|
 |
f97a294 |
#!/bin/bash
|
|
|
f97a294 |
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
|
|
f97a294 |
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
f97a294 |
#
|
|
|
f97a294 |
# runtest.sh of /CoreOS/policycoreutils/Sanity/setsebool
|
|
|
f97a294 |
# Description: does setsebool work correctly ?
|
|
|
f97a294 |
# Author: Milos Malik <mmalik@redhat.com>
|
|
|
f97a294 |
#
|
|
|
f97a294 |
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
f97a294 |
#
|
|
|
f97a294 |
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
|
|
f97a294 |
#
|
|
|
f97a294 |
# This copyrighted material is made available to anyone wishing
|
|
|
f97a294 |
# to use, modify, copy, or redistribute it subject to the terms
|
|
|
f97a294 |
# and conditions of the GNU General Public License version 2.
|
|
|
f97a294 |
#
|
|
|
f97a294 |
# This program is distributed in the hope that it will be
|
|
|
f97a294 |
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
|
f97a294 |
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
|
f97a294 |
# PURPOSE. See the GNU General Public License for more details.
|
|
|
f97a294 |
#
|
|
|
f97a294 |
# You should have received a copy of the GNU General Public
|
|
|
f97a294 |
# License along with this program; if not, write to the Free
|
|
|
f97a294 |
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
|
f97a294 |
# Boston, MA 02110-1301, USA.
|
|
|
f97a294 |
#
|
|
|
f97a294 |
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
f97a294 |
|
|
|
f97a294 |
# Include rhts environment
|
|
|
f97a294 |
. /usr/bin/rhts-environment.sh
|
|
|
f97a294 |
. /usr/share/beakerlib/beakerlib.sh
|
|
|
f97a294 |
|
|
|
f97a294 |
PACKAGE="policycoreutils"
|
|
|
f97a294 |
USER_NAME="user${RANDOM}"
|
|
|
f97a294 |
USER_SECRET="s3kr3t${RANDOM}"
|
|
|
f97a294 |
BOOLEAN="ftpd_connect_db"
|
|
|
f97a294 |
if rlIsRHEL 5 6 ; then
|
|
|
f97a294 |
SELINUX_FS_MOUNT="/selinux"
|
|
|
f97a294 |
else # RHEL-7 and above
|
|
|
f97a294 |
SELINUX_FS_MOUNT="/sys/fs/selinux"
|
|
|
f97a294 |
fi
|
|
|
f97a294 |
|
|
|
f97a294 |
rlJournalStart
|
|
|
f97a294 |
rlPhaseStartSetup
|
|
|
f97a294 |
rlAssertRpm ${PACKAGE}
|
|
|
f97a294 |
OUTPUT_FILE=`mktemp`
|
|
|
f97a294 |
chcon -t tmp_t ${OUTPUT_FILE}
|
|
|
f97a294 |
|
|
|
f97a294 |
rlRun "useradd ${USER_NAME}"
|
|
|
f97a294 |
rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"
|
|
|
f97a294 |
rlPhaseEnd
|
|
|
f97a294 |
|
|
|
f97a294 |
rlPhaseStartTest
|
|
|
f97a294 |
for OPTION in "" "-P" ; do
|
|
|
f97a294 |
for OPERATOR in " " "=" ; do
|
|
|
f97a294 |
for VALUE in 0 1 false true off on ; do
|
|
|
f97a294 |
rlRun "setsebool ${OPTION} ${BOOLEAN}${OPERATOR}${VALUE} | grep -i -e illegal -e usage -e invalid" 1
|
|
|
f97a294 |
if [ ${VALUE} == "0" -o ${VALUE} == "false" ] ; then
|
|
|
f97a294 |
SHOWN_VALUE="off"
|
|
|
f97a294 |
elif [ ${VALUE} == "1" -o ${VALUE} == "true" ] ; then
|
|
|
f97a294 |
SHOWN_VALUE="on"
|
|
|
f97a294 |
else
|
|
|
f97a294 |
SHOWN_VALUE=${VALUE}
|
|
|
f97a294 |
fi
|
|
|
f97a294 |
rlRun "getsebool -a | grep \"^${BOOLEAN}.*${SHOWN_VALUE}\""
|
|
|
f97a294 |
done
|
|
|
f97a294 |
done
|
|
|
f97a294 |
done
|
|
|
f97a294 |
rlPhaseEnd
|
|
|
f97a294 |
|
|
|
f97a294 |
rlPhaseStartTest
|
|
|
f97a294 |
rlRun "setsebool" 1
|
|
|
f97a294 |
rlRun "setsebool xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
|
|
|
f97a294 |
rlRun "setsebool xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
|
|
f97a294 |
rlRun "setsebool xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
|
|
f97a294 |
if ! rlIsRHEL 5 6 ; then
|
|
|
f97a294 |
rlRun "setsebool -N 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
|
|
|
f97a294 |
rlRun "setsebool -P 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
|
|
|
f97a294 |
fi
|
|
|
f97a294 |
rlRun "setsebool -P xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
|
|
|
