RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/checkpolicy#611818c50ab52cb1d01890df4a3296b290b7fd82
This commit is contained in:
parent
e7043d2ad3
commit
e92b874fda
107
.gitignore
vendored
107
.gitignore
vendored
@ -0,0 +1,107 @@
|
|||||||
|
checkpolicy-1.17.2.tgz
|
||||||
|
checkpolicy-1.17.3.tgz
|
||||||
|
checkpolicy-1.17.4.tgz
|
||||||
|
checkpolicy-1.17.5.tgz
|
||||||
|
checkpolicy-1.18.1.tgz
|
||||||
|
checkpolicy-1.19.1.tgz.tgz
|
||||||
|
checkpolicy-1.19.2.tgz
|
||||||
|
checkpolicy-1.20.1.tgz
|
||||||
|
checkpolicy-1.20.2.tgz
|
||||||
|
checkpolicy-1.21.3.tgz
|
||||||
|
checkpolicy-1.21.4.tgz
|
||||||
|
checkpolicy-1.22.tgz
|
||||||
|
checkpolicy-1.23.1.tgz
|
||||||
|
checkpolicy-1.23.2.tgz
|
||||||
|
checkpolicy-1.23.3.tgz
|
||||||
|
checkpolicy-1.23.4.tgz
|
||||||
|
checkpolicy-1.25.2.tgz
|
||||||
|
checkpolicy-1.25.3.tgz
|
||||||
|
checkpolicy-1.25.5.tgz
|
||||||
|
checkpolicy-1.25.8.tgz
|
||||||
|
checkpolicy-1.25.10.tgz
|
||||||
|
checkpolicy-1.25.11.tgz
|
||||||
|
checkpolicy-1.25.12.tgz
|
||||||
|
checkpolicy-1.26.tgz
|
||||||
|
checkpolicy-1.27.1.tgz
|
||||||
|
checkpolicy-1.27.2.tgz
|
||||||
|
checkpolicy-1.27.4.tgz
|
||||||
|
checkpolicy-1.27.5.tgz
|
||||||
|
checkpolicy-1.27.6.tgz
|
||||||
|
checkpolicy-1.27.7.tgz
|
||||||
|
checkpolicy-1.27.8.tgz
|
||||||
|
checkpolicy-1.27.9.tgz
|
||||||
|
checkpolicy-1.27.10.tgz
|
||||||
|
checkpolicy-1.27.11.tgz
|
||||||
|
checkpolicy-1.27.16.tgz
|
||||||
|
checkpolicy-1.27.17.tgz
|
||||||
|
checkpolicy-1.27.19.tgz
|
||||||
|
checkpolicy-1.27.20.tgz
|
||||||
|
checkpolicy-1.28.tgz
|
||||||
|
checkpolicy-1.29.1.tgz
|
||||||
|
checkpolicy-1.29.2.tgz
|
||||||
|
checkpolicy-1.29.4.tgz
|
||||||
|
checkpolicy-1.29.5.tgz
|
||||||
|
checkpolicy-1.30.tgz
|
||||||
|
checkpolicy-1.30.1.tgz
|
||||||
|
checkpolicy-1.30.3.tgz
|
||||||
|
checkpolicy-1.30.4.tgz
|
||||||
|
checkpolicy-1.30.5.tgz
|
||||||
|
checkpolicy-1.30.9.tgz
|
||||||
|
checkpolicy-1.30.10.tgz
|
||||||
|
checkpolicy-1.30.11.tgz
|
||||||
|
checkpolicy-1.30.12.tgz
|
||||||
|
checkpolicy-1.32.tgz
|
||||||
|
checkpolicy-1.33.1.tgz
|
||||||
|
checkpolicy-1.34.0.tgz
|
||||||
|
checkpolicy-2.0.0.tgz
|
||||||
|
checkpolicy-2.0.1.tgz
|
||||||
|
checkpolicy-2.0.2.tgz
|
||||||
|
checkpolicy-2.0.3.tgz
|
||||||
|
checkpolicy-2.0.4.tgz
|
||||||
|
checkpolicy-2.0.5.tgz
|
||||||
|
checkpolicy-2.0.6.tgz
|
||||||
|
checkpolicy-2.0.7.tgz
|
||||||
|
checkpolicy-2.0.8.tgz
|
||||||
|
checkpolicy-2.0.9.tgz
|
||||||
|
checkpolicy-2.0.10.tgz
|
||||||
|
checkpolicy-2.0.13.tgz
|
||||||
|
checkpolicy-2.0.14.tgz
|
||||||
|
checkpolicy-2.0.15.tgz
|
||||||
|
checkpolicy-2.0.16.tgz
|
||||||
|
checkpolicy-2.0.17.tgz
|
||||||
|
checkpolicy-2.0.18.tgz
|
||||||
|
checkpolicy-2.0.19.tgz
|
||||||
|
checkpolicy-2.0.20.tgz
|
||||||
|
checkpolicy-2.0.21.tgz
|
||||||
|
checkpolicy-2.0.22.tgz
|
||||||
|
/checkpolicy-2.0.23.tgz
|
||||||
|
/checkpolicy-2.0.24.tgz
|
||||||
|
/checkpolicy-2.0.26.tgz
|
||||||
|
/checkpolicy-2.1.0.tgz
|
||||||
|
/checkpolicy-2.1.1.tgz
|
||||||
|
/checkpolicy-2.1.3.tgz
|
||||||
|
/checkpolicy-2.1.4.tgz
|
||||||
|
/checkpolicy-2.1.5.tgz
|
||||||
|
/checkpolicy-2.1.6.tgz
|
||||||
|
/checkpolicy-2.1.7.tgz
|
||||||
|
/checkpolicy-2.1.8.tgz
|
||||||
|
/checkpolicy-2.1.9.tgz
|
||||||
|
/checkpolicy-2.1.10.tgz
|
||||||
|
/checkpolicy-2.1.11.tgz
|
||||||
|
/checkpolicy-2.1.12.tgz
|
||||||
|
/checkpolicy-2.2.tgz
|
||||||
|
/checkpolicy-2.3.tgz
|
||||||
|
/checkpolicy-2.4.tar.gz
|
||||||
|
/checkpolicy-2.5-rc1.tar.gz
|
||||||
|
/checkpolicy-2.5.tar.gz
|
||||||
|
/checkpolicy-2.6.tar.gz
|
||||||
|
/checkpolicy-2.7.tar.gz
|
||||||
|
/checkpolicy-2.8-rc1.tar.gz
|
||||||
|
/checkpolicy-2.8-rc3.tar.gz
|
||||||
|
/checkpolicy-2.8.tar.gz
|
||||||
|
/checkpolicy-2.9-rc1.tar.gz
|
||||||
|
/checkpolicy-2.9-rc2.tar.gz
|
||||||
|
/checkpolicy-2.9.tar.gz
|
||||||
|
/checkpolicy-3.0-rc1.tar.gz
|
||||||
|
/checkpolicy-3.0.tar.gz
|
||||||
|
/checkpolicy-3.1.tar.gz
|
954
checkpolicy.spec
Normal file
954
checkpolicy.spec
Normal file
@ -0,0 +1,954 @@
|
|||||||
|
%define libselinuxver 3.1
|
||||||
|
%define libsepolver 3.1
|
||||||
|
|
||||||
|
Summary: SELinux policy compiler
|
||||||
|
Name: checkpolicy
|
||||||
|
Version: 3.1
|
||||||
|
Release: 3%{?dist}
|
||||||
|
License: GPLv2
|
||||||
|
Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/checkpolicy-3.1.tar.gz
|
||||||
|
# $ git clone https://github.com/fedora-selinux/selinux.git
|
||||||
|
# $ cd selinux
|
||||||
|
# $ git format-patch -N checkpolicy-3.1 -- checkpolicy
|
||||||
|
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
||||||
|
# Patch list start
|
||||||
|
# Patch list end
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver}
|
||||||
|
|
||||||
|
%description
|
||||||
|
Security-enhanced Linux is a feature of the Linux® kernel and a number
|
||||||
|
of utilities with enhanced security functionality designed to add
|
||||||
|
mandatory access controls to Linux. The Security-enhanced Linux
|
||||||
|
kernel contains new architectural components originally developed to
|
||||||
|
improve the security of the Flask operating system. These
|
||||||
|
architectural components provide general support for the enforcement
|
||||||
|
of many kinds of mandatory access control policies, including those
|
||||||
|
based on the concepts of Type Enforcement®, Role-based Access
|
||||||
|
Control, and Multi-level Security.
|
||||||
|
|
||||||
|
This package contains checkpolicy, the SELinux policy compiler.
|
||||||
|
Only required for building policies.
