
[3/3] audit2allow: tests should use local copy not system

Message ID 1471578317-22785-3-git-send-email-jason@perfinion.com (mailing list archive)
State Not Applicable

Commit Message

Jason Zaman Aug. 19, 2016, 3:45 a.m. UTC
The tests currently just executed "audit2allow" which meant search in
$PATH. They should instead test the one in the pwd. The files in the
repo are not executable so prefix with "python" also.

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
 policycoreutils/audit2allow/test_audit2allow.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Jason Zaman Aug. 19, 2016, 3:56 a.m. UTC | #1
On Fri, Aug 19, 2016 at 11:45:17AM +0800, Jason Zaman wrote:
> The tests currently just executed "audit2allow" which meant search in
> $PATH. They should instead test the one in the pwd. The files in the
> repo are not executable so prefix with "python" also.

Additionally, this test doesn't actually work that well. I get these
denials and an error: "No SELinux Policy installed"

allow staff_t policy_config_t:dir { getattr open read search };
allow staff_t policy_config_t:file { getattr open read };
allow staff_t security_t:security read_policy;

And if I grant them I get a ton of messages about unknown types. Gentoo
installs modules only as needed so I don't have smb_t and several others.

Can we switch these tests to use some minimal pre-built policy instead
of reading the system one? I recall one of the other tests doing that
but can't seem to find the policy file right now.

-- Jason

> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
>  policycoreutils/audit2allow/test_audit2allow.py | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policycoreutils/audit2allow/test_audit2allow.py b/policycoreutils/audit2allow/test_audit2allow.py
> index 765c9ea..a826a9f 100644
> --- a/policycoreutils/audit2allow/test_audit2allow.py
> +++ b/policycoreutils/audit2allow/test_audit2allow.py
> @@ -33,7 +33,7 @@ class Audit2allowTests(unittest.TestCase):
>  
>      def test_audit2allow(self):
>          "Verify audit2allow works"
> -        p = Popen(['audit2allow', "-i", "test.log"], stdout=PIPE)
> +        p = Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE)
>          out, err = p.communicate()
>          if err:
>              print(out, err)
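
Review bot: The `if err:` check in the context lines of test_audit2allow can never fire, because Popen is called with `stdout=PIPE` only and communicate() then returns None for stderr. Since this line is being touched anyway, add `stderr=PIPE` so that errors from the local script (such as the "No SELinux Policy installed" message mentioned above) are actually captured and reported by the test.
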
> @@ -41,7 +41,7 @@ class Audit2allowTests(unittest.TestCase):
>  
>      def test_audit2why(self):
>          "Verify audit2why works"
> -        p = Popen(['audit2why', "-i", "test.log"], stdout=PIPE)
> +        p = Popen(['python', './audit2why', "-i", "test.log"], stdout=PIPE)
>          out, err = p.communicate()
>          if err:
>              print(out, err)
> -- 
> 2.7.3
>
Stephen Smalley Aug. 19, 2016, 2:42 p.m. UTC | #2
On 08/18/2016 11:45 PM, Jason Zaman wrote:
> The tests currently just executed "audit2allow" which meant search in
> $PATH. They should instead test the one in the pwd. The files in the
> repo are not executable so prefix with "python" also.
> 
> Signed-off-by: Jason Zaman <jason@perfinion.com>

Thanks, applied all three.

> ---
>  policycoreutils/audit2allow/test_audit2allow.py | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policycoreutils/audit2allow/test_audit2allow.py b/policycoreutils/audit2allow/test_audit2allow.py
> index 765c9ea..a826a9f 100644
> --- a/policycoreutils/audit2allow/test_audit2allow.py
> +++ b/policycoreutils/audit2allow/test_audit2allow.py
> @@ -33,7 +33,7 @@ class Audit2allowTests(unittest.TestCase):
>  
>      def test_audit2allow(self):
>          "Verify audit2allow works"
> -        p = Popen(['audit2allow', "-i", "test.log"], stdout=PIPE)
> +        p = Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE)
>          out, err = p.communicate()
>          if err:
>              print(out, err)
> @@ -41,7 +41,7 @@ class Audit2allowTests(unittest.TestCase):
>  
>      def test_audit2why(self):
>          "Verify audit2why works"
> -        p = Popen(['audit2why', "-i", "test.log"], stdout=PIPE)
> +        p = Popen(['python', './audit2why', "-i", "test.log"], stdout=PIPE)
>          out, err = p.communicate()
>          if err:
>              print(out, err)
>
Stephen Smalley Aug. 19, 2016, 2:46 p.m. UTC | #3
On 08/18/2016 11:56 PM, Jason Zaman wrote:
> On Fri, Aug 19, 2016 at 11:45:17AM +0800, Jason Zaman wrote:
>> The tests currently just executed "audit2allow" which meant search in
>> $PATH. They should instead test the one in the pwd. The files in the
>> repo are not executable so prefix with "python" also.
> 
> Additionally, this test doesn't actually work that well. I get these
> denials and an error: "No SELinux Policy installed"
> 
> allow staff_t policy_config_t:dir { getattr open read search };
> allow staff_t policy_config_t:file { getattr open read };
> allow staff_t security_t:security read_policy;
> 
> And if I grant them I get a ton of messages about unknown types. Gentoo
> installs modules only as needed so I don't have smb_t and several others.
> 
> Can we switch these tests to use some minimal pre-built policy instead
> of reading the system one? I recall one of the other tests doing that
> but can't seem to find the policy file right now.

I'd be fine with that, and that seems easy enough to do for audit2allow
(versus e.g. semanage, where it seems more problematic).  libsepol has
test policies for its tests (but there is some longstanding breakage
there for certain tests).

Patch

diff --git a/policycoreutils/audit2allow/test_audit2allow.py b/policycoreutils/audit2allow/test_audit2allow.py
index 765c9ea..a826a9f 100644
--- a/policycoreutils/audit2allow/test_audit2allow.py
+++ b/policycoreutils/audit2allow/test_audit2allow.py
@@ -33,7 +33,7 @@  class Audit2allowTests(unittest.TestCase):
 
     def test_audit2allow(self):
         "Verify audit2allow works"
-        p = Popen(['audit2allow', "-i", "test.log"], stdout=PIPE)
+        p = Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE)
         out, err = p.communicate()
         if err:
             print(out, err)
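
Review bot: The interpreter in the new Popen call in test_audit2allow is still resolved through $PATH, since `'python'` is a bare name, so the test can pick up a different interpreter than the one running the test suite, or fail where no `python` binary exists. Use `sys.executable` in place of `'python'` so the local script runs under the same interpreter as the test itself, which matches the commit's goal of not depending on $PATH.
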
@@ -41,7 +41,7 @@  class Audit2allowTests(unittest.TestCase):
 
     def test_audit2why(self):
         "Verify audit2why works"
-        p = Popen(['audit2why', "-i", "test.log"], stdout=PIPE)
+        p = Popen(['python', './audit2why', "-i", "test.log"], stdout=PIPE)
         out, err = p.communicate()
         if err:
             print(out, err)
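
Review bot: The `./audit2why` path in test_audit2why (and `test.log` next to it) is resolved against the current working directory of the test process, so the test only exercises the in-tree copy when it is launched from policycoreutils/audit2allow. Build the path from `os.path.dirname(os.path.abspath(__file__))`, or pass `cwd=` to Popen, so that the result does not depend on where the test runner is invoked; the same applies to `./audit2allow` in the first hunk.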