From 2bb9a41b7ea4dce49a72a3316a97c8615d29106b Mon Sep 17 00:00:00 2001 From: Milos Malik Date: May 20 2021 10:23:53 +0000 Subject: add the cups-lpd test to upstream repo The cups-lpd package is available in various versions of RHEL and Fedora. The cups-lpd service is also used in these environments, so it makes sense to run this TC in upstream testing too. Moving the downstream TC to upstream repository. There are only slight changes when comparing the upstream and downstream version of this TC.
---
diff --git a/selinux-policy/cups-lpd-and-similar/Makefile b/selinux-policy/cups-lpd-and-similar/Makefile
new file mode 100644
index 0000000..dcbcdc2
--- /dev/null
+++ b/selinux-policy/cups-lpd-and-similar/Makefile
@@ -0,0 +1,71 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/selinux-policy/Regression/cups-lpd-and-similar
+# Description: SELinux interferes with cups-lpd and related programs
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2021 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/selinux-policy/Regression/cups-lpd-and-similar
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh
+ chcon -t bin_t runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: SELinux interferes with cups-lpd and related programs" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 20m" >> $(METADATA)
+ @echo "RunFor: selinux-policy" >> $(METADATA)
+ @echo "RunFor: cups" >> $(METADATA)
+ @echo "Requires: audit expect policycoreutils-python-utils selinux-policy-devel libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools setools-console xinetd nmap-ncat nc net-tools cups-lpd chkconfig initscripts" >> $(METADATA)
+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)
+ @echo "Releases: -RHEL4" >> $(METADATA)
+ @echo "Bug: 1004198" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1554118" >> $(METADATA) # RHEL-8
+ @echo "Bug: 1919399" >> $(METADATA) # RHEL-8
+
+ rhts-lint $(METADATA)
+
diff --git a/selinux-policy/cups-lpd-and-similar/PURPOSE b/selinux-policy/cups-lpd-and-similar/PURPOSE
new file mode 100644
index 0000000..4bf0246
--- /dev/null
+++ b/selinux-policy/cups-lpd-and-similar/PURPOSE
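Review bot: `run` and `build` are command targets but are absent from `.PHONY: all install download clean`, so unless rhts-make.include declares them, a stray file named `run` or `build` in the test directory would make them look up to date; `.PHONY: all install download clean run build` covers it. In the `$(METADATA)` recipe, the `Environment: AVC_ERROR=+no_avc_check` line deserves a trailing comment in the style of the `# RHEL-7` ones, for example `# harness AVC check is off; runtest.sh calls rlSECheckAVC in cleanup`, because for an SELinux regression test a reader should see at once where denials are still checked. `Releases: -RHEL4` leaves RHEL 5 and 6 enabled, which is worth confirming against the runtest.sh phases that call `systemctl` without an `rlIsRHEL` guard.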
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/selinux-policy/Regression/cups-lpd-and-similar
+Author: Milos Malik
+
+SELinux interferes with cups-lpd and related programs.
+
diff --git a/selinux-policy/cups-lpd-and-similar/main.fmf b/selinux-policy/cups-lpd-and-similar/main.fmf
new file mode 100644
index 0000000..c9e7c44
--- /dev/null
+++ b/selinux-policy/cups-lpd-and-similar/main.fmf
@@ -0,0 +1,3 @@
+path: /selinux-policy/cups-lpd-and-similar
+tier: 2
+
diff --git a/selinux-policy/cups-lpd-and-similar/runtest.sh b/selinux-policy/cups-lpd-and-similar/runtest.sh
new file mode 100755
index 0000000..e9e01a5
--- /dev/null
+++ b/selinux-policy/cups-lpd-and-similar/runtest.sh
@@ -0,0 +1,146 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/selinux-policy/Regression/cups-lpd-and-similar
+# Description: SELinux interferes with cups-lpd and related programs
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2021 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="selinux-policy"
+ROOT_PASSWORD="redhat"
+FILE_PATH="/usr/lib/cups/daemon/cups-lpd"
+FILE_CONTEXT="cupsd_lpd_exec_t"
+SERVICE_PACKAGE="cups-lpd"
+SERVICE_NAME="cups-lpd"
+PROCESS_NAME="cups-lpd"
+PROCESS_CONTEXT="cupsd_lpd_t"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "rlImport 'selinux-policy/common'"
+ # rlSESatisfyRequires
+ rlAssertRpm ${PACKAGE}
+ rlAssertRpm ${PACKAGE}-targeted
+ rlAssertRpm ${SERVICE_PACKAGE}
+
+ if rlIsRHEL 5 6 ; then
+ rlServiceStop ${SERVICE_NAME}
+ else
+ rlSocketStop ${SERVICE_NAME}
+ fi
+
+ rlSESetEnforce
+ rlSEStatus
+ rlSESetTimestamp
+ sleep 2
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1004198"
+ if rlIsRHEL 5 ; then
+ SOURCE_TYPE="inetd_t" # xinetd runs the process
+ BOOLEANS="[ cupsd_lpd_disable_trans ]"
+ elif rlIsRHEL 6 ; then
+ SOURCE_TYPE="inetd_t" # xinetd runs the process
+ else # RHEL-7 etc.
+ SOURCE_TYPE="init_t" # systemd runs the process
+ fi
+ rlSEMatchPathCon "${FILE_PATH}" "${FILE_CONTEXT}"
+ rlSEMatchPortCon "tcp" "515" "printer_port_t"
+ rlSESearchRule "allow ${SOURCE_TYPE} ${FILE_CONTEXT} : file { getattr open read execute }"
+ rlSESearchRule "allow ${SOURCE_TYPE} ${PROCESS_CONTEXT} : process { transition } ${BOOLEANS}"
+ rlSESearchRule "type_transition ${SOURCE_TYPE} ${FILE_CONTEXT} : process ${PROCESS_CONTEXT} ${BOOLEANS}"
+ if ! rlIsRHEL 5 6 ; then
+ rlSESearchRule "allow ${PROCESS_CONTEXT} printer_port_t : tcp_socket { name_bind }"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1554118"
+ rlSEMatchPathCon "/usr/lib/cups/daemon/cups-lpd" "cupsd_lpd_exec_t"
+ rlSESearchRule "allow init_t cupsd_lpd_t : tcp_socket { create setopt bind listen }"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1919399"
+ rlSEMatchPathCon "/usr/lib/cups/daemon/cups-lpd" "cupsd_lpd_exec_t"
+ rlSEMatchPathCon "/run/cups/cups.sock" "cupsd_var_run_t"
+ rlSESearchRule "allow cupsd_lpd_t cupsd_var_run_t : sock_file { read } [ ]"
+ rlPhaseEnd
+
+ rlPhaseStartTest "real scenario -- BZ#1919399"
+ rlRun "systemctl start cups.service"
+ rlRun "systemctl enable cups-lpd.socket"
+ rlRun "systemctl start cups-lpd.socket"
+ rlRun "lpadmin -p test -E"
+ rlRun "DEVICE_URI=lpd://127.0.0.1/test /usr/lib/cups/backend/lpd 1 user test 1 '' /etc/fstab"
+ sleep 5
+ rlRun "systemctl stop cups-lpd.socket"
+ rlRun "systemctl disable cups-lpd.socket"
+ rlRun "systemctl stop cups.service"
+ rlPhaseEnd
+
+ rlPhaseStartTest "real scenario -- xinetd service"
+ HOST_ADDRESS="127.0.0.1" # IP address or nothing
+ PORT_NUMBER="515" # number or socket path
+ PORT_TYPE="" # default is TCP, otherwise use -u (UDP) or --sctp (SCTP)
+ if rlIsRHEL 5 6 ; then
+ rlRun "chkconfig ${SERVICE_NAME} on"
+ rlRun "service xinetd restart"
+ rlLog "starting provocateur job"
+ ( tail -f - | nc ${PORT_TYPE} ${HOST_ADDRESS} ${PORT_NUMBER} ) &
+ PROVOCATEUR_PID=$!
+ else
+ rlRun "systemctl enable ${SERVICE_NAME}.socket"
+ rlRun "systemctl start ${SERVICE_NAME}.socket"
+ rlLog "starting provocateur job"
+ ( tail -f - | ncat ${PORT_TYPE} ${HOST_ADDRESS} ${PORT_NUMBER} ) &
+ PROVOCATEUR_PID=$!
+ fi
+ sleep 1
+ rlRun "netstat -tupan | grep :${PORT_NUMBER}"
+ rlRun "ps -o pid,user,context,args -C ${PROCESS_NAME}"
+ rlRun "ps -o pid,user,context,args -C ${PROCESS_NAME} | grep :${PROCESS_CONTEXT}"
+ rlRun "kill ${PROVOCATEUR_PID}"
+ if rlIsRHEL 5 6 ; then
+ rlRun "chkconfig ${SERVICE_NAME} off"
+ rlRun "service xinetd stop"
+ else
+ rlRun "systemctl stop ${SERVICE_NAME}.socket"
+ rlRun "systemctl disable ${SERVICE_NAME}.socket"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ sleep 2
+ rlSECheckAVC
+ if rlIsRHEL 5 6 ; then
+ rlServiceRestore ${SERVICE_NAME}
+ else
+ rlSocketRestore ${SERVICE_NAME}
+ fi
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
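Review bot: The `real scenario -- BZ#1919399` phase leaves host state behind that the cleanup phase never undoes: `lpadmin -p test -E` creates a print queue that is not deleted, and `cups.service` is stopped unconditionally even if it was running before the test, although the Makefile metadata declares `Destructive: no`. Adding `rlRun "lpadmin -x test"` before the services are stopped, and handling cups with `rlServiceStart cups` in the phase plus `rlServiceRestore cups` in cleanup (the same pattern the script already uses for the socket), would return the machine to its prior state. Separately, `ROOT_PASSWORD="redhat"` is a hard-coded credential that nothing visible in this script reads; unless the imported selinux-policy/common library expects it, it should be dropped rather than carried into the upstream repository. `BOOLEANS` is assigned only in the RHEL 5 branch but expanded in the rule searches on every release, so an explicit `BOOLEANS=""` before the `if` would keep a value inherited from the environment out of those searches.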