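#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
#
# Exercise SELinux CIL "deny" rules. Each test phase installs a one-rule module
# that denies a single permission to unconfined_t, checks the operation now
# fails, and removes the module again.
#
# While such a module is loaded the deny applies to every unconfined_t process
# on the host, not just to this script, and a module in the policy store stays
# there across reboots. The cleanup phase therefore removes a module that an
# interrupted phase may have left installed, and restores the other state the
# test touched (enforcing mode, the dummy kernel module, the machine-id copy).
#
# Requires root, an SELinux-enabled host and a libsepol/semodule that accept
# CIL deny rules (the setup phase only checks that the packages are present).
. /usr/share/beakerlib/beakerlib.sh || exit 1

readonly policy_name=testpolicy
readonly policy_file=testpolicy.cil

#######################################
# Write one CIL statement to $policy_file, install it as module $policy_name
# and check that the module is listed in the store.
# Globals:   policy_name, policy_file (read)
# Arguments: $1 - the CIL statement, e.g. '( deny unconfined_t shadow_t ( file ( read )))'
# Outputs:   rlRun results in the journal; the rule text is logged as the comment
#######################################
install_test_policy() {
  local rule=$1
  # printf instead of echo -e: nothing in a CIL rule needs escape processing.
  # "$rule" is expanded when rlRun evals the string, so the rule may contain
  # any characters; the journal comment carries the readable text.
  rlRun "printf '%s\\n' \"\$rule\" > $policy_file" 0 "write rule: $rule"
  rlRun "semodule -i $policy_file"
  rlRun "semodule -lfull | grep $policy_name"
}

#######################################
# Remove the test module from the policy store.
# Globals:   policy_name (read)
#######################################
remove_test_policy() {
  rlRun "semodule -r $policy_name"
}

rlJournalStart
  rlPhaseStartSetup
    rlAssertRpm libsepol
    rlAssertRpm libsemanage
    rlAssertRpm libselinux
    rlAssertRpm policycoreutils
    rlAssertRpm selinux-policy
    # Remember the mode so cleanup can put a permissive host back the way it was.
    orig_mode=$(getenforce)
    rlRun "setenforce 1"
    rlRun "sestatus"
    # Remember whether the dummy module was present; the module-load phase
    # leaves it loaded, and cleanup should only unload it if we added it.
    dummy_was_loaded=0
    if lsmod | grep -q '^dummy '; then
      dummy_was_loaded=1
    fi
  rlPhaseEnd

  rlPhaseStartTest "prevent the reading of a file"
    # Baseline: root in unconfined_t can stat and read /etc/shadow.
    rlRun "stat /etc/shadow" 0
    rlRun "grep ^bin /etc/shadow" 0
    install_test_policy '( deny unconfined_t shadow_t ( file ( getattr read )))'
    rlRun "stat /etc/shadow" 1
    # grep exits 2 when it cannot open its input file.
    rlRun "grep ^bin /etc/shadow" 2
    remove_test_policy
  rlPhaseEnd

  rlPhaseStartTest "prevent the execution of a file"
    # Baseline: dmesg runs (its output is irrelevant here).
    rlRun "dmesg >& /dev/null"
    install_test_policy '( deny unconfined_t dmesg_exec_t ( file ( execute execute_no_trans )))'
    # 126: the shell found the binary but could not execute it.
    rlRun "dmesg" 126
    remove_test_policy
  rlPhaseEnd

  rlPhaseStartTest "prevent removal of a file"
    # Work on a copy so the real machine-id is never the target of the unlink;
    # cp -a is expected to carry the machineid_t label over, ls -Z shows what
    # the copy actually got.
    if [[ -f /etc/machine-id ]]; then
      rlRun "cp -a /etc/machine-id ."
    else
      rlRun "cp -a /run/machine-id ."
    fi
    rlRun "ls -Z ./machine-id"
    install_test_policy '( deny unconfined_t machineid_t ( file ( unlink )))'
    rlRun "rm -f ./machine-id" 1,2
    remove_test_policy
    rlRun "rm -f ./machine-id"
  rlPhaseEnd

  rlPhaseStartTest "prevent the search in a directory"
    # Baseline: the recursive listing of /etc/pki works.
    rlRun "ls -lZR /etc/pki >& /dev/null"
    install_test_policy '( deny unconfined_t cert_t ( dir ( search )))'
    rlRun "ls -lZR /etc/pki" 1
    remove_test_policy
  rlPhaseEnd

  rlPhaseStartTest "prevent ptracing of processes"
    # Baseline attach to this shell; rlWatchdog kills strace after 5 s, so the
    # outcome is not asserted, only recorded in the journal.
    rlWatchdog "strace -p $$" 5
    install_test_policy '( deny unconfined_t unconfined_t ( process ( ptrace )))'
    rlRun -s "strace -p $$" 1
    # The SELinux denial shows up as "Permission denied" (EACCES). A refusal
    # coming from Yama ptrace_scope would read "Operation not permitted"
    # instead and would not satisfy this check, so the two are not confused.
    rlRun "grep -i 'permission denied' $rlRun_LOG"
    rm -f -- "$rlRun_LOG"
    remove_test_policy
  rlPhaseEnd

  rlPhaseStartTest "prevent loading of kernel modules"
    # Start from an unloaded dummy module so the load attempt below is real.
    # '^dummy ' matches the lsmod name column exactly and not e.g. dummy_hcd.
    if lsmod | grep -q '^dummy '; then
      rlRun "modprobe -r dummy"
    fi
    install_test_policy '( deny unconfined_t unconfined_t ( system ( module_load module_request )))'
    rlRun -s "modprobe dummy" 1
    rlRun "grep -i 'permission denied' $rlRun_LOG"
    rm -f -- "$rlRun_LOG"
    rlRun "lsmod | grep '^dummy '" 1
    remove_test_policy
    # Loading works again once the deny rule is gone.
    rlRun "modprobe dummy"
    rlRun "lsmod | grep '^dummy '"
  rlPhaseEnd

  rlPhaseStartCleanup
    # A deny module that an aborted phase left installed would keep restricting
    # unconfined_t after the test ends; remove it if it is still in the store.
    if semodule -lfull | grep -q "$policy_name"; then
      rlRun "semodule -r $policy_name"
    fi
    rlRun "rm -f -- $policy_file ./machine-id"
    if (( ! dummy_was_loaded )) && lsmod | grep -q '^dummy '; then
      rlRun "modprobe -r dummy"
    fi
    if [[ $orig_mode == Permissive ]]; then
      rlRun "setenforce 0"
    fi
  rlPhaseEnd
rlJournalEnd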