From e92b874fda276982998f3a93c886937d60cddf61 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20=C5=A0abata?= Date: Wed, 14 Oct 2020 22:48:01 +0200 Subject: [PATCH] RHEL 9.0.0 Alpha bootstrap The content of this branch was automatically imported from Fedora ELN with the following as its source: https://src.fedoraproject.org/rpms/checkpolicy#611818c50ab52cb1d01890df4a3296b290b7fd82 --- .gitignore | 107 +++ checkpolicy.spec | 954 ++++++++++++++++++++++ sources | 1 + tests/checkmodule/Makefile | 67 ++ tests/checkmodule/PURPOSE | 5 + tests/checkmodule/mypolicy.te | 9 + tests/checkmodule/runtest.sh | 101 +++ tests/checkpolicy-docs/Makefile | 64 ++ tests/checkpolicy-docs/PURPOSE | 7 + tests/checkpolicy-docs/runtest.sh | 53 ++ tests/checkpolicy/Makefile | 64 ++ tests/checkpolicy/PURPOSE | 7 + tests/checkpolicy/policy.conf.from.secilc | 143 ++++ tests/checkpolicy/runtest.sh | 153 ++++ tests/sedismod/Makefile | 65 ++ tests/sedismod/PURPOSE | 5 + tests/sedismod/runtest.sh | 83 ++ tests/sedismod/sedismod.exp | 21 + tests/sedispol/Makefile | 65 ++ tests/sedispol/PURPOSE | 5 + tests/sedispol/runtest.sh | 77 ++ tests/sedispol/sedispol.exp | 21 + tests/tests.yml | 61 ++ 23 files changed, 2138 insertions(+) create mode 100644 checkpolicy.spec create mode 100644 sources create mode 100644 tests/checkmodule/Makefile create mode 100644 tests/checkmodule/PURPOSE create mode 100644 tests/checkmodule/mypolicy.te create mode 100644 tests/checkmodule/runtest.sh create mode 100644 tests/checkpolicy-docs/Makefile create mode 100644 tests/checkpolicy-docs/PURPOSE create mode 100644 tests/checkpolicy-docs/runtest.sh create mode 100644 tests/checkpolicy/Makefile create mode 100644 tests/checkpolicy/PURPOSE create mode 100644 tests/checkpolicy/policy.conf.from.secilc create mode 100644 tests/checkpolicy/runtest.sh create mode 100644 tests/sedismod/Makefile create mode 100644 tests/sedismod/PURPOSE create mode 100755 tests/sedismod/runtest.sh create mode 100755 tests/sedismod/sedismod.exp create mode 100644 tests/sedispol/Makefile create mode 100644 
tests/sedispol/PURPOSE create mode 100755 tests/sedispol/runtest.sh create mode 100755 tests/sedispol/sedispol.exp create mode 100644 tests/tests.yml
diff --git a/.gitignore b/.gitignore
index e69de29..836f74f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,107 @@
+checkpolicy-1.17.2.tgz
+checkpolicy-1.17.3.tgz
+checkpolicy-1.17.4.tgz
+checkpolicy-1.17.5.tgz
+checkpolicy-1.18.1.tgz
+checkpolicy-1.19.1.tgz.tgz
+checkpolicy-1.19.2.tgz
+checkpolicy-1.20.1.tgz
+checkpolicy-1.20.2.tgz
+checkpolicy-1.21.3.tgz
+checkpolicy-1.21.4.tgz
+checkpolicy-1.22.tgz
+checkpolicy-1.23.1.tgz
+checkpolicy-1.23.2.tgz
+checkpolicy-1.23.3.tgz
+checkpolicy-1.23.4.tgz
+checkpolicy-1.25.2.tgz
+checkpolicy-1.25.3.tgz
+checkpolicy-1.25.5.tgz
+checkpolicy-1.25.8.tgz
+checkpolicy-1.25.10.tgz
+checkpolicy-1.25.11.tgz
+checkpolicy-1.25.12.tgz
+checkpolicy-1.26.tgz
+checkpolicy-1.27.1.tgz
+checkpolicy-1.27.2.tgz
+checkpolicy-1.27.4.tgz
+checkpolicy-1.27.5.tgz
+checkpolicy-1.27.6.tgz
+checkpolicy-1.27.7.tgz
+checkpolicy-1.27.8.tgz
+checkpolicy-1.27.9.tgz
+checkpolicy-1.27.10.tgz
+checkpolicy-1.27.11.tgz
+checkpolicy-1.27.16.tgz
+checkpolicy-1.27.17.tgz
+checkpolicy-1.27.19.tgz
+checkpolicy-1.27.20.tgz
+checkpolicy-1.28.tgz
+checkpolicy-1.29.1.tgz
+checkpolicy-1.29.2.tgz
+checkpolicy-1.29.4.tgz
+checkpolicy-1.29.5.tgz
+checkpolicy-1.30.tgz
+checkpolicy-1.30.1.tgz
+checkpolicy-1.30.3.tgz
+checkpolicy-1.30.4.tgz
+checkpolicy-1.30.5.tgz
+checkpolicy-1.30.9.tgz
+checkpolicy-1.30.10.tgz
+checkpolicy-1.30.11.tgz
+checkpolicy-1.30.12.tgz
+checkpolicy-1.32.tgz
+checkpolicy-1.33.1.tgz
+checkpolicy-1.34.0.tgz
+checkpolicy-2.0.0.tgz
+checkpolicy-2.0.1.tgz
+checkpolicy-2.0.2.tgz
+checkpolicy-2.0.3.tgz
+checkpolicy-2.0.4.tgz
+checkpolicy-2.0.5.tgz
+checkpolicy-2.0.6.tgz
+checkpolicy-2.0.7.tgz
+checkpolicy-2.0.8.tgz
+checkpolicy-2.0.9.tgz
+checkpolicy-2.0.10.tgz
+checkpolicy-2.0.13.tgz
+checkpolicy-2.0.14.tgz
+checkpolicy-2.0.15.tgz
+checkpolicy-2.0.16.tgz
+checkpolicy-2.0.17.tgz
+checkpolicy-2.0.18.tgz
+checkpolicy-2.0.19.tgz
+checkpolicy-2.0.20.tgz
+checkpolicy-2.0.21.tgz
+checkpolicy-2.0.22.tgz
+/checkpolicy-2.0.23.tgz
+/checkpolicy-2.0.24.tgz
+/checkpolicy-2.0.26.tgz
+/checkpolicy-2.1.0.tgz
+/checkpolicy-2.1.1.tgz
+/checkpolicy-2.1.3.tgz
+/checkpolicy-2.1.4.tgz
+/checkpolicy-2.1.5.tgz
+/checkpolicy-2.1.6.tgz
+/checkpolicy-2.1.7.tgz
+/checkpolicy-2.1.8.tgz
+/checkpolicy-2.1.9.tgz
+/checkpolicy-2.1.10.tgz
+/checkpolicy-2.1.11.tgz
+/checkpolicy-2.1.12.tgz
+/checkpolicy-2.2.tgz
+/checkpolicy-2.3.tgz
+/checkpolicy-2.4.tar.gz
+/checkpolicy-2.5-rc1.tar.gz
+/checkpolicy-2.5.tar.gz
+/checkpolicy-2.6.tar.gz
+/checkpolicy-2.7.tar.gz
+/checkpolicy-2.8-rc1.tar.gz
+/checkpolicy-2.8-rc3.tar.gz
+/checkpolicy-2.8.tar.gz
+/checkpolicy-2.9-rc1.tar.gz
+/checkpolicy-2.9-rc2.tar.gz
+/checkpolicy-2.9.tar.gz
+/checkpolicy-3.0-rc1.tar.gz
+/checkpolicy-3.0.tar.gz
+/checkpolicy-3.1.tar.gz
diff --git a/checkpolicy.spec b/checkpolicy.spec
new file mode 100644
index 0000000..b1bf31c
--- /dev/null
+++ b/checkpolicy.spec
@@ -0,0 +1,954 @@ +%define libselinuxver 3.1 +%define libsepolver 3.1 + +Summary: SELinux policy compiler +Name: checkpolicy +Version: 3.1 +Release: 3%{?dist} +License: GPLv2 +Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/checkpolicy-3.1.tar.gz +# $ git clone https://github.com/fedora-selinux/selinux.git +# $ cd selinux +# $ git format-patch -N checkpolicy-3.1 -- checkpolicy +# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done +# Patch list start +# Patch list end +BuildRequires: gcc +BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver} + +%description +Security-enhanced Linux is a feature of the Linux® kernel and a number +of utilities with enhanced security functionality designed to add +mandatory access controls to Linux. The Security-enhanced Linux +kernel contains new architectural components originally developed to +improve the security of the Flask operating system. These +architectural components provide general support for the enforcement +of many kinds of mandatory access control policies, including those +based on the concepts of Type Enforcement®, Role-based Access +Control, and Multi-level Security. + +This package contains checkpolicy, the SELinux policy compiler. +Only required for building policies. 
+ +%prep +%autosetup -p 2 -n checkpolicy-%{version} + +%build + +%set_build_flags + +%make_build LIBDIR="%{_libdir}" +cd test +%make_build LIBDIR="%{_libdir}" + +%install +mkdir -p ${RPM_BUILD_ROOT}%{_bindir} +%make_install LIBDIR="%{_libdir}" +install test/dismod ${RPM_BUILD_ROOT}%{_bindir}/sedismod +install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol + +%files +%{!?_licensedir:%global license %%doc} +%license COPYING +%{_bindir}/checkpolicy +%{_bindir}/checkmodule +%{_mandir}/man8/checkpolicy.8.gz +%{_mandir}/man8/checkmodule.8.gz +%{_mandir}/ru/man8/checkpolicy.8.gz +%{_mandir}/ru/man8/checkmodule.8.gz +%{_bindir}/sedismod +%{_bindir}/sedispol + +%changelog +* Mon Jul 27 2020 Fedora Release Engineering - 3.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jul 13 2020 Tom Stellard - 3.1-2 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Fri Jul 10 2020 Petr Lautrbach - 3.1-1 +- SELinux userspace 3.1 release + +* Tue Jan 28 2020 Petr Lautrbach - 3.0-3 +- Fix -fno-common issues discovered by GCC 10 + +* Tue Jan 28 2020 Fedora Release Engineering - 3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Dec 6 2019 Petr Lautrbach - 3.0-1 +- SELinux userspace 3.0 release + +* Mon Nov 11 2019 Petr Lautrbach - 3.0-0.rc1.1 +- SELinux userspace 3.0-rc1 release candidate + +* Wed Jul 24 2019 Fedora Release Engineering - 2.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Mar 18 2019 Petr Lautrbach - 2.9-1 +- SELinux userspace 2.9 release + +* Mon Mar 11 2019 Petr Lautrbach - 2.9-0.rc2.1 +- SELinux userspace 2.9-rc2 release + +* Thu Jan 31 2019 Fedora Release Engineering - 2.9-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 25 2019 Petr Lautrbach - 2.9-0.rc1.1 +- SELinux userspace 2.9-rc1 release + +* Mon Jan 21 2019 Petr Lautrbach - 2.8-3 +- Check the result value of hashtable_search +- 
Destroy the class datum if it fails to initialize + +* Thu Jul 12 2018 Fedora Release Engineering - 2.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri May 25 2018 Petr Lautrbach - 2.8-1 +- SELinux userspace 2.8 release + +* Tue May 15 2018 Petr Lautrbach - 2.8-0.rc3.1 +- SELinux userspace 2.8-rc3 release candidate + +* Mon Apr 23 2018 Petr Lautrbach - 2.8-0.rc1.1 +- SELinux userspace 2.8-rc1 release candidate + +* Wed Mar 21 2018 Petr Lautrbach - 2.7-7 +- Add support for the SCTP portcon keyword + +* Tue Mar 13 2018 Petr Lautrbach - 2.7-6 +- build: follow standard semantics for DESTDIR and PREFIX + +* Thu Feb 22 2018 Florian Weimer - 2.7-5 +- Use LDFLAGS from redhat-rpm-config + +* Wed Feb 07 2018 Fedora Release Engineering - 2.7-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Nov 22 2017 Petr Lautrbach - 2.7-3 +- Rebuild with libsepol-2.7-3 and libselinux-2.7-6 + +* Fri Oct 20 2017 Petr Lautrbach - 2.7-2 +- Rebuilt with libsepol-2.7-2 + +* Mon Aug 07 2017 Petr Lautrbach - 2.7-1 +- Update to upstream release 2017-08-04 + +* Wed Aug 02 2017 Fedora Release Engineering - 2.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 2.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Feb 15 2017 Petr Lautrbach - 2.6-1 +- Update to upstream release 2016-10-14 + +* Fri Feb 10 2017 Fedora Release Engineering - 2.5-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Oct 03 2016 Petr Lautrbach 2.5-8 +- Add types associated to a role in the current scope when parsing + +* Mon Aug 01 2016 Petr Lautrbach 2.5-7 +- Extend checkpolicy pathname matching +- Rebuilt with libsepol-2.5-9 + +* Mon Jun 27 2016 Petr Lautrbach - 2.5-6 +- Fix typos in sedispol + +* Thu Jun 23 2016 Petr Lautrbach - 2.5-5 +- Set flex as default lexer +- Fix checkmodule output message + +* Wed May 11 2016 Petr 
Lautrbach - 2.5-4 +- Rebuilt with libsepol-2.5-6 + +* Fri Apr 29 2016 Petr Lautrbach - 2.5-3 +- Build policy on systems not supporting DCCP protocol +- Fail if module name different than output base filename + +* Fri Apr 08 2016 Petr Lautrbach - 2.5-2 +- Add support for portcon dccp protocol + +* Tue Feb 23 2016 Petr Lautrbach 2.5-1 +- Update to upstream release 2016-02-23 + +* Sun Feb 21 2016 Petr Lautrbach 2.5-0.1.rc1 +- Update to upstream rc1 release 2016-01-07 + +* Wed Feb 03 2016 Fedora Release Engineering - 2.4-2.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Jul 21 2015 Petr Lautrbach 2.4-1.1 +- Update to 2.4 release + +* Sat Aug 16 2014 Fedora Release Engineering - 2.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Jul 11 2014 Tom Callaway - 2.3-3 +- fix license handling + +* Sat Jun 07 2014 Fedora Release Engineering - 2.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue May 6 2014 Dan Walsh - 2.3-1 +- Update to upstream + * Add Android support for building dispol. + * Report source file and line information for neverallow failures. + * Prevent incompatible option combinations for checkmodule. + * Drop -lselinux from LDLIBS for test programs; not used. + * Add debug feature to display constraints/validatetrans from Richard Haines. + +* Thu Oct 31 2013 Dan Walsh - 2.2-1 +- Update to upstream + * Fix hyphen usage in man pages from Laurent Bigonville. + * handle-unknown / -U required argument fix from Laurent Bigonville. + * Support overriding Makefile PATH and LIBDIR from Laurent Bigonville. + * Support space and : in filenames from Dan Walsh. + +* Sat Aug 03 2013 Fedora Release Engineering - 2.1.12-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Jul 16 2013 Dan Walsh - 2.1.12-4 +- Fix a segmentation fault if the --handle-unknown option was set without +arguments. 
+- Thanks to Alexandre Rebert and his team at Carnegie Mellon University +for detecting this crash. + +* Tue Mar 19 2013 Dan Walsh - 2.1.12-3 +- ":" should be allowed for file trans names + +* Tue Mar 12 2013 Dan Walsh - 2.1.12-2 +- Space should be allowed for file trans names + +* Thu Feb 7 2013 Dan Walsh - 2.1.12-1 +- Update to upstream + * Fix errors found by coverity + * implement default type policy syntax + * Free allocated memory when clean up / exit. + +* Sat Jan 5 2013 Dan Walsh - 2.1.11-3 +- Update to latest patches from eparis/Upstream +- checkpolicy: libsepol: implement default type policy syntax +- +- We currently have a mechanism in which the default user, role, and range +- can be picked up from the source or the target object. This implements +- the same thing for types. The kernel will override this with type +- transition rules and similar. This is just the default if nothing +- specific is given. + + +* Wed Sep 19 2012 Dan Walsh - 2.1.11-2 +- Rebuild with fixed libsepol + +* Thu Sep 13 2012 Dan Walsh - 2.1.11-1 +- Update to upstream + * fd leak reading policy + * check return code on ebitmap_set_bit + +* Mon Jul 30 2012 Dan Walsh - 2.1.10-4 +- Rebuild to grab latest libsepol + +* Tue Jul 24 2012 Dan Walsh - 2.1.10-3 +- Rebuild to grab latest libsepol + +* Wed Jul 18 2012 Fedora Release Engineering - 2.1.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jul 4 2012 Dan Walsh - 2.1.10-1 +- Update to upstream + * sepolgen: We need to support files that have a + in them + * Android/MacOS X build support + +* Mon Apr 23 2012 Dan Walsh - 2.1.9-4 +- Rebuild to get latest libsepol which fixes the file_name transition problems + +* Tue Apr 17 2012 Dan Walsh - 2.1.9-3 +- Recompile with libsepol that has support for ptrace_child + +* Tue Apr 3 2012 Dan Walsh - 2.1.9-2 +- Allow checkpolicy to use + in a file name + +* Thu Mar 29 2012 Dan Walsh - 2.1.9-1 +- Update to upstream + * implement new default labeling behaviors for 
usr, role, range + * Fix dead links to www.nsa.gov/selinux + +* Mon Jan 16 2012 Dan Walsh - 2.1.8-3 +- Fix man page to link to www.nsa.giv/research/selinux + +* Thu Jan 12 2012 Fedora Release Engineering - 2.1.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Dec 21 2011 Dan Walsh - 2.1.8-1 +-Update to upstream + * add ignoredirs config for genhomedircon + * Fallback_user_level can be NULL if you are not using MLS + +* Wed Dec 21 2011 Dan Walsh - 2.1.7-3 +- default_rules should be optional + +* Thu Dec 15 2011 Dan Walsh - 2.1.7-2 +- Rebuild with latest libsepol + +* Tue Dec 6 2011 Dan Walsh - 2.1.7-1 +- Upgrade to upstream + * dis* fixed signed vs unsigned errors + * dismod: fix unused parameter errors + * test: Makefile: include -W and -Werror + * allow ~ in filename transition rules +- Allow policy to specify the source of target for generating the default user,role +- or mls label for a new target. + +* Mon Nov 14 2011 Dan Walsh - 2.1.6-2 +- Allow ~ in a filename + +* Fri Nov 4 2011 Dan Walsh - 2.1.6-1 +- Upgrade to upstream + * Revert "checkpolicy: Redo filename/filesystem syntax to support filename trans rules" + * drop libsepol dynamic link in checkpolicy + +* Tue Sep 20 2011 Dan Walsh - 2.1.5-2 +- Fix checkpolicy to ignore '"' in filename trans rules + +* Mon Sep 19 2011 Dan Walsh - 2.1.5-1 +-Update to upstream + * Separate tunable from boolean during compile. 
+ +* Tue Aug 30 2011 Dan Walsh - 2.1.4-0 +-Update to upstream + * checkpolicy: fix spacing in output message + +* Thu Aug 18 2011 Dan Walsh - 2.1.3-0 + * add missing ; to attribute_role_def + *Redo filename/filesystem syntax to support filename trans + +* Wed Aug 3 2011 Dan Walsh - 2.1.2-0 +-Update to upstream + * .gitignore changes + * dispol output of role trans + * man page update: build a module with an older policy version + +* Thu Jul 28 2011 Dan Walsh - 2.1.1-0 +-Update to upstream + * Minor updates to filename trans rule output in dis{mod,pol} + +* Thu Jul 28 2011 Dan Walsh - 2.1.0-1 +-Update to upstream + +* Mon May 23 2011 Dan Walsh - 2.0.26-1 +-Update to upstream + * Wrap file names in filename transitions with quotes by Steve Lawrence. + * Allow filesystem names to start with a digit by James Carter. + * Add support for using the last path compnent in type transitions by Eric + +* Thu Apr 21 2011 Dan Walsh - 2.0.24-2 +* Fixes for new role_transition class field by Eric Paris. + +* Fri Apr 15 2011 Dan Walsh - 2.0.24-2 +- Add "-" as a file type + +* Tue Apr 12 2011 Dan Walsh - 2.0.24-1 +-Update to upstream + * Add new class field in role_transition by Harry Ciao. + +* Mon Apr 11 2011 Dan Walsh - 2.0.23-5 +- Fix type_transition to allow all files + +* Tue Mar 29 2011 Dan Walsh - 2.0.23-4 +- Patches from Eric Paris +We just use random numbers to make menu selections. Use #defines and +names that make some sense instead. + +This patch adds support for using the last path component as part of the +information in making labeling decisions for new objects. A example +rule looks like so: + +type_transition unconfined_t etc_t:file system_conf_t eric; + +This rule says if unconfined_t creates a file in a directory labeled +etc_t and the last path component is "eric" (no globbing, no matching +magic, just exact strcmp) it should be labeled system_conf_t. 
+ +The kernel and policy representation does not have support for such +rules in conditionals, and thus policy explicitly notes that fact if +such a rule is added to a conditional. + + +* Tue Feb 08 2011 Fedora Release Engineering - 2.0.23-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 12 2011 Dan Walsh - 2.0.23-2 +- Add James Carters Patch + *This patch is needed because some filesystem names (such as 9p) start + with a digit. + +* Tue Dec 21 2010 Dan Walsh - 2.0.23-1 +- Latest update from NSA + * Remove unused variables to fix compliation under GCC 4.6 by Justin Mattock + +* Wed Dec 8 2010 Dan Walsh - 2.0.22-2 +- Rebuild to make sure it will build in Fedora + +* Wed Jun 16 2010 Dan Walsh - 2.0.22-1 +- Latest update from NSA + * Update checkmodule man page and usage by Daniel Walsh and Steve Lawrence +- Allow policy version to be one number + +* Mon May 3 2010 Dan Walsh - 2.0.21-2 +- Fix checkmodule man page and usage statements + +* Sun Nov 1 2009 Dan Walsh - 2.0.21-1 +- Latest update from NSA + * Add support for building Xen policies from Paul Nuzzi. + * Add long options to checkpolicy and checkmodule by Guido + Trentalancia + +* Fri Jul 24 2009 Fedora Release Engineering - 2.0.19-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Feb 23 2009 Fedora Release Engineering - 2.0.19-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Wed Feb 18 2009 Dan Walsh - 2.0.19-1 +- Latest update from NSA + * Fix alias field in module format, caused by boundary format change + from Caleb Case. + +* Fri Jan 30 2009 Dan Walsh - 2.0.18-1 +- Latest update from NSA + * Properly escape regex symbols in the lexer from Stephen Smalley. + * Add bounds support from KaiGai Kohei. 
+ +* Tue Oct 28 2008 Dan Walsh - 2.0.16-4 + +* Mon Jul 7 2008 Dan Walsh - 2.0.16-3 +- Rebuild with new libsepol + +* Wed May 28 2008 Tom "spot" Callaway 2.0.16-2 +- fix license tag + +* Wed May 28 2008 Dan Walsh - 2.0.16-1 +- Latest update from NSA + * Update checkpolicy for user and role mapping support from Joshua Brindle. + +* Fri May 2 2008 Dan Walsh - 2.0.15-1 +- Latest update from NSA + * Fix for policy module versions that look like IPv4 addresses from Jim Carter. + Resolves bug 444451. + +* Fri May 2 2008 Dan Walsh - 2.0.14-2 +- Allow modules with 4 sections or more + +* Thu Mar 27 2008 Dan Walsh - 2.0.14-1 +- Latest update from NSA + * Add permissive domain support from Eric Paris. + +* Thu Mar 13 2008 Dan Walsh - 2.0.13-1 +- Latest update from NSA + * Split out non-grammar parts of policy_parse.yacc into + policy_define.c and policy_define.h from Todd C. Miller. + * Initialize struct policy_file before using it, from Todd C. Miller. + * Remove unused define, move variable out of .y file, simplify COND_ERR, from Todd C. Miller. + +* Thu Feb 28 2008 Dan Walsh - 2.0.10-1 +- Latest update from NSA + * Use yyerror2() where appropriate from Todd C. Miller. +- Build against latest libsepol + +* Fri Feb 22 2008 Dan Walsh - 2.0.9-2 +- Start shipping sedismod and sedispol + +* Mon Feb 4 2008 Dan Walsh - 2.0.9-1 +- Latest update from NSA + * Update dispol for libsepol avtab changes from Stephen Smalley. + +* Fri Jan 25 2008 Dan Walsh - 2.0.8-1 +- Latest update from NSA + * Deprecate role dominance in parser. + +* Mon Jan 21 2008 Dan Walsh - 2.0.7-2 +- Update to use libsepol-static library + +* Fri Jan 11 2008 Dan Walsh - 2.0.7-1 +- Latest update from NSA + * Added support for policy capabilities from Todd Miller. + +* Thu Nov 15 2007 Dan Walsh - 2.0.6-1 +- Latest update from NSA + * Initialize the source file name from the command line argument so that checkpolicy/checkmodule report something more useful than "unknown source". 
+ * Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter. + +* Tue Sep 18 2007 Dan Walsh - 2.0.4-1 + * Merged handle unknown policydb flag support from Eric Paris. + Adds new command line options -U {allow, reject, deny} for selecting + the flag when a base module or kernel policy is built. + +* Tue Aug 28 2007 Fedora Release Engineering - 2.0.3-3 +- Rebuild for selinux ppc32 issue. + +* Mon Jun 18 2007 Dan Walsh - 2.0.3-2 +- Rebuild with the latest libsepol + +* Sun Jun 17 2007 Dan Walsh - 2.0.3-1 +- Latest update from NSA + * Merged fix for segfault on duplicate require of sensitivity from Caleb Case. + * Merged fix for dead URLs in checkpolicy man pages from Dan Walsh. + +* Thu Apr 12 2007 Dan Walsh - 2.0.2-1 +- Latest update from NSA + * Merged checkmodule man page fix from Dan Walsh. + +* Fri Mar 30 2007 Dan Walsh - 2.0.1-3 +- Rebuild with new libsepol + +* Wed Mar 28 2007 Dan Walsh - 2.0.1-2 +- Rebuild with new libsepol + +* Mon Nov 20 2006 Dan Walsh - 2.0.1-1 +- Latest update from NSA + * Merged patch to allow dots in class identifiers from Caleb Case. + +* Tue Nov 14 2006 Dan Walsh - 2.0.0-1 +- Latest update from NSA + * Merged patch to use new libsepol error codes by Karl MacMillan. + * Updated version for stable branch. + +* Tue Nov 14 2006 Dan Walsh - 1.33.1-2 +- Rebuild for new libraries + +* Tue Nov 14 2006 Dan Walsh - 1.33.1-1 +- Latest update from NSA + * Collapse user identifiers and identifiers together. + +* Tue Oct 17 2006 Dan Walsh - 1.32-1 +- Latest update from NSA + * Updated version for release. + +* Thu Sep 28 2006 Dan Walsh - 1.30.12-1 +- Latest update from NSA + * Merged user and range_transition support for modules from + Darrel Goeddel + +* Wed Sep 6 2006 Dan Walsh - 1.30.11-1 +- Latest update from NSA + * merged range_transition enhancements and user module format + changes from Darrel Goeddel + * Merged symtab datum patch from Karl MacMillan. 
+ +* Wed Jul 12 2006 Jesse Keating - 1.30.9-1.1 +- rebuild + +* Tue Jul 4 2006 Dan Walsh - 1.30.8-1 +- Latest upgrade from NSA + * Lindent. + * Merged patch to remove TE rule conflict checking from the parser + from Joshua Brindle. This can only be done properly by the + expander. + * Merged patch to make checkpolicy/checkmodule handling of + duplicate/conflicting TE rules the same as the expander + from Joshua Brindle. + * Merged optionals in base take 2 patch set from Joshua Brindle. + +* Tue May 23 2006 Dan Walsh - 1.30.5-1 +- Latest upgrade from NSA + * Merged compiler cleanup patch from Karl MacMillan. + * Merged fix warnings patch from Karl MacMillan. + +* Wed Apr 5 2006 Dan Walsh - 1.30.4-1 +- Latest upgrade from NSA + * Changed require_class to reject permissions that have not been + declared if building a base module. + +* Tue Mar 28 2006 Dan Walsh - 1.30.3-1 +- Latest upgrade from NSA + * Fixed checkmodule to call link_modules prior to expand_module + to handle optionals. + * Fixed require_class to avoid shadowing permissions already defined + in an inherited common definition. + +* Mon Mar 27 2006 Dan Walsh - 1.30.1-2 +- Rebuild with new libsepol + +* Thu Mar 23 2006 Dan Walsh - 1.30.1-1 +- Latest upgrade from NSA + * Moved processing of role and user require statements to 2nd pass. + +* Fri Mar 17 2006 Dan Walsh - 1.30-1 +- Latest upgrade from NSA + * Updated version for release. + * Fixed bug in role dominance (define_role_dom). + +* Fri Feb 17 2006 Dan Walsh - 1.29.4-1 +- Latest upgrade from NSA + * Added a check for failure to declare each sensitivity in + a level definition. + * Changed to clone level data for aliased sensitivities to + avoid double free upon sens_destroy. Bug reported by Kevin + Carr of Tresys Technology. + +* Mon Feb 13 2006 Dan Walsh - 1.29.2-1 +- Latest upgrade from NSA + * Merged optionals in base patch from Joshua Brindle. 
+ +* Mon Feb 13 2006 Dan Walsh - 1.29.1-1.2 +- Need to build againi + +* Fri Feb 10 2006 Jesse Keating - 1.29.1-1.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Dan Walsh 1.29.1-1 +- Latest upgrade from NSA + * Merged sepol_av_to_string patch from Joshua Brindle. + +* Tue Feb 07 2006 Jesse Keating - 1.28-5.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Jan 13 2006 Dan Walsh 1.28-5 +- Rebuild to get latest libsepol + +* Fri Jan 13 2006 Dan Walsh 1.28-5 +- Rebuild to get latest libsepol + +* Thu Jan 5 2006 Dan Walsh 1.28-4 +- Rebuild to get latest libsepol + +* Wed Jan 4 2006 Dan Walsh 1.28-3 +- Rebuild to get latest libsepol + +* Fri Dec 16 2005 Dan Walsh 1.28-2 +- Rebuild to get latest libsepol + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Fri Dec 9 2005 Dan Walsh 1.28-1 +- Latest upgrade from NSA + +* Sun Dec 4 2005 Dan Walsh 1.27.20-1 +- Latest upgrade from NSA + * Merged checkmodule man page from Dan Walsh, and edited it. + +* Thu Dec 1 2005 Dan Walsh 1.27.19-1 +- Latest upgrade from NSA + * Added error checking of all ebitmap_set_bit calls for out of + memory conditions. + * Merged removal of compatibility handling of netlink classes + (requirement that policies with newer versions include the + netlink class definitions, remapping of fine-grained netlink + classes in newer source policies to single netlink class when + generating older policies) from George Coker. + +* Tue Nov 8 2005 Dan Walsh 1.27.17-7 +- Rebuild to get latest libsepol + +* Tue Oct 25 2005 Dan Walsh 1.27.17-1 +- Latest upgrade from NSA + * Merged dismod fix from Joshua Brindle. + +* Thu Oct 20 2005 Dan Walsh 1.27.16-1 +- Latest upgrade from NSA + * Removed obsolete cond_check_type_rules() function and call and + cond_optimize_lists() call from checkpolicy.c; these are handled + during parsing and expansion now. + * Updated calls to expand_module for interface change. 
+ * Changed checkmodule to verify that expand_module succeeds + when building base modules. + * Merged module compiler fixes from Joshua Brindle. + * Removed direct calls to hierarchy_check_constraints() and + check_assertions() from checkpolicy since they are now called + internally by expand_module(). + +* Tue Oct 18 2005 Dan Walsh 1.27.11-1 +- Latest upgrade from NSA + * Updated for changes to sepol policydb_index_others interface. + +* Tue Oct 18 2005 Dan Walsh 1.27.10-1 +- Latest upgrade from NSA + * Updated for changes to sepol expand_module and link_modules interfaces. +* Sat Oct 15 2005 Dan Walsh 1.27.9-2 +- Rebuild to get latest libsepol + +* Fri Oct 14 2005 Dan Walsh 1.27.9-1 +- Latest upgrade from NSA + * Merged support for require blocks inside conditionals from + Joshua Brindle (Tresys). + +* Wed Oct 12 2005 Karsten Hopp 1.27.8-2 +- add buildrequirement for libselinux-devel for dispol + +* Mon Oct 10 2005 Dan Walsh 1.27.8-1 +- Latest upgrade from NSA + * Updated for changes to libsepol. + +* Fri Oct 7 2005 Dan Walsh 1.27.7-2 +- Rebuild to get latest libsepol + +* Thu Oct 6 2005 Dan Walsh 1.27.7-1 +- Latest upgrade from NSA + * Merged several bug fixes from Joshua Brindle (Tresys). + +* Tue Oct 4 2005 Dan Walsh 1.27.6-1 +- Latest upgrade from NSA + * Merged MLS in modules patch from Joshua Brindle (Tresys). + +* Mon Oct 3 2005 Dan Walsh 1.27.5-2 +- Rebuild to get latest libsepol + +* Wed Sep 28 2005 Dan Walsh 1.27.5-1 +- Latest upgrade from NSA + * Merged error handling improvement in checkmodule from Karl MacMillan (Tresys). + +* Tue Sep 27 2005 Dan Walsh 1.27.4-1 +- Latest upgrade from NSA + * Merged bugfix for dup role transition error messages from + Karl MacMillan (Tresys). + +* Fri Sep 23 2005 Dan Walsh 1.27.3-1 +- Latest upgrade from NSA + * Merged policyver/modulever patches from Joshua Brindle (Tresys). 
+ +* Wed Sep 21 2005 Dan Walsh 1.27.2-2 +- Rebuild to get latest libsepol + +* Wed Sep 21 2005 Dan Walsh 1.27.2-1 +- Latest upgrade from NSA + * Fixed parse_categories handling of undefined category. + +* Tue Sep 20 2005 Dan Walsh 1.27.1-2 +- Rebuild to get latest libsepol + +* Sat Sep 17 2005 Dan Walsh 1.27.1-1 +- Latest upgrade from NSA + * Merged bug fix for role dominance handling from Darrel Goeddel (TCS). +* Wed Sep 14 2005 Dan Walsh 1.26-2 +- Rebuild to get latest libsepol + +* Mon Sep 12 2005 Dan Walsh 1.26-1 +- Latest upgrade from NSA + * Updated version for release. +- Rebuild to get latest libsepol + +* Thu Sep 1 2005 Dan Walsh 1.25.12-3 +- Rebuild to get latest libsepol + +* Mon Aug 29 2005 Dan Walsh 1.25.12-2 +- Rebuild to get latest libsepol + +* Mon Aug 22 2005 Dan Walsh 1.25.12-1 +- Update to NSA Release + * Fixed handling of validatetrans constraint expressions. + Bug reported by Dan Walsh for checkpolicy -M. + +* Mon Aug 22 2005 Dan Walsh 1.25.11-2 +- Fix mls crash + +* Fri Aug 19 2005 Dan Walsh 1.25.11-1 +- Update to NSA Release + * Merged use-after-free fix from Serge Hallyn (IBM). + Bug found by Coverity. + +* Sun Aug 14 2005 Dan Walsh 1.25.10-1 +- Update to NSA Release + * Fixed further memory leaks found by valgrind. + * Changed checkpolicy to destroy the policydbs prior to exit + to allow leak detection. + * Fixed several memory leaks found by valgrind. + +* Sun Aug 14 2005 Dan Walsh 1.25.8-3 +- Rebuild to get latest libsepol changes + +* Sat Aug 13 2005 Dan Walsh 1.25.8-2 +- Rebuild to get latest libsepol changes + +* Thu Aug 11 2005 Dan Walsh 1.25.8-1 +- Update to NSA Release + * Updated checkpolicy and dispol for the new avtab format. + Converted users of ebitmaps to new inline operators. + Note: The binary policy format version has been incremented to + version 20 as a result of these changes. To build a policy + for a kernel that does not yet include these changes, use + the -c 19 option to checkpolicy. 
+ * Merged patch to prohibit use of "self" as a type name from Jason Tang (Tresys). + * Merged patch to fix dismod compilation from Joshua Brindle (Tresys). + +* Wed Aug 10 2005 Dan Walsh 1.25.5-1 +- Update to NSA Release + * Fixed call to hierarchy checking code to pass the right policydb. + * Merged patch to update dismod for the relocation of the + module read/write code from libsemanage to libsepol, and + to enable build of test subdirectory from Jason Tang (Tresys). + +* Thu Jul 28 2005 Dan Walsh 1.25.3-1 +- Update to NSA Release + * Merged hierarchy check fix from Joshua Brindle (Tresys). + +* Thu Jul 7 2005 Dan Walsh 1.25.2-1 +- Update to NSA Release + * Merged loadable module support from Tresys Technology. + * Merged patch to prohibit the use of * and ~ in type sets + (other than in neverallow statements) and in role sets + from Joshua Brindle (Tresys). + * Updated version for release. + +* Fri May 20 2005 Dan Walsh 1.23-4-1 +- Update to NSA Release + * Merged cleanup patch from Dan Walsh. + +* Thu May 19 2005 Dan Walsh 1.23-3-1 +- Update to NSA Release + * Added sepol_ prefix to Flask types to avoid namespace + collision with libselinux. + +* Sat May 7 2005 Dan Walsh 1.23-2-1 +- Update to NSA Release + * Merged identifier fix from Joshua Brindle (Tresys). + +* Thu Apr 14 2005 Dan Walsh 1.23,1-1 + * Merged hierarchical type/role patch from Tresys Technology. + * Merged MLS fixes from Darrel Goeddel of TCS. + +* Thu Mar 10 2005 Dan Walsh 1.22-1 +- Update to NSA Release + +* Tue Mar 1 2005 Dan Walsh 1.21.4-2 +- Rebuild for FC4 + +* Thu Feb 17 2005 Dan Walsh 1.21.4-1 + * Merged define_user() cleanup patch from Darrel Goeddel (TCS). + * Moved genpolusers utility to libsepol. + * Merged range_transition support from Darrel Goeddel (TCS). + +* Thu Feb 10 2005 Dan Walsh 1.21.2-1 +- Latest from NSA + * Changed relabel Makefile target to use restorecon. 
+ +* Mon Feb 7 2005 Dan Walsh 1.21.1-1 +- Latest from NSA + * Merged enhanced MLS support from Darrel Goeddel (TCS). + +* Fri Jan 7 2005 Dan Walsh 1.20.1-1 +- Update for version increase at NSA + +* Mon Dec 20 2004 Dan Walsh 1.19.2-1 +- Latest from NSA + * Merged typeattribute statement patch from Darrel Goeddel of TCS. + * Changed genpolusers to handle multiple user config files. + * Merged nodecon ordering patch from Chad Hanson of TCS. + +* Thu Nov 11 2004 Dan Walsh 1.19.1-1 +- Latest from NSA + * Merged nodecon ordering patch from Chad Hanson of TCS. + +* Thu Nov 4 2004 Dan Walsh 1.18.1-1 +- Latest from NSA + * MLS build fix. + +* Sat Sep 4 2004 Dan Walsh 1.17.5-1 +- Latest from NSA + * Fixed Makefile dependencies (Chris PeBenito). + +* Sat Sep 4 2004 Dan Walsh 1.17.4-1 +- Latest from NSA + * Fixed Makefile dependencies (Chris PeBenito). + +* Sat Sep 4 2004 Dan Walsh 1.17.3-1 +- Latest from NSA + * Merged fix for role dominance ordering issue from Chad Hanson of TCS. + +* Mon Aug 30 2004 Dan Walsh 1.17.2-1 +- Latest from NSA + +* Thu Aug 26 2004 Dan Walsh 1.16.3-1 +- Fix NSA package to not include y.tab files. 
+ +* Tue Aug 24 2004 Dan Walsh 1.16.2-1 +- Latest from NSA +- Allow port ranges to overlap + +* Sun Aug 22 2004 Dan Walsh 1.16.1-1 +- Latest from NSA + +* Mon Aug 16 2004 Dan Walsh 1.15.6-1 +- Latest from NSA + +* Fri Aug 13 2004 Dan Walsh 1.15.5-1 +- Latest from NSA + +* Wed Aug 11 2004 Dan Walsh 1.15.4-1 +- Latest from NSA + +* Sat Aug 7 2004 Dan Walsh 1.15.3-1 +- Latest from NSA + +* Wed Aug 4 2004 Dan Walsh 1.15.2-1 +- Latest from NSA + +* Sat Jul 31 2004 Dan Walsh 1.15.1-1 +- Latest from NSA + +* Tue Jul 27 2004 Dan Walsh 1.14.2-1 +- Latest from NSA + +* Wed Jun 30 2004 Dan Walsh 1.14.1-1 +- Latest from NSA + +* Fri Jun 18 2004 Dan Walsh 1.12.2-1 +- Latest from NSA + +* Thu Jun 17 2004 Dan Walsh 1.12.1-1 +- Update to latest from NSA + +* Wed Jun 16 2004 Dan Walsh 1.12-1 +- Update to latest from NSA + +* Wed Jun 16 2004 Dan Walsh 1.10-5 +- Add nlclass patch + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Fri Jun 4 2004 Dan Walsh 1.10-3 +- Add BuildRequires flex + +* Thu Apr 8 2004 Dan Walsh 1.10-2 +- Add BuildRequires byacc + +* Thu Apr 8 2004 Dan Walsh 1.10-1 +- Upgrade to the latest from NSA + +* Mon Mar 15 2004 Dan Walsh 1.8-1 +- Upgrade to the latest from NSA + +* Tue Feb 24 2004 Dan Walsh 1.6-1 +- Upgrade to the latest from NSA + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Tue Jan 20 2004 Dan Walsh 1.4-6 +- Add typealias patch + +* Tue Jan 20 2004 Dan Walsh 1.4-5 +- Update excludetypes with negset-final patch + +* Wed Jan 14 2004 Dan Walsh 1.4-4 +- Add excludetypes patch + +* Wed Jan 14 2004 Dan Walsh 1.4-3 +- Add Colin Walter's lineno patch + +* Wed Jan 7 2004 Dan Walsh 1.4-2 +- Remove check for roles transition + +* Sat Dec 6 2003 Dan Walsh 1.4-1 +- upgrade to 1.4 + +* Wed Oct 1 2003 Dan Walsh 1.2-1 +- upgrade to 1.2 + +* Thu Aug 28 2003 Dan Walsh 1.1-2 +- upgrade to 1.1 + +* Mon Jun 2 2003 Dan Walsh 1.0-1 +- Initial version diff --git a/sources b/sources new file mode 100644 index 0000000..72e0bf4 --- /dev/null +++ b/sources 
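Review bot: In checkpolicy.spec, `%prep` unpacks `Source0` with `%autosetup` and nothing in the spec verifies an upstream signature, so the tarball's integrity rests only on the SHA512 entry in `sources` and on whoever uploaded that archive. If upstream publishes a detached signature for this release (not visible from this patch), add the signature and release key as `Source1:`/`Source2:`, add `BuildRequires: gnupg2`, and run `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` as the first step of `%prep`. A smaller style point in `%install`: the two `install test/dismod ...` and `install test/dispol ...` lines ship binaries built from the upstream `test/` directory and rely on the default mode; `install -m 0755` would state the intended permissions explicitly.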
@@ -0,0 +1 @@
+SHA512 (checkpolicy-3.1.tar.gz) = 2276a5a0919286049d2ceba386ef5f6de523745b588bb81cb4fed5eced5fd0b8070249b7a3ae5a85e2abb9369a86318f727d4073aad14ab75c43750a46069168
diff --git a/tests/checkmodule/Makefile b/tests/checkmodule/Makefile
new file mode 100644
index 0000000..7be6779
--- /dev/null
+++ b/tests/checkmodule/Makefile
@@ -0,0 +1,67 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/checkpolicy/Sanity/checkmodule +# Description: runs checkmodule with various options to find out if it behaves correctly +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/checkpolicy/Sanity/checkmodule +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE mypolicy.te + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: runs checkmodule with various options to find out if it behaves correctly" >> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 10m" >> $(METADATA) + @echo "RunFor: checkpolicy" >> $(METADATA) + @echo "Requires: checkpolicy" >> $(METADATA) + @echo "Requires: man" >> $(METADATA) + @echo "Requires: grep" >> $(METADATA) + @echo "Requires: mktemp" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/tests/checkmodule/PURPOSE b/tests/checkmodule/PURPOSE new file mode 100644 index 0000000..e7316a6 --- /dev/null +++ b/tests/checkmodule/PURPOSE @@ -0,0 +1,5 @@ +PURPOSE of /CoreOS/checkpolicy/Sanity/checkmodule +Author: Milos Malik + +This TC runs checkmodule with various options to find out if it behaves correctly. + diff --git a/tests/checkmodule/mypolicy.te b/tests/checkmodule/mypolicy.te new file mode 100644 index 0000000..8a85503 --- /dev/null +++ b/tests/checkmodule/mypolicy.te @@ -0,0 +1,9 @@ +module mypolicy 1.0; +require { + type httpd_log_t; + type postfix_postdrop_t; + class dir getattr; + class file { read getattr }; +} +allow postfix_postdrop_t httpd_log_t:file getattr; + 
diff --git a/tests/checkmodule/runtest.sh b/tests/checkmodule/runtest.sh
new file mode 100644
index 0000000..f4ee8ce
--- /dev/null
+++ b/tests/checkmodule/runtest.sh
@@ -0,0 +1,101 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/checkpolicy/Sanity/checkmodule +# Description: runs checkmodule with various options to find out if it behaves correctly +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. 
/usr/share/beakerlib/beakerlib.sh + +PACKAGE="checkpolicy" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + TEST_FILE=`mktemp` + TEST_DIR=`mktemp -d` + rlRun "rpm -ql ${PACKAGE} | grep bin/checkmodule" + rlPhaseEnd + + rlPhaseStartTest + rlRun "checkmodule >& ${TEST_FILE}" 1 + rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE} + rlRun "checkmodule -b >& ${TEST_FILE}" 1 + rlAssertGrep "loading policy configuration from policy" ${TEST_FILE} + rlRun "checkmodule -V" + rlRun "checkmodule -U 1>/dev/null" 1 + rlRun "rm -f policy.conf" + for OPTION in "deny" "reject" "allow" ; do + rlRun "checkmodule -U ${OPTION} >& ${TEST_FILE}" 1 + rlAssertGrep "unable to open policy.conf" ${TEST_FILE} + done + rlRun "rm -f ${TEST_FILE}" + rlRun "touch ${TEST_FILE}" + rlRun "rm -rf ${TEST_DIR}" + rlRun "mkdir ${TEST_DIR}" + rlRun "checkmodule ${TEST_FILE}" 1,2 + rlRun "checkmodule -b ${TEST_FILE}" 1 + rlRun "checkmodule ${TEST_DIR}" 1,2 + rlRun "checkmodule -b ${TEST_DIR}" 1 + rlRun "rm -f ${TEST_FILE}" + rlRun "rm -rf ${TEST_DIR}" + rlRun "checkmodule ${TEST_FILE}" 1 + rlRun "checkmodule -b ${TEST_FILE}" 1 + if rlIsRHEL 5 ; then + rlRun "checkmodule --help 2>&1 | grep -- -d" + fi + rlRun "checkmodule --help 2>&1 | grep -- -h" + rlRun "checkmodule --help 2>&1 | grep -- -U" + rlPhaseEnd + + rlPhaseStartTest + for POLICY_KIND in minimum mls targeted ; do + rlRun "checkmodule -M -m -b -o testmod.mod /etc/selinux/${POLICY_KIND}/policy/policy.* >& ${TEST_FILE}" 1 + rlRun "grep -i \"checkmodule.*-b and -m are incompatible with each other\" ${TEST_FILE}" + done + rlPhaseEnd + + rlPhaseStartTest + INPUT_FILE="mypolicy.te" + OUTPUT_FILE="mypolicy.output" + rlRun "ls -l ${INPUT_FILE}" + rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\"" + rlRun "checkmodule -m -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing binary representation.*to ${OUTPUT_FILE}\"" + rlRun 
"ls -l ${OUTPUT_FILE}" + if checkmodule --help | grep -q " CIL " ; then + rlRun "rm -f ${OUTPUT_FILE}" + rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*loading policy configuration from ${INPUT_FILE}\"" + rlRun "checkmodule -m -C -o ${OUTPUT_FILE} ${INPUT_FILE} 2>&1 | grep \"checkmodule.*writing CIL to ${OUTPUT_FILE}\"" + rlRun "ls -l ${OUTPUT_FILE}" + fi + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "rm -rf ${TEST_FILE} ${TEST_DIR} ${OUTPUT_FILE}" + rlPhaseEnd +rlJournalPrintText +rlJournalEnd + diff --git a/tests/checkpolicy-docs/Makefile b/tests/checkpolicy-docs/Makefile new file mode 100644 index 0000000..ea1a0bc --- /dev/null +++ b/tests/checkpolicy-docs/Makefile 
@@ -0,0 +1,64 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy +# Description: covers an issue where manpage included an unsupported option. +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: covers an issue where manpage included an unsupported option." 
>> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 1m" >> $(METADATA) + @echo "RunFor: checkpolicy" >> $(METADATA) + @echo "Requires: checkpolicy" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/tests/checkpolicy-docs/PURPOSE b/tests/checkpolicy-docs/PURPOSE new file mode 100644 index 0000000..bde34d7 --- /dev/null +++ b/tests/checkpolicy-docs/PURPOSE @@ -0,0 +1,7 @@ +PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy + +Description: covers an issue where manpage included an unsupported option. + +Author: Milos Malik + + diff --git a/tests/checkpolicy-docs/runtest.sh b/tests/checkpolicy-docs/runtest.sh new file mode 100644 index 0000000..83a7079 --- /dev/null +++ b/tests/checkpolicy-docs/runtest.sh 
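Review bot: `export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy` in tests/checkpolicy-docs/Makefile is the same test name that tests/checkpolicy/Makefile exports in this commit, and the Makefile header comment and the PURPOSE file added beside it repeat it, while this directory's runtest.sh header says `/CoreOS/checkpolicy/Sanity/checkpolicy-docs`. Because `Name: $(TEST)` is written into the generated metadata, the two tests would presumably be registered under one name, which makes a failure hard to attribute to the right script. I would change the line to `export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy-docs` and bring the Makefile header and PURPOSE in line with it.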
@@ -0,0 +1,53 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy-docs +# Description: covers an issue where manpage included an unsupported option. +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh + +PACKAGE="checkpolicy" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + rlAssertExists "/usr/share/man/man8/checkpolicy.8.gz" + rlPhaseEnd + + rlPhaseStartTest + rlRun "man checkpolicy | col -b | grep -- '-m]'" 1 + rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/.*checkmodule" + if rlIsRHEL 5 ; then + rlRun "man checkmodule | col -b | grep -- -d" + fi + rlRun "man checkmodule | col -b | grep -- -h" + rlRun "man checkmodule | col -b | grep -- -U" + rlPhaseEnd + +rlJournalPrintText +rlJournalEnd + diff --git a/tests/checkpolicy/Makefile b/tests/checkpolicy/Makefile new file mode 100644 index 0000000..1ba29a4 --- /dev/null +++ b/tests/checkpolicy/Makefile 
@@ -0,0 +1,64 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/checkpolicy/Sanity/checkpolicy +# Description: runs checkpolicy with various options to find out if it behaves correctly +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. 
+# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/checkpolicy/Sanity/checkpolicy +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE policy.conf.from.secilc + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: runs checkpolicy with various options to find out if it behaves correctly" >> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 10m" >> $(METADATA) + @echo "RunFor: checkpolicy setools" >> $(METADATA) + @echo "Requires: checkpolicy setools-console selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/tests/checkpolicy/PURPOSE b/tests/checkpolicy/PURPOSE new file mode 100644 index 0000000..c60c59e --- /dev/null +++ b/tests/checkpolicy/PURPOSE @@ -0,0 +1,7 @@ +PURPOSE of /CoreOS/checkpolicy/Sanity/checkpolicy + +Description: runs checkpolicy with various options to find out if it behaves correctly + +Author: Milos Malik + + diff --git a/tests/checkpolicy/policy.conf.from.secilc b/tests/checkpolicy/policy.conf.from.secilc new file mode 100644 index 0000000..938af91 --- /dev/null +++ b/tests/checkpolicy/policy.conf.from.secilc 
@@ -0,0 +1,143 @@ +class file +class process +class char + +sid kernel +sid security +sid unlabeled + +common file {ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton } + +class file inherits file { execute_no_trans entrypoint execmod open audit_access } +class char inherits file { foo transition } +class process { open } + +sensitivity s0 alias sens0; +sensitivity s1; + +dominance { s0 s1 } + +category c0 alias cat0; +category c1; +category c2; + +level s0:c0.c2; +level s1:c0.c2; + +mlsconstrain file { open } (not (((l1 eq l2) and (u1 eq u2)) or (r1 eq r2))); +mlsconstrain file { open } (((l1 eq l2) and (u1 eq u2)) or (r1 != r2)); +mlsconstrain file { open } (l1 dom h2); +mlsconstrain file { open } (h1 domby l2); +mlsconstrain file { open } (l1 incomp l2); + +mlsvalidatetrans file (h1 domby l2); + +attribute foo_type; +attribute bar_type; +attribute baz_type; +attribute exec_type; + +type bin_t, bar_type, exec_type; +type kernel_t, foo_type, exec_type, baz_type; +type security_t, baz_type; +type unlabeled_t, baz_type; + +type exec_t, baz_type; +type console_t, baz_type; +type auditadm_t, baz_type; +type console_device_t, baz_type; +type user_tty_device_t, baz_type; +type device_t, baz_type; +type getty_t, baz_type; +type a_t, baz_type; +type b_t, baz_type; + +typealias bin_t alias sbin_t; + +bool secure_mode false; +bool console_login true; +bool b1 false; + +role system_r; +role user_r; +role system_r types bin_t; +role system_r types kernel_t; +role system_r types security_t; +role system_r types unlabeled_t; + +policycap open_perms; +permissive device_t; + +range_transition device_t console_t : file s0:c0 - s1:c0.c1; + +type_transition device_t console_t : file console_device_t; +type_member device_t bin_t : file exec_t; + +if console_login{ + type_change auditadm_t console_device_t : file user_tty_device_t; +} + +role_transition system_r bin_t user_r; + +auditallow device_t auditadm_t: 
file { open }; +dontaudit device_t auditadm_t: file { read }; + +allow system_r user_r; + +allow console_t console_device_t: char { write setattr }; +allow console_t console_device_t: file { open read getattr }; +allow foo_type self: file { execute }; +allow bin_t device_t: file { execute }; +allow bin_t exec_t: file { execute }; +allow bin_t bin_t: file { execute }; +allow a_t b_t : file { write }; +allow console_t console_device_t: file { read write getattr setattr lock append }; +allow kernel_t kernel_t : file { execute }; + +if b1 { + allow a_t b_t : file { read }; +} + +if secure_mode{ + auditallow device_t exec_t: file { read write }; +} + +if console_login{ + allow getty_t console_device_t: file { getattr open read write append }; +} +else { + dontaudit getty_t console_device_t: file { getattr open read write append }; +} + +if (not ((secure_mode eq console_login) xor ((secure_mode or console_login) and secure_mode))){ + allow bin_t exec_t: file { execute }; +} + +user system_u roles system_r level s0:c0 range s0:c0 - s1:c0,c1; +user user_u roles user_r level s0:c0 range s0:c0 - s0:c0; + +validatetrans file (t1 == exec_t); + +constrain char transition (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2))); +constrain file { open } (r1 dom r2); +constrain file { open } (r1 domby r2); +constrain file { open } (r1 incomp r2); +constrain file { open read getattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2))); +constrain char { write setattr } (not (((t1 eq exec_t) and (t2 eq bin_t)) or (r1 eq r2))); + + +sid kernel system_u:system_r:kernel_t:s0:c0 - s1:c0,c1 +sid security system_u:system_r:security_t:s0:c0 - s1:c0,c1 +sid unlabeled system_u:system_r:unlabeled_t:s0:c0 - s1:c0,c1 + +fs_use_xattr ext3 system_u:system_r:bin_t:s0:c0 - s1:c0,c1; + +genfscon proc /usr/bin system_u:system_r:bin_t:s0:c0 - s1:c0,c1 + +portcon tcp 22 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 +portcon udp 25 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 + +netifcon eth0 
system_u:system_r:bin_t:s0:c0 - s1:c0,c1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 + +nodecon 192.25.35.200 192.168.1.1 system_u:system_r:bin_t:s0:c0 - s1:c0,c1 +nodecon 2001:db8:ac10:fe01:: 2001:de0:da88:2222:: system_u:system_r:bin_t:s0:c0 - s1:c0,c1 diff --git a/tests/checkpolicy/runtest.sh b/tests/checkpolicy/runtest.sh new file mode 100644 index 0000000..815dbaf --- /dev/null +++ b/tests/checkpolicy/runtest.sh 
@@ -0,0 +1,153 @@ +#!/bin/bash +# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/checkpolicy/Sanity/checkpolicy +# Description: runs checkpolicy with various options to find out if it behaves correctly +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2009 Red Hat, Inc. All rights reserved. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include rhts environment +. /usr/bin/rhts-environment.sh +. /usr/share/beakerlib/beakerlib.sh + +PACKAGE="checkpolicy" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + rlAssertRpm selinux-policy-minimum + rlAssertRpm selinux-policy-mls + rlAssertRpm selinux-policy-targeted + rlRun "uname -a" + TEST_FILE=`mktemp` + TEST_DIR=`mktemp -d` + OUTPUT_FILE=`mktemp` + rlAssertExists "/usr/bin/checkpolicy" + rlPhaseEnd + + rlPhaseStartTest "compilation from policy.conf" + MIN_VERSION="15" + MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . 
-f 2 | head -n 1` + if rlIsRHEL 5 6 ; then + VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}` + else + # some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23" + VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23` + fi + for CUR_VERSION in ${VERSIONS} ; do + rlRun "rm -f policy.out" + rlWatchdog "checkpolicy -M -c ${CUR_VERSION} -o policy.out policy.conf.from.secilc" 15 + if [ -s policy.out ] ; then + rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}" + rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}" + else + rlRun "ls -l policy.out" + fi + done + rlPhaseEnd + + rlPhaseStartTest + rlRun "checkpolicy >& ${TEST_FILE}" 1 + rlAssertGrep "loading policy configuration from policy.conf" ${TEST_FILE} + rlRun "checkpolicy -b >& ${TEST_FILE}" 1 + rlAssertGrep "loading policy configuration from policy" ${TEST_FILE} + rlRun "checkpolicy -V" + rlRun "checkpolicy -U 2>&1 | grep \"option requires an argument\"" + rlRun "checkpolicy -U xyz" 1 + rlRun "rm -f policy.conf" + if ! 
rlIsRHEL 4 ; then + for OPTION in "deny" "reject" "allow" ; do + rlRun "checkpolicy -U ${OPTION} >& ${TEST_FILE}" 1 + rlAssertGrep "unable to open policy.conf" ${TEST_FILE} + done + fi + rlRun "rm -f ${TEST_FILE}" + rlRun "touch ${TEST_FILE}" + rlRun "rm -rf ${TEST_DIR}" + rlRun "mkdir ${TEST_DIR}" + rlRun "checkpolicy ${TEST_FILE}" 1,2 + rlRun "checkpolicy -b ${TEST_FILE}" 1 + rlRun "checkpolicy ${TEST_DIR}" 1,2 + rlRun "checkpolicy -b ${TEST_DIR}" 1 + rlRun "rm -f ${TEST_FILE}" + rlRun "rm -rf ${TEST_DIR}" + rlRun "checkpolicy ${TEST_FILE}" 1 + rlRun "checkpolicy -b ${TEST_FILE}" 1 + rlRun "checkpolicy -c 2>&1 | grep \"option requires an argument\"" + rlRun "checkpolicy -c 0 2>&1 | grep \"value 0 not in range\"" + rlRun "checkpolicy -t 2>&1 | grep \"option requires an argument\"" + rlRun "checkpolicy -t xyz 2>&1 | grep -i \"unknown target platform\"" + rlRun "checkpolicy --help 2>&1 | grep -- '-m]'" 1 + rlPhaseEnd + + rlPhaseStartTest + if rlIsRHEL 5 6 ; then + ACTIVE_POLICY="/selinux/policy" + else + ACTIVE_POLICY="/sys/fs/selinux/policy" + fi + rlRun "echo -e 'q\n' | checkpolicy -Mdb ${ACTIVE_POLICY} | tee ${OUTPUT_FILE}" + rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1 + for POLICY_TYPE in minimum mls targeted ; do + if [ ! -e /etc/selinux/${POLICY_TYPE}/policy/policy.* ] ; then + continue + fi + rlRun "echo -e 'q\n' | checkpolicy -Mdb /etc/selinux/${POLICY_TYPE}/policy/policy.* | tee ${OUTPUT_FILE}" + rlRun "grep -qi -e error -e ebitmap -e 'not match' ${OUTPUT_FILE}" 1 + done + rlPhaseEnd + + rlPhaseStartTest + if rlIsRHEL 5 6 ; then + ACTIVE_POLICY_TREE="/selinux" + else # RHEL-7 and above + ACTIVE_POLICY_TREE="/sys/fs/selinux" + fi + MIN_VERSION="15" + MAX_VERSION=`find /etc/selinux/ -name policy.?? | cut -d / -f 6 | cut -d . 
-f 2 | head -n 1` + for POLICY_TYPE in minimum mls targeted ; do + if rlIsRHEL 5 6 ; then + VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION}` + else + # some versions are skipped because seinfo segfaults when inspecting binary policies between v.20 and v.23" + VERSIONS=`seq ${MIN_VERSION} 1 ${MAX_VERSION} | grep -v -e 19 -e 20 -e 21 -e 22 -e 23` + fi + for CUR_VERSION in ${VERSIONS} ; do + rlRun "rm -f policy.out" + rlWatchdog "checkpolicy -b -M -c ${CUR_VERSION} -o policy.out /etc/selinux/${POLICY_TYPE}/policy/policy.${MAX_VERSION}" 15 + if [ -s policy.out ] ; then + rlRun "seinfo policy.out 2>&1 | tee ${OUTPUT_FILE}" + rlRun "grep -i -e \"policy version.*${CUR_VERSION}\" -e \"unable to open policy\" ${OUTPUT_FILE}" + else + rlRun "ls -l policy.out" + fi + done + done + rlPhaseEnd + + rlPhaseStartCleanup + rm -f ${OUTPUT_FILE} policy.out + rlPhaseEnd +rlJournalPrintText +rlJournalEnd + diff --git a/tests/sedismod/Makefile b/tests/sedismod/Makefile new file mode 100644 index 0000000..62a901c --- /dev/null +++ b/tests/sedismod/Makefile 
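Review bot: The `rm -f ${TEST_FILE}` / `touch ${TEST_FILE}` and `rm -rf ${TEST_DIR}` / `mkdir ${TEST_DIR}` pairs in the option-checking phase delete the paths that `mktemp` created safely and then re-create them by name, which gives up the guarantee `mktemp` provides. Between the two commands the name is free in a shared temporary directory, and `touch` and `mkdir` will accept whatever another local account has placed there; how much that matters depends on the privileges the test runs with, which the hunk does not show. Truncating in place keeps the original file, `rlRun ": > ${TEST_FILE}"`, and the directory from `mktemp -d` is still empty at that point, so the `rm -rf`/`mkdir` pair can simply be dropped. tests/checkmodule/runtest.sh in this commit contains the same sequence.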
@@ -0,0 +1,65 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/checkpolicy/Sanity/sedismod +# Description: Does sedismod work correctly ?) +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/checkpolicy/Sanity/sedismod +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE sedismod.exp + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + test -x sedismod.exp || chmod a+x sedismod.exp + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Does sedismod work correctly?" 
>> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 10m" >> $(METADATA) + @echo "RunFor: checkpolicy" >> $(METADATA) + @echo "Requires: checkpolicy selinux-policy-targeted expect policycoreutils psmisc" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/tests/sedismod/PURPOSE b/tests/sedismod/PURPOSE new file mode 100644 index 0000000..3c9db2c --- /dev/null +++ b/tests/sedismod/PURPOSE @@ -0,0 +1,5 @@ +PURPOSE of /CoreOS/checkpolicy/Sanity/sedismod +Author: Milos Malik + +Does sedismod work correctly? + diff --git a/tests/sedismod/runtest.sh b/tests/sedismod/runtest.sh new file mode 100755 index 0000000..8f86e9e --- /dev/null +++ b/tests/sedismod/runtest.sh 
@@ -0,0 +1,83 @@ +#!/bin/bash +# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/checkpolicy/Sanity/sedismod +# Description: Does sedismod work correctly +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This copyrighted material is made available to anyone wishing +# to use, modify, copy, or redistribute it subject to the terms +# and conditions of the GNU General Public License version 2. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public +# License along with this program; if not, write to the Free +# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, +# Boston, MA 02110-1301, USA. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include Beaker environment +. /usr/bin/rhts-environment.sh || exit 1 +. 
/usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="checkpolicy" +# TODO: repeat for all policy modules that are installed under /etc/selinux +if rlIsFedora ; then + POLICY_FILE="`find /var/lib/selinux/targeted -type d -name base`/hll" +elif rlIsRHEL '<7.3' ; then + POLICY_FILE=`find /etc/selinux/targeted -type f -name base.pp` +else # RHEL-7.3 and above + POLICY_FILE="`find /etc/selinux/targeted -type d -name base`/hll" +fi + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE} + OUTPUT_FILE=`mktemp` + if rlIsRHEL '>=7.3' || rlIsFedora ; then + rlRun "semodule -H -E base" + else + rlRun "cp ${POLICY_FILE} ./base.pp.bz2" + rlRun "rm -f base.pp" + rlRun "bzip2 -d ./base.pp.bz2" + fi + POLICY_FILE="base.pp" + rlRun "ls -l ${POLICY_FILE}" + rlPhaseEnd + + rlPhaseStartTest "check all available options" + if rlIsRHEL 6 ; then + AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 0 a b c u" + else # RHEL-7 and above + AVAILABLE_OPTIONS="1 2 3 4 5 6 7 8 9 0 a b c u F" + fi + for OPTION in ${AVAILABLE_OPTIONS} ; do + rlRun "rm -f ${OUTPUT_FILE}" + rlWatchdog "./sedismod.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65 + # rlWatchdog kills the expect script, but we need to kill the sedismod process too + rlRun "killall sedismod" 0,1 + rlRun "ls -l ${OUTPUT_FILE}" + if [ -s ${OUTPUT_FILE} ] ; then + rlPass "sedismod produced some output" + else + rlFail "sedismod did not produce any output" + fi + done + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "rm -f ${OUTPUT_FILE} ${POLICY_FILE}" + rlPhaseEnd +rlJournalPrintText +rlJournalEnd + diff --git a/tests/sedismod/sedismod.exp b/tests/sedismod/sedismod.exp new file mode 100755 index 0000000..7409bfe --- /dev/null +++ b/tests/sedismod/sedismod.exp 
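Review bot: The `find` results assigned to `POLICY_FILE` in the `rlIsFedora` and final `else` branches at the top of the script are never read. On those platforms the setup phase runs `semodule -H -E base` and the variable is then overwritten with `POLICY_FILE="base.pp"`; only the `rlIsRHEL '<7.3'` value reaches `cp ${POLICY_FILE} ./base.pp.bz2`. I would delete the top-level `if` and put the single remaining lookup, ``POLICY_FILE=`find /etc/selinux/targeted -type f -name base.pp` ``, directly before the `cp` in the setup phase's `else` arm, so the script states which file it depends on where it uses it.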
@@ -0,0 +1,21 @@ +#!/usr/bin/expect -f +# ./sedismod.exp option policyfile outputfile +set option [lrange $argv 0 0] +set policyfile [lrange $argv 1 1] +set outputfile [lrange $argv 2 2] +set timeout 60 +spawn sedismod $policyfile +expect "Command*:" { + send -- "f\r" +} +expect "Filename*:" { + send -- "$outputfile\r" +} +expect "Command*:" { + send -- "$option\r" +} +expect "Command*:" { + send -- "q\r" +} +expect eof + diff --git a/tests/sedispol/Makefile b/tests/sedispol/Makefile new file mode 100644 index 0000000..f39bae8 --- /dev/null +++ b/tests/sedispol/Makefile 
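Review bot: `set option [lrange $argv 0 0]` and the two assignments after it store a one-element list rather than the argument itself, so a policy or output path containing a space or a brace reaches `spawn` and `send` in Tcl's brace-quoted list form instead of as the literal path. `lindex` returns the element: `set option [lindex $argv 0]`, `set policyfile [lindex $argv 1]`, `set outputfile [lindex $argv 2]`. Separately, none of the `expect` blocks has a `timeout` arm, so when a prompt does not appear the script waits the 60 seconds and then carries on to the next `expect`; adding `timeout { exit 1 }` to each block would report that failure to runtest.sh instead of leaving it to the output-file size check.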
@@ -0,0 +1,65 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/checkpolicy/Sanity/sedispol
+# Description: Does sedispol work correctly?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/checkpolicy/Sanity/sedispol
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE sedispol.exp
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+ test -x sedispol.exp || chmod a+x sedispol.exp
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Does sedispol work correctly?" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 10m" >> $(METADATA)
+ @echo "RunFor: checkpolicy" >> $(METADATA)
+ @echo "Requires: checkpolicy selinux-policy expect" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
+
diff --git a/tests/sedispol/PURPOSE b/tests/sedispol/PURPOSE
new file mode 100644
index 0000000..4ab0c43
--- /dev/null
+++ b/tests/sedispol/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/checkpolicy/Sanity/sedispol
+Author: Milos Malik
+
+Does sedispol work correctly?
+
diff --git a/tests/sedispol/runtest.sh b/tests/sedispol/runtest.sh
new file mode 100755
index 0000000..5ed441b
--- /dev/null
+++ b/tests/sedispol/runtest.sh
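Review bot: The metadata line `Requires: checkpolicy selinux-policy expect` in tests/sedispol/Makefile leaves out packages that the test in the same directory uses. tests/sedispol/runtest.sh calls `killall`, which tests.yml in this patch attributes to psmisc, and it reads its policy from /etc/selinux/targeted/policy/, presumably shipped by selinux-policy-targeted rather than the base package. On a minimal host without `killall`, `rlRun "killall sedispol" 0,1` would fail with a command-not-found status on every loop iteration. I would change the line to `@echo "Requires: checkpolicy selinux-policy-targeted expect psmisc" >> $(METADATA)`. As a smaller style point, `.PHONY` lists `all install download clean` but not the `run` and `build` targets this file defines.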
@@ -0,0 +1,77 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/checkpolicy/Sanity/sedispol
+# Description: Does sedispol work correctly?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="checkpolicy"
+# TODO: repeat for all policy files that are installed under /etc/selinux
+POLICY_FILE=`find /etc/selinux/targeted/policy/ -type f`
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm ${PACKAGE}
+ OUTPUT_FILE=`mktemp`
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ if rlIsRHEL 6 ; then
+ AVAILABLE_OPTIONS="1 2 3 4 5 6 c p u"
+ else # RHEL-7 and above
+ AVAILABLE_OPTIONS="1 2 3 4 5 6 8 c p u F"
+ fi
+ for OPTION in ${AVAILABLE_OPTIONS} ; do
+ rlRun "rm -f ${OUTPUT_FILE}"
+ rlWatchdog "./sedispol.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}" 65
+ # rlWatchdog kills the expect script, but we need to kill the sedispol process too
+ rlRun "killall sedispol" 0,1
+ rlRun "ls -l ${OUTPUT_FILE}"
+ if [ -s ${OUTPUT_FILE} ] ; then
+ rlPass "sedispol produced some output"
+ else
+ rlFail "sedispol did not produce any output"
+ fi
+ done
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ rlRun "echo q | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
+ rlRun "grep AVTAB ${OUTPUT_FILE}"
+ rlRun "grep AVTAG ${OUTPUT_FILE}" 1
+ rlRun "echo -en 'u\nq\n' | sedispol ${POLICY_FILE} >& ${OUTPUT_FILE}"
+ rlRun "grep permissions ${OUTPUT_FILE}"
+ rlRun "grep permisions ${OUTPUT_FILE}" 1
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "rm -f ${OUTPUT_FILE}"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
diff --git a/tests/sedispol/sedispol.exp b/tests/sedispol/sedispol.exp
new file mode 100755
index 0000000..462e3b8
--- /dev/null
+++ b/tests/sedispol/sedispol.exp
@@ -0,0 +1,21 @@
+#!/usr/bin/expect -f
+# ./sedispol.exp option policyfile outputfile
+set option [lrange $argv 0 0]
+set policyfile [lrange $argv 1 1]
+set outputfile [lrange $argv 2 2]
+set timeout 60
+spawn sedispol $policyfile
+expect "Command*:" {
+ send -- "f\r"
+}
+expect "Filename*:" {
+ send -- "$outputfile\r"
+}
+expect "Command*:" {
+ send -- "$option\r"
+}
+expect "Command*:" {
+ send -- "q\r"
+}
+expect eof
+
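Review bot: The `find /etc/selinux/targeted/policy/ -type f` that fills POLICY_FILE in tests/sedispol/runtest.sh can return more than one path. The unquoted `${POLICY_FILE}` in `./sedispol.exp ${OPTION} ${POLICY_FILE} ${OUTPUT_FILE}` then shifts the arguments, so a second policy file lands in the output-file slot. Since these tests presumably run as root, sedispol would be asked to write its dump over an installed binary policy. Selecting exactly one file, e.g. `POLICY_FILE=$(find /etc/selinux/targeted/policy/ -type f | sort -V | tail -n 1)` followed by `rlAssertExists "${POLICY_FILE}"`, and quoting the expansions avoids that. Separately, the loop's `rm -f ${OUTPUT_FILE}` discards the file `mktemp` created and lets the tool re-create the same /tmp path by name; truncating with `: > "${OUTPUT_FILE}"` keeps the original file.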
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..1b15b20
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,61 @@
+---
+# Tests for Classic
+- hosts: localhost
+ roles:
+ - role: standard-test-beakerlib
+ tags:
+ - classic
+ repositories:
+ - repo: "https://src.fedoraproject.org/tests/selinux.git"
+ dest: "selinux"
+ fmf_filter: "tier:1 | component:checkpolicy"
+ required_packages:
+ - checkpolicy # Required by all tests
+ - man # Required by checkpolicy-docs
+ - grep # Required by checkmodule
+ - coreutils # Required by checkmodule
+ - setools-console # Required by checkpolicy
+ - selinux-policy-minimum # Required by checkpolicy
+ - selinux-policy-mls # Required by checkpolicy
+ - selinux-policy-targeted # Required by checkpolicy and sedismod
+ - expect # Required by sedismod and sedispol
+ - policycoreutils # Required by sedismod
+ - psmisc # Required by sedismod
+ - selinux-policy # Required by sedispol
+ - e2fsprogs
+ - gcc
+ - git
+ - libselinux
+ - libselinux-utils
+ - libsemanage
+ - libsepol
+ - libsepol-devel
+ - policycoreutils-python-utils
+ - selinux-policy-devel
+
+# Tests for Container
+- hosts: localhost
+ roles:
+ - role: standard-test-beakerlib
+ tags:
+ - container
+ repositories:
+ - repo: "https://src.fedoraproject.org/tests/selinux.git"
+ dest: "selinux"
+ tests:
+ - selinux/checkpolicy/checkmodule
+ - selinux/checkpolicy/checkpolicy
+ - selinux/checkpolicy/sedismod
+ - selinux/checkpolicy/sedispol
+ required_packages:
+ - checkpolicy # Required by all tests
+ - grep # Required by checkmodule
+ - coreutils # Required by checkmodule
+ - setools-console # Required by checkpolicy
+ - selinux-policy-minimum # Required by checkpolicy
+ - selinux-policy-mls # Required by checkpolicy
+ - selinux-policy-targeted # Required by checkpolicy and sedismod
+ - expect # Required by sedismod and sedispol
+ - policycoreutils # Required by sedismod
+ - psmisc # Required by sedismod
+ - selinux-policy # Required by sedispol
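Review bot: Both plays in tests/tests.yml fetch `https://src.fedoraproject.org/tests/selinux.git` with no revision given, so whatever is at the tip of that repository at run time is executed on the test host, presumably as root. For a gating test of an SELinux toolchain package I would pin the checkout to a reviewed commit or tag, if the role's repository entry accepts a ref, and bump it deliberately. The Container play also runs `selinux/checkpolicy/sedismod` and its siblings from that clone, so the copies of the same tests this commit adds under tests/ do not appear to be referenced here. Either point the plays at the in-tree directories or drop the duplicates so the two cannot drift apart.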