From: Stephen S. <sd...@ty...> - 2011-04-22 13:28:05
|
Hi, A recent posting on lkml noted that the selinux testsuite in ltp doesn't work anymore. As no one seems to be maintaining it in the ltp, I'd suggest just removing it entirely. You may want to leave a README.MOVED or similar file pointing to the new location, e.g.: The selinux testsuite has been moved to a standalone testsuite separate from the ltp. You can obtain it via: git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite Thanks. -- Stephen Smalley National Security Agency |
From: Shubham G. <sh...@li...> - 2011-04-22 21:34:12
|
On Friday 22 April 2011 06:38 PM, Stephen Smalley wrote: > Hi, > > A recent posting on lkml noted that the selinux testsuite in ltp doesn't > work anymore. As no one seems to be maintaining it in the ltp, I'd > suggest just removing it entirely. You may want to leave a README.MOVED > or similar file pointing to the new location, e.g.: > > The selinux testsuite has been moved to a standalone testsuite > separate from the ltp. You can obtain it via: > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite > > Thanks. > Hi Stephan, Can you please tell what was the exact problem in running LTP's selinux testsuite? I tried running them and it worked for me with a minor modification. The current 'test_selinux.sh' sets the LTPROOT as the LTP source's 'testscripts' directory but as per current build process '/opt/ltp' is the install directory. After making these changes in 'test_selinux.sh' script, the test cases worked fine for me. I believe keeping it as a part of LTP tree is a better idea and would have better chances of getting it maintained along with other LTP test case and modules. Thanks, Shubham |
From: Stephen S. <sd...@ty...> - 2011-04-25 13:32:54
|
On Sat, 2011-04-23 at 02:13 +0530, Shubham Goyal wrote: > On Friday 22 April 2011 06:38 PM, Stephen Smalley wrote: > > Hi, > > > > A recent posting on lkml noted that the selinux testsuite in ltp doesn't > > work anymore. As no one seems to be maintaining it in the ltp, I'd > > suggest just removing it entirely. You may want to leave a README.MOVED > > or similar file pointing to the new location, e.g.: > > > > The selinux testsuite has been moved to a standalone testsuite > > separate from the ltp. You can obtain it via: > > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite > > > > Thanks. > > > > Hi Stephan, > > Can you please tell what was the exact problem in running LTP's selinux > testsuite? > I tried running them and it worked for me with a minor modification. The > current > 'test_selinux.sh' sets the LTPROOT as the LTP source's 'testscripts' > directory but as > per current build process '/opt/ltp' is the install directory. After > making these changes > in 'test_selinux.sh' script, the test cases worked fine for me. I don't know the exact problem; I just know that it didn't work for the person who mentioned it in passing on lkml. And apparently it didn't work for you either until you changed test_selinux.sh. But I know that test_selinux.sh has worked in the past, even after the change to /opt/ltp, and that we haven't changed it recently. Actually, I just tried running it via cd /opt/ltp && ./testscripts/test_selinux.sh and it seemed to work fine. This was with the current git, building in-tree, installing to /opt/ltp. > I believe keeping it as a part of LTP tree is a better idea and would > have better > chances of getting it maintained along with other LTP test case and modules. This has been discussed a bit in the past, e.g. see this thread: http://marc.info/?t=127790181000003&r=1&w=2 At present we see no benefit, only cost, to maintaining the selinux testsuite in the ltp as it is regularly broken by unrelated changes elsewhere in the ltp and as it is not truly integrated into the ltp (you have to perform separate steps to build and run it). In comparison, we don't have to worry about unrelated changes breaking the standalone selinux testsuite, and it is certainly no harder to do this: git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite cd selinux-testsuite sudo make test than to do this: git clone git://ltp.git.sourceforge.net/gitroot/ltp/ltp cd ltp make autotools ./configure make all make install cd testcases/kernel/security/selinux-testsuite make all make install cd /opt/ltp ./testscripts/test_selinux.sh If the selinux testsuite were fully integrated into the ltp (e.g. built and run by default if SELinux is enabled on the system), then that might be more worthwhile to keep it as part of the ltp. But in the 6 years since it was added to the ltp, that hasn't happened. -- Stephen Smalley National Security Agency |
From: Lucas M. R. <lm...@re...> - 2011-04-25 20:30:55
|
