From 565cbef1415355eaff78975f675500f5efda7aef Mon Sep 17 00:00:00 2001 From: Milos Malik Date: Dec 14 2020 11:17:12 +0000 Subject: add new test which covers the dhclient program Basic automated test which runs the dhclient program and looks for any SELinux denials which appear during the run. The dhclient tool is known to run other network related programs, which can trigger various SELinux denials.
---
diff --git a/selinux-policy/dhclient-and-similar/Makefile b/selinux-policy/dhclient-and-similar/Makefile
new file mode 100644
index 0000000..9a1b4c3
--- /dev/null
+++ b/selinux-policy/dhclient-and-similar/Makefile
@@ -0,0 +1,67 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/selinux-policy/Regression/dhclient-and-similar
+# Description: SELinux interferes with dhclient and related programs
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2020 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/selinux-policy/Regression/dhclient-and-similar
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh
+ chcon -t bin_t runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: SELinux interferes with dhclient and related programs" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 10m" >> $(METADATA)
+ @echo "RunFor: selinux-policy" >> $(METADATA)
+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console psmisc chrony dhcp-client" >> $(METADATA)
+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)
+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHEL5 -RHEL6 -RHEL7" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/selinux-policy/dhclient-and-similar/PURPOSE b/selinux-policy/dhclient-and-similar/PURPOSE
new file mode 100644
index 0000000..019dcb9
--- /dev/null
+++ b/selinux-policy/dhclient-and-similar/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/selinux-policy/Regression/dhclient-and-similar
+Author: Milos Malik
+
+SELinux interferes with dhclient and related programs.
+
diff --git a/selinux-policy/dhclient-and-similar/runtest.sh b/selinux-policy/dhclient-and-similar/runtest.sh
new file mode 100755
index 0000000..d2caa8b
--- /dev/null
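Review bot: `.PHONY: all install download clean` in the Makefile hunk leaves out `run` and `build`, the two targets defined here whose recipes never create a file of that name. A stray entry named `build` in the test directory would make that target look up to date, so the `chmod a+x runtest.sh` / `chcon -t bin_t runtest.sh` step would be skipped while `run` still executes ./runtest.sh with whatever mode and label it happened to have. I would extend the line to `.PHONY: all install download clean run build`. Whether the included rhts-make.include already declares them phony is not visible from this hunk.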
+++ b/selinux-policy/dhclient-and-similar/runtest.sh 
@@ -0,0 +1,70 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/selinux-policy/Regression/dhclient-and-similar
+# Description: SELinux interferes with dhclient and related programs
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2020 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="selinux-policy"
+ROOT_PASSWORD="redhat"
+SERVICE_PACKAGE="chrony"
+SERVICE_NAME="chronyd"
+
+rlJournalStart
+ rlLog "If this test fails, please contact mmalik on IRC #selinux"
+ rlLog "This test should fail if tested bugs are NOT fixed yet"
+ rlPhaseStartSetup
+ rlRun "rlImport 'selinux-policy/common'"
+ rlSESatisfyRequires
+ rlAssertRpm ${PACKAGE}
+ rlAssertRpm ${PACKAGE}-targeted
+ rlAssertRpm ${SERVICE_PACKAGE}
+
+ rlServiceStart ${SERVICE_NAME}
+
+ rlSESetEnforce
+ rlSEStatus
+ rlSESetTimestamp
+ sleep 2
+ rlPhaseEnd
+
+ rlPhaseStartTest "real scenario -- runcon under root"
+ rlRun "dhclient"
+ sleep 5
+ rlRun "killall dhclient"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ sleep 2
+ rlSECheckAVC
+
+ rlServiceRestore ${SERVICE_NAME}
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
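Review bot: `ROOT_PASSWORD="redhat"` is assigned near the top of runtest.sh but nothing in the 70 added lines reads it, so the commit carries a hard-coded credential that serves no purpose. Unless the imported `selinux-policy/common` library consumes that variable (not visible here), the line should be dropped. Separately, the test phase is titled "real scenario -- runcon under root" yet calls plain `dhclient` with no `runcon`, so the title or the command should be aligned. `rlRun "killall dhclient"` also terminates any dhclient that was already running before the test started; recording the PID of the instance the test launched and killing only that one, or at least adding a comment such as `# kills every dhclient on the host, not only the one started above`, would make that scope explicit.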