| Message ID | 20200316095523.335474-1-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [v2] secilc: add basic test for policy optimization | expand |
On Mon, Mar 16, 2020 at 5:55 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > Add a simple test for secilc -O to make sure that it produces the > expected output. This might produce some false positives when the output > of secilc/checkpolicy changes slightly, in which case the expected CIL > will need to be updated along with the change. > > The test should normally work even with a checkpolicy built from an > older tree, as long as it produces the same CIL output, so it uses the > checkpolicy it finds in PATH by default. > > The test policy is taken from an e-mail from James Carter: > https://lore.kernel.org/selinux/CAP+JOzTQQx6aM81QyVe0yoiPJeDU+7xE6nn=0UMAB1EZ_c9ryA@mail.gmail.com/T/ > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > > v2: > - move test policies to the 'test' subdirectory > - use a simplified test policy supplied by James > > secilc/.gitignore | 2 ++ > secilc/Makefile | 9 +++++ > secilc/test/opt-expected.cil | 57 +++++++++++++++++++++++++++++++ > secilc/test/opt-input.cil | 65 ++++++++++++++++++++++++++++++++++++ > 4 files changed, 133 insertions(+) > create mode 100644 secilc/test/opt-expected.cil > create mode 100644 secilc/test/opt-input.cil > > diff --git a/secilc/.gitignore b/secilc/.gitignore > index 2d3ff405..164523b0 100644 > --- a/secilc/.gitignore > +++ b/secilc/.gitignore > @@ -7,3 +7,5 @@ file_contexts > docs/html > docs/pdf > docs/tmp > +opt-actual.bin > +opt-actual.cil > diff --git a/secilc/Makefile b/secilc/Makefile > index 16640098..d4a1c35a 100644 > --- a/secilc/Makefile > +++ b/secilc/Makefile > @@ -13,6 +13,10 @@ SECIL2CONF_OBJS := $(patsubst %.c,%.o,$(SECIL2CONF_SRCS)) > SECILC_MANPAGE = secilc.8 > SECIL2CONF_MANPAGE = secil2conf.8 > XMLTO = xmlto > +DIFF = diff > + > +CHECKPOLICY = checkpolicy > +POL_VERS = $(shell $(CHECKPOLICY) -V | cut -f 1 -d ' ') > > CFLAGS ?= -Wall -Wshadow -Wextra -Wundef -Wmissing-format-attribute -Wcast-align -Wstrict-prototypes -Wpointer-arith -Wunused > > @@ -26,6 +30,9 @@ $(SECILC): $(SECILC_OBJS) > > test: $(SECILC) > ./$(SECILC) test/policy.cil > + ./$(SECILC) -c $(POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil > + $(CHECKPOLICY) -b -C -M -o opt-actual.cil opt-actual.bin >/dev/null > + $(DIFF) test/opt-expected.cil opt-actual.cil > > $(SECIL2CONF): $(SECIL2CONF_OBJS) > $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS) > @@ -58,6 +65,8 @@ clean: > rm -f file_contexts > rm -f $(SECILC_MANPAGE) > rm -f $(SECIL2CONF_MANPAGE) > + rm -f opt-actual.cil > + rm -f opt-actual.bin > $(MAKE) -C docs clean > > relabel: > diff --git a/secilc/test/opt-expected.cil b/secilc/test/opt-expected.cil > new file mode 100644 > index 00000000..73ac9045 > --- /dev/null > +++ b/secilc/test/opt-expected.cil > @@ -0,0 +1,57 @@ > +(handleunknown deny) > +(class cl01 (p01a p01b p11a p11b)) > +(classorder (cl01)) > +(sid kernel) > +(sidorder (kernel)) > +(mls true) > +(sensitivity s01) > +(sensitivityorder (s01)) > +(category c01) > +(categoryorder (c01)) > +(sensitivitycategory s01 (c01)) > +(typeattribute at02) > +(boolean