On Mon, 2011-04-25 at 09:32 -0400, Stephen Smalley wrote: > At present we see no benefit, only cost, to maintaining the selinux > testsuite in the ltp as it is regularly broken by unrelated changes > elsewhere in the ltp and as it is not truly integrated into the ltp (you > have to perform separate steps to build and run it). In comparison, we > don't have to worry about unrelated changes breaking the standalone > selinux testsuite, and it is certainly no harder to do this: > > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite > cd selinux-testsuite > sudo make test > > than to do this: > > git clone git://ltp.git.sourceforge.net/gitroot/ltp/ltp > cd ltp > make autotools > ./configure > make all > make install > cd testcases/kernel/security/selinux-testsuite > make all > make install > cd /opt/ltp > ./testscripts/test_selinux.sh > > If the selinux testsuite were fully integrated into the ltp (e.g. built > and run by default if SELinux is enabled on the system), then that might > be more worthwhile to keep it as part of the ltp. But in the 6 years > since it was added to the ltp, that hasn't happened. +1 for this. In the end of the day, what matters for a software project is maintenance. Since we have a working, maintained git repo with the selinux testsuite, it's better than having it half integrated with LTP, so the better choice here IMHO is to just remove it from the LTP tree. I know LTP aims to be comprehensive, but this comprehensiveness has to be achieved through tightly integrated code, no point in keeping disconnected pieces of code in the tree, that will likely break and bitrot. I wish I could commit in looking at all current testsuites merged into LTP that need better integration so we can opt by: 1) Remove 2) Do what it takes to get it fully integrated in terms of API, build system, workflow. I am not an LTP maintainer so I feel like I'm meddling on other people's business, however I thought it'd be worth to point this out... take it with a grain of salt. Cheers, Lucas |
From: Garrett C. <yan...@gm...> - 2011-04-25 19:39:16
|
On Apr 25, 2011, at 6:32 AM, Stephen Smalley <sd...@ty...> wrote: > On Sat, 2011-04-23 at 02:13 +0530, Shubham Goyal wrote: >> On Friday 22 April 2011 06:38 PM, Stephen Smalley wrote: >>> Hi, >>> >>> A recent posting on lkml noted that the selinux testsuite in ltp doesn't >>> work anymore. As no one seems to be maintaining it in the ltp, I'd >>> suggest just removing it entirely. You may want to leave a README.MOVED >>> or similar file pointing to the new location, e.g.: >>> >>> The selinux testsuite has been moved to a standalone testsuite >>> separate from the ltp. You can obtain it via: >>> git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite >>> >>> Thanks. >>> >> >> Hi Stephan, >> >> Can you please tell what was the exact problem in running LTP's selinux >> testsuite? >> I tried running them and it worked for me with a minor modification. The >> current >> 'test_selinux.sh' sets the LTPROOT as the LTP source's 'testscripts' >> directory but as >> per current build process '/opt/ltp' is the install directory. After >> making these changes >> in 'test_selinux.sh' script, the test cases worked fine for me. > > I don't know the exact problem; I just know that it didn't work for the > person who mentioned it in passing on lkml. And apparently it didn't > work for you either until you changed test_selinux.sh. But I know that > test_selinux.sh has worked in the past, even after the change > to /opt/ltp, and that we haven't changed it recently. > > Actually, I just tried running it via cd /opt/ltp > && ./testscripts/test_selinux.sh and it seemed to work fine. This was > with the current git, building in-tree, installing to /opt/ltp. > >> I believe keeping it as a part of LTP tree is a better idea and would >> have better >> chances of getting it maintained along with other LTP test case and modules. > > This has been discussed a bit in the past, e.g. see this thread: > http://marc.info/?t=127790181000003&r=1&w=2 > > At present we see no benefit, only cost, to maintaining the selinux > testsuite in the ltp as it is regularly broken by unrelated changes > elsewhere in the ltp and as it is not truly integrated into the ltp (you > have to perform separate steps to build and run it). In comparison, we > don't have to worry about unrelated changes breaking the standalone > selinux testsuite, and it is certainly no harder to do this: > > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite > cd selinux-testsuite > sudo make test > > than to do this: > > git clone git://ltp.git.sourceforge.net/gitroot/ltp/ltp > cd ltp > make autotools > ./configure > make all > make install > cd testcases/kernel/security/selinux-testsuite > make all > make install > cd /opt/ltp > ./testscripts/test_selinux.sh > > If the selinux testsuite were fully integrated into the ltp (e.g. built > and run by default if SELinux is enabled on the system), then that might > be more worthwhile to keep it as part of the ltp. But in the 6 years > since it was added to the ltp, that hasn't happened. Do what's easiest for you guys to maintain upstream; what you suggested makes sense: pull from git and run selinux as-is. The twist I'm proposing here is as follows: 1. The selinux test suite needs to be made modular and portable. I'll provide you with autoconf/other patches sometime after I get back from vacation on friday. 