Tree - tests/selinux - src.fedoraproject.org

mmalik / tests / selinux

Forked from tests/selinux 6 years ago
Source
Stats
Files

Commit: 26a276d5c97f001a9abbced51aa4aff31e49bc6d
Blob Blame History Raw
#!/bin/bash
# vim: set dictionary=/usr/share/rhts-library/dictionary.vim cpt=.,w,b,u,t,i,k:
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   runtest.sh of /CoreOS/selinux-policy/Regression/bz481628-send-msg-to-dbus
#   Description: checks if dbus daemon is able to send message to hal daemon and vice versa
#   Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   Copyright (c) 2009 Red Hat, Inc. All rights reserved.
#
#   This copyrighted material is made available to anyone wishing
#   to use, modify, copy, or redistribute it subject to the terms
#   and conditions of the GNU General Public License version 2.
#
#   This program is distributed in the hope that it will be
#   useful, but WITHOUT ANY WARRANTY; without even the implied
#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
#   PURPOSE. See the GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public
#   License along with this program; if not, write to the Free
#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
#   Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# Include rhts environment
. /usr/share/beakerlib/beakerlib.sh

PACKAGE="selinux-policy"
FILE_PATH="/bin/dbus-daemon"
FILE_CONTEXT="dbusd_exec_t"
SERVICE_PACKAGE="dbus"
if [ -f /usr/lib/systemd/system/dbus-broker.service ] ; then
    PROCESS_NAME="dbus-broker"
    SERVICE_NAME="dbus-broker"
else
    PROCESS_NAME="dbus-daemon"
    SERVICE_NAME="dbus"
fi
PROCESS_CONTEXT="system_dbusd_t"

rlJournalStart
    rlPhaseStartSetup
        rlRun "rlImport 'selinux-policy/common'" 0,1
        rlSESatisfyRequires
        rlAssertRpm ${PACKAGE}
        rlAssertRpm ${PACKAGE}-targeted
        rlAssertRpm ${SERVICE_PACKAGE}

        rlSEConfigureSSH

        rlSESetEnforce
        rlSEStatus
        rlSESetTimestamp
        sleep 2
    rlPhaseEnd

    rlPhaseStartTest "bz#463267"
        if rlIsRHEL 5 ; then
            rlSEMatchPathCon "/lib/dbus-1/dbus-daemon-launch-helper" "system_dbusd_exec_t"
            rlSEMatchPathCon "/lib64/dbus-1/dbus-daemon-launch-helper" "system_dbusd_exec_t"
            rlSESearchRule "allow system_dbusd_t system_dbusd_exec_t : file { execute_no_trans }"
        else
            rlSEMatchPathCon "/lib/dbus-1/dbus-daemon-launch-helper" "dbusd_exec_t"
            rlSEMatchPathCon "/lib64/dbus-1/dbus-daemon-launch-helper" "dbusd_exec_t"
            rlSESearchRule "allow system_dbusd_t dbusd_exec_t : file { execute_no_trans }"
        fi
    rlPhaseEnd

    if rlSEDefined "hald_t" ; then
    rlPhaseStartTest "bz#481628"
        if rlIsRHEL 5 ; then
            rlSEMatchPathCon "/bin/dbus-daemon" "system_dbusd_exec_t"
        else
            rlSEMatchPathCon "/bin/dbus-daemon" "dbusd_exec_t"
        fi
        rlSESearchRule "allow system_dbusd_t hald_t : dbus { send_msg }"
        rlSESearchRule "allow hald_t system_dbusd_t : dbus { send_msg }"
        rlSESearchRule "allow system_dbusd_t unconfined_t : dbus { send_msg }"
        rlSESearchRule "allow unconfined_t system_dbusd_t : dbus { send_msg }"
        if rlIsRHEL 5 ; then
            rlSESearchRule "allow initrc_t system_dbusd_exec_t : file { getattr open read execute }"
            rlSESearchRule "type_transition initrc_t system_dbusd_exec_t : process system_dbusd_t"
        else
            rlSESearchRule "allow initrc_t dbusd_exec_t : file { getattr open read execute }"
            rlSESearchRule "type_transition initrc_t dbusd_exec_t : process system_dbusd_t"
        fi
        rlSESearchRule "allow initrc_t system_dbusd_t : process { transition }"
    rlPhaseEnd
    fi