b01 false) > +(type tp01) > +(type tp02) > +(type tp04) > +(type tpr1) > +(type tpr2) > +(type tpr3) > +(type tpr4) > +(type tpr5) > +(typeattributeset at02 (tp01 tp02)) > +(allow at02 tpr1 (cl01 (p01a p01b p11a))) > +(allow at02 tpr3 (cl01 (p01a p01b p11a))) > +(allow tp01 self (cl01 (p01a p01b p11a p11b))) > +(allow tp01 tpr1 (cl01 (p11b))) > +(dontaudit at02 tpr2 (cl01 (p01a p01b p11a))) > +(dontaudit at02 tpr4 (cl01 (p01a p01b p11a))) > +(dontaudit tp01 tpr2 (cl01 (p11b))) > +(booleanif b01 > + (true > + (allow tp01 tpr3 (cl01 (p11b))) > + (allow tp01 tpr5 (cl01 (p01a p01b p11a p11b))) > + (allow tp02 tpr5 (cl01 (p01a p11a))) > + (dontaudit tp01 tpr4 (cl01 (p11b))) > + ) > + (false > + (allow at02 tpr5 (cl01 (p01a p01b p11a))) > + ) > +) > +(role object_r) > +(role rl01) > +(roletype rl01 tp01) > +(roletype object_r tp01) > +(roletype object_r tp02) > +(roletype object_r tp04) > +(roletype object_r tpr1) > +(roletype object_r tpr2) > +(roletype object_r tpr3) > +(roletype object_r tpr4) > +(roletype object_r tpr5) > +(user us01) > +(userrole us01 object_r) > +(userrole us01 rl01) > +(userlevel us01 (s01)) > +(userrange us01 ((s01) (s01))) > +(sidcontext kernel (us01 rl01 tp01 ((s01) (s01)))) > diff --git a/secilc/test/opt-input.cil b/secilc/test/opt-input.cil > new file mode 100644 > index 00000000..5bb6c266 > --- /dev/null > +++ b/secilc/test/opt-input.cil > @@ -0,0 +1,65 @@ > +(handleunknown deny) > +(class cl01 (p01a p01b p11a p11b)) > +(classorder (cl01)) > +(sid kernel) > +(sidorder (kernel)) > +(mls true) > +(sensitivity s01) > +(sensitivityorder (s01)) > +(category c01) > +(categoryorder (c01)) > +(sensitivitycategory s01 (c01)) > +(typeattribute at01) > +(typeattribute at02) > +(boolean b01 false) > +(type tp01) > +(type tp02) > +(type tp04) > +(type tpr1) > +(type tpr2) > +(type tpr3) > +(type tpr4) > +(type tpr5) > +(typeattributeset at01 (tp01)) > +(typeattributeset at02 (tp01 tp02)) > +(allow at02 tpr1 (cl01 (p11a p01a p01b))) > +(allow at02 tpr3 (cl01 (p11a p01a p01b))) > +(allow tp01 at01 (cl01 (p11b))) > +(allow tp01 self (cl01 (p11a p01a))) > +(allow tp01 tp01 (cl01 (p01b))) > +(allow tp01 tpr1 (cl01 (p11a p11b p01a p01b))) > +(allow tp02 tpr1 (cl01 (p11a p01a))) > +(dontaudit at02 tpr2 (cl01 (p11a p01a p01b))) > +(dontaudit at02 tpr4 (cl01 (p11a p01a p01b))) > +(dontaudit tp01 tpr2 (cl01 (p11a p11b p01a p01b))) > +(dontaudit tp02 tpr2 (cl01 (p11a p01a))) > +(booleanif (b01) > + (true > + (allow tp01 tpr3 (cl01 (p11a p11b p01a p01b))) > + (allow tp01 tpr5 (cl01 (p11a p11b p01a p01b))) > + (allow tp02 tpr3 (cl01 (p11a p01a))) > + (allow tp02 tpr5 (cl01 (p11a p01a))) > + (dontaudit tp01 tpr4 (cl01 (p11a p11b p01a p01b))) > + (dontaudit tp02 tpr4 (cl01 (p11a p01a))) > + ) > + (false > + (allow at02 tpr5 (cl01 (p11a p01a p01b))) > + ) > +) > +(role object_r) > +(role rl01) > +(roletype rl01 tp01) > +(roletype object_r tp01) > +(roletype object_r tp02) > +(roletype object_r tp04) > +(roletype object_r tpr1) > +(roletype object_r tpr2) > +(roletype object_r tpr3) > +(roletype object_r tpr4) > +(roletype object_r tpr5) > +(user us01) > +(userrole us01 object_r) > +(userrole us01 rl01) > +(userlevel us01 (s01)) > +(userrange us01 ((s01) (s01))) > +(sidcontext kernel (us01 rl01 tp01 ((s01) (s01)))) > -- > 2.24.1 >
