From: Serge E. H. <se...@us...> - 2008-01-30 17:40:18
|
Quoting Stephen Smalley (sd...@ty...): > > On Wed, 2008-01-30 at 07:20 -0500, Stephen Smalley wrote: > > On Tue, 2008-01-29 at 18:21 -0600, Serge E. Hallyn wrote: > > > Here is a patch against this morning's ltp cvs snapshot to implement > > > Stephen's suggestion of setting expand-check=0 for the duration of > > > the policy load. This allowed me to get rid of the hack > > > ++domain_type(test_create_no_t) in refpolicy/test_task_create.te, also > > > done in this patch. > > > > > > (I think it also inlines a patch Stephen sent on jan 23 which > > > wasn't yet in ltp cvs) > > > > As far as I can tell, no one has merged the two patches that I sent > > earlier, which explains why you are still seeing failures (the one patch > > I sent added permissions needed for the tests). I've seen no reply to > > my patches, although I've seen other patches responded to. > > Actually, I see that your patch does include the permissions from my > patch (still not sure why my patch hasn't been merged), so I don't know > why you'd still be seeing failures. I only get 3 failures with my > patch applied, on inherit and fdreceive (due to Fedora 8 policy granting > fd:use permission liberally to all domains) and on task_create (due to > the refpolicy granting process:fork to all domains), so I would only > expect you to get 2 failures after your patch. Interesting. I'll look into some these on Friday. Here is the list of failures btw: Test Start Time: Wed Jan 30 06:25:54 2008 ----------------------------------------- Testcase Result Exit Value -------- ------ ---------- SELinux01 PASS 0 SELinux02 PASS 0 SELinux03 PASS 0 SELinux04 PASS 0 SELinux05 PASS 0 SELinux06 PASS 0 SELinux07 PASS 0 SELinux08 PASS 0 SELinux09 FAIL 1 SELinux10 FAIL 2 SELinux11 FAIL 1 SELinux12 PASS 0 SELinux13 PASS 0 SELinux14 FAIL 1 SELinux15 FAIL 1 SELinux16 PASS 0 SELinux17 PASS 0 SELinux18 PASS 0 SELinux19 FAIL 1 SELinux20 FAIL 1 SELinux21 FAIL 2 SELinux22 FAIL 1 SELinux23 PASS 0 SELinux24 PASS 0 SELinux25 FAIL 1 SELinux26 PASS 0 SELinux27 PASS 0 SELinux28 PASS 0 SELinux29 PASS 0 SELinux30 PASS 0 SELinux31 PASS 0 SELinux32 PASS 0 SELinux33 PASS 0 SELinux34 PASS 0 SELinux35 PASS 0 SELinux36 PASS 0 SELinux37 PASS 0 SELinux38 PASS 0 ----------------------------------------------- Total Tests: 38 Total Failures: 10 Kernel Version: 2.6.23.1-42.fc8 Machine Architecture: i686 Hostname: localhost.localdomain > Debugging failures generally requires a copy of your audit.log entries > generated during the tests, and can sometimes benefit from manually > running individual tests as per the README so that you can see more > output. The ltp logfiles may lack some diagnostic output because > policy may not be allowing the test domains to write to whatever type > the log file happens to have (depends on where you install the ltp). yes there's not much in the logfiles, but on friday i'll try running some by hand and looking through the audit logs. thanks, -serge |