#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/selinux-policy/Regression/usbmuxd-and-similar
# Description: SELinux interferes with usbmuxd and related programs
# Author: Milos Malik <mmalik@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
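# Test parameters. The blame-view gutter lines that were interleaved with the
# assignments are dropped so the block parses as shell again.

# Package whose policy is under test; setup also requires "${PACKAGE}-targeted".
PACKAGE="selinux-policy"

# Fixed, well-known password. The "real scenario" phase sets it as the root
# password of the machine under test and passes it to rlSEService. Setup backs
# up /etc/shadow and cleanup restores it, so a run that aborts before the
# cleanup phase leaves root with this password.
ROOT_PASSWORD="redhat"

# Daemon binary and the file type its default context is expected to carry.
FILE_PATH="/usr/sbin/usbmuxd"
FILE_CONTEXT="usbmuxd_exec_t"

# RPM that ships the daemon, and the service / process names handed to the
# service helpers.
SERVICE_PACKAGE="usbmuxd"
SERVICE_NAME="usbmuxd"
PROCESS_NAME="usbmuxd"

# Domain the running daemon is expected to be in. The "real scenario" phase
# overwrites this with unconfined_service_t when the loaded policy does not
# define the type.
PROCESS_CONTEXT="usbmuxd_t"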
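rlJournalStart
# Setup: verify prerequisites, stop the service, save state that later phases
# modify, and put SELinux into the mode the test expects.
rlPhaseStartSetup
    # Shared selinux-policy test library; the rlSE* helpers used throughout
    # this script are presumably defined there (not visible in this file).
    rlRun "rlImport 'selinux-policy/common'"
    rlSESatisfyRequires
    rlAssertRpm "${PACKAGE}"
    rlAssertRpm "${PACKAGE}-targeted"
    rlAssertRpm "${SERVICE_PACKAGE}"

    # Stop the daemon now; rlServiceRestore in the cleanup phase puts it back
    # into its original state.
    rlServiceStop "${SERVICE_NAME}"
    # The "real scenario" phase changes the root password, so /etc/shadow is
    # saved here and restored by rlFileRestore in the cleanup phase.
    rlFileBackup /etc/shadow

    # NOTE(review): judging by the helper names, these switch SELinux to
    # enforcing, log the current status, and record the start time that
    # rlSECheckAVC later uses to scope its AVC search - confirm against
    # selinux-policy/common.
    rlSESetEnforce
    rlSEStatus
    rlSESetTimestamp
    # Presumably separates the recorded timestamp from the first test action.
    sleep 2
rlPhaseEnd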
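# Policy-level checks: default file contexts and the allow / type_transition
# rules needed to start usbmuxd in its own domain and let it read udev data.
# Nothing is executed here; the helpers presumably query the file-context
# database and the loaded policy (confirm in selinux-policy/common).
rlPhaseStartTest "bz#1521054 + bz#1582205"
    # Pick the domain that launches the daemon on this release.
    # BOOLEANS is assigned only on RHEL 5; on every other release it expands
    # to whatever the variable already holds (normally empty).
    if rlIsRHEL 5 ; then
        SOURCE_TYPE="initrc_t"
        BOOLEANS="[ ]"
    elif rlIsRHEL 6 ; then
        SOURCE_TYPE="initrc_t"
    else # RHEL-7 etc.
        SOURCE_TYPE="init_t" # systemd runs the process
    fi

    # Expected default labels for the daemon binary and the udev runtime data.
    rlSEMatchPathCon "${FILE_PATH}" "${FILE_CONTEXT}"
    rlSEMatchPathCon "/run/udev/data" "udev_var_run_t"
    rlSEMatchPathCon "/run/udev/data/c189:0" "udev_var_run_t"

    # The launcher may execute the binary and transition into the daemon
    # domain; the type_transition makes that transition the default.
    rlSESearchRule "allow ${SOURCE_TYPE} ${FILE_CONTEXT} : file { getattr open read execute }"
    rlSESearchRule "allow ${SOURCE_TYPE} ${PROCESS_CONTEXT} : process { transition } ${BOOLEANS}"
    rlSESearchRule "type_transition ${SOURCE_TYPE} ${FILE_CONTEXT} : process ${PROCESS_CONTEXT} ${BOOLEANS}"

    # Only read-style permissions on udev runtime data are asserted: directory
    # lookup and file read, no write or create.
    rlSESearchRule "allow usbmuxd_t udev_var_run_t : dir { getattr open search } [ ]"
    rlSESearchRule "allow usbmuxd_t udev_var_run_t : file { getattr open read } [ ]"
rlPhaseEnd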
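# Rules checked on every release except RHEL 8.
if ! rlIsRHEL 8 ; then
    # usbmuxd_t may query attributes of the sysfs filesystem.
    rlPhaseStartTest "bz#1930992"
        rlSEMatchPathCon "/sys" "sysfs_t"
        rlSESearchRule "allow usbmuxd_t sysfs_t : filesystem { getattr } [ ]"
    rlPhaseEnd

    # Same permission for the cgroup filesystem.
    rlPhaseStartTest "bz#1936705"
        rlSEMatchPathCon "/sys/fs/cgroup" "cgroup_t"
        rlSESearchRule "allow usbmuxd_t cgroup_t : filesystem { getattr } [ ]"
    rlPhaseEnd

    # Access to PID 1's /proc entries is expected to be covered by dontaudit
    # rules. A dontaudit rule suppresses the audit record only; the access is
    # still denied. Denials covered by these rules therefore do not appear in
    # the AVC check of the cleanup phase unless dontaudit rules are disabled
    # in the policy (semodule -DB).
    rlPhaseStartTest "bz#1959747"
        # Confirm PID 1 and its environ file are labelled init_t, so the
        # rules below are checked against the type actually in use.
        rlRun "ls -dZ /proc/1 | grep :init_t"
        rlRun "ls -Z /proc/1/environ | grep :init_t"
        rlSESearchRule "dontaudit usbmuxd_t init_t : dir { search } [ ]"
        rlSESearchRule "dontaudit usbmuxd_t init_t : file { getattr open read ioctl } [ ]"
    rlPhaseEnd
fi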
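# Runtime check: drive the real service through start / restart / stop and
# verify the domain of the running process.
rlPhaseStartTest "real scenario"
    # Sets the root password of the machine under test to the fixed value of
    # ROOT_PASSWORD. The variable is expanded before rlRun receives the string,
    # so the literal password is part of the command line rlRun runs and
    # reports. /etc/shadow was backed up in setup and is restored in cleanup.
    rlRun "echo ${ROOT_PASSWORD} | passwd --stdin root"

    # When the loaded policy does not define usbmuxd_t, the expected domain
    # becomes unconfined_service_t. In that case the phase passes with the
    # daemon running unconfined, i.e. it no longer asserts confinement.
    if ! rlSEDefined "${PROCESS_CONTEXT}" ; then
        PROCESS_CONTEXT="unconfined_service_t"
    fi

    # NOTE(review): rlSEService presumably performs the listed service actions
    # and checks that PROCESS_NAME runs in PROCESS_CONTEXT; the meaning of the
    # trailing 1 is defined in selinux-policy/common - confirm there.
    rlSEService "${ROOT_PASSWORD}" "${SERVICE_NAME}" "${PROCESS_NAME}" "${PROCESS_CONTEXT}" "start status" 1
    # Reset labels under /var and /run to the policy defaults (-v lists every
    # change) before exercising the service again.
    rlRun "restorecon -Rv /var /run"
    rlSEService "${ROOT_PASSWORD}" "${SERVICE_NAME}" "${PROCESS_NAME}" "${PROCESS_CONTEXT}" "restart status stop status" 1
rlPhaseEnd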
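# Cleanup: report AVC messages from the run, then undo the changes made by
# the earlier phases.
rlPhaseStartCleanup
    # Presumably gives the audit subsystem time to flush records before they
    # are searched.
    sleep 2
    # NOTE(review): presumably checks for AVC denials logged since
    # rlSESetTimestamp in the setup phase - confirm in selinux-policy/common.
    # Accesses covered by dontaudit rules produce no record to find.
    rlSECheckAVC

    # Restores /etc/shadow from the setup backup, which reverts the root
    # password set in the "real scenario" phase.
    rlFileRestore
    # Returns the service to the state it had before rlServiceStop.
    rlServiceRestore "${SERVICE_NAME}"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd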