From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 14 Mar 2011 14:04:45 -0400 Subject: [refpolicy] [PATCH 13/34]: patch to allow networkmanager dbus chat In-Reply-To: <1300123406.3071.6.camel@tesla.lan> References: <1297836836.3205.56.camel@tesla.lan> <4D651B7A.4010100@tresys.com> <1298487030.29671.20.camel@tesla.lan> <4D74E408.2050501@tresys.com> <1299517796.2978.41.camel@tesla.lan> <4D7533E5.9050806@tresys.com> <1299533995.2967.23.camel@tesla.lan> <4D7E0D25.5080304@tresys.com> <1300123406.3071.6.camel@tesla.lan> Message-ID: <4D7E58BD.2020004@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 03/14/11 13:23, Guido Trentalancia wrote: > On Mon, 14/03/2011 at 08.42 -0400, Christopher J. PeBenito wrote: >> On 3/7/2011 4:39 PM, Guido Trentalancia wrote: >>> On Mon, 07/03/2011 at 14.37 -0500, Christopher J. PeBenito wrote: >>>> On 03/07/11 12:09, Guido Trentalancia wrote: >>>>> On Mon, 07/03/2011 at 08.56 -0500, Christopher J. PeBenito wrote: >>>>>> On 02/23/11 13:50, Guido Trentalancia wrote: >>>>> Also, what do you think about the idea of providing a make target (say >>>>> "make check") in refpolicy which runs some minimal checks on that for at >>>>> least the core processes ? >>>> >>>> I can't think of how that would work off the top of my head. If you have ideas, I'd be happy to listen. I'd prefer to not write a script that has all of the checking hard coded in it. >>> >>> It's just something very simple. A make target which runs ps axZ (as >>> sysadm) and compares a few very basic things: >>> >>> - if init has properly transitioned to its context (apparently at the >>> moment no one cares if it hasn't, which is quite worrying as everything >>> could run in kernel_t without showing any symptom or warning); >>> - for a few core modules (as long as they are compiled in the policy), >>> that they are running in the proper context: so for example if polkitd >>> is running in policykit_t context (ps axZ | grep polkitd | grep >>> policykit_t). >>> >>> Of course you can avoid hardcoding the keywords "polkitd" and >>> "policykit_d" as long as you can get that out of policykit.{te,fc} by >>> the means of some other form of regexp matching and string processing >>> (sed, awk) for example: something very simple, something very basic, >>> still quite useful to the inexperienced user. >> >> What you're describing is a big hardcoded script, which I'm trying to avoid. > > More or less this what I meant: > > check: > ps axZ | grep init | grep -q init_t || echo "FAIL: init has not > transitioned properly to its context" > > and so on for the a few other basic first-line context checks. > > If you don't like it, it doesn't matter. Any test needs at least to have > the reference results "hardcoded". Actually, this is one of the reasons I created the sestatus tool (see sestatus -v): to help people determine certain the context of key files and processes. It doesn't validate that the contexts are correct, but it makes it easy to find them. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com