#217 add new test which uses pam_limits and nonewprivs
Merged 2 years ago by mmalik. Opened 2 years ago by mmalik.
tests/ mmalik/selinux new-pam-limits-test  into  main

@@ -0,0 +1,69 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/selinux-policy/Regression/pam_limits-and-related

+ #   Description: Does SELinux cooperate with pam_limits.so?

+ #   Author: Milos Malik <mmalik@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2020 Red Hat, Inc. All rights reserved.

+ #

+ #   This copyrighted material is made available to anyone wishing

+ #   to use, modify, copy, or redistribute it subject to the terms

+ #   and conditions of the GNU General Public License version 2.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE. See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public

+ #   License along with this program; if not, write to the Free

+ #   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,

+ #   Boston, MA 02110-1301, USA.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/selinux-policy/Regression/pam_limits-and-related

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE ssh.exp

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	chmod a+x runtest.sh ssh.exp

+ 	chcon -t bin_t runtest.sh ssh.exp

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     Does SELinux cooperate with pam_limits.so?" >> $(METADATA)

+ 	@echo "Type:            Regression" >> $(METADATA)

+ 	@echo "TestTime:        10m" >> $(METADATA)

+ 	@echo "RunFor:          pam" >> $(METADATA)

+ 	@echo "RunFor:          selinux-policy" >> $(METADATA)

+ 	@echo "Requires:        audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console expect openssh-clients pam shadow-utils" >> $(METADATA)

+ 	@echo "RhtsRequires:    library(selinux-policy/common)" >> $(METADATA)

+ 	@echo "Environment:     AVC_ERROR=+no_avc_check" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 	@echo "Releases:        -RHEL4 -RHEL5 -RHEL6 -RHEL7" >> $(METADATA)

+ 	@echo "Bug:             1958819" >> $(METADATA) # Fedora 34

+ 

+ 	rhts-lint $(METADATA)

+ 
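Review bot: The `Requires:` line written in the `$(METADATA)` recipe lists `openssh-clients` and `expect` but no SSH server package, although the test logs in to `localhost` over SSH. Unless the imported `selinux-policy/common` library or the test image guarantees an installed and running sshd, adding `openssh-server` to that line would make the dependency explicit instead of failing late at the login step. As a smaller point, `run` and `build` are command targets but are absent from `.PHONY: all install download clean`; unless `rhts-make.include` already declares them, `.PHONY: all install download clean run build` keeps a stray file with one of those names from suppressing the recipe.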

@@ -0,0 +1,10 @@ 

+ PURPOSE of /CoreOS/selinux-policy/Regression/pam_limits-and-related

+ Author: Milos Malik <mmalik@redhat.com>

+ 

+ Does SELinux cooperate with pam_limits.so?

+ Confined and unconfined users are tested using SSH.

+ 

+ This TC uses following parameters which can be overriden:

+  * ALLOWED_USERS - which SELinux users should be tested?

+  * DENIED_USERS - which SELinux users should NOT be tested?

+ 

@@ -0,0 +1,2 @@ 

+ path: /selinux-policy/pam_limits-and-related

+ tier: 2

@@ -0,0 +1,89 @@ 

+ #!/bin/bash

+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/selinux-policy/Regression/pam_limits-and-related

+ #   Description: Does SELinux cooperate with pam_limits.so?

+ #   Author: Milos Malik <mmalik@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2020 Red Hat, Inc. All rights reserved.

+ #

+ #   This copyrighted material is made available to anyone wishing

+ #   to use, modify, copy, or redistribute it subject to the terms

+ #   and conditions of the GNU General Public License version 2.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE. See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public

+ #   License along with this program; if not, write to the Free

+ #   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,

+ #   Boston, MA 02110-1301, USA.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/bin/rhts-environment.sh || exit 1

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="selinux-policy"

+ SERVICE_PACKAGE="pam"

+ DENIED_USERS=${DENIED_USERS:-""}

+ ALLOWED_USERS=${ALLOWED_USERS:-"guest_u xguest_u user_u staff_u sysadm_u unconfined_u"}

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         rlRun "rlImport 'selinux-policy/common'"

+         rlSESatisfyRequires

+         rlAssertRpm ${PACKAGE}

+         rlAssertRpm ${PACKAGE}-targeted

+         rlAssertRpm ${SERVICE_PACKAGE}

+ 

+         rlFileBackup /etc/shadow

+         rlFileBackup /etc/security/limits.conf

+ 

+         rlSESetEnforce

+         rlSEStatus

+         rlSESetTimestamp

+         sleep 2

+     rlPhaseEnd

+ 

+     rlPhaseStartTest "bz#1958819"

+         rlSESearchRule "allow init_t guest_t : process2 { nnp_transition } [ ]"

+         rlSESearchRule "allow init_t staff_t : process2 { nnp_transition } [ ]"

+         rlSESearchRule "allow init_t sysadm_t : process2 { nnp_transition } [ ]"

+         rlSESearchRule "allow init_t unconfined_t : process2 { nnp_transition } [ ]"

+         rlSESearchRule "allow init_t user_t : process2 { nnp_transition } [ ]"

+         rlSESearchRule "allow init_t xguest_t : process2 { nnp_transition } [ ]"

+     rlPhaseEnd

+ 

+     rlPhaseStartTest "real scenario -- confined users"

+         rlRun "setsebool ssh_sysadm_login on"

+         rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"

+         for SELINUX_USER in ${ALLOWED_USERS} ; do

+             USER_NAME="user${RANDOM}"

+             USER_SECRET="S3kr3t${RANDOM}"

+             rlRun "useradd -Z ${SELINUX_USER} ${USER_NAME}"

+             rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"

+             rlRun "echo \"${USER_NAME} - nonewprivs 1\" >> /etc/security/limits.conf"

+             rlRun "restorecon -RvF /home/${USER_NAME}"

+             rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost id"

+             rlRun "userdel -rfZ ${USER_NAME}"

+             sleep 10

+         done

+         rlRun "setsebool ssh_sysadm_login off"

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         sleep 2

+         rlSECheckAVC

+ 

+         rlFileRestore

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd

+ 
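Review bot: `DENIED_USERS` is only written to the log by `rlLog`; the `for SELINUX_USER in ${ALLOWED_USERS}` loop never consults it, so the override documented in PURPOSE has no effect. A guard at the top of the loop body such as `[[ " ${DENIED_USERS} " == *" ${SELINUX_USER} "* ]] && continue` would honour it. The generated password is also interpolated into the `rlRun` strings for `passwd --stdin` and `./ssh.exp`, so it ends up in the test journal and in the process list; the account is short-lived, but logging a redacted command or passing the secret through the environment avoids setting that pattern. Finally, `setsebool ssh_sysadm_login off` forces the boolean off rather than restoring its earlier value, and it is skipped if the phase aborts; saving the state in Setup and restoring it in Cleanup, next to `rlFileRestore`, leaves the host as it was found.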

@@ -0,0 +1,20 @@ 

+ #!/usr/bin/expect -f

+ # Expect script for SSH logging as $username to $hostname using $password and executing $command.

+ # Usage:

+ #   ./ssh.exp username password hostname command

+ set username [lrange $argv 0 0]

+ set password [lrange $argv 1 1]

+ set hostname [lrange $argv 2 2]

+ set command  [lrange $argv 3 10]

+ set timeout 15

+ # connect to remote host and execute given command

+ log_user 1

+ spawn ssh -t $username@$hostname $command

+ expect {

+   -nocase "yes/no" { send -- "yes\r" ; exp_continue }

+   -nocase "password" { send -- "$password\r" }

+ }

+ log_user 1

+ # send -- "\r"

+ expect eof

+ 
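Review bot: The script never reports whether the login worked: after `expect eof` it falls off the end and exits 0, and a timeout in the first `expect` block is ignored as well, so `rlRun "./ssh.exp ..."` in runtest.sh passes even when authentication is refused or the session hangs. Adding a `timeout { exit 2 }` branch to the `expect` block and ending with `catch wait result` followed by `exit [lindex $result 3]` would propagate the exit status of ssh to the caller. The password is taken from `argv`, which exposes it to other local users through the process list; reading it from an environment variable would avoid that. The automatic `yes` answer to the host-key prompt is acceptable for `localhost` only, which is worth stating in the header comment so the helper is not reused against remote hosts.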

The pam_limits.so module can apply various limits to users, groups
and other domains. The purpose of this TC is to verify that these limits
do not interfere with the current SELinux policy.

rebased onto 4a1c83d674f680619ce09abedc162a2e93641ca8

2 years ago

The TC run failed on Fedora rawhide as expected, because BZ#1958819 is not yet fixed. Or the build which brings the fix is not yet installed on Fedora CI machines.

rebased onto 056a40ac56760cb962750548296e76e58ad30a0d

2 years ago

LGTM. With updated policy, the users can log in. An additional nnp_transition denial appears, but only for sysadm_t:

allow sysadm_t systemd_tmpfiles_t:process2 nnp_transition;

because the transition is defined only for sysadm_t:

# sesearch -T -s userdomain -t systemd_tmpfiles_exec_t
type_transition sysadm_t systemd_tmpfiles_exec_t:process systemd_tmpfiles_t;

systemd-tmpfiles-setup.service is started by the systemd user manager, so this check can also be added to this test. I suppose additional services will require the nnp_transition permission.

rebased onto e5e53bd400974896945d28d9b5442dc484e3cdc4

2 years ago

rebased onto 9eccecc

2 years ago

The TC run failed in Cleanup phase because BZ#1878094 is not fixed yet.

Pull-Request has been merged by mmalik

2 years ago