f97a294 |
rlRun "setsebool -P xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
|
|
f97a294 |
rlRun "setsebool -P xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
|
|
f97a294 |
rlPhaseEnd
|
|
|
f97a294 |
|
|
|
f97a294 |
if ! rlIsRHEL 5 6 ; then
|
|
|
f97a294 |
rlPhaseStartTest
|
|
|
f97a294 |
rlRun "su -l -c '/usr/sbin/setsebool allow_ypbind 0' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
|
|
f97a294 |
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
|
|
f97a294 |
rlRun "su -l -c '/usr/sbin/setsebool allow_ypbind 1' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
|
|
f97a294 |
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
|
|
f97a294 |
rlRun "su -l -c '/usr/sbin/setsebool -P allow_ypbind 0' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
|
|
f97a294 |
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
|
|
f97a294 |
rlRun "su -l -c '/usr/sbin/setsebool -P allow_ypbind 1' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
|
|
f97a294 |
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
|
|
f97a294 |
rlPhaseEnd
|
|
|
f97a294 |
|
|
|
f97a294 |
rlPhaseStartTest
|
|
|
f97a294 |
for OPTION in "" "-P" ; do
|
|
|
f97a294 |
rlRun "getsebool allow_ypbind | grep nis_enabled"
|
|
|
f97a294 |
rlRun "setsebool ${OPTION} allow_ypbind on"
|
|
|
f97a294 |
rlRun "getsebool allow_ypbind | grep \"nis_enabled.*on\""
|
|
|
f97a294 |
rlRun "setsebool ${OPTION} allow_ypbind off"
|
|
|
f97a294 |
rlRun "getsebool allow_ypbind | grep \"nis_enabled.*off\""
|
|
|
f97a294 |
done
|
|
|
f97a294 |
rlPhaseEnd
|
|
|
f97a294 |
|
|
|
f97a294 |
rlPhaseStartTest
|
|
|
f97a294 |
# https://fedoraproject.org/wiki/Features/SELinuxBooleansRename
|
|
|
f97a294 |
for LINE in `cat /etc/selinux/*/booleans.subs_dist | sort | uniq | tr -s ' ' | tr ' ' ':'` ; do
|
|
|
f97a294 |
OLD_BOOLEAN_NAME=`echo ${LINE} | cut -d : -f 1`
|
|
|
f97a294 |
NEW_BOOLEAN_NAME=`echo ${LINE} | cut -d : -f 2`
|
|
|
f97a294 |
rlRun "getsebool ${OLD_BOOLEAN_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
|
|
f97a294 |
rlRun "getsebool ${NEW_BOOLEAN_NAME} 2>&1 | tee -a ${OUTPUT_FILE}"
|
|
|
f97a294 |
rlRun "uniq -c ${OUTPUT_FILE} | grep '2 '"
|
|
|
f97a294 |
done
|
|
|
f97a294 |
rlPhaseEnd
|
|
|
f97a294 |
fi
|
|
|
f97a294 |
|
|
|
f97a294 |
rlPhaseStartTest "audit messages"
|
|
|
f97a294 |
START_DATE_TIME=`date "+%m/%d/%Y %T"`
|
|
|
f97a294 |
sleep 1
|
|
|
f97a294 |
rlRun "setsebool ${BOOLEAN} on"
|
|
|
f97a294 |
rlRun "setsebool ${BOOLEAN} off"
|
|
|
f97a294 |
rlRun "setsebool ${BOOLEAN} on"
|
|
|
f97a294 |
sleep 1
|
|
|
f97a294 |
rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=1 old_val=0\""
|
|
|
f97a294 |
rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=0 old_val=1\""
|
|
|
f97a294 |
if rlIsRHEL ; then
|
|
|
f97a294 |
rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=SYSCALL.*comm=setsebool\""
|
|
|
f97a294 |
fi
|
|
|
f97a294 |
rlPhaseEnd
|
|
|
f97a294 |
|
|
|
f97a294 |
rlPhaseStartTest "extreme cases"
|
|
|
f97a294 |
# pretend that no booleans are defined
|
|
|
f97a294 |
rlRun "mkdir ./booleans"
|
|
|
f97a294 |
rlRun "mount --bind ./booleans ${SELINUX_FS_MOUNT}/booleans"
|
|
|
f97a294 |
rlRun "setsebool ${BOOLEAN} on 2>&1 | tee ${OUTPUT_FILE}"
|
|
|
f97a294 |
rlAssertGrep "could not change active booleans" ${OUTPUT_FILE} -i
|
|
|
f97a294 |
rlRun "setsebool ${BOOLEAN} off 2>&1 | tee ${OUTPUT_FILE}"
|
|
|
f97a294 |
rlAssertGrep "could not change active booleans" ${OUTPUT_FILE} -i
|
|
|
f97a294 |
rlRun "umount ${SELINUX_FS_MOUNT}/booleans"
|
|
|
f97a294 |
rlRun "rmdir ./booleans"
|
|
|
f97a294 |
rlPhaseEnd
|
|
|
f97a294 |
|
|
|
f97a294 |
rlPhaseStartCleanup
|
|
|
f97a294 |
rlRun "userdel -rf ${USER_NAME}"
|
|
|
f97a294 |
rm -f ${OUTPUT_FILE}
|
|
|
f97a294 |
rlPhaseEnd
|
|
|
f97a294 |
rlJournalPrintText
|
|
|
f97a294 |
rlJournalEnd
|
|
|
f97a294 |
|