Message ID | 20240320063218.449072-1-pvorel@suse.cz
---|---
State | Superseded
Series | [1/2] lib: Add tst_selinux_enforcing()
Hi Petr,

On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:
> Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
>

This patch is doing the same work as security_getenforce() which is provided by 'selinux/selinux.h', but it is still worth having it because we do not want ltp to have many extra dependencies (e.g. libselinux-devel).

Reviewed-by: Li Wang <liwang@redhat.com>

> ---
> Hi,
>
> @Li, Cyril:
> 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> If not, this commit would be dropped and second commit would just use
>
> const int exp_errs[] = {tc->expected_errno, EACCES};
>
> TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> tc->mark.flags,
> tc->mask.flags, dirfd, path),
> exp_errs);
>
> 2) Some time ago I proposed to merge some lib/*.c files, not
> just have so many files with single functions in the library. E.g.
> lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> into lib/tst_security.c. Or do we want to have these separate?
>

I think the answer is Yes. There are more and more lib/*.c files with some trivial features, which bring troubles for reading/managing the library. It is necessary to archive and merge the same thing.

>
> When I proposed this, I wanted to merge files, which have the same name
> as the single function in the file (e.g. tst_dir_is_empty.c,
> tst_path_has_mnt_flags.c), having them as single file does not help much
> with searching for the content.
>

+1

And the most important is we need to give a good name for the achieved header file.
Hi Li, all,

> Hi Petr,

> On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:
> > Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> > Signed-off-by: Petr Vorel <pvorel@suse.cz>

> This patch is doing the same work as security_getenforce() which is provided
> by 'selinux/selinux.h', but it is still worth having it because we do not
> want ltp
> to have many extra dependencies (e.g. libselinux-devel).

+1

> Reviewed-by: Li Wang <liwang@redhat.com>

Thanks!

> > ---
> > Hi,

> > @Li, Cyril:
> > 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> > If not, this commit would be dropped and second commit would just use

> > const int exp_errs[] = {tc->expected_errno, EACCES};

> > TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> > tc->mark.flags,
> > tc->mask.flags, dirfd, path),
> > exp_errs);

> > 2) Some time ago I proposed to merge some lib/*.c files, not
> > just have so many files with single functions in the library. E.g.
> > lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> > into lib/tst_security.c. Or do we want to have these separate?

> I think the answer is Yes. There are more and more lib/*.c files with

I read "Yes" as to keep lib/tst_selinux.c, lib/tst_lockdown.c as separate.
I'm not sure myself (quite separate things, although they are all "security");
what bothers me more are these tst_dir_is_empty.c, tst_path_has_mnt_flags.c files.

> some trivial features, which bring troubles for reading/managing the
> library. It is necessary to archive and merge the same thing.

> > When I proposed this, I wanted to merge files, which have the same name
> > as the single function in the file (e.g. tst_dir_is_empty.c,
> > tst_path_has_mnt_flags.c), having them as single file does not help much
> > with searching for the content.

> +1

> And the most important is we need to give a good name for the
> achieved header file.

+1

Kind regards,
Petr
On Wed, Mar 20, 2024 at 3:56 PM Petr Vorel <pvorel@suse.cz> wrote:
> Hi Li, all,
>
> > Hi Petr,
>
> > On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:
> > > Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> > > Signed-off-by: Petr Vorel <pvorel@suse.cz>
>
> > This patch is doing the same work as security_getenforce() which is provided
> > by 'selinux/selinux.h', but it is still worth having it because we do not
> > want ltp
> > to have many extra dependencies (e.g. libselinux-devel).
>
> +1
>
> > Reviewed-by: Li Wang <liwang@redhat.com>
>
> Thanks!
>
> > > ---
> > > Hi,
>
> > > @Li, Cyril:
> > > 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> > > If not, this commit would be dropped and second commit would just use
>
> > > const int exp_errs[] = {tc->expected_errno, EACCES};
>
> > > TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> > > tc->mark.flags,
> > > tc->mask.flags, dirfd, path),
> > > exp_errs);
>
> > > 2) Some time ago I proposed to merge some lib/*.c files, not
> > > just have so many files with single functions in the library. E.g.
> > > lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> > > into lib/tst_security.c. Or do we want to have these separate?
>
> > I think the answer is Yes. There are more and more lib/*.c files with
>
> I read "Yes" as to keep lib/tst_selinux.c, lib/tst_lockdown.c as separate.
>

Ohh, sorry, I didn't mean that. More separate (boring!!!) files should be avoided.

I think I should step away from the keyboard now, watching too much screen time makes me foolish :).
> On Wed, Mar 20, 2024 at 3:56 PM Petr Vorel <pvorel@suse.cz> wrote:
> > Hi Li, all,

> > > Hi Petr,

> > > On Wed, Mar 20, 2024 at 2:32 PM Petr Vorel <pvorel@suse.cz> wrote:
> > > > Co-developed-by: Mete Durlu <meted@linux.ibm.com>
> > > > Signed-off-by: Petr Vorel <pvorel@suse.cz>

> > > This patch is doing the same work as security_getenforce() which is provided
> > > by 'selinux/selinux.h', but it is still worth having it because we do not
> > > want ltp
> > > to have many extra dependencies (e.g. libselinux-devel).

> > +1

> > > Reviewed-by: Li Wang <liwang@redhat.com>

> > Thanks!

> > > > ---
> > > > Hi,

> > > > @Li, Cyril:
> > > > 1) I guess we want to distinguish EACCES for SELinux enforcing, right?
> > > > If not, this commit would be dropped and second commit would just use

> > > > const int exp_errs[] = {tc->expected_errno, EACCES};

> > > > TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD |
> > > > tc->mark.flags,
> > > > tc->mask.flags, dirfd, path),
> > > > exp_errs);

> > > > 2) Some time ago I proposed to merge some lib/*.c files, not
> > > > just have so many files with single functions in the library. E.g.
> > > > lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
> > > > into lib/tst_security.c. Or do we want to have these separate?

> > > I think the answer is Yes. There are more and more lib/*.c files with

> > I read "Yes" as to keep lib/tst_selinux.c, lib/tst_lockdown.c as separate.

> Ohh, sorry, I didn't mean that. More separate (boring!!!) files should be
> avoided.

Thanks for the info. I'll send another version, which merges these two files.
I guess we could merge it soon.

Kind regards,
Petr

> I think I should step away from the keyboard now, watching too much screen
> time makes me foolish :).
diff --git a/include/tst_selinux.h b/include/tst_selinux.h new file mode 100644 index 000000000..18bbcff21 --- /dev/null +++ b/include/tst_selinux.h @@ -0,0 +1,10 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later + * Copyright (c) Linux Test Project, 2024 + */ + +#ifndef TST_SELINUX_H__ +#define TST_SELINUX_H__ + +int tst_selinux_enforcing(void); + +#endif /* TST_SELINUX_H__ */ diff --git a/lib/tst_selinux.c b/lib/tst_selinux.c new file mode 100644 index 000000000..2219b85d4 --- /dev/null +++ b/lib/tst_selinux.c @@ -0,0 +1,25 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (c) Linux Test Project, 2024 + */ + +#define TST_NO_DEFAULT_MAIN + +#define SELINUX_STATUS_PATH "/sys/fs/selinux/enforce" + +#include <fcntl.h> +#include <stdlib.h> +#include "tst_test.h" +#include "tst_selinux.h" + +int tst_selinux_enforcing(void) +{ + int res = 0; + + if (access(SELINUX_STATUS_PATH, F_OK) == 0) + SAFE_FILE_SCANF(SELINUX_STATUS_PATH, "%d", &res); + + tst_res(TINFO, "SELinux enforcing: %s", res ? "on" : "off"); + + return res; +}
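Review bot: the include/tst_selinux.h hunk declares tst_selinux_enforcing() with no comment on its contract, and the commit message below carries only the tags and the cover discussion. State that the function returns 1 when /sys/fs/selinux/enforce reads 1 and 0 otherwise, including when the file does not exist, so a caller choosing between tc->expected_errno and EACCES knows that "not enforcing" also covers "SELinux not available or selinuxfs not mounted at that path".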
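Review bot: in the lib/tst_selinux.c hunk, the access(SELINUX_STATUS_PATH, F_OK) guard only checks existence, so if the file is present but unreadable SAFE_FILE_SCANF() will TBROK the test rather than report "off"; that is probably the intended behaviour for a root-run test, but the commit message should say so. access() and F_OK are declared by <unistd.h>, which tst_test.h may pull in, while the <fcntl.h> and <stdlib.h> includes added here are not used by the function; drop them or include <unistd.h> explicitly. Minor: the tst_res(TINFO, ...) line fires on every call, so a test that consults the helper per test case will repeat it; caching the result or leaving the logging to the caller would keep the output quieter.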
Co-developed-by: Mete Durlu <meted@linux.ibm.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
Hi,

@Li, Cyril:
1) I guess we want to distinguish EACCES for SELinux enforcing, right?
If not, this commit would be dropped and second commit would just use

const int exp_errs[] = {tc->expected_errno, EACCES};

TST_EXP_FAIL_ARR(fanotify_mark(fanotify_fd, FAN_MARK_ADD | tc->mark.flags,
		 tc->mask.flags, dirfd, path), exp_errs);

2) Some time ago I proposed to merge some lib/*.c files, not
just have so many files with single functions in the library. E.g.
lib/tst_fips.c, lib/tst_selinux.c, lib/tst_lockdown.c could be merged
into lib/tst_security.c. Or do we want to have these separate?

When I proposed this, I wanted to merge files, which have the same name
as the single function in the file (e.g. tst_dir_is_empty.c,
tst_path_has_mnt_flags.c), having them as single file does not help much
with searching for the content.

Kind regards,
Petr

 include/tst_selinux.h | 10 ++++++++++
 lib/tst_selinux.c     | 25 +++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 include/tst_selinux.h
 create mode 100644 lib/tst_selinux.c
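As an added illustration of point 1 above (not code from the patch or from LTP), a stand-alone reader of the enforce status with the errno selection it feeds, plus the unreadable-file case that an existence check alone does not distinguish. selinux_enforcing_at(), expected_errnos() and probe_constructed_status() are hypothetical names, and the scratch path and status values are constructed sample data.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-alone counterpart of tst_selinux_enforcing(); the path
 * is a parameter so it can run on a constructed file. Returns 1 only when
 * the file reads as "1", 0 otherwise (absent, unreadable or garbage). */
int selinux_enforcing_at(const char *path)
{
	FILE *f = fopen(path, "r");
	int val;
	if (!f) {
		/* ENOENT: no selinuxfs. EACCES: present but unreadable, which an
		 * access(path, F_OK) existence check alone cannot tell apart. */
		fprintf(stderr, "%s: %s, treating as not enforcing\n",
			path, strerror(errno));
		return 0;
	}
	if (fscanf(f, "%d", &val) != 1)
		val = 0;	/* unexpected content: assume permissive */
	fclose(f);
	return val == 1;
}

/* Errnos a denied fanotify_mark() may return (the second patch's case):
 * the test's own errno, plus EACCES when enforcing. Fills out[], returns count. */
int expected_errnos(int tc_errno, int enforcing, int out[2])
{
	int n = 0;
	out[n++] = tc_errno;
	if (enforcing && tc_errno != EACCES)
		out[n++] = EACCES;
	return n;
}

/* Evaluate a constructed status value written to a scratch file
 * (sample data, not a real /sys/fs/selinux/enforce). */
int probe_constructed_status(const char *content)
{
	const char *path = "/tmp/selinux_enforce_example.txt";
	FILE *f = fopen(path, "w");
	int res;
	if (!f)
		return -1;
	fputs(content, f);
	fclose(f);
	res = selinux_enforcing_at(path);
	remove(path);
	return res;
}
```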