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -p 2 -n checkpolicy-%{version}
|
||||||
|
|
||||||
|
%build
|
||||||
|
|
||||||
|
%set_build_flags
|
||||||
|
|
||||||
|
%make_build LIBDIR="%{_libdir}"
|
||||||
|
cd test
|
||||||
|
%make_build LIBDIR="%{_libdir}"
|
||||||
|
|
||||||
|
%install
|
||||||
|
mkdir -p ${RPM_BUILD_ROOT}%{_bindir}
|
||||||
|
%make_install LIBDIR="%{_libdir}"
|
||||||
|
install test/dismod ${RPM_BUILD_ROOT}%{_bindir}/sedismod
|
||||||
|
install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
|
||||||
|
|
||||||
|
%files
|
||||||
|
%{!?_licensedir:%global license %%doc}
|
||||||
|
%license COPYING
|
||||||
|
%{_bindir}/checkpolicy
|
||||||
|
%{_bindir}/checkmodule
|
||||||
|
%{_mandir}/man8/checkpolicy.8.gz
|
||||||
|
%{_mandir}/man8/checkmodule.8.gz
|
||||||
|
%{_mandir}/ru/man8/checkpolicy.8.gz
|
||||||
|
%{_mandir}/ru/man8/checkmodule.8.gz
|
||||||
|
%{_bindir}/sedismod
|
||||||
|
%{_bindir}/sedispol
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
|
||||||
|
- Use make macros
|
||||||
|
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||||
|
|
||||||
|
* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
|
||||||
|
- SELinux userspace 3.1 release
|
||||||
|
|
||||||
|
* Tue Jan 28 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-3
|
||||||
|
- Fix -fno-common issues discovered by GCC 10
|
||||||
|
|
||||||
|
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Dec 6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
|
||||||
|
- SELinux userspace 3.0 release
|
||||||
|
|
||||||
|
* Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.rc1.1
|
||||||
|
- SELinux userspace 3.0-rc1 release candidate
|
||||||
|
|
||||||
|
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
|
||||||
|
- SELinux userspace 2.9 release
|
||||||
|
|
||||||
|
* Mon Mar 11 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
|
||||||
|
- SELinux userspace 2.9-rc2 release
|
||||||
|
|
||||||
|
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
|
||||||
|
- SELinux userspace 2.9-rc1 release
|
||||||
|
|
||||||
|
* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-3
|
||||||
|
- Check the result value of hashtable_search
|
||||||
|
- Destroy the class datum if it fails to initialize
|
||||||
|
|
||||||
|
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
|
||||||
|
- SELinux userspace 2.8 release
|
||||||
|
|
||||||
|
* Tue May 15 2018 Petr Lautrbach <plautrba@workstation> - 2.8-0.rc3.1
|
||||||
|
- SELinux userspace 2.8-rc3 release candidate
|
||||||
|
|
||||||
|
* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
|
||||||
|
- SELinux userspace 2.8-rc1 release candidate
|
||||||
|
|
||||||
|
* Wed Mar 21 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-7
|
||||||
|
- Add support for the SCTP portcon keyword
|
||||||
|
|
||||||
|
* Tue Mar 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-6
|
||||||
|
- build: follow standard semantics for DESTDIR and PREFIX
|
||||||
|
|
||||||
|
* Thu Feb 22 2018 Florian Weimer <fweimer@redhat.com> - 2.7-5
|
||||||
|
- Use LDFLAGS from redhat-rpm-config
|
||||||
|
|
||||||
|
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.7-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Nov 22 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-3
|
||||||
|
- Rebuild with libsepol-2.7-3 and libselinux-2.7-6
|
||||||
|
|
||||||
|
* Fri Oct 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-2
|
||||||
|
- Rebuilt with libsepol-2.7-2
|
||||||
|
|
||||||
|
* Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-1
|
||||||
|
- Update to upstream release 2017-08-04
|
||||||
|
|
||||||
|
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Feb 15 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-1
|
||||||
|
- Update to upstream release 2016-10-14
|
||||||
|
|
||||||
|
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.5-9
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Oct 03 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-8
|
||||||
|
- Add types associated to a role in the current scope when parsing
|
||||||
|
|
||||||
|
* Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-7
|
||||||
|
- Extend checkpolicy pathname matching
|
||||||
|
- Rebuilt with libsepol-2.5-9
|
||||||
|
|
||||||
|
* Mon Jun 27 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-6
|
||||||
|
- Fix typos in sedispol
|
||||||
|
|
||||||
|
* Thu Jun 23 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-5
|
||||||
|
- Set flex as default lexer
|
||||||
|
- Fix checkmodule output message
|
||||||
|
|
||||||
|
* Wed May 11 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
|
||||||
|
- Rebuilt with libsepol-2.5-6
|
||||||
|
|
||||||
|
* Fri Apr 29 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
|
||||||
|
- Build policy on systems not supporting DCCP protocol
|
||||||
|
- Fail if module name different than output base filename
|
||||||
|
|
||||||
|
* Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-2
|
||||||
|
- Add support for portcon dccp protocol
|
||||||
|
|
||||||
|
* Tue Feb 23 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-1
|
||||||
|
- Update to upstream release 2016-02-23
|
||||||
|
|
||||||
|
* Sun Feb 21 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-0.1.rc1
|
||||||
|
- Update to upstream rc1 release 2016-01-07
|
||||||
|
|
||||||
|
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4-2.1
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 21 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-1.1
|
||||||
|
- Update to 2.4 release
|
||||||
|
|
||||||
|
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jul 11 2014 Tom Callaway <spot@fedoraproject.org> - 2.3-3
|
||||||
|
- fix license handling
|
||||||
|
|
||||||
|
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue May 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-1
|
||||||
|
- Update to upstream
|
||||||
|
* Add Android support for building dispol.
|
||||||
|
* Report source file and line information for neverallow failures.
|
||||||
|
* Prevent incompatible option combinations for checkmodule.
|
||||||
|
* Drop -lselinux from LDLIBS for test programs; not used.
|
||||||
|
* Add debug feature to display constraints/validatetrans from Richard Haines.
|
||||||
|
|
||||||
|
* Thu Oct 31 2013 Dan Walsh <dwalsh@redhat.com> - 2.2-1
|
||||||
|
- Update to upstream
|
||||||
|
* Fix hyphen usage in man pages from Laurent Bigonville.
|
||||||
|
* handle-unknown / -U required argument fix from Laurent Bigonville.
|
||||||
|
* Support overriding Makefile PATH and LIBDIR from Laurent Bigonville.
|
||||||
|
* Support space and : in filenames from Dan Walsh.
|
||||||
|
|
||||||
|
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.12-5
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-4
|
||||||
|
- Fix a segmentation fault if the --handle-unknown option was set without
|
||||||
|
arguments.
|
||||||
|
- Thanks to Alexandre Rebert and his team at Carnegie Mellon University
|
||||||
|
for detecting this crash.
|
||||||
|
|
||||||
|
* Tue Mar 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-3
|
||||||
|
- ":" should be allowed for file trans names
|
||||||
|
|
||||||
|
* Tue Mar 12 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
|
||||||
|
- Space should be allowed for file trans names
|
||||||
|
|
||||||
|
* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
|
||||||
|
- Update to upstream
|
||||||
|
* Fix errors found by coverity
|
||||||
|
* implement default type policy syntax
|
||||||
|
* Free allocated memory when clean up / exit.
|
||||||
|
|
||||||
|
* Sat Jan 5 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.11-3
|
||||||
|
- Update to latest patches from eparis/Upstream
|
||||||
|
- checkpolicy: libsepol: implement default type policy syntax
|
||||||
|
-
|
||||||
|
- We currently have a mechanism in which the default user, role, and range
|
||||||
|
- can be picked up from the source or the target object. This implements
|
||||||
|
- the same thing for types. The kernel will override this with type
|
||||||
|
- transition rules and similar. This is just the default if nothing
|
||||||
|
- specific is given.
|
||||||
|
|
||||||
|
|
||||||
|
* Wed Sep 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-2
|
||||||
|
- Rebuild with fixed libsepol
|
||||||
|
|
||||||
|
* Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-1
|
||||||
|
- Update to upstream
|
||||||
|
* fd leak reading policy
|
||||||
|
* check return code on ebitmap_set_bit
|
||||||
|
|
||||||
|
* Mon Jul 30 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-4
|
||||||
|
- Rebuild to grab latest libsepol
|
||||||
|
|
||||||
|
* Tue Jul 24 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-3
|
||||||
|
- Rebuild to grab latest libsepol
|
||||||
|
|
||||||
|
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.10-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jul 4 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-1
|
||||||
|
- Update to upstream
|
||||||
|
* sepolgen: We need to support files that have a + in them
|
||||||
|
* Android/MacOS X build support
|
||||||
|
|
||||||
|
* Mon Apr 23 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-4
|
||||||
|
- Rebuild to get latest libsepol which fixes the file_name transition problems
|
||||||
|
|
||||||
|
* Tue Apr 17 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-3
|
||||||
|
- Recompile with libsepol that has support for ptrace_child
|
||||||
|
|
||||||
|
* Tue Apr 3 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-2
|
||||||
|
- Allow checkpolicy to use + in a file name
|
||||||
|
|
||||||
|
* Thu Mar 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-1
|
||||||
|
- Update to upstream
|
||||||
|
* implement new default labeling behaviors for usr, role, range
|
||||||
|
* Fix dead links to www.nsa.gov/selinux
|
||||||
|
|
||||||
|
* Mon Jan 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
|
||||||
|
- Fix man page to link to www.nsa.giv/research/selinux
|
||||||
|
|
||||||
|
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.8-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-1
|
||||||
|
-Update to upstream
|
||||||
|
* add ignoredirs config for genhomedircon
|
||||||
|
* Fallback_user_level can be NULL if you are not using MLS
|
||||||
|
|
||||||
|
* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-3
|
||||||
|
- default_rules should be optional
|
||||||
|
|
||||||
|
* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-2
|
||||||
|
- Rebuild with latest libsepol
|
||||||
|
|
||||||
|
* Tue Dec 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-1
|
||||||
|
- Upgrade to upstream
|
||||||
|
* dis* fixed signed vs unsigned errors
|
||||||
|
* dismod: fix unused parameter errors
|
||||||
|
* test: Makefile: include -W and -Werror
|
||||||
|
* allow ~ in filename transition rules
|
||||||
|
- Allow policy to specify the source of target for generating the default user,role
|
||||||
|
- or mls label for a new target.
|
||||||
|
|
||||||
|
* Mon Nov 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-2
|
||||||
|
- Allow ~ in a filename
|
||||||
|
|
||||||
|
* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-1
|
||||||
|
- Upgrade to upstream
|
||||||
|
* Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules"
|
||||||
|
* drop libsepol dynamic link in checkpolicy
|
||||||
|
|
||||||
|
* Tue Sep 20 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-2
|
||||||
|
- Fix checkpolicy to ignore '"' in filename trans rules
|
||||||
|
|
||||||
|
* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
|
||||||
|
-Update to upstream
|
||||||
|
* Separate tunable from boolean during compile.
