SELinux userspace 3.5 release

Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -105,3 +105,17 @@ checkpolicy-2.0.22.tgz
 /checkpolicy-3.0-rc1.tar.gz
 /checkpolicy-3.0.tar.gz
 /checkpolicy-3.1.tar.gz
+/checkpolicy-3.2-rc1.tar.gz
+/checkpolicy-3.2-rc2.tar.gz
+/checkpolicy-3.2.tar.gz
+/checkpolicy-3.3-rc2.tar.gz
+/checkpolicy-3.3-rc3.tar.gz
+/checkpolicy-3.3.tar.gz
+/checkpolicy-3.4-rc1.tar.gz
+/checkpolicy-3.4-rc2.tar.gz
+/checkpolicy-3.4-rc3.tar.gz
+/checkpolicy-3.4.tar.gz
+/checkpolicy-3.5-rc1.tar.gz
+/checkpolicy-3.5-rc2.tar.gz
+/checkpolicy-3.5-rc3.tar.gz
+/checkpolicy-3.5.tar.gz

0001-libsepol-checkpolicy-optimize-storage-of-filename-tr.patch

@@ -1,129 +0,0 @@
-From 42ae834a7428c57f7b2a9f448adf4cf991fa3487 Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Fri, 31 Jul 2020 13:10:34 +0200
-Subject: [PATCH] libsepol,checkpolicy: optimize storage of filename
- transitions
-
-In preparation to support a new policy format with a more optimal
-representation of filename transition rules, this patch applies an
-equivalent change from kernel commit c3a276111ea2 ("selinux: optimize
-storage of filename transitions").
-
-See the kernel commit's description [1] for the rationale behind this
-representation. This change doesn't bring any measurable difference of
-policy build performance (semodule -B) on Fedora.
-
-[1] https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=c3a276111ea2572399281988b3129683e2a6b60b
-
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- checkpolicy/policy_define.c | 49 ++++++++++---------------------------
- checkpolicy/test/dispol.c   | 20 ++++++++++-----
- 2 files changed, 27 insertions(+), 42 deletions(-)
-
-diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
-index c6733fa469c5..395f62284e3c 100644
---- a/checkpolicy/policy_define.c
-+++ b/checkpolicy/policy_define.c
-@@ -3303,8 +3303,6 @@ int define_filename_trans(void)
- 	ebitmap_t e_stypes, e_ttypes;
- 	ebitmap_t e_tclasses;
- 	ebitmap_node_t *snode, *tnode, *cnode;
--	filename_trans_t *ft;
--	filename_trans_datum_t *ftdatum;
- 	filename_trans_rule_t *ftr;
- 	type_datum_t *typdatum;
- 	uint32_t otype;
-@@ -3388,40 +3386,19 @@ int define_filename_trans(void)
- 	ebitmap_for_each_positive_bit(&e_tclasses, cnode, c) {
- 		ebitmap_for_each_positive_bit(&e_stypes, snode, s) {
- 			ebitmap_for_each_positive_bit(&e_ttypes, tnode, t) {
--				ft = calloc(1, sizeof(*ft));
--				if (!ft) {
--					yyerror("out of memory");
--					goto bad;
--				}
--				ft->stype = s+1;
--				ft->ttype = t+1;
--				ft->tclass = c+1;
--				ft->name = strdup(name);
--				if (!ft->name) {
--					yyerror("out of memory");
--					goto bad;
--				}
--
--				ftdatum = hashtab_search(policydbp->filename_trans,
--							 (hashtab_key_t)ft);
--				if (ftdatum) {
--					yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s",
--						 name,
--						 policydbp->p_type_val_to_name[s],
--						 policydbp->p_type_val_to_name[t],
--						 policydbp->p_class_val_to_name[c]);
--					goto bad;
--				}
--
--				ftdatum = calloc(1, sizeof(*ftdatum));
--				if (!ftdatum) {
--					yyerror("out of memory");
--					goto bad;
--				}
--				rc = hashtab_insert(policydbp->filename_trans,
--						    (hashtab_key_t)ft,
--						    ftdatum);
--				if (rc) {
-+				rc = policydb_filetrans_insert(
-+					policydbp, s+1, t+1, c+1, name,
-+					NULL, otype, NULL
-+				);
-+				if (rc != SEPOL_OK) {
-+					if (rc == SEPOL_EEXIST) {
-+						yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s",
-+							name,
-+							policydbp->p_type_val_to_name[s],
-+							policydbp->p_type_val_to_name[t],
-+							policydbp->p_class_val_to_name[c]);
-+						goto bad;
-+					}
- 					yyerror("out of memory");
- 					goto bad;
- 				}
-diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
-index d72d9fb331cf..8785b7252824 100644
---- a/checkpolicy/test/dispol.c
-+++ b/checkpolicy/test/dispol.c
-@@ -335,17 +335,25 @@ static int filenametr_display(hashtab_key_t key,
- 			      hashtab_datum_t datum,
- 			      void *ptr)
- {
--	struct filename_trans *ft = (struct filename_trans *)key;
-+	struct filename_trans_key *ft = (struct filename_trans_key *)key;
- 	struct filename_trans_datum *ftdatum = datum;
- 	struct filenametr_display_args *args = ptr;
- 	policydb_t *p = args->p;
- 	FILE *fp = args->fp;
-+	ebitmap_node_t *node;
-+	uint32_t bit;
-+
-+	do {
-+		ebitmap_for_each_positive_bit(&ftdatum->stypes, node, bit) {
-+			display_id(p, fp, SYM_TYPES, bit, "");
-+			display_id(p, fp, SYM_TYPES, ft->ttype - 1, "");
-+			display_id(p, fp, SYM_CLASSES, ft->tclass - 1, ":");
-+			display_id(p, fp, SYM_TYPES, ftdatum->otype - 1, "");
-+			fprintf(fp, " %s\n", ft->name);
-+		}
-+		ftdatum = ftdatum->next;
-+	} while (ftdatum);
- 
--	display_id(p, fp, SYM_TYPES, ft->stype - 1, "");
--	display_id(p, fp, SYM_TYPES, ft->ttype - 1, "");
--	display_id(p, fp, SYM_CLASSES, ft->tclass - 1, ":");
--	display_id(p, fp, SYM_TYPES, ftdatum->otype - 1, "");
--	fprintf(fp, " %s\n", ft->name);
- 	return 0;
- }
- 
--- 
-2.29.0
-

