lists.linux.it/listinfo/ltp ^ permalink raw reply related [flat|nested] 9+ messages in thread
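Review bot: in the do_test() hunk, `if (tc->pfd && se_enforcing)` widens the accepted errnos to include EACCES with no code comment explaining why; the reason is only in the commit message. A short comment above the condition (an enforcing SELinux policy can make fanotify_mark() on an anonymous pipe fail with EACCES instead of the expected errno) would keep the rationale with the test. It is also worth stating there that `se_enforcing` only reflects the enforce flag read once in do_setup(), so the wider expectation applies to every pipe case on any enforcing system, whether or not the loaded policy actually denies the call. The two branches repeat the same fanotify_mark() arguments and differ only in the expectation macro.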
* Re: [LTP] [PATCH v3 2/2] fanotify14: fix anonymous pipe testcases 2024-03-20 6:32 ` [LTP] [PATCH v3 2/2] fanotify14: fix anonymous pipe testcases Petr Vorel @ 2024-03-20 6:59 ` Amir Goldstein 2024-03-20 9:01 ` Mete Durlu 2024-03-20 12:11 ` Jan Kara 2 siblings, 0 replies; 9+ messages in thread From: Amir Goldstein @ 2024-03-20 6:59 UTC (permalink / raw) To: Petr Vorel; +Cc: Mete Durlu, Jan Kara, ltp On Wed, Mar 20, 2024 at 8:32 AM Petr Vorel <pvorel@suse.cz> wrote: > > From: Mete Durlu <meted@linux.ibm.com> > > When SElinux is in enforcing state and SEpolicies disallow anonymous > pipe usage with fanotify_mark(), related fanotify14 testcases fail with > EACCES instead of EINVAL. Accept both errnos when SElinux is in > enforcing state to correctly evaluate test results. > > Replace TST_EXP_FD_OR_FAIL with TST_EXP_FAIL when testing > fanotify_mark() as it returns -1 on failure and 0 on success not a file > descriptor. > > Co-developed-by: Petr Vorel <pvorel@suse.cz> > Signed-off-by: Mete Durlu <meted@linux.ibm.com> > Signed-off-by: Petr Vorel <pvorel@suse.cz> Reviewed-by: Amir Goldstein <amir73il@gmail.com> > --- > Hi, > > this is a replacement of Mete's v2 fanotify14: fix anonymous pipe testcases: > https://lore.kernel.org/ltp/20240312120829.178305-2-meted@linux.ibm.com/ > > Kind regards, > Petr > > .../kernel/syscalls/fanotify/fanotify14.c | 19 ++++++++++++++++--- > 1 file changed, 16 insertions(+), 3 deletions(-) > > diff --git a/testcases/kernel/syscalls/fanotify/fanotify14.c b/testcases/kernel/syscalls/fanotify/fanotify14.c > index d02d81495..b554af22a 100644 > --- a/testcases/kernel/syscalls/fanotify/fanotify14.c > +++ b/testcases/kernel/syscalls/fanotify/fanotify14.c > @@ -30,6 +30,7 @@ > > #ifdef HAVE_SYS_FANOTIFY_H > #include "fanotify.h" > +#include "tst_selinux.h" > > #define MNTPOINT "mntpoint" > #define FILE1 MNTPOINT"/file1" 
> @@ -47,6 +48,7 @@ static int pipes[2] = {-1, -1}; > static int fanotify_fd; > static int ignore_mark_unsupported; > static int filesystem_mark_unsupported; > +static int se_enforcing; > static unsigned int supported_init_flags; > > struct test_case_flags_t { > @@ -283,9 +285,18 @@ static void do_test(unsigned int number) > > tst_res(TINFO, "Testing %s with %s", > tc->mark.desc, tc->mask.desc); > - TST_EXP_FD_OR_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, > - tc->mask.flags, dirfd, path), > - tc->expected_errno); > + > + if (tc->pfd && se_enforcing) { > + const int exp_errs[] = {tc->expected_errno, EACCES}; > + > + TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, > + tc->mask.flags, dirfd, path), > + exp_errs); > + } else { > + TST_EXP_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, > + tc->mask.flags, dirfd, path), > + tc->expected_errno); > + } > > /* > * ENOTDIR are errors for events/flags not allowed on a non-dir inode. > @@ -334,6 +345,8 @@ static void do_setup(void) > SAFE_FILE_PRINTF(FILE1, "0"); > /* Create anonymous pipes to place marks on */ > SAFE_PIPE2(pipes, O_CLOEXEC); > + > + se_enforcing = tst_selinux_enforcing(); > } > > static void do_cleanup(void) > -- > 2.43.0 > -- Mailing list info: https://lists.linux.it/listinfo/ltp ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [LTP] [PATCH v3 2/2] fanotify14: fix anonymous pipe testcases 2024-03-20 6:32 ` [LTP] [PATCH v3 2/2] fanotify14: fix anonymous pipe testcases Petr Vorel 2024-03-20 6:59 ` Amir Goldstein @ 2024-03-20 9:01 ` Mete Durlu 2024-03-20 12:11 ` Jan Kara 2 siblings, 0 replies; 9+ messages in thread From: Mete Durlu @ 2024-03-20 9:01 UTC (permalink / raw) To: Petr Vorel; +Cc: Jan Kara, ltp On 3/20/24 07:32, Petr Vorel wrote: > From: Mete Durlu <meted@linux.ibm.com> > > When SElinux is in enforcing state and SEpolicies disallow anonymous > pipe usage with fanotify_mark(), related fanotify14 testcases fail with > EACCES instead of EINVAL. Accept both errnos when SElinux is in > enforcing state to correctly evaluate test results. > > Replace TST_EXP_FD_OR_FAIL with TST_EXP_FAIL when testing > fanotify_mark() as it returns -1 on failure and 0 on success not a file > descriptor. > > Co-developed-by: Petr Vorel <pvorel@suse.cz> > Signed-off-by: Mete Durlu <meted@linux.ibm.com> > Signed-off-by: Petr Vorel <pvorel@suse.cz> Looks good to me! Thanks for handling this. > --- > Hi, > > this is a replacement of Mete's v2 fanotify14: fix anonymous pipe testcases: > https://lore.kernel.org/ltp/20240312120829.178305-2-meted@linux.ibm.com/ > > Kind regards, > Petr > > .../kernel/syscalls/fanotify/fanotify14.c | 19 ++++++++++++++++--- > 1 file changed, 16 insertions(+), 3 deletions(-) > > diff --git a/testcases/kernel/syscalls/fanotify/fanotify14.c b/testcases/kernel/syscalls/fanotify/fanotify14.c > index d02d81495..b554af22a 100644 > --- a/testcases/kernel/syscalls/fanotify/fanotify14.c > +++ b/testcases/kernel/syscalls/fanotify/fanotify14.c > @@ -30,6 +30,7 @@ > > #ifdef HAVE_SYS_FANOTIFY_H > #include "fanotify.h" > +#include "tst_selinux.h" > > #define MNTPOINT "mntpoint" > #define FILE1 MNTPOINT"/file1" 
> @@ -47,6 +48,7 @@ static int pipes[2] = {-1, -1}; > static int fanotify_fd; > static int ignore_mark_unsupported; > static int filesystem_mark_unsupported; > +static int se_enforcing; > static unsigned int supported_init_flags; > > struct test_case_flags_t { > @@ -283,9 +285,18 @@ static void do_test(unsigned int number) > > tst_res(TINFO, "Testing %s with %s", > tc->mark.desc, tc->mask.desc); > - TST_EXP_FD_OR_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, > - tc->mask.flags, dirfd, path), > - tc->expected_errno); > + > + if (tc->pfd && se_enforcing) { > + const int exp_errs[] = {tc->expected_errno, EACCES}; > + > + TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, > + tc->mask.flags, dirfd, path), > + exp_errs); > + } else { > + TST_EXP_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, > + tc->mask.flags, dirfd, path), > + tc->expected_errno); > + } > > /* > * ENOTDIR are errors for events/flags not allowed on a non-dir inode. > @@ -334,6 +345,8 @@ static void do_setup(void) > SAFE_FILE_PRINTF(FILE1, "0"); > /* Create anonymous pipes to place marks on */ > SAFE_PIPE2(pipes, O_CLOEXEC); > + > + se_enforcing = tst_selinux_enforcing(); > } > > static void do_cleanup(void) -- Mailing list info: https://lists.linux.it/listinfo/ltp ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [LTP] [PATCH v3 2/2] fanotify14: fix anonymous pipe testcases 2024-03-20 6:32 ` [LTP] [PATCH v3 2/2] fanotify14: fix anonymous pipe testcases Petr Vorel 2024-03-20 6:59 ` Amir Goldstein 2024-03-20 9:01 ` Mete Durlu @ 2024-03-20 12:11 ` Jan Kara 2 siblings, 0 replies; 9+ messages in thread From: Jan Kara @ 2024-03-20 12:11 UTC (permalink / raw) To: Petr Vorel; +Cc: Jan Kara, Mete Durlu, ltp On Wed 20-03-24 07:32:17, Petr Vorel wrote: > From: Mete Durlu <meted@linux.ibm.com> > > When SElinux is in enforcing state and SEpolicies disallow anonymous > pipe usage with fanotify_mark(), related fanotify14 testcases fail with > EACCES instead of EINVAL. Accept both errnos when SElinux is in > enforcing state to correctly evaluate test results. > > Replace TST_EXP_FD_OR_FAIL with TST_EXP_FAIL when testing > fanotify_mark() as it returns -1 on failure and 0 on success not a file > descriptor. > > Co-developed-by: Petr Vorel <pvorel@suse.cz> > Signed-off-by: Mete Durlu <meted@linux.ibm.com> > Signed-off-by: Petr Vorel <pvorel@suse.cz> Looks good. Feel free to add: Reviewed-by: Jan Kara <jack@suse.cz> Honza > --- > Hi, > > this is a replacement of Mete's v2 fanotify14: fix anonymous pipe testcases: > https://lore.kernel.org/ltp/20240312120829.178305-2-meted@linux.ibm.com/ > > Kind regards, > Petr > > .../kernel/syscalls/fanotify/fanotify14.c | 19 ++++++++++++++++--- > 1 file changed, 16 insertions(+), 3 deletions(-) > > diff --git a/testcases/kernel/syscalls/fanotify/fanotify14.c b/testcases/kernel/syscalls/fanotify/fanotify14.c > index d02d81495..b554af22a 100644 > --- a/testcases/kernel/syscalls/fanotify/fanotify14.c > +++ b/testcases/kernel/syscalls/fanotify/fanotify14.c > @@ -30,6 +30,7 @@ > > #ifdef HAVE_SYS_FANOTIFY_H > #include "fanotify.h" > +#include "tst_selinux.h" > > #define MNTPOINT "mntpoint" > #define FILE1 MNTPOINT"/file1" 
> @@ -47,6 +48,7 @@ static int pipes[2] = {-1, -1}; > static int fanotify_fd; > static int ignore_mark_unsupported; > static int filesystem_mark_unsupported; > +static int se_enforcing; > static unsigned int supported_init_flags; > > struct test_case_flags_t { > @@ -283,9 +285,18 @@ static void do_test(unsigned int number) > > tst_res(TINFO, "Testing %s with %s", > tc->mark.desc, tc->mask.desc); > - TST_EXP_FD_OR_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, > - tc->mask.flags, dirfd, path), > - tc->expected_errno); > + > + if (tc->pfd && se_enforcing) { > + const int exp_errs[] = {tc->expected_errno, EACCES}; > + > + TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, > + tc->mask.flags, dirfd, path), > + exp_errs); > + } else { > + TST_EXP_FAIL(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags, > + tc->mask.flags, dirfd, path), > + tc->expected_errno); > + } > > /* > * ENOTDIR are errors for events/flags not allowed on a non-dir inode. > @@ -334,6 +345,8 @@ static void do_setup(void) > SAFE_FILE_PRINTF(FILE1, "0"); > /* Create anonymous pipes to place marks on */ > SAFE_PIPE2(pipes, O_CLOEXEC); > + > + se_enforcing = tst_selinux_enforcing(); > } > > static void do_cleanup(void) > -- > 2.43.0 > -- Jan Kara <jack@suse.com> SUSE Labs, CR -- Mailing list info: https://lists.linux.it/listinfo/ltp ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing()
From: Li Wang @ 2024-03-20 7:31 UTC
To: Petr Vorel; +Cc: Mete Durlu, ltp

Hi Petr,

On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:

> Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
>

This patch is doing the same work as security_getenforce() which provides
by 'selinux/selinux.h', but it is still worth having it because we do not
want ltp
has many extra dependencies (e.g. libselinux-devel).

Reviewed-by: Li Wang <liwang@redhat.com>

> ---
> Hi,
>
> @Li, Cyril:
> 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> If not, this commit would be dropped and second commit would just use
>
>         const int exp_errs[] = {tc->expected_errno, EACCES};
>
>         TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> tc->mark.flags,
>                                 tc->mask.flags, dirfd, path),
>                                 exp_errs);
>
> 2) Some time ago I proposed to merge some lib/*.c files, not
> just have so many files with single functions in the library. E.g.
> lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> into lib/tst_security.c. Or do we want to have these separate?
>

I think the answer is Yes. There are more and more lib/*.c files with
some trivial features, which bring troubles for reading/managing the
library. It is necessary to archive and merge the same thing.

>
> When I proposed this, I wanted to merge files, which have the same name
> as the single function in the file (e.g. tst_dir_is_empty.c,
> tst_path_has_mnt_flags.c), having them as single file does not help much
> with searching for the content.
>

+1

And the most important is we need to give a good name for the
achieved header file.

--
Regards,
Li Wang

* Re: [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing()
From: Petr Vorel @ 2024-03-20 7:56 UTC
To: Li Wang; +Cc: Mete Durlu, ltp

Hi Li, all,

> Hi Petr,

> On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:

> > Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>

> This patch is doing the same work as security_getenforce() which provides
> by 'selinux/selinux.h', but it is still worth having it because we do not
> want ltp
> has many extra dependencies (e.g. libselinux-devel).

+1

> Reviewed-by: Li Wang <liwang@redhat.com>

Thanks!

> > ---
> > Hi,

> > @Li, Cyril:
> > 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> > If not, this commit would be dropped and second commit would just use

> >         const int exp_errs[] = {tc->expected_errno, EACCES};

> >         TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> > tc->mark.flags,
> >                                 tc->mask.flags, dirfd, path),
> >                                 exp_errs);

> > 2) Some time ago I proposed to merge some lib/*.c files, not
> > just have so many files with single functions in the library. E.g.
> > lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> > into lib/tst_security.c. Or do we want to have these separate?

> I think the answer is Yes. There are more and more lib/*.c files with

I read "Yes" as to keep lib/tst_selinux.c, lib/tst_lockdown.c as separate.
I'm not sure myself (quite separate things, although they are all
"security"), what bothers me more are these tst_dir_is_empty.c,
tst_path_has_mnt_flags.c files.

> some trivial features, which bring troubles for reading/managing the
> library. It is necessary to archive and merge the same thing.

> > When I proposed this, I wanted to merge files, which have the same name
> > as the single function in the file (e.g. tst_dir_is_empty.c,
> > tst_path_has_mnt_flags.c), having them as single file does not help much
> > with searching for the content.

> +1

> And the most important is we need to give a good name for the
> achieved header file.

+1

Kind regards,
Petr

* Re: [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing()
From: Li Wang @ 2024-03-20 8:04 UTC
To: Petr Vorel; +Cc: Mete Durlu, ltp

On Wed, Mar 20, 2024 at 3:56 PM Petr Vorel <pvorel@suse.cz> wrote:

> Hi Li, all,
>
> > Hi Petr,
>
> > On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:
>
> > > Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> > > Signed-off-by: Petr Vorel <pvorel@suse.cz>
>
> > This patch is doing the same work as security_getenforce() which provides
> > by 'selinux/selinux.h', but it is still worth having it because we do not
> > want ltp
> > has many extra dependencies (e.g. libselinux-devel).
>
> +1
>
> > Reviewed-by: Li Wang <liwang@redhat.com>
>
> Thanks!
>
> > > ---
> > > Hi,
>
> > > @Li, Cyril:
> > > 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> > > If not, this commit would be dropped and second commit would just use
>
> > >         const int exp_errs[] = {tc->expected_errno, EACCES};
>
> > >         TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> > > tc->mark.flags,
> > >                                 tc->mask.flags, dirfd, path),
> > >                                 exp_errs);
>
> > > 2) Some time ago I proposed to merge some lib/*.c files, not
> > > just have so many files with single functions in the library. E.g.
> > > lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> > > into lib/tst_security.c. Or do we want to have these separate?
>
> > I think the answer is Yes. There are more and more lib/*.c files with
>
> I read "Yes" as to keep lib/tst_selinux.c, lib/tst_lockdown.c as separate.
>

Ohh, sorry, I don't mean that. More separate (boring!!!) files should be
avoided.

I think I should step away from the keyboard now, watching too much screen
time makes me foolish :).

--
Regards,
Li Wang

* Re: [LTP] [PATCH 1/2] lib: Add tst_selinux_enforcing()
From: Petr Vorel @ 2024-03-20 8:54 UTC
To: Li Wang; +Cc: Mete Durlu, ltp

> On Wed, Mar 20, 2024 at 3:56 PM Petr Vorel <pvorel@suse.cz> wrote:

> > Hi Li, all,

> > > Hi Petr,

> > > On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:

> > > > Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> > > > Signed-off-by: Petr Vorel <pvorel@suse.cz>

> > > This patch is doing the same work as security_getenforce() which provides
> > > by 'selinux/selinux.h', but it is still worth having it because we do not
> > > want ltp
> > > has many extra dependencies (e.g. libselinux-devel).

> > +1

> > > Reviewed-by: Li Wang <liwang@redhat.com>

> > Thanks!

> > > > ---
> > > > Hi,

> > > > @Li, Cyril:
> > > > 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> > > > If not, this commit would be dropped and second commit would just use

> > > >         const int exp_errs[] = {tc->expected_errno, EACCES};

> > > >         TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> > > > tc->mark.flags,
> > > >                                 tc->mask.flags, dirfd, path),
> > > >                                 exp_errs);

> > > > 2) Some time ago I proposed to merge some lib/*.c files, not
> > > > just have so many files with single functions in the library. E.g.
> > > > lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> > > > into lib/tst_security.c. Or do we want to have these separate?

> > > I think the answer is Yes. There are more and more lib/*.c files with

> > I read "Yes" as to keep lib/tst_selinux.c, lib/tst_lockdown.c as separate.

> Ohh, sorry, I don't mean that. More separate (boring!!!) files should be
> avoided.

Thank for info. I'll send this another version, which merge these two files.
I guess we could merge it soon.

Kind regards,
Petr

> I think I should step away from the keyboard now, watching too much screen
> time makes me foolish :).