|
||||||
|
|
||||||
|
* Tue Aug 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-0
|
||||||
|
-Update to upstream
|
||||||
|
* checkpolicy: fix spacing in output message
|
||||||
|
|
||||||
|
* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-0
|
||||||
|
* add missing ; to attribute_role_def
|
||||||
|
*Redo filename/filesystem syntax to support filename trans
|
||||||
|
|
||||||
|
* Wed Aug 3 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-0
|
||||||
|
-Update to upstream
|
||||||
|
* .gitignore changes
|
||||||
|
* dispol output of role trans
|
||||||
|
* man page update: build a module with an older policy version
|
||||||
|
|
||||||
|
* Thu Jul 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.1-0
|
||||||
|
-Update to upstream
|
||||||
|
* Minor updates to filename trans rule output in dis{mod,pol}
|
||||||
|
|
||||||
|
* Thu Jul 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.0-1
|
||||||
|
-Update to upstream
|
||||||
|
|
||||||
|
* Mon May 23 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.26-1
|
||||||
|
-Update to upstream
|
||||||
|
* Wrap file names in filename transitions with quotes by Steve Lawrence.
|
||||||
|
* Allow filesystem names to start with a digit by James Carter.
|
||||||
|
* Add support for using the last path compnent in type transitions by Eric
|
||||||
|
|
||||||
|
* Thu Apr 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-2
|
||||||
|
* Fixes for new role_transition class field by Eric Paris.
|
||||||
|
|
||||||
|
* Fri Apr 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-2
|
||||||
|
- Add "-" as a file type
|
||||||
|
|
||||||
|
* Tue Apr 12 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.24-1
|
||||||
|
-Update to upstream
|
||||||
|
* Add new class field in role_transition by Harry Ciao.
|
||||||
|
|
||||||
|
* Mon Apr 11 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-5
|
||||||
|
- Fix type_transition to allow all files
|
||||||
|
|
||||||
|
* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-4
|
||||||
|
- Patches from Eric Paris
|
||||||
|
We just use random numbers to make menu selections. Use #defines and
|
||||||
|
names that make some sense instead.
|
||||||
|
|
||||||
|
This patch adds support for using the last path component as part of the
|
||||||
|
information in making labeling decisions for new objects. A example
|
||||||
|
rule looks like so:
|
||||||
|
|
||||||
|
type_transition unconfined_t etc_t:file system_conf_t eric;
|
||||||
|
|
||||||
|
This rule says if unconfined_t creates a file in a directory labeled
|
||||||
|
etc_t and the last path component is "eric" (no globbing, no matching
|
||||||
|
magic, just exact strcmp) it should be labeled system_conf_t.
|
||||||
|
|
||||||
|
The kernel and policy representation does not have support for such
|
||||||
|
rules in conditionals, and thus policy explicitly notes that fact if
|
||||||
|
such a rule is added to a conditional.
|
||||||
|
|
||||||
|
|
||||||
|
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.23-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jan 12 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.23-2
|
||||||
|
- Add James Carters Patch
|
||||||
|
*This patch is needed because some filesystem names (such as 9p) start
|
||||||
|
with a digit.
|
||||||
|
|
||||||
|
* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.23-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Remove unused variables to fix compliation under GCC 4.6 by Justin Mattock
|
||||||
|
|
||||||
|
* Wed Dec 8 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.22-2
|
||||||
|
- Rebuild to make sure it will build in Fedora
|
||||||
|
|
||||||
|
* Wed Jun 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.22-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence
|
||||||
|
- Allow policy version to be one number
|
||||||
|
|
||||||
|
* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.21-2
|
||||||
|
- Fix checkmodule man page and usage statements
|
||||||
|
|
||||||
|
* Sun Nov 1 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.21-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Add support for building Xen policies from Paul Nuzzi.
|
||||||
|
* Add long options to checkpolicy and checkmodule by Guido
|
||||||
|
Trentalancia <guido@trentalancia.com>
|
||||||
|
|
||||||
|
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Feb 18 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.19-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Fix alias field in module format, caused by boundary format change
|
||||||
|
from Caleb Case.
|
||||||
|
|
||||||
|
* Fri Jan 30 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.18-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Properly escape regex symbols in the lexer from Stephen Smalley.
|
||||||
|
* Add bounds support from KaiGai Kohei.
|
||||||
|
|
||||||
|
* Tue Oct 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-4
|
||||||
|
|
||||||
|
* Mon Jul 7 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-3
|
||||||
|
- Rebuild with new libsepol
|
||||||
|
|
||||||
|
* Wed May 28 2008 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.16-2
|
||||||
|
- fix license tag
|
||||||
|
|
||||||
|
* Wed May 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.16-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Update checkpolicy for user and role mapping support from Joshua Brindle.
|
||||||
|
|
||||||
|
* Fri May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.15-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Fix for policy module versions that look like IPv4 addresses from Jim Carter.
|
||||||
|
Resolves bug 444451.
|
||||||
|
|
||||||
|
* Fri May 2 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.14-2
|
||||||
|
- Allow modules with 4 sections or more
|
||||||
|
|
||||||
|
* Thu Mar 27 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.14-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Add permissive domain support from Eric Paris.
|
||||||
|
|
||||||
|
* Thu Mar 13 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.13-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Split out non-grammar parts of policy_parse.yacc into
|
||||||
|
policy_define.c and policy_define.h from Todd C. Miller.
|
||||||
|
* Initialize struct policy_file before using it, from Todd C. Miller.
|
||||||
|
* Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller.
|
||||||
|
|
||||||
|
* Thu Feb 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.10-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Use yyerror2() where appropriate from Todd C. Miller.
|
||||||
|
- Build against latest libsepol
|
||||||
|
|
||||||
|
* Fri Feb 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.9-2
|
||||||
|
- Start shipping sedismod and sedispol
|
||||||
|
|
||||||
|
* Mon Feb 4 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.9-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Update dispol for libsepol avtab changes from Stephen Smalley.
|
||||||
|
|
||||||
|
* Fri Jan 25 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.8-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Deprecate role dominance in parser.
|
||||||
|
|
||||||
|
* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.7-2
|
||||||
|
- Update to use libsepol-static library
|
||||||
|
|
||||||
|
* Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.7-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Added support for policy capabilities from Todd Miller.
|
||||||
|
|
||||||
|
* Thu Nov 15 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.6-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source".
|
||||||
|
* Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter.
|
||||||
|
|
||||||
|
* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1
|
||||||
|
* Merged handle unknown policydb flag support from Eric Paris.
|
||||||
|
Adds new command line options -U {allow, reject, deny} for selecting
|
||||||
|
the flag when a base module or kernel policy is built.
|
||||||
|
|
||||||
|
* Tue Aug 28 2007 Fedora Release Engineering <rel-eng at fedoraproject dot org> - 2.0.3-3
|
||||||
|
- Rebuild for selinux ppc32 issue.
|
||||||
|
|
||||||
|
* Mon Jun 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-2
|
||||||
|
- Rebuild with the latest libsepol
|
||||||
|
|
||||||
|
* Sun Jun 17 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.3-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Merged fix for segfault on duplicate require of sensitivity from Caleb Case.
|
||||||
|
* Merged fix for dead URLs in checkpolicy man pages from Dan Walsh.
|
||||||
|
|
||||||
|
* Thu Apr 12 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Merged checkmodule man page fix from Dan Walsh.
|
||||||
|
|
||||||
|
* Fri Mar 30 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-3
|
||||||
|
- Rebuild with new libsepol
|
||||||
|
|
||||||
|
* Wed Mar 28 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-2
|
||||||
|
- Rebuild with new libsepol
|
||||||
|
|
||||||
|
* Mon Nov 20 2006 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Merged patch to allow dots in class identifiers from Caleb Case.
|
||||||
|
|
||||||
|
* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 2.0.0-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Merged patch to use new libsepol error codes by Karl MacMillan.
|
||||||
|
* Updated version for stable branch.
|
||||||
|
|
||||||
|
* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-2
|
||||||
|
- Rebuild for new libraries
|
||||||
|
|
||||||
|
* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Collapse user identifiers and identifiers together.
|
||||||
|
|
||||||
|
* Tue Oct 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.32-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Updated version for release.
|
||||||
|
|
||||||
|
* Thu Sep 28 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.12-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* Merged user and range_transition support for modules from
|
||||||
|
Darrel Goeddel
|
||||||
|
|
||||||
|
* Wed Sep 6 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.11-1
|
||||||
|
- Latest update from NSA
|
||||||
|
* merged range_transition enhancements and user module format
|
||||||
|
changes from Darrel Goeddel
|
||||||
|
* Merged symtab datum patch from Karl MacMillan.
|
||||||
|
|
||||||
|
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.30.9-1.1
|
||||||
|
- rebuild
|
||||||
|
|
||||||
|
* Tue Jul 4 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.8-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Lindent.
|
||||||
|
* Merged patch to remove TE rule conflict checking from the parser
|
||||||
|
from Joshua Brindle. This can only be done properly by the
|
||||||
|
expander.
|
||||||
|
* Merged patch to make checkpolicy/checkmodule handling of
|
||||||
|
duplicate/conflicting TE rules the same as the expander
|
||||||
|
from Joshua Brindle.
|
||||||
|
* Merged optionals in base take 2 patch set from Joshua Brindle.
|
||||||
|
|
||||||
|
* Tue May 23 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.5-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged compiler cleanup patch from Karl MacMillan.
|
||||||
|
* Merged fix warnings patch from Karl MacMillan.
|
||||||
|
|
||||||
|
* Wed Apr 5 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.4-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Changed require_class to reject permissions that have not been
|
||||||
|
declared if building a base module.
|
||||||
|
|
||||||
|
* Tue Mar 28 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.3-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Fixed checkmodule to call link_modules prior to expand_module
|
||||||
|
to handle optionals.
|
||||||
|
* Fixed require_class to avoid shadowing permissions already defined
|
||||||
|
in an inherited common definition.
|
||||||
|
|
||||||
|
* Mon Mar 27 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.1-2
|
||||||
|
- Rebuild with new libsepol
|
||||||
|
|
||||||
|
* Thu Mar 23 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.1-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Moved processing of role and user require statements to 2nd pass.
|
||||||
|
|
||||||
|
* Fri Mar 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.30-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Updated version for release.
|
||||||
|
* Fixed bug in role dominance (define_role_dom).
|
||||||
|
|
||||||
|
* Fri Feb 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.4-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Added a check for failure to declare each sensitivity in
|
||||||
|
a level definition.
|
||||||
|
* Changed to clone level data for aliased sensitivities to
|
||||||
|
avoid double free upon sens_destroy. Bug reported by Kevin
|
||||||
|
Carr of Tresys Technology.
