From d5312d22c018dd04fe31d932ce87368ce7fa3e20 Mon Sep 17 00:00:00 2001
From: Milos Malik
Date: Mar 04 2021 10:05:35 +0000
Subject: add the colord test to upstream repo The colord service is available in various Fedoras and RHELs, so it makes sense to run the TC in upstream testing too. There are no changes in the TC functionality. Moving the downstream TC to upstream repo.
---
diff --git a/selinux-policy/colord-and-similar/Makefile b/selinux-policy/colord-and-similar/Makefile
new file mode 100644
index 0000000..4a609b8
--- /dev/null
+++ b/selinux-policy/colord-and-similar/Makefile
@@ -0,0 +1,74 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/selinux-policy/Regression/colord-and-similar
+# Description: SELinux interferes with colord and related programs
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/selinux-policy/Regression/colord-and-similar
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE ssh.exp
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh ssh.exp
+ chcon -t bin_t runtest.sh ssh.exp
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: SELinux interferes with colord and related programs" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 10m" >> $(METADATA)
+ @echo "RunFor: selinux-policy" >> $(METADATA)
+ @echo "RunFor: colord" >> $(METADATA)
+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted glib2 setools-console colord initscripts expect" >> $(METADATA)
+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELServer5 -RHELClient5 -RHEL6" >> $(METADATA)
+ @echo "Bug: 1373082" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1381579" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1398030" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1421247" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1460480" >> $(METADATA) # RHEL-7
+ @echo "Bug: 1772669" >> $(METADATA) # RHEL-8
+
+ rhts-lint $(METADATA)
+
diff --git a/selinux-policy/colord-and-similar/PURPOSE b/selinux-policy/colord-and-similar/PURPOSE
new file mode 100644
index 0000000..eca8438
--- /dev/null
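Review bot: `run` and `build` are missing from the `.PHONY: all install download clean` line, so a stray file named `build` in the test directory makes that target look up to date and the `chmod`/`chcon` recipe never runs, and a file named `run` would skip `./runtest.sh` the same way; change the line to `.PHONY: all install download clean run build`. The `$(METADATA)` recipe also builds its output through two dozen separate `>`/`>>` redirections, so an interrupted make leaves a partial metadata file that is newer than the Makefile and will not be regenerated; writing to `$@.tmp` and ending with `mv -f $@.tmp $@` before `rhts-lint` would make it atomic, and `$@` can replace the repeated `$(METADATA)`. The `Owner:` line on the page shows no e-mail address after the name; presumably the angle-bracketed address was stripped in rendering, but it is worth checking the committed file since rhts-lint expects one.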
+++ b/selinux-policy/colord-and-similar/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/selinux-policy/Regression/colord-and-similar
+Author: Milos Malik
+
+SELinux interferes with colord and related programs.
+
diff --git a/selinux-policy/colord-and-similar/main.fmf b/selinux-policy/colord-and-similar/main.fmf
new file mode 100644
index 0000000..418c370
--- /dev/null
+++ b/selinux-policy/colord-and-similar/main.fmf
@@ -0,0 +1,2 @@
+path: /selinux-policy/colord-and-similar
+tier: 2
diff --git a/selinux-policy/colord-and-similar/runtest.sh b/selinux-policy/colord-and-similar/runtest.sh
new file mode 100755
index 0000000..b385f8c
--- /dev/null
+++ b/selinux-policy/colord-and-similar/runtest.sh
@@ -0,0 +1,153 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/selinux-policy/Regression/colord-and-similar
+# Description: SELinux interferes with colord and related programs
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2012 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="selinux-policy"
+ROOT_PASSWORD="redhat"
+SERVICE_PACKAGE="colord"
+SERVICE_NAME="colord"
+PROCESS_NAME="colord"
+PROCESS_CONTEXT="colord_t"
+ALLOWED_USERS=${ALLOWED_USERS:-"staff_u user_u sysadm_u unconfined_u"}
+DENIED_USERS=${DENIED_USERS:-"guest_u xguest_u"}
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "rlImport 'selinux-policy/common'"
+ rlSESatisfyRequires
+ rlAssertRpm ${PACKAGE}
+ rlAssertRpm ${PACKAGE}-targeted
+ rlAssertRpm ${SERVICE_PACKAGE}
+
+ rlServiceStop ${SERVICE_NAME}
+ rlFileBackup /etc/shadow
+
+ rlSESetEnforce
+ rlSEStatus
+ rlSESetTimestamp
+ sleep 2
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1373082 + bz#1381579 + bz#1398030 + bz#1421247 + bz#1460480"
+ rlSEMatchPathCon "/usr/libexec/colord" "colord_exec_t"
+ rlSEMatchPathCon "/etc/udev/hwdb.bin" "systemd_hwdb_etc_t"
+ rlSESearchRule "allow colord_t systemd_hwdb_etc_t : file { getattr open read } [ ]"
+ rlPhaseEnd
+
+ if ! rlIsRHEL 5 ; then
+ rlPhaseStartTest "real scenario -- DBus service"
+ DESTINATION="org.freedesktop.ColorManager"
+ rlRun "gdbus introspect --system --object-path / --dest ${DESTINATION} >& /dev/null"
+ sleep 1
+ rlRun "ps -efZ | grep -v grep | grep ${PROCESS_NAME}"
+ rlRun "ps -efZ | grep -v grep | grep \"${PROCESS_CONTEXT}.*${PROCESS_NAME}\""
+ rlPhaseEnd
+ fi
+
+ if ! rlIsRHEL 5 6 7 ; then
+ rlPhaseStartTest "real scenario -- user session service"
+ rlFileBackup /etc/ssh/sshd_config
+ rlRun "sed -i 's/^.*PermitRootLogin.*$/PermitRootLogin yes/' /etc/ssh/sshd_config"
+ rlRun "sed -i 's/^.*PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config"
+ rlRun "service sshd restart"
+
+ rlRun "setsebool ssh_sysadm_login on"
+ rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"
+ for SELINUX_USER in ${ALLOWED_USERS} ; do
+ USER_NAME="user${RANDOM}"
+ USER_SECRET="S3kr3t${RANDOM}"
+ rlRun "useradd -Z ${SELINUX_USER} ${USER_NAME}"
+ rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"
+ rlRun "restorecon -RvF /home/${USER_NAME}"
+ rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost /usr/bin/systemctl --user --no-pager status colord-session"
+ rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost /usr/bin/systemctl --user --no-pager start colord-session"
+ rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost /usr/bin/systemctl --user --no-pager stop colord-session"
+ rlRun "userdel -rfZ ${USER_NAME}"
+ sleep 10
+ done
+ rlRun "setsebool ssh_sysadm_login off"
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1772669"
+ # TODO: find an agreement about which confined users should be allowed
+ rlSESearchRule "allow staff_t colord_t : dbus { send_msg } [ ]"
+ rlSESearchRule "allow colord_t staff_t : dbus { send_msg } [ ]"
+ rlSESearchRule "allow user_t colord_t : dbus { send_msg } [ ]"
+ rlSESearchRule "allow colord_t user_t : dbus { send_msg } [ ]"
+ rlSESearchRule "allow sysadm_t colord_t : dbus { send_msg } [ ]"
+ rlSESearchRule "allow colord_t sysadm_t : dbus { send_msg } [ ]"
+ rlSESearchRule "allow unconfined_t colord_t : dbus { send_msg } [ ]"
+ rlSESearchRule "allow colord_t unconfined_t : dbus { send_msg } [ ]"
+ rlPhaseEnd
+
+ rlPhaseStartTest "real scenario -- bz#1772669"
+ rlRun "setsebool ssh_sysadm_login on"
+ rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"
+ for SELINUX_USER in ${ALLOWED_USERS} ; do
+ USER_NAME="user${RANDOM}"
+ USER_SECRET="S3kr3t${RANDOM}"
+ rlRun "useradd -Z ${SELINUX_USER} ${USER_NAME}"
+ rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"
+ rlRun "restorecon -RvF /home/${USER_NAME}"
+ rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost colormgr get-devices"
+ sleep 2
+ rlRun "userdel -rfZ ${USER_NAME}"
+ sleep 10
+ done
+ rlRun "setsebool ssh_sysadm_login off"
+ rlPhaseEnd
+ fi
+
+ rlPhaseStartTest "real scenario"
+ rlRun "echo ${ROOT_PASSWORD} | passwd --stdin root"
+ if ! rlSEDefined ${PROCESS_CONTEXT} ; then
+ if rlIsRHEL 5 6 ; then
+ PROCESS_CONTEXT="initrc_t"
+ else
+ PROCESS_CONTEXT="unconfined_service_t"
+ fi
+ fi
+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "start status" 1
+ rlRun "restorecon -Rv /run /var"
+ rlSEService ${ROOT_PASSWORD} ${SERVICE_NAME} ${PROCESS_NAME} ${PROCESS_CONTEXT} "restart status stop status" 1
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ sleep 2
+ rlSECheckAVC
+
+ rlFileRestore
+ rlRun "service sshd restart"
+ rlServiceRestore ${SERVICE_NAME}
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
diff --git a/selinux-policy/colord-and-similar/ssh.exp b/selinux-policy/colord-and-similar/ssh.exp
new file mode 100755
index 0000000..1244013
--- /dev/null
+++ b/selinux-policy/colord-and-similar/ssh.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+# Expect script for SSH logging as $username to $hostname using $password and executing $command.
+# Usage:
+# ./ssh.exp username password hostname command
+set username [lrange $argv 0 0]
+set password [lrange $argv 1 1]
+set hostname [lrange $argv 2 2]
+set command [lrange $argv 3 10]
+set timeout 15
+# connect to remote host and execute given command
+log_user 1
+spawn ssh -t $username@$hostname "$command ; sleep 5"
+expect {
+ -nocase "yes/no" { send -- "yes\r" ; exp_continue }
+ -nocase "password" { send -- "$password\r" }
+}
+log_user 1
+# send -- "\r"
+expect eof
+
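Review bot: `rlRun "setsebool ssh_sysadm_login off"` at the end of the two user-session phases forces the boolean off regardless of what it was before the test, and nothing in rlPhaseStartCleanup puts it back, so a host that had it enabled is left changed, and a phase that aborts before that line leaves it on. Record the initial value in the setup phase, e.g. `SSH_SYSADM_LOGIN_ORIG=$(getsebool ssh_sysadm_login | awk '{print $NF}')`, and restore it in the cleanup phase with `rlRun "setsebool ssh_sysadm_login ${SSH_SYSADM_LOGIN_ORIG}"`. The sshd_config and /etc/shadow edits are already covered by rlFileBackup/rlFileRestore and the service by rlServiceRestore, so this boolean appears to be the only host state the test does not restore. Each `rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} ..."` call also passes the throwaway password on the command line, where it is visible in the process list while the login runs; that is tolerable on a disposable test host but deserves a one-line comment saying so.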
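Review bot: The script always exits 0: after `expect eof` the spawned ssh's exit status is never collected with `wait`, and the remote command line `"$command ; sleep 5"` replaces the command's own status with sleep's, so every `rlRun "./ssh.exp ..."` in runtest.sh passes even when `systemctl --user ... colord-session` or `colormgr get-devices` fails. Change the spawn line to `spawn ssh -t $username@$hostname "$command; rc=\$?; sleep 5; exit \$rc"` and end the script with `expect eof` followed by `exit [lindex [wait] 3]`. Separately, `set command [lrange $argv 3 10]` silently drops any words after the eleventh argument; `[lrange $argv 3 end]` keeps the whole command, and `lindex` rather than `lrange ... 0 0` yields plain strings for username, password and hostname. The `expect` block has no `timeout` branch, so a missing password prompt just falls through to `expect eof` without any diagnostic, and the second `log_user 1` is a no-op duplicate of the first.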