From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 25 Aug 2016 18:51:00 -0400 Subject: [refpolicy] Testing in the Reference Policy In-Reply-To: References: <9e6f676d-edd4-e33c-a861-9334adfea081@gmail.com> <9b6be580-6efd-fa8f-daa8-94e371cc4bf3@ieee.org> <500fc9cb-11ee-18b9-c049-4587ba29633a@ieee.org> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/25/16 18:48, Naftuli Tzvi Kay wrote: > I'm hoping to have as few scripts as possible. Is there a preference > here? I could use Ansible, but if shell scripts are the most portable > thing with the least dependencies, I can do that. I'd prefer shell scripts, because it doesn't incur even more dependencies, but if they get too ugly, I'd be willing to entertain something like an ansible playbook. > On Thu, Aug 25, 2016 at 3:39 PM, Chris PeBenito > wrote: > > On 08/24/16 18:14, Naftuli Tzvi Kay wrote: > > I was thinking of making a Vagrant environment where users can test > their applications on a system running the currently checked out > master > of refpolicy. This will make it easier for me to update my > policy for > Syncthing for instance. > > In short, an environment to: > 1. compile the reference policy > 2. install it in the running kernel > 3. install applications and do integration tests of the policy > against > actual running binaries when developing new policies for > applications > > > Will you be including configuration/scripts for provisioning too? > How would the provisioning be done? Shell scripts? > > > > On Wed, Aug 24, 2016 at 3:12 PM, Chris PeBenito > > >> wrote: > > On 08/23/16 23:35, Naftuli Tzvi Kay via refpolicy wrote: > > Don't worry, I'm not giving up :) It might just take a while > before I > have something working. > > Would the reference policy ever be interested in having > a Vagrant VM > setup for testing policy rules and everything? I'd be > happy to > contribute that back upstream. > > > What kind of testing did you have in mind? Just a > compile/link test > or something more? If it's just compile/link then the CI > tests are > sufficient. > > > On Tue, Aug 23, 2016 at 2:36 AM, Dominick Grift > > > > >>> > > wrote: > > On 08/22/2016 07:52 PM, Naftuli Tzvi Kay via > refpolicy wrote: > > I'm currently working on a reference policy > addition to > restrict access for > > a given application. Up until now, I've been > testing my > application on a > > Fedora 24 Vagrant VM, compiling a non-base module and > loading it into the > > kernel, running, testing, auditing, etc. > > > > What I found is that I ended up using a lot of RedHat > specific downstream > > macros, which aren't supported here upstream. > > > > Is there a recommended way of testing reference policy > code? How can I > > alter my Fedora Vagrant VM setup to cover the use > case I'm > after? Should I > > just compile the reference policy in my VM, > relabel the > filesystem, and > > then reboot and load the reference policy into the > kernel? > > > > My host OS is running Ubuntu 14.04, so it's not very > useful for debugging > > SELinux things; I once tried getting SELinux > running on my > desktop > > > > > > > > >>>, but X > wouldn't > > start, etc. and I imagine the policy is pretty out > of date. > > > > How can I create an environment in which I can test my > policy against the > > program I'm aiming to constrain? (Syncthing) > > > > > > I spent the morning recording the full procedure of > developing for > refpolicy on fedora. > > I start with installing refpolicy, enabling it. then it > write a simple > module on top of the installation. This is what one > would do > when one > wants to write a module atop of refpolicy. > > I encourage you to not give up and take this final > step. You > are very > close, and your module so far is pretty good. > > Learning how to do what is in the video is the final > piece > in the puzzle > i think. > > The video might be long but its comprehensive (the video > might still be > processing on youtube but it will become available > shortly: > > https://www.youtube.com/watch?v=XIyxW4qT0UM > > > > > >> > > If you have any questions, then please do not > hesitate to ask > > > > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > > > > >> > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > > > >> > > > > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 > 3B6C 5F1D > 2C7B 6B02 > > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > > > > > > > > > >> > Dominick Grift > > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > > > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > > > > > -- > Chris PeBenito > > > > > -- > Chris PeBenito > > -- Chris PeBenito