| Message ID | 157486604069.70468.14139138243381994891.stgit@chester (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | selinux-testsuite: update the dependencies in README.md | expand |
On Wed, Nov 27, 2019 at 3:47 PM Paul Moore <paul@paul-moore.com> wrote: > From: Paul Moore <paul@paul-moore.com> > > The new kernel module tests added in a68d583c2a70 ("selinux-testsuite: > Add kernel module tests") require the kernel-devel package on Fedora, > make sure we list that in the README.md file. Thanks, I should have thought of this when reviewing the patch :) > > Signed-off-by: Paul Moore <paul@paul-moore.com> > --- > README.md | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/README.md b/README.md > index e845df8..4352796 100644 > --- a/README.md > +++ b/README.md > @@ -53,6 +53,7 @@ similar dependencies): > * attr _(tools used by the overlayfs tests)_ > * libbpf-devel _(tools used by the bpf tests)_ > * keyutils-libs-devel _(tools used by the keys tests)_ > +* kernel-devel _(used by the kernel module tests)_ > > On a modern Fedora system you can install these dependencies with the > following command: > @@ -69,7 +70,8 @@ following command: > lksctp-tools-devel \ > attr \ > libbpf-devel \ > - keyutils-libs-devel > + keyutils-libs-devel \ > + kernel-devel I'm wondering whether we should rather put kernel-devel-$(uname -r) here, to make sure that the right package is installed that corresponds to the running kernel version (which may not be the latest version that dnf will fetch). Or if the use of shell expansion feels too clever, then we should at last document that the command may not always install the version that is needed. > > The testsuite requires a pre-existing base policy configuration of SELinux, > using either the old example policy or the reference policy as the baseline. -- Ondrej Mosnacek <omosnace at redhat dot com> Software Engineer, Security Technologies Red Hat, Inc.
On 11/27/19 9:47 AM, Paul Moore wrote: > From: Paul Moore <paul@paul-moore.com> > > The new kernel module tests added in a68d583c2a70 ("selinux-testsuite: > Add kernel module tests") require the kernel-devel package on Fedora, > make sure we list that in the README.md file. > > Signed-off-by: Paul Moore <paul@paul-moore.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > README.md | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/README.md b/README.md > index e845df8..4352796 100644 > --- a/README.md > +++ b/README.md > @@ -53,6 +53,7 @@ similar dependencies): > * attr _(tools used by the overlayfs tests)_ > * libbpf-devel _(tools used by the bpf tests)_ > * keyutils-libs-devel _(tools used by the keys tests)_ > +* kernel-devel _(used by the kernel module tests)_ > > On a modern Fedora system you can install these dependencies with the > following command: > @@ -69,7 +70,8 @@ following command: > lksctp-tools-devel \ > attr \ > libbpf-devel \ > - keyutils-libs-devel > + keyutils-libs-devel \ > + kernel-devel > > The testsuite requires a pre-existing base policy configuration of SELinux, > using either the old example policy or the reference policy as the baseline. >
On 11/27/19 10:21 AM, Ondrej Mosnacek wrote: > On Wed, Nov 27, 2019 at 3:47 PM Paul Moore <paul@paul-moore.com> wrote: >> From: Paul Moore <paul@paul-moore.com> >> >> The new kernel module tests added in a68d583c2a70 ("selinux-testsuite: >> Add kernel module tests") require the kernel-devel package on Fedora, >> make sure we list that in the README.md file. > > Thanks, I should have thought of this when reviewing the patch :) > >> >> Signed-off-by: Paul Moore <paul@paul-moore.com> >> --- >> README.md | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/README.md b/README.md >> index e845df8..4352796 100644 >> --- a/README.md >> +++ b/README.md >> @@ -53,6 +53,7 @@ similar