0002-libsepol-cil-fix-signed-overflow-caused-by-using-1-3.patch

@@ -1,90 +0,0 @@
-From 521e6a2f478a4c7a7c198c017d4d12e8667d89e7 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Sat, 3 Oct 2020 15:19:08 +0200
-Subject: [PATCH] libsepol/cil: fix signed overflow caused by using (1 << 31) -
- 1
-
-When compiling SELinux userspace tools with -ftrapv (this option
-generates traps for signed overflow on addition, subtraction,
-multiplication operations, instead of silently wrapping around),
-semodule crashes when running the tests from
-scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:
-
-    [root@localhost selinux-testsuite]# make test
-    make -C policy load
-    make[1]: Entering directory '/root/selinux-testsuite/policy'
-    # Test for "expand-check = 0" in /etc/selinux/semanage.conf
-    # General policy build
-    make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
-    Compiling targeted test_policy module
-    Creating targeted test_policy.pp policy package
-    rm tmp/test_policy.mod.fc
-    make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
-    # General policy load
-    domain_fd_use --> off
-    /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
-    make[1]: *** [Makefile:174: load] Aborted (core dumped)
-
-Using "coredumpctl gdb" leads to the following strack trace:
-
-    (gdb) bt
-    #0  0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
-    #1  0x00007f608fe38895 in abort () from /lib64/libc.so.6
-    #2  0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
-    #3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
-        at ../cil/src/cil_binary.c:1551
-    #4  0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
-        at ../cil/src/cil_binary.c:1596
-    #5  0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
-        args=0x239a640) at ../cil/src/cil_binary.c:1649
-    #6  0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
-        args=0x239a640) at hashtab.c:234
-    #7  0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
-        at ../cil/src/cil_binary.c:4969
-    #8  0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
-    #9  0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
-        at ../cil/src/cil.c:631
-    #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
-    #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
-    #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
-
-    (gdb) f 3
-    #3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
-        at ../cil/src/cil_binary.c:1551
-    1551     xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
-
-A signed integer overflow therefore occurs in XPERM_SETBITS(h):
-
-    #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
-
-This macro is expanded with h=31, so "(1 << 31) - 1" is computed:
-
-* (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
-* (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and
-  results in 0x7fffffff (which is unsigned)
-
-Using unsigned integers (with "1U") fixes the crash, as
-(1U << 31) = 0x80000000U has no overflowing issues.
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
-Acked-by: Petr Lautrbach <plautrba@redhat.com>
----
- checkpolicy/policy_define.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
-index 395f62284e3c..bf6c3e68bef3 100644
---- a/checkpolicy/policy_define.c
-+++ b/checkpolicy/policy_define.c
-@@ -2147,7 +2147,7 @@ out:
- /* index of the u32 containing the permission */
- #define XPERM_IDX(x) (x >> 5)
- /* set bits 0 through x-1 within the u32 */
--#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
-+#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
- /* low value for this u32 */
- #define XPERM_LOW(x) (x << 5)
- /* high value for this u32 */
--- 
-2.29.0
-

checkpolicy.spec

@@ -1,21 +1,20 @@
-%define libselinuxver 3.1-4
-%define libsepolver 3.1-4
+%define libselinuxver 3.5-1
+%define libsepolver 3.5-1
 