|
||||||
|
|
||||||
|
* Mon Feb 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.2-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged optionals in base patch from Joshua Brindle.
|
||||||
|
|
||||||
|
* Mon Feb 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.29.1-1.2
|
||||||
|
- Need to build againi
|
||||||
|
|
||||||
|
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.29.1-1.1
|
||||||
|
- bump again for double-long bug on ppc(64)
|
||||||
|
|
||||||
|
* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.1-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged sepol_av_to_string patch from Joshua Brindle.
|
||||||
|
|
||||||
|
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.28-5.1
|
||||||
|
- rebuilt for new gcc4.1 snapshot and glibc changes
|
||||||
|
|
||||||
|
* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.28-5
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.28-5
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Thu Jan 5 2006 Dan Walsh <dwalsh@redhat.com> 1.28-4
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Wed Jan 4 2006 Dan Walsh <dwalsh@redhat.com> 1.28-3
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Fri Dec 16 2005 Dan Walsh <dwalsh@redhat.com> 1.28-2
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
|
||||||
|
- rebuilt
|
||||||
|
|
||||||
|
* Fri Dec 9 2005 Dan Walsh <dwalsh@redhat.com> 1.28-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
|
||||||
|
* Sun Dec 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.20-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged checkmodule man page from Dan Walsh, and edited it.
|
||||||
|
|
||||||
|
* Thu Dec 1 2005 Dan Walsh <dwalsh@redhat.com> 1.27.19-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Added error checking of all ebitmap_set_bit calls for out of
|
||||||
|
memory conditions.
|
||||||
|
* Merged removal of compatibility handling of netlink classes
|
||||||
|
(requirement that policies with newer versions include the
|
||||||
|
netlink class definitions, remapping of fine-grained netlink
|
||||||
|
classes in newer source policies to single netlink class when
|
||||||
|
generating older policies) from George Coker.
|
||||||
|
|
||||||
|
* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-7
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Tue Oct 25 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged dismod fix from Joshua Brindle.
|
||||||
|
|
||||||
|
* Thu Oct 20 2005 Dan Walsh <dwalsh@redhat.com> 1.27.16-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Removed obsolete cond_check_type_rules() function and call and
|
||||||
|
cond_optimize_lists() call from checkpolicy.c; these are handled
|
||||||
|
during parsing and expansion now.
|
||||||
|
* Updated calls to expand_module for interface change.
|
||||||
|
* Changed checkmodule to verify that expand_module succeeds
|
||||||
|
when building base modules.
|
||||||
|
* Merged module compiler fixes from Joshua Brindle.
|
||||||
|
* Removed direct calls to hierarchy_check_constraints() and
|
||||||
|
check_assertions() from checkpolicy since they are now called
|
||||||
|
internally by expand_module().
|
||||||
|
|
||||||
|
* Tue Oct 18 2005 Dan Walsh <dwalsh@redhat.com> 1.27.11-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Updated for changes to sepol policydb_index_others interface.
|
||||||
|
|
||||||
|
* Tue Oct 18 2005 Dan Walsh <dwalsh@redhat.com> 1.27.10-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Updated for changes to sepol expand_module and link_modules interfaces.
|
||||||
|
* Sat Oct 15 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-2
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Fri Oct 14 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged support for require blocks inside conditionals from
|
||||||
|
Joshua Brindle (Tresys).
|
||||||
|
|
||||||
|
* Wed Oct 12 2005 Karsten Hopp <karsten@redhat.de> 1.27.8-2
|
||||||
|
- add buildrequirement for libselinux-devel for dispol
|
||||||
|
|
||||||
|
* Mon Oct 10 2005 Dan Walsh <dwalsh@redhat.com> 1.27.8-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Updated for changes to libsepol.
|
||||||
|
|
||||||
|
* Fri Oct 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.7-2
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Thu Oct 6 2005 Dan Walsh <dwalsh@redhat.com> 1.27.7-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged several bug fixes from Joshua Brindle (Tresys).
|
||||||
|
|
||||||
|
* Tue Oct 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.6-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged MLS in modules patch from Joshua Brindle (Tresys).
|
||||||
|
|
||||||
|
* Mon Oct 3 2005 Dan Walsh <dwalsh@redhat.com> 1.27.5-2
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Wed Sep 28 2005 Dan Walsh <dwalsh@redhat.com> 1.27.5-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged error handling improvement in checkmodule from Karl MacMillan (Tresys).
|
||||||
|
|
||||||
|
* Tue Sep 27 2005 Dan Walsh <dwalsh@redhat.com> 1.27.4-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged bugfix for dup role transition error messages from
|
||||||
|
Karl MacMillan (Tresys).
|
||||||
|
|
||||||
|
* Fri Sep 23 2005 Dan Walsh <dwalsh@redhat.com> 1.27.3-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged policyver/modulever patches from Joshua Brindle (Tresys).
|
||||||
|
|
||||||
|
* Wed Sep 21 2005 Dan Walsh <dwalsh@redhat.com> 1.27.2-2
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Wed Sep 21 2005 Dan Walsh <dwalsh@redhat.com> 1.27.2-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Fixed parse_categories handling of undefined category.
|
||||||
|
|
||||||
|
* Tue Sep 20 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-2
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Sat Sep 17 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Merged bug fix for role dominance handling from Darrel Goeddel (TCS).
|
||||||
|
* Wed Sep 14 2005 Dan Walsh <dwalsh@redhat.com> 1.26-2
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Mon Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-1
|
||||||
|
- Latest upgrade from NSA
|
||||||
|
* Updated version for release.
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Thu Sep 1 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-3
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Mon Aug 29 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-2
|
||||||
|
- Rebuild to get latest libsepol
|
||||||
|
|
||||||
|
* Mon Aug 22 2005 Dan Walsh <dwalsh@redhat.com> 1.25.12-1
|
||||||
|
- Update to NSA Release
|
||||||
|
* Fixed handling of validatetrans constraint expressions.
|
||||||
|
Bug reported by Dan Walsh for checkpolicy -M.
|
||||||
|
|
||||||
|
* Mon Aug 22 2005 Dan Walsh <dwalsh@redhat.com> 1.25.11-2
|
||||||
|
- Fix mls crash
|
||||||
|
|
||||||
|
* Fri Aug 19 2005 Dan Walsh <dwalsh@redhat.com> 1.25.11-1
|
||||||
|
- Update to NSA Release
|
||||||
|
* Merged use-after-free fix from Serge Hallyn (IBM).
|
||||||
|
Bug found by Coverity.
|
||||||
|
|
||||||
|
* Sun Aug 14 2005 Dan Walsh <dwalsh@redhat.com> 1.25.10-1
|
||||||
|
- Update to NSA Release
|
||||||
|
* Fixed further memory leaks found by valgrind.
|
||||||
|
* Changed checkpolicy to destroy the policydbs prior to exit
|
||||||
|
to allow leak detection.
|
||||||
|
* Fixed several memory leaks found by valgrind.
|
||||||
|
|
||||||
|
* Sun Aug 14 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-3
|
||||||
|
- Rebuild to get latest libsepol changes
|
||||||
|
|
||||||
|
* Sat Aug 13 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-2
|
||||||
|
- Rebuild to get latest libsepol changes
|
||||||
|
|
||||||
|
* Thu Aug 11 2005 Dan Walsh <dwalsh@redhat.com> 1.25.8-1
|
||||||
|
- Update to NSA Release
|
||||||
|
* Updated checkpolicy and dispol for the new avtab format.
|
||||||
|
Converted users of ebitmaps to new inline operators.
|
||||||
|
Note: The binary policy format version has been incremented to
|
||||||
|
version 20 as a result of these changes. To build a policy
|
||||||
|
for a kernel that does not yet include these changes, use
|
||||||
|
the -c 19 option to checkpolicy.
|
||||||
|
* Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys).
|
||||||
|
* Merged patch to fix dismod compilation from Joshua Brindle (Tresys).
|
||||||
|
|
||||||
|
* Wed Aug 10 2005 Dan Walsh <dwalsh@redhat.com> 1.25.5-1
|
||||||
|
- Update to NSA Release
|
||||||
|
* Fixed call to hierarchy checking code to pass the right policydb.
|
||||||
|
* Merged patch to update dismod for the relocation of the
|
||||||
|
module read/write code from libsemanage to libsepol, and
|
||||||
|
to enable build of test subdirectory from Jason Tang (Tresys).
|
||||||
|
|
||||||
|
* Thu Jul 28 2005 Dan Walsh <dwalsh@redhat.com> 1.25.3-1
|
||||||
|
- Update to NSA Release
|
||||||
|
* Merged hierarchy check fix from Joshua Brindle (Tresys).
|
||||||
|
|
||||||
|
* Thu Jul 7 2005 Dan Walsh <dwalsh@redhat.com> 1.25.2-1
|
||||||
|
- Update to NSA Release
|
||||||
|
* Merged loadable module support from Tresys Technology.
|
||||||
|
* Merged patch to prohibit the use of * and ~ in type sets
|
||||||
|
(other than in neverallow statements) and in role sets
|
||||||
|
from Joshua Brindle (Tresys).
|
||||||
|
* Updated version for release.
|
||||||
|
|
||||||
|
* Fri May 20 2005 Dan Walsh <dwalsh@redhat.com> 1.23-4-1
|
||||||
|
- Update to NSA Release
|
||||||
|
* Merged cleanup patch from Dan Walsh.
|
||||||
|
|
||||||
|
* Thu May 19 2005 Dan Walsh <dwalsh@redhat.com> 1.23-3-1
|
||||||
|
- Update to NSA Release
|
||||||
|
* Added sepol_ prefix to Flask types to avoid namespace
|
||||||
|
collision with libselinux.
|
||||||
|
|
||||||
|
* Sat May 7 2005 Dan Walsh <dwalsh@redhat.com> 1.23-2-1
|
||||||
|
- Update to NSA Release
|
||||||
|
* Merged identifier fix from Joshua Brindle (Tresys).
|
||||||
|
|
||||||
|
* Thu Apr 14 2005 Dan Walsh <dwalsh@redhat.com> 1.23,1-1
|
||||||
|
* Merged hierarchical type/role patch from Tresys Technology.