dependencies): >> * attr _(tools used by the overlayfs tests)_ >> * libbpf-devel _(tools used by the bpf tests)_ >> * keyutils-libs-devel _(tools used by the keys tests)_ >> +* kernel-devel _(used by the kernel module tests)_ >> >> On a modern Fedora system you can install these dependencies with the >> following command: >> @@ -69,7 +70,8 @@ following command: >> lksctp-tools-devel \ >> attr \ >> libbpf-devel \ >> - keyutils-libs-devel >> + keyutils-libs-devel \ >> + kernel-devel > > I'm wondering whether we should rather put kernel-devel-$(uname -r) > here, to make sure that the right package is installed that > corresponds to the running kernel version (which may not be the latest > version that dnf will fetch). Or if the use of shell expansion feels > too clever, then we should at last document that the command may not > always install the version that is needed. I'm often testing kernels I build myself and not via rpm. > >> >> The testsuite requires a pre-existing base policy configuration of SELinux, >> using either the old example policy or the reference policy as the baseline. > > -- > Ondrej Mosnacek <omosnace at redhat dot com> > Software Engineer, Security Technologies > Red Hat, Inc. >
On Wed, Nov 27, 2019 at 4:24 PM Stephen Smalley <sds@tycho.nsa.gov> wrote: > On 11/27/19 10:21 AM, Ondrej Mosnacek wrote: > > On Wed, Nov 27, 2019 at 3:47 PM Paul Moore <paul@paul-moore.com> wrote: > >> From: Paul Moore <paul@paul-moore.com> > >> > >> The new kernel module tests added in a68d583c2a70 ("selinux-testsuite: > >> Add kernel module tests") require the kernel-devel package on Fedora, > >> make sure we list that in the README.md file. > > > > Thanks, I should have thought of this when reviewing the patch :) > > > >> > >> Signed-off-by: Paul Moore <paul@paul-moore.com> > >> --- > >> README.md | 4 +++- > >> 1 file changed, 3 insertions(+), 1 deletion(-) > >> > >> diff --git a/README.md b/README.md > >> index e845df8..4352796 100644 > >> --- a/README.md > >> +++ b/README.md > >> @@ -53,6 +53,7 @@ similar dependencies): > >> * attr _(tools used by the overlayfs tests)_ > >> * libbpf-devel _(tools used by the bpf tests)_ > >> * keyutils-libs-devel _(tools used by the keys tests)_ > >> +* kernel-devel _(used by the kernel module tests)_ > >> > >> On a modern Fedora system you can install these dependencies with the > >> following command: > >> @@ -69,7 +70,8 @@ following command: > >> lksctp-tools-devel \ > >> attr \ > >> libbpf-devel \ > >> - keyutils-libs-devel > >> + keyutils-libs-devel \ > >> + kernel-devel > > > > I'm wondering whether we should rather put kernel-devel-$(uname -r) > > here, to make sure that the right package is installed that > > corresponds to the running kernel version (which may not be the latest > > version that dnf will fetch). Or if the use of shell expansion feels > > too clever, then we should at last document that the command may not > > always install the version that is needed. > > I'm often testing kernels I build myself and not via rpm. Right, then the command would just fail... :/ But it might be slightly faster to realize that you can just delete the kernel-devel line from the command when you're running a local kernel build, than figuring out why the test failed to build after a successful run of the command (in the non-latest stock kernel scenario). But I'm fine with just documenting it if we want to keep it simple. > > > > >> > >> The testsuite requires a pre-existing base policy configuration of SELinux, > >> using either the old example policy or the reference policy as the baseline. > > > > -- > > Ondrej Mosnacek <omosnace at redhat dot com> > > Software Engineer, Security Technologies > > Red Hat, Inc. -- Ondrej Mosnacek <omosnace at redhat dot com> Software Engineer, Security Technologies Red Hat, Inc.