 Summary: SELinux policy compiler
 Name: checkpolicy
-Version: 3.1
-Release: 4%{?dist}
-License: GPLv2
-Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/checkpolicy-3.1.tar.gz
+Version: 3.5
+Release: 1%{?dist}
+License: GPL-2.0-or-later AND LGPL-2.1-or-later
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5/checkpolicy-3.5.tar.gz
 # $ git clone https://github.com/fedora-selinux/selinux.git
 # $ cd selinux
-# $ git format-patch -N checkpolicy-3.1 -- checkpolicy
+# $ git format-patch -N 3.5 -- checkpolicy
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
-Patch0001: 0001-libsepol-checkpolicy-optimize-storage-of-filename-tr.patch
-Patch0002: 0002-libsepol-cil-fix-signed-overflow-caused-by-using-1-3.patch
 # Patch list end
 BuildRequires: gcc
+BuildRequires: make
 BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel  >= %{libselinuxver} 
 
 %description
@@ -51,7 +50,7 @@ install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
 
 %files
 %{!?_licensedir:%global license %%doc}
-%license COPYING
+%license LICENSE
 %{_bindir}/checkpolicy
 %{_bindir}/checkmodule
 %{_mandir}/man8/checkpolicy.8.gz
@@ -62,6 +61,72 @@ install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
 %{_bindir}/sedispol
 
 %changelog
+* Fri Feb 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
+- SELinux userspace 3.5 release
+
+* Tue Feb 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1
+- SELinux userspace 3.5-rc3 release
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-0.rc2.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Mon Jan 16 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
+- SELinux userspace 3.5-rc2 release
+
+* Tue Dec 27 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
+- SELinux userspace 3.5-rc1 release
+
+* Mon Nov 21 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.4-4
+- Rebase on upstream f56a72ac9e86
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed May 25 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-2
+- rebuilt
+
+* Thu May 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-1
+- SELinux userspace 3.4 release
+
+* Tue May 10 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc3.1
+- SELinux userspace 3.4-rc3 release
+
+* Fri Apr 22 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc2.1
+- SELinux userspace 3.4-rc2 release
+
+* Wed Apr 13 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc1.1
+- SELinux userspace 3.4-rc1 release
+
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
+- SELinux userspace 3.3 release
+
+* Mon Oct 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
+- SELinux userspace 3.3-rc3 release
+
+* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
+- SELinux userspace 3.3-rc2 release
+
+* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3
+- Rebase on upstream commit 32611aea6543
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Mar  8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
+- SELinux userspace 3.2 release
+
+* Fri Feb  5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
+- SELinux userspace 3.2-rc2 release
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Jan 21 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
+- SELinux userspace 3.2-rc1 release
+
 * Sun Nov  1 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
 - Fix signed overflow caused by using (1 << 31) - 1
 - Optimize storage of filename transitions

plans/selinux.fmf

@@ -0,0 +1,7 @@
+summary: selinux tests - Tier 1 | checkpolicy
+discover:
+    how: fmf
+    url: https://src.fedoraproject.org/tests/selinux
+    filter: "tier:1 | component:checkpolicy"
+execute:
+    how: tmt

sources

@@ -1 +1 @@
-SHA512 (checkpolicy-3.1.tar.gz) = 2276a5a0919286049d2ceba386ef5f6de523745b588bb81cb4fed5eced5fd0b8070249b7a3ae5a85e2abb9369a86318f727d4073aad14ab75c43750a46069168
+SHA512 (checkpolicy-3.5.tar.gz) = fcd490d865af3b4350c32c5dd9916f8406219841e1e255d8945c6dcc958535247aa27af5597a6988e19f11faea7beeabcb46e8ba2431112bb4aa5c7697bca529

tests/checkmodule/Makefile

@@ -1,67 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/checkpolicy/Sanity/checkmodule
-#   Description: runs checkmodule with various options to find out if it behaves correctly
-#   Author: Milos Malik <mmalik@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2009 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/checkpolicy/Sanity/checkmodule
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE mypolicy.te
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     runs checkmodule with various options to find out if it behaves correctly" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          checkpolicy" >> $(METADATA)
-	@echo "Requires:        checkpolicy" >> $(METADATA)
-	@echo "Requires:        man" >> $(METADATA)
-	@echo "Requires:        grep" >> $(METADATA)
-	@echo "Requires:        mktemp" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4" >> $(METADATA)
-
-	rhts-lint $(METADATA)
-

tests/checkmodule/PURPOSE

@@ -1,5 +0,0 @@
-PURPOSE of /CoreOS/checkpolicy/Sanity/checkmodule
-Author: Milos Malik <mmalik@redhat.com>
-
-This TC runs checkmodule with various options to find out if it behaves correctly.
-

tests/checkmodule/mypolicy.te

@@ -1,9 +0,0 @@
-module mypolicy 1.0;
-require {
-        type httpd_log_t;
-        type postfix_postdrop_t;
-        class dir getattr;
-        class file { read getattr };
-}
-allow postfix_postdrop_t httpd_log_t:file getattr; 
-

