From patchwork Fri Sep 29 17:23:14 2017
X-Patchwork-Submitter: Stephen Smalley
X-Patchwork-Id: 9978465
From: Stephen Smalley
To: selinux@tycho.nsa.gov
Date: Fri, 29 Sep 2017 13:23:14 -0400
Message-Id: <20170929172314.16443-2-sds@tycho.nsa.gov>
In-Reply-To: <20170929172314.16443-1-sds@tycho.nsa.gov>
References: <20170929172314.16443-1-sds@tycho.nsa.gov>
Subject: [PATCH 2/2 v2] selinux-testsuite: Move kernel config to a defconfig fragment
Cc: Stephen Smalley

Move the required kernel configuration options to run the testsuite from the README to a separate defconfig file, and update the README to refer to it and provide instructions on how to merge this file with a base config.

Signed-off-by: Stephen Smalley
---
 README    | 80 ++++++++++++++++-----------------------------------------
 defconfig | 53 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+), 60 deletions(-)
 create mode 100644 defconfig

diff --git a/README b/README
index 8ae9dbd..e832f49 100644
--- a/README
+++ b/README
@@ -9,70 +9,30 @@ PREREQUISITES Kernel Configuration -------------------- -Your kernel should have been built with the following options to -test SELinux: - -# Minimal dependencies. -CONFIG_AUDIT=y -CONFIG_NET=y -CONFIG_INET=y -CONFIG_IPV6=y -CONFIG_SECURITY=y -CONFIG_SECURITY_NETWORK=y -CONFIG_SECURITY_SELINUX=y - -# For testing of labeled IPSEC, NetLabel, and SECMARK functionality. -# Not strictly required for basic SELinux operation. -CONFIG_SECURITY_NETWORK_XFRM=y -CONFIG_NETLABEL=y -CONFIG_IP_NF_SECURITY=m -CONFIG_INET_XFRM_MODE_TRANSPORT=m -CONFIG_INET_AH=m -CONFIG_INET6_XFRM_MODE_TRANSPORT=m -CONFIG_INET6_AH=m -CONFIG_CRYPTO_SHA1=m # used for testing, could be updated if desired -CONFIG_NETWORK_SECMARK=y -CONFIG_NF_CONNTRACK_SECMARK=y -CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m -CONFIG_NETFILTER_XT_TARGET_SECMARK=m - -# Filesystem security labeling support. -# Only need to enable the ones for the filesystems on which you are testing. -# reiserfs is not supported. -CONFIG_EXT2_FS_SECURITY=y -CONFIG_EXT3_FS_SECURITY=y -CONFIG_EXT4_FS_SECURITY=y -CONFIG_JFS_SECURITY=y -CONFIG_XFS_SECURITY=y -CONFIG_JFFS2_FS_SECURITY=y - -# Network protocol implementations. -# These are enabled to test the extended socket classes in -# tests/extended_socket_class; they are not required -# for SELinux operation itself. -CONFIG_IP_SCTP=m -CONFIG_BT=m -CONFIG_CRYPTO_USER_API=m - -# Netlink protocol implementations. -# These are enabled to test the netlink socket controls in -# tests/netlink_socket; they are not required for SELinux operation itself. -CONFIG_SCSI_ISCSI_ATTRS=m -CONFIG_NETFILTER_NETLINK=m -CONFIG_CRYPTO_USER=m - -# Overlay fs. -# This is enabled to test overlayfs SELinux integration. -# It is not required for SELinux operation itself. -CONFIG_OVERLAY_FS=m +Your kernel should have been built with the configuration options +specified by the defconfig file in this directory to run this testsuite. 
+You can merge the provided defconfig file with your existing .config +file (or one generated via e.g. make localmodconfig or other commands) +using the kernel ./scripts/kconfig/merge_config.sh script as follows: + +cd linux +# Assumes that you have already created a .config file with your base config. +# If you don't have one, generate one using make localmodconfig or other +# suitable command. +./scripts/kconfig/merge_config.sh .config /path/to/selinux-testsuite/defconfig + +Some of the config options may not be set in the final config because +they are unnecessary based on your base config, e.g. you only need the +CONFIG_*_FS_SECURITY option to be enabled for the particular +filesystem type being used for the testing. Do not set CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX; it is an option for legacy distributions (Fedora 3 and 4). -Otherwise, you should not enable any other security modules in your -kernel configuration unless you use the security= option to select a -module at boot time. Only one primary security module may be active -at a time. +You should not enable any other security modules in your kernel +configuration unless you use the security= option to select a module +at boot time. Only one primary security module may be active at a +time. Userland and Base Policy ------------------------ diff --git a/defconfig b/defconfig new file mode 100644 index 0000000..7dce8bc --- /dev/null +++ b/defconfig 
@@ -0,0 +1,53 @@ +# Minimal dependencies. +CONFIG_AUDIT=y +CONFIG_NET=y +CONFIG_INET=y +CONFIG_IPV6=y +CONFIG_SECURITY=y +CONFIG_SECURITY_NETWORK=y +CONFIG_SECURITY_SELINUX=y + +# For testing of labeled IPSEC, NetLabel, and SECMARK functionality. +# Not strictly required for basic SELinux operation. +CONFIG_SECURITY_NETWORK_XFRM=y +CONFIG_NETLABEL=y +CONFIG_IP_NF_SECURITY=m +CONFIG_INET_XFRM_MODE_TRANSPORT=m +CONFIG_INET_AH=m +CONFIG_INET6_XFRM_MODE_TRANSPORT=m +CONFIG_INET6_AH=m +CONFIG_CRYPTO_SHA1=m # used for testing, could be updated if desired +CONFIG_NETWORK_SECMARK=y +CONFIG_NF_CONNTRACK_SECMARK=y +CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m +CONFIG_NETFILTER_XT_TARGET_SECMARK=m + +# Filesystem security labeling support. +# Only need to enable the ones for the filesystems on which you are testing. +# reiserfs is not supported. +CONFIG_EXT2_FS_SECURITY=y +CONFIG_EXT3_FS_SECURITY=y +CONFIG_EXT4_FS_SECURITY=y +CONFIG_JFS_SECURITY=y +CONFIG_XFS_SECURITY=y +CONFIG_JFFS2_FS_SECURITY=y + +# Network protocol implementations. +# These are enabled to test the extended socket classes in +# tests/extended_socket_class; they are not required +# for SELinux operation itself. +CONFIG_IP_SCTP=m +CONFIG_BT=m +CONFIG_CRYPTO_USER_API=m + +# Netlink protocol implementations. +# These are enabled to test the netlink socket controls in +# tests/netlink_socket; they are not required for SELinux operation itself. +CONFIG_SCSI_ISCSI_ATTRS=m +CONFIG_NETFILTER_NETLINK=m +CONFIG_CRYPTO_USER=m + +# Overlay fs. +# This is enabled to test overlayfs SELinux integration. +# It is not required for SELinux operation itself. +CONFIG_OVERLAY_FS=m
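Review bot: The new README text after the merge_config.sh invocation says options "may not be set in the final config because they are unnecessary based on your base config", but merge_config.sh drops every requested option whose Kconfig dependencies the base config does not satisfy, and it reports each drop with a "Value requested for CONFIG_... not in final .config" warning. Suggest adding a sentence telling the reader to review those warnings rather than assume each drop is harmless: a dropped CONFIG_JFS_SECURITY is expected when JFS is not the filesystem under test, whereas a dropped CONFIG_NETFILTER_XT_TARGET_SECMARK (base config built without netfilter) means the SECMARK tests the fragment is meant to enable cannot run.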
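Review bot: The inline comment on "CONFIG_CRYPTO_SHA1=m # used for testing, could be updated if desired" in the new defconfig is likely to trip merge_config.sh, whose final check compares the requested line from the fragment textually with the corresponding line in the generated .config; the trailing comment makes the two differ, so the script emits a spurious "Value requested for CONFIG_CRYPTO_SHA1 not in final .config" warning even when the option was applied. Suggest moving the comment onto its own line above the option, matching the style of every other comment in the file.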