#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/policycoreutils/Sanity/file-contexts
# Description: Test semanage fcontext, restorecon, fixfiles, chcon
# Author: Jan Zarsky <jzarsky@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2018 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="policycoreutils"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
RUN_CON="system_u:object_r:var_run_t:s0"
HOME_BIN_CON="unconfined_u:object_r:home_bin_t:s0"
FILE_CON="user_tmp_t"
TEST_CON="user_home_t"
TEST_CON2="tmp_t"
function checkFC {
ls -dZ $1
ls -dZ $1 | grep $2
return $?
}
rlPhaseEnd
rlPhaseStartTest "semanage fcontext -l"
rlRun "semanage fcontext -l >stdout"
rlAssertGrep "SELinux fcontext" stdout
rlAssertGrep "SELinux Distribution fcontext Equivalence" stdout
rlAssertGrep "/run/\.\* *all files *$RUN_CON" stdout
rlAssertGrep "/run *directory *$RUN_CON" stdout
rlAssertGrep "/home/\[\^/\]+/bin(/\.\*)? *all files *$HOME_BIN_CON" stdout
rlAssertGrep "/run = /var/run" stdout
rlPhaseEnd
rlPhaseStartTest "semanage fcontext add and delete"
rlRun "mkdir /tmp/test"
rlRun "pushd /tmp/test"
DIR=$(pwd)
# add custom file context
rlRun "semanage fcontext -a -t $TEST_CON '$DIR/asdf'"
rlRun "semanage fcontext -l -C | grep '$DIR/asdf *all files *system_u:object_r:$TEST_CON'"
# test for regular file
rlRun "touch asdf"
rlRun "checkFC asdf $FILE_CON"
rlRun "restorecon asdf"
rlRun "checkFC asdf $TEST_CON"
rlRun "rm asdf"
# test for directory
rlRun "mkdir asdf"
rlRun "checkFC asdf $FILE_CON"
rlRun "restorecon asdf"
rlRun "checkFC asdf $TEST_CON"
rlRun "rmdir asdf"
# modify the context
rlRun "semanage fcontext -m -t $TEST_CON2 '$DIR/asdf'"
rlRun "semanage fcontext -l -C | grep '$DIR/asdf *all files *system_u:object_r:$TEST_CON2'"
# test
rlRun "touch asdf"
rlRun "checkFC asdf $FILE_CON"
rlRun "restorecon asdf"
rlRun "checkFC asdf $TEST_CON2"
rlRun "rm asdf"
# delete the context
rlRun "semanage fcontext -d '$DIR/asdf'"
rlRun "popd"
rlRun "rm -rf /tmp/test"
rlPhaseEnd
rlPhaseStartTest "semanage fcontext add and delete with file type"
rlRun "mkdir /tmp/test"
rlRun "pushd /tmp/test"
DIR=$(pwd)
# add custom file context for regular files
rlRun "semanage fcontext -a -f f -t $TEST_CON '$DIR/asdf'"
# add custom file context for directories
rlRun "semanage fcontext -a -f d -t $TEST_CON2 '$DIR/asdf'"
rlRun "semanage fcontext -l | grep '$DIR/asdf *regular file *system_u:object_r:$TEST_CON'"
rlRun "semanage fcontext -l | grep '$DIR/asdf *directory *system_u:object_r:$TEST_CON2'"
# test regular file
rlRun "touch asdf"
rlRun "checkFC asdf $FILE_CON"
rlRun "restorecon asdf"
rlRun "checkFC asdf $TEST_CON"
rlRun "rm asdf"
# test directory
rlRun "mkdir asdf"
rlRun "checkFC asdf $FILE_CON"
rlRun "restorecon asdf"
rlRun "checkFC asdf $TEST_CON2"
rlRun "rmdir asdf"
# delete the context
rlRun "semanage fcontext -d -f f '$DIR/asdf'"
rlRun "semanage fcontext -d -f d '$DIR/asdf'"
rlRun "popd"
rlRun "rm -rf /tmp/test"
rlPhaseEnd
rlPhaseStartTest "chcon"
rlRun "mkdir /tmp/test"
rlRun "pushd /tmp/test"
rlRun "touch asdf"
rlRun "checkFC asdf $FILE_CON"
rlRun "chcon -t $TEST_CON asdf"
rlRun "checkFC asdf $TEST_CON"
rlRun "popd"
rlRun "rm -rf /tmp/test"
rlPhaseEnd
rlPhaseStartTest "restorecon"
rlRun "mkdir /tmp/test"
rlRun "pushd /tmp/test"
DIR=$(pwd)
# add a custom file context for whole directory
rlRun "semanage fcontext -a -t $TEST_CON '$DIR/.*'"
# create test files and directories
rlRun "touch a"
rlRun "checkFC a $FILE_CON"
rlRun "mkdir dir"
rlRun "checkFC dir $FILE_CON"
rlRun "touch dir/a"
rlRun "checkFC dir/a $FILE_CON"
rlRun "touch dir/b"
rlRun "checkFC dir/b $FILE_CON"
rlRun "mkdir dir/dir"
rlRun "checkFC dir/dir $FILE_CON"
rlRun "touch dir/dir/a"
rlRun "checkFC dir/dir/a $FILE_CON"
function prepareStr {
echo -n ".* $DIR/$1 .* [[:alnum:]:_]*$2:[[:alnum:]:_]*.*[[:alnum:]:_]*$3:[[:alnum:]:_]*"
}
# run restorecon in dry-run mode for a single file
rlRun "restorecon -v -n dir/a >stdout"
rlRun "cat stdout"
rlAssertGrep "$(prepareStr dir/a $FILE_CON $TEST_CON)" stdout
rlRun "[ $(cat stdout | wc -l) -eq 1 ]"
# run restorecon in recursive mode
rlRun "restorecon -r -v dir >stdout"
rlRun "cat stdout"
rlAssertGrep "$(prepareStr dir $FILE_CON $TEST_CON)" stdout
rlAssertGrep "$(prepareStr dir/a $FILE_CON $TEST_CON)" stdout
rlAssertGrep "$(prepareStr dir/b $FILE_CON $TEST_CON)" stdout
rlAssertGrep "$(prepareStr dir/dir $FILE_CON $TEST_CON)" stdout
rlAssertGrep "$(prepareStr dir/dir/a $FILE_CON $TEST_CON)" stdout
rlRun "[ $(cat stdout | wc -l) -eq 5 ]"
rlRun "checkFC dir $TEST_CON"
rlRun "checkFC dir/a $TEST_CON"
rlRun "checkFC dir/b $TEST_CON"
rlRun "checkFC dir/dir $TEST_CON"
rlRun "checkFC dir/dir/a $TEST_CON"
# delete the custom context
rlRun "semanage fcontext -d '$DIR/.*'"
rlRun "popd"
rlRun "rm -rf /tmp/test"
rlPhaseEnd
rlPhaseStartCleanup
rlRun "rm -rf stdout"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd