#474 Update the install-uninstall-dsp-packages test
Merged a month ago by mmalik. Opened 2 months ago by zpytela.
tests/ zpytela/selinux update-dsp-install-test  into  main

@@ -30,7 +30,7 @@ 

  

  BUILT_FILES=

  

- FILES=$(METADATA) runtest.sh Makefile PURPOSE

+ FILES=$(METADATA) additional-dsp-packages.txt dbus-sendmsg.pl runtest.sh Makefile PURPOSE

  

  .PHONY: all install download clean

  

@@ -0,0 +1,13 @@ 

+ # List of additional DSP packages which distribute its custom SELinux module,

+ # but not in a subpackage with the "-selinux" suffix

+ # This file is being maintained manually

+ 

+ BackupPC

+ # beah - temporary not working in rawhide

+ ec2-hibinit-agent

+ google-compute-engine-oslogin

+ mariadb-cracklib-password-check

+ mariadb-server-galera

+ postsrsd

+ qm

+ receptor

@@ -0,0 +1,71 @@ 

+ #!/usr/bin/perl -w

+ ### Check if dbus communication is allowed bidirectionally

+ 

+ use strict;

+ 

+ my $sesearch_cmd="/usr/bin/sesearch";

+ my $sesearch_args="-A -c dbus -p send_msg";

+ my ($line, @output);

+ my (@seoutarray, $seout, $seline);

+ my $count=0;

+ 

+ # Take all allow rules matching the description

+ open SESEARCH, "$sesearch_cmd $sesearch_args |"

+   or die "Cannot run sesearch: $!";

+ while ($line =<SESEARCH>) {

+ 	$count++;

+ 	#debug printf "%4d %s", $count, $line;

+ 	chomp $line;

+ 	# > sesearch -A -t systemd_timedated_t -s initrc_t -c dbus -p send_msg

+ 	# allow dbusd_unconfined nsswitch_domain:dbus send_msg;

+ 	# allow system_bus_type system_dbusd_t:dbus { acquire_svc send_msg };

+ 	# allow NetworkManager_t xguest_t:dbus send_msg; [ xguest_connect_network ]:True

+ 	@output = split /[ :]/, $line;

+         next if $output[2] eq "self";

+         next if $output[2] eq $output[1];

+ 	# Look for the rule in the inverse direction

+ 	open $seout, "$sesearch_cmd $sesearch_args -s $output[2] -t $output[1] |"

+ 	  or die "Cannot run sesearch: $!";

+ 	@seoutarray = <$seout>;

+ 	if (@seoutarray == 0) {

+ 	  print "No reverse match: $line\n";

+ 	}

+ 	else {

+ 	  foreach $seline (@seoutarray) {

+ 	    if ($seline =~ /\]:/) {

+ 	      print "Conditional rule: $seline";

+ 	      print "   Original line: $line\n";

+ 	    }

+ 	  }

+ 	}

+ 	close $seout;

+ }

+ print "Total dbus:send_msg rules number: $count\n";

+ 

+ __END__

+ 

+ State as of 2024.03.05

+ f39: 1738 rules, 8 asymmetrical

+ RHEL9: 1731 rules, 6 asymmetrical

+ RHEL8: 2359 rules, 52 asymmetrical

+ 

+ f39

+ No reverse match: allow cronjob_t openshift_app_t:dbus send_msg;

+ No reverse match: allow cronjob_t openshift_t:dbus send_msg;

+ No reverse match: allow cronjob_t staff_t:dbus send_msg;

+ No reverse match: allow cronjob_t sysadm_t:dbus send_msg;

+ No reverse match: allow cronjob_t user_t:dbus send_msg;

+ No reverse match: allow pasta_t init_t:dbus send_msg;

+ No reverse match: allow pasta_t system_dbusd_t:dbus send_msg;

+ No reverse match: allow pasta_t systemd_hostnamed_t:dbus send_msg;

+ 

+ RHEL9

+ No reverse match: allow cronjob_t openshift_app_t:dbus send_msg;

+ No reverse match: allow cronjob_t openshift_t:dbus send_msg;

+ No reverse match: allow cronjob_t staff_t:dbus send_msg;

+ No reverse match: allow cronjob_t sysadm_t:dbus send_msg;

+ No reverse match: allow cronjob_t user_t:dbus send_msg;

+ No reverse match: allow nvme_stas_t system_dbusd_t:dbus { acquire_svc send_msg };

+ 

+ RHEL8

+ 
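Review bot: Both pipe opens — `open SESEARCH, "$sesearch_cmd $sesearch_args |"` and the inner `open $seout, "$sesearch_cmd $sesearch_args -s $output[2] -t $output[1] |"` — use the two-argument form, so the command string goes through a shell and the source/target type names split out of the previous sesearch line are re-parsed by that shell; the list form `open my $fh, '-|', $cmd, @args` hands them over as plain argv entries and also removes the bareword handle. The outer handle is never closed, so a sesearch that exits non-zero (for example when the policy cannot be read) just yields no lines and the script prints `Total dbus:send_msg rules number: 0` with a success exit, and the inner `close $seout` is likewise unchecked; checking both closes for `$?` would surface that, assuming sesearch exits 0 when it merely finds no rules (otherwise inspect `$? >> 8` and only die on real errors). With `-w` on the shebang, `use warnings;` next to `use strict;` is the lexical equivalent perlcritic expects.
```perl
use strict;
use warnings;

my $sesearch_cmd  = '/usr/bin/sesearch';
my @sesearch_args = qw(-A -c dbus -p send_msg);
# … unchanged: remaining declarations …

# List-form open: no shell is involved, every argument is passed verbatim
open my $sesearch, '-|', $sesearch_cmd, @sesearch_args
  or die "Cannot run sesearch: $!";
while ($line = <$sesearch>) {
    # … unchanged: count, chomp, split, "self" / same-type skips …
    open $seout, '-|', $sesearch_cmd, @sesearch_args, '-s', $output[2], '-t', $output[1]
      or die "Cannot run sesearch -s $output[2] -t $output[1]: $!";
    # … unchanged: reverse-match and conditional-rule reporting …
    close $seout
      or die "sesearch -s $output[2] -t $output[1] exited with status $?";
}
close $sesearch or die "sesearch exited with status $?";
print "Total dbus:send_msg rules number: $count\n";
```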

@@ -34,8 +34,20 @@ 

  SKIP_REMOVAL=${SKIP_REMOVAL:-""}

  SKIP_INSTALL=${SKIP_INSTALL:-""}

  INSTALL_ONLY=${INSTALL_ONLY:-""}

- FCONTEXT_LIST="/tmp/semanage-fcontext"

- FCONTEXT_LIST_VARRUN="/tmp/semanage-fcontext-varrun"

+ ADDITIONAL_DSP_PACKAGES="additional-dsp-packages.txt"

+ TMPDIR=${TMPDIR-"/var/tmp"}

+ OUTDIR="${TMPDIR}/test-output"

+ FCONTEXT_LIST="${OUTDIR}/semanage-fcontext"

+ FCONTEXT_LIST2="${OUTDIR}/semanage-fcontext2"

+ FCONTEXT_LIST_VARRUN="${OUTDIR}/semanage-fcontext-varrun"

+ RESTORECON_RVN_RUN="${OUTDIR}/restorecon-rvn-run"

+ RPMQA="${OUTDIR}/rpmqa"

+ SEMODULE_LIST="${OUTDIR}/semodule-list"

+ SEMODULE_LIST_DSP="${OUTDIR}/semodule-list-dsp"

+ PERMISSIVE_DOMAINS="${OUTDIR}/permissive-domains"

+ UNCONFINED_DOMAINS="${OUTDIR}/unconfined-domains"

+ DBUS_SENDMSG="${OUTDIR}/dbus-sendmsg"

+ mkdir -p ${OUTDIR}

  

  # Function to create a report template for install test

  function install_report() {
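Review bot: `OUTDIR="${TMPDIR}/test-output"` followed by `mkdir -p ${OUTDIR}` is a fixed, predictable path under a world-writable directory, and `mkdir -p` succeeds silently when that directory already exists whatever its owner or mode, after which later phases write into it with plain redirection; creating it with `OUTDIR=$(mktemp -d "${TMPDIR}/test-output.XXXXXX")` (and logging the name, since the files are meant to be inspected afterwards) or at least wrapping it as `rlRun "mkdir -p \"${OUTDIR}\""` makes the setup both safer and visible in the log. `${TMPDIR-"/var/tmp"}` only substitutes when `TMPDIR` is unset, so a set-but-empty `TMPDIR` yields `OUTDIR=/test-output`; `${TMPDIR:-/var/tmp}` covers both cases. A short comment above the block, e.g. `# Output files for the check phases; kept after the run only when DEBUG=yes`, would document the contract that is otherwise only visible in later hunks.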
@@ -98,12 +110,17 @@ 

          rlRun "sed -i '/beaker-tasks/d' install-list"

  	# exclude debuginfo packages

          rlRun "sed -i '/-debuginfo/d' install-list"

- 	# tmp: omit failing vfrnav

-         rlRun "sed -i '/vfrnav-selinux/d' install-list"

  	# packages names only

          rlRun "awk '{print \$1}' install-list > pkgonlylist"

  	# exclude updates-source

          rlRun "grep -vE '(.src)' pkgonlylist | sort -u > install-pkgs"

+ 	# include additional packages which do not match the "*-selinux" pattern

+ 	# currently for Fedora only

+ 	if rlIsFedora ">=38"

+ 	then

+ 	  # remove comments and blank lines

+ 	  rlRun "sed '/^[#]/d;/^$/d' ${ADDITIONAL_DSP_PACKAGES} >> install-pkgs"

+ 	fi

  	# use the same list for checks of the subsequent uninstallation

          rlRun "cp -f install-pkgs uninstall-pkgs"

          rlRun "install_report"
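Review bot: The lines appended from `${ADDITIONAL_DSP_PACKAGES}` land in `install-pkgs` after the `sort -u` on the preceding line, so the merged list is no longer sorted or de-duplicated, and any trailing whitespace in the text file goes straight into the package list; `rlRun "sed '/^[#]/d;/^$/d;s/[[:space:]]*$//' ${ADDITIONAL_DSP_PACKAGES} >> install-pkgs && sort -u -o install-pkgs install-pkgs"` keeps the invariant that `cp -f install-pkgs uninstall-pkgs` then inherits. A comment such as `# entries are appended verbatim: one package name per line, '#' comments only at column 0` next to the sed would document what the data file may contain, since the sed only recognises comments starting at column 0. The enclosing phase starts before this hunk.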
@@ -130,20 +147,46 @@ 

      rlPhaseEnd

  

      ### Checks performed with all dsp packages installed

+ 

      ### Status of /run and /var/run equivalency

      rlPhaseStartTest "Check /run equivalency status"

  	rlRun "semanage fcontext -l > ${FCONTEXT_LIST}"

  	if grep -q "/run = /var/run" ${FCONTEXT_LIST}; then

- 	    echo "Warning: Legacy equivalency settings \"/run = /var/run\" are in place."

+ 	    rlLogInfo "Legacy equivalency settings \"/run = /var/run\" are in place."

  	elif grep -q "/var/run = /run" ${FCONTEXT_LIST}; then

- 	    echo "New equivalency settings /\"var/run = /run\" are in place."

- 	    if grep -q "^/var/run" ${FCONTEXT_LIST}; then

- 		rlLog "Warning: /var/run entries found in the file context database"

- 		rlRun "sed '/^\/var\/run/!d; s|[ \t].*$||' ${FCONTEXT_LIST} | uniq > ${FCONTEXT_LIST_VARRUN}"

+ 	    rlLog "New equivalency settings /\"var/run = /run\" are in place."

+ 	    grep -v "/var/run = /run" ${FCONTEXT_LIST} > ${FCONTEXT_LIST2}

+ 	    if grep -q "^/var/run" ${FCONTEXT_LIST2}; then

+ 		rlLogWarning "/var/run entries found in the file context database"

+ 		rlRun "sed '/^\/var\/run/!d; s|[ \t].*$||' ${FCONTEXT_LIST2} | uniq > ${FCONTEXT_LIST_VARRUN}"

+ 

+ 		# List /var/run rules which do not have an equivalent one in /run

+ 		while read line

+ 		do

+ 		    if ! grep -q "^${line#/var}" ${FCONTEXT_LIST2}; then

+ 		        rlLog "Dup rule does not exist in /run: \"$line\""

+ 		    fi

+ 		done < ${FCONTEXT_LIST_VARRUN}

  	    fi

- 	else echo "Unknown or none /run equivalency settings."

+ 	else rlLogWarning "None or unknown /run equivalency settings."

+ 	fi

+ 

+ 	[ "$DEBUG" = "yes" ] ||

+ 	rlRun "rm -f ${FCONTEXT_LIST} ${FCONTEXT_LIST_VARRUN}"

+     rlPhaseEnd

+ 

+     ### Store some data which might be of some use later

+     rlPhaseStartTest "Gather relevant data"

+ 	if [ "${DEBUG}" = "yes" ]; then

+ 	    rlRun "restorecon -Rvn /run > ${RESTORECON_RVN_RUN}"

+ 	    rlRun "rpm -qa | sort > ${RPMQA}"

+ 	    rlRun "semanage permissive -l > ${PERMISSIVE_DOMAINS}"

+ 	    rlRun "seinfo -xa unconfined_domain_type > ${UNCONFINED_DOMAINS}"

+ 	    rlRun "semodule -lfull > ${SEMODULE_LIST}"

+ 	    rlRun "grep -v ^100 ${SEMODULE_LIST} > ${SEMODULE_LIST_DSP}"

+ 	    rlRpmInstall "perl"

+ 	    rlRun "./dbus-sendmsg.pl > ${DBUS_SENDMSG}"

  	fi

- 	rm -f ${FCONTEXT_LIST} ${FCONTEXT_LIST_VARRUN}

      rlPhaseEnd

  

      rlPhaseStartTest "Uninstall test for dsp packages"
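Review bot: `while read line` at the head of the new loop strips backslashes and surrounding blanks from the `semanage fcontext -l` entries, and `grep -q "^${line#/var}"` then re-interprets the entry (which can itself be a regular-expression pattern in the file-context database) as a grep pattern, so an entry with escaped characters never matches and is reported as `Dup rule does not exist in /run`; use `while IFS= read -r line` and a literal full-line comparison against the path column, e.g. `if ! sed 's|[ \t].*$||' ${FCONTEXT_LIST2} | grep -qxF -- "${line#/var}"; then`. The cleanup `rlRun "rm -f ${FCONTEXT_LIST} ${FCONTEXT_LIST_VARRUN}"` does not include `${FCONTEXT_LIST2}`, which this hunk introduces, so it is left behind even without `DEBUG=yes`. In the "Gather relevant data" phase, `./dbus-sendmsg.pl` needs `/usr/bin/sesearch` (shipped by setools-console) in addition to the `perl` package installed just before it; an `rlRpmInstall` for that package, or a check that the binary exists, would make the phase self-contained.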
@@ -174,6 +217,7 @@ 

          if [ -f "Err_file" ]; then

              rlRun "rm -f Err_file"

          fi

+ 	[ "$DEBUG" = "yes" ] ||

          rlRun "rm -f install-list pkgonlylist install-pkgs uninstall-pkgs pkglist.report"

          rlSECheckAVC --ignore 'type=USER_AVC.*denied.* send_msg .*scontext=.*:unconfined_t:.*tcontext=.*:system_dbusd_t:.*tclass=dbus' \

                       --ignore 'type=USER_AVC.* start .*:unconfined_t:.*:init_t:.*tclass=system' \

Particular changes:
- include DSP packages which do not distribute their custom SELinux module
in a subpackage with the "-selinux" suffix
- use the DEBUG variable to keep files after the test finishes
- change warnings to using rlLogWarning

rebased onto cce2cf6938b97f38e272b324829f0470fd2e27cf

2 months ago

Looks good to me :thumbsup:

rebased onto 27f1331fa3b620eb90997048dd467a78e9ad2bf6

2 months ago

rebased onto 385c562deae4039061f847df91f1b1665e71bef4

2 months ago

rebased onto 7e4b6954d0ff20d74a5038be7bb96de5e0c079f5

2 months ago

rebased onto b3e21466b63cf68b37f6c3068a52aa7004c5445d

2 months ago

rebased onto 296bbce4a1aeebc95379618b93e381fe6e460d46

2 months ago

rebased onto 9bc9cf8df47ce408f3230cf036a1a72ca589d8f9

2 months ago

rebased onto 194da97de478b614b588f1437f5d19d9842c4360

2 months ago

rebased onto 03fc444

a month ago

Pull-Request has been merged by mmalik

a month ago