#367 test if the kernel_generic_helper_t policy works fine
Closed 11 months ago by mmalik. Opened a year ago by mmalik.
tests/ mmalik/selinux kernel-helper-request-key into main

@@ -0,0 +1,35 @@ 

+ summary: test if the kernel_generic_helper_t policy works fine

+ contact: Milos Malik <mmalik@redhat.com>

+ framework: beakerlib

+ component:

+   - selinux-policy

+ require:

+   - library(selinux-policy/common)

+ recommend:

+   - audit

+   - libselinux

+   - libselinux-utils

+   - policycoreutils

+   - selinux-policy

+   - selinux-policy-targeted

+   - setools-console

+   - keyutils

+   - nfs-utils

+   - /usr/sbin/service

+ environment:

+     AVC_ERROR: +no_avc_check

+ duration: 15m

+ enabled: true

+ tag:

+   - NoRHEL4

+   - NoRHEL5

+   - NoRHEL6

+   - NoRHEL7

+   - NoRHEL8

+   - targeted

+ link:

+   - verifies: https://bugzilla.redhat.com/show_bug.cgi?id=2166228

+ adjust:

+   - enabled: false

+     when: distro == rhel-4, rhel-5, rhel-6, rhel-7, rhel-8

+     because: the kernel_generic_helper_t is not defined there
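Review bot: the packages the script hard-fails on with rlAssertRpm (keyutils, nfs-utils, selinux-policy) are listed only under `recommend:`, so a machine where one of them cannot be installed produces a failing run instead of a skipped one; move those three into `require:` next to `library(selinux-policy/common)` and leave the rest under `recommend:`. The NoRHEL4 to NoRHEL8 tags duplicate the `adjust:` rule that already disables the test on rhel-4 through rhel-8, so one of the two mechanisms is enough, and the `because:` text should read "kernel_generic_helper_t is not defined there".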

@@ -0,0 +1,55 @@ 

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         rlRun "rlImport 'selinux-policy/common'"

+         rlAssertRpm keyutils

+         rlAssertRpm nfs-utils

+         rlAssertRpm selinux-policy

+ 

+         rlSESetEnforce

+         rlSEStatus

+         rlSESetTimestamp

+         sleep 2

+     rlPhaseEnd

+ 

+     rlPhaseStartTest "bz#2166228"

+         rlSEMatchPathCon "/usr/sbin/request-key" "bin_t"

+         rlSESearchRule "allow kernel_t bin_t : file { execute } [ ]"

+         rlSESearchRule "type_transition kernel_t bin_t : process kernel_generic_helper_t"

+         rlSESearchRule "allow kernel_t usr_t : file { execute } [ ]"

+         rlSESearchRule "type_transition kernel_t usr_t : process kernel_generic_helper_t"

+         rlSESearchRule "allow kernel_t kernel_generic_helper_t : process { transition } [ ]"

+         rlSESearchRule "allow kernel_generic_helper_t kernel_t : key { read view } [ ]"

+         rlSESearchRule "allow kernel_generic_helper_t kernel_generic_helper_t : unix_dgram_socket { create } [ ]"

+     rlPhaseEnd

+ 

+     rlPhaseStartTest "real scenario"

+         DIRECT_MOUNT_POINT="/mnt/direct${RANDOM}"

+         NFS_MOUNT_POINT="/mnt/nfs${RANDOM}"

+         rlRun "service rpcbind start"

+         rlRun "service nfs-idmapd start"

+         rlRun "mkdir ${DIRECT_MOUNT_POINT}"

+         rlRun "exportfs -v localhost:${DIRECT_MOUNT_POINT}"

+         rlRun "exportfs"

+         rlRun "mkdir ${NFS_MOUNT_POINT}"

+         rlRun "mount -t nfs4 localhost:${DIRECT_MOUNT_POINT} ${NFS_MOUNT_POINT}"

+         rlRun "mount | grep ${NFS_MOUNT_POINT}"

+         rlRun "systemctl daemon-reload"

+         sleep 2

+         rlRun "umount ${NFS_MOUNT_POINT}"

+         rlRun "rmdir ${NFS_MOUNT_POINT}"

+         rlRun "exportfs -u localhost:${DIRECT_MOUNT_POINT}"

+         rlRun "rmdir ${DIRECT_MOUNT_POINT}"

+         rlRun "service rpcbind stop"

+         rlRun "service nfs-idmapd stop"

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         sleep 2

+         rlSECheckAVC

+     rlPhaseEnd

+ rlJournalEnd

+ 
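Review bot: the "real scenario" phase never provokes the kernel upcall it is supposed to cover: it starts rpcbind and nfs-idmapd, exports and mounts a directory over NFSv4, runs `systemctl daemon-reload`, and unmounts again without touching a single file on the mount, so nothing asks the kernel to execute /usr/sbin/request-key (the path whose label the bz#2166228 phase checks) and the kernel_t to kernel_generic_helper_t transition searched for there is never exercised; all the phase can show is that rpcbind and nfs-idmapd run without AVC denials. With keyutils already recommended, a direct way to force the upcall is a request for a key that does not exist, e.g. `rlRun "keyctl request2 user test-${RANDOM} callout @s" 0-255`, which makes the kernel spawn request-key even when no handler in /etc/request-key.conf resolves the key, and rlSECheckAVC in cleanup then catches any denial on that path. Separately, the umount, rmdir, exportfs -u and service stop calls live inside the test phase, so a failing `mount` leaves rpcbind and nfs-idmapd running and the export and directories in place for the next test; move that teardown into rlPhaseStartCleanup.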

TBA later

The TC covers BZ#2166228.

rebased onto 80ad3c39e3e469eeb8ca5cba6351e77a7c91f698

a year ago

rebased onto 3ccb97f2b9da29cef82e2ebdeb5edcbbb6d5a842

a year ago

Unfortunately, the TC run does not trigger the SELinux denials reported in BZ#2166228.

rebased onto d0e45e0f2f30ff2b1430ab39410234120ac9abce

a year ago

rebased onto 1d07fe472cae65d81f98600baa1e27ec2c55ae61

a year ago

rebased onto eb4f33b2ac48d372fa0009a9a56aa044cb2ebb9a

a year ago

rebased onto fc886f1c07941839c9d61817d2410de5deddea38

a year ago

rebased onto 5ad24912f9c3d661c727af6aab445bc994d1bca3

a year ago

rebased onto 566d15b51f8a4b36406ba592de7e793723d69ab9

a year ago

rebased onto a1e81c1cd58e4665c6a7f801e59f3addb6da053d

a year ago

rebased onto d9d63e6138f6727dfabcb157c4c8e267019eae11

a year ago

rebased onto 4fc595b

11 months ago

I don't want to increase the number of failing tests in this repository. Each run of such tests requires additional reviews. The automated test will be added after it stops failing.

Pull-Request has been closed by mmalik

11 months ago