[apparmor] [patch] various fixes for minitools_test.py

Christian Boltz apparmor at cboltz.de
Mon Sep 15 23:19:21 UTC 2014 

Hello,

Am Montag, 15. September 2014 schrieb Seth Arnold:
> On Sun, Sep 14, 2014 at 12:31:49AM +0200, Christian Boltz wrote:
> > this patch contains various fixes for utils/test/minitools_test.py:
> > - test_audit: fix error message
> > - test_complain: replace "aa-complain -r" with aa-enforce (we
> > removed >
> >   the -r flag from aa-complain)
> >
> > - test_complain: disable checks for force-complain symlinks, 
> >
> >   aa-complain doesn't create them
> 
> NAK, aa-enforce should remove the force-complain syslink and 

It does - but there's nothing that creates that symlink, which makes 
testing the removal a bit hard ;-)


Let me explain some details:

We have two methods to put a profile into complain mode:
a) the force-complain symlink
b) flags=(complain)

a) has the advantage that it's packagemanager-friendly (it doesn't 
modify the profile file), but the big disadvantage that it breaks 
caching - if a force-complain symlink exists, the cache is not used.

Therefore we decided that aa-complain should not create force-complain 
symlinks, but add flags=(complain) instead.

Based on that behaviour change, the tests needed to be adjusted.

Does this clarify the situation?

> we need to continue testing this to ensure it works. 

Good point - maybe the test should "manually"[1] create a force-complain 
symlink so that we can check afterwards that aa-enforce really deletes 
it.

Patches welcome ;-) - otherwise it will end up somewhere[tm] on my TODO 
list.

> I'm fine with dropping
> the aa-complain test of force-complain, since the tool can't be
> expected to pass without further development, but aa-enforce should
> work now.

See above - aa-enforce works :-)  (it removes flags=(complain) and also 
removes the force-complain symlink if it exists)


Regards,

Christian Boltz

[1] "manually" as in "run ln -s" - that's what a real user could also 
    have done

-- 
xslt, was? Wir kombinieren das Paradigma von awk mit der
sprachlichen Eleganz von Cobol und den programmiertechnischen
Verrenkungen von funktionalen Sprachen unter sorgfältiger
Umgehung aller möglichen Vorteile.    [Kristian Köhntopp]

More information about the AppArmor mailing list