Add CI tests using the standard test interface
The following steps are used to execute the tests using the standard test interface:

Docker

    sudo ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo /usr/share/ansible/inventory) TEST_SUBJECTS=docker:docker.io/library/fedora:26 TEST_ARTIFACTS=$PWD/artifacts ansible-playbook --tags container tests.yml

Classic

    sudo ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo /usr/share/ansible/inventory) TEST_SUBJECTS="" TEST_ARTIFACTS=$PWD/artifacts ansible-playbook --tags classic tests.yml

https://src.fedoraproject.org/rpms/checkpolicy/pull-request/1
parent
39e0ef552a
commit
ba7a17bc80
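--- a/tests/checkmodule/Makefile
+++ b/tests/checkmodule/Makefile
@@ -0,0 +1,67 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/checkpolicy/Sanity/checkmodule
+# Description: runs checkmodule with various options to find out if it behaves correctly
+# Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/checkpolicy/Sanity/checkmodule
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE mypolicy.te
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+./runtest.sh
+
+build: $(BUILT_FILES)
+chmod a+x runtest.sh
+
+clean:
+rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
+@echo "Name: $(TEST)" >> $(METADATA)
+@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+@echo "Path: $(TEST_DIR)" >> $(METADATA)
+@echo "Description: runs checkmodule with various options to find out if it behaves correctly" >> $(METADATA)
+@echo "Type: Sanity" >> $(METADATA)
+@echo "TestTime: 10m" >> $(METADATA)
+@echo "RunFor: checkpolicy" >> $(METADATA)
+@echo "Requires: checkpolicy" >> $(METADATA)
+@echo "Requires: man" >> $(METADATA)
+@echo "Requires: grep" >> $(METADATA)
+@echo "Requires: mktemp" >> $(METADATA)
+@echo "Priority: Normal" >> $(METADATA)
+@echo "License: GPLv2" >> $(METADATA)
+@echo "Confidential: no" >> $(METADATA)
+@echo "Destructive: no" >> $(METADATA)
+@echo "Releases: -RHEL4" >> $(METADATA)
+
+rhts-lint $(METADATA)
+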
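Review bot: The `.PHONY` line lists `all install download clean`, but the two targets this Makefile defines for running the test, `run` and `build`, are not on it, so stray files named `run` and `build` in the test directory could make `make run` treat the test as up to date and skip `./runtest.sh`. Unless the included rhts-make.include already declares them, I would write `.PHONY: all install download clean run build`. The same line appears in tests/checkpolicy-docs/Makefile, tests/checkpolicy/Makefile and tests/sedismod/Makefile.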
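--- a/tests/checkmodule/PURPOSE
+++ b/tests/checkmodule/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/checkpolicy/Sanity/checkmodule
+Author: Milos Malik <mmalik@redhat.com>
+
+This TC runs checkmodule with various options to find out if it behaves correctly.
+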
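--- a/tests/checkmodule/mypolicy.te
+++ b/tests/checkmodule/mypolicy.te
@@ -0,0 +1,9 @@
+module mypolicy 1.0;
+require {
+type httpd_log_t;
+type postfix_postdrop_t;
+class dir getattr;
+class file { read getattr };
+}
+allow postfix_postdrop_t httpd_log_t:file getattr;
+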
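--- a/tests/checkmodule/runtest.sh
+++ b/tests/checkmodule/runtest.sh
@@ -0,0 +1,101 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/checkpolicy/Sanity/checkmodule
+# Description: runs checkmodule with various options to find out if it behaves correctly
+# Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="checkpolicy"
+
+rlJournalStart
+rlPhaseStartSetup
+rlAssertRpm ${PACKAGE}
+TEST_FILE=`mktemp`
+TEST_DIR=`mktemp -d`
+rlRun "rpm -ql ${PACKAGE} | grep bin/checkmodule"
+rlPhaseEnd
+
+rlPhaseStartTest
+rlRun "checkmodule >& ${TEST_FILE}" 1
+rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE}
+rlRun "checkmodule -b >& ${TEST_FILE}" 1
+rlAssertGrep "loading policy configuration from policy" ${TEST_FILE}
+rlRun "checkmodule -V"
+rlRun "checkmodule -U 1>/dev/null" 1
+rlRun "rm -f policy.conf"
+for OPTION in "deny" "reject" "allow" ; do
+rlRun "checkmodule -U ${OPTION} >& ${TEST_FILE}" 1
+rlAssertGrep "unable to open policy.conf" ${TEST_FILE}
+done
+rlRun "rm -f ${TEST_FILE}"
+rlRun "touch ${TEST_FILE}"
+rlRun "rm -rf ${TEST_DIR}"
+rlRun "mkdir ${TEST_DIR}"
+rlRun "checkmodule ${TEST_FILE}" 1,2
+rlRun "checkmodule -b ${TEST_FILE}" 1
+rlRun "checkmodule ${TEST_DIR}" 1,2
+rlRun "checkmodule -b ${TEST_DIR}" 1
+rlRun "rm -f ${TEST_FILE}"
+rlRun "rm -rf ${TEST_DIR}"
+rlRun "checkmodule ${TEST_FILE}" 1
+rlRun "checkmodule -b ${TEST_FILE}" 1
+if rlIsRHEL 5 ; then
+rlRun "checkmodule --help 2>&1 | grep -- -d"
+fi
+rlRun "checkmodule --help 2>&1 | grep -- -h"
+rlRun "checkmodule --help 2>&1 | grep -- -U"
+rlPhaseEnd
+
+rlPhaseStartTest
+for POLICY_KIND in minimum mls targeted ; do
+rlRun "checkmodule -M -m -b -o testmod.mod /etc/selinux/${POLICY_KIND}/policy/policy.* >& ${TEST_FILE}" 1
+rlRun "grep -i \"checkmodule.*-b and -m are incompatible with each other\" ${TEST_FILE}"
+done
+rlPhaseEnd
+
+rlPhaseStartTest
+INPUT_FILE="mypolicy.te"
+OUTPUT_FILE="mypolicy.output"
+rlRun "ls -l ${INPUT_FILE}"
+rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\""
+rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing binary representation.*to ${OUTPUT_FILE}\""
+rlRun "ls -l ${OUTPUT_FILE}"
+if checkmodule --help | grep -q " CIL " ; then
+rlRun "rm -f ${OUTPUT_FILE}"
+rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\""
+rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing CIL to ${OUTPUT_FILE}\""
+rlRun "ls -l ${OUTPUT_FILE}"
+fi
+rlPhaseEnd
+
+rlPhaseStartCleanup
+rlRun "rm -rf ${TEST_FILE} ${TEST_DIR} ${OUTPUT_FILE}"
+rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+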
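Review bot: In the first test phase the mktemp-created `${TEST_FILE}` is deleted with `rm -f` and then recreated under the same name with `touch`, which gives up the exclusive-creation guarantee mktemp provided; the commit message runs the playbook under sudo, so a released path in a shared temporary directory should not be reused. Truncating in place keeps the original file: replace the `rm -f`/`touch` pair with `rlRun ": > ${TEST_FILE}"`. The results of both `mktemp` calls in the setup phase are also used unchecked and unquoted, so an `rlAssertExists` on each would make a failed mktemp visible instead of letting later commands run with an empty argument. tests/checkpolicy/runtest.sh repeats the same rm/touch sequence.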
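--- a/tests/checkpolicy-docs/Makefile
+++ b/tests/checkpolicy-docs/Makefile
@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy
+# Description: covers an issue where manpage included an unsupported option.
+# Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+./runtest.sh
+
+build: $(BUILT_FILES)
+chmod a+x runtest.sh
+
+clean:
+rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
+@echo "Name: $(TEST)" >> $(METADATA)
+@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+@echo "Path: $(TEST_DIR)" >> $(METADATA)
+@echo "Description: covers an issue where manpage included an unsupported option." >> $(METADATA)
+@echo "Type: Sanity" >> $(METADATA)
+@echo "TestTime: 1m" >> $(METADATA)
+@echo "RunFor: checkpolicy" >> $(METADATA)
+@echo "Requires: checkpolicy" >> $(METADATA)
+@echo "Priority: Normal" >> $(METADATA)
+@echo "License: GPLv2" >> $(METADATA)
+@echo "Confidential: no" >> $(METADATA)
+@echo "Destructive: no" >> $(METADATA)
+@echo "Releases: -RHEL4" >> $(METADATA)
+
+rhts-lint $(METADATA)
+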
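Review bot: `export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy` gives this test the same name as tests/checkpolicy/Makefile, while the directory and the runtest.sh header call it checkpolicy-docs, so the two tests would presumably be reported under one name. It looks like this should be `export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy-docs`, with the "Makefile of" header comment updated to match. The metadata also declares only `Requires: checkpolicy` although runtest.sh calls `man`, `col` and `grep`; tests/checkmodule/Makefile lists `man` and `grep` explicitly.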
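--- a/tests/checkpolicy-docs/PURPOSE
+++ b/tests/checkpolicy-docs/PURPOSE
@@ -0,0 +1,7 @@
+PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy
+
+Description: covers an issue where manpage included an unsupported option.
+
+Author: Milos Malik <mmalik@redhat.com>
+
+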
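--- a/tests/checkpolicy-docs/runtest.sh
+++ b/tests/checkpolicy-docs/runtest.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy-docs
+# Description: covers an issue where manpage included an unsupported option.
+# Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="checkpolicy"
+
+rlJournalStart
+rlPhaseStartSetup
+rlAssertRpm ${PACKAGE}
+rlAssertExists "/usr/share/man/man8/checkpolicy.8.gz"
+rlPhaseEnd
+
+rlPhaseStartTest
+rlRun "man checkpolicy | col -b | grep -- '-m]'" 1
+rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/.*checkmodule"
+if rlIsRHEL 5 ; then
+rlRun "man checkmodule | col -b | grep -- -d"
+fi
+rlRun "man checkmodule | col -b | grep -- -h"
+rlRun "man checkmodule | col -b | grep -- -U"
+rlPhaseEnd
+
+rlJournalPrintText
+rlJournalEnd
+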
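Review bot: The pattern in `rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/.*checkmodule"` is unquoted inside the command string, so it is presumably subject to pathname expansion when rlRun evaluates the command, before grep sees it; `grep '/usr/share/man/.*checkmodule'` avoids that. The option checks `grep -- -h`, `grep -- -U` and `grep -- -d` match those two characters anywhere in the man page, so `-h` is also satisfied by any word such as `--help`. Using `grep -w -- -h` (and likewise for `-U` and `-d`) would tie the assertion to the option itself.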
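--- a/tests/checkpolicy/Makefile
+++ b/tests/checkpolicy/Makefile
@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy
+# Description: runs checkpolicy with various options to find out if it behaves correctly
+# Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE policy.conf.from.secilc
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+./runtest.sh
+
+build: $(BUILT_FILES)
+chmod a+x runtest.sh
+
+clean:
+rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
+@echo "Name: $(TEST)" >> $(METADATA)
+@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+@echo "Path: $(TEST_DIR)" >> $(METADATA)
+@echo "Description: runs checkpolicy with various options to find out if it behaves correctly" >> $(METADATA)
+@echo "Type: Sanity" >> $(METADATA)
+@echo "TestTime: 10m" >> $(METADATA)
+@echo "RunFor: checkpolicy setools" >> $(METADATA)
+@echo "Requires: checkpolicy setools-console selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
+@echo "Priority: Normal" >> $(METADATA)
+@echo "License: GPLv2" >> $(METADATA)
+@echo "Confidential: no" >> $(METADATA)
+@echo "Destructive: no" >> $(METADATA)
+@echo "Releases: -RHEL4" >> $(METADATA)
+
+rhts-lint $(METADATA)
+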
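--- a/tests/checkpolicy/PURPOSE
+++ b/tests/checkpolicy/PURPOSE
@@ -0,0 +1,7 @@
+PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy
+
+Description: runs checkpolicy with various options to find out if it behaves correctly
+
+Author: Milos Malik <mmalik@redhat.com>
+
+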
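--- a/tests/checkpolicy/policy.conf.from.secilc
+++ b/tests/checkpolicy/policy.conf.from.secilc
@@ -0,0 +1,143 @@
+class file
+class process
+class char
+
+sid kernel
+sid security
+sid unlabeled
+
+common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton }
+
+class file inherits file { execute_no_trans entrypoint execmod open audit_access }
+class char inherits file { foo transition }
+class process { open }
+
+sensitivity s0 alias sens0;
+sensitivity s1;
+
+dominance { s0 s1 }
+
+category c0 alias cat0;
+category c1;
+category c2;
+
+level s0:c0.c2;
+level s1:c0.c2;
+
+mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2)));
+mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2));
+mlsconstrain file { open } (l1 dom h2);
+mlsconstrain file { open } (h1 domby l2);
+mlsconstrain file { open } (l1 incomp l2);
+
+mlsvalidatetrans file (h1 domby l2);
+
+attribute foo_type;
+attribute bar_type;
+attribute baz_type;
+attribute exec_type;
+
+type bin_t, bar_type, exec_type;
+type kernel_t, foo_type, exec_type, baz_type;
+type security_t, baz_type;
+type unlabeled_t, baz_type;
+
+type exec_t, baz_type;
+type console_t, baz_type;
+type auditadm_t, baz_type;
+type console_device_t, baz_type;
+type user_tty_device_t, baz_type;
+type device_t, baz_type;
+type getty_t, baz_type;
+type a_t, baz_type;
+type b_t, baz_type;
+
+typealias bin_t alias sbin_t;
+
+bool secure_mode false;
+bool console_login true;
+bool b1 false;
+
+role system_r;
+role user_r;
+role system_r types bin_t;
+role system_r types kernel_t;
+role system_r types security_t;
+role system_r types unlabeled_t;
+
+policycap open_perms;
+permissive device_t;
+
+range_transition device_t console_t : file s0:c0 - s1:c0.c1;
+
+type_transition device_t console_t : file console_device_t;
+type_member device_t bin_t : file exec_t;
+
+if console_login{
+type_change auditadm_t console_device_t : file user_tty_device_t;
+}
+
+role_transition system_r bin_t user_r;
+
+auditallow device_t auditadm_t: file { open };
+dontaudit device_t auditadm_t: file { read };
+
+allow system_r user_r;
+
+allow console_t console_device_t: char { write setattr };
+allow console_t console_device_t: file { open read getattr };
+allow foo_type self: file { execute };
+allow bin_t device_t: file { execute };
+allow bin_t exec_t: file { execute };
+allow bin_t bin_t: file { execute };
+allow a_t b_t : file { write };
+allow console_t console_device_t: file { read write getattr setattr lock append };
+allow kernel_t kernel_t : file { execute };
+
+if b1 {
+allow a_t b_t : file { read };
+}
+
+if secure_mode{
+auditallow device_t exec_t: file { read write };
+}
+
+if console_login{
+allow getty_t console_device_t: file { getattr open read write append };
+}
+else {
+dontaudit getty_t console_device_t: file { getattr open read write append };
+}
+
+if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){
+allow bin_t exec_t: file { execute };
+}
+
+user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1;
+user user_u roles user_r level s0:c0 range s0:c0 - s0:c0;
+
+validatetrans file (t1 == exec_t);
+
+constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
+constrain file { open } (r1 dom r2);
+constrain file { open } (r1 domby r2);
+constrain file { open } (r1 incomp r2);
+constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
+constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2)));
+
+
+sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1
+sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1
+sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1
+
+fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1;
+
+genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1
+
+portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
+portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
+
+netifcon eth0 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
+
+nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1
+nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1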
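--- a/tests/checkpolicy/runtest.sh
+++ b/tests/checkpolicy/runtest.sh
@@ -0,0 +1,153 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy
+# Description: runs checkpolicy with various options to find out if it behaves correctly
+# Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="checkpolicy"
+
+rlJournalStart
+rlPhaseStartSetup
+rlAssertRpm ${PACKAGE}
+rlAssertRpm selinux-policy-minimum
+rlAssertRpm selinux-policy-mls
+rlAssertRpm selinux-policy-targeted
+rlRun "uname -a"
+TEST_FILE=`mktemp`
+TEST_DIR=`mktemp -d`
+OUTPUT_FILE=`mktemp`
+rlAssertExists "/usr/bin/checkpolicy"
+rlPhaseEnd
+
+rlPhaseStartTest "compilation from policy.conf"
+MIN_VERSION="15"
+MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . -f 2 | head -n 1`
+if rlIsRHEL 5 6 ; then
+VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}`
+else
+# some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23"
+VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23`
+fi
+for CUR_VERSION in ${VERSIONS} ; do
+rlRun "rm -f policy.out"
+rlWatchdog "checkpolicy -M -c ${CUR_VERSION} -o policy.out policy.conf.from.secilc" 15
+if [ -s policy.out ] ; then
+rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}"
+rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}"
+else
+rlRun "ls -l policy.out"
+fi
+done
+rlPhaseEnd
+
+rlPhaseStartTest
+rlRun "checkpolicy >& ${TEST_FILE}" 1
+rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE}
+rlRun "checkpolicy -b >& ${TEST_FILE}" 1
+rlAssertGrep "loading policy configuration from policy" ${TEST_FILE}
+rlRun "checkpolicy -V"
+rlRun "checkpolicy -U 2>&1 | grep \"option requires an argument\""
+rlRun "checkpolicy -U xyz" 1
+rlRun "rm -f policy.conf"
+if ! rlIsRHEL 4 ; then
+for OPTION in "deny" "reject" "allow" ; do
+rlRun "checkpolicy -U ${OPTION} >& ${TEST_FILE}" 1
+rlAssertGrep "unable to open policy.conf" ${TEST_FILE}
+done
+fi
+rlRun "rm -f ${TEST_FILE}"
+rlRun "touch ${TEST_FILE}"
+rlRun "rm -rf ${TEST_DIR}"
+rlRun "mkdir ${TEST_DIR}"
+rlRun "checkpolicy ${TEST_FILE}" 1,2
+rlRun "checkpolicy -b ${TEST_FILE}" 1
+rlRun "checkpolicy ${TEST_DIR}" 1,2
+rlRun "checkpolicy -b ${TEST_DIR}" 1
+rlRun "rm -f ${TEST_FILE}"
+rlRun "rm -rf ${TEST_DIR}"
+rlRun "checkpolicy ${TEST_FILE}" 1
+rlRun "checkpolicy -b ${TEST_FILE}" 1
+rlRun "checkpolicy -c 2>&1 | grep \"option requires an argument\""
+rlRun "checkpolicy -c 0 2>&1 | grep \"value 0 not in range\""
+rlRun "checkpolicy -t 2>&1 | grep \"option requires an argument\""
+rlRun "checkpolicy -t xyz 2>&1 | grep -i \"unknown target platform\""
+rlRun "checkpolicy --help 2>&1 | grep -- '-m]'" 1
+rlPhaseEnd
+
+rlPhaseStartTest
+if rlIsRHEL 5 6 ; then
+ACTIVE_POLICY="/selinux/policy"
+else
+ACTIVE_POLICY="/sys/fs/selinux/policy"
+fi
+rlRun "echo -e 'q\n' | checkpolicy -Mdb ${ACTIVE_POLICY} | tee ${OUTPUT_FILE}"
+rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1
+for POLICY_TYPE in minimum mls targeted ; do
+if [ ! -e /etc/selinux/${POLICY_TYPE}/policy/policy.* ] ; then
+continue
+fi
+rlRun "echo -e 'q\n' | checkpolicy -Mdb /etc/selinux/${POLICY_TYPE}/policy/policy.* | tee ${OUTPUT_FILE}"
+rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1
+done
+rlPhaseEnd
+
+rlPhaseStartTest
+if rlIsRHEL 5 6 ; then
+ACTIVE_POLICY_TREE="/selinux"
+else # RHEL-7 and above
+ACTIVE_POLICY_TREE="/sys/fs/selinux"
+fi
+MIN_VERSION="15"
+MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . -f 2 | head -n 1`
+for POLICY_TYPE in minimum mls targeted ; do
+if rlIsRHEL 5 6 ; then
+VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}`
+else
+# some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23"
+VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23`
+fi
+for CUR_VERSION in ${VERSIONS} ; do
+rlRun "rm -f policy.out"
+rlWatchdog "checkpolicy -b -M -c ${CUR_VERSION} -o policy.out /etc/selinux/${POLICY_TYPE}/policy/policy.${MAX_VERSION}" 15
+if [ -s policy.out ] ; then
+rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}"
+rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}"
+else
+rlRun "ls -l policy.out"
+fi
+done
+done
+rlPhaseEnd
+
+rlPhaseStartCleanup
+rm -f ${OUTPUT_FILE} policy.out
+rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+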
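Review bot: The assertions of the form `rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}"`, and the two `checkpolicy -Mdb` pipelines that also end in `tee`, take the exit status of `tee`, so a crash or non-zero exit of the tool under test is not recorded as a failure; the grep after the seinfo call additionally accepts "unable to open policy" as a match. Starting each of those command strings with `set -o pipefail;` would make the tool's own status count. Separately, `MAX_VERSION` is taken from an unquoted `-name policy.??` with no check that the result is a number; if it comes back empty, `seq` would print nothing and both version loops would pass without running checkpolicy at all. The comment above the `grep -v` says versions 20 to 23 are skipped, but the filter also drops 19.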
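--- a/tests/sedismod/Makefile
+++ b/tests/sedismod/Makefile
@@ -0,0 +1,65 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/checkpolicy/Sanity/sedismod
+# Description: Does sedismod work correctly ?)
+# Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/checkpolicy/Sanity/sedismod
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE sedismod.exp
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+./runtest.sh
+
+build: $(BUILT_FILES)
+test -x runtest.sh || chmod a+x runtest.sh
+test -x sedismod.exp || chmod a+x sedismod.exp
+
+clean:
+rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
+@echo "Name: $(TEST)" >> $(METADATA)
+@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+@echo "Path: $(TEST_DIR)" >> $(METADATA)
+@echo "Description: Does sedismod work correctly?" >> $(METADATA)
+@echo "Type: Sanity" >> $(METADATA)
+@echo "TestTime: 10m" >> $(METADATA)
+@echo "RunFor: checkpolicy" >> $(METADATA)
+@echo "Requires: checkpolicy selinux-policy-targeted expect policycoreutils psmisc" >> $(METADATA)
+@echo "Priority: Normal" >> $(METADATA)
+@echo "License: GPLv2" >> $(METADATA)
+@echo "Confidential: no" >> $(METADATA)
+@echo "Destructive: no" >> $(METADATA)
+@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+rhts-lint $(METADATA)
+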
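--- a/tests/sedismod/PURPOSE
+++ b/tests/sedismod/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/checkpolicy/Sanity/sedismod
+Author: Milos Malik <mmalik@redhat.com>
+
+Does sedismod work correctly?
+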
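--- a/tests/sedismod/runtest.sh
+++ b/tests/sedismod/runtest.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/checkpolicy/Sanity/sedismod
+# Description: Does sedismod work correctly
+# Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="checkpolicy"
+# TODO: repeat for all policy modules that are installed under /etc/selinux
+if rlIsFedora ; then
+POLICY_FILE="`find /var/lib/selinux/targeted -type d -name base`/hll"
+elif rlIsRHEL '<7.3' ; then
+POLICY_FILE=`find /etc/selinux/targeted -type f -name base.pp`
+else # RHEL-7.3 and above
+POLICY_FILE="`find /etc/selinux/targeted -type d -name base`/hll"
+fi
+
+rlJournalStart
+rlPhaseStartSetup
+rlAssertRpm ${PACKAGE}
+OUTPUT_FILE=`mktemp`
+if rlIsRHEL '>=7.3' || rlIsFedora ; then
+rlRun "semodule -H -E base"
+else
+rlRun "cp ${POLICY_FILE} ./base.pp.bz2"
+rlRun "rm -f base.pp"
+rlRun "bzip2 -d ./base.pp.bz2"
+fi
+POLICY_FILE="base.pp"
+rlRun "ls -l ${POLICY_FILE}"
+rlPhaseEnd
+
+rlPhaseStartTest "check all available options"
+if rlIsRHEL 6 ; then
+AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 0 a b c u"
+else # RHEL-7 and above
+AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 9 0 a b c u F"
+fi
+for OPTION in ${AVAILABLE_OPTIONS} ; do
+rlRun "rm -f ${OUTPUT_FILE}"
+rlWatchdog "./sedismod.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
+# rlWatchdog kills the expect script, but we need to kill the sedismod process too
+rlRun "killall sedismod" 0,1
+rlRun "ls -l ${OUTPUT_FILE}"
+if [ -s ${OUTPUT_FILE} ] ; then
+rlPass "sedismod produced some output"
+else
+rlFail "sedismod did not produce any output"
+fi
+done
+rlPhaseEnd
+
+rlPhaseStartCleanup
+rlRun "rm -f ${OUTPUT_FILE} ${POLICY_FILE}"
+rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+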
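Review bot: `[ -s ${OUTPUT_FILE} ]` in the option loop is unquoted and the `mktemp` result in the setup phase is never checked, so if `mktemp` fails the test collapses to `[ -s ]`, which is true, and every iteration reports `rlPass` without any output file existing. Quote the variable, `if [ -s "${OUTPUT_FILE}" ] ; then`, and fail the setup phase when it is empty. tests/sedispol/runtest.sh has the same pattern. Separately, the `find` results assigned to POLICY_FILE in the Fedora and RHEL-7.3+ branches are never read, because setup overwrites POLICY_FILE with `base.pp` after `semodule -H -E base`; only the `<7.3` branch uses its value.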
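--- a/tests/sedismod/sedismod.exp
+++ b/tests/sedismod/sedismod.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+# ./sedismod.exp option policyfile outputfile
+set option [lrange $argv 0 0]
+set policyfile [lrange $argv 1 1]
+set outputfile [lrange $argv 2 2]
+set timeout 60
+spawn sedismod $policyfile
+expect "Command*:" {
+send -- "f\r"
+}
+expect "Filename*:" {
+send -- "$outputfile\r"
+}
+expect "Command*:" {
+send -- "$option\r"
+}
+expect "Command*:" {
+send -- "q\r"
+}
+expect eof
+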
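Review bot: `set option [lrange $argv 0 0]` and the two assignments after it keep each argument as a one-element list rather than the element itself, so a path containing a space or a brace would reach `spawn` and `send` in list-quoted form; `set policyfile [lindex $argv 1]` (and the same for the other two) yields the plain string. None of the `expect` blocks has a `timeout` branch, so a prompt that never appears is skipped after 60 seconds and the script carries on to `expect eof`; the caller only notices through an empty output file. tests/sedispol/sedispol.exp is the same script with the command name changed and has both issues.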
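--- a/tests/sedispol/Makefile
+++ b/tests/sedispol/Makefile
@@ -0,0 +1,65 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/checkpolicy/Sanity/sedispol
+# Description: Does sedispol work correctly?
+# Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/checkpolicy/Sanity/sedispol
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE sedispol.exp
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+./runtest.sh
+
+build: $(BUILT_FILES)
+test -x runtest.sh || chmod a+x runtest.sh
+test -x sedispol.exp || chmod a+x sedispol.exp
+
+clean:
+rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
+@echo "Name: $(TEST)" >> $(METADATA)
+@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+@echo "Path: $(TEST_DIR)" >> $(METADATA)
+@echo "Description: Does sedispol work correctly?" >> $(METADATA)
+@echo "Type: Sanity" >> $(METADATA)
+@echo "TestTime: 10m" >> $(METADATA)
+@echo "RunFor: checkpolicy" >> $(METADATA)
+@echo "Requires: checkpolicy selinux-policy expect" >> $(METADATA)
+@echo "Priority: Normal" >> $(METADATA)
+@echo "License: GPLv2" >> $(METADATA)
+@echo "Confidential: no" >> $(METADATA)
+@echo "Destructive: no" >> $(METADATA)
+@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+rhts-lint $(METADATA)
+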
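Review bot: The `Requires:` line lists `checkpolicy selinux-policy expect`, but tests/sedispol/runtest.sh in this commit calls `killall` and reads files under /etc/selinux/targeted/policy/, so the metadata is missing the packages that provide them. The sedismod Makefile declares `psmisc` and `selinux-policy-targeted` for the same needs; I would make this one `@echo "Requires: checkpolicy selinux-policy-targeted expect psmisc" >> $(METADATA)`. As a smaller point, `run` and `build` are not files and should be added to `.PHONY`, which currently names only `all install download clean`.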
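--- a/tests/sedispol/PURPOSE
+++ b/tests/sedispol/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/checkpolicy/Sanity/sedispol
+Author: Milos Malik <mmalik@redhat.com>
+
+Does sedispol work correctly?
+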
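--- a/tests/sedispol/runtest.sh
+++ b/tests/sedispol/runtest.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/checkpolicy/Sanity/sedispol
+# Description: Does sedispol work correctly?
+# Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="checkpolicy"
+# TODO: repeat for all policy files that are installed under /etc/selinux
+POLICY_FILE=`find /etc/selinux/targeted/policy/ -type f`
+
+rlJournalStart
+rlPhaseStartSetup
+rlAssertRpm ${PACKAGE}
+OUTPUT_FILE=`mktemp`
+rlPhaseEnd
+
+rlPhaseStartTest
+if rlIsRHEL 6 ; then
+AVAILABLE_OPTIONS="1 2 3 4 5 6 c p u"
+else # RHEL-7 and above
+AVAILABLE_OPTIONS="1 2 3 4 5 6 8 c p u F"
+fi
+for OPTION in ${AVAILABLE_OPTIONS} ; do
+rlRun "rm -f ${OUTPUT_FILE}"
+rlWatchdog "./sedispol.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
+# rlWatchdog kills the expect script, but we need to kill the sedispol process too
+rlRun "killall sedispol" 0,1
+rlRun "ls -l ${OUTPUT_FILE}"
+if [ -s ${OUTPUT_FILE} ] ; then
+rlPass "sedispol produced some output"
+else
+rlFail "sedispol did not produce any output"
+fi
+done
+rlPhaseEnd
+
+rlPhaseStartTest
+rlRun "echo q | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
+rlRun "grep AVTAB ${OUTPUT_FILE}"
+rlRun "grep AVTAG ${OUTPUT_FILE}" 1
+rlRun "echo -en 'u\nq\n' | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
+rlRun "grep permissions ${OUTPUT_FILE}"
+rlRun "grep permisions ${OUTPUT_FILE}" 1
+rlPhaseEnd
+
+rlPhaseStartCleanup
+rlRun "rm -f ${OUTPUT_FILE}"
+rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+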
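Review bot: The `find /etc/selinux/targeted/policy/ -type f` assignment to POLICY_FILE can return more than one path, and the unquoted `${POLICY_FILE}` in the `rlWatchdog` line then shifts the arguments so that sedispol.exp receives a second policy file as its `outputfile`. If the directory ever holds two files, the test would ask sedispol to write its dump over an installed policy under /etc/selinux, which contradicts the `Destructive: no` metadata. Select exactly one file, for example `POLICY_FILE=$(find /etc/selinux/targeted/policy/ -type f | sort -V | tail -n 1)`, and add `rlAssertExists "${POLICY_FILE}"` to the setup phase so an empty result fails early instead of running sedispol with no policy argument.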
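--- a/tests/sedispol/sedispol.exp
+++ b/tests/sedispol/sedispol.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+# ./sedispol.exp option policyfile outputfile
+set option [lrange $argv 0 0]
+set policyfile [lrange $argv 1 1]
+set outputfile [lrange $argv 2 2]
+set timeout 60
+spawn sedispol $policyfile
+expect "Command*:" {
+send -- "f\r"
+}
+expect "Filename*:" {
+send -- "$outputfile\r"
+}
+expect "Command*:" {
+send -- "$option\r"
+}
+expect "Command*:" {
+send -- "q\r"
+}
+expect eof
+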
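--- a/tests/tests.yml
+++ b/tests/tests.yml
@@ -0,0 +1,50 @@
+---
+# Tests for Classic
+- hosts: localhost
+roles:
+- role: standard-test-beakerlib
+tags:
+- classic
+tests:
+- checkmodule
+- checkpolicy
+- checkpolicy-docs
+- sedismod
+- sedispol
+required_packages:
+- checkpolicy # Required by all tests
+- man # Required by checkpolicy-docs
+- grep # Required by checkmodule
+- mktemp # Required by checkmodule
+- setools-console # Required by checkpolicy
+- selinux-policy-minimum # Required by checkpolicy
+- selinux-policy-mls # Required by checkpolicy
+- selinux-policy-targeted # Required by checkpolicy and sedismod
+- expect # Required by sedismod and sedispol
+- policycoreutils # Required by sedismod
+- psmisc # Required by sedismod
+- selinux-policy # Required by sedispol
+
+# Tests for Container
+- hosts: localhost
+roles:
+- role: standard-test-beakerlib
+tags:
+- container
+tests:
+- checkmodule
+- checkpolicy
+- sedismod
+- sedispol
+required_packages:
+- checkpolicy # Required by all tests
+- grep # Required by checkmodule
+- mktemp # Required by checkmodule
+- setools-console # Required by checkpolicy
+- selinux-policy-minimum # Required by checkpolicy
+- selinux-policy-mls # Required by checkpolicy
+- selinux-policy-targeted # Required by checkpolicy and sedismod
+- expect # Required by sedismod and sedispol
+- policycoreutils # Required by sedismod
+- psmisc # Required by sedismod
+- selinux-policy # Required by sedispol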
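Review bot: The package comments in both plays understate what sedispol needs: tests/sedispol/runtest.sh calls `killall` and reads /etc/selinux/targeted/policy/, yet `psmisc` is annotated `# Required by sedismod` and `selinux-policy-targeted` `# Required by checkpolicy and sedismod`. I would change them to `- psmisc # Required by sedismod and sedispol` and `- selinux-policy-targeted # Required by checkpolicy, sedismod and sedispol`, so the entries are not dropped if the sedismod test is ever removed. The `mktemp` comment has the same gap, since both the sedismod and sedispol scripts call `mktemp`.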