From: rfkrocktk@gmail.com (Naftuli Tzvi Kay)
Date: Tue, 23 Aug 2016 20:35:11 -0700
Subject: [refpolicy] Testing in the Reference Policy
In-Reply-To: <9e6f676d-edd4-e33c-a861-9334adfea081@gmail.com>
References: <9e6f676d-edd4-e33c-a861-9334adfea081@gmail.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Don't worry, I'm not giving up :) It might just take a while before I have
something working.

Would the reference policy ever be interested in having a Vagrant VM setup
for testing policy rules and everything? I'd be happy to contribute that
back upstream.

Thanks,

- Naftuli Tzvi

On Tue, Aug 23, 2016 at 2:36 AM, Dominick Grift wrote:

> On 08/22/2016 07:52 PM, Naftuli Tzvi Kay via refpolicy wrote:
> > I'm currently working on a reference policy addition to restrict access
> > for a given application. Up until now, I've been testing my application
> > on a Fedora 24 Vagrant VM, compiling a non-base module and loading it
> > into the kernel, running, testing, auditing, etc.
> >
> > What I found is that I ended up using a lot of RedHat specific
> > downstream macros, which aren't supported here upstream.
> >
> > Is there a recommended way of testing reference policy code? How can I
> > alter my Fedora Vagrant VM setup to cover the use case I'm after? Should
> > I just compile the reference policy in my VM, relabel the filesystem,
> > and then reboot and load the reference policy into the kernel?
> >
> > My host OS is running Ubuntu 14.04, so it's not very useful for
> > debugging SELinux things; I once tried getting SELinux running on my
> > desktop, but X wouldn't start, etc. and I imagine the policy is pretty
> > out of date.
> >
> > How can I create an environment in which I can test my policy against
> > the program I'm aiming to constrain? (Syncthing)
> >
>
> I spent the morning recording the full procedure of developing for
> refpolicy on Fedora.
>
> I start with installing refpolicy, enabling it. Then I write a simple
> module on top of the installation. This is what one would do when one
> wants to write a module atop of refpolicy.
>
> I encourage you to not give up and take this final step. You are very
> close, and your module so far is pretty good.
>
> Learning how to do what is in the video is the final piece in the puzzle
> I think.
>
> The video might be long but it's comprehensive (the video might still be
> processing on YouTube but it will become available shortly):
>
> https://www.youtube.com/watch?v=XIyxW4qT0UM
>
> If you have any questions, then please do not hesitate to ask.
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift