Message ID | 20191127134643.822677-1-omosnace@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Series | [testsuite] travis: improve selinuxfs mocking |
On 11/27/19 8:46 AM, Ondrej Mosnacek wrote:
> Modify all Makefiles to allow overriding the path to the selinuxfs
> mountpoint via the SELINUXFS variable and use it in the Travis script to
> allow more stuff to be built (namely the extended_socket_class subdir).
>
> This patch also drops the auto-detection of selinuxfs mount from
> policy/Makefile in favor of overriding it via the variable if it differs
> from the usual /sys/fs/selinux/.

This seems fine but note that several test scripts also access /sys/fs/selinux for various purposes:

tests/mkdir/test: @locations = ( '/selinux', '/sys/fs/selinux' );
tests/nnp_nosuid/test:"grep -q 1 /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition 2> /dev/null"
tests/checkreqprot/default_value.sh: grep -q 0 /sys/fs/selinux/checkreqprot 2> /dev/null
tests/mmap/test: if ( system("grep -q 0 /sys/fs/selinux/checkreqprot 2> /dev/null") == 0 ) {
tests/mmap/test: if ( -e '/sys/fs/selinux/class/file/perms/map' ) {

This won't matter until/unless we get to the point of actually running the testsuite on travis, in which case we should have a real /sys/fs/selinux so it may not matter.

>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

> ---
> .travis.yml | 8 ++++----
> policy/Makefile | 2 +-
> tests/Makefile | 5 +++--
> 3 files changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/.travis.yml b/.travis.yml > index d1e5056..2c8e416 100644 > --- a/.travis.yml > +++ b/.travis.yml 
> @@ -51,15 +51,15 @@ before_install: > - bash travis-ci/setup-policy-fedora.sh > - bash travis-ci/setup-policy-refpolicy.sh > # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs) > - - sudo mkdir -p /tmp/fake-selinuxfs > - - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs > + - mkdir -p /tmp/fake-selinuxfs/policy_capabilities > + - echo 1 > /tmp/fake-selinuxfs/policy_capabilities/extended_socket_class > - echo 999 >/tmp/fake-selinuxfs/policyvers > > script: > - tools/check-syntax -f && git diff --exit-code > - | > bash travis-ci/enable-policy.sh targeted && > - make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted > + make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted > - | > bash travis-ci/enable-policy.sh refpolicy && > - make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy > + make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy > diff --git a/policy/Makefile b/policy/Makefile > index 87b2856..dda2e16 100644 > --- a/policy/Makefile > +++ b/policy/Makefile > @@ -3,6 +3,7 @@ PREFIX ?= /usr > BINDIR ?= $(PREFIX)/bin > SBINDIR ?= $(PREFIX)/sbin > POLDEV ?= $(PREFIX)/share/selinux/devel > +SELINUXFS ?= /sys/fs/selinux > SEMODULE = $(SBINDIR)/semodule > CHECKPOLICY = $(BINDIR)/checkpolicy > CHECKMODULE = $(BINDIR)/checkmodule > @@ -11,7 +12,6 @@ DISTRO=$(shell ../tests/os_detect) > > POL_VERS := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') > MOD_POL_VERS := $(shell $(CHECKMODULE) -V |cut -f 2 -d '-') > -SELINUXFS := $(shell cat /proc/mounts | grep selinuxfs | cut -f 2 -d ' ') > MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers) > > TARGETS = \ > diff --git a/tests/Makefile b/tests/Makefile > index 1cdb1ac..0d33fbf 100644 > --- a/tests/Makefile > +++ b/tests/Makefile > @@ -1,5 +1,6 @@ > INCLUDEDIR ?= /usr/include > POLDEV ?= /usr/share/selinux/devel > +SELINUXFS ?= /sys/fs/selinux > > export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE 
> > @@ -19,11 +20,11 @@ SUBDIRS += cap_userns > endif > endif > > -ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true) > +ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true) > SUBDIRS += extended_socket_class > endif > > -ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true) > +ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true) > ifneq ($(shell ./kvercmp $$(uname -r) 4.20.17),-1) > SUBDIRS += sctp > endif >
On 11/27/19 8:46 AM, Ondrej Mosnacek wrote:
> Modify all Makefiles to allow overriding the path to the selinuxfs
> mountpoint via the SELINUXFS variable and use it in the Travis script to
> allow more stuff to be built (namely the extended_socket_class subdir).
>
> This patch also drops the auto-detection of selinuxfs mount from
> policy/Makefile in favor of overriding it via the variable if it differs
> from the usual /sys/fs/selinux/.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

Thanks, applied.

> ---
> .travis.yml | 8 ++++----
> policy/Makefile | 2 +-
> tests/Makefile | 5 +++--
> 3 files changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/.travis.yml b/.travis.yml > index d1e5056..2c8e416 100644 > --- a/.travis.yml > +++ b/.travis.yml > @@ -51,15 +51,15 @@ before_install: > - bash travis-ci/setup-policy-fedora.sh > - bash travis-ci/setup-policy-refpolicy.sh > # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs) > - - sudo mkdir -p /tmp/fake-selinuxfs > - - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs > + - mkdir -p /tmp/fake-selinuxfs/policy_capabilities > + - echo 1 > /tmp/fake-selinuxfs/policy_capabilities/extended_socket_class > - echo 999 >/tmp/fake-selinuxfs/policyvers > > script: > - tools/check-syntax -f && git diff --exit-code > - | > bash travis-ci/enable-policy.sh targeted && > - make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted > + make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted > - | > bash travis-ci/enable-policy.sh refpolicy && > - make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy > + make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy > diff --git a/policy/Makefile b/policy/Makefile > index 87b2856..dda2e16 100644 > --- a/policy/Makefile > +++ b/policy/Makefile 
> @@ -3,6 +3,7 @@ PREFIX ?= /usr > BINDIR ?= $(PREFIX)/bin > SBINDIR ?= $(PREFIX)/sbin > POLDEV ?= $(PREFIX)/share/selinux/devel > +SELINUXFS ?= /sys/fs/selinux > SEMODULE = $(SBINDIR)/semodule > CHECKPOLICY = $(BINDIR)/checkpolicy > CHECKMODULE = $(BINDIR)/checkmodule > @@ -11,7 +12,6 @@ DISTRO=$(shell ../tests/os_detect) > > POL_VERS := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') > MOD_POL_VERS := $(shell $(CHECKMODULE) -V |cut -f 2 -d '-') > -SELINUXFS := $(shell cat /proc/mounts | grep selinuxfs | cut -f 2 -d ' ') > MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers) > > TARGETS = \ > diff --git a/tests/Makefile b/tests/Makefile > index 1cdb1ac..0d33fbf 100644 > --- a/tests/Makefile > +++ b/tests/Makefile > @@ -1,5 +1,6 @@ > INCLUDEDIR ?= /usr/include > POLDEV ?= /usr/share/selinux/devel > +SELINUXFS ?= /sys/fs/selinux > > export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE > > @@ -19,11 +20,11 @@ SUBDIRS += cap_userns > endif > endif > > -ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true) > +ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true) > SUBDIRS += extended_socket_class > endif > > -ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true) > +ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true) > ifneq ($(shell ./kvercmp $$(uname -r) 4.20.17),-1) > SUBDIRS += sctp > endif >
diff --git a/.travis.yml b/.travis.yml index d1e5056..2c8e416 100644 --- a/.travis.yml +++ b/.travis.yml @@ -51,15 +51,15 @@ before_install: - bash travis-ci/setup-policy-fedora.sh - bash travis-ci/setup-policy-refpolicy.sh # establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs) - - sudo mkdir -p /tmp/fake-selinuxfs - - sudo mount -t tmpfs tmpfs /tmp/fake-selinuxfs + - mkdir -p /tmp/fake-selinuxfs/policy_capabilities + - echo 1 > /tmp/fake-selinuxfs/policy_capabilities/extended_socket_class - echo 999 >/tmp/fake-selinuxfs/policyvers script: - tools/check-syntax -f && git diff --exit-code - | bash travis-ci/enable-policy.sh targeted && - make PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted + make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/targeted - | bash travis-ci/enable-policy.sh refpolicy && - make PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy + make SELINUXFS=/tmp/fake-selinuxfs PREFIX=/usr/local POLDEV=/usr/share/selinux/refpolicy diff --git a/policy/Makefile b/policy/Makefile index 87b2856..dda2e16 100644 --- a/policy/Makefile +++ b/policy/Makefile @@ -3,6 +3,7 @@ PREFIX ?= /usr BINDIR ?= $(PREFIX)/bin SBINDIR ?= $(PREFIX)/sbin POLDEV ?= $(PREFIX)/share/selinux/devel +SELINUXFS ?= /sys/fs/selinux SEMODULE = $(SBINDIR)/semodule CHECKPOLICY = $(BINDIR)/checkpolicy CHECKMODULE = $(BINDIR)/checkmodule @@ -11,7 +12,6 @@ DISTRO=$(shell ../tests/os_detect) POL_VERS := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ') MOD_POL_VERS := $(shell $(CHECKMODULE) -V |cut -f 2 -d '-') -SELINUXFS := $(shell cat /proc/mounts | grep selinuxfs | cut -f 2 -d ' ') MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers) TARGETS = \ diff --git a/tests/Makefile b/tests/Makefile index 1cdb1ac..0d33fbf 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -1,5 +1,6 @@ INCLUDEDIR ?= /usr/include POLDEV ?= /usr/share/selinux/devel +SELINUXFS ?= /sys/fs/selinux export CFLAGS+=-g -O0 -Wall -D_GNU_SOURCE 
@@ -19,11 +20,11 @@ SUBDIRS += cap_userns endif endif -ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true) +ifeq ($(shell grep -q icmp_socket $(POLDEV)/include/support/all_perms.spt && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true) SUBDIRS += extended_socket_class endif -ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 /sys/fs/selinux/policy_capabilities/extended_socket_class && echo true),true) +ifeq ($(shell grep -q corenet_sctp_bind_all_nodes $(POLDEV)/include/kernel/corenetwork.if && grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class && echo true),true) ifneq ($(shell ./kvercmp $$(uname -r) 4.20.17),-1) SUBDIRS += sctp endif
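Review bot: the context comment in the before_install hunk of .travis.yml, `# establish a fake "selinuxfs" mount (policy/Makefile just greps for selinuxfs)`, is left unchanged but no longer describes the step: the tmpfs mount is dropped and policy/Makefile loses its grep of /proc/mounts in this same patch. Reword it to say the directory is a plain mock tree handed to make via SELINUXFS. The path /tmp/fake-selinuxfs is also spelled out on five lines of the resulting file (mkdir, two echo lines, two make invocations); a single variable in the Travis environment would keep the setup steps and the make arguments from drifting apart.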
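Review bot: with the /proc/mounts lookup removed in the second policy/Makefile hunk, `MAX_KERNEL_POLICY := $(shell cat $(SELINUXFS)/policyvers)` depends entirely on the default or on an override, and a wrong path leaves MAX_KERNEL_POLICY empty with only a cat error on stderr. A system with selinuxfs mounted somewhere other than /sys/fs/selinux (tests/mkdir/test still probes '/selinux') used to be detected automatically and now needs the variable set by hand. Suggest failing early with $(error ...) when $(SELINUXFS)/policyvers is not readable, and documenting SELINUXFS wherever PREFIX and POLDEV are documented.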
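Review bot: both rewritten conditions in the second tests/Makefile hunk run the same `grep -q 1 $(SELINUXFS)/policy_capabilities/extended_socket_class` with stderr left open, so an overridden SELINUXFS that lacks policy_capabilities/ prints a grep error twice and silently leaves extended_socket_class and sctp out of SUBDIRS. Consider evaluating the check once into a make variable and reusing it in both ifeq tests, adding 2>/dev/null as tests/nnp_nosuid/test does for its own probe, and matching the whole line (grep -qx 1) rather than any line that contains a 1.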
Modify all Makefiles to allow overriding the path to the selinuxfs mountpoint via the SELINUXFS variable and use it in the Travis script to allow more stuff to be built (namely the extended_socket_class subdir).

This patch also drops the auto-detection of selinuxfs mount from policy/Makefile in favor of overriding it via the variable if it differs from the usual /sys/fs/selinux/.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 .travis.yml | 8 ++++----
 policy/Makefile | 2 +-
 tests/Makefile | 5 +++--
 3 files changed, 8 insertions(+), 7 deletions(-)