On Wed, Nov 27, 2019 at 10:39 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > On Wed, Nov 27, 2019 at 4:24 PM Stephen Smalley <sds@tycho.nsa.gov> wrote: > > On 11/27/19 10:21 AM, Ondrej Mosnacek wrote: > > > On Wed, Nov 27, 2019 at 3:47 PM Paul Moore <paul@paul-moore.com> wrote: > > >> From: Paul Moore <paul@paul-moore.com> > > >> > > >> The new kernel module tests added in a68d583c2a70 ("selinux-testsuite: > > >> Add kernel module tests") require the kernel-devel package on Fedora, > > >> make sure we list that in the README.md file. > > > > > > Thanks, I should have thought of this when reviewing the patch :) > > > > > >> > > >> Signed-off-by: Paul Moore <paul@paul-moore.com> > > >> --- > > >> README.md | 4 +++- > > >> 1 file changed, 3 insertions(+), 1 deletion(-) > > >> > > >> diff --git a/README.md b/README.md > > >> index e845df8..4352796 100644 > > >> --- a/README.md > > >> +++ b/README.md > > >> @@ -53,6 +53,7 @@ similar dependencies): > > >> * attr _(tools used by the overlayfs tests)_ > > >> * libbpf-devel _(tools used by the bpf tests)_ > > >> * keyutils-libs-devel _(tools used by the keys tests)_ > > >> +* kernel-devel _(used by the kernel module tests)_ > > >> > > >> On a modern Fedora system you can install these dependencies with the > > >> following command: > > >> @@ -69,7 +70,8 @@ following command: > > >> lksctp-tools-devel \ > > >> attr \ > > >> libbpf-devel \ > > >> - keyutils-libs-devel > > >> + keyutils-libs-devel \ > > >> + kernel-devel > > > > > > I'm wondering whether we should rather put kernel-devel-$(uname -r) > > > here, to make sure that the right package is installed that > > > corresponds to the running kernel version (which may not be the latest > > > version that dnf will fetch). Or if the use of shell expansion feels > > > too clever, then we should at last document that the command may not > > > always install the version that is needed. > > > > I'm often testing kernels I build myself and not via rpm. > > Right, then the command would just fail... :/ But it might be slightly > faster to realize that you can just delete the kernel-devel line from > the command when you're running a local kernel build, than figuring > out why the test failed to build after a successful run of the command > (in the non-latest stock kernel scenario). But I'm fine with just > documenting it if we want to keep it simple. I don't feel that strongly about it either way, but one could argue that if start versioning the kernel-devel package, why not all the other packages? What if you have a locally modified BPF userspace? Infiniband? I think you get the idea. My opinion is that if you are going off into the weeds by replacing the kernel or portions of your userspace, you should know well enough how to ensure that they are properly installed ;)
On 11/27/19 9:47 AM, Paul Moore wrote: > From: Paul Moore <paul@paul-moore.com> > > The new kernel module tests added in a68d583c2a70 ("selinux-testsuite: > Add kernel module tests") require the kernel-devel package on Fedora, > make sure we list that in the README.md file. > > Signed-off-by: Paul Moore <paul@paul-moore.com> Thanks, applied. > --- > README.md | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/README.md b/README.md > index e845df8..4352796 100644 > --- a/README.md > +++ b/README.md > @@ -53,6 +53,7 @@ similar dependencies): > * attr _(tools used by the overlayfs tests)_ > * libbpf-devel _(tools used by the bpf tests)_ > * keyutils-libs-devel _(tools used by the keys tests)_ > +* kernel-devel _(used by the kernel module tests)_ > > On a modern Fedora system you can install these dependencies with the > following command: > @@ -69,7 +70,8 @@ following command: > lksctp-tools-devel \ > attr \ > libbpf-devel \ > - keyutils-libs-devel > + keyutils-libs-devel \ > + kernel-devel > > The testsuite requires a pre-existing base policy configuration of SELinux, > using either the old example policy or the reference policy as the baseline. >
diff --git a/README.md b/README.md index e845df8..4352796 100644 --- a/README.md +++ b/README.md @@ -53,6 +53,7 @@ similar dependencies): * attr _(tools used by the overlayfs tests)_ * libbpf-devel _(tools used by the bpf tests)_ * keyutils-libs-devel _(tools used by the keys tests)_ +* kernel-devel _(used by the kernel module tests)_ On a modern Fedora system you can install these dependencies with the following command: @@ -69,7 +70,8 @@ following command: lksctp-tools-devel \ attr \ libbpf-devel \ - keyutils-libs-devel + keyutils-libs-devel \ + kernel-devel The testsuite requires a pre-existing base policy configuration of SELinux, using either the old example policy or the reference policy as the baseline.