|
||||||
|
* Merged MLS fixes from Darrel Goeddel of TCS.
|
||||||
|
|
||||||
|
* Thu Mar 10 2005 Dan Walsh <dwalsh@redhat.com> 1.22-1
|
||||||
|
- Update to NSA Release
|
||||||
|
|
||||||
|
* Tue Mar 1 2005 Dan Walsh <dwalsh@redhat.com> 1.21.4-2
|
||||||
|
- Rebuild for FC4
|
||||||
|
|
||||||
|
* Thu Feb 17 2005 Dan Walsh <dwalsh@redhat.com> 1.21.4-1
|
||||||
|
* Merged define_user() cleanup patch from Darrel Goeddel (TCS).
|
||||||
|
* Moved genpolusers utility to libsepol.
|
||||||
|
* Merged range_transition support from Darrel Goeddel (TCS).
|
||||||
|
|
||||||
|
* Thu Feb 10 2005 Dan Walsh <dwalsh@redhat.com> 1.21.2-1
|
||||||
|
- Latest from NSA
|
||||||
|
* Changed relabel Makefile target to use restorecon.
|
||||||
|
|
||||||
|
* Mon Feb 7 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-1
|
||||||
|
- Latest from NSA
|
||||||
|
* Merged enhanced MLS support from Darrel Goeddel (TCS).
|
||||||
|
|
||||||
|
* Fri Jan 7 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-1
|
||||||
|
- Update for version increase at NSA
|
||||||
|
|
||||||
|
* Mon Dec 20 2004 Dan Walsh <dwalsh@redhat.com> 1.19.2-1
|
||||||
|
- Latest from NSA
|
||||||
|
* Merged typeattribute statement patch from Darrel Goeddel of TCS.
|
||||||
|
* Changed genpolusers to handle multiple user config files.
|
||||||
|
* Merged nodecon ordering patch from Chad Hanson of TCS.
|
||||||
|
|
||||||
|
* Thu Nov 11 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-1
|
||||||
|
- Latest from NSA
|
||||||
|
* Merged nodecon ordering patch from Chad Hanson of TCS.
|
||||||
|
|
||||||
|
* Thu Nov 4 2004 Dan Walsh <dwalsh@redhat.com> 1.18.1-1
|
||||||
|
- Latest from NSA
|
||||||
|
* MLS build fix.
|
||||||
|
|
||||||
|
* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.5-1
|
||||||
|
- Latest from NSA
|
||||||
|
* Fixed Makefile dependencies (Chris PeBenito).
|
||||||
|
|
||||||
|
* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.4-1
|
||||||
|
- Latest from NSA
|
||||||
|
* Fixed Makefile dependencies (Chris PeBenito).
|
||||||
|
|
||||||
|
* Sat Sep 4 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1
|
||||||
|
- Latest from NSA
|
||||||
|
* Merged fix for role dominance ordering issue from Chad Hanson of TCS.
|
||||||
|
|
||||||
|
* Mon Aug 30 2004 Dan Walsh <dwalsh@redhat.com> 1.17.2-1
|
||||||
|
- Latest from NSA
|
||||||
|
|
||||||
|
* Thu Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.16.3-1
|
||||||
|
- Fix NSA package to not include y.tab files.
|
||||||
|
|
||||||
|
* Tue Aug 24 2004 Dan Walsh <dwalsh@redhat.com> 1.16.2-1
|
||||||
|
- Latest from NSA
|
||||||
|
- Allow port ranges to overlap
|
||||||
|
|
||||||
|
* Sun Aug 22 2004 Dan Walsh <dwalsh@redhat.com> 1.16.1-1
|
||||||
|
- Latest from NSA
|
||||||
|
|
||||||
|
* Mon Aug 16 2004 Dan Walsh <dwalsh@redhat.com> 1.15.6-1
|
||||||
|
- Latest from NSA
|
||||||
|
|
||||||
|
* Fri Aug 13 2004 Dan Walsh <dwalsh@redhat.com> 1.15.5-1
|
||||||
|
- Latest from NSA
|
||||||
|
|
||||||
|
* Wed Aug 11 2004 Dan Walsh <dwalsh@redhat.com> 1.15.4-1
|
||||||
|
- Latest from NSA
|
||||||
|
|
||||||
|
* Sat Aug 7 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
|
||||||
|
- Latest from NSA
|
||||||
|
|
||||||
|
* Wed Aug 4 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-1
|
||||||
|
- Latest from NSA
|
||||||
|
|
||||||
|
* Sat Jul 31 2004 Dan Walsh <dwalsh@redhat.com> 1.15.1-1
|
||||||
|
- Latest from NSA
|
||||||
|
|
||||||
|
* Tue Jul 27 2004 Dan Walsh <dwalsh@redhat.com> 1.14.2-1
|
||||||
|
- Latest from NSA
|
||||||
|
|
||||||
|
* Wed Jun 30 2004 Dan Walsh <dwalsh@redhat.com> 1.14.1-1
|
||||||
|
- Latest from NSA
|
||||||
|
|
||||||
|
* Fri Jun 18 2004 Dan Walsh <dwalsh@redhat.com> 1.12.2-1
|
||||||
|
- Latest from NSA
|
||||||
|
|
||||||
|
* Thu Jun 17 2004 Dan Walsh <dwalsh@redhat.com> 1.12.1-1
|
||||||
|
- Update to latest from NSA
|
||||||
|
|
||||||
|
* Wed Jun 16 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1
|
||||||
|
- Update to latest from NSA
|
||||||
|
|
||||||
|
* Wed Jun 16 2004 Dan Walsh <dwalsh@redhat.com> 1.10-5
|
||||||
|
- Add nlclass patch
|
||||||
|
|
||||||
|
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
|
||||||
|
- rebuilt
|
||||||
|
|
||||||
|
* Fri Jun 4 2004 Dan Walsh <dwalsh@redhat.com> 1.10-3
|
||||||
|
- Add BuildRequires flex
|
||||||
|
|
||||||
|
* Thu Apr 8 2004 Dan Walsh <dwalsh@redhat.com> 1.10-2
|
||||||
|
- Add BuildRequires byacc
|
||||||
|
|
||||||
|
* Thu Apr 8 2004 Dan Walsh <dwalsh@redhat.com> 1.10-1
|
||||||
|
- Upgrade to the latest from NSA
|
||||||
|
|
||||||
|
* Mon Mar 15 2004 Dan Walsh <dwalsh@redhat.com> 1.8-1
|
||||||
|
- Upgrade to the latest from NSA
|
||||||
|
|
||||||
|
* Tue Feb 24 2004 Dan Walsh <dwalsh@redhat.com> 1.6-1
|
||||||
|
- Upgrade to the latest from NSA
|
||||||
|
|
||||||
|
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
|
||||||
|
- rebuilt
|
||||||
|
|
||||||
|
* Tue Jan 20 2004 Dan Walsh <dwalsh@redhat.com> 1.4-6
|
||||||
|
- Add typealias patch
|
||||||
|
|
||||||
|
* Tue Jan 20 2004 Dan Walsh <dwalsh@redhat.com> 1.4-5
|
||||||
|
- Update excludetypes with negset-final patch
|
||||||
|
|
||||||
|
* Wed Jan 14 2004 Dan Walsh <dwalsh@redhat.com> 1.4-4
|
||||||
|
- Add excludetypes patch
|
||||||
|
|
||||||
|
* Wed Jan 14 2004 Dan Walsh <dwalsh@redhat.com> 1.4-3
|
||||||
|
- Add Colin Walter's lineno patch
|
||||||
|
|
||||||
|
* Wed Jan 7 2004 Dan Walsh <dwalsh@redhat.com> 1.4-2
|
||||||
|
- Remove check for roles transition
|
||||||
|
|
||||||
|
* Sat Dec 6 2003 Dan Walsh <dwalsh@redhat.com> 1.4-1
|
||||||
|
- upgrade to 1.4
|
||||||
|
|
||||||
|
* Wed Oct 1 2003 Dan Walsh <dwalsh@redhat.com> 1.2-1
|
||||||
|
- upgrade to 1.2
|
||||||
|
|
||||||
|
* Thu Aug 28 2003 Dan Walsh <dwalsh@redhat.com> 1.1-2
|
||||||
|
- upgrade to 1.1
|
||||||
|
|
||||||
|
* Mon Jun 2 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
|
||||||
|
- Initial version
|
1
sources
Normal file
1
sources
Normal file
@ -0,0 +1 @@
|
|||||||
|
SHA512 (checkpolicy-3.1.tar.gz) = 2276a5a0919286049d2ceba386ef5f6de523745b588bb81cb4fed5eced5fd0b8070249b7a3ae5a85e2abb9369a86318f727d4073aad14ab75c43750a46069168
|
67
tests/checkmodule/Makefile
Normal file
67
tests/checkmodule/Makefile
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/checkpolicy/Sanity/checkmodule
|
||||||
|
# Description: runs checkmodule with various options to find out if it behaves correctly
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/checkpolicy/Sanity/checkmodule
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE mypolicy.te
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: runs checkmodule with various options to find out if it behaves correctly" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 10m" >> $(METADATA)
|
||||||
|
@echo "RunFor: checkpolicy" >> $(METADATA)
|
||||||
|
@echo "Requires: checkpolicy" >> $(METADATA)
|
||||||
|
@echo "Requires: man" >> $(METADATA)
|
||||||
|
@echo "Requires: grep" >> $(METADATA)
|
||||||
|
@echo "Requires: mktemp" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
||||||
|
|
5
tests/checkmodule/PURPOSE
Normal file
5
tests/checkmodule/PURPOSE
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
PURPOSE of /CoreOS/checkpolicy/Sanity/checkmodule
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
||||||
|
This TC runs checkmodule with various options to find out if it behaves correctly.
