152 lines
6.3 KiB
Bash
152 lines
6.3 KiB
Bash
|
#!/bin/bash
|
||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
#
|
||
|
# runtest.sh of /CoreOS/policycoreutils/Sanity/setsebool
|
||
|
# Description: does setsebool work correctly ?
|
||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||
|
#
|
||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
#
|
||
|
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||
|
#
|
||
|
# This copyrighted material is made available to anyone wishing
|
||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||
|
# and conditions of the GNU General Public License version 2.
|
||
|
#
|
||
|
# This program is distributed in the hope that it will be
|
||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||
|
# PURPOSE. See the GNU General Public License for more details.
|
||
|
#
|
||
|
# You should have received a copy of the GNU General Public
|
||
|
# License along with this program; if not, write to the Free
|
||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||
|
# Boston, MA 02110-1301, USA.
|
||
|
#
|
||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
|
||
|
# Include rhts environment
|
||
|
. /usr/bin/rhts-environment.sh
|
||
|
. /usr/share/beakerlib/beakerlib.sh
|
||
|
|
||
|
PACKAGE="policycoreutils"
|
||
|
USER_NAME="user${RANDOM}"
|
||
|
USER_SECRET="s3kr3t${RANDOM}"
|
||
|
BOOLEAN="ftpd_connect_db"
|
||
|
if rlIsRHEL 5 6 ; then
|
||
|
SELINUX_FS_MOUNT="/selinux"
|
||
|
else # RHEL-7 and above
|
||
|
SELINUX_FS_MOUNT="/sys/fs/selinux"
|
||
|
fi
|
||
|
|
||
|
rlJournalStart
|
||
|
rlPhaseStartSetup
|
||
|
rlAssertRpm ${PACKAGE}
|
||
|
OUTPUT_FILE=`mktemp`
|
||
|
chcon -t tmp_t ${OUTPUT_FILE}
|
||
|
|
||
|
rlRun "useradd ${USER_NAME}"
|
||
|
rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"
|
||
|
rlPhaseEnd
|
||
|
|
||
|
rlPhaseStartTest
|
||
|
for OPTION in "" "-P" ; do
|
||
|
for OPERATOR in " " "=" ; do
|
||
|
for VALUE in 0 1 false true off on ; do
|
||
|
rlRun "setsebool ${OPTION} ${BOOLEAN}${OPERATOR}${VALUE} | grep -i -e illegal -e usage -e invalid" 1
|
||
|
if [ ${VALUE} == "0" -o ${VALUE} == "false" ] ; then
|
||
|
SHOWN_VALUE="off"
|
||
|
elif [ ${VALUE} == "1" -o ${VALUE} == "true" ] ; then
|
||
|
SHOWN_VALUE="on"
|
||
|
else
|
||
|
SHOWN_VALUE=${VALUE}
|
||
|
fi
|
||
|
rlRun "getsebool -a | grep \"^${BOOLEAN}.*${SHOWN_VALUE}\""
|
||
|
done
|
||
|
done
|
||
|
done
|
||
|
rlPhaseEnd
|
||
|
|
||
|
rlPhaseStartTest
|
||
|
rlRun "setsebool" 1
|
||
|
rlRun "setsebool xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
|
||
|
rlRun "setsebool xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
||
|
rlRun "setsebool xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
||
|
if ! rlIsRHEL 5 6 ; then
|
||
|
rlRun "setsebool -N 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
|
||
|
rlRun "setsebool -P 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
|
||
|
fi
|
||
|
rlRun "setsebool -P xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
|
||
|
rlRun "setsebool -P xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
||
|