2. I'll add logic to pull from git in ltp, which means the following: releases will come with the selinux test suite; archives and other non-release mechanisms won't. Thus, if you want to run the selinux testcases, you will need git, and will have to specify --with-selinux=yes when running configure, etc. Sound ok? Thanks! -Garrett |
From: Stephen S. <sd...@ty...> - 2011-04-26 13:21:25
|
On Mon, 2011-04-25 at 12:38 -0700, Garrett Cooper wrote: > On Apr 25, 2011, at 6:32 AM, Stephen Smalley <sd...@ty...> wrote: > > At present we see no benefit, only cost, to maintaining the selinux > > testsuite in the ltp as it is regularly broken by unrelated changes > > elsewhere in the ltp and as it is not truly integrated into the ltp (you > > have to perform separate steps to build and run it). In comparison, we > > don't have to worry about unrelated changes breaking the standalone > > selinux testsuite, and it is certainly no harder to do this: > > > > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite > > cd selinux-testsuite > > sudo make test > > > > than to do this: > > > > git clone git://ltp.git.sourceforge.net/gitroot/ltp/ltp > > cd ltp > > make autotools > > ./configure > > make all > > make install > > cd testcases/kernel/security/selinux-testsuite > > make all > > make install > > cd /opt/ltp > > ./testscripts/test_selinux.sh > > > > If the selinux testsuite were fully integrated into the ltp (e.g. built > > and run by default if SELinux is enabled on the system), then that might > > be more worthwhile to keep it as part of the ltp. But in the 6 years > > since it was added to the ltp, that hasn't happened. > > Do what's easiest for you guys to maintain upstream; what you suggested makes sense: pull from git and run selinux as-is. The twist I'm proposing here is as follows: > 1. The selinux test suite needs to be made modular and portable. I'll provide you with autoconf/other patches sometime after I get back from vacation on friday. > 2. I'll add logic to pull from git in ltp, which means the following: releases will come with the selinux test suite; archives and other non-release mechanisms won't. Thus, if you want to run the selinux testcases, you will need git, and will have to specify --with-selinux=yes when running configure, etc. > > Sound ok? Not sure what modularity or portability problems you see in the testsuite, but I think autotools would be overkill and just make maintenance harder. If by modularity you mean the ability to run tests individually, that is already possible, and if by portability you mean the ability to build and run the tests on the various architectures, I believe that also is already covered. We certainly don't have to concern ourselves with portability to other OSes, as the selinux testsuite is by definition specific to Linux. -- Stephen Smalley National Security Agency |
From: Cyril H. <ch...@su...> - 2011-05-06 11:30:54
|
Hi! Okay, let's renew the conversation now. What we have: * selinux is outdated in LTP and maintained elsewhere * and the selinux is not well integrated with LTP And my points are: * we don't have manpower to integrate selinux with LTP * it's not good if testers use outdated selinux from LTP And what we could do: * remove selinux from LTP with redirect to it's repository - that is easy, but a little controversial * start pulling changes in selinux git into LTP git - should be easy, may have some problems with LTP make system integration * integrate selinux with LTP - hard one, anybody starting that would have my support (I could help with understanding LTP infrastructure) -- Cyril Hrubis ch...@su... |
From: Stephen S. <sd...@ty...> - 2011-05-06 12:57:45
|