tests/checkmodule/runtest.sh

@@ -1,101 +0,0 @@
-#!/bin/bash
-# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of /CoreOS/checkpolicy/Sanity/checkmodule
-#   Description: runs checkmodule with various options to find out if it behaves correctly
-#   Author: Milos Malik <mmalik@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2009 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include rhts environment
-. /usr/bin/rhts-environment.sh
-. /usr/share/beakerlib/beakerlib.sh
-
-PACKAGE="checkpolicy"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm ${PACKAGE}
-        TEST_FILE=`mktemp`
-        TEST_DIR=`mktemp -d`
-        rlRun "rpm -ql ${PACKAGE} | grep bin/checkmodule"
-    rlPhaseEnd
-
-    rlPhaseStartTest
-        rlRun "checkmodule >& ${TEST_FILE}" 1
-        rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE}
-        rlRun "checkmodule -b >& ${TEST_FILE}" 1
-        rlAssertGrep "loading policy configuration from policy" ${TEST_FILE}
-        rlRun "checkmodule -V"
-        rlRun "checkmodule -U 1>/dev/null" 1
-        rlRun "rm -f policy.conf"
-        for OPTION in "deny" "reject" "allow" ; do
-            rlRun "checkmodule -U ${OPTION} >& ${TEST_FILE}" 1
-            rlAssertGrep "unable to open policy.conf" ${TEST_FILE}
-        done
-        rlRun "rm -f ${TEST_FILE}"
-        rlRun "touch ${TEST_FILE}"
-        rlRun "rm -rf ${TEST_DIR}"
-        rlRun "mkdir ${TEST_DIR}"
-        rlRun "checkmodule ${TEST_FILE}" 1,2
-        rlRun "checkmodule -b ${TEST_FILE}" 1
-        rlRun "checkmodule ${TEST_DIR}" 1,2
-        rlRun "checkmodule -b ${TEST_DIR}" 1
-        rlRun "rm -f ${TEST_FILE}"
-        rlRun "rm -rf ${TEST_DIR}"
-        rlRun "checkmodule ${TEST_FILE}" 1
-        rlRun "checkmodule -b ${TEST_FILE}" 1
-        if rlIsRHEL 5 ; then
-            rlRun "checkmodule --help 2>&1 | grep -- -d"
-        fi
-        rlRun "checkmodule --help 2>&1 | grep -- -h"
-        rlRun "checkmodule --help 2>&1 | grep -- -U"
-    rlPhaseEnd
-
-    rlPhaseStartTest
-        for POLICY_KIND in minimum mls targeted ; do
-            rlRun "checkmodule -M -m -b -o testmod.mod /etc/selinux/${POLICY_KIND}/policy/policy.* >& ${TEST_FILE}" 1
-            rlRun "grep -i \"checkmodule.*-b and -m are incompatible with each other\" ${TEST_FILE}"
-        done
-    rlPhaseEnd
-
-    rlPhaseStartTest
-        INPUT_FILE="mypolicy.te"
-        OUTPUT_FILE="mypolicy.output"
-        rlRun "ls -l ${INPUT_FILE}"
-        rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\""
-        rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing binary representation.*to ${OUTPUT_FILE}\""
-        rlRun "ls -l ${OUTPUT_FILE}"
-        if checkmodule --help | grep -q " CIL " ; then
-            rlRun "rm -f ${OUTPUT_FILE}"
-            rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\""
-            rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing CIL to ${OUTPUT_FILE}\""
-            rlRun "ls -l ${OUTPUT_FILE}"
-        fi
-    rlPhaseEnd
-
-    rlPhaseStartCleanup
-        rlRun "rm -rf ${TEST_FILE} ${TEST_DIR} ${OUTPUT_FILE}"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd
-

tests/checkpolicy-docs/Makefile

@@ -1,64 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy
-#   Description: covers an issue where manpage included an unsupported option.
-#   Author: Milos Malik <mmalik@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2009 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     covers an issue where manpage included an unsupported option." >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        1m" >> $(METADATA)
-	@echo "RunFor:          checkpolicy" >> $(METADATA)
-	@echo "Requires:        checkpolicy" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4" >> $(METADATA)
-
-	rhts-lint $(METADATA)
-

tests/checkpolicy-docs/PURPOSE

@@ -1,7 +0,0 @@
-PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy
-
-Description: covers an issue where manpage included an unsupported option.
-
-Author: Milos Malik <mmalik@redhat.com>
-
-

tests/checkpolicy-docs/runtest.sh

@@ -1,53 +0,0 @@
-#!/bin/bash
-# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy-docs
-#   Description: covers an issue where manpage included an unsupported option.
-#   Author: Milos Malik <mmalik@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2009 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include rhts environment
-. /usr/bin/rhts-environment.sh
-. /usr/share/beakerlib/beakerlib.sh
-
-PACKAGE="checkpolicy"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm ${PACKAGE}
-        rlAssertExists "/usr/share/man/man8/checkpolicy.8.gz"
-    rlPhaseEnd
-
-    rlPhaseStartTest
-        rlRun "man checkpolicy | col -b | grep -- '-m]'" 1
-        rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/.*checkmodule"
-        if rlIsRHEL 5 ; then
-            rlRun "man checkmodule | col -b | grep -- -d"
-        fi
-        rlRun "man checkmodule | col -b | grep -- -h"
-        rlRun "man checkmodule | col -b | grep -- -U"
-    rlPhaseEnd
-
-rlJournalPrintText
-rlJournalEnd
-