rlRun "setsebool -P xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
||
|
rlPhaseEnd
|
||
|
|
||
|
if ! rlIsRHEL 5 6 ; then
|
||
|
rlPhaseStartTest
|
||
|
rlRun "su -l -c '/usr/sbin/setsebool allow_ypbind 0' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
||
|
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
||
|
rlRun "su -l -c '/usr/sbin/setsebool allow_ypbind 1' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
||
|
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
||
|
rlRun "su -l -c '/usr/sbin/setsebool -P allow_ypbind 0' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
||
|
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
||
|
rlRun "su -l -c '/usr/sbin/setsebool -P allow_ypbind 1' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
||
|
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
||
|
rlPhaseEnd
|
||
|
|
||
|
rlPhaseStartTest
|
||
|
for OPTION in "" "-P" ; do
|
||
|
rlRun "getsebool allow_ypbind | grep nis_enabled"
|
||
|
rlRun "setsebool ${OPTION} allow_ypbind on"
|
||
|
rlRun "getsebool allow_ypbind | grep \"nis_enabled.*on\""
|
||
|
rlRun "setsebool ${OPTION} allow_ypbind off"
|
||
|
rlRun "getsebool allow_ypbind | grep \"nis_enabled.*off\""
|
||
|
done
|
||
|
rlPhaseEnd
|
||
|
|
||
|
rlPhaseStartTest
|
||
|
# https://fedoraproject.org/wiki/Features/SELinuxBooleansRename
|
||
|
for LINE in `cat /etc/selinux/*/booleans.subs_dist | sort | uniq | tr -s ' ' | tr ' ' ':'` ; do
|
||
|
OLD_BOOLEAN_NAME=`echo ${LINE} | cut -d : -f 1`
|
||
|
NEW_BOOLEAN_NAME=`echo ${LINE} | cut -d : -f 2`
|
||
|
rlRun "getsebool ${OLD_BOOLEAN_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
||
|
rlRun "getsebool ${NEW_BOOLEAN_NAME} 2>&1 | tee -a ${OUTPUT_FILE}"
|
||
|
rlRun "uniq -c ${OUTPUT_FILE} | grep '2 '"
|
||
|
done
|
||
|
rlPhaseEnd
|
||
|
fi
|
||
|
|
||
|
rlPhaseStartTest "audit messages"
|
||
|
START_DATE_TIME=`date "+%m/%d/%Y %T"`
|
||
|
sleep 1
|
||
|
rlRun "setsebool ${BOOLEAN} on"
|
||
|
rlRun "setsebool ${BOOLEAN} off"
|
||
|
rlRun "setsebool ${BOOLEAN} on"
|
||
|
sleep 1
|
||
|
rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=1 old_val=0\""
|
||
|
rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=0 old_val=1\""
|
||
|
if rlIsRHEL ; then
|
||
|
rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=SYSCALL.*comm=setsebool\""
|
||
|
fi
|
||
|
rlPhaseEnd
|
||
|
|
||
|
rlPhaseStartTest "extreme cases"
|
||
|
# pretend that no booleans are defined
|
||
|
rlRun "mkdir ./booleans"
|
||
|
rlRun "mount --bind ./booleans ${SELINUX_FS_MOUNT}/booleans"
|
||
|
rlRun "setsebool ${BOOLEAN} on 2>&1 | tee ${OUTPUT_FILE}"
|
||
|
rlAssertGrep "could not change active booleans" ${OUTPUT_FILE} -i
|
||
|
rlRun "setsebool ${BOOLEAN} off 2>&1 | tee ${OUTPUT_FILE}"
|
||
|
rlAssertGrep "could not change active booleans" ${OUTPUT_FILE} -i
|
||
|
rlRun "umount ${SELINUX_FS_MOUNT}/booleans"
|
||
|
rlRun "rmdir ./booleans"
|
||
|
rlPhaseEnd
|
||
|
|
||
|
rlPhaseStartCleanup
|
||
|
rlRun "userdel -rf ${USER_NAME}"
|
||
|
rm -f ${OUTPUT_FILE}
|
||
|
rlPhaseEnd
|
||
|
rlJournalPrintText
|
||
|
rlJournalEnd
|
||
|
|