From: russell@coker.com.au (Russell Coker) Date: Thu, 10 Mar 2011 12:14:38 +1100 Subject: [refpolicy] run/build-time sanity checks In-Reply-To: <1299684873.2948.73.camel@tesla.lan> References: <1297836836.3205.56.camel@tesla.lan> <201103100159.00445.russell@coker.com.au> <1299684873.2948.73.camel@tesla.lan> Message-ID: <201103101214.38976.russell@coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, 10 Mar 2011, Guido Trentalancia wrote: > > The main problem I've found in transitions not working is binaries > > getting renamed, which "make check" can never find. > > But do you mean application or daemon binaries ? That would be > classified as a labeling problem. Yes, a labeling problem that is very common. > There are infinite degrees of freedom with the naming of executables > (not necessary "binaries"). I suppose that the reference policy targets > a reference system. No, the reference policy targets Fedora, RHEL, Debian, Gentoo, and any other distribution that has people sending patches! > And the reference system is an upstream system. Where "upstream" is defined to mean any of the major distributions of Linux, then yes. > And > upstream systems should have no degrees of freedom on the naming of > executables. No, they have heaps of freedom. Red Hat decides to have a program named "httpd" for legal reasons, Debian names the same program "apache", and then renames it to "apache2" for some reason. We just have to deal with this stuff. > Even if the reference system did not exactly coincide with > an upstream system, the reference system would still be unique by > definition (I don't know exactly, maybe it's a system being run at > Tresys). I think that Tresys mostly works with Red Hat based systems, they do work on RHEL servers, Fedora, and they probably have some Rawhide (Red Hat bleeding edge) systems in there too. Some of the Tresys employees are Gentoo people so they probably have some Gentoo systems. > > The next issue is application misconfiguration, such as an xdm program > > not having the correct PAM configuration, again it's not something that > > you can check through policy. > > That's not a problem with refpolicy I think. That's a local > misconfiguration (or even intentional). True, but we want to find and fix as many problems as possible. > > Rebooting a VM is no big deal at all. It's something that can be done by > > a cron job. > > > > Also I'd like to automate the process of an X login and running some > > applications in KDE and GNOME sessions. Any suggestions of how to do > > this would be appreciated. > > Through xdmcp and/or x11 ports ? But I suppose a bit of compiled code > (ideally C) would be required here. The applications could then be > started automatically through the session manager (e.g. gnome-session > configuration) ? Then after a few seconds the main script checks that > everything is running in the proper context. Finally it kills everything > and creates the report (or iterates for other configurations). http://search.cpan.org/~ctrondlp/X11-GUITest-0.22/GUITest.pm There are a variety of test frameworks for X11 available, the above is the first Google hit. I'm not sure whether it's what I will eventually use, but I have done some Perl programming and I have many friends who are Perl experts who can help me so it seems like a good possibility. What I want to do is test clicking on a URL from kmail to launch a web browser, saving a file from the web page (EG a PDF) to disk and then viewing it, changing the web browser program (from Konqueror to Iceweasel and then Chrome) and testing the process with all of them. Then do the same things with Jabber clients and other things. Also for this I want to have test servers setup. I'd like to run up all common ISP services on a test machine and then connect to them from the common clients (at least two for every common protocol) and make sure that it all works. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/