|
||||||
|
|
9
tests/checkmodule/mypolicy.te
Normal file
9
tests/checkmodule/mypolicy.te
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
module mypolicy 1.0;
|
||||||
|
require {
|
||||||
|
type httpd_log_t;
|
||||||
|
type postfix_postdrop_t;
|
||||||
|
class dir getattr;
|
||||||
|
class file { read getattr };
|
||||||
|
}
|
||||||
|
allow postfix_postdrop_t httpd_log_t:file getattr;
|
||||||
|
|
101
tests/checkmodule/runtest.sh
Normal file
101
tests/checkmodule/runtest.sh
Normal file
@ -0,0 +1,101 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/checkpolicy/Sanity/checkmodule
|
||||||
|
# Description: runs checkmodule with various options to find out if it behaves correctly
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include rhts environment
|
||||||
|
. /usr/bin/rhts-environment.sh
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh
|
||||||
|
|
||||||
|
PACKAGE="checkpolicy"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
TEST_FILE=`mktemp`
|
||||||
|
TEST_DIR=`mktemp -d`
|
||||||
|
rlRun "rpm -ql ${PACKAGE} | grep bin/checkmodule"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "checkmodule >& ${TEST_FILE}" 1
|
||||||
|
rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE}
|
||||||
|
rlRun "checkmodule -b >& ${TEST_FILE}" 1
|
||||||
|
rlAssertGrep "loading policy configuration from policy" ${TEST_FILE}
|
||||||
|
rlRun "checkmodule -V"
|
||||||
|
rlRun "checkmodule -U 1>/dev/null" 1
|
||||||
|
rlRun "rm -f policy.conf"
|
||||||
|
for OPTION in "deny" "reject" "allow" ; do
|
||||||
|
rlRun "checkmodule -U ${OPTION} >& ${TEST_FILE}" 1
|
||||||
|
rlAssertGrep "unable to open policy.conf" ${TEST_FILE}
|
||||||
|
done
|
||||||
|
rlRun "rm -f ${TEST_FILE}"
|
||||||
|
rlRun "touch ${TEST_FILE}"
|
||||||
|
rlRun "rm -rf ${TEST_DIR}"
|
||||||
|
rlRun "mkdir ${TEST_DIR}"
|
||||||
|
rlRun "checkmodule ${TEST_FILE}" 1,2
|
||||||
|
rlRun "checkmodule -b ${TEST_FILE}" 1
|
||||||
|
rlRun "checkmodule ${TEST_DIR}" 1,2
|
||||||
|
rlRun "checkmodule -b ${TEST_DIR}" 1
|
||||||
|
rlRun "rm -f ${TEST_FILE}"
|
||||||
|
rlRun "rm -rf ${TEST_DIR}"
|
||||||
|
rlRun "checkmodule ${TEST_FILE}" 1
|
||||||
|
rlRun "checkmodule -b ${TEST_FILE}" 1
|
||||||
|
if rlIsRHEL 5 ; then
|
||||||
|
rlRun "checkmodule --help 2>&1 | grep -- -d"
|
||||||
|
fi
|
||||||
|
rlRun "checkmodule --help 2>&1 | grep -- -h"
|
||||||
|
rlRun "checkmodule --help 2>&1 | grep -- -U"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
for POLICY_KIND in minimum mls targeted ; do
|
||||||
|
rlRun "checkmodule -M -m -b -o testmod.mod /etc/selinux/${POLICY_KIND}/policy/policy.* >& ${TEST_FILE}" 1
|
||||||
|
rlRun "grep -i \"checkmodule.*-b and -m are incompatible with each other\" ${TEST_FILE}"
|
||||||
|
done
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
INPUT_FILE="mypolicy.te"
|
||||||
|
OUTPUT_FILE="mypolicy.output"
|
||||||
|
rlRun "ls -l ${INPUT_FILE}"
|
||||||
|
rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\""
|
||||||
|
rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing binary representation.*to ${OUTPUT_FILE}\""
|
||||||
|
rlRun "ls -l ${OUTPUT_FILE}"
|
||||||
|
if checkmodule --help | grep -q " CIL " ; then
|
||||||
|
rlRun "rm -f ${OUTPUT_FILE}"
|
||||||
|
rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\""
|
||||||
|
rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing CIL to ${OUTPUT_FILE}\""
|
||||||
|
rlRun "ls -l ${OUTPUT_FILE}"
|
||||||
|
fi
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "rm -rf ${TEST_FILE} ${TEST_DIR} ${OUTPUT_FILE}"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
||||||
|
|
64
tests/checkpolicy-docs/Makefile
Normal file
64
tests/checkpolicy-docs/Makefile
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy
|
||||||
|
# Description: covers an issue where manpage included an unsupported option.
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: covers an issue where manpage included an unsupported option." >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 1m" >> $(METADATA)
|
||||||
|
@echo "RunFor: checkpolicy" >> $(METADATA)
|
||||||
|
@echo "Requires: checkpolicy" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
||||||
|
|
7
tests/checkpolicy-docs/PURPOSE
Normal file
7
tests/checkpolicy-docs/PURPOSE
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy
|
||||||
|
|
||||||
|
Description: covers an issue where manpage included an unsupported option.
|
||||||
|
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
||||||
|
|
53
tests/checkpolicy-docs/runtest.sh
Normal file
53
tests/checkpolicy-docs/runtest.sh
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy-docs
|
||||||
|
# Description: covers an issue where manpage included an unsupported option.
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include rhts environment
|
||||||
|
. /usr/bin/rhts-environment.sh
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh
|
||||||
|
|
||||||
|
PACKAGE="checkpolicy"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
rlAssertExists "/usr/share/man/man8/checkpolicy.8.gz"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "man checkpolicy | col -b | grep -- '-m]'" 1
|
||||||
|
rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/.*checkmodule"
|
||||||
|
if rlIsRHEL 5 ; then
|
||||||
|
rlRun "man checkmodule | col -b | grep -- -d"
|
||||||
|
fi
|
||||||
|
rlRun "man checkmodule | col -b | grep -- -h"
|
||||||
|
rlRun "man checkmodule | col -b | grep -- -U"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
||||||
|
|
64
tests/checkpolicy/Makefile
Normal file
64
tests/checkpolicy/Makefile
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy
|
||||||
|
# Description: runs checkpolicy with various options to find out if it behaves correctly
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE policy.conf.from.secilc
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: runs checkpolicy with various options to find out if it behaves correctly" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 10m" >> $(METADATA)
|
||||||
|
@echo "RunFor: checkpolicy setools" >> $(METADATA)
|
||||||
|
@echo "Requires: checkpolicy setools-console selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
||||||
|
|
7
tests/checkpolicy/PURPOSE
Normal file
7
tests/checkpolicy/PURPOSE
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy
|
||||||
|
|
||||||
|
Description: runs checkpolicy with various options to find out if it behaves correctly
|
||||||
|
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
||||||
|
|
143
tests/checkpolicy/policy.conf.from.secilc
Normal file
143
tests/checkpolicy/policy.conf.from.secilc
Normal file
@ -0,0 +1,143 @@
|
|||||||
|
class file
|
||||||
|
class process
|
||||||
|
class char
|
||||||
|
|
||||||
|
sid kernel
|
||||||
|
sid security
|
||||||
|
sid unlabeled
|
||||||
|
|
||||||
|
common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton }
|
||||||
|
|
||||||
|
class file inherits file { execute_no_trans entrypoint execmod open audit_access }
|
||||||
|
class char inherits file { foo transition }
|
||||||
|
class process { open }
|
||||||
|
|
||||||
|
sensitivity s0 alias sens0;
|
||||||
|
sensitivity s1;
|
||||||
|
|
||||||
|
dominance { s0 s1 }
|
||||||
|
|
||||||
|
category c0 alias cat0;
|
||||||
|
category c1;
|
||||||
|
category c2;
|
||||||
|
|
||||||
|
level s0:c0.c2;
|
||||||
|
level s1:c0.c2;
|
||||||
|
|
||||||
|
mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2)));
|
||||||
|
mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2));
|
||||||
|
mlsconstrain file { open } (l1 dom h2);
|
||||||
|
mlsconstrain file { open } (h1 domby l2);
|
||||||
|
mlsconstrain file { open } (l1 incomp l2);
|
||||||
|
|
||||||
|
mlsvalidatetrans file (h1 domby l2);
|
||||||
|
|
||||||
|
attribute foo_type;
|
||||||
|
attribute bar_type;
|
||||||
|
attribute baz_type;
|
||||||
|
attribute exec_type;
|
||||||
|
|
||||||
|
type bin_t, bar_type, exec_type;
|
||||||
|
type kernel_t, foo_type, exec_type, baz_type;
|
||||||
|
type security_t, baz_type;
|
||||||
|
type unlabeled_t, baz_type;
|
||||||
|
|
||||||
|
type exec_t, baz_type;
|
||||||
|
type console_t, baz_type;
|
||||||
|
type auditadm_t, baz_type;
|
||||||
|
type console_device_t, baz_type;
|
||||||
|
type user_tty_device_t, baz_type;
|
||||||
|
type device_t, baz_type;
|
||||||
|
type getty_t, baz_type;
|
||||||
|
type a_t, baz_type;
|
||||||
|
type b_t, baz_type;
|
||||||
|
|
||||||
|
typealias bin_t alias sbin_t;
|
||||||
|
|
||||||
|
bool secure_mode false;
|
||||||
|
bool console_login true;
|
||||||
|
bool b1 false;
|
||||||
|
|
||||||
|
role system_r;
|
||||||
|
role user_r;
|
||||||
|
role system_r types bin_t;
|
||||||
|
role system_r types kernel_t;
|
||||||
|
role system_r types security_t;
|
||||||
|
role system_r types unlabeled_t;
|
||||||
|
|
||||||
|
policycap open_perms;
|
||||||
|
permissive device_t;
|
||||||
|
|
||||||
|
range_transition device_t console_t : file s0:c0 - s1:c0.c1;
|
||||||
|
|
||||||
|
type_transition device_t console_t : file console_device_t;
|
||||||
|
type_member device_t bin_t : file exec_t;
|
||||||
|
|
||||||
|
if console_login{
|
||||||
|
type_change auditadm_t console_device_t : file user_tty_device_t;