On Mon, Mar 16, 2020 at 10:08 AM James Carter <jwcart2@gmail.com> wrote: > > On Mon, Mar 16, 2020 at 5:55 AM Ondrej Mosnacek <omosnace@redhat.com> wrote: > > > > Add a simple test for secilc -O to make sure that it produces the > > expected output. This might produce some false positives when the output > > of secilc/checkpolicy changes slightly, in which case the expected CIL > > will need to be updated along with the change. > > > > The test should normally work even with a checkpolicy built from an > > older tree, as long as it produces the same CIL output, so it uses the > > checkpolicy it finds in PATH by default. > > > > The test policy is taken from an e-mail from James Carter: > > https://lore.kernel.org/selinux/CAP+JOzTQQx6aM81QyVe0yoiPJeDU+7xE6nn=0UMAB1EZ_c9ryA@mail.gmail.com/T/ > > > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Applied. Thanks, Jim > > --- > > > > v2: > > - move test policies to the 'test' subdirectory > > - use a simplified test policy supplied by James > > > > secilc/.gitignore | 2 ++ > > secilc/Makefile | 9 +++++ > > secilc/test/opt-expected.cil | 57 +++++++++++++++++++++++++++++++ > > secilc/test/opt-input.cil | 65 ++++++++++++++++++++++++++++++++++++ > > 4 files changed, 133 insertions(+) > > create mode 100644 secilc/test/opt-expected.cil > > create mode 100644 secilc/test/opt-input.cil > > > > diff --git a/secilc/.gitignore b/secilc/.gitignore > > index 2d3ff405..164523b0 100644 > > --- a/secilc/.gitignore > > +++ b/secilc/.gitignore > > @@ -7,3 +7,5 @@ file_contexts > > docs/html > > docs/pdf > > docs/tmp > > +opt-actual.bin > > +opt-actual.cil > > diff --git a/secilc/Makefile b/secilc/Makefile > > index 16640098..d4a1c35a 100644 > > --- a/secilc/Makefile > > +++ b/secilc/Makefile > > @@ -13,6 +13,10 @@ SECIL2CONF_OBJS := $(patsubst %.c,%.o,$(SECIL2CONF_SRCS)) > > SECILC_MANPAGE = secilc.8 > > SECIL2CONF_MANPAGE = secil2conf.8 > > XMLTO = xmlto > > +DIFF = diff > > + > > +CHECKPOLICY = checkpolicy > > +POL_VERS = $(shell $(CHECKPOLICY) -V | cut -f 1 -d ' ') > > > > CFLAGS ?= -Wall -Wshadow -Wextra -Wundef -Wmissing-format-attribute -Wcast-align -Wstrict-prototypes -Wpointer-arith -Wunused > > > > @@ -26,6 +30,9 @@ $(SECILC): $(SECILC_OBJS) > > > > test: $(SECILC) > > ./$(SECILC) test/policy.cil > > + ./$(SECILC) -c $(POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil > > + $(CHECKPOLICY) -b -C -M -o opt-actual.cil opt-actual.bin >/dev/null > > + $(DIFF) test/opt-expected.cil opt-actual.cil > > > > $(SECIL2CONF): $(SECIL2CONF_OBJS) > > $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS) > > @@ -58,6 +65,8 @@ clean: > > rm -f file_contexts > > rm -f $(SECILC_MANPAGE) > > rm -f $(SECIL2CONF_MANPAGE) > > + rm -f opt-actual.cil > > + rm -f opt-actual.bin > > $(MAKE) -C docs clean > > > > relabel: > > diff --git a/secilc/test/opt-expected.cil b/secilc/test/opt-expected.cil > > new file mode 100644 > > index 00000000..73ac9045 > > --- /dev/null > > +++ b/secilc/test/opt-expected.cil > > @@ -0,0 +1,57 @@ > > +(handleunknown deny) > > +(class cl01 (p01a p01b p11a p11b)) > > +(classorder (cl01)) > > +(sid