#173 add test which covers new records in capability2 class
Opened 4 months ago by mmalik. Modified 4 months ago
tests/ mmalik/selinux add-capabilities-test  into  main

@@ -0,0 +1,68 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/selinux-policy/Sanity/capability2-class

+ #   Description: Does SELinux policy define new capabilities in capability2 class?

+ #   Author: Milos Malik <mmalik@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2020 Red Hat, Inc. All rights reserved.

+ #

+ #   This copyrighted material is made available to anyone wishing

+ #   to use, modify, copy, or redistribute it subject to the terms

+ #   and conditions of the GNU General Public License version 2.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE. See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public

+ #   License along with this program; if not, write to the Free

+ #   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,

+ #   Boston, MA 02110-1301, USA.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/selinux-policy/Sanity/capability2-class

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	chmod a+x runtest.sh

+ 	chcon -t bin_t runtest.sh

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     Does SELinux policy define new capabilities in capability2 class?" >> $(METADATA)

+ 	@echo "Type:            Sanity" >> $(METADATA)

+ 	@echo "TestTime:        10m" >> $(METADATA)

+ 	@echo "RunFor:          selinux-policy" >> $(METADATA)

+ 	@echo "Requires:        audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console" >> $(METADATA)

+ 	@echo "RhtsRequires:    library(selinux-policy/common)" >> $(METADATA)

+ 	@echo "Environment:     AVC_ERROR=+no_avc_check" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 	@echo "Releases:        -RHEL4 -RHEL5 -RHEL6 -RHEL7" >> $(METADATA)

+ 	@echo "Bug:             1915264" >> $(METADATA) # Fedora rawhide

+ 

+ 	rhts-lint $(METADATA)

+ 
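Review bot: `run` and `build` are used as command targets but are missing from `.PHONY: all install download clean`, so a stray file named `run` or `build` in the test directory would make Make consider them up to date and skip the recipe. Unless the included rhts-make.include already declares them (it is not visible here), extend the line to `.PHONY: all install download clean run build`. The `build` recipe also relabels the script with `chcon -t bin_t runtest.sh`; a one-line comment above it saying why the test script needs that type would help the next maintainer judge whether the relabel is still required.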

@@ -0,0 +1,5 @@ 

+ PURPOSE of /CoreOS/selinux-policy/Sanity/capability2-class

+ Author: Milos Malik <mmalik@redhat.com>

+ 

+ Description: Does SELinux policy define new capabilities in capability2 class?

+ 

@@ -0,0 +1,3 @@ 

+ path: /selinux-policy/capability2-class

+ tier: 2

+ 

@@ -0,0 +1,61 @@ 

+ #!/bin/bash

+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/selinux-policy/Sanity/capability2-class

+ #   Description: Does SELinux policy define new capabilities in capability2 class?

+ #   Author: Milos Malik <mmalik@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2020 Red Hat, Inc. All rights reserved.

+ #

+ #   This copyrighted material is made available to anyone wishing

+ #   to use, modify, copy, or redistribute it subject to the terms

+ #   and conditions of the GNU General Public License version 2.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE. See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public

+ #   License along with this program; if not, write to the Free

+ #   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,

+ #   Boston, MA 02110-1301, USA.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/bin/rhts-environment.sh || exit 1

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="selinux-policy"

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         rlRun "rlImport 'selinux-policy/common'"

+         rlSESatisfyRequires

+         rlAssertRpm ${PACKAGE}

+         rlAssertRpm ${PACKAGE}-targeted

+ 

+         rlSESetEnforce

+         rlSEStatus

+         rlSESetTimestamp

+         sleep 2

+     rlPhaseEnd

+ 

+     rlPhaseStartTest "bz#1915264"

+         rlRun "seinfo --common cap2 -x"

+         for CAPABILITY in perfmon bpf checkpoint_restore ; do

+             rlRun "seinfo --common cap2 -x | grep -w ${CAPABILITY}"

+         done

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         sleep 2

+         rlSECheckAVC

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd

+ 
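Review bot: The setup phase calls `rlSESetEnforce`, but the cleanup phase only runs `rlSECheckAVC`, so the enforcing mode the host had before the test is not visibly restored. The check itself appears only to read the policy through `seinfo --common cap2 -x`, which should not depend on the enforcing mode. If the helper from selinux-policy/common does not restore the mode on its own (its definition is outside this hunk), either drop the call or save the mode in setup with `ORIG_MODE=$(getenforce)` and restore it in cleanup with `rlRun "setenforce ${ORIG_MODE}"`. The two `sleep 2` calls would also benefit from a short comment stating what they wait for.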

Unlike the kernel, which recognizes capabilities such as perfmon,
bpf and checkpoint_restore, the SELinux policy does not recognize them yet,
but that situation should change soon.
The purpose of this TC is to find out whether these capabilities recognized
by the kernel are also recognized by the SELinux policy.

The TC covers BZ#1915264.

rebased onto 68c15c7

4 months ago