Compare commits
10 Commits
a85176781b
...
b8533e5ff3
Author | SHA1 | Date |
---|---|---|
Petr Lautrbach | b8533e5ff3 | |
Petr Lautrbach | 5a90bd37cd | |
Petr Lautrbach | 172aa6a9c7 | |
Petr Lautrbach | 2bf78f3526 | |
Petr Lautrbach | 59be98a24f | |
Petr Lautrbach | 36ad04f322 | |
Petr Lautrbach | 0948ba07a7 | |
Petr Lautrbach | 2e94ed4b6e | |
Petr Lautrbach | 04ac4f468c | |
Mohan Boddu | f83088e739 |
|
@ -0,0 +1 @@
|
|||
40e9c6939db7a94552dc971fc871286812bcea3b checkpolicy-3.5.tar.gz
|
|
@ -0,0 +1 @@
|
|||
1
|
|
@ -108,3 +108,11 @@ checkpolicy-2.0.22.tgz
|
|||
/checkpolicy-3.2-rc1.tar.gz
|
||||
/checkpolicy-3.2-rc2.tar.gz
|
||||
/checkpolicy-3.2.tar.gz
|
||||
/checkpolicy-3.3-rc2.tar.gz
|
||||
/checkpolicy-3.3-rc3.tar.gz
|
||||
/checkpolicy-3.3.tar.gz
|
||||
/checkpolicy-3.4.tar.gz
|
||||
/checkpolicy-3.5-rc1.tar.gz
|
||||
/checkpolicy-3.5-rc2.tar.gz
|
||||
/checkpolicy-3.5-rc3.tar.gz
|
||||
/checkpolicy-3.5.tar.gz
|
||||
|
|
|
@ -1,78 +0,0 @@
|
|||
From dcd07fdcbf3ba9fc47aef924b9b9f81bdefcb18b Mon Sep 17 00:00:00 2001
|
||||
From: James Carter <jwcart2@gmail.com>
|
||||
Date: Mon, 8 Mar 2021 15:49:23 -0500
|
||||
Subject: [PATCH] libsepol/checkpolicy: Set user roles using role value instead
|
||||
of dominance
|
||||
|
||||
Roles in an optional block have two datums, one in the global block
|
||||
and one in the avrule_decl where it is declared. The datum in the
|
||||
global block does not have its dominace set. This is a problem because
|
||||
the function set_user_role() sets the user's roles based on the global
|
||||
datum's dominance ebitmap. If a user is declared with an associated role
|
||||
that was declared in an optional block, then it will not have any roles
|
||||
set for it because the dominance ebitmap is empty.
|
||||
|
||||
Example/
|
||||
# handle_unknown deny
|
||||
class CLASS1
|
||||
sid kernel
|
||||
class CLASS1 { PERM1 }
|
||||
type TYPE1;
|
||||
allow TYPE1 self:CLASS1 PERM1;
|
||||
role ROLE1;
|
||||
role ROLE1 types { TYPE1 };
|
||||
optional {
|
||||
require {
|
||||
class CLASS1 { PERM1 };
|
||||
}
|
||||
role ROLE1A;
|
||||
user USER1A roles ROLE1A;
|
||||
}
|
||||
user USER1 roles ROLE1;
|
||||
sid kernel USER1:ROLE1:TYPE1
|
||||
|
||||
In this example, USER1A would not have ROLE1A associated with it.
|
||||
|
||||
Instead of using dominance, which has been deprecated anyway, just
|
||||
set the bit corresponding to the role's value in the user's roles
|
||||
ebitmap in set_user_role().
|
||||
|
||||
Signed-off-by: James Carter <jwcart2@gmail.com>
|
||||
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||||
|
||||
[N.I: added spaces around "-" operator]
|
||||
---
|
||||
checkpolicy/policy_define.c | 9 ++-------
|
||||
1 file changed, 2 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
||||
index c9286f7733c5..16234f31bbc3 100644
|
||||
--- a/checkpolicy/policy_define.c
|
||||
+++ b/checkpolicy/policy_define.c
|
||||
@@ -4088,8 +4088,6 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
|
||||
static int set_user_roles(role_set_t * set, char *id)
|
||||
{
|
||||
role_datum_t *r;
|
||||
- unsigned int i;
|
||||
- ebitmap_node_t *node;
|
||||
|
||||
if (strcmp(id, "*") == 0) {
|
||||
free(id);
|
||||
@@ -4115,12 +4113,9 @@ static int set_user_roles(role_set_t * set, char *id)
|
||||
return -1;
|
||||
}
|
||||
|
||||
- /* set the role and every role it dominates */
|
||||
- ebitmap_for_each_positive_bit(&r->dominates, node, i) {
|
||||
- if (ebitmap_set_bit(&set->roles, i, TRUE))
|
||||
- goto oom;
|
||||
- }
|
||||
free(id);
|
||||
+ if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE))
|
||||
+ goto oom;
|
||||
return 0;
|
||||
oom:
|
||||
yyerror("out of memory");
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,97 +0,0 @@
|
|||
From 750cc1136d054b77e84cd55be5fbe0e8ad0174e8 Mon Sep 17 00:00:00 2001
|
||||
From: James Carter <jwcart2@gmail.com>
|
||||
Date: Mon, 15 Mar 2021 11:09:37 -0400
|
||||
Subject: [PATCH] checkpolicy: Do not automatically upgrade when using "-b"
|
||||
flag
|
||||
|
||||
When reading a binary policy, do not automatically change the version
|
||||
to the max policy version supported by libsepol or, if specified, the
|
||||
value given using the "-c" flag.
|
||||
|
||||
If the binary policy version is less than or equal to version 23
|
||||
(POLICYDB_VERSION_PERMISSIVE) than do not automatically upgrade the
|
||||
policy and if a policy version is specified by the "-c" flag, only set
|
||||
the binary policy to the specified version if it is lower than the
|
||||
current version.
|
||||
|
||||
If the binary policy version is greater than version 23 than it should
|
||||
be set to the maximum version supported by libsepol or, if specified,
|
||||
the value given by the "-c" flag.
|
||||
|
||||
The reason for this change is that policy versions 20
|
||||
(POLICYDB_VERSION_AVTAB) to 23 have a more primitive support for type
|
||||
attributes where the datums are not written out, but they exist in the
|
||||
type_attr_map. This means that when the binary policy is read by
|
||||
libsepol, there will be gaps in the type_val_to_struct and
|
||||
p_type_val_to_name arrays and policy rules can refer to those gaps.
|
||||
Certain libsepol functions like sepol_kernel_policydb_to_conf() and
|
||||
sepol_kernel_policydb_to_cil() do not support this behavior and need
|
||||
to be able to identify these policies. Policies before version 20 do not
|
||||
support attributes at all and can be handled by all libsepol functions.
|
||||
|
||||
Signed-off-by: James Carter <jwcart2@gmail.com>
|
||||
---
|
||||
checkpolicy/checkpolicy.c | 19 +++++++++++++++----
|
||||
1 file changed, 15 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
|
||||
index 5841c5c4c196..acf1eac41559 100644
|
||||
--- a/checkpolicy/checkpolicy.c
|
||||
+++ b/checkpolicy/checkpolicy.c
|
||||
@@ -106,7 +106,7 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN;
|
||||
static const char *txtfile = "policy.conf";
|
||||
static const char *binfile = "policy";
|
||||
|
||||
-unsigned int policyvers = POLICYDB_VERSION_MAX;
|
||||
+unsigned int policyvers = 0;
|
||||
|
||||
static __attribute__((__noreturn__)) void usage(const char *progname)
|
||||
{
|
||||
@@ -515,7 +515,8 @@ int main(int argc, char **argv)
|
||||
}
|
||||
|
||||
if (show_version) {
|
||||
- printf("%d (compatibility range %d-%d)\n", policyvers,
|
||||
+ printf("%d (compatibility range %d-%d)\n",
|
||||
+ policyvers ? policyvers : POLICYDB_VERSION_MAX ,
|
||||
POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
|
||||
exit(0);
|
||||
}
|
||||
@@ -588,6 +589,16 @@ int main(int argc, char **argv)
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
+
|
||||
+ if (policydbp->policyvers <= POLICYDB_VERSION_PERMISSIVE) {
|
||||
+ if (policyvers > policydbp->policyvers) {
|
||||
+ fprintf(stderr, "Binary policies with version <= %u cannot be upgraded\n", POLICYDB_VERSION_PERMISSIVE);
|
||||
+ } else if (policyvers) {
|
||||
+ policydbp->policyvers = policyvers;
|
||||
+ }
|
||||
+ } else {
|
||||
+ policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
|
||||
+ }
|
||||
} else {
|
||||
if (conf) {
|
||||
fprintf(stderr, "Can only generate policy.conf from binary policy\n");
|
||||
@@ -629,6 +640,8 @@ int main(int argc, char **argv)
|
||||
policydb_destroy(policydbp);
|
||||
policydbp = &policydb;
|
||||
}
|
||||
+
|
||||
+ policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
|
||||
}
|
||||
|
||||
if (policydb_load_isids(&policydb, &sidtab))
|
||||
@@ -654,8 +667,6 @@ int main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
- policydb.policyvers = policyvers;
|
||||
-
|
||||
if (!cil) {
|
||||
if (!conf) {
|
||||
policydb.policy_type = POLICY_KERN;
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,48 +0,0 @@
|
|||
From ed7e3348d18bb00bcfcb3da6d4265307425bb882 Mon Sep 17 00:00:00 2001
|
||||
From: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||||
Date: Sat, 3 Jul 2021 16:31:20 +0200
|
||||
Subject: [PATCH] checkpolicy: silence -Wextra-semi-stmt warning
|
||||
|
||||
On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt
|
||||
(which is not the default build configuration), the compiler reports:
|
||||
|
||||
checkpolicy.c:740:33: error: empty expression statement has no
|
||||
effect; remove unnecessary ';' to silence this warning
|
||||
[-Werror,-Wextra-semi-stmt]
|
||||
FGETS(ans, sizeof(ans), stdin);
|
||||
^
|
||||
|
||||
Introduce "do { } while (0)" blocks to silence such warnings.
|
||||
|
||||
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||||
---
|
||||
checkpolicy/checkpolicy.c | 13 ++++++++-----
|
||||
1 file changed, 8 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
|
||||
index acf1eac41559..8af31db5c6b7 100644
|
||||
--- a/checkpolicy/checkpolicy.c
|
||||
+++ b/checkpolicy/checkpolicy.c
|
||||
@@ -119,11 +119,14 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
|
||||
}
|
||||
|
||||
#define FGETS(out, size, in) \
|
||||
-if (fgets(out,size,in)==NULL) { \
|
||||
- fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,\
|
||||
- strerror(errno)); \
|
||||
- exit(1);\
|
||||
-}
|
||||
+do { \
|
||||
+ if (fgets(out,size,in)==NULL) { \
|
||||
+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__, \
|
||||
+ strerror(errno)); \
|
||||
+ exit(1);\
|
||||
+ } \
|
||||
+} while (0)
|
||||
+
|
||||
static int print_sid(sepol_security_id_t sid,
|
||||
context_struct_t * context
|
||||
__attribute__ ((unused)), void *data
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,54 +0,0 @@
|
|||
From 40e2f98519ba3fc6a4a0f2b4a2b8b0e1d864fd9e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:21 +0200
|
||||
Subject: [PATCH] checkpolicy: pass CFLAGS at link stage
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Pass CFLAGS when invoking CC at link time, it might contain optimization
|
||||
or sanitizer flags required for linking.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/Makefile | 4 ++--
|
||||
checkpolicy/test/Makefile | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
|
||||
index 0d282ef93d14..be63c0182682 100644
|
||||
--- a/checkpolicy/Makefile
|
||||
+++ b/checkpolicy/Makefile
|
||||
@@ -30,10 +30,10 @@ all: $(TARGETS)
|
||||
$(MAKE) -C test
|
||||
|
||||
checkpolicy: $(CHECKPOLOBJS) $(LIBSEPOLA)
|
||||
- $(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
|
||||
+ $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
|
||||
|
||||
checkmodule: $(CHECKMODOBJS) $(LIBSEPOLA)
|
||||
- $(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
|
||||
+ $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
|
||||
|
||||
%.o: %.c
|
||||
$(CC) $(CFLAGS) -o $@ -c $<
|
||||
diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
|
||||
index 89e7557c7aa6..e2a332b5a079 100644
|
||||
--- a/checkpolicy/test/Makefile
|
||||
+++ b/checkpolicy/test/Makefile
|
||||
@@ -13,10 +13,10 @@ endif
|
||||
all: dispol dismod
|
||||
|
||||
dispol: dispol.o $(LIBSEPOLA)
|
||||
- $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
|
||||
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
|
||||
|
||||
dismod: dismod.o $(LIBSEPOLA)
|
||||
- $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
|
||||
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
|
||||
|
||||
clean:
|
||||
-rm -f dispol dismod *.o
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,49 +0,0 @@
|
|||
From 02678b9d40f7de5cae1840f3d7ceedf1499c84a8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:22 +0200
|
||||
Subject: [PATCH] checkpolicy: drop -pipe compile option
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The compiler option -pipe does not affect the generated code; it affects
|
||||
whether the compiler uses temporary files or pipes. As the benefit might
|
||||
vary from system to system usually its up to the packager or build
|
||||
framework to set it.
|
||||
Also these are the only places where the flag is used.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/Makefile | 2 +-
|
||||
checkpolicy/test/Makefile | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
|
||||
index be63c0182682..f9e1fc7cecd4 100644
|
||||
--- a/checkpolicy/Makefile
|
||||
+++ b/checkpolicy/Makefile
|
||||
@@ -10,7 +10,7 @@ TARGETS = checkpolicy checkmodule
|
||||
LEX = flex
|
||||
YACC = bison -y
|
||||
|
||||
-CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
|
||||
+CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -fno-strict-aliasing
|
||||
|
||||
# If no specific libsepol.a is specified, fall back on LDFLAGS search path
|
||||
# Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there
|
||||
diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
|
||||
index e2a332b5a079..8e5d16b3c5f0 100644
|
||||
--- a/checkpolicy/test/Makefile
|
||||
+++ b/checkpolicy/test/Makefile
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# Makefile for building the dispol program
|
||||
#
|
||||
-CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
|
||||
+CFLAGS ?= -g -Wall -W -Werror -O2
|
||||
|
||||
# If no specific libsepol.a is specified, fall back on LDFLAGS search path
|
||||
# Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
From 7cdb2a8fd2af0a063d6e505fd1250ca10ebbea11 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:23 +0200
|
||||
Subject: [PATCH] checkpolicy: simplify assignment
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
checkpolicy.c:504:20: style: The statement 'if (policyvers!=n) policyvers=n' is logically equivalent to 'policyvers=n'. [duplicateConditionalAssign]
|
||||
if (policyvers != n)
|
||||
^
|
||||
checkpolicy.c:505:17: note: Assignment 'policyvers=n'
|
||||
policyvers = n;
|
||||
^
|
||||
checkpolicy.c:504:20: note: Condition 'policyvers!=n' is redundant
|
||||
if (policyvers != n)
|
||||
^
|
||||
|
||||
Found by Cppcheck
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/checkpolicy.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
|
||||
index 8af31db5c6b7..b52595a87b29 100644
|
||||
--- a/checkpolicy/checkpolicy.c
|
||||
+++ b/checkpolicy/checkpolicy.c
|
||||
@@ -504,8 +504,7 @@ int main(int argc, char **argv)
|
||||
usage(argv[0]);
|
||||
exit(1);
|
||||
}
|
||||
- if (policyvers != n)
|
||||
- policyvers = n;
|
||||
+ policyvers = n;
|
||||
break;
|
||||
}
|
||||
case 'E':
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,47 +0,0 @@
|
|||
From db674bf2186b34a3712e2069c769131503dcb9ff Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:24 +0200
|
||||
Subject: [PATCH] checkpolicy: drop dead condition
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The variable `id` is guaranteed to be non-NULL due to the preceding
|
||||
while condition.
|
||||
|
||||
policy_define.c:1171:7: style: Condition '!id' is always false [knownConditionTrueFalse]
|
||||
if (!id) {
|
||||
^
|
||||
policy_define.c:1170:13: note: Assuming that condition 'id=queue_remove(id_queue)' is not redundant
|
||||
while ((id = queue_remove(id_queue))) {
|
||||
^
|
||||
policy_define.c:1171:7: note: Condition '!id' is always false
|
||||
if (!id) {
|
||||
^
|
||||
|
||||
Found by Cppcheck.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/policy_define.c | 5 -----
|
||||
1 file changed, 5 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
||||
index 16234f31bbc3..7eff747adacf 100644
|
||||
--- a/checkpolicy/policy_define.c
|
||||
+++ b/checkpolicy/policy_define.c
|
||||
@@ -1168,11 +1168,6 @@ int expand_attrib(void)
|
||||
|
||||
ebitmap_init(&attrs);
|
||||
while ((id = queue_remove(id_queue))) {
|
||||
- if (!id) {
|
||||
- yyerror("No attribute name for expandattribute statement?");
|
||||
- goto exit;
|
||||
- }
|
||||
-
|
||||
if (!is_id_in_scope(SYM_TYPES, id)) {
|
||||
yyerror2("attribute %s is not within scope", id);
|
||||
goto exit;
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,52 +0,0 @@
|
|||
From babc3d53518b7f9f01b83b9c997f9233a58af92b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:25 +0200
|
||||
Subject: [PATCH] checkpolicy: use correct format specifier for unsigned
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
test/dispol.c:288:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
|
||||
snprintf(buf, sizeof(buf), "unknown (%d)", i);
|
||||
^
|
||||
test/dismod.c:830:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
|
||||
snprintf(buf, sizeof(buf), "unknown (%d)", i);
|
||||
^
|
||||
|
||||
Found by Cppcheck.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/test/dismod.c | 2 +-
|
||||
checkpolicy/test/dispol.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
|
||||
index 3408e9b6b767..fadbc8d16695 100644
|
||||
--- a/checkpolicy/test/dismod.c
|
||||
+++ b/checkpolicy/test/dismod.c
|
||||
@@ -827,7 +827,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
|
||||
ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
|
||||
capname = sepol_polcap_getname(i);
|
||||
if (capname == NULL) {
|
||||
- snprintf(buf, sizeof(buf), "unknown (%d)", i);
|
||||
+ snprintf(buf, sizeof(buf), "unknown (%u)", i);
|
||||
capname = buf;
|
||||
}
|
||||
fprintf(fp, "\t%s\n", capname);
|
||||
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
|
||||
index 8785b7252824..37f71842c9e6 100644
|
||||
--- a/checkpolicy/test/dispol.c
|
||||
+++ b/checkpolicy/test/dispol.c
|
||||
@@ -285,7 +285,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
|
||||
ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
|
||||
capname = sepol_polcap_getname(i);
|
||||
if (capname == NULL) {
|
||||
- snprintf(buf, sizeof(buf), "unknown (%d)", i);
|
||||
+ snprintf(buf, sizeof(buf), "unknown (%u)", i);
|
||||
capname = buf;
|
||||
}
|
||||
fprintf(fp, "\t%s\n", capname);
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,75 +0,0 @@
|
|||
From 79e7724930d49cc8cdac4c7d4e80b1fafd22d1d7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:26 +0200
|
||||
Subject: [PATCH] checkpolicy: follow declaration-after-statement
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Follow the project style of no declaration after statement.
|
||||
|
||||
Found by the GCC warning -Wdeclaration-after-statement.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/checkmodule.c | 6 ++++--
|
||||
checkpolicy/policy_define.c | 3 ++-
|
||||
checkpolicy/test/dismod.c | 2 +-
|
||||
3 files changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
|
||||
index 40d0ec9924e9..316b289865e1 100644
|
||||
--- a/checkpolicy/checkmodule.c
|
||||
+++ b/checkpolicy/checkmodule.c
|
||||
@@ -288,14 +288,16 @@ int main(int argc, char **argv)
|
||||
}
|
||||
|
||||
if (policy_type != POLICY_BASE && outfile) {
|
||||
+ char *out_name;
|
||||
+ char *separator;
|
||||
char *mod_name = modpolicydb.name;
|
||||
char *out_path = strdup(outfile);
|
||||
if (out_path == NULL) {
|
||||
fprintf(stderr, "%s: out of memory\n", argv[0]);
|
||||
exit(1);
|
||||
}
|
||||
- char *out_name = basename(out_path);
|
||||
- char *separator = strrchr(out_name, '.');
|
||||
+ out_name = basename(out_path);
|
||||
+ separator = strrchr(out_name, '.');
|
||||
if (separator) {
|
||||
*separator = '\0';
|
||||
}
|
||||
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
||||
index 7eff747adacf..049df55f8468 100644
|
||||
--- a/checkpolicy/policy_define.c
|
||||
+++ b/checkpolicy/policy_define.c
|
||||
@@ -1904,9 +1904,10 @@ int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
|
||||
{
|
||||
char *id;
|
||||
struct av_ioctl_range_list *rnew, *r = NULL;
|
||||
- *rangehead = NULL;
|
||||
uint8_t omit = 0;
|
||||
|
||||
+ *rangehead = NULL;
|
||||
+
|
||||
/* read in all the ioctl commands */
|
||||
while ((id = queue_remove(id_queue))) {
|
||||
if (strcmp(id,"~") == 0) {
|
||||
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
|
||||
index fadbc8d16695..b1b96115e79e 100644
|
||||
--- a/checkpolicy/test/dismod.c
|
||||
+++ b/checkpolicy/test/dismod.c
|
||||
@@ -697,8 +697,8 @@ int display_avblock(int field, policydb_t * policy,
|
||||
{
|
||||
avrule_block_t *block = policydb.global;
|
||||
while (block != NULL) {
|
||||
- fprintf(out_fp, "--- begin avrule block ---\n");
|
||||
avrule_decl_t *decl = block->branch_list;
|
||||
+ fprintf(out_fp, "--- begin avrule block ---\n");
|
||||
while (decl != NULL) {
|
||||
if (display_avdecl(decl, field, policy, out_fp)) {
|
||||
return -1;
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
From 7723180fa09b0c483c07a76a4678f2c2cd51bff6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:27 +0200
|
||||
Subject: [PATCH] checkpolicy: remove dead assignments
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The variable `cladatum` is otherwise always assigned before used, so
|
||||
these two assignments without a follow up usages are not needed.
|
||||
|
||||
Found by clang-analyzer.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/checkpolicy.c | 4 ----
|
||||
1 file changed, 4 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
|
||||
index b52595a87b29..58edcc34e8cc 100644
|
||||
--- a/checkpolicy/checkpolicy.c
|
||||
+++ b/checkpolicy/checkpolicy.c
|
||||
@@ -1179,8 +1179,6 @@ int main(int argc, char **argv)
|
||||
printf("\nNo such class.\n");
|
||||
break;
|
||||
}
|
||||
- cladatum =
|
||||
- policydb.class_val_to_struct[tclass - 1];
|
||||
} else {
|
||||
ans[strlen(ans) - 1] = 0;
|
||||
cladatum =
|
||||
@@ -1232,8 +1230,6 @@ int main(int argc, char **argv)
|
||||
printf("\nNo such class.\n");
|
||||
break;
|
||||
}
|
||||
- cladatum =
|
||||
- policydb.class_val_to_struct[tclass - 1];
|
||||
} else {
|
||||
ans[strlen(ans) - 1] = 0;
|
||||
cladatum =
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
From 5a10f05f53ef78c48ebce3d512960c71100073d0 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:28 +0200
|
||||
Subject: [PATCH] checkpolicy: check before potential NULL dereference
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
policy_define.c: In function ‘define_te_avtab_extended_perms’:
|
||||
policy_define.c:1946:17: error: potential null pointer dereference [-Werror=null-dereference]
|
||||
1946 | r->omit = omit;
|
||||
| ^
|
||||
|
||||
In the case of `r` being NULL, avrule_read_ioctls() would return
|
||||
with its parameter `rangehead` being a pointer to NULL, which is
|
||||
considered a failure in its caller `avrule_ioctl_ranges`.
|
||||
So it is not necessary to alter the return value.
|
||||
|
||||
Found by GCC 11 with LTO enabled.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/policy_define.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
||||
index 049df55f8468..887857851504 100644
|
||||
--- a/checkpolicy/policy_define.c
|
||||
+++ b/checkpolicy/policy_define.c
|
||||
@@ -1943,7 +1943,9 @@ int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
|
||||
}
|
||||
}
|
||||
r = *rangehead;
|
||||
- r->omit = omit;
|
||||
+ if (r) {
|
||||
+ r->omit = omit;
|
||||
+ }
|
||||
return 0;
|
||||
error:
|
||||
yyerror("out of memory");
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,62 +0,0 @@
|
|||
From 5218bf4b262ae6c3aa0ec72c5116a73bbdb7806f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:29 +0200
|
||||
Subject: [PATCH] checkpolicy: avoid potential use of uninitialized variable
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
checkpolicy.c: In function ‘main’:
|
||||
checkpolicy.c:1000:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
|
||||
1000 | printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
|
||||
| ^
|
||||
|
||||
checkpolicy.c: In function ‘main’:
|
||||
checkpolicy.c:971:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
|
||||
971 | printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
|
||||
| ^
|
||||
|
||||
Found by GCC 11 with LTO enabled.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/checkpolicy.c | 16 ++++++++++++----
|
||||
1 file changed, 12 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
|
||||
index 58edcc34e8cc..e6cfd3372022 100644
|
||||
--- a/checkpolicy/checkpolicy.c
|
||||
+++ b/checkpolicy/checkpolicy.c
|
||||
@@ -970,8 +970,12 @@ int main(int argc, char **argv)
|
||||
printf("fs kdevname? ");
|
||||
FGETS(ans, sizeof(ans), stdin);
|
||||
ans[strlen(ans) - 1] = 0;
|
||||
- sepol_fs_sid(ans, &ssid, &tsid);
|
||||
- printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
|
||||
+ ret = sepol_fs_sid(ans, &ssid, &tsid);
|
||||
+ if (ret) {
|
||||
+ printf("unknown fs kdevname\n");
|
||||
+ } else {
|
||||
+ printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
|
||||
+ }
|
||||
break;
|
||||
case '9':
|
||||
printf("protocol? ");
|
||||
@@ -999,8 +1003,12 @@ int main(int argc, char **argv)
|
||||
printf("netif name? ");
|
||||
FGETS(ans, sizeof(ans), stdin);
|
||||
ans[strlen(ans) - 1] = 0;
|
||||
- sepol_netif_sid(ans, &ssid, &tsid);
|
||||
- printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
|
||||
+ ret = sepol_netif_sid(ans, &ssid, &tsid);
|
||||
+ if (ret) {
|
||||
+ printf("unknown name\n");
|
||||
+ } else {
|
||||
+ printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
|
||||
+ }
|
||||
break;
|
||||
case 'b':{
|
||||
char *p;
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
From 4e3d0990c6be73419df3c32b7de98c992797e3ef Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:30 +0200
|
||||
Subject: [PATCH] checkpolicy: drop redundant cast to the same type
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Found by clang-tidy.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/policy_define.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
||||
index 887857851504..efe3a1a26315 100644
|
||||
--- a/checkpolicy/policy_define.c
|
||||
+++ b/checkpolicy/policy_define.c
|
||||
@@ -1796,7 +1796,7 @@ int define_bool_tunable(int is_tunable)
|
||||
return -1;
|
||||
}
|
||||
|
||||
- datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
|
||||
+ datum->state = (bool_value[0] == 'T') ? 1 : 0;
|
||||
free(bool_value);
|
||||
return 0;
|
||||
cleanup:
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
From 47f4cbd357fa0b0dc46e2e95ce10fc2d9a586061 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:31 +0200
|
||||
Subject: [PATCH] checkpolicy: parse_util drop unused declaration
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/parse_util.c | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c
|
||||
index f2809b483be3..1795e93c31e4 100644
|
||||
--- a/checkpolicy/parse_util.c
|
||||
+++ b/checkpolicy/parse_util.c
|
||||
@@ -28,7 +28,6 @@ extern int yyparse(void);
|
||||
extern void yyrestart(FILE *);
|
||||
extern queue_t id_queue;
|
||||
extern unsigned int policydb_errors;
|
||||
-extern unsigned long policydb_lineno;
|
||||
extern policydb_t *policydbp;
|
||||
extern int mlspol;
|
||||
extern void set_source_file(const char *name);
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,282 +0,0 @@
|
|||
From b306cd5b90979a4d6e1a85b842835deb77272873 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:32 +0200
|
||||
Subject: [PATCH] checkpolicy/test: mark file local functions static
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/test/dismod.c | 36 ++++++++++++++++++------------------
|
||||
checkpolicy/test/dispol.c | 22 +++++++++++-----------
|
||||
2 files changed, 29 insertions(+), 29 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
|
||||
index b1b96115e79e..90c293186afd 100644
|
||||
--- a/checkpolicy/test/dismod.c
|
||||
+++ b/checkpolicy/test/dismod.c
|
||||
@@ -111,7 +111,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
|
||||
}
|
||||
}
|
||||
|
||||
-int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
|
||||
+static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
|
||||
FILE * fp)
|
||||
{
|
||||
unsigned int i, num_types;
|
||||
@@ -175,7 +175,7 @@ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
|
||||
+static int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
|
||||
{
|
||||
unsigned int i, num = 0;
|
||||
|
||||
@@ -210,7 +210,7 @@ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
|
||||
|
||||
}
|
||||
|
||||
-int display_avrule(avrule_t * avrule, policydb_t * policy,
|
||||
+static int display_avrule(avrule_t * avrule, policydb_t * policy,
|
||||
FILE * fp)
|
||||
{
|
||||
class_perm_node_t *cur;
|
||||
@@ -313,7 +313,7 @@ int display_avrule(avrule_t * avrule, policydb_t * policy,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
|
||||
+static int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
|
||||
{
|
||||
type_datum_t *type;
|
||||
FILE *fp;
|
||||
@@ -355,14 +355,14 @@ int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int display_types(policydb_t * p, FILE * fp)
|
||||
+static int display_types(policydb_t * p, FILE * fp)
|
||||
{
|
||||
if (hashtab_map(p->p_types.table, display_type_callback, fp))
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int display_users(policydb_t * p, FILE * fp)
|
||||
+static int display_users(policydb_t * p, FILE * fp)
|
||||
{
|
||||
unsigned int i, j;
|
||||
ebitmap_t *bitmap;
|
||||
@@ -381,7 +381,7 @@ int display_users(policydb_t * p, FILE * fp)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int display_bools(policydb_t * p, FILE * fp)
|
||||
+static int display_bools(policydb_t * p, FILE * fp)
|
||||
{
|
||||
unsigned int i;
|
||||
|
||||
@@ -392,7 +392,7 @@ int display_bools(policydb_t * p, FILE * fp)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
|
||||
+static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
|
||||
{
|
||||
|
||||
cond_expr_t *cur;
|
||||
@@ -427,14 +427,14 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
|
||||
}
|
||||
}
|
||||
|
||||
-void display_policycon(FILE * fp)
|
||||
+static void display_policycon(FILE * fp)
|
||||
{
|
||||
/* There was an attempt to implement this at one time. Look through
|
||||
* git history to find it. */
|
||||
fprintf(fp, "Sorry, not implemented\n");
|
||||
}
|
||||
|
||||
-void display_initial_sids(policydb_t * p, FILE * fp)
|
||||
+static void display_initial_sids(policydb_t * p, FILE * fp)
|
||||
{
|
||||
ocontext_t *cur;
|
||||
char *user, *role, *type;
|
||||
@@ -459,7 +459,7 @@ void display_initial_sids(policydb_t * p, FILE * fp)
|
||||
#endif
|
||||
}
|
||||
|
||||
-void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
|
||||
+static void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
|
||||
{
|
||||
unsigned int i, num = 0;
|
||||
|
||||
@@ -482,7 +482,7 @@ void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
|
||||
fprintf(fp, " }");
|
||||
}
|
||||
|
||||
-void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
|
||||
+static void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
|
||||
{
|
||||
for (; tr; tr = tr->next) {
|
||||
fprintf(fp, "role transition ");
|
||||
@@ -495,7 +495,7 @@ void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
|
||||
}
|
||||
}
|
||||
|
||||
-void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
|
||||
+static void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
|
||||
{
|
||||
for (; ra; ra = ra->next) {
|
||||
fprintf(fp, "role allow ");
|
||||
@@ -517,7 +517,7 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F
|
||||
}
|
||||
}
|
||||
|
||||
-int role_display_callback(hashtab_key_t key __attribute__((unused)),
|
||||
+static int role_display_callback(hashtab_key_t key __attribute__((unused)),
|
||||
hashtab_datum_t datum, void *data)
|
||||
{
|
||||
role_datum_t *role;
|
||||
@@ -611,7 +611,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp)
|
||||
}
|
||||
#endif
|
||||
|
||||
-int display_avdecl(avrule_decl_t * decl, int field,
|
||||
+static int display_avdecl(avrule_decl_t * decl, int field,
|
||||
policydb_t * policy, FILE * out_fp)
|
||||
{
|
||||
fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
|
||||
@@ -692,7 +692,7 @@ int display_avdecl(avrule_decl_t * decl, int field,
|
||||
return 0; /* should never get here */
|
||||
}
|
||||
|
||||
-int display_avblock(int field, policydb_t * policy,
|
||||
+static int display_avblock(int field, policydb_t * policy,
|
||||
FILE * out_fp)
|
||||
{
|
||||
avrule_block_t *block = policydb.global;
|
||||
@@ -710,7 +710,7 @@ int display_avblock(int field, policydb_t * policy,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int display_handle_unknown(policydb_t * p, FILE * out_fp)
|
||||
+static int display_handle_unknown(policydb_t * p, FILE * out_fp)
|
||||
{
|
||||
if (p->handle_unknown == ALLOW_UNKNOWN)
|
||||
fprintf(out_fp, "Allow unknown classes and perms\n");
|
||||
@@ -834,7 +834,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
|
||||
}
|
||||
}
|
||||
|
||||
-int menu(void)
|
||||
+static int menu(void)
|
||||
{
|
||||
printf("\nSelect a command:\n");
|
||||
printf("1) display unconditional AVTAB\n");
|
||||
diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
|
||||
index 37f71842c9e6..8ddefb04ac89 100644
|
||||
--- a/checkpolicy/test/dispol.c
|
||||
+++ b/checkpolicy/test/dispol.c
|
||||
@@ -42,7 +42,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
-int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
|
||||
+static int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
|
||||
FILE * fp)
|
||||
{
|
||||
char *perm;
|
||||
@@ -54,13 +54,13 @@ int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int render_type(uint32_t type, policydb_t * p, FILE * fp)
|
||||
+static int render_type(uint32_t type, policydb_t * p, FILE * fp)
|
||||
{
|
||||
fprintf(fp, "%s", p->p_type_val_to_name[type - 1]);
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
|
||||
+static int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
|
||||
{
|
||||
char *stype, *ttype, *tclass;
|
||||
stype = p->p_type_val_to_name[key->source_type - 1];
|
||||
@@ -84,7 +84,7 @@ int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
|
||||
#define RENDER_DISABLED 0x0004
|
||||
#define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)
|
||||
|
||||
-int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
|
||||
+static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
|
||||
policydb_t * p, FILE * fp)
|
||||
{
|
||||
if (!(what & RENDER_UNCONDITIONAL)) {
|
||||
@@ -163,7 +163,7 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
|
||||
+static int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
|
||||
{
|
||||
unsigned int i;
|
||||
avtab_ptr_t cur;
|
||||
@@ -178,7 +178,7 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int display_bools(policydb_t * p, FILE * fp)
|
||||
+static int display_bools(policydb_t * p, FILE * fp)
|
||||
{
|
||||
unsigned int i;
|
||||
|
||||
@@ -189,7 +189,7 @@ int display_bools(policydb_t * p, FILE * fp)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
|
||||
+static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
|
||||
{
|
||||
|
||||
cond_expr_t *cur;
|
||||
@@ -224,7 +224,7 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
|
||||
}
|
||||
}
|
||||
|
||||
-int display_cond_expressions(policydb_t * p, FILE * fp)
|
||||
+static int display_cond_expressions(policydb_t * p, FILE * fp)
|
||||
{
|
||||
cond_node_t *cur;
|
||||
cond_av_list_t *av_cur;
|
||||
@@ -249,7 +249,7 @@ int display_cond_expressions(policydb_t * p, FILE * fp)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int display_handle_unknown(policydb_t * p, FILE * out_fp)
|
||||
+static int display_handle_unknown(policydb_t * p, FILE * out_fp)
|
||||
{
|
||||
if (p->handle_unknown == ALLOW_UNKNOWN)
|
||||
fprintf(out_fp, "Allow unknown classes and permissions\n");
|
||||
@@ -260,7 +260,7 @@ int display_handle_unknown(policydb_t * p, FILE * out_fp)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int change_bool(char *name, int state, policydb_t * p, FILE * fp)
|
||||
+static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
|
||||
{
|
||||
cond_bool_datum_t *bool;
|
||||
|
||||
@@ -368,7 +368,7 @@ static void display_filename_trans(policydb_t *p, FILE *fp)
|
||||
hashtab_map(p->filename_trans, filenametr_display, &args);
|
||||
}
|
||||
|
||||
-int menu(void)
|
||||
+static int menu(void)
|
||||
{
|
||||
printf("\nSelect a command:\n");
|
||||
printf("1) display unconditional AVTAB\n");
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,81 +0,0 @@
|
|||
From 1711757378d1ff1e7437fd7d5ddf263272284641 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Tue, 6 Jul 2021 19:54:33 +0200
|
||||
Subject: [PATCH] checkpolicy: mark read-only parameters in policy define const
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Make it more obvious which parameters are read-only and not being
|
||||
modified and allow callers to pass const pointers.
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
---
|
||||
checkpolicy/policy_define.c | 15 ++++++++-------
|
||||
1 file changed, 8 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
||||
index efe3a1a26315..75a67d5c8a7c 100644
|
||||
--- a/checkpolicy/policy_define.c
|
||||
+++ b/checkpolicy/policy_define.c
|
||||
@@ -77,7 +77,7 @@ extern int yyerror(const char *msg);
|
||||
#define ERRORMSG_LEN 255
|
||||
static char errormsg[ERRORMSG_LEN + 1] = {0};
|
||||
|
||||
-static int id_has_dot(char *id);
|
||||
+static int id_has_dot(const char *id);
|
||||
static int parse_security_context(context_struct_t *c);
|
||||
|
||||
/* initialize all of the state variables for the scanner/parser */
|
||||
@@ -141,7 +141,7 @@ int insert_id(const char *id, int push)
|
||||
|
||||
/* If the identifier has a dot within it and that its first character
|
||||
is not a dot then return 1, else return 0. */
|
||||
-static int id_has_dot(char *id)
|
||||
+static int id_has_dot(const char *id)
|
||||
{
|
||||
if (strchr(id, '.') >= id + 1) {
|
||||
return 1;
|
||||
@@ -2172,7 +2172,7 @@ void avrule_xperm_setrangebits(uint16_t low, uint16_t high,
|
||||
}
|
||||
}
|
||||
|
||||
-int avrule_xperms_used(av_extended_perms_t *xperms)
|
||||
+int avrule_xperms_used(const av_extended_perms_t *xperms)
|
||||
{
|
||||
unsigned int i;
|
||||
|
||||
@@ -2347,7 +2347,7 @@ unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int avrule_cpy(avrule_t *dest, avrule_t *src)
|
||||
+int avrule_cpy(avrule_t *dest, const avrule_t *src)
|
||||
{
|
||||
class_perm_node_t *src_perms;
|
||||
class_perm_node_t *dest_perms, *dest_tail;
|
||||
@@ -2395,7 +2395,7 @@ int avrule_cpy(avrule_t *dest, avrule_t *src)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int define_te_avtab_ioctl(avrule_t *avrule_template)
|
||||
+int define_te_avtab_ioctl(const avrule_t *avrule_template)
|
||||
{
|
||||
avrule_t *avrule;
|
||||
struct av_ioctl_range_list *rangelist;
|
||||
@@ -3444,9 +3444,10 @@ bad:
|
||||
return -1;
|
||||
}
|
||||
|
||||
-static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
|
||||
+static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr)
|
||||
{
|
||||
- constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
|
||||
+ constraint_expr_t *h = NULL, *l = NULL, *newe;
|
||||
+ const constraint_expr_t *e;
|
||||
for (e = expr; e; e = e->next) {
|
||||
newe = malloc(sizeof(*newe));
|
||||
if (!newe)
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -1,33 +1,17 @@
|
|||
%define libselinuxver 3.2-5
|
||||
%define libsepolver 3.2-3
|
||||
%define libselinuxver 3.5-1
|
||||
%define libsepolver 3.5-1
|
||||
|
||||
Summary: SELinux policy compiler
|
||||
Name: checkpolicy
|
||||
Version: 3.2
|
||||
Release: 3%{?dist}
|
||||
Version: 3.5
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/checkpolicy-3.2.tar.gz
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/checkpolicy-3.5.tar.gz
|
||||
# $ git clone https://github.com/fedora-selinux/selinux.git
|
||||
# $ cd selinux
|
||||
# $ git format-patch -N 3.2 -- checkpolicy
|
||||
# $ git format-patch -N 3.5 -- checkpolicy
|
||||
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
||||
# Patch list start
|
||||
Patch0001: 0001-libsepol-checkpolicy-Set-user-roles-using-role-value.patch
|
||||
Patch0002: 0002-checkpolicy-Do-not-automatically-upgrade-when-using-.patch
|
||||
Patch0003: 0003-checkpolicy-silence-Wextra-semi-stmt-warning.patch
|
||||
Patch0004: 0004-checkpolicy-pass-CFLAGS-at-link-stage.patch
|
||||
Patch0005: 0005-checkpolicy-drop-pipe-compile-option.patch
|
||||
Patch0006: 0006-checkpolicy-simplify-assignment.patch
|
||||
Patch0007: 0007-checkpolicy-drop-dead-condition.patch
|
||||
Patch0008: 0008-checkpolicy-use-correct-format-specifier-for-unsigne.patch
|
||||
Patch0009: 0009-checkpolicy-follow-declaration-after-statement.patch
|
||||
Patch0010: 0010-checkpolicy-remove-dead-assignments.patch
|
||||
Patch0011: 0011-checkpolicy-check-before-potential-NULL-dereference.patch
|
||||
Patch0012: 0012-checkpolicy-avoid-potential-use-of-uninitialized-var.patch
|
||||
Patch0013: 0013-checkpolicy-drop-redundant-cast-to-the-same-type.patch
|
||||
Patch0014: 0014-checkpolicy-parse_util-drop-unused-declaration.patch
|
||||
Patch0015: 0015-checkpolicy-test-mark-file-local-functions-static.patch
|
||||
Patch0016: 0016-checkpolicy-mark-read-only-parameters-in-policy-defi.patch
|
||||
# Patch list end
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
|
@ -66,7 +50,7 @@ install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
|
|||
|
||||
%files
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%license LICENSE
|
||||
%{_bindir}/checkpolicy
|
||||
%{_bindir}/checkmodule
|
||||
%{_mandir}/man8/checkpolicy.8.gz
|
||||
|
@ -77,6 +61,34 @@ install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
|
|||
%{_bindir}/sedispol
|
||||
|
||||
%changelog
|
||||
* Thu Feb 23 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
|
||||
- SELinux userspace 3.5 release
|
||||
|
||||
* Wed Feb 15 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1
|
||||
- SELinux userspace 3.5-rc3 release
|
||||
|
||||
* Tue Jan 17 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
|
||||
- SELinux userspace 3.5-rc2 release
|
||||
|
||||
* Mon Jan 2 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
|
||||
- SELinux userspace 3.5-rc1 release
|
||||
|
||||
* Fri May 20 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-1
|
||||
- SELinux userspace 3.4 release
|
||||
|
||||
* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
|
||||
- SELinux userspace 3.3 release
|
||||
|
||||
* Mon Oct 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
|
||||
- SELinux userspace 3.3-rc3 release
|
||||
|
||||
* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
|
||||
- SELinux userspace 3.3-rc2 release
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-4
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3
|
||||
- Rebase on upstream commit 32611aea6543
|
||||
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
summary: selinux tests - Tier 1 | checkpolicy
|
||||
discover:
|
||||
how: fmf
|
||||
url: https://src.fedoraproject.org/tests/selinux
|
||||
filter: "tier:1 | component:checkpolicy"
|
||||
execute:
|
||||
how: tmt
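Review bot: The `discover` step at `url: https://src.fedoraproject.org/tests/selinux` carries no `ref:`, so the plan runs whatever that repository's default branch holds at execution time; the tests applied to this package can change without any commit here, which makes CI results for the same checkpolicy build non-reproducible. Pinning the checkout, e.g. `ref: <tests-branch-or-commit>` next to `url:` under `discover:`, keeps the test set tied to this spec revision and turns a test-set update into an explicit, reviewable change in this repo. The rendered view drops YAML indentation, so the nesting of `how`/`url`/`filter` under `discover` cannot be confirmed from here.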
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (checkpolicy-3.2.tar.gz) = 133639595c2acc66c02b5a637c5e0c60d80ce2bae04f4a709d9fafabd31f9497d1a6e3334904b985c2a1bd94a7a7e3df782c2af2ae41d1fd79b69156a835edeb
|
||||
SHA512 (checkpolicy-3.5.tar.gz) = fcd490d865af3b4350c32c5dd9916f8406219841e1e255d8945c6dcc958535247aa27af5597a6988e19f11faea7beeabcb46e8ba2431112bb4aa5c7697bca529
|
||||
|
|
|
@ -1,67 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/checkpolicy/Sanity/checkmodule
|
||||
# Description: runs checkmodule with various options to find out if it behaves correctly
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/checkpolicy/Sanity/checkmodule
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE mypolicy.te
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: runs checkmodule with various options to find out if it behaves correctly" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 10m" >> $(METADATA)
|
||||
@echo "RunFor: checkpolicy" >> $(METADATA)
|
||||
@echo "Requires: checkpolicy" >> $(METADATA)
|
||||
@echo "Requires: man" >> $(METADATA)
|
||||
@echo "Requires: grep" >> $(METADATA)
|
||||
@echo "Requires: mktemp" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
PURPOSE of /CoreOS/checkpolicy/Sanity/checkmodule
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
||||
This TC runs checkmodule with various options to find out if it behaves correctly.
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
module mypolicy 1.0;
|
||||
require {
|
||||
type httpd_log_t;
|
||||
type postfix_postdrop_t;
|
||||
class dir getattr;
|
||||
class file { read getattr };
|
||||
}
|
||||
allow postfix_postdrop_t httpd_log_t:file getattr;
|
||||
|
|
@ -1,101 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/checkpolicy/Sanity/checkmodule
|
||||
# Description: runs checkmodule with various options to find out if it behaves correctly
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include rhts environment
|
||||
. /usr/bin/rhts-environment.sh
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
|
||||
PACKAGE="checkpolicy"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
TEST_FILE=`mktemp`
|
||||
TEST_DIR=`mktemp -d`
|
||||
rlRun "rpm -ql ${PACKAGE} | grep bin/checkmodule"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "checkmodule >& ${TEST_FILE}" 1
|
||||
rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE}
|
||||
rlRun "checkmodule -b >& ${TEST_FILE}" 1
|
||||
rlAssertGrep "loading policy configuration from policy" ${TEST_FILE}
|
||||
rlRun "checkmodule -V"
|
||||
rlRun "checkmodule -U 1>/dev/null" 1
|
||||
rlRun "rm -f policy.conf"
|
||||
for OPTION in "deny" "reject" "allow" ; do
|
||||
rlRun "checkmodule -U ${OPTION} >& ${TEST_FILE}" 1
|
||||
rlAssertGrep "unable to open policy.conf" ${TEST_FILE}
|
||||
done
|
||||
rlRun "rm -f ${TEST_FILE}"
|
||||
rlRun "touch ${TEST_FILE}"
|
||||
rlRun "rm -rf ${TEST_DIR}"
|
||||
rlRun "mkdir ${TEST_DIR}"
|
||||
rlRun "checkmodule ${TEST_FILE}" 1,2
|
||||
rlRun "checkmodule -b ${TEST_FILE}" 1
|
||||
rlRun "checkmodule ${TEST_DIR}" 1,2
|
||||
rlRun "checkmodule -b ${TEST_DIR}" 1
|
||||
rlRun "rm -f ${TEST_FILE}"
|
||||
rlRun "rm -rf ${TEST_DIR}"
|
||||
rlRun "checkmodule ${TEST_FILE}" 1
|
||||
rlRun "checkmodule -b ${TEST_FILE}" 1
|
||||
if rlIsRHEL 5 ; then
|
||||
rlRun "checkmodule --help 2>&1 | grep -- -d"
|
||||
fi
|
||||
rlRun "checkmodule --help 2>&1 | grep -- -h"
|
||||
rlRun "checkmodule --help 2>&1 | grep -- -U"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
for POLICY_KIND in minimum mls targeted ; do
|
||||
rlRun "checkmodule -M -m -b -o testmod.mod /etc/selinux/${POLICY_KIND}/policy/policy.* >& ${TEST_FILE}" 1
|
||||
rlRun "grep -i \"checkmodule.*-b and -m are incompatible with each other\" ${TEST_FILE}"
|
||||
done
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
INPUT_FILE="mypolicy.te"
|
||||
OUTPUT_FILE="mypolicy.output"
|
||||
rlRun "ls -l ${INPUT_FILE}"
|
||||
rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\""
|
||||
rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing binary representation.*to ${OUTPUT_FILE}\""
|
||||
rlRun "ls -l ${OUTPUT_FILE}"
|
||||
if checkmodule --help | grep -q " CIL " ; then
|
||||
rlRun "rm -f ${OUTPUT_FILE}"
|
||||
rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\""
|
||||
rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing CIL to ${OUTPUT_FILE}\""
|
||||
rlRun "ls -l ${OUTPUT_FILE}"
|
||||
fi
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "rm -rf ${TEST_FILE} ${TEST_DIR} ${OUTPUT_FILE}"
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy
|
||||
# Description: covers an issue where manpage included an unsupported option.
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: covers an issue where manpage included an unsupported option." >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 1m" >> $(METADATA)
|
||||
@echo "RunFor: checkpolicy" >> $(METADATA)
|
||||
@echo "Requires: checkpolicy" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy
|
||||
|
||||
Description: covers an issue where manpage included an unsupported option.
|
||||
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy-docs
|
||||
# Description: covers an issue where manpage included an unsupported option.
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include rhts environment
|
||||
. /usr/bin/rhts-environment.sh
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
|
||||
PACKAGE="checkpolicy"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
rlAssertExists "/usr/share/man/man8/checkpolicy.8.gz"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "man checkpolicy | col -b | grep -- '-m]'" 1
|
||||
rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/.*checkmodule"
|
||||
if rlIsRHEL 5 ; then
|
||||
rlRun "man checkmodule | col -b | grep -- -d"
|
||||
fi
|
||||
rlRun "man checkmodule | col -b | grep -- -h"
|
||||
rlRun "man checkmodule | col -b | grep -- -U"
|
||||
rlPhaseEnd
|
||||
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy
|
||||
# Description: runs checkpolicy with various options to find out if it behaves correctly
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE policy.conf.from.secilc
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: runs checkpolicy with various options to find out if it behaves correctly" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 10m" >> $(METADATA)
|
||||
@echo "RunFor: checkpolicy setools" >> $(METADATA)
|
||||
@echo "Requires: checkpolicy setools-console selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy
|
||||
|
||||
Description: runs checkpolicy with various options to find out if it behaves correctly
|
||||
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
||||
|
|
@ -1,143 +0,0 @@
|
|||
class file
|
||||
class process
|
||||
class char
|
||||
|
||||
sid kernel
|
||||
sid security
|
||||
sid unlabeled
|
||||
|
||||
common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton }
|
||||
|
||||
class file inherits file { execute_no_trans entrypoint execmod open audit_access }
|
||||
class char inherits file { foo transition }
|
||||
class process { open }
|
||||
|
||||
sensitivity s0 alias sens0;
|
||||
sensitivity s1;
|
||||
|
||||
dominance { s0 s1 }
|
||||
|
||||
category c0 alias cat0;
|
||||
category c1;
|
||||
category c2;
|
||||
|
||||
level s0:c0.c2;
|
||||
level s1:c0.c2;
|
||||
|
||||
mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2)));
|
||||
mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2));
|
||||
mlsconstrain file { open } (l1 dom h2);
|
||||
mlsconstrain file { open } (h1 domby l2);
|
||||
mlsconstrain file { open } (l1 incomp l2);
|
||||
|
||||
mlsvalidatetrans file (h1 domby l2);
|
||||
|
||||
attribute foo_type;
|
||||
attribute bar_type;
|
||||
attribute baz_type;
|
||||
attribute exec_type;
|
||||
|
||||
type bin_t, bar_type, exec_type;
|
||||
type kernel_t, foo_type, exec_type, baz_type;
|
||||
type security_t, baz_type;
|
||||
type unlabeled_t, baz_type;
|
||||
|
||||
type exec_t, baz_type;
|
||||
type console_t, baz_type;
|
||||
type auditadm_t, baz_type;
|
||||
type console_device_t, baz_type;
|
||||
type user_tty_device_t, baz_type;
|
||||
type device_t, baz_type;
|
||||
type getty_t, baz_type;
|
||||
type a_t, baz_type;
|
||||
type b_t, baz_type;
|
||||
|
||||
typealias bin_t alias sbin_t;
|
||||
|
||||
bool secure_mode false;
|
||||
bool console_login true;
|
||||
bool b1 false;
|
||||
|
||||
role system_r;
|
||||
role user_r;
|
||||
role system_r types bin_t;
|
||||
role system_r types kernel_t;
|
||||
role system_r types security_t;
|
||||
role system_r types unlabeled_t;
|
||||
|
||||
policycap open_perms;
|
||||
permissive device_t;
|
||||
|
||||
range_transition device_t console_t : file s0:c0 - s1:c0.c1;
|
||||
|
||||
type_transition device_t console_t : file console_device_t;
|
||||
type_member device_t bin_t : file exec_t;
|
||||
|
||||
if console_login{
|
||||
type_change auditadm_t console_device_t : file user_tty_device_t;
|
||||
}
|
||||
|
||||
role_transition system_r bin_t user_r;
|
||||
|
||||
auditallow device_t auditadm_t: file { open };
|
||||
dontaudit device_t auditadm_t: file { read };
|
||||
|
||||
allow system_r user_r;
|
||||
|
||||
allow console_t console_device_t: char { write setattr };
|
||||
allow console_t console_device_t: file { open read getattr };
|
||||
allow foo_type self: file { execute };
|
||||
allow bin_t device_t: file { execute };
|
||||
allow bin_t exec_t: file { execute };
|
||||
allow bin_t bin_t: file { execute };
|
||||
allow a_t b_t : file { write };
|
||||
allow console_t console_device_t: file { read write getattr setattr lock append };
|
||||
allow kernel_t kernel_t : file { execute };
|
||||
|
||||
if b1 {
|
||||
allow a_t b_t : file { read };
|
||||
}
|
||||
|
||||
if secure_mode{
|
||||
auditallow device_t exec_t: file { read write };
|
||||
}
|
||||
|
||||
if console_login{
|
||||
allow getty_t console_device_t: file { getattr open read write append };
|
||||
}
|
||||
else {
|
||||
dontaudit getty_t console_device_t: file { getattr open read write append };
|
||||
}
|
||||
|
||||
if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){
|
||||
allow bin_t exec_t: file { execute };
|
||||
}
|
||||
|
||||
user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1;
|
||||
user user_u roles user_r level s0:c0 range s0:c0 - s0:c0;
|
||||
|
||||
validatetrans file (t1 == exec_t);
|
||||
|
||||
constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
|
||||
constrain file { open } (r1 dom r2);
|
||||
constrain file { open } (r1 domby r2);
|
||||
constrain file { open } (r1 incomp r2);
|
||||
constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
|
||||
constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
|
||||
|
||||
|
||||
sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1
|
||||
sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1
|
||||
sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1
|
||||
|
||||
fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1;
|
||||
|
||||
genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
||||
|
||||
portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
||||
portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
||||
|
||||
netifcon eth0 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
||||
|
||||
nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
||||
nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1
|
|
@ -1,153 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy
|
||||
# Description: runs checkpolicy with various options to find out if it behaves correctly
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include rhts environment
|
||||
. /usr/bin/rhts-environment.sh
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
|
||||
PACKAGE="checkpolicy"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
rlAssertRpm selinux-policy-minimum
|
||||
rlAssertRpm selinux-policy-mls
|
||||
rlAssertRpm selinux-policy-targeted
|
||||
rlRun "uname -a"
|
||||
TEST_FILE=`mktemp`
|
||||
TEST_DIR=`mktemp -d`
|
||||
OUTPUT_FILE=`mktemp`
|
||||
rlAssertExists "/usr/bin/checkpolicy"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "compilation from policy.conf"
|
||||
MIN_VERSION="15"
|
||||
MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . -f 2 | head -n 1`
|
||||
if rlIsRHEL 5 6 ; then
|
||||
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}`
|
||||
else
|
||||
# some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23"
|
||||
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23`
|
||||
fi
|
||||
for CUR_VERSION in ${VERSIONS} ; do
|
||||
rlRun "rm -f policy.out"
|
||||
rlWatchdog "checkpolicy -M -c ${CUR_VERSION} -o policy.out policy.conf.from.secilc" 15
|
||||
if [ -s policy.out ] ; then
|
||||
rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}"
|
||||
else
|
||||
rlRun "ls -l policy.out"
|
||||
fi
|
||||
done
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "checkpolicy >& ${TEST_FILE}" 1
|
||||
rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE}
|
||||
rlRun "checkpolicy -b >& ${TEST_FILE}" 1
|
||||
rlAssertGrep "loading policy configuration from policy" ${TEST_FILE}
|
||||
rlRun "checkpolicy -V"
|
||||
rlRun "checkpolicy -U 2>&1 | grep \"option requires an argument\""
|
||||
rlRun "checkpolicy -U xyz" 1
|
||||
rlRun "rm -f policy.conf"
|
||||
if ! rlIsRHEL 4 ; then
|
||||
for OPTION in "deny" "reject" "allow" ; do
|
||||
rlRun "checkpolicy -U ${OPTION} >& ${TEST_FILE}" 1
|
||||
rlAssertGrep "unable to open policy.conf" ${TEST_FILE}
|
||||
done
|
||||
fi
|
||||
rlRun "rm -f ${TEST_FILE}"
|
||||
rlRun "touch ${TEST_FILE}"
|
||||
rlRun "rm -rf ${TEST_DIR}"
|
||||
rlRun "mkdir ${TEST_DIR}"
|
||||
rlRun "checkpolicy ${TEST_FILE}" 1,2
|
||||
rlRun "checkpolicy -b ${TEST_FILE}" 1
|
||||
rlRun "checkpolicy ${TEST_DIR}" 1,2
|
||||
rlRun "checkpolicy -b ${TEST_DIR}" 1
|
||||
rlRun "rm -f ${TEST_FILE}"
|
||||
rlRun "rm -rf ${TEST_DIR}"
|
||||
rlRun "checkpolicy ${TEST_FILE}" 1
|
||||
rlRun "checkpolicy -b ${TEST_FILE}" 1
|
||||
rlRun "checkpolicy -c 2>&1 | grep \"option requires an argument\""
|
||||
rlRun "checkpolicy -c 0 2>&1 | grep \"value 0 not in range\""
|
||||
rlRun "checkpolicy -t 2>&1 | grep \"option requires an argument\""
|
||||
rlRun "checkpolicy -t xyz 2>&1 | grep -i \"unknown target platform\""
|
||||
rlRun "checkpolicy --help 2>&1 | grep -- '-m]'" 1
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
if rlIsRHEL 5 6 ; then
|
||||
ACTIVE_POLICY="/selinux/policy"
|
||||
else
|
||||
ACTIVE_POLICY="/sys/fs/selinux/policy"
|
||||
fi
|
||||
rlRun "echo -e 'q\n' | checkpolicy -Mdb ${ACTIVE_POLICY} | tee ${OUTPUT_FILE}"
|
||||
rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1
|
||||
for POLICY_TYPE in minimum mls targeted ; do
|
||||
if [ ! -e /etc/selinux/${POLICY_TYPE}/policy/policy.* ] ; then
|
||||
continue
|
||||
fi
|
||||
rlRun "echo -e 'q\n' | checkpolicy -Mdb /etc/selinux/${POLICY_TYPE}/policy/policy.* | tee ${OUTPUT_FILE}"
|
||||
rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1
|
||||
done
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
if rlIsRHEL 5 6 ; then
|
||||
ACTIVE_POLICY_TREE="/selinux"
|
||||
else # RHEL-7 and above
|
||||
ACTIVE_POLICY_TREE="/sys/fs/selinux"
|
||||
fi
|
||||
MIN_VERSION="15"
|
||||
MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . -f 2 | head -n 1`
|
||||
for POLICY_TYPE in minimum mls targeted ; do
|
||||
if rlIsRHEL 5 6 ; then
|
||||
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}`
|
||||
else
|
||||
# some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23"
|
||||
VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23`
|
||||
fi
|
||||
for CUR_VERSION in ${VERSIONS} ; do
|
||||
rlRun "rm -f policy.out"
|
||||
rlWatchdog "checkpolicy -b -M -c ${CUR_VERSION} -o policy.out /etc/selinux/${POLICY_TYPE}/policy/policy.${MAX_VERSION}" 15
|
||||
if [ -s policy.out ] ; then
|
||||
rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}"
|
||||
else
|
||||
rlRun "ls -l policy.out"
|
||||
fi
|
||||
done
|
||||
done
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rm -f ${OUTPUT_FILE} policy.out
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/checkpolicy/Sanity/sedismod
|
||||
# Description: Does sedismod work correctly ?)
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/checkpolicy/Sanity/sedismod
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE sedismod.exp
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
test -x sedismod.exp || chmod a+x sedismod.exp
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: Does sedismod work correctly?" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 10m" >> $(METADATA)
|
||||
@echo "RunFor: checkpolicy" >> $(METADATA)
|
||||
@echo "Requires: checkpolicy selinux-policy-targeted expect policycoreutils psmisc" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
PURPOSE of /CoreOS/checkpolicy/Sanity/sedismod
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
||||
Does sedismod work correctly?
|
||||
|
|
@ -1,83 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/checkpolicy/Sanity/sedismod
|
||||
# Description: Does sedismod work correctly
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/bin/rhts-environment.sh || exit 1
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="checkpolicy"
|
||||
# TODO: repeat for all policy modules that are installed under /etc/selinux
|
||||
if rlIsFedora ; then
|
||||
POLICY_FILE="`find /var/lib/selinux/targeted -type d -name base`/hll"
|
||||
elif rlIsRHEL '<7.3' ; then
|
||||
POLICY_FILE=`find /etc/selinux/targeted -type f -name base.pp`
|
||||
else # RHEL-7.3 and above
|
||||
POLICY_FILE="`find /etc/selinux/targeted -type d -name base`/hll"
|
||||
fi
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
OUTPUT_FILE=`mktemp`
|
||||
if rlIsRHEL '>=7.3' || rlIsFedora ; then
|
||||
rlRun "semodule -H -E base"
|
||||
else
|
||||
rlRun "cp ${POLICY_FILE} ./base.pp.bz2"
|
||||
rlRun "rm -f base.pp"
|
||||
rlRun "bzip2 -d ./base.pp.bz2"
|
||||
fi
|
||||
POLICY_FILE="base.pp"
|
||||
rlRun "ls -l ${POLICY_FILE}"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "check all available options"
|
||||
if rlIsRHEL 6 ; then
|
||||
AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 0 a b c u"
|
||||
else # RHEL-7 and above
|
||||
AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 9 0 a b c u F"
|
||||
fi
|
||||
for OPTION in ${AVAILABLE_OPTIONS} ; do
|
||||
rlRun "rm -f ${OUTPUT_FILE}"
|
||||
rlWatchdog "./sedismod.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
|
||||
# rlWatchdog kills the expect script, but we need to kill the sedismod process too
|
||||
rlRun "killall sedismod" 0,1
|
||||
rlRun "ls -l ${OUTPUT_FILE}"
|
||||
if [ -s ${OUTPUT_FILE} ] ; then
|
||||
rlPass "sedismod produced some output"
|
||||
else
|
||||
rlFail "sedismod did not produce any output"
|
||||
fi
|
||||
done
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "rm -f ${OUTPUT_FILE} ${POLICY_FILE}"
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/expect -f
|
||||
# ./sedismod.exp option policyfile outputfile
|
||||
set option [lrange $argv 0 0]
|
||||
set policyfile [lrange $argv 1 1]
|
||||
set outputfile [lrange $argv 2 2]
|
||||
set timeout 60
|
||||
spawn sedismod $policyfile
|
||||
expect "Command*:" {
|
||||
send -- "f\r"
|
||||
}
|
||||
expect "Filename*:" {
|
||||
send -- "$outputfile\r"
|
||||
}
|
||||
expect "Command*:" {
|
||||
send -- "$option\r"
|
||||
}
|
||||
expect "Command*:" {
|
||||
send -- "q\r"
|
||||
}
|
||||
expect eof
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/checkpolicy/Sanity/sedispol
|
||||
# Description: Does sedispol work correctly?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/checkpolicy/Sanity/sedispol
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE sedispol.exp
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
test -x sedispol.exp || chmod a+x sedispol.exp
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: Does sedispol work correctly?" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 10m" >> $(METADATA)
|
||||
@echo "RunFor: checkpolicy" >> $(METADATA)
|
||||
@echo "Requires: checkpolicy selinux-policy expect" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
PURPOSE of /CoreOS/checkpolicy/Sanity/sedispol
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
||||
Does sedispol work correctly?
|
||||
|
|
@ -1,77 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/checkpolicy/Sanity/sedispol
|
||||
# Description: Does sedispol work correctly?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/bin/rhts-environment.sh || exit 1
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="checkpolicy"
|
||||
# TODO: repeat for all policy files that are installed under /etc/selinux
|
||||
POLICY_FILE=`find /etc/selinux/targeted/policy/ -type f`
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
OUTPUT_FILE=`mktemp`
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
if rlIsRHEL 6 ; then
|
||||
AVAILABLE_OPTIONS="1 2 3 4 5 6 c p u"
|
||||
else # RHEL-7 and above
|
||||
AVAILABLE_OPTIONS="1 2 3 4 5 6 8 c p u F"
|
||||
fi
|
||||
for OPTION in ${AVAILABLE_OPTIONS} ; do
|
||||
rlRun "rm -f ${OUTPUT_FILE}"
|
||||
rlWatchdog "./sedispol.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
|
||||
# rlWatchdog kills the expect script, but we need to kill the sedispol process too
|
||||
rlRun "killall sedispol" 0,1
|
||||
rlRun "ls -l ${OUTPUT_FILE}"
|
||||
if [ -s ${OUTPUT_FILE} ] ; then
|
||||
rlPass "sedispol produced some output"
|
||||
else
|
||||
rlFail "sedispol did not produce any output"
|
||||
fi
|
||||
done
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "echo q | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
|
||||
rlRun "grep AVTAB ${OUTPUT_FILE}"
|
||||
rlRun "grep AVTAG ${OUTPUT_FILE}" 1
|
||||
rlRun "echo -en 'u\nq\n' | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
|
||||
rlRun "grep permissions ${OUTPUT_FILE}"
|
||||
rlRun "grep permisions ${OUTPUT_FILE}" 1
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "rm -f ${OUTPUT_FILE}"
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
#!/usr/bin/expect -f
|
||||
# ./sedispol.exp option policyfile outputfile
|
||||
set option [lrange $argv 0 0]
|
||||
set policyfile [lrange $argv 1 1]
|
||||
set outputfile [lrange $argv 2 2]
|
||||
set timeout 60
|
||||
spawn sedispol $policyfile
|
||||
expect "Command*:" {
|
||||
send -- "f\r"
|
||||
}
|
||||
expect "Filename*:" {
|
||||
send -- "$outputfile\r"
|
||||
}
|
||||
expect "Command*:" {
|
||||
send -- "$option\r"
|
||||
}
|
||||
expect "Command*:" {
|
||||
send -- "q\r"
|
||||
}
|
||||
expect eof
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
---
|
||||
# Tests for Classic
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- role: standard-test-beakerlib
|
||||
tags:
|
||||
- classic
|
||||
repositories:
|
||||
- repo: "https://src.fedoraproject.org/tests/selinux.git"
|
||||
dest: "selinux"
|
||||
fmf_filter: "tier:1 | component:checkpolicy"
|
||||
|
||||
# Tests for Container
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- role: standard-test-beakerlib
|
||||
tags:
|
||||
- container
|
||||
repositories:
|
||||
- repo: "https://src.fedoraproject.org/tests/selinux.git"
|
||||
dest: "selinux"
|
||||
tests:
|
||||
- selinux/checkpolicy/checkmodule
|
||||
- selinux/checkpolicy/checkpolicy
|
||||
- selinux/checkpolicy/sedismod
|
||||
- selinux/checkpolicy/sedispol
|
||||
required_packages:
|
||||
- checkpolicy # Required by all tests
|
||||
- grep # Required by checkmodule
|
||||
- coreutils # Required by checkmodule
|
||||
- setools-console # Required by checkpolicy
|
||||
- selinux-policy-minimum # Required by checkpolicy
|
||||
- selinux-policy-mls # Required by checkpolicy
|
||||
- selinux-policy-targeted # Required by checkpolicy and sedismod
|
||||
- expect # Required by sedismod and sedispol
|
||||
- policycoreutils # Required by sedismod
|
||||
- psmisc # Required by sedismod
|
||||
- selinux-policy # Required by sedispol
|