kernel) > > +(sidorder (kernel)) > > +(mls true) > > +(sensitivity s01) > > +(sensitivityorder (s01)) > > +(category c01) > > +(categoryorder (c01)) > > +(sensitivitycategory s01 (c01)) > > +(typeattribute at02) > > +(boolean b01 false) > > +(type tp01) > > +(type tp02) > > +(type tp04) > > +(type tpr1) > > +(type tpr2) > > +(type tpr3) > > +(type tpr4) > > +(type tpr5) > > +(typeattributeset at02 (tp01 tp02)) > > +(allow at02 tpr1 (cl01 (p01a p01b p11a))) > > +(allow at02 tpr3 (cl01 (p01a p01b p11a))) > > +(allow tp01 self (cl01 (p01a p01b p11a p11b))) > > +(allow tp01 tpr1 (cl01 (p11b))) > > +(dontaudit at02 tpr2 (cl01 (p01a p01b p11a))) > > +(dontaudit at02 tpr4 (cl01 (p01a p01b p11a))) > > +(dontaudit tp01 tpr2 (cl01 (p11b))) > > +(booleanif b01 > > + (true > > + (allow tp01 tpr3 (cl01 (p11b))) > > + (allow tp01 tpr5 (cl01 (p01a p01b p11a p11b))) > > + (allow tp02 tpr5 (cl01 (p01a p11a))) > > + (dontaudit tp01 tpr4 (cl01 (p11b))) > > + ) > > + (false > > + (allow at02 tpr5 (cl01 (p01a p01b p11a))) > > + ) > > +) > > +(role object_r) > > +(role rl01) > > +(roletype rl01 tp01) > > +(roletype object_r tp01) > > +(roletype object_r tp02) > > +(roletype object_r tp04) > > +(roletype object_r tpr1) > > +(roletype object_r tpr2) > > +(roletype object_r tpr3) > > +(roletype object_r tpr4) > > +(roletype object_r tpr5) > > +(user us01) > > +(userrole us01 object_r) > > +(userrole us01 rl01) > > +(userlevel us01 (s01)) > > +(userrange us01 ((s01) (s01))) > > +(sidcontext kernel (us01 rl01 tp01 ((s01) (s01)))) > > diff --git a/secilc/test/opt-input.cil b/secilc/test/opt-input.cil > > new file mode 100644 > > index 00000000..5bb6c266 > > --- /dev/null > > +++ b/secilc/test/opt-input.cil > > @@ -0,0 +1,65 @@ > > +(handleunknown deny) > > +(class cl01 (p01a p01b p11a p11b)) > > +(classorder (cl01)) > > +(sid kernel) > > +(sidorder (kernel)) > > +(mls true) > > +(sensitivity s01) > > +(sensitivityorder (s01)) > > +(category c01) > > +(categoryorder (c01)) > > +(sensitivitycategory s01 (c01)) > > +(typeattribute at01) > > +(typeattribute at02) > > +(boolean b01 false) > > +(type tp01) > > +(type tp02) > > +(type tp04) > > +(type tpr1) > > +(type tpr2) > > +(type tpr3) > > +(type tpr4) > > +(type tpr5) > > +(typeattributeset at01 (tp01)) > > +(typeattributeset at02 (tp01 tp02)) > > +(allow at02 tpr1 (cl01 (p11a p01a p01b))) > > +(allow at02 tpr3 (cl01 (p11a p01a p01b))) > > +(allow tp01 at01 (cl01 (p11b))) > > +(allow tp01 self (cl01 (p11a p01a))) > > +(allow tp01 tp01 (cl01 (p01b))) > > +(allow tp01 tpr1 (cl01 (p11a p11b p01a p01b))) > > +(allow tp02 tpr1 (cl01 (p11a p01a))) > > +(dontaudit at02 tpr2 (cl01 (p11a p01a p01b))) > > +(dontaudit at02 tpr4 (cl01 (p11a p01a p01b))) > > +(dontaudit tp01 tpr2 (cl01 (p11a p11b p01a p01b))) > > +(dontaudit tp02 tpr2 (cl01 (p11a p01a))) > > +(booleanif (b01) > > + (true > > + (allow tp01 tpr3 (cl01 (p11a p11b p01a p01b))) > > + (allow tp01 tpr5 (cl01 (p11a p11b p01a p01b))) > > + (allow tp02 tpr3 (cl01 (p11a p01a))) > > + (allow tp02 tpr5 (cl01 (p11a p01a))) > > + (dontaudit tp01 tpr4 (cl01 (p11a p11b p01a p01b))) > > + (dontaudit tp02 tpr4 (cl01 (p11a p01a))) > > + ) > > + (false > > + (allow at02 tpr5 (cl01 (p11a p01a p01b))) > > + ) > > +) > > +(role object_r) > > +(role rl01) > > +(roletype rl01 tp01) > > +(roletype object_r tp01) > > +(roletype object_r tp02) > > +(roletype object_r tp04) > > +(roletype object_r tpr1) > > +(roletype object_r tpr2) > > +(roletype object_r tpr3) > > +(roletype object_r tpr4) > > +(roletype object_r tpr5) > > +(user us01) > > +(userrole us01 object_r) > > +(userrole us01 rl01) > > +(userlevel us01 (s01)) > > +(userrange us01 ((s01) (s01))) > > +(sidcontext kernel (us01 rl01 tp01 ((s01) (s01)))) > > -- > > 2.24.1 > >
diff --git a/secilc/.gitignore b/secilc/.gitignore index 2d3ff405..164523b0 100644 --- a/secilc/.gitignore +++ b/secilc/.gitignore @@ -7,3 +7,5 @@ file_contexts docs/html docs/pdf docs/tmp +opt-actual.bin +opt-actual.cil diff --git a/secilc/Makefile b/secilc/Makefile index 16640098..d4a1c35a 100644 --- a/secilc/Makefile +++ b/secilc/Makefile @@ -13,6 +13,10 @@ SECIL2CONF_OBJS := $(patsubst %.c,%.o,$(SECIL2CONF_SRCS)) SECILC_MANPAGE = secilc.8 SECIL2CONF_MANPAGE = secil2conf.8 XMLTO = xmlto +DIFF = diff + +CHECKPOLICY = checkpolicy +POL_VERS = $(shell $(CHECKPOLICY) -V | cut -f 1 -d ' ') CFLAGS ?= -Wall -Wshadow -Wextra -Wundef -Wmissing-format-attribute -Wcast-align -Wstrict-prototypes -Wpointer-arith -Wunused @@ -26,6 +30,9 @@ $(SECILC): $(SECILC_OBJS) test: $(SECILC) ./$(SECILC) test/policy.cil + ./$(SECILC) -c $(POL_VERS) -O -M 1 -f /dev/null -o opt-actual.bin test/opt-input.cil + $(CHECKPOLICY) -b -C -M -o opt-actual.cil opt-actual.bin >/dev/null + $(DIFF) test/opt-expected.cil opt-actual.cil $(SECIL2CONF): $(SECIL2CONF_OBJS) $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS) @@ -58,6 +65,8 @@ clean: rm -f file_contexts rm -f $(SECILC_MANPAGE) rm -f $(SECIL2CONF_MANPAGE) + rm -f opt-actual.cil + rm -f opt-actual.bin $(MAKE) -C docs clean relabel: diff --git a/secilc/test/opt-expected.cil b/secilc/test/opt-expected.cil new file mode 100644 index 00000000..73ac9045 --- /dev/null +++ b/secilc/test/opt-expected.cil @@ -0,0 +1,57 @@ +(handleunknown deny) +(class cl01 (p01a p01b p11a p11b)) +(classorder (cl01)) +(sid kernel) +(sidorder (kernel)) +(mls true) +(sensitivity s01) +(sensitivityorder (s01)) +(category c01) +(categoryorder (c01)) +(sensitivitycategory s01 (c01)) +(typeattribute at02) +(boolean b01 false) +(type tp01) +(type tp02) +(type tp04) +(type tpr1) +(type tpr2) +(type tpr3) +(type tpr4) +(type tpr5) +(typeattributeset at02 (tp01 tp02)) +(allow at02 tpr1 (cl01 (p01a p01b p11a))) +(allow at02 tpr3 (cl01 (p01a p01b p11a))) +(allow tp01 self (cl01 (p01a p01b p11a p11b))) +(allow tp01 tpr1 (cl01 (p11b))) +(dontaudit at02 tpr2 (cl01 (p01a p01b p11a))) +(dontaudit at02 tpr4 (cl01 (p01a p01b p11a))) +(dontaudit tp01 tpr2 (cl01 (p11b))) +(booleanif b01 + (true + (allow tp01 tpr3 (cl01 (p11b))) + (allow tp01 tpr5 (cl01 (p01a p01b p11a p11b))) + (allow tp02 tpr5 (cl01 (p01a p11a))) + (dontaudit tp01 tpr4 (cl01 (p11b))) + ) + (false + (allow at02 tpr5 (cl01 (p01a p01b p11a))) + ) +) +(role object_r) +(role rl01) +(roletype rl01 tp01) +(roletype object_r tp01) +(roletype object_r tp02) +(roletype object_r tp04) +(roletype object_r tpr1) +(roletype object_r tpr2) +(roletype object_r