|
||||||
|
}
|
||||||
|
|
||||||
|
role_transition system_r bin_t user_r;
|
||||||
|
|
||||||
|
auditallow device_t auditadm_t: file { open };
|
||||||
|
dontaudit device_t auditadm_t: file { read };
|
||||||
|
|
||||||
|
allow system_r user_r;
|
||||||
|
|
||||||
|
allow console_t console_device_t: char { write setattr };
|
||||||
|
allow console_t console_device_t: file { open read getattr };
|
||||||
|
allow foo_type self: file { execute };
|
||||||
|
allow bin_t device_t: file { execute };
|
||||||
|
allow bin_t exec_t: file { execute };
|
||||||
|
allow bin_t bin_t: file { execute };
|
||||||
|
allow a_t b_t : file { write };
|
||||||
|
allow console_t console_device_t: file { read write getattr setattr lock append };
|
||||||
|
allow kernel_t kernel_t : file { execute };
|
||||||
|
|
||||||
|
if b1 {
|
||||||
|
allow a_t b_t : file { read };
|
||||||
|
}
|
||||||
|
|
||||||
|
if secure_mode{
|
||||||
|
auditallow device_t exec_t: file { read write };
|
||||||
|
}
|
||||||
|
|
||||||
|
if console_login{
|
||||||
|
allow getty_t console_device_t: file { getattr open read write append };
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
dontaudit getty_t console_device_t: file { getattr open read write append };
|
||||||
|
}
|
||||||
|
|
||||||
|
if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){
|
||||||
|
allow bin_t exec_t: file { execute };
|
||||||
|
}
|
||||||
|
|
||||||
|
user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1;
|
||||||
|
user user_u roles user_r level s0:c0 range s0:c0 - s0:c0;
|
||||||
|
|
||||||
|
validatetrans file (t1 == exec_t);
|
||||||
|
|
||||||
|
constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
|
||||||
|
constrain file { open } (r1 dom r2);
|
||||||
|
constrain file { open } (r1 domby r2);
|
||||||
|
constrain file { open } (r1 incomp r2);
|
||||||
|
constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
|
||||||
|
constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
|
||||||
|
|
||||||
|
|
||||||
|
sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1
|
||||||
|
sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1
|
||||||
|
sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1
|
||||||
|
|
||||||
|
fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1;
|
||||||
|
|
||||||
|
genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
||||||
|
|
||||||
|
portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
||||||
|
portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
||||||
|
|
||||||
|
netifcon eth0 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
||||||
|
|
||||||
|
nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
||||||
|
nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
153
tests/checkpolicy/runtest.sh
Normal file
153
tests/checkpolicy/runtest.sh
Normal file
@ -0,0 +1,153 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy
|
||||||
|
# Description: runs checkpolicy with various options to find out if it behaves correctly
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include rhts environment
|
||||||
|
. /usr/bin/rhts-environment.sh
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh
|
||||||
|
|
||||||
|
PACKAGE="checkpolicy"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
rlAssertRpm selinux-policy-minimum
|
||||||
|
rlAssertRpm selinux-policy-mls
|
||||||
|
rlAssertRpm selinux-policy-targeted
|
||||||
|
rlRun "uname -a"
|
||||||
|
TEST_FILE=`mktemp`
|
||||||
|
TEST_DIR=`mktemp -d`
|
||||||
|
OUTPUT_FILE=`mktemp`
|
||||||
|
rlAssertExists "/usr/bin/checkpolicy"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "compilation from policy.conf"
|
||||||
|
MIN_VERSION="15"
|
||||||
|
MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . -f 2 | head -n 1`
|
||||||
|
if rlIsRHEL 5 6 ; then
|
||||||
|
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}`
|
||||||
|
else
|
||||||
|
# some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23"
|
||||||
|
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23`
|
||||||
|
fi
|
||||||
|
for CUR_VERSION in ${VERSIONS} ; do
|
||||||
|
rlRun "rm -f policy.out"
|
||||||
|
rlWatchdog "checkpolicy -M -c ${CUR_VERSION} -o policy.out policy.conf.from.secilc" 15
|
||||||
|
if [ -s policy.out ] ; then
|
||||||
|
rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}"
|
||||||
|
rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}"
|
||||||
|
else
|
||||||
|
rlRun "ls -l policy.out"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "checkpolicy >& ${TEST_FILE}" 1
|
||||||
|
rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE}
|
||||||
|
rlRun "checkpolicy -b >& ${TEST_FILE}" 1
|
||||||
|
rlAssertGrep "loading policy configuration from policy" ${TEST_FILE}
|
||||||
|
rlRun "checkpolicy -V"
|
||||||
|
rlRun "checkpolicy -U 2>&1 | grep \"option requires an argument\""
|
||||||
|
rlRun "checkpolicy -U xyz" 1
|
||||||
|
rlRun "rm -f policy.conf"
|
||||||
|
if ! rlIsRHEL 4 ; then
|
||||||
|
for OPTION in "deny" "reject" "allow" ; do
|
||||||
|
rlRun "checkpolicy -U ${OPTION} >& ${TEST_FILE}" 1
|
||||||
|
rlAssertGrep "unable to open policy.conf" ${TEST_FILE}
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
rlRun "rm -f ${TEST_FILE}"
|
||||||
|
rlRun "touch ${TEST_FILE}"
|
||||||
|
rlRun "rm -rf ${TEST_DIR}"
|
||||||
|
rlRun "mkdir ${TEST_DIR}"
|
||||||
|
rlRun "checkpolicy ${TEST_FILE}" 1,2
|
||||||
|
rlRun "checkpolicy -b ${TEST_FILE}" 1
|
||||||
|
rlRun "checkpolicy ${TEST_DIR}" 1,2
|
||||||
|
rlRun "checkpolicy -b ${TEST_DIR}" 1
|
||||||
|
rlRun "rm -f ${TEST_FILE}"
|
||||||
|
rlRun "rm -rf ${TEST_DIR}"
|
||||||
|
rlRun "checkpolicy ${TEST_FILE}" 1
|
||||||
|
rlRun "checkpolicy -b ${TEST_FILE}" 1
|
||||||
|
rlRun "checkpolicy -c 2>&1 | grep \"option requires an argument\""
|
||||||
|
rlRun "checkpolicy -c 0 2>&1 | grep \"value 0 not in range\""
|
||||||
|
rlRun "checkpolicy -t 2>&1 | grep \"option requires an argument\""
|
||||||
|
rlRun "checkpolicy -t xyz 2>&1 | grep -i \"unknown target platform\""
|
||||||
|
rlRun "checkpolicy --help 2>&1 | grep -- '-m]'" 1
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
if rlIsRHEL 5 6 ; then
|
||||||
|
ACTIVE_POLICY="/selinux/policy"
|
||||||
|
else
|
||||||
|
ACTIVE_POLICY="/sys/fs/selinux/policy"
|
||||||
|
fi
|
||||||
|
rlRun "echo -e 'q\n' | checkpolicy -Mdb ${ACTIVE_POLICY} | tee ${OUTPUT_FILE}"
|
||||||
|
rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1
|
||||||
|
for POLICY_TYPE in minimum mls targeted ; do
|
||||||
|
if [ ! -e /etc/selinux/${POLICY_TYPE}/policy/policy.* ] ; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
rlRun "echo -e 'q\n' | checkpolicy -Mdb /etc/selinux/${POLICY_TYPE}/policy/policy.* | tee ${OUTPUT_FILE}"
|
||||||
|
rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1
|
||||||
|
done
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
if rlIsRHEL 5 6 ; then
|
||||||
|
ACTIVE_POLICY_TREE="/selinux"
|
||||||
|
else # RHEL-7 and above
|
||||||
|
ACTIVE_POLICY_TREE="/sys/fs/selinux"
|
||||||
|
fi
|
||||||
|
MIN_VERSION="15"
|
||||||
|
MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . -f 2 | head -n 1`
|
||||||
|
for POLICY_TYPE in minimum mls targeted ; do
|
||||||
|
if rlIsRHEL 5 6 ; then
|
||||||
|
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}`
|
||||||
|
else
|
||||||
|
# some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23"
|
||||||
|
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23`
|
||||||
|
fi
|
||||||
|
for CUR_VERSION in ${VERSIONS} ; do
|
||||||
|
rlRun "rm -f policy.out"
|
||||||
|
rlWatchdog "checkpolicy -b -M -c ${CUR_VERSION} -o policy.out /etc/selinux/${POLICY_TYPE}/policy/policy.${MAX_VERSION}" 15
|
||||||
|
if [ -s policy.out ] ; then
|
||||||
|
rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}"
|
||||||
|
rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}"
|
||||||
|
else
|
||||||
|
rlRun "ls -l policy.out"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
done
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rm -f ${OUTPUT_FILE} policy.out
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
||||||
|
|
65
tests/sedismod/Makefile
Normal file
65
tests/sedismod/Makefile
Normal file
@ -0,0 +1,65 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/checkpolicy/Sanity/sedismod
|
||||||
|
# Description: Does sedismod work correctly ?)
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/checkpolicy/Sanity/sedismod
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE sedismod.exp
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
test -x sedismod.exp || chmod a+x sedismod.exp
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Does sedismod work correctly?" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 10m" >> $(METADATA)
|
||||||
|
@echo "RunFor: checkpolicy" >> $(METADATA)
|
||||||
|
@echo "Requires: checkpolicy selinux-policy-targeted expect policycoreutils psmisc" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
||||||
|
|
5
tests/sedismod/PURPOSE
Normal file
5
tests/sedismod/PURPOSE
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
PURPOSE of /CoreOS/checkpolicy/Sanity/sedismod
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
||||||
|
Does sedismod work correctly?
