[Swan-dev] [Testing] Test Suite & Docker

Paul Wouters paul at nohats.ca
Mon May 16 03:35:39 UTC 2016


On Sun, 15 May 2016, Ondrej Moris wrote:

>> Our problem was that we couldn't easily add fips=1 on a per-test basis
>> to the VM. Similarly, we need a MLS on/off method so we can run the MLS
>> labeled ipsec tests. We might be able to virt-install a FIPS and
>> FIPS+MLS image, eg east-fips, west-fips, and then use those.
>>
>
> I see, well there is still --impair-force-fips for per-test FIPS
> testing. Sure, it is not the "FIPS product" when kernel is not in FIPS
> mode but for testing user-space it should be sufficient.

yes, I added --impair-force-fips to avoid issues of not being really in
FIPS mode, and /usr/local vs /usr installs and .hmac files. It works
if you separately put NSS in FIPS mode. It can test IKE algorithms, but
it is not good to test how we respond to the kernel refusing an item
we asked for because of FIPS mode.

> MLS would be a much bigger step I guess.

yes. Currently the KVM images are COW images, so switching a machine
between MLS and non-MLS, even if we scripted that in swantest, would
cause some dramatic COW write increases and slowdown. I think it is
better to add those as a separate virt-install image.

> At least in Fedora since almost nobody cares
> about selinux-mls-policy there. We recently started the same testing we
> did for Common Criteria in RHEL in Fedora 23 and there are tons of
> selinux denials. In RHEL both FIPS and MLS testing should be possible.

I would like to move to RHEL7 on host and guest testing :)

Paul

