Message ID | 1471578317-22785-3-git-send-email-jason@perfinion.com (mailing list archive) |
---|---|
State | Not Applicable |
On Fri, Aug 19, 2016 at 11:45:17AM +0800, Jason Zaman wrote:
> The tests currently just executed "audit2allow" which meant search in
> $PATH. They should instead test the one in the pwd. The files in the
> repo are not executable so prefix with "python" also.

Additionally, this test doesn't actually work that well. I get these denials and an error: "No SELinux Policy installed"

allow staff_t policy_config_t:dir { getattr open read search };
allow staff_t policy_config_t:file { getattr open read };
allow staff_t security_t:security read_policy;

And if I grant them I get a ton of messages about unknown types. Gentoo installs modules only as needed so I don't have smb_t and several others.

Can we switch these tests to use some minimal pre-built policy instead of reading the system one? I recall one of the other tests doing that but can't seem to find the policy file right now.

-- Jason

> Signed-off-by: Jason Zaman <jason@perfinion.com>
> ---
> policycoreutils/audit2allow/test_audit2allow.py | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policycoreutils/audit2allow/test_audit2allow.py b/policycoreutils/audit2allow/test_audit2allow.py > index 765c9ea..a826a9f 100644 > --- a/policycoreutils/audit2allow/test_audit2allow.py > +++ b/policycoreutils/audit2allow/test_audit2allow.py > @@ -33,7 +33,7 @@ class Audit2allowTests(unittest.TestCase): > > def test_audit2allow(self): > "Verify audit2allow works" > - p = Popen(['audit2allow', "-i", "test.log"], stdout=PIPE) > + p = Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE) > out, err = p.communicate() > if err: > print(out, err) > @@ -41,7 +41,7 @@ class Audit2allowTests(unittest.TestCase): > > def test_audit2why(self): > "Verify audit2why works" > - p = Popen(['audit2why', "-i", "test.log"], stdout=PIPE) > + p = Popen(['python', './audit2why', "-i", "test.log"], stdout=PIPE) > out, err = p.communicate() > if err: > print(out, err) > -- > 2.7.3 >
On 08/18/2016 11:45 PM, Jason Zaman wrote:
> The tests currently just executed "audit2allow" which meant search in
> $PATH. They should instead test the one in the pwd. The files in the
> repo are not executable so prefix with "python" also.
>
> Signed-off-by: Jason Zaman <jason@perfinion.com>

Thanks, applied all three.

> ---
> policycoreutils/audit2allow/test_audit2allow.py | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policycoreutils/audit2allow/test_audit2allow.py b/policycoreutils/audit2allow/test_audit2allow.py > index 765c9ea..a826a9f 100644 > --- a/policycoreutils/audit2allow/test_audit2allow.py > +++ b/policycoreutils/audit2allow/test_audit2allow.py > @@ -33,7 +33,7 @@ class Audit2allowTests(unittest.TestCase): > > def test_audit2allow(self): > "Verify audit2allow works" > - p = Popen(['audit2allow', "-i", "test.log"], stdout=PIPE) > + p = Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE) > out, err = p.communicate() > if err: > print(out, err) > @@ -41,7 +41,7 @@ class Audit2allowTests(unittest.TestCase): > > def test_audit2why(self): > "Verify audit2why works" > - p = Popen(['audit2why', "-i", "test.log"], stdout=PIPE) > + p = Popen(['python', './audit2why', "-i", "test.log"], stdout=PIPE) > out, err = p.communicate() > if err: > print(out, err) >
On 08/18/2016 11:56 PM, Jason Zaman wrote:
> On Fri, Aug 19, 2016 at 11:45:17AM +0800, Jason Zaman wrote:
>> The tests currently just executed "audit2allow" which meant search in
>> $PATH. They should instead test the one in the pwd. The files in the
>> repo are not executable so prefix with "python" also.
>
> Additionally, this test doesn't actually work that well. I get these
> denials and an error: "No SELinux Policy installed"
>
> allow staff_t policy_config_t:dir { getattr open read search };
> allow staff_t policy_config_t:file { getattr open read };
> allow staff_t security_t:security read_policy;
>
> And if I grant them I get a ton of messages about unknown types. Gentoo
> installs modules only as needed so I don't have smb_t and several others.
>
> Can we switch these tests to use some minimal pre-built policy instead
> of reading the system one? I recall one of the other tests doing that
> but can't seem to find the policy file right now.

I'd be fine with that, and that seems easy enough to do for audit2allow (versus e.g. semanage, where it seems more problematic). libsepol has test policies for its tests (but there is some longstanding breakage there for certain tests).
diff --git a/policycoreutils/audit2allow/test_audit2allow.py b/policycoreutils/audit2allow/test_audit2allow.py index 765c9ea..a826a9f 100644 --- a/policycoreutils/audit2allow/test_audit2allow.py +++ b/policycoreutils/audit2allow/test_audit2allow.py @@ -33,7 +33,7 @@ class Audit2allowTests(unittest.TestCase): def test_audit2allow(self): "Verify audit2allow works" - p = Popen(['audit2allow', "-i", "test.log"], stdout=PIPE) + p = Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE) out, err = p.communicate() if err: print(out, err) @@ -41,7 +41,7 @@ class Audit2allowTests(unittest.TestCase): def test_audit2why(self): "Verify audit2why works" - p = Popen(['audit2why', "-i", "test.log"], stdout=PIPE) + p = Popen(['python', './audit2why', "-i", "test.log"], stdout=PIPE) out, err = p.communicate() if err: print(out, err)
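Review bot: In the first hunk (test_audit2allow), the interpreter is still resolved through $PATH, because the new argument list starts with the literal 'python'. That name may be missing or may point at a different interpreter than the one running the test suite, so the test can still exercise something other than what the developer intended. Passing sys.executable as the first element (adding `import sys` if the file does not already have it) runs ./audit2allow under the same interpreter as the tests. The './audit2allow' path also ties the test to the current working directory; building the path from os.path.dirname(__file__) would let the test run from anywhere in the tree.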
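Review bot: In the second hunk (test_audit2why), the Popen call passes only stdout=PIPE, so p.communicate() always returns None for err and the `if err:` branch in the context lines can never run. Anything the script writes to stderr goes straight to the terminal and is not seen by the test. Adding stderr=PIPE to the call would make `err` meaningful; the same applies to the identical pattern in the first hunk.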
The tests currently just executed "audit2allow" which meant search in $PATH. They should instead test the one in the pwd. The files in the repo are not executable so prefix with "python" also.

Signed-off-by: Jason Zaman <jason@perfinion.com>
---
policycoreutils/audit2allow/test_audit2allow.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)