|
||||||
|
|
83
tests/sedismod/runtest.sh
Executable file
83
tests/sedismod/runtest.sh
Executable file
@ -0,0 +1,83 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/checkpolicy/Sanity/sedismod
|
||||||
|
# Description: Does sedismod work correctly
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="checkpolicy"
|
||||||
|
# TODO: repeat for all policy modules that are installed under /etc/selinux
|
||||||
|
if rlIsFedora ; then
|
||||||
|
POLICY_FILE="`find /var/lib/selinux/targeted -type d -name base`/hll"
|
||||||
|
elif rlIsRHEL '<7.3' ; then
|
||||||
|
POLICY_FILE=`find /etc/selinux/targeted -type f -name base.pp`
|
||||||
|
else # RHEL-7.3 and above
|
||||||
|
POLICY_FILE="`find /etc/selinux/targeted -type d -name base`/hll"
|
||||||
|
fi
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
OUTPUT_FILE=`mktemp`
|
||||||
|
if rlIsRHEL '>=7.3' || rlIsFedora ; then
|
||||||
|
rlRun "semodule -H -E base"
|
||||||
|
else
|
||||||
|
rlRun "cp ${POLICY_FILE} ./base.pp.bz2"
|
||||||
|
rlRun "rm -f base.pp"
|
||||||
|
rlRun "bzip2 -d ./base.pp.bz2"
|
||||||
|
fi
|
||||||
|
POLICY_FILE="base.pp"
|
||||||
|
rlRun "ls -l ${POLICY_FILE}"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "check all available options"
|
||||||
|
if rlIsRHEL 6 ; then
|
||||||
|
AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 0 a b c u"
|
||||||
|
else # RHEL-7 and above
|
||||||
|
AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 9 0 a b c u F"
|
||||||
|
fi
|
||||||
|
for OPTION in ${AVAILABLE_OPTIONS} ; do
|
||||||
|
rlRun "rm -f ${OUTPUT_FILE}"
|
||||||
|
rlWatchdog "./sedismod.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
|
||||||
|
# rlWatchdog kills the expect script, but we need to kill the sedismod process too
|
||||||
|
rlRun "killall sedismod" 0,1
|
||||||
|
rlRun "ls -l ${OUTPUT_FILE}"
|
||||||
|
if [ -s ${OUTPUT_FILE} ] ; then
|
||||||
|
rlPass "sedismod produced some output"
|
||||||
|
else
|
||||||
|
rlFail "sedismod did not produce any output"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "rm -f ${OUTPUT_FILE} ${POLICY_FILE}"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
||||||
|
|
21
tests/sedismod/sedismod.exp
Executable file
21
tests/sedismod/sedismod.exp
Executable file
@ -0,0 +1,21 @@
|
|||||||
|
#!/usr/bin/expect -f
|
||||||
|
# ./sedismod.exp option policyfile outputfile
|
||||||
|
set option [lrange $argv 0 0]
|
||||||
|
set policyfile [lrange $argv 1 1]
|
||||||
|
set outputfile [lrange $argv 2 2]
|
||||||
|
set timeout 60
|
||||||
|
spawn sedismod $policyfile
|
||||||
|
expect "Command*:" {
|
||||||
|
send -- "f\r"
|
||||||
|
}
|
||||||
|
expect "Filename*:" {
|
||||||
|
send -- "$outputfile\r"
|
||||||
|
}
|
||||||
|
expect "Command*:" {
|
||||||
|
send -- "$option\r"
|
||||||
|
}
|
||||||
|
expect "Command*:" {
|
||||||
|
send -- "q\r"
|
||||||
|
}
|
||||||
|
expect eof
|
||||||
|
|
65
tests/sedispol/Makefile
Normal file
65
tests/sedispol/Makefile
Normal file
@ -0,0 +1,65 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/checkpolicy/Sanity/sedispol
|
||||||
|
# Description: Does sedispol work correctly?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/checkpolicy/Sanity/sedispol
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE sedispol.exp
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
test -x sedispol.exp || chmod a+x sedispol.exp
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Does sedispol work correctly?" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 10m" >> $(METADATA)
|
||||||
|
@echo "RunFor: checkpolicy" >> $(METADATA)
|
||||||
|
@echo "Requires: checkpolicy selinux-policy expect" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
||||||
|
|
5
tests/sedispol/PURPOSE
Normal file
5
tests/sedispol/PURPOSE
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
PURPOSE of /CoreOS/checkpolicy/Sanity/sedispol
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
||||||
|
Does sedispol work correctly?
|
||||||
|
|
77
tests/sedispol/runtest.sh
Executable file
77
tests/sedispol/runtest.sh
Executable file
@ -0,0 +1,77 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/checkpolicy/Sanity/sedispol
|
||||||
|
# Description: Does sedispol work correctly?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="checkpolicy"
|
||||||
|
# TODO: repeat for all policy files that are installed under /etc/selinux
|
||||||
|
POLICY_FILE=`find /etc/selinux/targeted/policy/ -type f`
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
OUTPUT_FILE=`mktemp`
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
if rlIsRHEL 6 ; then
|
||||||
|
AVAILABLE_OPTIONS="1 2 3 4 5 6 c p u"
|
||||||
|
else # RHEL-7 and above
|
||||||
|
AVAILABLE_OPTIONS="1 2 3 4 5 6 8 c p u F"
|
||||||
|
fi
|
||||||
|
for OPTION in ${AVAILABLE_OPTIONS} ; do
|
||||||
|
rlRun "rm -f ${OUTPUT_FILE}"
|
||||||
|
rlWatchdog "./sedispol.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
|
||||||
|
# rlWatchdog kills the expect script, but we need to kill the sedispol process too
|
||||||
|
rlRun "killall sedispol" 0,1
|
||||||
|
rlRun "ls -l ${OUTPUT_FILE}"
|
||||||
|
if [ -s ${OUTPUT_FILE} ] ; then
|
||||||
|
rlPass "sedispol produced some output"
|
||||||
|
else
|
||||||
|
rlFail "sedispol did not produce any output"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "echo q | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
|
||||||
|
rlRun "grep AVTAB ${OUTPUT_FILE}"
|
||||||
|
rlRun "grep AVTAG ${OUTPUT_FILE}" 1
|
||||||
|
rlRun "echo -en 'u\nq\n' | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
|
||||||
|
rlRun "grep permissions ${OUTPUT_FILE}"
|
||||||
|
rlRun "grep permisions ${OUTPUT_FILE}" 1
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "rm -f ${OUTPUT_FILE}"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
||||||
|
|
21
tests/sedispol/sedispol.exp
Executable file
21
tests/sedispol/sedispol.exp
Executable file
@ -0,0 +1,21 @@
|
|||||||
|
#!/usr/bin/expect -f
|
||||||
|
# ./sedispol.exp option policyfile outputfile
|
||||||
|
set option [lrange $argv 0 0]
|
||||||
|
set policyfile [lrange $argv 1 1]
|
||||||
|
set outputfile [lrange $argv 2 2]
|
||||||
|
set timeout 60
|
||||||
|
spawn sedispol $policyfile
|
||||||
|
expect "Command*:" {
|
||||||
|
send -- "f\r"
|
||||||
|
}
|
||||||
|
expect "Filename*:" {
|
||||||
|
send -- "$outputfile\r"
|
||||||
|
}
|
||||||
|
expect "Command*:" {
|
||||||
|
send -- "$option\r"
|
||||||
|
}
|
||||||
|
expect "Command*:" {
|
||||||
|
send -- "q\r"
|
||||||
|
}
|
||||||
|
expect eof
|
||||||
|
|
61
tests/tests.yml
Normal file
61
tests/tests.yml
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
---
|
||||||
|
# Tests for Classic
|
||||||
|
- hosts: localhost
|
||||||
|
roles:
|
||||||
|
- role: standard-test-beakerlib
|
||||||
|
tags:
|
||||||
|
- classic
|
||||||
|
repositories:
|
||||||
|
- repo: "https://src.fedoraproject.org/tests/selinux.git"
|
||||||
|
dest: "selinux"
|
||||||
|
fmf_filter: "tier:1 | component:checkpolicy"
|
||||||
|
required_packages:
|
||||||
|
- checkpolicy # Required by all tests
|
||||||
|
- man # Required by checkpolicy-docs
|
||||||
|
- grep # Required by checkmodule
|
||||||
|
- coreutils # Required by checkmodule
|
||||||
|
- setools-console # Required by checkpolicy
|
||||||
|
- selinux-policy-minimum # Required by checkpolicy
|
||||||
|
- selinux-policy-mls # Required by checkpolicy
|
||||||
|
- selinux-policy-targeted # Required by checkpolicy and sedismod
|
||||||
|
- expect # Required by sedismod and sedispol
|
||||||
|
- policycoreutils # Required by sedismod
|
||||||
|
- psmisc # Required by sedismod
|
||||||
|
- selinux-policy # Required by sedispol
|
||||||
|
- e2fsprogs
|
||||||
|
- gcc
|
||||||
|
- git
|
||||||
|
- libselinux
|
||||||
|
- libselinux-utils
|
||||||
|
- libsemanage
|
||||||
|
- libsepol
|
||||||
|
- libsepol-devel
|
||||||
|
- policycoreutils-python-utils
|
||||||
|
- selinux-policy-devel
|
||||||
|
|
||||||
|
# Tests for Container
|
||||||
|
- hosts: localhost
|
||||||
|
roles:
|
||||||
|
- role: standard-test-beakerlib
|
||||||
|
tags:
|
||||||
|
- container
|
||||||
|
repositories:
|
||||||
|
- repo: "https://src.fedoraproject.org/tests/selinux.git"
|
||||||
|
dest: "selinux"
|
||||||
|
tests:
|
||||||
|
- selinux/checkpolicy/checkmodule
|
||||||
|
- selinux/checkpolicy/checkpolicy
|
||||||
|
- selinux/checkpolicy/sedismod
|
||||||
|
- selinux/checkpolicy/sedispol
|
||||||
|
required_packages:
|
||||||
|
- checkpolicy # Required by all tests
|
||||||
|
- grep # Required by checkmodule
|
||||||
|
- coreutils # Required by checkmodule
|
||||||
|
- setools-console # Required by checkpolicy
|
||||||
|
- selinux-policy-minimum # Required by checkpolicy
|
||||||
|
- selinux-policy-mls # Required by checkpolicy
|
||||||
|
- selinux-policy-targeted # Required by checkpolicy and sedismod
|
||||||
|
- expect # Required by sedismod and sedispol
|
||||||
|
- policycoreutils # Required by sedismod
|
||||||
|
- psmisc # Required by sedismod
|
||||||
|
- selinux-policy # Required by sedispol
|
Loading…
Reference in New Issue
Block a user