tests/checkpolicy/Makefile

@@ -1,64 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy
-#   Description: runs checkpolicy with various options to find out if it behaves correctly
-#   Author: Milos Malik <mmalik@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2009 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE policy.conf.from.secilc
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     runs checkpolicy with various options to find out if it behaves correctly" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          checkpolicy setools" >> $(METADATA)
-	@echo "Requires:        checkpolicy setools-console selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4" >> $(METADATA)
-
-	rhts-lint $(METADATA)
-

tests/checkpolicy/PURPOSE

@@ -1,7 +0,0 @@
-PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy
-
-Description: runs checkpolicy with various options to find out if it behaves correctly
-
-Author: Milos Malik <mmalik@redhat.com>
-
-

tests/checkpolicy/policy.conf.from.secilc

@@ -1,143 +0,0 @@
-class file
-class process
-class char
-
-sid kernel
-sid security
-sid unlabeled
-
-common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton }
-
-class file inherits file { execute_no_trans entrypoint execmod open audit_access }
-class char inherits file { foo transition }
-class process { open }
-
-sensitivity s0 alias sens0;
-sensitivity s1;
-
-dominance { s0 s1 }
-
-category c0 alias cat0;
-category c1;
-category c2;
-
-level s0:c0.c2;
-level s1:c0.c2;
-
-mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2)));
-mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2));
-mlsconstrain file { open } (l1 dom h2);
-mlsconstrain file { open } (h1 domby l2);
-mlsconstrain file { open } (l1 incomp l2);
-
-mlsvalidatetrans file (h1 domby l2);
-
-attribute foo_type;
-attribute bar_type;
-attribute baz_type;
-attribute exec_type;
-
-type bin_t, bar_type, exec_type;
-type kernel_t, foo_type, exec_type, baz_type;
-type security_t, baz_type;
-type unlabeled_t, baz_type;
-
-type exec_t, baz_type;
-type console_t, baz_type;
-type auditadm_t, baz_type;
-type console_device_t, baz_type;
-type user_tty_device_t, baz_type;
-type device_t, baz_type;
-type getty_t, baz_type;
-type a_t, baz_type;
-type b_t, baz_type;
-
-typealias bin_t alias sbin_t;
-
-bool secure_mode false;
-bool console_login true;
-bool b1 false;
-
-role system_r;
-role user_r;
-role system_r types bin_t; 
-role system_r types kernel_t; 
-role system_r types security_t; 
-role system_r types unlabeled_t; 
-
-policycap open_perms;
-permissive device_t;
-
-range_transition device_t console_t : file s0:c0 - s1:c0.c1;
-
-type_transition device_t console_t : file console_device_t;
-type_member device_t bin_t : file exec_t;
-
-if console_login{
-	type_change auditadm_t console_device_t : file user_tty_device_t;
-}
-
-role_transition system_r bin_t user_r;
-
-auditallow device_t auditadm_t: file { open };
-dontaudit device_t auditadm_t: file { read };
-
-allow system_r user_r;
-
-allow console_t console_device_t: char { write setattr };
-allow console_t console_device_t: file { open read getattr };
-allow foo_type self: file { execute };
-allow bin_t device_t: file { execute };
-allow bin_t exec_t: file { execute };
-allow bin_t bin_t: file { execute };
-allow a_t b_t : file { write };
-allow console_t console_device_t: file { read write getattr setattr lock append };
-allow kernel_t kernel_t : file { execute };
-
-if b1 {
-	allow a_t b_t : file { read };
-}
-
-if secure_mode{
-	auditallow device_t exec_t: file { read write };
-}
-
-if console_login{
-	allow getty_t console_device_t: file { getattr open read write append };
-}
-else {
-	dontaudit getty_t console_device_t: file { getattr open read write append };
-}
-
-if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){
-	allow bin_t exec_t: file { execute };
-}
-
-user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1; 
-user user_u roles user_r level s0:c0 range s0:c0 - s0:c0;
-
-validatetrans file (t1 == exec_t);
-
-constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
-constrain file { open } (r1 dom r2);
-constrain file { open }	(r1 domby r2);
-constrain file { open }	(r1 incomp r2);
-constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
-constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
-
-
-sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1
-sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1
-sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1
-
-fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1;
-
-genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1
-
-portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
-portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
-
-netifcon eth0 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
-
-nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
-nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1