On Fri, 2011-05-06 at 13:25 +0200, Cyril Hrubis wrote: > Hi! > Okay, let's renew the conversation now. What we have: > > * selinux is outdated in LTP and maintained elsewhere > * and the selinux is not well integrated with LTP > > And my points are: > > * we don't have manpower to integrate selinux with LTP > * it's not good if testers use outdated selinux from LTP > > And what we could do: > > * remove selinux from LTP with redirect to it's repository > - that is easy, but a little controversial > > * start pulling changes in selinux git into LTP git > - should be easy, may have some problems with LTP make system > integration > > * integrate selinux with LTP > - hard one, anybody starting that would have my support (I could help > with understanding LTP infrastructure) I'd vote for the first option. The second one is harder than you may think given differences in test harness and layout, and the third one seems unlikely at this point. Just redirect to git://git.kernel.org/pub/scm/tests/selinux-testsuite -- Stephen Smalley National Security Agency |
From: Cyril H. <ch...@su...> - 2011-05-11 12:44:18
|
Hi! > I'd vote for the first option. The second one is harder than you may > think given differences in test harness and layout, and the third one > seems unlikely at this point. Just redirect to > git://git.kernel.org/pub/scm/tests/selinux-testsuite Okay. Let's wait for about a week or two and if nobody would object in that period I'll do so. -- Cyril Hrubis ch...@su... |
From: Garrett C. <yan...@gm...> - 2011-05-23 19:30:57
|
On Wed, May 11, 2011 at 5:39 AM, Cyril Hrubis <ch...@su...> wrote: > Hi! >> I'd vote for the first option. The second one is harder than you may >> think given differences in test harness and layout, and the third one >> seems unlikely at this point. Just redirect to >> git://git.kernel.org/pub/scm/tests/selinux-testsuite > > Okay. > > Let's wait for about a week or two and if nobody would object in that > period I'll do so. I've removed the testsuite on latest. Thanks, -Garrett |
From: Jan S. <jst...@re...> - 2012-01-17 10:44:57
|
----- Original Message ----- > From: "Stephen Smalley" <sd...@ty...> > To: "ltp-list" <ltp...@li...> > Sent: Friday, April 22, 2011 3:08:47 PM > Subject: [LTP] selinux-testsuite has moved > The selinux testsuite has been moved to a standalone testsuite > separate from the ltp. You can obtain it via: > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite Hi, Is this still valid? I'm having troubles cloning from there. git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite Initialized empty Git repository in /usr/src/selinux-testsuite/.git/ fatal: The remote end hung up unexpectedly and also I can't see it listed here: http://git.kernel.org/ Regards, Jan > > Thanks. > > -- > Stephen Smalley > National Security Agency > |
From: Cyril H. <ch...@su...> - 2012-01-18 13:23:38
|
Hi! > Is this still valid? I'm having troubles cloning from there. > > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite > Initialized empty Git repository in /usr/src/selinux-testsuite/.git/ > fatal: The remote end hung up unexpectedly > > and also I can't see it listed here: http://git.kernel.org/ Yes, it is. However some of the repositories on kernel.org haven't yet recovered from the security breach. I would expect this is the case here. -- Cyril Hrubis ch...@su... |
From: Serge H. <ser...@ca...> - 2012-01-18 21:19:23
|
Quoting Stephen Smalley (sd...@ty...): > On Wed, 2012-01-18 at 14:16 +0100, Cyril Hrubis wrote: > > Hi! > > > Is this still valid? I'm having troubles cloning from there. > > > > > > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite > > > Initialized empty Git repository in /usr/src/selinux-testsuite/.git/ > > > fatal: The remote end hung up unexpectedly > > > > > > and also I can't see it listed here: http://git.kernel.org/ > > > > Yes, it is. > > > > However some of the repositories on kernel.org haven't yet recovered > > from the security breach. I would expect this is the case here. > > Serge Hallyn (cc'd) originally set up the git tree on kernel.org for the > selinux-testsuite, so I guess the first question is whether he plans to > restore it. If not, then possibly James Morris (also cc'd) could make > it available again. Oh, drat. Yeah, I've gotten a few signatures of my pgp key, I need to see whether it's enough to get my account re-instated. Hopefully they have backups which can be restored! -serge |
From: Stephen S. <sd...@ty...> - 2012-01-18 21:04:14
|
On Wed, 2012-01-18 at 15:02 -0600, Serge Hallyn wrote: > Quoting Stephen Smalley (sd...@ty...): > > On Wed, 2012-01-18 at 14:16 +0100, Cyril Hrubis wrote: > > > Hi! > > > > Is this still valid? I'm having troubles cloning from there. > > > > > > > > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite > > > > Initialized empty Git repository in /usr/src/selinux-testsuite/.git/ > > > > fatal: The remote end hung up unexpectedly > > > > > > > > and also I can't see it listed here: http://git.kernel.org/ > > > > > > Yes, it is. > > > > > > However some of the repositories on kernel.org haven't yet recovered > > > from the security breach. I would expect this is the case here. > > > > Serge Hallyn (cc'd) originally set up the git tree on kernel.org for the > > selinux-testsuite, so I guess the first question is whether he plans to > > restore it. If not, then possibly James Morris (also cc'd) could make > > it available again. > > Oh, drat. Yeah, I've gotten a few signatures of my pgp key, I need to > see whether it's enough to get my account re-instated. Hopefully they > have backups which can be restored! As long as you have a cloned copy somewhere, you should just be able to re-create from it. If not, I have one. -- Stephen Smalley National Security Agency |