    if ! rlIsRHEL 5 6 ; then
    rlPhaseStartTest "bz#1546721"
        rlSEMatchPathCon "/usr/libexec/dbus-1/dbus-daemon-launch-helper" "dbusd_exec_t"
    rlPhaseEnd

    rlPhaseStartTest "bz#1614236"
        rlSEMatchPathCon "/usr/bin/dbus-daemon" "dbusd_exec_t"
        rlSEMatchPathCon "/dev/nvme0n1p1" "nvme_device_t"
        rlSESearchRule "allow system_dbusd_t nvme_device_t : blk_file { read } [ ]"
    rlPhaseEnd
    fi

    rlPhaseStartTest "real scenario -- standalone service"
        rlSEService "nopassword" ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "reload status" 1
    rlPhaseEnd

    if ! rlIsRHEL 5 6 7 ; then
    rlPhaseStartTest "bz#1688671"
        rlSEMatchPathCon "/run/user/1000" "user_tmp_t"
        if [ -f /usr/lib/systemd/system/dbus-broker.service ] ; then
                rlSEMatchPathCon "/run/user/1000/dbus" "session_dbusd_tmp_t"
                rlSEMatchPathCon "/run/user/1000/dbus/services" "session_dbusd_tmp_t"
	else
                rlSEMatchPathCon "/run/user/1000/dbus-1" "session_dbusd_tmp_t"
                rlSEMatchPathCon "/run/user/1000/dbus-1/services" "session_dbusd_tmp_t"
        fi
        rlSESearchRule "allow init_t session_dbusd_tmp_t : dir { read } [ ]"
        rlSESearchRule "type_transition staff_dbusd_t user_tmp_t : dir session_dbusd_tmp_t"
        rlSESearchRule "type_transition sysadm_dbusd_t user_tmp_t : dir session_dbusd_tmp_t"
        rlSESearchRule "type_transition unconfined_dbusd_t user_tmp_t : dir session_dbusd_tmp_t"
        rlSESearchRule "type_transition user_dbusd_t user_tmp_t : dir session_dbusd_tmp_t"
        rlSESearchRule "type_transition xguest_dbusd_t user_tmp_t : dir session_dbusd_tmp_t"
    rlPhaseEnd

    rlPhaseStartTest "bz#1727887 + bz#1754476"
        rlSESearchRule "allow guest_t init_t : process { signal } [ ]"
    rlPhaseEnd

    rlPhaseStartTest "real scenario -- user session service"
        rlRun "setsebool ssh_sysadm_login on"
        rlRun "setsebool selinuxuser_tcp_server on"
        CREATED_USERS=""
        # TODO: guest_u, xguest_u cannot successfully run systemctl
        for SELINUX_USER in user_u staff_u sysadm_u unconfined_u ; do
            USER_NAME="user${RANDOM}"
            USER_SECRET="S3kr3t${RANDOM}"
            rlRun "useradd -Z ${SELINUX_USER} ${USER_NAME}"
            rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"
            rlRun "restorecon -RvF /home/${USER_NAME}"
            rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost /usr/bin/systemctl --user --no-pager status dbus"
            rlRun "rm -f files.txt"
            USER_ID=`id -u ${USER_NAME}`
            ( sleep 3 ; ls -RZ /run/user/${USER_ID} > files.txt ) &
            rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost /usr/bin/systemctl --user --no-pager start dbus"
            if ! [ -f /usr/lib/systemd/system/dbus-broker.service ] ; then
                rlRun "grep \"${SELINUX_USER}:object_r:session_dbusd_tmp_t:.* dbus-1\" files.txt"
                rlRun "grep \"${SELINUX_USER}:object_r:session_dbusd_tmp_t:.* services\" files.txt"
            fi
            rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost /usr/bin/busctl --user --no-pager"
            CREATED_USERS="${USER_NAME} ${CREATED_USERS}"
        done
        for USER_NAME in ${CREATED_USERS} ; do
            rlRun "userdel -rfZ ${USER_NAME}"
        done
        rlRun "setsebool selinuxuser_tcp_server off"
        rlRun "setsebool ssh_sysadm_login off"
    rlPhaseEnd
    fi

    rlPhaseStartCleanup
        sleep 2
        rlSECheckAVC --ignore 'type=AVC .* create .*systemd .*:user_t:.*:user_tmp_t:.*tclass=dir'
        rm -f files.txt

        rlFileRestore
        rlRun "service sshd restart"
    rlPhaseEnd
    rlJournalPrintText
rlJournalEnd
mmalik / tests / selinux

Source Code

Files