tpr3) +(roletype object_r tpr4) +(roletype object_r tpr5) +(user us01) +(userrole us01 object_r) +(userrole us01 rl01) +(userlevel us01 (s01)) +(userrange us01 ((s01) (s01))) +(sidcontext kernel (us01 rl01 tp01 ((s01) (s01)))) diff --git a/secilc/test/opt-input.cil b/secilc/test/opt-input.cil new file mode 100644 index 00000000..5bb6c266 --- /dev/null +++ b/secilc/test/opt-input.cil @@ -0,0 +1,65 @@ +(handleunknown deny) +(class cl01 (p01a p01b p11a p11b)) +(classorder (cl01)) +(sid kernel) +(sidorder (kernel)) +(mls true) +(sensitivity s01) +(sensitivityorder (s01)) +(category c01) +(categoryorder (c01)) +(sensitivitycategory s01 (c01)) +(typeattribute at01) +(typeattribute at02) +(boolean b01 false) +(type tp01) +(type tp02) +(type tp04) +(type tpr1) +(type tpr2) +(type tpr3) +(type tpr4) +(type tpr5) +(typeattributeset at01 (tp01)) +(typeattributeset at02 (tp01 tp02)) +(allow at02 tpr1 (cl01 (p11a p01a p01b))) +(allow at02 tpr3 (cl01 (p11a p01a p01b))) +(allow tp01 at01 (cl01 (p11b))) +(allow tp01 self (cl01 (p11a p01a))) +(allow tp01 tp01 (cl01 (p01b))) +(allow tp01 tpr1 (cl01 (p11a p11b p01a p01b))) +(allow tp02 tpr1 (cl01 (p11a p01a))) +(dontaudit at02 tpr2 (cl01 (p11a p01a p01b))) +(dontaudit at02 tpr4 (cl01 (p11a p01a p01b))) +(dontaudit tp01 tpr2 (cl01 (p11a p11b p01a p01b))) +(dontaudit tp02 tpr2 (cl01 (p11a p01a))) +(booleanif (b01) + (true + (allow tp01 tpr3 (cl01 (p11a p11b p01a p01b))) + (allow tp01 tpr5 (cl01 (p11a p11b p01a p01b))) + (allow tp02 tpr3 (cl01 (p11a p01a))) + (allow tp02 tpr5 (cl01 (p11a p01a))) + (dontaudit tp01 tpr4 (cl01 (p11a p11b p01a p01b))) + (dontaudit tp02 tpr4 (cl01 (p11a p01a))) + ) + (false + (allow at02 tpr5 (cl01 (p11a p01a p01b))) + ) +) +(role object_r) +(role rl01) +(roletype rl01 tp01) +(roletype object_r tp01) +(roletype object_r tp02) +(roletype object_r tp04) +(roletype object_r tpr1) +(roletype object_r tpr2) +(roletype object_r tpr3) +(roletype object_r tpr4) +(roletype object_r tpr5) +(user us01) +(userrole us01 object_r) +(userrole us01 rl01) +(userlevel us01 (s01)) +(userrange us01 ((s01) (s01))) +(sidcontext kernel (us01 rl01 tp01 ((s01) (s01))))
Add a simple test for secilc -O to make sure that it produces the expected output. This might produce some false positives when the output of secilc/checkpolicy changes slightly, in which case the expected CIL will need to be updated along with the change. The test should normally work even with a checkpolicy built from an older tree, as long as it produces the same CIL output, so it uses the checkpolicy it finds in PATH by default. The test policy is taken from an e-mail from James Carter: https://lore.kernel.org/selinux/CAP+JOzTQQx6aM81QyVe0yoiPJeDU+7xE6nn=0UMAB1EZ_c9ryA@mail.gmail.com/T/ Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- v2: - move test policies to the 'test' subdirectory - use a simplified test policy supplied by James secilc/.gitignore | 2 ++ secilc/Makefile | 9 +++++ secilc/test/opt-expected.cil | 57 +++++++++++++++++++++++++++++++ secilc/test/opt-input.cil | 65 ++++++++++++++++++++++++++++++++++++ 4 files changed, 133 insertions(+) create mode 100644 secilc/test/opt-expected.cil create mode 100644 secilc/test/opt-input.cil