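#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   runtest.sh of /CoreOS/policycoreutils/Sanity/setsebool
#   Description: does setsebool work correctly ?
#   Author: Milos Malik
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   Copyright (c) 2011 Red Hat, Inc. All rights reserved.
#
#   This copyrighted material is made available to anyone wishing
#   to use, modify, copy, or redistribute it subject to the terms
#   and conditions of the GNU General Public License version 2.
#
#   This program is distributed in the hope that it will be
#   useful, but WITHOUT ANY WARRANTY; without even the implied
#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
#   PURPOSE. See the GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public
#   License along with this program; if not, write to the Free
#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
#   Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Sanity test for setsebool(8):
#   * every accepted value spelling (0/1/false/true/off/on), with and
#     without "=", with and without -P, is applied and visible via getsebool
#   * bad invocations are rejected with the expected diagnostics
#   * an unprivileged user cannot change booleans (RHEL-7+)
#   * renamed booleans (booleans.subs_dist) resolve to the same boolean
#   * each change produces a MAC_CONFIG_CHANGE audit record
#   * setsebool fails cleanly when selinuxfs exposes no booleans at all
#
# Runs as root on a machine with SELinux enabled and auditd running.
# Deliberately no `set -e`/`set -u`: beakerlib's rlRun records failures
# in the journal instead of aborting, and an abort would skip the cleanup
# phase (which must always run, see the bind mount below).

# Include rhts environment
. /usr/bin/rhts-environment.sh
. /usr/share/beakerlib/beakerlib.sh

PACKAGE="policycoreutils"
# Throw-away account used to prove that setsebool refuses non-root callers.
USER_NAME="user${RANDOM}"
USER_SECRET="s3kr3t${RANDOM}"
# Boolean whose value is toggled throughout the test.
BOOLEAN="ftpd_connect_db"
# Empty directory bind-mounted over selinuxfs in the "extreme cases"
# phase; tracked globally so the cleanup phase can remove it.
EMPTY_BOOLEANS_DIR=""
if rlIsRHEL 5 6 ; then
    SELINUX_FS_MOUNT="/selinux"
else # RHEL-7 and above
    SELINUX_FS_MOUNT="/sys/fs/selinux"
fi

rlJournalStart
    rlPhaseStartSetup
        rlAssertRpm "$PACKAGE"
        OUTPUT_FILE=$(mktemp)
        rlAssertExists "$OUTPUT_FILE"
        # presumably relabelled so that processes in other SELinux domains
        # can write the captured output — TODO confirm which phase needs it
        chcon -t tmp_t "$OUTPUT_FILE"
        rlRun "useradd ${USER_NAME}"
        # Single quotes on purpose: rlRun records the command text verbatim
        # in the journal, so the secret is expanded only when rlRun evals
        # the string and never appears in the log. passwd --stdin is a
        # Red Hat extension; the secret travels on stdin, not argv.
        rlRun 'printf "%s\n" "$USER_SECRET" | passwd --stdin "$USER_NAME"'
    rlPhaseEnd

    # Every accepted spelling of a value must be taken, and getsebool must
    # report the normalised on/off value afterwards.
    rlPhaseStartTest
        for OPTION in "" "-P" ; do
            for OPERATOR in " " "=" ; do
                for VALUE in 0 1 false true off on ; do
                    # setsebool writes its diagnostics to stderr, so stderr
                    # is merged into the pipe; grep must find nothing (exit 1).
                    rlRun "setsebool ${OPTION} ${BOOLEAN}${OPERATOR}${VALUE} 2>&1 | grep -i -e illegal -e usage -e invalid" 1
                    # getsebool prints booleans as on/off regardless of the
                    # spelling used to set them
                    case "$VALUE" in
                        0|false) SHOWN_VALUE="off" ;;
                        1|true)  SHOWN_VALUE="on" ;;
                        *)       SHOWN_VALUE="$VALUE" ;;
                    esac
                    rlRun "getsebool -a | grep \"^${BOOLEAN}.*${SHOWN_VALUE}\""
                done
            done
        done
    rlPhaseEnd

    # Invalid invocations: no arguments, unknown boolean, out-of-range
    # values, and (RHEL-7+) option without a boolean. The `tee /dev/stderr`
    # keeps the diagnostic visible in the journal while grep checks it.
    rlPhaseStartTest
        rlRun "setsebool" 1
        rlRun "setsebool xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
        rlRun "setsebool xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
        rlRun "setsebool xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
        if ! rlIsRHEL 5 6 ; then
            rlRun "setsebool -N 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
            rlRun "setsebool -P 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
        fi
        rlRun "setsebool -P xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
        rlRun "setsebool -P xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
        rlRun "setsebool -P xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
    rlPhaseEnd

    # The following three phases use allow_ypbind, the legacy alias of
    # nis_enabled, which only exists on RHEL-7 and above.
    if ! rlIsRHEL 5 6 ; then
    # An unprivileged user must be refused, for both the runtime and the
    # persistent (-P) form, and must be told to retry as root.
    rlPhaseStartTest
        for ARGS in "allow_ypbind 0" "allow_ypbind 1" "-P allow_ypbind 0" "-P allow_ypbind 1" ; do
            rlRun "su -l -c '/usr/sbin/setsebool ${ARGS}' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
            rlAssertGrep "try as root" "$OUTPUT_FILE" -i
        done
    rlPhaseEnd

    # Setting the boolean under its old name must change the boolean under
    # its new name.
    rlPhaseStartTest
        for OPTION in "" "-P" ; do
            rlRun "getsebool allow_ypbind | grep nis_enabled"
            rlRun "setsebool ${OPTION} allow_ypbind on"
            rlRun "getsebool allow_ypbind | grep \"nis_enabled.*on\""
            rlRun "setsebool ${OPTION} allow_ypbind off"
            rlRun "getsebool allow_ypbind | grep \"nis_enabled.*off\""
        done
    rlPhaseEnd

    # Every "old new" pair shipped in booleans.subs_dist must resolve to the
    # same boolean: querying both names yields two identical lines, so
    # `uniq -c` collapses the capture file to a single line counted 2.
    # https://fedoraproject.org/wiki/Features/SELinuxBooleansRename
    rlPhaseStartTest
        while read -r OLD_BOOLEAN_NAME NEW_BOOLEAN_NAME _ ; do
            # skip blank lines, '#' comments and lines without a pair;
            # they would only produce bogus getsebool invocations
            if [[ -z "$NEW_BOOLEAN_NAME" || "$OLD_BOOLEAN_NAME" == \#* ]] ; then
                continue
            fi
            rlRun "getsebool ${OLD_BOOLEAN_NAME} 2>&1 | tee ${OUTPUT_FILE}"
            rlRun "getsebool ${NEW_BOOLEAN_NAME} 2>&1 | tee -a ${OUTPUT_FILE}"
            rlRun "uniq -c ${OUTPUT_FILE} | grep '2 '"
        done < <(sort -u -- /etc/selinux/*/booleans.subs_dist)
    rlPhaseEnd
    fi

    # Each boolean change must leave a MAC_CONFIG_CHANGE record carrying the
    # boolean name and the old/new values; this is what an auditor relies on
    # to reconstruct who relaxed policy and when.
    rlPhaseStartTest "audit messages"
        # ausearch -ts works at one-second granularity, hence the sleeps:
        # the first puts the changes strictly after START_DATE_TIME, the
        # second gives auditd time to write the records before they are read.
        START_DATE_TIME=$(date "+%m/%d/%Y %T")
        sleep 1
        rlRun "setsebool ${BOOLEAN} on"
        rlRun "setsebool ${BOOLEAN} off"
        rlRun "setsebool ${BOOLEAN} on"
        sleep 1
        # START_DATE_TIME is intentionally unquoted inside the command string:
        # ausearch takes the date and the time as two separate words.
        rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=1 old_val=0\""
        rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=0 old_val=1\""
        # the accompanying SYSCALL record is only asserted on RHEL; the
        # reason for the restriction is not recorded here
        if rlIsRHEL ; then
            rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=SYSCALL.*comm=setsebool\""
        fi
    rlPhaseEnd

    rlPhaseStartTest "extreme cases"
        # pretend that no booleans are defined: bind-mount an empty directory
        # over selinuxfs' booleans directory. While the mount is in place no
        # process on the system can change booleans, so it is removed again
        # at the end of the phase (and defensively in cleanup).
        EMPTY_BOOLEANS_DIR=$(mktemp -d)
        rlAssertExists "$EMPTY_BOOLEANS_DIR"
        rlRun "mount --bind ${EMPTY_BOOLEANS_DIR} ${SELINUX_FS_MOUNT}/booleans"
        rlRun "setsebool ${BOOLEAN} on 2>&1 | tee ${OUTPUT_FILE}"
        rlAssertGrep "could not change active booleans" "$OUTPUT_FILE" -i
        rlRun "setsebool ${BOOLEAN} off 2>&1 | tee ${OUTPUT_FILE}"
        rlAssertGrep "could not change active booleans" "$OUTPUT_FILE" -i
        rlRun "umount ${SELINUX_FS_MOUNT}/booleans"
        rlRun "rmdir ${EMPTY_BOOLEANS_DIR}"
    rlPhaseEnd

    rlPhaseStartCleanup
        # A bind mount left over from the "extreme cases" phase would keep
        # hiding every boolean from the whole system; make sure it is gone.
        if grep -q " ${SELINUX_FS_MOUNT}/booleans " /proc/mounts ; then
            rlRun "umount ${SELINUX_FS_MOUNT}/booleans"
        fi
        if [[ -n "$EMPTY_BOOLEANS_DIR" && -d "$EMPTY_BOOLEANS_DIR" ]] ; then
            rmdir -- "$EMPTY_BOOLEANS_DIR"
        fi
        rlRun "userdel -rf ${USER_NAME}"
        rm -f -- "$OUTPUT_FILE"
    rlPhaseEnd
rlJournalPrintText
rlJournalEnd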