tests/checkpolicy/runtest.sh

@@ -1,153 +0,0 @@
-#!/bin/bash
-# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy
-#   Description: runs checkpolicy with various options to find out if it behaves correctly
-#   Author: Milos Malik <mmalik@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2009 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include rhts environment
-. /usr/bin/rhts-environment.sh
-. /usr/share/beakerlib/beakerlib.sh
-
-PACKAGE="checkpolicy"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm ${PACKAGE}
-        rlAssertRpm selinux-policy-minimum
-        rlAssertRpm selinux-policy-mls
-        rlAssertRpm selinux-policy-targeted
-        rlRun "uname -a"
-        TEST_FILE=`mktemp`
-        TEST_DIR=`mktemp -d`
-        OUTPUT_FILE=`mktemp`
-        rlAssertExists "/usr/bin/checkpolicy"
-    rlPhaseEnd
-
-    rlPhaseStartTest "compilation from policy.conf"
-        MIN_VERSION="15"
-        MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . -f 2 | head -n 1`
-        if rlIsRHEL 5 6 ; then
-            VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}`
-        else
-            # some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23"
-            VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23`
-        fi
-        for CUR_VERSION in ${VERSIONS} ; do
-            rlRun "rm -f policy.out"
-            rlWatchdog "checkpolicy -M -c ${CUR_VERSION} -o policy.out policy.conf.from.secilc" 15
-            if [ -s policy.out ] ; then
-                rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}"
-                rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}"
-            else
-                rlRun "ls -l policy.out"
-            fi
-        done
-    rlPhaseEnd
-
-    rlPhaseStartTest
-        rlRun "checkpolicy >& ${TEST_FILE}" 1
-        rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE}
-        rlRun "checkpolicy -b >& ${TEST_FILE}" 1
-        rlAssertGrep "loading policy configuration from policy" ${TEST_FILE}
-        rlRun "checkpolicy -V"
-        rlRun "checkpolicy -U 2>&1 | grep \"option requires an argument\""
-        rlRun "checkpolicy -U xyz" 1
-        rlRun "rm -f policy.conf"
-        if ! rlIsRHEL 4 ; then
-            for OPTION in "deny" "reject" "allow" ; do
-                rlRun "checkpolicy -U ${OPTION} >& ${TEST_FILE}" 1
-                rlAssertGrep "unable to open policy.conf" ${TEST_FILE}
-            done
-        fi
-        rlRun "rm -f ${TEST_FILE}"
-        rlRun "touch ${TEST_FILE}"
-        rlRun "rm -rf ${TEST_DIR}"
-        rlRun "mkdir ${TEST_DIR}"
-        rlRun "checkpolicy ${TEST_FILE}" 1,2
-        rlRun "checkpolicy -b ${TEST_FILE}" 1
-        rlRun "checkpolicy ${TEST_DIR}" 1,2
-        rlRun "checkpolicy -b ${TEST_DIR}" 1
-        rlRun "rm -f ${TEST_FILE}"
-        rlRun "rm -rf ${TEST_DIR}"
-        rlRun "checkpolicy ${TEST_FILE}" 1
-        rlRun "checkpolicy -b ${TEST_FILE}" 1
-        rlRun "checkpolicy -c 2>&1 | grep \"option requires an argument\""
-        rlRun "checkpolicy -c 0 2>&1 | grep \"value 0 not in range\""
-        rlRun "checkpolicy -t 2>&1 | grep \"option requires an argument\""
-        rlRun "checkpolicy -t xyz 2>&1 | grep -i \"unknown target platform\""
-        rlRun "checkpolicy --help 2>&1 | grep -- '-m]'" 1
-    rlPhaseEnd
-
-    rlPhaseStartTest
-        if rlIsRHEL 5 6 ; then
-            ACTIVE_POLICY="/selinux/policy"
-        else
-            ACTIVE_POLICY="/sys/fs/selinux/policy"
-        fi
-        rlRun "echo -e 'q\n' | checkpolicy -Mdb ${ACTIVE_POLICY} | tee ${OUTPUT_FILE}"
-        rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1
-        for POLICY_TYPE in minimum mls targeted ; do
-            if [ ! -e /etc/selinux/${POLICY_TYPE}/policy/policy.* ] ; then
-                continue
-            fi
-            rlRun "echo -e 'q\n' | checkpolicy -Mdb /etc/selinux/${POLICY_TYPE}/policy/policy.* | tee ${OUTPUT_FILE}"
-            rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1
-        done
-    rlPhaseEnd
-
-    rlPhaseStartTest
-        if rlIsRHEL 5 6 ; then
-            ACTIVE_POLICY_TREE="/selinux"
-        else # RHEL-7 and above
-            ACTIVE_POLICY_TREE="/sys/fs/selinux"
-        fi
-        MIN_VERSION="15"
-        MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . -f 2 | head -n 1`
-        for POLICY_TYPE in minimum mls targeted ; do
-            if rlIsRHEL 5 6 ; then
-                VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}`
-            else
-                # some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23"
-                VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23`
-            fi
-            for CUR_VERSION in ${VERSIONS} ; do
-                rlRun "rm -f policy.out"
-                rlWatchdog "checkpolicy -b -M -c ${CUR_VERSION} -o policy.out /etc/selinux/${POLICY_TYPE}/policy/policy.${MAX_VERSION}" 15
-                if [ -s policy.out ] ; then
-                    rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}"
-                    rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}"
-                else
-                    rlRun "ls -l policy.out"
-                fi
-            done
-        done
-    rlPhaseEnd
-
-    rlPhaseStartCleanup
-        rm -f ${OUTPUT_FILE} policy.out
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd
-

