From d731f78c637fbc1d3cdda5a1279a2244fe03ecd3 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Feb 14 2018 12:39:35 +0000
Subject: Add tests from https://src.fedoraproject.org/rpms/checkpolicy/blob/master/f/tests
---
diff --git a/checkpolicy/checkmodule/Makefile b/checkpolicy/checkmodule/Makefile
new file mode 100644
index 0000000..7be6779
--- /dev/null
+++ b/checkpolicy/checkmodule/Makefile
@@ -0,0 +1,67 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/checkpolicy/Sanity/checkmodule +# Description: runs checkmodule with various options to find out if it behaves correctly +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. 
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/checkpolicy/Sanity/checkmodule
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE mypolicy.te
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: runs checkmodule with various options to find out if it behaves correctly" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 10m" >> $(METADATA)
+ @echo "RunFor: checkpolicy" >> $(METADATA)
+ @echo "Requires: checkpolicy" >> $(METADATA)
+ @echo "Requires: man" >> $(METADATA)
+ @echo "Requires: grep" >> $(METADATA)
+ @echo "Requires: mktemp" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/checkpolicy/checkmodule/PURPOSE b/checkpolicy/checkmodule/PURPOSE
new file mode 100644
index 0000000..e7316a6
--- /dev/null
+++ b/checkpolicy/checkmodule/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/checkpolicy/Sanity/checkmodule
+Author: Milos Malik
+
+This TC runs checkmodule with various options to find out if it behaves correctly.
+
diff --git a/checkpolicy/checkmodule/mypolicy.te b/checkpolicy/checkmodule/mypolicy.te
new file mode 100644
index 0000000..8a85503
--- /dev/null
+++ b/checkpolicy/checkmodule/mypolicy.te
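Review bot: `run` and `build` are command targets that never produce a file, yet `.PHONY: all install download clean` omits them, so a stray file named `build` in the test directory would make `build: $(BUILT_FILES)` look up to date and the `chmod a+x runtest.sh` step would be skipped; the line should read `.PHONY: all install download clean run build`. The same declaration is repeated unchanged in the Makefiles at L9, L13, L22 and L27. The `$(METADATA)` recipe also builds the file with a series of `>>` echoes and only then runs `rhts-lint` on it, so a lint failure leaves a newer-than-Makefile metadata file in place that the next `make` treats as done; a `.DELETE_ON_ERROR:` line near the top would make make remove it when the recipe fails.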
@@ -0,0 +1,9 @@
+module mypolicy 1.0;
+require {
+ type httpd_log_t;
+ type postfix_postdrop_t;
+ class dir getattr;
+ class file { read getattr };
+}
+allow postfix_postdrop_t httpd_log_t:file getattr;
+
diff --git a/checkpolicy/checkmodule/runtest.sh b/checkpolicy/checkmodule/runtest.sh
new file mode 100644
index 0000000..f4ee8ce
--- /dev/null
+++ b/checkpolicy/checkmodule/runtest.sh
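Review bot: The `require` block declares `class dir getattr` and `file read`, which the module's only rule, `allow postfix_postdrop_t httpd_log_t:file getattr;`, never uses; checkmodule accepts unused requires, so the fixture compiles, but trimming the block to `class file getattr;` keeps the fixture minimal and makes the one declaration the test depends on obvious. If the extra entries are deliberate (for instance to exercise the parser on a `{ … }` permission set), a one-line `#` comment in the file saying so would spare the next reader the question.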
@@ -0,0 +1,101 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/checkpolicy/Sanity/checkmodule +# Description: runs checkmodule with various options to find out if it behaves correctly +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. 
/usr/share/beakerlib/beakerlib.sh + +PACKAGE="checkpolicy" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + TEST_FILE=`mktemp` + TEST_DIR=`mktemp -d` + rlRun "rpm -ql ${PACKAGE} | grep bin/checkmodule" + rlPhaseEnd + + rlPhaseStartTest + rlRun "checkmodule >& ${TEST_FILE}" 1 + rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE} + rlRun "checkmodule -b >& ${TEST_FILE}" 1 + rlAssertGrep "loading policy configuration from policy" ${TEST_FILE} + rlRun "checkmodule -V" + rlRun "checkmodule -U 1>/dev/null" 1 + rlRun "rm -f policy.conf" + for OPTION in "deny" "reject" "allow" ; do + rlRun "checkmodule -U ${OPTION} >& ${TEST_FILE}" 1 + rlAssertGrep "unable to open policy.conf" ${TEST_FILE} + done + rlRun "rm -f ${TEST_FILE}" + rlRun "touch ${TEST_FILE}" + rlRun "rm -rf ${TEST_DIR}" + rlRun "mkdir ${TEST_DIR}" + rlRun "checkmodule ${TEST_FILE}" 1,2 + rlRun "checkmodule -b ${TEST_FILE}" 1 + rlRun "checkmodule ${TEST_DIR}" 1,2 + rlRun "checkmodule -b ${TEST_DIR}" 1 + rlRun "rm -f ${TEST_FILE}" + rlRun "rm -rf ${TEST_DIR}" + rlRun "checkmodule ${TEST_FILE}" 1 + rlRun "checkmodule -b ${TEST_FILE}" 1 + if rlIsRHEL 5 ; then + rlRun "checkmodule --help 2>&1 | grep -- -d" + fi + rlRun "checkmodule --help 2>&1 | grep -- -h" + rlRun "checkmodule --help 2>&1 | grep -- -U" + rlPhaseEnd + + rlPhaseStartTest + for POLICY_KIND in minimum mls targeted ; do + rlRun "checkmodule -M -m -b -o testmod.mod /etc/selinux/${POLICY_KIND}/policy/policy.* >& ${TEST_FILE}" 1 + rlRun "grep -i \"checkmodule.*-b and -m are incompatible with each other\" ${TEST_FILE}" + done + rlPhaseEnd + + rlPhaseStartTest + INPUT_FILE="mypolicy.te" + OUTPUT_FILE="mypolicy.output" + rlRun "ls -l ${INPUT_FILE}" + rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\"" + rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing binary representation.*to ${OUTPUT_FILE}\"" + rlRun 
"ls -l ${OUTPUT_FILE}"
+ if checkmodule --help | grep -q " CIL " ; then
+ rlRun "rm -f ${OUTPUT_FILE}"
+ rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\""
+ rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing CIL to ${OUTPUT_FILE}\""
+ rlRun "ls -l ${OUTPUT_FILE}"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "rm -rf ${TEST_FILE} ${TEST_DIR} ${OUTPUT_FILE}"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
diff --git a/checkpolicy/checkpolicy-docs/Makefile b/checkpolicy/checkpolicy-docs/Makefile
new file mode 100644
index 0000000..ea1a0bc
--- /dev/null
+++ b/checkpolicy/checkpolicy-docs/Makefile
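Review bot: In the first test phase the sequence `rlRun "rm -f ${TEST_FILE}"`, `rlRun "touch ${TEST_FILE}"`, `rlRun "rm -rf ${TEST_DIR}"`, `rlRun "mkdir ${TEST_DIR}"` recreates paths that `mktemp` and `mktemp -d` already created empty in the setup phase, so it gains nothing and opens a window in which another process could claim the temp name, after which the later `rm -rf ${TEST_DIR}` would remove whatever that process put there; the four lines can be dropped and the empty-file/empty-directory checks below them run on the mktemp originals unchanged. The same remove-and-recreate pattern is in checkpolicy/runtest.sh (L19). The `mktemp` results are also used unchecked; `TEST_DIR=$(mktemp -d) || exit 1` in the setup phase stops the run before any `rm -rf` is evaluated with an empty `${TEST_DIR}`.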
@@ -0,0 +1,64 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy +# Description: covers an issue where manpage included an unsupported option. +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: covers an issue where manpage included an unsupported option." 
>> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 1m" >> $(METADATA) + @echo "RunFor: checkpolicy" >> $(METADATA) + @echo "Requires: checkpolicy" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/checkpolicy/checkpolicy-docs/PURPOSE b/checkpolicy/checkpolicy-docs/PURPOSE new file mode 100644 index 0000000..bde34d7 --- /dev/null +++ b/checkpolicy/checkpolicy-docs/PURPOSE @@ -0,0 +1,7 @@ +PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy + +Description: covers an issue where manpage included an unsupported option. + +Author: Milos Malik + + diff --git a/checkpolicy/checkpolicy-docs/runtest.sh b/checkpolicy/checkpolicy-docs/runtest.sh new file mode 100644 index 0000000..83a7079 --- /dev/null +++ b/checkpolicy/checkpolicy-docs/runtest.sh 
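Review bot: `export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy` (and the `Name: $(TEST)` metadata line derived from it) reuses the name of the separate checkpolicy test whose Makefile at L13 exports the same value, while this test's own runtest.sh header calls it `/CoreOS/checkpolicy/Sanity/checkpolicy-docs`; two tests registered under one Name will presumably collide in the test catalog, so the export and the `# Makefile of …` header should read `/CoreOS/checkpolicy/Sanity/checkpolicy-docs` (the PURPOSE file in the next hunk repeats the wrong name). The runtest.sh also invokes `man` and `col`, but the metadata only declares `Requires: checkpolicy`; the checkmodule Makefile at L3 declares `Requires: man` for the same reason, and `col` ships in util-linux on current releases.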
@@ -0,0 +1,53 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy-docs +# Description: covers an issue where manpage included an unsupported option. +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh + +PACKAGE="checkpolicy" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + rlAssertExists "/usr/share/man/man8/checkpolicy.8.gz" + rlPhaseEnd + + rlPhaseStartTest + rlRun "man checkpolicy | col -b | grep -- '-m]'" 1 + rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/.*checkmodule" + if rlIsRHEL 5 ; then + rlRun "man checkmodule | col -b | grep -- -d" + fi + rlRun "man checkmodule | col -b | grep -- -h" + rlRun "man checkmodule | col -b | grep -- -U" + rlPhaseEnd + +rlJournalPrintText +rlJournalEnd + diff --git a/checkpolicy/checkpolicy/Makefile b/checkpolicy/checkpolicy/Makefile new file mode 100644 index 0000000..1ba29a4 --- /dev/null 
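Review bot: `rlRun "man checkpolicy | col -b | grep -- '-m]'" 1` expects exit status 1, i.e. the pattern must be absent, but grep also returns 1 when `man` fails and produces no output, so a missing `man` binary or a broken page makes the test pass vacuously; a positive check first, such as `rlRun "man checkpolicy | col -b | grep -q -- checkpolicy"`, pins that the page actually rendered (the `rlAssertExists` in setup only proves the compressed file exists). `rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/.*checkmodule"` passes the regex to the shell unquoted inside the rlRun string, so it is subject to pathname expansion and works only because nothing matches the glob; quote it as `grep '/usr/share/man/.*checkmodule'`.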
+++ b/checkpolicy/checkpolicy/Makefile 
@@ -0,0 +1,64 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy +# Description: runs checkpolicy with various options to find out if it behaves correctly +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE policy.conf.from.secilc + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: runs checkpolicy with various options to find out if it behaves correctly" >> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 10m" >> $(METADATA) + @echo "RunFor: checkpolicy setools" >> $(METADATA) + @echo "Requires: checkpolicy setools-console selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/checkpolicy/checkpolicy/PURPOSE b/checkpolicy/checkpolicy/PURPOSE new file mode 100644 index 0000000..c60c59e --- /dev/null +++ b/checkpolicy/checkpolicy/PURPOSE @@ -0,0 +1,7 @@ +PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy + +Description: runs checkpolicy with various options to find out if it behaves correctly + +Author: Milos Malik + + diff --git a/checkpolicy/checkpolicy/policy.conf.from.secilc b/checkpolicy/checkpolicy/policy.conf.from.secilc new file mode 100644 index 0000000..938af91 --- /dev/null +++ b/checkpolicy/checkpolicy/policy.conf.from.secilc 
@@ -0,0 +1,143 @@ +class file +class process +class char + +sid kernel +sid security +sid unlabeled + +common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton } + +class file inherits file { execute_no_trans entrypoint execmod open audit_access } +class char inherits file { foo transition } +class process { open } + +sensitivity s0 alias sens0; +sensitivity s1; + +dominance { s0 s1 } + +category c0 alias cat0; +category c1; +category c2; + +level s0:c0.c2; +level s1:c0.c2; + +mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2))); +mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2)); +mlsconstrain file { open } (l1 dom h2); +mlsconstrain file { open } (h1 domby l2); +mlsconstrain file { open } (l1 incomp l2); + +mlsvalidatetrans file (h1 domby l2); + +attribute foo_type; +attribute bar_type; +attribute baz_type; +attribute exec_type; + +type bin_t, bar_type, exec_type; +type kernel_t, foo_type, exec_type, baz_type; +type security_t, baz_type; +type unlabeled_t, baz_type; + +type exec_t, baz_type; +type console_t, baz_type; +type auditadm_t, baz_type; +type console_device_t, baz_type; +type user_tty_device_t, baz_type; +type device_t, baz_type; +type getty_t, baz_type; +type a_t, baz_type; +type b_t, baz_type; + +typealias bin_t alias sbin_t; + +bool secure_mode false; +bool console_login true; +bool b1 false; + +role system_r; +role user_r; +role system_r types bin_t; +role system_r types kernel_t; +role system_r types security_t; +role system_r types unlabeled_t; + +policycap open_perms; +permissive device_t; + +range_transition device_t console_t : file s0:c0 - s1:c0.c1; + +type_transition device_t console_t : file console_device_t; +type_member device_t bin_t : file exec_t; + +if console_login{ + type_change auditadm_t console_device_t : file user_tty_device_t; +} + +role_transition system_r bin_t user_r; + +auditallow device_t auditadm_t: 
file { open }; +dontaudit device_t auditadm_t: file { read }; + +allow system_r user_r; + +allow console_t console_device_t: char { write setattr }; +allow console_t console_device_t: file { open read getattr }; +allow foo_type self: file { execute }; +allow bin_t device_t: file { execute }; +allow bin_t exec_t: file { execute }; +allow bin_t bin_t: file { execute }; +allow a_t b_t : file { write }; +allow console_t console_device_t: file { read write getattr setattr lock append }; +allow kernel_t kernel_t : file { execute }; + +if b1 { + allow a_t b_t : file { read }; +} + +if secure_mode{ + auditallow device_t exec_t: file { read write }; +} + +if console_login{ + allow getty_t console_device_t: file { getattr open read write append }; +} +else { + dontaudit getty_t console_device_t: file { getattr open read write append }; +} + +if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){ + allow bin_t exec_t: file { execute }; +} + +user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1; +user user_u roles user_r level s0:c0 range s0:c0 - s0:c0; + +validatetrans file (t1 == exec_t); + +constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2))); +constrain file { open } (r1 dom r2); +constrain file { open } (r1 domby r2); +constrain file { open } (r1 incomp r2); +constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2))); +constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2))); + + +sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1 +sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1 +sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1 + +fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1; + +genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1 + +portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 +portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 + +netifcon eth0 
system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
+
+nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
+nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1
diff --git a/checkpolicy/checkpolicy/runtest.sh b/checkpolicy/checkpolicy/runtest.sh
new file mode 100644
index 0000000..815dbaf
--- /dev/null
+++ b/checkpolicy/checkpolicy/runtest.sh
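Review bot: The fixture carries no header explaining where it comes from or how it is used; checkpolicy/runtest.sh only compiles it (`checkpolicy -M -c ${CUR_VERSION} -o policy.out policy.conf.from.secilc`) and inspects the result with seinfo, so statements such as `permissive device_t;` or the `nodecon` and `portcon` entries never reach a running kernel, but a reader of the file alone cannot tell that. A `#` comment at the top along the lines of `# Compile-only fixture for the checkpolicy Sanity test: built with checkpolicy -c <version> and read back with seinfo, never loaded.` would record it (policy.conf accepts `#` comments). The filename suggests it is the policy.conf rendering of the secilc test policy; confirm that before stating it in the header.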
@@ -0,0 +1,153 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy +# Description: runs checkpolicy with various options to find out if it behaves correctly +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh + +PACKAGE="checkpolicy" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + rlAssertRpm selinux-policy-minimum + rlAssertRpm selinux-policy-mls + rlAssertRpm selinux-policy-targeted + rlRun "uname -a" + TEST_FILE=`mktemp` + TEST_DIR=`mktemp -d` + OUTPUT_FILE=`mktemp` + rlAssertExists "/usr/bin/checkpolicy" + rlPhaseEnd + + rlPhaseStartTest "compilation from policy.conf" + MIN_VERSION="15" + MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . 
-f 2 | head -n 1` + if rlIsRHEL 5 6 ; then + VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}` + else + # some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23" + VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23` + fi + for CUR_VERSION in ${VERSIONS} ; do + rlRun "rm -f policy.out" + rlWatchdog "checkpolicy -M -c ${CUR_VERSION} -o policy.out policy.conf.from.secilc" 15 + if [ -s policy.out ] ; then + rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}" + rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}" + else + rlRun "ls -l policy.out" + fi + done + rlPhaseEnd + + rlPhaseStartTest + rlRun "checkpolicy >& ${TEST_FILE}" 1 + rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE} + rlRun "checkpolicy -b >& ${TEST_FILE}" 1 + rlAssertGrep "loading policy configuration from policy" ${TEST_FILE} + rlRun "checkpolicy -V" + rlRun "checkpolicy -U 2>&1 | grep \"option requires an argument\"" + rlRun "checkpolicy -U xyz" 1 + rlRun "rm -f policy.conf" + if ! 
rlIsRHEL 4 ; then + for OPTION in "deny" "reject" "allow" ; do + rlRun "checkpolicy -U ${OPTION} >& ${TEST_FILE}" 1 + rlAssertGrep "unable to open policy.conf" ${TEST_FILE} + done + fi + rlRun "rm -f ${TEST_FILE}" + rlRun "touch ${TEST_FILE}" + rlRun "rm -rf ${TEST_DIR}" + rlRun "mkdir ${TEST_DIR}" + rlRun "checkpolicy ${TEST_FILE}" 1,2 + rlRun "checkpolicy -b ${TEST_FILE}" 1 + rlRun "checkpolicy ${TEST_DIR}" 1,2 + rlRun "checkpolicy -b ${TEST_DIR}" 1 + rlRun "rm -f ${TEST_FILE}" + rlRun "rm -rf ${TEST_DIR}" + rlRun "checkpolicy ${TEST_FILE}" 1 + rlRun "checkpolicy -b ${TEST_FILE}" 1 + rlRun "checkpolicy -c 2>&1 | grep \"option requires an argument\"" + rlRun "checkpolicy -c 0 2>&1 | grep \"value 0 not in range\"" + rlRun "checkpolicy -t 2>&1 | grep \"option requires an argument\"" + rlRun "checkpolicy -t xyz 2>&1 | grep -i \"unknown target platform\"" + rlRun "checkpolicy --help 2>&1 | grep -- '-m]'" 1 + rlPhaseEnd + + rlPhaseStartTest + if rlIsRHEL 5 6 ; then + ACTIVE_POLICY="/selinux/policy" + else + ACTIVE_POLICY="/sys/fs/selinux/policy" + fi + rlRun "echo -e 'q\n' | checkpolicy -Mdb ${ACTIVE_POLICY} | tee ${OUTPUT_FILE}" + rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1 + for POLICY_TYPE in minimum mls targeted ; do + if [ ! -e /etc/selinux/${POLICY_TYPE}/policy/policy.* ] ; then + continue + fi + rlRun "echo -e 'q\n' | checkpolicy -Mdb /etc/selinux/${POLICY_TYPE}/policy/policy.* | tee ${OUTPUT_FILE}" + rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1 + done + rlPhaseEnd + + rlPhaseStartTest + if rlIsRHEL 5 6 ; then + ACTIVE_POLICY_TREE="/selinux" + else # RHEL-7 and above + ACTIVE_POLICY_TREE="/sys/fs/selinux" + fi + MIN_VERSION="15" + MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . 
-f 2 | head -n 1` + for POLICY_TYPE in minimum mls targeted ; do + if rlIsRHEL 5 6 ; then + VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}` + else + # some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23" + VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23` + fi + for CUR_VERSION in ${VERSIONS} ; do + rlRun "rm -f policy.out" + rlWatchdog "checkpolicy -b -M -c ${CUR_VERSION} -o policy.out /etc/selinux/${POLICY_TYPE}/policy/policy.${MAX_VERSION}" 15 + if [ -s policy.out ] ; then + rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}" + rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}" + else + rlRun "ls -l policy.out" + fi + done + done + rlPhaseEnd + + rlPhaseStartCleanup + rm -f ${OUTPUT_FILE} policy.out + rlPhaseEnd +rlJournalPrintText +rlJournalEnd + diff --git a/checkpolicy/sedismod/Makefile b/checkpolicy/sedismod/Makefile new file mode 100644 index 0000000..62a901c --- /dev/null +++ b/checkpolicy/sedismod/Makefile 
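Review bot: `MAX_VERSION` is computed as `find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . -f 2 | head -n 1`, which returns whichever policy file `find` happens to list first rather than the highest version, and the inner loop then opens `/etc/selinux/${POLICY_TYPE}/policy/policy.${MAX_VERSION}` for every policy type, which fails on any host whose installed types carry different versions (this phase has no existence check, unlike the `-Mdb` phase above it). Replacing `head -n 1` with `sort -n | tail -n 1` yields the real maximum, and deriving the version per type inside the loop, e.g. `CUR_MAX=$(ls /etc/selinux/${POLICY_TYPE}/policy/policy.* | sed 's/.*\.//')`, makes the path robust; the same `find` expression is duplicated in the first phase (L17-L18). The comment `# some versions are skipped because seinfo segfaults … v.23"` also ends in a stray quote in both places.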
@@ -0,0 +1,65 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/checkpolicy/Sanity/sedismod +# Description: Does sedismod work correctly ?) +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/checkpolicy/Sanity/sedismod +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE sedismod.exp + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + test -x sedismod.exp || chmod a+x sedismod.exp + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Does sedismod work correctly?" 
>> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 10m" >> $(METADATA) + @echo "RunFor: checkpolicy" >> $(METADATA) + @echo "Requires: checkpolicy selinux-policy-targeted expect policycoreutils psmisc" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/checkpolicy/sedismod/PURPOSE b/checkpolicy/sedismod/PURPOSE new file mode 100644 index 0000000..3c9db2c --- /dev/null +++ b/checkpolicy/sedismod/PURPOSE @@ -0,0 +1,5 @@ +PURPOSE of /CoreOS/checkpolicy/Sanity/sedismod +Author: Milos Malik + +Does sedismod work correctly? + diff --git a/checkpolicy/sedismod/runtest.sh b/checkpolicy/sedismod/runtest.sh new file mode 100755 index 0000000..8f86e9e --- /dev/null +++ b/checkpolicy/sedismod/runtest.sh 
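Review bot: The header comment `# Description: Does sedismod work correctly ?)` has a stray space and closing parenthesis that the metadata line `Description: Does sedismod work correctly?` does not; make the header read `# Description: Does sedismod work correctly?`. The `build` rule's `test -x runtest.sh || chmod a+x runtest.sh` guard is a nicer form than the unconditional `chmod` in the checkmodule and checkpolicy Makefiles; worth aligning those with this one.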
@@ -0,0 +1,83 @@ +#!/bin/bash +# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/checkpolicy/Sanity/sedismod +# Description: Does sedismod work correctly +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include Beaker environment +. /usr/bin/rhts-environment.sh || exit 1 +. 
/usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="checkpolicy" +# TODO: repeat for all policy modules that are installed under /etc/selinux +if rlIsFedora ; then + POLICY_FILE="`find /var/lib/selinux/targeted -type d -name base`/hll" +elif rlIsRHEL '<7.3' ; then + POLICY_FILE=`find /etc/selinux/targeted -type f -name base.pp` +else # RHEL-7.3 and above + POLICY_FILE="`find /etc/selinux/targeted -type d -name base`/hll" +fi + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + OUTPUT_FILE=`mktemp` + if rlIsRHEL '>=7.3' || rlIsFedora ; then + rlRun "semodule -H -E base" + else + rlRun "cp ${POLICY_FILE} ./base.pp.bz2" + rlRun "rm -f base.pp" + rlRun "bzip2 -d ./base.pp.bz2" + fi + POLICY_FILE="base.pp" + rlRun "ls -l ${POLICY_FILE}" + rlPhaseEnd + + rlPhaseStartTest "check all available options" + if rlIsRHEL 6 ; then + AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 0 a b c u" + else # RHEL-7 and above + AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 9 0 a b c u F" + fi + for OPTION in ${AVAILABLE_OPTIONS} ; do + rlRun "rm -f ${OUTPUT_FILE}" + rlWatchdog "./sedismod.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65 + # rlWatchdog kills the expect script, but we need to kill the sedismod process too + rlRun "killall sedismod" 0,1 + rlRun "ls -l ${OUTPUT_FILE}" + if [ -s ${OUTPUT_FILE} ] ; then + rlPass "sedismod produced some output" + else + rlFail "sedismod did not produce any output" + fi + done + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "rm -f ${OUTPUT_FILE} ${POLICY_FILE}" + rlPhaseEnd +rlJournalPrintText +rlJournalEnd + diff --git a/checkpolicy/sedismod/sedismod.exp b/checkpolicy/sedismod/sedismod.exp new file mode 100755 index 0000000..7409bfe --- /dev/null +++ b/checkpolicy/sedismod/sedismod.exp 
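Review bot: The `POLICY_FILE` values computed at the top for the `rlIsFedora` and RHEL ≥ 7.3 branches are never read: in the setup phase those same releases run `semodule -H -E base` and then `POLICY_FILE="base.pp"` overwrites the variable, so only the `rlIsRHEL '<7.3'` result (`find /etc/selinux/targeted -type f -name base.pp`) is ever used, by the `cp`. Moving that single `find` into the `else` branch of the setup phase and deleting the other two assignments removes the dead code and the `find` calls that now run on every host. Separately, `rlRun "killall sedismod" 0,1` terminates every `sedismod` process on the host, not just the child the watchdog-killed expect script left behind; restricting it to the current user's processes, `rlRun "pkill -u \"$(id -u)\" -x sedismod" 0,1`, narrows the effect on shared test machines.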
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+# ./sedismod.exp option policyfile outputfile
+set option [lrange $argv 0 0]
+set policyfile [lrange $argv 1 1]
+set outputfile [lrange $argv 2 2]
+set timeout 60
+spawn sedismod $policyfile
+expect "Command*:" {
+ send -- "f\r"
+}
+expect "Filename*:" {
+ send -- "$outputfile\r"
+}
+expect "Command*:" {
+ send -- "$option\r"
+}
+expect "Command*:" {
+ send -- "q\r"
+}
+expect eof
+
diff --git a/checkpolicy/sedispol/Makefile b/checkpolicy/sedispol/Makefile
new file mode 100644
index 0000000..f39bae8
--- /dev/null
+++ b/checkpolicy/sedispol/Makefile
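Review bot: `set option [lrange $argv 0 0]` and the two `lrange` lines after it return a one-element list rather than the element itself, so an argument containing whitespace or Tcl special characters would arrive brace-quoted in the `send` strings; the idiomatic accessor is `lindex`: `set option [lindex $argv 0]`, `set policyfile [lindex $argv 1]`, `set outputfile [lindex $argv 2]`. Nothing checks that three arguments were supplied, so a missing one silently sends an empty command or filename to sedismod; `if {[llength $argv] != 3} { puts stderr "usage: sedismod.exp option policyfile outputfile"; exit 2 }` before the `spawn` fails fast instead. The `expect` blocks also have no `timeout` arm, so after the 60 s `timeout` the script just proceeds to the next `send`; a `timeout { exit 1 }` arm on at least the first `Command*:` prompt makes a hung sedismod visible to the caller.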
@@ -0,0 +1,65 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/checkpolicy/Sanity/sedispol
+# Description: Does sedispol work correctly?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/checkpolicy/Sanity/sedispol
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE sedispol.exp
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+ test -x sedispol.exp || chmod a+x sedispol.exp
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Does sedispol work correctly?" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 10m" >> $(METADATA)
+ @echo "RunFor: checkpolicy" >> $(METADATA)
+ @echo "Requires: checkpolicy selinux-policy expect" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/checkpolicy/sedispol/PURPOSE b/checkpolicy/sedispol/PURPOSE
new file mode 100644
index 0000000..4ab0c43
--- /dev/null
+++ b/checkpolicy/sedispol/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/checkpolicy/Sanity/sedispol
+Author: Milos Malik
+
+Does sedispol work correctly?
+
diff --git a/checkpolicy/sedispol/runtest.sh b/checkpolicy/sedispol/runtest.sh
new file mode 100755
index 0000000..5ed441b
--- /dev/null
+++ b/checkpolicy/sedispol/runtest.sh
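Review bot: `run` and `build` are missing from `.PHONY: all install download clean` although neither rule creates a file of that name, so a stray file called `build` or `run` in the test directory makes `make run` skip the chmod step or do nothing at all; `.PHONY: all install download clean run build` closes that gap (`all`, `install` and `download` presumably come from the included `rhts-make.include`). The `$(METADATA)` recipe appends to its target line by line, so a failure midway (for example a non-zero `rhts-lint`) leaves a partially written metadata file that looks up to date on the next run; a `.DELETE_ON_ERROR:` line near the top of the file makes make remove the half-written target instead.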
@@ -0,0 +1,77 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/checkpolicy/Sanity/sedispol
+# Description: Does sedispol work correctly?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="checkpolicy"
+# TODO: repeat for all policy files that are installed under /etc/selinux
+POLICY_FILE=`find /etc/selinux/targeted/policy/ -type f`
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm ${PACKAGE}
+ OUTPUT_FILE=`mktemp`
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ if rlIsRHEL 6 ; then
+ AVAILABLE_OPTIONS="1 2 3 4 5 6 c p u"
+ else # RHEL-7 and above
+ AVAILABLE_OPTIONS="1 2 3 4 5 6 8 c p u F"
+ fi
+ for OPTION in ${AVAILABLE_OPTIONS} ; do
+ rlRun "rm -f ${OUTPUT_FILE}"
+ rlWatchdog "./sedispol.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
+ # rlWatchdog kills the expect script, but we need to kill the sedispol process too
+ rlRun "killall sedispol" 0,1
+ rlRun "ls -l ${OUTPUT_FILE}"
+ if [ -s ${OUTPUT_FILE} ] ; then
+ rlPass "sedispol produced some output"
+ else
+ rlFail "sedispol did not produce any output"
+ fi
+ done
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "echo q | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
+ rlRun "grep AVTAB ${OUTPUT_FILE}"
+ rlRun "grep AVTAG ${OUTPUT_FILE}" 1
+ rlRun "echo -en 'u\nq\n' | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
+ rlRun "grep permissions ${OUTPUT_FILE}"
+ rlRun "grep permisions ${OUTPUT_FILE}" 1
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "rm -f ${OUTPUT_FILE}"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
diff --git a/checkpolicy/sedispol/sedispol.exp b/checkpolicy/sedispol/sedispol.exp
new file mode 100755
index 0000000..462e3b8
--- /dev/null
+++ b/checkpolicy/sedispol/sedispol.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+# ./sedispol.exp option policyfile outputfile
+set option [lrange $argv 0 0]
+set policyfile [lrange $argv 1 1]
+set outputfile [lrange $argv 2 2]
+set timeout 60
+spawn sedispol $policyfile
+expect "Command*:" {
+ send -- "f\r"
+}
+expect "Filename*:" {
+ send -- "$outputfile\r"
+}
+expect "Command*:" {
+ send -- "$option\r"
+}
+expect "Command*:" {
+ send -- "q\r"
+}
+expect eof
+
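Review bot: `POLICY_FILE=\`find /etc/selinux/targeted/policy/ -type f\`` is expanded unquoted into `./sedispol.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}`, so if that directory holds more than one file (it can keep several `policy.NN` versions side by side) the extra paths push `${OUTPUT_FILE}` out of argv position 2 and the expect script sends sedispol's dump to the wrong filename; pick one file deterministically, e.g. `POLICY_FILE=$(find /etc/selinux/targeted/policy/ -type f -name 'policy.*' | sort -V | tail -n 1)`, and check it in setup with `rlAssertExists "${POLICY_FILE}"`. The `rlRun "rm -f ${OUTPUT_FILE}"` at the top of the loop discards the file mktemp created and lets sedispol recreate that same name in /tmp, which throws away mktemp's safe-creation guarantee; truncating with `rlRun ": > ${OUTPUT_FILE}"` keeps the file and still satisfies the `-s` check below. The two `rlPhaseStartTest` calls carry no name, unlike the setup and cleanup phases, so the journal cannot tell the option sweep from the grep checks; `rlPhaseStartTest "check all available options"` and `rlPhaseStartTest "check q and u command output"` would make the report readable.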