diff --git a/selinux-policy/pam_limits-and-related/Makefile b/selinux-policy/pam_limits-and-related/Makefile new file mode 100644 index 0000000..2fb85ca --- /dev/null +++ b/selinux-policy/pam_limits-and-related/Makefile @@ -0,0 +1,69 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/selinux-policy/Regression/pam_limits-and-related +# Description: Does SELinux cooperate with pam_limits.so? +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2020 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/selinux-policy/Regression/pam_limits-and-related +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE ssh.exp + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x runtest.sh ssh.exp + chcon -t bin_t runtest.sh ssh.exp + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Does SELinux cooperate with pam_limits.so?" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 10m" >> $(METADATA) + @echo "RunFor: pam" >> $(METADATA) + @echo "RunFor: selinux-policy" >> $(METADATA) + @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console expect openssh-clients pam shadow-utils" >> $(METADATA) + @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA) + @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHEL5 -RHEL6 -RHEL7" >> $(METADATA) + @echo "Bug: 1958819" >> $(METADATA) # Fedora 34 + + rhts-lint $(METADATA) + diff --git a/selinux-policy/pam_limits-and-related/PURPOSE b/selinux-policy/pam_limits-and-related/PURPOSE new file mode 100644 index 0000000..9b9e9c4 --- /dev/null +++ b/selinux-policy/pam_limits-and-related/PURPOSE @@ -0,0 +1,10 @@ +PURPOSE of /CoreOS/selinux-policy/Regression/pam_limits-and-related +Author: Milos Malik + +Does SELinux cooperate with pam_limits.so? +Confined and unconfined users are tested using SSH. + +This TC uses following parameters which can be overriden: + * ALLOWED_USERS - which SELinux users should be tested? + * DENIED_USERS - which SELinux users should NOT be tested? + diff --git a/selinux-policy/pam_limits-and-related/main.fmf b/selinux-policy/pam_limits-and-related/main.fmf new file mode 100644 index 0000000..7d613d7 --- /dev/null +++ b/selinux-policy/pam_limits-and-related/main.fmf @@ -0,0 +1,2 @@ +path: /selinux-policy/pam_limits-and-related +tier: 2 diff --git a/selinux-policy/pam_limits-and-related/runtest.sh b/selinux-policy/pam_limits-and-related/runtest.sh new file mode 100755 index 0000000..d9c6a3e --- /dev/null +++ b/selinux-policy/pam_limits-and-related/runtest.sh @@ -0,0 +1,89 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/selinux-policy/Regression/pam_limits-and-related +# Description: Does SELinux cooperate with pam_limits.so? +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2020 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include Beaker environment +. /usr/bin/rhts-environment.sh || exit 1 +. /usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="selinux-policy" +SERVICE_PACKAGE="pam" +DENIED_USERS=${DENIED_USERS:-""} +ALLOWED_USERS=${ALLOWED_USERS:-"guest_u xguest_u user_u staff_u sysadm_u unconfined_u"} + +rlJournalStart + rlPhaseStartSetup + rlRun "rlImport 'selinux-policy/common'" + rlSESatisfyRequires + rlAssertRpm ${PACKAGE} + rlAssertRpm ${PACKAGE}-targeted + rlAssertRpm ${SERVICE_PACKAGE} + + rlFileBackup /etc/shadow + rlFileBackup /etc/security/limits.conf + + rlSESetEnforce + rlSEStatus + rlSESetTimestamp + sleep 2 + rlPhaseEnd + + rlPhaseStartTest "bz#1958819" + rlSESearchRule "allow init_t guest_t : process2 { nnp_transition } [ ]" + rlSESearchRule "allow init_t staff_t : process2 { nnp_transition } [ ]" + rlSESearchRule "allow init_t sysadm_t : process2 { nnp_transition } [ ]" + rlSESearchRule "allow init_t unconfined_t : process2 { nnp_transition } [ ]" + rlSESearchRule "allow init_t user_t : process2 { nnp_transition } [ ]" + rlSESearchRule "allow init_t xguest_t : process2 { nnp_transition } [ ]" + rlPhaseEnd + + rlPhaseStartTest "real scenario -- confined users" + rlRun "setsebool ssh_sysadm_login on" + rlLog "configuration says not to test SELinux users: ${DENIED_USERS}" + for SELINUX_USER in ${ALLOWED_USERS} ; do + USER_NAME="user${RANDOM}" + USER_SECRET="S3kr3t${RANDOM}" + rlRun "useradd -Z ${SELINUX_USER} ${USER_NAME}" + rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}" + rlRun "echo \"${USER_NAME} - nonewprivs 1\" >> /etc/security/limits.conf" + rlRun "restorecon -RvF /home/${USER_NAME}" + rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost id" + rlRun "userdel -rfZ ${USER_NAME}" + sleep 10 + done + rlRun "setsebool ssh_sysadm_login off" + rlPhaseEnd + + rlPhaseStartCleanup + sleep 2 + rlSECheckAVC + + rlFileRestore + rlPhaseEnd +rlJournalPrintText +rlJournalEnd + diff --git a/selinux-policy/pam_limits-and-related/ssh.exp b/selinux-policy/pam_limits-and-related/ssh.exp new file mode 100755 index 0000000..58c9647 --- /dev/null +++ b/selinux-policy/pam_limits-and-related/ssh.exp @@ -0,0 +1,20 @@ +#!/usr/bin/expect -f +# Expect script for SSH logging as $username to $hostname using $password and executing $command. +# Usage: +# ./ssh.exp username password hostname command +set username [lrange $argv 0 0] +set password [lrange $argv 1 1] +set hostname [lrange $argv 2 2] +set command [lrange $argv 3 10] +set timeout 15 +# connect to remote host and execute given command +log_user 1 +spawn ssh -t $username@$hostname $command +expect { + -nocase "yes/no" { send -- "yes\r" ; exp_continue } + -nocase "password" { send -- "$password\r" } +} +log_user 1 +# send -- "\r" +expect eof +