diff --git a/tests/CIL-modules-without-compilation/Makefile b/tests/CIL-modules-without-compilation/Makefile
new file mode 100644
index 0000000..2d8a660
--- /dev/null
+++ b/tests/CIL-modules-without-compilation/Makefile
@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
+# Description: What the test does
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: What the test does" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: policycoreutils" >> $(METADATA)
+ @echo "Requires: policycoreutils" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHEL6 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/tests/CIL-modules-without-compilation/PURPOSE b/tests/CIL-modules-without-compilation/PURPOSE
new file mode 100644
index 0000000..a9c7d54
--- /dev/null
+++ b/tests/CIL-modules-without-compilation/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
+Author: Milos Malik
+
+Is it possible to manage policy modules written in CIL without any compilation? Does semanage and semodule understand them?
+
diff --git a/tests/CIL-modules-without-compilation/runtest.sh b/tests/CIL-modules-without-compilation/runtest.sh
new file mode 100755
index 0000000..451461a
--- /dev/null
+++ b/tests/CIL-modules-without-compilation/runtest.sh
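Review bot: The `Description:` value is still the template placeholder `What the test does`, both in the header comment and in the `@echo "Description: What the test does" >> $(METADATA)` line of the `$(METADATA)` recipe, so the generated metadata does not say what is tested. The PURPOSE file added next to it carries the real wording and could be reused, e.g. `@echo "Description: Can CIL policy modules be managed without compilation?" >> $(METADATA)`. The same placeholder sits in the header of this test's runtest.sh. Separately, `.PHONY: all install download clean` leaves out `run` and `build`, the targets this file itself defines; the other Makefiles in this commit repeat that line.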
@@ -0,0 +1,73 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
+# Description: What the test does
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlRun "echo '()' > empty.cil"
+ rlRun "echo '(())' > invalid.cil"
+ rlPhaseEnd
+
+ rlPhaseStartTest "empty CIL module"
+ rlRun "semodule -lfull | grep '400.*empty.*cil'" 1
+ rlRun "semodule -i empty.cil"
+ rlRun "semodule -lfull | grep '400.*empty.*cil'"
+ rlRun "semodule -r empty"
+ rlRun "semodule -lfull | grep '400.*empty.*cil'" 1
+ rlRun "semanage module -l | grep 'empty.*400.*cil'" 1
+ rlRun "semanage module -a empty.cil"
+ rlRun "semanage module -l | grep 'empty.*400.*cil'"
+ rlRun "semanage module -r empty"
+ rlRun "semanage module -l | grep 'empty.*400.*cil'" 1
+ rlPhaseEnd
+
+ rlPhaseStartTest "invalid CIL module"
+ rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
+ rlRun "semodule -i invalid.cil" 1
+ rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
+ rlRun "semodule -r invalid" 1
+ rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
+ rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
+ rlRun "semanage module -a invalid.cil" 1
+ rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
+ rlRun "semanage module -r invalid" 1
+ rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "rm -f empty.cil invalid.cil"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
diff --git a/tests/load_policy/Makefile b/tests/load_policy/Makefile
new file mode 100644
index 0000000..ffee588
--- /dev/null
+++ b/tests/load_policy/Makefile
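Review bot: The cleanup phase removes only the two .cil files, so a run in which `semodule -i empty.cil` or `semanage module -a empty.cil` succeeds and the matching removal fails leaves the `empty` module in the policy store of the test host. A best-effort removal before the `rm -f` would cover that, e.g. `rlRun "semodule -r empty" 0-255`. The list checks are also loose: `grep '400.*empty.*cil'` matches any priority-400 line that contains `empty` and `cil` anywhere, so an unrelated module name could satisfy or break the assertion. A pattern that matches the module name as a whole field would make the before/after checks mean what they say.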
@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/policycoreutils/Sanity/load_policy
+# Description: Does load_policy work as expected? Does it produce correct audit messages?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Sanity/load_policy
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Does load_policy work as expected? Does it produce correct audit messages?" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: policycoreutils" >> $(METADATA)
+ @echo "Requires: audit policycoreutils selinux-policy-targeted" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/tests/load_policy/PURPOSE b/tests/load_policy/PURPOSE
new file mode 100644
index 0000000..a5984d3
--- /dev/null
+++ b/tests/load_policy/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/policycoreutils/Sanity/load_policy
+Author: Milos Malik
+
+Does load_policy work as expected? Does it produce correct audit messages?
+
diff --git a/tests/load_policy/runtest.sh b/tests/load_policy/runtest.sh
new file mode 100755
index 0000000..2a77654
--- /dev/null
+++ b/tests/load_policy/runtest.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/policycoreutils/Sanity/load_policy
+# Description: Does load_policy work as expected? Does it produce correct audit messages?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+if rlIsRHEL 6 ; then
+ SELINUX_FS_MOUNT="/selinux"
+else # RHEL-7 and above
+ SELINUX_FS_MOUNT="/sys/fs/selinux"
+fi
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm ${PACKAGE}
+ rlRun "ls -l `which load_policy`"
+ BINARY_POLICY=`find /etc/selinux/targeted -type f -name policy.?? | sort -n | tail -n 1`
+ rlRun "ls -l ${BINARY_POLICY}"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "load_policy --xyz 2>&1 | grep \"invalid option\""
+ rlRun "dmesg | grep -i selinux" 0,1
+ rlRun "grep -i selinux /proc/mounts"
+ START_DATE_TIME=`date "+%m/%d/%Y %T"`
+ sleep 1
+ rlRun "load_policy -q"
+ rlRun "grep -i selinux /proc/mounts"
+ sleep 1
+ if rlIsRHEL ; then
+ rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep load_policy"
+ fi
+ rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep 'policy loaded'"
+ rlRun "umount ${SELINUX_FS_MOUNT}"
+ rlRun "grep -i selinux /proc/mounts" 1
+ START_DATE_TIME=`date "+%m/%d/%Y %T"`
+ sleep 1
+ rlRun "load_policy -i ${BINARY_POLICY}"
+ rlRun "grep -i selinux /proc/mounts"
+ sleep 1
+ if rlIsRHEL ; then
+ rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep load_policy"
+ fi
+ rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep 'policy loaded'"
+ rlRun "dmesg | grep -i selinux"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
diff --git a/tests/restorecon/Makefile b/tests/restorecon/Makefile
new file mode 100644
index 0000000..991e8f9
--- /dev/null
+++ b/tests/restorecon/Makefile
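Review bot: The test phase runs `umount ${SELINUX_FS_MOUNT}` and relies on the following `load_policy -i ${BINARY_POLICY}` to bring selinuxfs back, while the cleanup phase is empty; if that reload fails the host is left with selinuxfs unmounted, and the Makefile for this test still declares `Destructive: no`. I would record `getenforce` in setup and restore the mode in cleanup, because `load_policy -i` is the initial-load path and may reset the enforcing state from the configuration file (worth confirming). For the mount, a cleanup line such as `rlRun "grep -q selinuxfs /proc/mounts || mount -t selinuxfs selinuxfs ${SELINUX_FS_MOUNT}"` would do. The empty cleanup phase recurs in the semanage-interface and semanage-login runtest.sh hunks, where the `xyz` records are removed only inside the test phase. Separately, `-ts ${START_DATE_TIME}` hands ausearch a `%m/%d/%Y` date, which ausearch interprets according to the locale, so the test presumably needs a fixed `LC_ALL` or `LC_TIME`.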
@@ -0,0 +1,70 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/policycoreutils/Sanity/restorecon
+# Description: does restorecon work correctly ?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Sanity/restorecon
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE testpolicy.te testpolicy.fc
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh
+ chcon -t bin_t runtest.sh;:
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: does restorecon work correctly ?" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 15m" >> $(METADATA)
+ @echo "RunFor: policycoreutils" >> $(METADATA)
+ @echo "Requires: policycoreutils" >> $(METADATA)
+ @echo "Requires: grep" >> $(METADATA)
+ @echo "Requires: e2fsprogs" >> $(METADATA)
+ @echo "Requires: libselinux" >> $(METADATA)
+ @echo "Requires: selinux-policy-devel" >> $(METADATA)
+ @echo "Requires: libselinux-utils" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/tests/restorecon/PURPOSE b/tests/restorecon/PURPOSE
new file mode 100644
index 0000000..d029be8
--- /dev/null
+++ b/tests/restorecon/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/policycoreutils/Sanity/restorecon
+Author: Milos Malik
+
+Does restorecon work correctly?
+
diff --git a/tests/restorecon/runtest.sh b/tests/restorecon/runtest.sh
new file mode 100755
index 0000000..b16d4c0
--- /dev/null
+++ b/tests/restorecon/runtest.sh
@@ -0,0 +1,367 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/policycoreutils/Sanity/restorecon +# Description: does restorecon work correctly ? +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. 
/usr/share/beakerlib/beakerlib.sh + +PACKAGE="policycoreutils" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + rlServiceStop mcstrans mcstransd + rlRun "rpm -qf `which restorecon` | grep ${PACKAGE}" + rlRun "setenforce 1" + rlRun "sestatus" + rlRun "setsebool allow_domain_fd_use on" + rlPhaseEnd + + rlPhaseStartTest "Functional test" + + TESTDIR="/opt/restorecon_testdir" + DIRS="correct.dir incorrect1.dir incorrect2.dir customizable.dir" + FILES="correct.file incorrect.file customizable.file" + + rlRun "make -f /usr/share/selinux/devel/Makefile" + rlRun "semodule -i testpolicy.pp" + + rlFileBackup /etc/selinux/targeted/contexts/customizable_types + rlRun "echo 'customizable_t' >> /etc/selinux/targeted/contexts/customizable_types" + + # Here is the testing dirs and files structure + # all the files have initial context corresponding to their names + + # ./ + # correct.file + # incorrect.file + # customizable.file + + # correct.dir/ + # correct.file + # incorrect.file + # customizable.file + + # incorrect1.dir/ + # correct.file + # incorrect.file + # customizable.file + + # incorrect2.dir/ + # correct.file + # incorrect.file + # customizable.file + + # customizable.dir/ + # correct.file + # incorrect.file + # customizable.file + + # Function to set initial contexts + function set_contexts { + # Set the intended contexts + rlLog "Setting initial contexts of testing dirs..." + restorecon -R $TESTDIR + for ITEM in `find . -name 'incorrect*'`; do + chcon -t incorrect_t $ITEM + done + for ITEM in `find . 
-name 'customizable*'`; do + chcon -t customizable_t $ITEM + done + } + + # Check that files in dir $1 have the initial contexts + function check_initial_contexts { + if echo $1 | grep -q 'incorrect.dir'; then + rlRun "ls -ladZ $1 | grep :incorrect_t" + elif echo $1 | grep -q 'correct.dir'; then + rlRun "ls -ladZ $1 | grep :correct_t" + elif echo $1 | grep -q 'customizable.dir'; then + rlRun "ls -ladZ $1 | grep :customizable_t" + fi + rlRun "ls -ladZ $1/* | grep '\ ../file_list < +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. 
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Regression/semanage-interface
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+ test -x runtest.sh || chcon -t bin_t runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Does semanage interface ... work correctly?" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 20m" >> $(METADATA)
+ @echo "RunFor: policycoreutils" >> $(METADATA)
+ @echo "Requires: policycoreutils policycoreutils-python-utils grep selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/tests/semanage-interface/PURPOSE b/tests/semanage-interface/PURPOSE
new file mode 100644
index 0000000..86bd3ab
--- /dev/null
+++ b/tests/semanage-interface/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/policycoreutils/Regression/semanage-interface
+Description: Does semanage interface ... work correctly?
+Author: Milos Malik
+
diff --git a/tests/semanage-interface/runtest.sh b/tests/semanage-interface/runtest.sh
new file mode 100755
index 0000000..ba8608b
--- /dev/null
+++ b/tests/semanage-interface/runtest.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-interface
+# Description: Does semanage interface ... work correctly?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm ${PACKAGE}
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "semanage interface --help" 0,1
+ for POLICY_TYPE in minimum mls targeted ; do
+ if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then
+ continue
+ fi
+ rlRun "semanage interface -l -S ${POLICY_TYPE}"
+ done
+ if ! rlIsRHEL 5; then
+ rlRun "semanage interface -l -S unknown 2>&1 | grep \"store cannot be accessed\""
+ fi
+ rlRun "semanage interface -a -t xyz_t xyz 2>&1 | grep -i -e 'not defined' -e 'error' -e 'could not'"
+ rlRun "semanage interface -m xyz" 1,2
+ rlRun "semanage interface -d xyz" 1
+ rlRun "semanage interface -a -t netif_t xyz"
+ if rlIsRHEL 5 6; then
+ rlRun "semanage interface -m -r s0 xyz"
+ else
+ rlRun "semanage interface -m -t netif_t -r s0 xyz"
+ fi
+ rlRun "semanage interface -l | grep \"xyz.*:netif_t:s0\""
+ rlRun "semanage interface -d xyz"
+ rlRun "semanage interface -l | grep xyz" 1
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
diff --git a/tests/semanage-login/Makefile b/tests/semanage-login/Makefile
new file mode 100644
index 0000000..1172ca9
--- /dev/null
+++ b/tests/semanage-login/Makefile
@@ -0,0 +1,65 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/policycoreutils/Regression/semanage-login
+# Description: Does semanage login ... work correctly?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Regression/semanage-login
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+ test -x runtest.sh || chcon -t bin_t runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Does semanage login ... work correctly?" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 10m" >> $(METADATA)
+ @echo "RunFor: policycoreutils" >> $(METADATA)
+ @echo "Requires: policycoreutils policycoreutils-python-utils grep shadow-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/tests/semanage-login/PURPOSE b/tests/semanage-login/PURPOSE
new file mode 100644
index 0000000..b8f26c6
--- /dev/null
+++ b/tests/semanage-login/PURPOSE
@@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/policycoreutils/Regression/semanage-login
+Description: Does semanage login ... work correctly?
+Author: Milos Malik
+
diff --git a/tests/semanage-login/runtest.sh b/tests/semanage-login/runtest.sh
new file mode 100755
index 0000000..daf074c
--- /dev/null
+++ b/tests/semanage-login/runtest.sh
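Review bot: In the `build` recipe the second line, `test -x runtest.sh || chcon -t bin_t runtest.sh`, can never reach `chcon`: the line before it has already made the script executable or failed the recipe, so `test -x` succeeds and the relabel is skipped. If the `bin_t` label is wanted, run it unconditionally and tolerate hosts where relabelling fails, e.g. `-chcon -t bin_t runtest.sh`; if it is not needed, drop the line. The semanage-interface Makefile in this commit carries the same two lines.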
@@ -0,0 +1,67 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-login
+# Description: Does semanage login ... work correctly?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm ${PACKAGE}
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "semanage login --help" 0,1
+ for POLICY_TYPE in minimum mls targeted ; do
+ if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then
+ continue
+ fi
+ rlRun "semanage login -l -S ${POLICY_TYPE}"
+ done
+ if ! rlIsRHEL 5; then
+ rlRun "semanage login -l -S unknown 2>&1 | grep \"store cannot be accessed\""
+ fi
+ rlRun "semanage login -a -s xyz_u xyz 2>&1 | grep -i -e 'does not exist' -e 'mapping.*invalid' -e 'could not query'"
+ rlRun "semanage login -m xyz" 1
+ rlRun "semanage login -d xyz" 1
+ rlRun "useradd xyz"
+ rlRun "semanage login -a -s user_u xyz"
+ rlRun "semanage login -m -r s0 xyz"
+ rlRun "semanage login -l | grep \"xyz.*user_u.*s0\""
+ rlRun "semanage login -d xyz"
+ rlRun "semanage login -l | grep xyz" 1
+ rlRun "userdel -rf xyz"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
diff --git a/tests/semanage-permissive-d-problems/Makefile b/tests/semanage-permissive-d-problems/Makefile
new file mode 100644
index 0000000..a5bffc2
--- /dev/null
+++ b/tests/semanage-permissive-d-problems/Makefile
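Review bot: `rlRun "userdel -rf xyz"` runs whether or not the earlier `rlRun "useradd xyz"` actually created the account, so on a host that already has a user `xyz` the test removes that account and its home directory. A setup assertion such as `rlRun "id xyz" 1 "account xyz must not exist"` would make the precondition explicit. Moving `semanage login -d xyz` and `userdel -rf xyz` into the cleanup phase, as best-effort steps, would keep the login mapping and the account from outliving a failed run. A less generic name than `xyz` would also lower the chance of a collision.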
@@ -0,0 +1,70 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
+# Description: semanage permissive -d accepts more than domain types, its behavior is not reliable
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh
+ chcon -t bin_t runtest.sh; :
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: semanage permissive -d accepts more than domain types, its behavior is not reliable" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 20m" >> $(METADATA)
+ @echo "RunFor: policycoreutils" >> $(METADATA)
+ @echo "Requires: policycoreutils" >> $(METADATA)
+ @echo "Requires: policycoreutils-python-utils" >> $(METADATA)
+ @echo "Requires: policycoreutils-devel" >> $(METADATA)
+ @echo "Requires: selinux-policy-devel" >> $(METADATA)
+ @echo "Requires: grep" >> $(METADATA)
+ @echo "Requires: coreutils" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELServer5 -RHELClient5" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/tests/semanage-permissive-d-problems/PURPOSE b/tests/semanage-permissive-d-problems/PURPOSE
new file mode 100644
index 0000000..f0d5e6f
--- /dev/null
+++ b/tests/semanage-permissive-d-problems/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
+Author: Milos Malik
+
+Does semanage permissive work correctly?
+
diff --git a/tests/semanage-permissive-d-problems/runtest.sh b/tests/semanage-permissive-d-problems/runtest.sh new file mode 100755 index 0000000..61ccc4f --- /dev/null +++ b/tests/semanage-permissive-d-problems/runtest.sh 
@@ -0,0 +1,93 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems +# Description: semanage permissive -d accepts more than domain types, its behavior is not reliable +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. 
/usr/share/beakerlib/beakerlib.sh + +PACKAGE="policycoreutils" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + rlRun "rpm -qf /usr/sbin/semanage" + OUTPUT_FILE=`mktemp` + rlRun "sestatus" + rlPhaseEnd + + if selinuxenabled ; then + rlPhaseStartTest + if rlIsRHEL 7 ; then + rlFileBackup /usr/share/selinux/default/Makefile + rlRun "rm -rf /usr/share/selinux/default/Makefile" + fi + rlRun "semanage permissive -l | grep fenced" 1 + rlRun "semanage permissive -a fenced_t" + rlRun "semanage permissive -l | grep fenced" + rlRun "semanage permissive -d fenced_t" + rlRun "semanage permissive -l | grep fenced" 1 + if rlIsRHEL 7 ; then + rlFileRestore + fi + rlPhaseEnd + + rlPhaseStartTest + rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}" + rlRun "wc -l < ${OUTPUT_FILE} | grep ^0$" + rlRun "semanage permissive -a ypbind_t" + rlRun "semanage permissive -a ypserv_t" + rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}" + rlRun "wc -l < ${OUTPUT_FILE} | grep ^2$" + rlRun "semanage permissive -d yp" 1-255 + rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}" + rlRun "wc -l < ${OUTPUT_FILE} | grep ^2$" + rlRun "semanage permissive -d ypbind_t" + rlRun "semanage permissive -d ypserv_t" + rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}" + rlRun "wc -l < ${OUTPUT_FILE} | grep ^0$" + rlPhaseEnd + + rlPhaseStartTest + rlRun -s "semanage permissive -d" 1 + rlAssertNotGrep 'traceback' $rlRun_LOG -iEq + rlAssertGrep 'error: the following argument is required: type' $rlRun_LOG -iEq + rm -f $rlRun_LOG + rlPhaseEnd + else + rlPhaseStartTest + rlRun "semanage permissive -l >& ${OUTPUT_FILE}" 0,1 + rlRun "grep -C 32 -i -e exception -e traceback -e error ${OUTPUT_FILE}" 1 + rlPhaseEnd + fi + + rlPhaseStartCleanup + rm -f ${OUTPUT_FILE} + rlPhaseEnd +rlJournalPrintText +rlJournalEnd + 
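Review bot: The Cleanup phase only removes `${OUTPUT_FILE}`, so if any `semanage permissive -d` step in the test phases fails, `fenced_t`, `ypbind_t` or `ypserv_t` stays permissive on the host after the run. Undo that state in Cleanup regardless of the test outcome, e.g. `for T in fenced_t ypbind_t ypserv_t ; do rlRun "semanage permissive -d $T" 0-255 ; done`. The RHEL 7 branch has the same shape: `rlFileRestore` for `/usr/share/selinux/default/Makefile` sits inside the test phase rather than in Cleanup. The runtest.sh files for semanage-port-add-delete-problems (ports 1389, 5005, 60514-60516), semanage-user (`xyz_u`, the `testpolicy` module) and sepolicy-generate (the `testpolicy` module) later in this patch likewise undo their policy changes only inside the test phases.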
diff --git a/tests/semanage-port-add-delete-problems/Makefile b/tests/semanage-port-add-delete-problems/Makefile
new file mode 100644
index 0000000..263da02
--- /dev/null
+++ b/tests/semanage-port-add-delete-problems/Makefile
@@ -0,0 +1,71 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems +# Description: semanage accepts invalid port numbers and then cannot delete them +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x runtest.sh + chcon -t bin_t runtest.sh;: + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: semanage accepts invalid port numbers and then cannot delete them" >> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 15m" >> $(METADATA) + @echo "RunFor: policycoreutils" >> $(METADATA) + @echo "Requires: policycoreutils" >> $(METADATA) + @echo "Requires: policycoreutils-python-utils" >> $(METADATA) + @echo "Requires: setools-console" >> $(METADATA) + @echo "Requires: libselinux" >> $(METADATA) + @echo "Requires: libselinux-utils" >> $(METADATA) + @echo "Requires: coreutils" >> $(METADATA) + @echo "Requires: grep" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/tests/semanage-port-add-delete-problems/PURPOSE b/tests/semanage-port-add-delete-problems/PURPOSE new file mode 100644 index 0000000..a59e74f --- /dev/null +++ b/tests/semanage-port-add-delete-problems/PURPOSE @@ -0,0 +1,5 @@ +PURPOSE of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems +Author: Milos Malik + +semanage accepts invalid port numbers and then cannot delete them + 
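Review bot: In `build`, `chcon -t bin_t runtest.sh;:` discards chcon's exit status without saying why, so a relabel failure on an SELinux-enabled host passes silently. If the intent is best-effort labeling, a comment line above the rule such as `# chcon is best effort: it may fail where SELinux is disabled` would record it, and make's `-` prefix (`-chcon -t bin_t runtest.sh`) expresses it more plainly than `;:`. The sestatus and setsebool Makefiles later in this patch run the same `chcon` without ignoring errors, so the files disagree on whether the label is required.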
diff --git a/tests/semanage-port-add-delete-problems/runtest.sh b/tests/semanage-port-add-delete-problems/runtest.sh
new file mode 100755
index 0000000..2bd9c9a
--- /dev/null
+++ b/tests/semanage-port-add-delete-problems/runtest.sh
@@ -0,0 +1,137 @@ +#!/bin/bash +# vim: dict=/usr/share/rhts-library/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems +# Description: semanage accepts invalid port numbers and then cannot delete them +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +. /usr/bin/rhts-environment.sh || exit 1 +. 
/usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="policycoreutils" +PORT_NAME="ldap_port_t" +BAD_PORT_NUMBER="123456" +GOOD_PORT_NUMBER="1389" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + rlRun "rpm -qf /usr/sbin/semanage" + rlRun "rpm -qf /usr/bin/seinfo" + OUTPUT_FILE=`mktemp` + rlRun "setenforce 1" + rlRun "sestatus" + rlPhaseEnd + + rlPhaseStartTest + rlRun "semanage port -l | grep ${PORT_NAME}" + + rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}" + rlRun "semanage port -a -t ${PORT_NAME} -p tcp ${BAD_PORT_NUMBER}" 1 + rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}" + rlRun "semanage port -d -t ${PORT_NAME} -p tcp ${BAD_PORT_NUMBER}" 1 + rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}" + #rlRun "sort ${OUTPUT_FILE} | uniq | wc -l | grep '^2$'" + + rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}" 1 + rlRun "semanage port -a -t ${PORT_NAME} -p tcp ${GOOD_PORT_NUMBER}" + rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}" + rlRun "semanage port -d -t ${PORT_NAME} -p tcp ${GOOD_PORT_NUMBER}" + rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}" 1 + rlPhaseEnd + + rlPhaseStartTest + rlRun "semanage port -a -t syslogd_port_t -p tcp 60514-60516 2>&1 | grep -i traceback" 1 + rlRun "semanage port -l | grep syslogd_port_t" + rlRun "semanage port -d -t syslogd_port_t -p tcp 60514-60516 2>&1 | grep -i traceback" 1 + rlPhaseEnd + + if rlIsRHEL ; then + rlPhaseStartTest + rlRun "ps -efZ | grep -v grep | grep \"auditd_t.*auditd\"" + if rlIsRHEL 5 6; then + PORT_TYPE="syslogd_port_t" + else + PORT_TYPE="commplex_link_port_t" + fi + + # adding a port number to a type + START_DATE_TIME=`date "+%m/%d/%Y %T"` + sleep 1 + rlRun "semanage port -a -p tcp -t $PORT_TYPE 5005" + sleep 2 + + # Check for user_avc + rlRun "ausearch -m user_avc -ts ${START_DATE_TIME} > ${OUTPUT_FILE}" 0,1 + LINE_COUNT=`wc -l < ${OUTPUT_FILE}` + rlRun "cat 
${OUTPUT_FILE}" + rlAssert0 "number of lines in ${OUTPUT_FILE} should be 0" ${LINE_COUNT} + + # deleting a port number from a type + START_DATE_TIME=`date "+%m/%d/%Y %T"` + sleep 1 + rlRun "semanage port -d -p tcp -t $PORT_TYPE 5005" + sleep 2 + + # Check for user_avc + rlRun "ausearch -m user_avc -ts ${START_DATE_TIME} > ${OUTPUT_FILE}" 0,1 + LINE_COUNT=`wc -l < ${OUTPUT_FILE}` + rlRun "cat ${OUTPUT_FILE}" + rlAssert0 "number of lines in ${OUTPUT_FILE} should be 0" ${LINE_COUNT} + rlPhaseEnd + fi + + if ! rlIsRHEL 5 ; then + rlPhaseStartTest + rlRun "seinfo --portcon | grep :hi_reserved_port_t:" + rlRun "seinfo --portcon | grep :reserved_port_t:" + rlRun "semanage port -l | grep ^hi_reserved_port_t" + rlRun "semanage port -l | grep ^reserved_port_t" + if ! rlIsRHEL 6 ; then + rlRun "seinfo --portcon | grep :unreserved_port_t:" + rlRun "semanage port -l | grep ^unreserved_port_t" + fi + rlPhaseEnd + fi + + rlPhaseStartTest "manipulation with hard-wired ports" + rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'" + rlRun "semanage port -a -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}" + rlAssertGrep "port .* already defined" ${OUTPUT_FILE} -i + rlRun "semanage port -a -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}" + rlAssertGrep "port .* already defined" ${OUTPUT_FILE} -i + rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'" + rlRun "semanage port -d -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}" + rlAssertGrep "port .* is defined in policy.*cannot be deleted" ${OUTPUT_FILE} -i + rlRun "semanage port -d -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}" + rlAssertGrep "port .* is defined in policy.*cannot be deleted" ${OUTPUT_FILE} -i + rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'" + rlPhaseEnd + + rlPhaseStartCleanup + rm -f ${OUTPUT_FILE} + rlPhaseEnd +rlJournalPrintText +rlJournalEnd + diff --git a/tests/semanage-user/Makefile b/tests/semanage-user/Makefile new file mode 100644 index 0000000..5ab248d --- /dev/null 
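Review bot: Setup runs `setenforce 1` but the previous mode is never recorded, and Cleanup only removes `${OUTPUT_FILE}`, so a host that started permissive is left enforcing after the test. Save the mode in Setup with `ORIG_MODE=$(getenforce)` and restore it in Cleanup with `rlRun "setenforce ${ORIG_MODE}"`. Separately, in the `60514-60516` phase `rlRun` appears to see only the exit status of `grep -i traceback`, so a `semanage port -a` that fails without a traceback would still pass. The following `semanage port -l | grep syslogd_port_t` does not check that the range itself is listed.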
+++ b/tests/semanage-user/Makefile 
@@ -0,0 +1,65 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/policycoreutils/Regression/semanage-user +# Description: Does semanage user ... work correctly? +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/policycoreutils/Regression/semanage-user +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE testpolicy.te + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + test -x runtest.sh || chcon -t bin_t runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Does semanage user ... work correctly?" 
>> $(METADATA) + @echo "Type: Regression" >> $(METADATA) + @echo "TestTime: 20m" >> $(METADATA) + @echo "RunFor: policycoreutils" >> $(METADATA) + @echo "Requires: policycoreutils policycoreutils-python-utils grep selinux-policy-devel selinux-policy-minimum selinux-policy-mls selinux-policy-targeted selinux-policy-devel" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/tests/semanage-user/PURPOSE b/tests/semanage-user/PURPOSE new file mode 100644 index 0000000..8089db8 --- /dev/null +++ b/tests/semanage-user/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/policycoreutils/Regression/semanage-user +Description: Does semanage user ... work correctly? +Author: Milos Malik + diff --git a/tests/semanage-user/runtest.sh b/tests/semanage-user/runtest.sh new file mode 100755 index 0000000..b2413fb --- /dev/null +++ b/tests/semanage-user/runtest.sh 
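Review bot: The second `build` line, `test -x runtest.sh || chcon -t bin_t runtest.sh`, can never run `chcon`: the line before it has already made runtest.sh executable, so `test -x` succeeds and the `||` branch is skipped. If the `bin_t` label is wanted, as in the other Makefiles of this patch, run it unconditionally (`chcon -t bin_t runtest.sh`); otherwise drop the line. The `Requires:` line also lists `selinux-policy-devel` twice.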
@@ -0,0 +1,76 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-user +# Description: Does semanage user ... work correctly? +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include Beaker environment +. /usr/bin/rhts-environment.sh || exit 1 +. /usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="policycoreutils" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + rlRun "make -f /usr/share/selinux/devel/Makefile" + rlRun "ls -l testpolicy.pp" + rlPhaseEnd + + rlPhaseStartTest + if rlIsRHEL 5 6; then + rlRun "semanage user --help" 1 + else + rlRun "semanage user --help" 0 + # semanage: list option can not be used with --level ("semanage user -l") + rlRun "semanage user --help | grep fcontext" 1 + fi + for POLICY_TYPE in minimum mls targeted ; do + if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then + continue + fi + rlRun "semanage user -l -S ${POLICY_TYPE}" + done + if ! 
rlIsRHEL 5; then + rlRun "semanage user -l -S unknown 2>&1 | grep \"store cannot be accessed\"" + fi + rlRun "semanage user -a -P user -R xyz_r xyz_u 2>&1 | grep -i -e 'undefined' -e 'error' -e 'could not'" + rlRun "semanage user -m xyz_u" 1 + rlRun "semanage user -d xyz_u" 1 + rlRun "semodule -i testpolicy.pp" + rlRun "semanage user -a -P user -R xyz_r xyz_u" + rlRun "semanage user -m -r s0 xyz_u" + rlRun "semanage user -l | grep \"xyz_u.*s0.*s0.*xyz_r\"" + rlRun "semanage user -d xyz_u" + rlRun "semanage user -l | grep xyz_u" 1 + rlRun "semodule -r testpolicy" + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "rm -rf tmp testpolicy.{fc,if,pp}" + rlPhaseEnd +rlJournalPrintText +rlJournalEnd + diff --git a/tests/semanage-user/testpolicy.te b/tests/semanage-user/testpolicy.te new file mode 100644 index 0000000..b854bef --- /dev/null +++ b/tests/semanage-user/testpolicy.te @@ -0,0 +1,11 @@ +module testpolicy 1.0; + +type xyz_t; +role xyz_r; + +require { + type xyz_t; +} + +role xyz_r types xyz_t; + diff --git a/tests/sepolicy-generate/Makefile b/tests/sepolicy-generate/Makefile new file mode 100644 index 0000000..9e1a9b7 --- /dev/null +++ b/tests/sepolicy-generate/Makefile 
@@ -0,0 +1,64 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/policycoreutils/Sanity/sepolicy-generate +# Description: sepolicy generate sanity test +# Author: Michal Trunecka +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/policycoreutils/Sanity/sepolicy-generate +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Michal Trunecka " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: sepolicy generate sanity test" >> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 115m" >> $(METADATA) + @echo "RunFor: policycoreutils" >> $(METADATA) + @echo "Requires: policycoreutils policycoreutils-devel rpm-build" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHEL5 -RHEL6" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/tests/sepolicy-generate/PURPOSE b/tests/sepolicy-generate/PURPOSE new file mode 100644 index 0000000..a069ff2 --- /dev/null +++ b/tests/sepolicy-generate/PURPOSE @@ -0,0 +1,3 @@ +PURPOSE of /CoreOS/policycoreutils/Sanity/sepolicy-generate +Description: sepolicy generate sanity test +Author: Michal Trunecka diff --git a/tests/sepolicy-generate/runtest.sh b/tests/sepolicy-generate/runtest.sh new file mode 100755 index 0000000..5da10b8 --- /dev/null +++ b/tests/sepolicy-generate/runtest.sh 
@@ -0,0 +1,115 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/policycoreutils/Sanity/sepolicy-generate +# Description: sepolicy generate sanity test +# Author: Michal Trunecka +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2013 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include Beaker environment +. /usr/bin/rhts-environment.sh || exit 1 +. 
/usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="policycoreutils" + +rlJournalStart + rlPhaseStartSetup + rlRun "rlCheckRequirements ${PACKAGES[*]}" || rlDie "cannot continue" + rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" + rlRun "pushd $TmpDir" + rlPhaseEnd + + rlPhaseStartTest + rlRun "mkdir mypolicy" + rlRun "sepolicy generate --customize -p mypolicy -n testpolicy -d httpd_sys_script_t -w /home" + rlRun "grep 'manage_dirs_pattern(httpd_sys_script_t' mypolicy/testpolicy.te" + rlRun "rm -rf mypolicy" + rlPhaseEnd + + rlPhaseStartTest + rlRun "mkdir mypolicy" + rlRun "touch /usr/bin/testpolicy" + for VARIANT in " -n testpolicy --admin_user -r webadm_r" \ + " --application /usr/bin/testpolicy " \ + " -n testpolicy --confined_admin -a firewalld " \ + " -n testpolicy --confined_admin " \ + " -n testpolicy --customize -d httpd_t -a firewalld " \ + " -n testpolicy --customize -d httpd_t" \ + " --dbus /usr/bin/testpolicy " \ + " -n testpolicy --desktop_user " \ + " --inetd /usr/bin/testpolicy " \ + " --init /usr/bin/testpolicy " \ + " -n testpolicy --newtype -t newtype_var_log_t " \ + " -n testpolicy --newtype -t newtype_unit_file_t " \ + " -n testpolicy --newtype -t newtype_var_run_t " \ + " -n testpolicy --newtype -t newtype_var_cache_t " \ + " -n testpolicy --newtype -t newtype_tmp_t " \ + " -n testpolicy --newtype -t newtype_port_t " \ + " -n testpolicy --newtype -t newtype_var_spool_t " \ + " -n testpolicy --newtype -t newtype_var_lib_t " \ + " -n testpolicy --sandbox " \ + " -n testpolicy --term_user " \ + " -n testpolicy --x_user " +# " --cgi /usr/bin/testpolicy " + do + rlRun "sepolicy generate -p mypolicy $VARIANT" + rlRun "cat mypolicy/testpolicy.te" + rlRun "cat mypolicy/testpolicy.if" + rlRun "cat mypolicy/testpolicy.fc" + if echo "$VARIANT" | grep -q newtype; then + rlAssertNotExists "mypolicy/testpolicy.sh" + rlAssertNotExists "mypolicy/testpolicy.spec" + else + rlRun "mypolicy/testpolicy.sh" + rlRun "semodule -l | grep testpolicy" + 
rlRun "semanage user -d testpolicy_u" 0-255 + rlRun "semodule -r testpolicy" + fi + + rlRun "rm -rf mypolicy/*" + rlRun "sleep 1" + + if ! echo "$VARIANT" | grep -q newtype; then + rlRun "sepolicy generate -p mypolicy -w /home $VARIANT" + rlRun "cat mypolicy/testpolicy.te" + rlRun "cat mypolicy/testpolicy.if" + rlRun "cat mypolicy/testpolicy.fc" + + rlRun "mypolicy/testpolicy.sh" + rlRun "semodule -l | grep testpolicy" + rlRun "semanage user -d testpolicy_u" 0-255 + rlRun "semodule -r testpolicy" + + rlRun "rm -rf mypolicy/*" + rlRun "sleep 1" + fi + done + rlRun "rm -rf mypolicy" + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "popd" + rlRun "rm -r $TmpDir" 0 "Removing tmp directory" + rlPhaseEnd +rlJournalPrintText +rlJournalEnd diff --git a/tests/sestatus/Makefile b/tests/sestatus/Makefile new file mode 100644 index 0000000..e45db0d --- /dev/null +++ b/tests/sestatus/Makefile 
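Review bot: `rlCheckRequirements ${PACKAGES[*]}` in Setup expands an array this script never defines (only `PACKAGE` is set), so the check receives no package names and presumably verifies nothing before the `rlDie` guard. Define the list before `rlJournalStart`, e.g. `PACKAGES=(policycoreutils policycoreutils-devel rpm-build)` to match the `Requires:` line of this test's Makefile. The second test phase also creates `/usr/bin/testpolicy` with `touch` and nothing removes it; add `rlRun "rm -f /usr/bin/testpolicy"` to Cleanup.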
@@ -0,0 +1,67 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/policycoreutils/Sanity/sestatus +# Description: tests everything about sestatus +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/policycoreutils/Sanity/sestatus +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x runtest.sh + chcon -t bin_t runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: tests everything about sestatus" >> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 5m" >> $(METADATA) + @echo "RunFor: policycoreutils" >> $(METADATA) + @echo "Requires: policycoreutils" >> $(METADATA) + @echo "Requires: grep" >> $(METADATA) + @echo "Requires: man" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/tests/sestatus/PURPOSE b/tests/sestatus/PURPOSE new file mode 100644 index 0000000..cacee0f --- /dev/null +++ b/tests/sestatus/PURPOSE @@ -0,0 +1,4 @@ +PURPOSE of /CoreOS/policycoreutils/Sanity/sestatus +Description: tests everything about sestatus +Author: Milos Malik + diff --git a/tests/sestatus/runtest.sh b/tests/sestatus/runtest.sh new file mode 100644 index 0000000..b91b948 --- /dev/null +++ b/tests/sestatus/runtest.sh 
@@ -0,0 +1,114 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/policycoreutils/Sanity/sestatus +# Description: tests everything about sestatus +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2011 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. 
/usr/share/beakerlib/beakerlib.sh + +PACKAGE="policycoreutils" +if rlIsRHEL 5 6 ; then + SELINUX_FS_MOUNT="/selinux" +else # RHEL-7 and above + SELINUX_FS_MOUNT="/sys/fs/selinux" +fi + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + rlFileBackup /etc/sestatus.conf + rlRun "mount | grep -i selinux" 0,1 + OUTPUT_FILE=`mktemp` + rlPhaseEnd + + rlPhaseStartTest "basic use" + rlRun "sestatus" + rlRun "sestatus -b 2>&1 | tee ${OUTPUT_FILE}" + rlAssertGrep "policy booleans" ${OUTPUT_FILE} -i + rlRun "sestatus -v 2>&1 | tee ${OUTPUT_FILE}" + rlAssertGrep "process contexts" ${OUTPUT_FILE} -i + rlAssertGrep "file contexts" ${OUTPUT_FILE} -i + rlAssertGrep "current context" ${OUTPUT_FILE} -i + rlAssertGrep "init context" ${OUTPUT_FILE} -i + rlAssertGrep "controlling term" ${OUTPUT_FILE} -i + rlRun "sestatus --xyz 2>&1 | tee ${OUTPUT_FILE}" + rlAssertGrep "invalid option" ${OUTPUT_FILE} -i + rlPhaseEnd + + rlPhaseStartTest "extreme cases" + # pretend that the config file contains an invalid section + rlRun "sed -i 's/files/xyz/' /etc/sestatus.conf" + rlRun "sestatus -v 2>&1 | tee ${OUTPUT_FILE}" + rlAssertGrep "line not in a section" ${OUTPUT_FILE} -i + rlRun "rm -f /etc/sestatus.conf" + rlRun "mkdir /etc/sestatus.conf" # intentionally replaced a file with a directory + rlRun "sestatus -v" + # pretend that the config file is missing + rlRun "rm -rf /etc/sestatus.conf" + for OPTION in "-bv" "-v" ; do + rlRun "sestatus ${OPTION} 2>&1 | tee ${OUTPUT_FILE}" + rlAssertGrep "unable to open /etc/sestatus.conf" ${OUTPUT_FILE} -i + done + rlFileRestore + # pretend that SELinux is disabled + rlRun "umount ${SELINUX_FS_MOUNT}" + for OPTION in "" "-b" "-v" "-bv" ; do + rlRun "sestatus ${OPTION} 2>&1 | tee ${OUTPUT_FILE}" + rlAssertGrep "selinux status.*disabled" ${OUTPUT_FILE} -i + done + rlRun "mount -t selinuxfs none ${SELINUX_FS_MOUNT}" + # pretend that no booleans are defined + rlRun "mkdir ./booleans" + rlRun "mount --bind ./booleans ${SELINUX_FS_MOUNT}/booleans" + 
rlRun "sestatus -b 2>&1 | tee ${OUTPUT_FILE}" + rlRun "umount ${SELINUX_FS_MOUNT}/booleans" + rlAssertNotGrep "booleans" ${OUTPUT_FILE} -i + rlRun "rmdir ./booleans" + rlPhaseEnd + + # This bug is not worth fixing in RHEL-5 + if ! rlIsRHEL 5 ; then + rlPhaseStartTest + rlRun "rpm -ql ${PACKAGE} | grep /usr/sbin/sestatus" + rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/man8/sestatus.8" + for OPTION in b v ; do + rlRun "sestatus --help 2>&1 | grep -- -${OPTION}" + rlRun "man sestatus | col -b | grep -- -${OPTION}" + done + if ! rlIsRHEL 6 ; then + rlRun "man -w sestatus.conf" + fi + rlPhaseEnd + fi + + rlPhaseStartCleanup + rlFileRestore + rm -f ${OUTPUT_FILE} + rlPhaseEnd +rlJournalPrintText +rlJournalEnd + diff --git a/tests/setsebool/Makefile b/tests/setsebool/Makefile new file mode 100644 index 0000000..0730993 --- /dev/null +++ b/tests/setsebool/Makefile 
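Review bot: The "extreme cases" phase unmounts `${SELINUX_FS_MOUNT}` and bind-mounts an empty directory over `${SELINUX_FS_MOUNT}/booleans`, but Cleanup never checks that either was undone, so a failed `mount` or `umount` step leaves the host without a usable selinuxfs. Re-assert the mount in Cleanup, e.g. `grep -q selinuxfs /proc/mounts || rlRun "mount -t selinuxfs none ${SELINUX_FS_MOUNT}"`. The sestatus Makefile in this patch declares `Destructive: no`, which looks at odds with unmounting selinuxfs and replacing `/etc/sestatus.conf`; confirm the metadata.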
@@ -0,0 +1,65 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/policycoreutils/Sanity/setsebool
+# Description: does setsebool work correctly ?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Sanity/setsebool
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh
+ chcon -t bin_t runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: does setsebool work correctly ?" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 45m" >> $(METADATA)
+ @echo "RunFor: policycoreutils" >> $(METADATA)
+ @echo "Requires: audit policycoreutils libselinux-utils shadow-utils grep" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/tests/setsebool/PURPOSE b/tests/setsebool/PURPOSE
new file mode 100644
index 0000000..07ce0bf
--- /dev/null
+++ b/tests/setsebool/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/policycoreutils/Sanity/setsebool
+Author: Milos Malik
+
+Does setsebool work as expected? Does it produce correct audit messages?
+
diff --git a/tests/setsebool/runtest.sh b/tests/setsebool/runtest.sh
new file mode 100755
index 0000000..04040d1
--- /dev/null
+++ b/tests/setsebool/runtest.sh
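Review bot: `run` and `build` are command targets, but the `.PHONY` line in tests/setsebool/Makefile names only `all install download clean`. With `BUILT_FILES` empty, a stray file or directory called `build` in the test directory would be treated as up to date and the `chmod`/`chcon` recipe skipped. Unless the included `rhts-make.include` (not visible here) already declares them, the line should read `.PHONY: all install download clean run build`. The `build` recipe also relabels `runtest.sh` with `chcon -t bin_t` on every run, and a one-line comment such as `# NOTE(review): say why runtest.sh needs bin_t` would make clear that the reason is not stated.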
@@ -0,0 +1,151 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/policycoreutils/Sanity/setsebool
+# Description: does setsebool work correctly ?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="policycoreutils"
+USER_NAME="user${RANDOM}"
+USER_SECRET="s3kr3t${RANDOM}"
+BOOLEAN="ftpd_connect_db"
+if rlIsRHEL 5 6 ; then
+ SELINUX_FS_MOUNT="/selinux"
+else # RHEL-7 and above
+ SELINUX_FS_MOUNT="/sys/fs/selinux"
+fi
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm ${PACKAGE}
+ OUTPUT_FILE=`mktemp`
+ chcon -t tmp_t ${OUTPUT_FILE}
+
+ rlRun "useradd ${USER_NAME}"
+ rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ for OPTION in "" "-P" ; do
+ for OPERATOR in " " "=" ; do
+ for VALUE in 0 1 false true off on ; do
+ rlRun "setsebool ${OPTION} ${BOOLEAN}${OPERATOR}${VALUE} | grep -i -e illegal -e usage -e invalid" 1
+ if [ ${VALUE} == "0" -o ${VALUE} == "false" ] ; then
+ SHOWN_VALUE="off"
+ elif [ ${VALUE} == "1" -o ${VALUE} == "true" ] ; then
+ SHOWN_VALUE="on"
+ else
+ SHOWN_VALUE=${VALUE}
+ fi
+ rlRun "getsebool -a | grep \"^${BOOLEAN}.*${SHOWN_VALUE}\""
+ done
+ done
+ done
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "setsebool" 1
+ rlRun "setsebool xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
+ rlRun "setsebool xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
+ rlRun "setsebool xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
+ if ! rlIsRHEL 5 6 ; then
+ rlRun "setsebool -N 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
+ rlRun "setsebool -P 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
+ fi
+ rlRun "setsebool -P xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
+ rlRun "setsebool -P xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
+ rlRun "setsebool -P xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
+ rlPhaseEnd
+
+ if ! rlIsRHEL 5 6 ; then
+ rlPhaseStartTest
+ rlRun "su -l -c '/usr/sbin/setsebool allow_ypbind 0' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
+ rlAssertGrep "try as root" ${OUTPUT_FILE} -i
+ rlRun "su -l -c '/usr/sbin/setsebool allow_ypbind 1' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
+ rlAssertGrep "try as root" ${OUTPUT_FILE} -i
+ rlRun "su -l -c '/usr/sbin/setsebool -P allow_ypbind 0' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
+ rlAssertGrep "try as root" ${OUTPUT_FILE} -i
+ rlRun "su -l -c '/usr/sbin/setsebool -P allow_ypbind 1' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
+ rlAssertGrep "try as root" ${OUTPUT_FILE} -i
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ for OPTION in "" "-P" ; do
+ rlRun "getsebool allow_ypbind | grep nis_enabled"
+ rlRun "setsebool ${OPTION} allow_ypbind on"
+ rlRun "getsebool allow_ypbind | grep \"nis_enabled.*on\""
+ rlRun "setsebool ${OPTION} allow_ypbind off"
+ rlRun "getsebool allow_ypbind | grep \"nis_enabled.*off\""
+ done
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ # https://fedoraproject.org/wiki/Features/SELinuxBooleansRename
+ for LINE in `cat /etc/selinux/*/booleans.subs_dist | sort | uniq | tr -s ' ' | tr ' ' ':'` ; do
+ OLD_BOOLEAN_NAME=`echo ${LINE} | cut -d : -f 1`
+ NEW_BOOLEAN_NAME=`echo ${LINE} | cut -d : -f 2`
+ rlRun "getsebool ${OLD_BOOLEAN_NAME} 2>&1 | tee ${OUTPUT_FILE}"
+ rlRun "getsebool ${NEW_BOOLEAN_NAME} 2>&1 | tee -a ${OUTPUT_FILE}"
+ rlRun "uniq -c ${OUTPUT_FILE} | grep '2 '"
+ done
+ rlPhaseEnd
+ fi
+
+ rlPhaseStartTest "audit messages"
+ START_DATE_TIME=`date "+%m/%d/%Y %T"`
+ sleep 1
+ rlRun "setsebool ${BOOLEAN} on"
+ rlRun "setsebool ${BOOLEAN} off"
+ rlRun "setsebool ${BOOLEAN} on"
+ sleep 1
+ rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=1 old_val=0\""
+ rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=0 old_val=1\""
+ if rlIsRHEL ; then
+ rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=SYSCALL.*comm=setsebool\""
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartTest "extreme cases"
+ # pretend that no booleans are defined
+ rlRun "mkdir ./booleans"
+ rlRun "mount --bind ./booleans ${SELINUX_FS_MOUNT}/booleans"
+ rlRun "setsebool ${BOOLEAN} on 2>&1 | tee ${OUTPUT_FILE}"
+ rlAssertGrep "could not change active booleans" ${OUTPUT_FILE} -i
+ rlRun "setsebool ${BOOLEAN} off 2>&1 | tee ${OUTPUT_FILE}"
+ rlAssertGrep "could not change active booleans" ${OUTPUT_FILE} -i
+ rlRun "umount ${SELINUX_FS_MOUNT}/booleans"
+ rlRun "rmdir ./booleans"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "userdel -rf ${USER_NAME}"
+ rm -f ${OUTPUT_FILE}
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..4f475f9
--- /dev/null
+++ b/tests/tests.yml
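Review bot: The cleanup phase of tests/setsebool/runtest.sh never restores the booleans the test changes. The first test phase ends with `setsebool -P ftpd_connect_db=on` and the audit phase ends with `setsebool ${BOOLEAN} on`, so the host is left with `ftpd_connect_db` persistently enabled, although the Makefile declares `Destructive: no`. Record the starting value in the setup phase, e.g. `ORIG_VALUE=$(getsebool ${BOOLEAN} | cut -d ' ' -f 3)`, and put it back in cleanup with `rlRun "setsebool -P ${BOOLEAN} ${ORIG_VALUE}"`; `allow_ypbind` deserves the same treatment. Separately, `rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"` places the password in the logged command line, and nothing in the visible phases authenticates with it (the `su -l -c` calls presumably run as root), so that line looks removable.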
@@ -0,0 +1,45 @@
+---
+# Tests to run in a classic environment
+- hosts: localhost
+ roles:
+ - role: standard-test-beakerlib
+ tags:
+ - classic
+ tests:
+ - CIL-modules-without-compilation
+ - semanage-interface
+ - semanage-login
+ - semanage-permissive-d-problems
+ - semanage-port-add-delete-problems
+ - semanage-user
+ - sestatus
+ required_packages:
+ - policycoreutils # Required by all tests
+ - policycoreutils-devel # Required by sepolicy-generate
+ - rpm-build # Required by sepolicy-generate
+ - policycoreutils-python-utils # Required by semanage tests
+ - grep # Required by semanage tests
+ - selinux-policy-minimum # Required by semanage tests
+ - selinux-policy-mls # Required by semanage tests
+ - selinux-policy-targeted # Required by semanage tests
+ - shadow-utils # Required by semanage tests
+ - selinux-policy-devel # Required by semanage tests
+ - coreutils # Required by semanage tests
+ - man # Required by semanage tests
+ - setools-console # Required by semanage tests
+ - libselinux # Required by semanage tests
+ - libselinux-utils # Required by semanage tests
+ - audit # Required by audit test
+ - e2fsprogs # Required by restorecon test
+
+# Tests for atomic host
+- hosts: localhost
+ tags:
+ - atomic
+ # no compatible tests
+
+# Tests for docker container
+- hosts: localhost
+ tags:
+ - container
+ # no compatible tests
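Review bot: The `tests:` list of the classic play in tests/tests.yml does not include `setsebool`, although this commit adds `tests/setsebool/`, so as far as this diff shows the new test is never run by the playbook. If the omission is deliberate (the test adds a user and bind-mounts over the selinuxfs `booleans` directory), say so in a comment next to the list; otherwise add `- setsebool` under `tests:`. The `required_packages` comments for `sepolicy-generate`, the audit test and the restorecon test likewise name tests that the list does not contain, so either the list or the comments look out of date.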