[refpolicy] run/build-time sanity checks
russell at coker.com.au
Wed Mar 9 19:14:38 CST 2011
On Thu, 10 Mar 2011, Guido Trentalancia <guido at trentalancia.com> wrote:
> > The main problem I've found in transitions not working is binaries
> > getting renamed, which "make check" can never find.
> But do you mean application or daemon binaries? That would be
> classified as a labeling problem.
Yes, a labeling problem that is very common.
> There are infinite degrees of freedom with the naming of executables
> (not necessarily "binaries"). I suppose that the reference policy targets
> a reference system.
No, the reference policy targets Fedora, RHEL, Debian, Gentoo, and any other
distribution that has people sending patches!
> And the reference system is an upstream system.
Where "upstream" is defined to mean any of the major distributions of Linux,
> upstream systems should have no degrees of freedom on the naming of
No, they have heaps of freedom. Red Hat decides to have a program named
"httpd" for legal reasons, Debian names the same program "apache", and then
renames it to "apache2" for some reason. We just have to deal with this
> Even if the reference system did not exactly coincide with
> an upstream system, the reference system would still be unique by
> definition (I don't know exactly, maybe it's a system being run at
I think that Tresys mostly works with Red Hat based systems; they do work on
RHEL servers, Fedora, and they probably have some Rawhide (Red Hat bleeding
edge) systems in there too. Some of the Tresys employees are Gentoo people, so
they probably have some Gentoo systems.
> > The next issue is application misconfiguration, such as an xdm program
> > not having the correct PAM configuration, again it's not something that
> > you can check through policy.
> That's not a problem with refpolicy I think. That's a local
> misconfiguration (or even intentional).
True, but we want to find and fix as many problems as possible.
> > Rebooting a VM is no big deal at all. It's something that can be done by
> > a cron job.
> > Also I'd like to automate the process of an X login and running some
> > applications in KDE and GNOME sessions. Any suggestions of how to do
> > this would be appreciated.
> Through xdmcp and/or x11 ports? But I suppose a bit of compiled code
> (ideally C) would be required here. The applications could then be
> started automatically through the session manager (e.g. gnome-session
> configuration)? Then after a few seconds the main script checks that
> everything is running in the proper context. Finally it kills everything
> and creates the report (or iterates for other configurations).
There are a variety of test frameworks for X11 available; the above is the
first Google hit. I'm not sure whether it's what I will eventually use, but I
have done some Perl programming and I have many friends who are Perl experts
who can help me, so it seems like a good possibility.
What I want to do is test clicking on a URL from kmail to launch a web
browser, saving a file from the web page (e.g. a PDF) to disk and then viewing
it, changing the web browser program (from Konqueror to Iceweasel and then
Chrome) and testing the process with all of them. Then do the same things
with Jabber clients and other things.
Also for this I want to have test servers set up.
I'd like to run up all common ISP services on a test machine and then connect
to them from the common clients (at least two for every common protocol) and
make sure that it all works.
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
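The "check that everything is running in the proper context" step sketched in the quoted message, written out as an added example that is not part of the original thread or of refpolicy. It parses `ps -eZ`-style output and reports every process whose executable name is in a table of expected domains but which is running in a different domain; the sample `ps` lines and the executable-to-domain table are constructed for this example, and the apache/apache2 aliases stand in for the renaming problem the message describes (the same program shipped under different names by different distributions, so each name must be covered by a file context or the transition silently fails).

```python
import re
import subprocess

# Expected SELinux domain per executable name. Constructed for this
# example: the httpd/apache/apache2 entries all map to one domain because
# the thread points out that distributions rename the same daemon, and a
# name missing from the file contexts leaves it running unconfined or in
# the parent's domain instead of transitioning.
EXPECTED_DOMAINS = {
    "httpd": "httpd_t",
    "apache": "httpd_t",
    "apache2": "httpd_t",
    "xdm": "xdm_t",
    "gdm": "xdm_t",
}

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD).
# The xdm line is deliberately wrong: it stayed in initrc_t, which is
# what a missing or mislabelled binary looks like in practice.
SAMPLE_PS_OUTPUT = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:httpd_t:s0     1234 ?        00:00:00 apache2
system_u:system_r:initrc_t:s0    1300 ?        00:00:00 xdm
unconfined_u:unconfined_r:unconfined_t:s0 2001 ? 00:00:00 kmail
"""

# label, pid, tty, time, cmd; the header line has "PID" and does not match.
LINE_RE = re.compile(r"^(?P<label>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<cmd>\S+)")


def parse_ps(text):
    """Yield (pid, domain, cmd) for each process line, skipping the header."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # A context is user:role:type[:level]; the type is the domain.
        domain = m.group("label").split(":")[2]
        yield int(m.group("pid")), domain, m.group("cmd")


def find_mismatches(ps_text, expected=EXPECTED_DOMAINS):
    """Return [(pid, cmd, actual_domain, expected_domain)] for every
    process whose executable name is in `expected` but whose domain is not
    the expected one. Names not in the table are ignored."""
    problems = []
    for pid, domain, cmd in parse_ps(ps_text):
        want = expected.get(cmd)
        if want is not None and domain != want:
            problems.append((pid, cmd, domain, want))
    return problems


def check_live_system():
    """Run the same check against the real `ps -eZ` output (needs SELinux)."""
    out = subprocess.run(["ps", "-eZ"], capture_output=True, text=True,
                         check=True).stdout
    return find_mismatches(out)


if __name__ == "__main__":
    for pid, cmd, got, want in find_mismatches(SAMPLE_PS_OUTPUT):
        print(f"PID {pid} {cmd}: running in {got}, expected {want}")
```

On the sample input only the xdm process is reported; in a VM test run the table would be filled from the policy's file contexts and `check_live_system()` called a few seconds after the session manager has started the applications, with a non-empty result failing the test.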