From: Serge H. <ser...@ca...> - 2012-01-19 17:56:59
|
Quoting Stephen Smalley (sd...@ty...): > On Wed, 2012-01-18 at 15:02 -0600, Serge Hallyn wrote: > > Quoting Stephen Smalley (sd...@ty...): > > > On Wed, 2012-01-18 at 14:16 +0100, Cyril Hrubis wrote: > > > > Hi! > > > > > Is this still valid? I'm having troubles cloning from there. > > > > > > > > > > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite > > > > > Initialized empty Git repository in /usr/src/selinux-testsuite/.git/ > > > > > fatal: The remote end hung up unexpectedly > > > > > > > > > > and also I can't see it listed here: http://git.kernel.org/ > > > > > > > > Yes, it is. > > > > > > > > However some of the repositories on kernel.org haven't yet recovered > > > > from the security breach. I would expect this is the case here. > > > > > > Serge Hallyn (cc'd) originally set up the git tree on kernel.org for the > > > selinux-testsuite, so I guess the first question is whether he plans to > > > restore it. If not, then possibly James Morris (also cc'd) could make > > > it available again. > > > > Oh, drat. Yeah, I've gotten a few signatures of my pgp key, I need to > > see whether it's enough to get my account re-instated. Hopefully they > > have backups which can be restored! > > As long as you have a cloned copy somewhere, you should just be able to > re-create from it. If not, I have one. Thanks, Stephen, I think I'll need to get that copy from you. I'm still waiting to hear back about my korg account. Note if James wants to take over the tree (as his account is already active) I wouldn't object, but I'm definately willing to continue maintaining it. -serge |
From: Stephen S. <sd...@ty...> - 2012-01-18 14:13:02
|
On Wed, 2012-01-18 at 14:16 +0100, Cyril Hrubis wrote: > Hi! > > Is this still valid? I'm having troubles cloning from there. > > > > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite > > Initialized empty Git repository in /usr/src/selinux-testsuite/.git/ > > fatal: The remote end hung up unexpectedly > > > > and also I can't see it listed here: http://git.kernel.org/ > > Yes, it is. > > However some of the repositories on kernel.org haven't yet recovered > from the security breach. I would expect this is the case here. Serge Hallyn (cc'd) originally set up the git tree on kernel.org for the selinux-testsuite, so I guess the first question is whether he plans to restore it. If not, then possibly James Morris (also cc'd) could make it available again. -- Stephen Smalley National Security Agency |
From: Serge H. <ser...@ca...> - 2012-02-25 14:26:20
|
Quoting Stephen Smalley (sd...@ty...): > On Wed, 2012-01-18 at 14:16 +0100, Cyril Hrubis wrote: > > Hi! > > > Is this still valid? I'm having troubles cloning from there. > > > > > > git clone git://git.kernel.org/pub/scm/tests/selinux-testsuite > > > Initialized empty Git repository in /usr/src/selinux-testsuite/.git/ > > > fatal: The remote end hung up unexpectedly > > > > > > and also I can't see it listed here: http://git.kernel.org/ > > > > Yes, it is. > > > > However some of the repositories on kernel.org haven't yet recovered > > from the security breach. I would expect this is the case here. > > Serge Hallyn (cc'd) originally set up the git tree on kernel.org for the > selinux-testsuite, so I guess the first question is whether he plans to > restore it. If not, then possibly James Morris (also cc'd) could make > it available again. Ok, I never heard back about recreating my kernel.org account, and, worse, hardware failure just lost me the key I'd been getting signed by people. So for now I'm giving up on kernel.org. I'll happily put it up at github, but if James still doesn't mind putting it up at kernel.org, that seems more official. thanks, -serge |
From: James M. <jm...@na...> - 2012-02-27 00:53:56
|
On Sat, 25 Feb 2012, Serge Hallyn wrote: > I'll happily put it up at github, but if James still doesn't mind putting > it up at kernel.org, that seems more official. It's probably better if you have full access to maintain it. You could use selinuxproject.org (like SE-Android does). -- James Morris <jm...@na...> |