tests/sedismod/Makefile

@@ -1,65 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/checkpolicy/Sanity/sedismod
-#   Description: Does sedismod work correctly ?)
-#   Author: Milos Malik <mmalik@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/checkpolicy/Sanity/sedismod
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE sedismod.exp
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-	test -x sedismod.exp || chmod a+x sedismod.exp
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     Does sedismod work correctly?" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          checkpolicy" >> $(METADATA)
-	@echo "Requires:        checkpolicy selinux-policy-targeted expect policycoreutils psmisc" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
-
-	rhts-lint $(METADATA)
-

tests/sedismod/PURPOSE

@@ -1,5 +0,0 @@
-PURPOSE of /CoreOS/checkpolicy/Sanity/sedismod
-Author: Milos Malik <mmalik@redhat.com>
-
-Does sedismod work correctly?
-

tests/sedismod/runtest.sh

@@ -1,83 +0,0 @@
-#!/bin/bash
-# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of /CoreOS/checkpolicy/Sanity/sedismod
-#   Description: Does sedismod work correctly 
-#   Author: Milos Malik <mmalik@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/bin/rhts-environment.sh || exit 1
-. /usr/share/beakerlib/beakerlib.sh || exit 1
-
-PACKAGE="checkpolicy"
-# TODO: repeat for all policy modules that are installed under /etc/selinux
-if rlIsFedora ; then
-    POLICY_FILE="`find /var/lib/selinux/targeted -type d -name base`/hll"
-elif rlIsRHEL '<7.3' ; then
-    POLICY_FILE=`find /etc/selinux/targeted -type f -name base.pp`
-else # RHEL-7.3 and above
-    POLICY_FILE="`find /etc/selinux/targeted -type d -name base`/hll"
-fi
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm ${PACKAGE}
-        OUTPUT_FILE=`mktemp`
-        if rlIsRHEL '>=7.3' || rlIsFedora ; then
-            rlRun "semodule -H -E base"
-        else
-            rlRun "cp ${POLICY_FILE} ./base.pp.bz2"
-            rlRun "rm -f base.pp"
-            rlRun "bzip2 -d ./base.pp.bz2"
-        fi
-        POLICY_FILE="base.pp"
-        rlRun "ls -l ${POLICY_FILE}"
-    rlPhaseEnd
-
-    rlPhaseStartTest "check all available options"
-        if rlIsRHEL 6 ; then
-            AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 0 a b c u"
-        else # RHEL-7 and above
-            AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 9 0 a b c u F"
-        fi
-        for OPTION in ${AVAILABLE_OPTIONS} ; do
-            rlRun "rm -f ${OUTPUT_FILE}"
-            rlWatchdog "./sedismod.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
-            # rlWatchdog kills the expect script, but we need to kill the sedismod process too
-            rlRun "killall sedismod" 0,1
-            rlRun "ls -l ${OUTPUT_FILE}"
-            if [ -s ${OUTPUT_FILE} ] ; then
-                rlPass "sedismod produced some output"
-            else
-                rlFail "sedismod did not produce any output"
-            fi
-        done
-    rlPhaseEnd
-
-    rlPhaseStartCleanup
-        rlRun "rm -f ${OUTPUT_FILE} ${POLICY_FILE}"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd
-

tests/sedismod/sedismod.exp

@@ -1,21 +0,0 @@
-#!/usr/bin/expect -f
-# ./sedismod.exp option policyfile outputfile
-set option [lrange $argv 0 0]
-set policyfile [lrange $argv 1 1]
-set outputfile [lrange $argv 2 2]
-set timeout 60
-spawn sedismod $policyfile
-expect "Command*:" {
-  send -- "f\r"
-}
-expect "Filename*:" {
-  send -- "$outputfile\r"
-}
-expect "Command*:" {
-  send -- "$option\r"
-}
-expect "Command*:" {
-  send -- "q\r"
-}
-expect eof
-

tests/sedispol/Makefile

@@ -1,65 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/checkpolicy/Sanity/sedispol
-#   Description: Does sedispol work correctly?
-#   Author: Milos Malik <mmalik@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/checkpolicy/Sanity/sedispol
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE sedispol.exp
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-	test -x sedispol.exp || chmod a+x sedispol.exp
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     Does sedispol work correctly?" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          checkpolicy" >> $(METADATA)
-	@echo "Requires:        checkpolicy selinux-policy expect" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
-
-	rhts-lint $(METADATA)
-

tests/sedispol/PURPOSE

@@ -1,5 +0,0 @@
-PURPOSE of /CoreOS/checkpolicy/Sanity/sedispol
-Author: Milos Malik <mmalik@redhat.com>
-
-Does sedispol work correctly?
-

tests/sedispol/runtest.sh

@@ -1,77 +0,0 @@
-#!/bin/bash
-# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of /CoreOS/checkpolicy/Sanity/sedispol
-#   Description: Does sedispol work correctly?
-#   Author: Milos Malik <mmalik@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/bin/rhts-environment.sh || exit 1
-. /usr/share/beakerlib/beakerlib.sh || exit 1
-
-PACKAGE="checkpolicy"
-# TODO: repeat for all policy files that are installed under /etc/selinux
-POLICY_FILE=`find /etc/selinux/targeted/policy/ -type f`
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm ${PACKAGE}
-        OUTPUT_FILE=`mktemp`
-    rlPhaseEnd
-
-    rlPhaseStartTest
-        if rlIsRHEL 6 ; then
-            AVAILABLE_OPTIONS="1 2 3 4 5 6 c p u"
-        else # RHEL-7 and above
-            AVAILABLE_OPTIONS="1 2 3 4 5 6 8 c p u F"
-        fi
-        for OPTION in ${AVAILABLE_OPTIONS} ; do
-            rlRun "rm -f ${OUTPUT_FILE}"
-            rlWatchdog "./sedispol.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
-            # rlWatchdog kills the expect script, but we need to kill the sedispol process too
-            rlRun "killall sedispol" 0,1
-            rlRun "ls -l ${OUTPUT_FILE}"
-            if [ -s ${OUTPUT_FILE} ] ; then
-                rlPass "sedispol produced some output"
-            else
-                rlFail "sedispol did not produce any output"
-            fi
-        done
-    rlPhaseEnd
-
-    rlPhaseStartTest
-        rlRun "echo q | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
-        rlRun "grep AVTAB ${OUTPUT_FILE}"
-        rlRun "grep AVTAG ${OUTPUT_FILE}" 1
-        rlRun "echo -en 'u\nq\n' | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
-        rlRun "grep permissions ${OUTPUT_FILE}"
-        rlRun "grep permisions ${OUTPUT_FILE}" 1
-    rlPhaseEnd
-
-    rlPhaseStartCleanup
-        rlRun "rm -f ${OUTPUT_FILE}"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd
-

tests/sedispol/sedispol.exp

@@ -1,21 +0,0 @@
-#!/usr/bin/expect -f
-# ./sedispol.exp option policyfile outputfile
-set option [lrange $argv 0 0]
-set policyfile [lrange $argv 1 1]
-set outputfile [lrange $argv 2 2]
-set timeout 60
-spawn sedispol $policyfile
-expect "Command*:" {
-  send -- "f\r"
-}
-expect "Filename*:" {
-  send -- "$outputfile\r"
-}
-expect "Command*:" {
-  send -- "$option\r"
-}
-expect "Command*:" {
-  send -- "q\r"
-}
-expect eof
-

tests/tests.yml

@@ -1,61 +0,0 @@
----
-# Tests for Classic
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    repositories:
-    - repo: "https://src.fedoraproject.org/tests/selinux.git"
-      dest: "selinux"
-      fmf_filter: "tier:1 | component:checkpolicy"
-    required_packages:
-    - checkpolicy              # Required by all tests
-    - man                      # Required by checkpolicy-docs
-    - grep                     # Required by checkmodule
-    - coreutils                # Required by checkmodule
-    - setools-console          # Required by checkpolicy
-    - selinux-policy-minimum   # Required by checkpolicy
-    - selinux-policy-mls       # Required by checkpolicy
-    - selinux-policy-targeted  # Required by checkpolicy and sedismod
-    - expect                   # Required by sedismod and sedispol
-    - policycoreutils          # Required by sedismod
-    - psmisc                   # Required by sedismod
-    - selinux-policy           # Required by sedispol
-    - e2fsprogs
-    - gcc
-    - git
-    - libselinux
-    - libselinux-utils
-    - libsemanage
-    - libsepol
-    - libsepol-devel
-    - policycoreutils-python-utils
-    - selinux-policy-devel
-
-# Tests for Container
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - container
-    repositories:
-    - repo: "https://src.fedoraproject.org/tests/selinux.git"
-      dest: "selinux"
-    tests:
-    - selinux/checkpolicy/checkmodule
-    - selinux/checkpolicy/checkpolicy
-    - selinux/checkpolicy/sedismod
-    - selinux/checkpolicy/sedispol
-    required_packages:
-    - checkpolicy              # Required by all tests
-    - grep                     # Required by checkmodule
-    - coreutils                # Required by checkmodule
-    - setools-console          # Required by checkpolicy
-    - selinux-policy-minimum   # Required by checkpolicy
-    - selinux-policy-mls       # Required by checkpolicy
-    - selinux-policy-targeted  # Required by checkpolicy and sedismod
-    - expect                   # Required by sedismod and sedispol
-    - policycoreutils          # Required by sedismod
-    - psmisc                   # Required by sedismod
-    - selinux-policy           # Required by sedispol