Compare commits
No commits in common. "c8" and "c8s" have entirely different histories.
|
@ -1,13 +1,47 @@
|
||||||
SOURCES/gui-po.tgz
|
/policycoreutils_man_ru2.tar.bz2
|
||||||
SOURCES/policycoreutils-2.9.tar.gz
|
/policycoreutils-2.7.tar.gz
|
||||||
SOURCES/policycoreutils-po.tgz
|
/selinux-python-2.7.tar.gz
|
||||||
SOURCES/python-po.tgz
|
/selinux-gui-2.7.tar.gz
|
||||||
SOURCES/restorecond-2.9.tar.gz
|
/selinux-sandbox-2.7.tar.gz
|
||||||
SOURCES/sandbox-po.tgz
|
/selinux-dbus-2.7.tar.gz
|
||||||
SOURCES/selinux-dbus-2.9.tar.gz
|
/semodule-utils-2.7.tar.gz
|
||||||
SOURCES/selinux-gui-2.9.tar.gz
|
/restorecond-2.7.tar.gz
|
||||||
SOURCES/selinux-python-2.9.tar.gz
|
/policycoreutils-2.8-rc1.tar.gz
|
||||||
SOURCES/selinux-sandbox-2.9.tar.gz
|
/restorecond-2.8-rc1.tar.gz
|
||||||
SOURCES/semodule-utils-2.9.tar.gz
|
/selinux-dbus-2.8-rc1.tar.gz
|
||||||
SOURCES/sepolicy-icons.tgz
|
/selinux-gui-2.8-rc1.tar.gz
|
||||||
SOURCES/system-config-selinux.png
|
/selinux-python-2.8-rc1.tar.gz
|
||||||
|
/selinux-sandbox-2.8-rc1.tar.gz
|
||||||
|
/semodule-utils-2.8-rc1.tar.gz
|
||||||
|
/policycoreutils-2.8-rc2.tar.gz
|
||||||
|
/restorecond-2.8-rc2.tar.gz
|
||||||
|
/selinux-dbus-2.8-rc2.tar.gz
|
||||||
|
/selinux-gui-2.8-rc2.tar.gz
|
||||||
|
/selinux-python-2.8-rc2.tar.gz
|
||||||
|
/selinux-sandbox-2.8-rc2.tar.gz
|
||||||
|
/semodule-utils-2.8-rc2.tar.gz
|
||||||
|
/policycoreutils-2.8-rc3.tar.gz
|
||||||
|
/restorecond-2.8-rc3.tar.gz
|
||||||
|
/selinux-dbus-2.8-rc3.tar.gz
|
||||||
|
/selinux-gui-2.8-rc3.tar.gz
|
||||||
|
/selinux-python-2.8-rc3.tar.gz
|
||||||
|
/selinux-sandbox-2.8-rc3.tar.gz
|
||||||
|
/semodule-utils-2.8-rc3.tar.gz
|
||||||
|
/policycoreutils-2.8.tar.gz
|
||||||
|
/restorecond-2.8.tar.gz
|
||||||
|
/selinux-dbus-2.8.tar.gz
|
||||||
|
/selinux-gui-2.8.tar.gz
|
||||||
|
/selinux-python-2.8.tar.gz
|
||||||
|
/selinux-sandbox-2.8.tar.gz
|
||||||
|
/semodule-utils-2.8.tar.gz
|
||||||
|
/gui-po.tgz
|
||||||
|
/policycoreutils-po.tgz
|
||||||
|
/python-po.tgz
|
||||||
|
/sandbox-po.tgz
|
||||||
|
/policycoreutils-2.9.tar.gz
|
||||||
|
/restorecond-2.9.tar.gz
|
||||||
|
/selinux-dbus-2.9.tar.gz
|
||||||
|
/selinux-gui-2.9.tar.gz
|
||||||
|
/selinux-python-2.9.tar.gz
|
||||||
|
/selinux-sandbox-2.9.tar.gz
|
||||||
|
/semodule-utils-2.9.tar.gz
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
3f355f8cbfdf7be6f9a8190153090af95d2c7358 SOURCES/gui-po.tgz
|
|
||||||
6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz
|
|
||||||
51122ae6029657bf762d72bff94bab38890fd1e7 SOURCES/policycoreutils-po.tgz
|
|
||||||
c503e61733af54159d5950bbd9fa8080771ee938 SOURCES/python-po.tgz
|
|
||||||
0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz
|
|
||||||
7df1784ab0c6b0823943571d733b856d10a87f76 SOURCES/sandbox-po.tgz
|
|
||||||
8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz
|
|
||||||
5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz
|
|
||||||
660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz
|
|
||||||
0e208cad193021ad17a445b76b72af3fef8db999 SOURCES/selinux-sandbox-2.9.tar.gz
|
|
||||||
a4414223e60bb664ada4824e54f8d36ab208d599 SOURCES/semodule-utils-2.9.tar.gz
|
|
||||||
d849fa76cc3ef4a26047d8a69fef3a55d2f3097f SOURCES/sepolicy-icons.tgz
|
|
||||||
611a5d497efaddd45ec0dcc3e9b2e5b0f81ebc41 SOURCES/system-config-selinux.png
|
|
|
@ -0,0 +1,64 @@
|
||||||
|
From b6fa6e77d5d40a5c1b5f4be95500aa1a05147e5b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Wed, 7 Feb 2024 15:46:23 +0100
|
||||||
|
Subject: [PATCH] python/semanage: Do not sort local fcontext definitions
|
||||||
|
|
||||||
|
Entries in file_contexts.local are processed from the most recent one to
|
||||||
|
the oldest, with first match being used. Therefore it is important to
|
||||||
|
preserve their order when listing (semanage fcontext -lC) and exporting
|
||||||
|
(semanage export).
|
||||||
|
|
||||||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Acked-by: James Carter <jwcart2@gmail.com>
|
||||||
|
---
|
||||||
|
gui/fcontextPage.py | 6 +++++-
|
||||||
|
python/semanage/seobject.py | 9 +++++++--
|
||||||
|
2 files changed, 12 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
|
||||||
|
index e424366d..01a403a2 100644
|
||||||
|
--- a/gui/fcontextPage.py
|
||||||
|
+++ b/gui/fcontextPage.py
|
||||||
|
@@ -125,7 +125,11 @@ class fcontextPage(semanagePage):
|
||||||
|
self.fcontext = seobject.fcontextRecords()
|
||||||
|
self.store.clear()
|
||||||
|
fcon_dict = self.fcontext.get_all(self.local)
|
||||||
|
- for k in sorted(fcon_dict.keys()):
|
||||||
|
+ if self.local:
|
||||||
|
+ fkeys = fcon_dict.keys()
|
||||||
|
+ else:
|
||||||
|
+ fkeys = sorted(fcon_dict.keys())
|
||||||
|
+ for k in fkeys:
|
||||||
|
if not self.match(fcon_dict, k, filter):
|
||||||
|
continue
|
||||||
|
iter = self.store.append()
|
||||||
|
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
|
||||||
|
index 0e923a0d..dd915a69 100644
|
||||||
|
--- a/python/semanage/seobject.py
|
||||||
|
+++ b/python/semanage/seobject.py
|
||||||
|
@@ -2644,7 +2644,7 @@ class fcontextRecords(semanageRecords):
|
||||||
|
def customized(self):
|
||||||
|
l = []
|
||||||
|
fcon_dict = self.get_all(True)
|
||||||
|
- for k in sorted(fcon_dict.keys()):
|
||||||
|
+ for k in fcon_dict.keys():
|
||||||
|
if fcon_dict[k]:
|
||||||
|
if fcon_dict[k][3]:
|
||||||
|
l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0]))
|
||||||
|
@@ -2661,7 +2661,12 @@ class fcontextRecords(semanageRecords):
|
||||||
|
if len(fcon_dict) != 0:
|
||||||
|
if heading:
|
||||||
|
print("%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")))
|
||||||
|
- for k in sorted(fcon_dict.keys()):
|
||||||
|
+ # do not sort local customizations since they are evaluated based on the order they where added in
|
||||||
|
+ if locallist:
|
||||||
|
+ fkeys = fcon_dict.keys()
|
||||||
|
+ else:
|
||||||
|
+ fkeys = sorted(fcon_dict.keys())
|
||||||
|
+ for k in fkeys:
|
||||||
|
if fcon_dict[k]:
|
||||||
|
if is_mls_enabled:
|
||||||
|
print("%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3], False)))
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
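Review bot: The unsorted branches (`fkeys = fcon_dict.keys()` in gui/fcontextPage.py and in the seobject.py listing hunk, and `for k in fcon_dict.keys():` in `customized()`) preserve the file_contexts.local order only if the dict returned by `get_all()` keeps insertion order, and `get_all()` is outside this patch. Dict ordering is a language guarantee only from Python 3.7, so on an older interpreter the listed and exported order, and with it which local rule matches first after `semanage import`, rests on an implementation detail. I would state that dependency in the comment and fix its typo, e.g. `# do not sort local customizations: they are evaluated in the order they were added, so this relies on get_all() returning them in that order`, and repeat it at the other two sites, which currently carry no comment. The enclosing functions start and end outside the hunks.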
|
@ -0,0 +1,396 @@
|
||||||
|
From 108a7d43dd8fa4f5cb682f9df9c15304fa4eddea Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Wed, 14 Feb 2024 13:08:40 +0100
|
||||||
|
Subject: [PATCH] python/semanage: Allow modifying records on "add"
|
||||||
|
|
||||||
|
When trying to add a record with a key that already exists, modify
|
||||||
|
the existing record instead.
|
||||||
|
|
||||||
|
Also, fix "semanage -m -e" (add_equal was called instead of
|
||||||
|
modify_equal), which meant that existing local equivalency couldn't be
|
||||||
|
modified (though a user could remove it and add a modified
|
||||||
|
equivalency).
|
||||||
|
|
||||||
|
Fixes:
|
||||||
|
https://github.com/SELinuxProject/selinux/issues/412
|
||||||
|
When a port or login definition present in the policy is modified
|
||||||
|
using "semanage port -m", "semanage export" exports the command as
|
||||||
|
"port -a" instead of "port -m". This results in "semanage import"
|
||||||
|
failing (port already defined). The same is true for port, user,
|
||||||
|
login, ibpkey, ibendport, node, interface and fcontext.
|
||||||
|
|
||||||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Acked-by: James Carter <jwcart2@gmail.com>
|
||||||
|
---
|
||||||
|
python/semanage/semanage | 2 +-
|
||||||
|
python/semanage/seobject.py | 208 +++++++++++++++++++++++++-----------
|
||||||
|
2 files changed, 147 insertions(+), 63 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/python/semanage/semanage b/python/semanage/semanage
|
||||||
|
index 1f170f60..f55751b6 100644
|
||||||
|
--- a/python/semanage/semanage
|
||||||
|
+++ b/python/semanage/semanage
|
||||||
|
@@ -316,7 +316,7 @@ def handleFcontext(args):
|
||||||
|
OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
|
||||||
|
if args.action == "modify":
|
||||||
|
if args.equal:
|
||||||
|
- OBJECT.add_equal(args.file_spec, args.equal)
|
||||||
|
+ OBJECT.modify_equal(args.file_spec, args.equal)
|
||||||
|
else:
|
||||||
|
OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser)
|
||||||
|
if args.action == "delete":
|
||||||
|
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
|
||||||
|
index dd915a69..f6c559a7 100644
|
||||||
|
--- a/python/semanage/seobject.py
|
||||||
|
+++ b/python/semanage/seobject.py
|
||||||
|
@@ -560,11 +560,6 @@ class loginRecords(semanageRecords):
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create a key for %s") % name)
|
||||||
|
|
||||||
|
- (rc, exists) = semanage_seuser_exists(self.sh, k)
|
||||||
|
- if rc < 0:
|
||||||
|
- raise ValueError(_("Could not check if login mapping for %s is defined") % name)
|
||||||
|
- if exists:
|
||||||
|
- raise ValueError(_("Login mapping for %s is already defined") % name)
|
||||||
|
if name[0] == '%':
|
||||||
|
try:
|
||||||
|
grp.getgrnam(name[1:])
|
||||||
|
@@ -603,11 +598,29 @@ class loginRecords(semanageRecords):
|
||||||
|
def add(self, name, sename, serange):
|
||||||
|
try:
|
||||||
|
self.begin()
|
||||||
|
- self.__add(name, sename, serange)
|
||||||
|
+ # Add a new mapping, or modify an existing one
|
||||||
|
+ if self.__exists(name):
|
||||||
|
+ print(_("Login mapping for %s is already defined, modifying instead") % name)
|
||||||
|
+ self.__modify(name, sename, serange)
|
||||||
|
+ else:
|
||||||
|
+ self.__add(name, sename, serange)
|
||||||
|
self.commit()
|
||||||
|
except ValueError as error:
|
||||||
|
raise error
|
||||||
|
|
||||||
|
+ # check if login mapping for given user exists
|
||||||
|
+ def __exists(self, name):
|
||||||
|
+ (rc, k) = semanage_seuser_key_create(self.sh, name)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not create a key for %s") % name)
|
||||||
|
+
|
||||||
|
+ (rc, exists) = semanage_seuser_exists(self.sh, k)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not check if login mapping for %s is defined") % name)
|
||||||
|
+ semanage_seuser_key_free(k)
|
||||||
|
+
|
||||||
|
+ return exists
|
||||||
|
+
|
||||||
|
def __modify(self, name, sename="", serange=""):
|
||||||
|
rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
|
||||||
|
if sename == "" and serange == "":
|
||||||
|
@@ -824,12 +837,6 @@ class seluserRecords(semanageRecords):
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create a key for %s") % name)
|
||||||
|
|
||||||
|
- (rc, exists) = semanage_user_exists(self.sh, k)
|
||||||
|
- if rc < 0:
|
||||||
|
- raise ValueError(_("Could not check if SELinux user %s is defined") % name)
|
||||||
|
- if exists:
|
||||||
|
- raise ValueError(_("SELinux user %s is already defined") % name)
|
||||||
|
-
|
||||||
|
(rc, u) = semanage_user_create(self.sh)
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create SELinux user for %s") % name)
|
||||||
|
@@ -869,12 +876,28 @@ class seluserRecords(semanageRecords):
|
||||||
|
def add(self, name, roles, selevel, serange, prefix):
|
||||||
|
try:
|
||||||
|
self.begin()
|
||||||
|
- self.__add(name, roles, selevel, serange, prefix)
|
||||||
|
+ if self.__exists(name):
|
||||||
|
+ print(_("SELinux user %s is already defined, modifying instead") % name)
|
||||||
|
+ self.__modify(name, roles, selevel, serange, prefix)
|
||||||
|
+ else:
|
||||||
|
+ self.__add(name, roles, selevel, serange, prefix)
|
||||||
|
self.commit()
|
||||||
|
except ValueError as error:
|
||||||
|
self.mylog.commit(0)
|
||||||
|
raise error
|
||||||
|
|
||||||
|
+ def __exists(self, name):
|
||||||
|
+ (rc, k) = semanage_user_key_create(self.sh, name)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not create a key for %s") % name)
|
||||||
|
+
|
||||||
|
+ (rc, exists) = semanage_user_exists(self.sh, k)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not check if SELinux user %s is defined") % name)
|
||||||
|
+ semanage_user_key_free(k)
|
||||||
|
+
|
||||||
|
+ return exists
|
||||||
|
+
|
||||||
|
def __modify(self, name, roles=[], selevel="", serange="", prefix=""):
|
||||||
|
oldserole = ""
|
||||||
|
oldserange = ""
|
||||||
|
@@ -1102,12 +1125,6 @@ class portRecords(semanageRecords):
|
||||||
|
|
||||||
|
(k, proto_d, low, high) = self.__genkey(port, proto)
|
||||||
|
|
||||||
|
- (rc, exists) = semanage_port_exists(self.sh, k)
|
||||||
|
- if rc < 0:
|
||||||
|
- raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
|
||||||
|
- if exists:
|
||||||
|
- raise ValueError(_("Port %s/%s already defined") % (proto, port))
|
||||||
|
-
|
||||||
|
(rc, p) = semanage_port_create(self.sh)
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create port for %s/%s") % (proto, port))
|
||||||
|
@@ -1151,9 +1168,23 @@ class portRecords(semanageRecords):
|
||||||
|
|
||||||
|
def add(self, port, proto, serange, type):
|
||||||
|
self.begin()
|
||||||
|
- self.__add(port, proto, serange, type)
|
||||||
|
+ if self.__exists(port, proto):
|
||||||
|
+ print(_("Port {proto}/{port} already defined, modifying instead").format(proto=proto, port=port))
|
||||||
|
+ self.__modify(port, proto, serange, type)
|
||||||
|
+ else:
|
||||||
|
+ self.__add(port, proto, serange, type)
|
||||||
|
self.commit()
|
||||||
|
|
||||||
|
+ def __exists(self, port, proto):
|
||||||
|
+ (k, proto_d, low, high) = self.__genkey(port, proto)
|
||||||
|
+
|
||||||
|
+ (rc, exists) = semanage_port_exists(self.sh, k)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not check if port {proto}/{port} is defined").format(proto=proto, port=port))
|
||||||
|
+ semanage_port_key_free(k)
|
||||||
|
+
|
||||||
|
+ return exists
|
||||||
|
+
|
||||||
|
def __modify(self, port, proto, serange, setype):
|
||||||
|
if serange == "" and setype == "":
|
||||||
|
if is_mls_enabled == 1:
|
||||||
|
@@ -1376,12 +1407,6 @@ class ibpkeyRecords(semanageRecords):
|
||||||
|
|
||||||
|
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
|
||||||
|
|
||||||
|
- (rc, exists) = semanage_ibpkey_exists(self.sh, k)
|
||||||
|
- if rc < 0:
|
||||||
|
- raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey))
|
||||||
|
- if exists:
|
||||||
|
- raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey))
|
||||||
|
-
|
||||||
|
(rc, p) = semanage_ibpkey_create(self.sh)
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create ibpkey for %s/%s") % (subnet_prefix, pkey))
|
||||||
|
@@ -1423,9 +1448,23 @@ class ibpkeyRecords(semanageRecords):
|
||||||
|
|
||||||
|
def add(self, pkey, subnet_prefix, serange, type):
|
||||||
|
self.begin()
|
||||||
|
- self.__add(pkey, subnet_prefix, serange, type)
|
||||||
|
+ if self.__exists(pkey, subnet_prefix):
|
||||||
|
+ print(_("ibpkey {subnet_prefix}/{pkey} already defined, modifying instead").format(subnet_prefix=subnet_prefix, pkey=pkey))
|
||||||
|
+ self.__modify(pkey, subnet_prefix, serange, type)
|
||||||
|
+ else:
|
||||||
|
+ self.__add(pkey, subnet_prefix, serange, type)
|
||||||
|
self.commit()
|
||||||
|
|
||||||
|
+ def __exists(self, pkey, subnet_prefix):
|
||||||
|
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
|
||||||
|
+
|
||||||
|
+ (rc, exists) = semanage_ibpkey_exists(self.sh, k)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not check if ibpkey {subnet_prefix}/{pkey} is defined").formnat(subnet_prefix=subnet_prefix, pkey=pkey))
|
||||||
|
+ semanage_ibpkey_key_free(k)
|
||||||
|
+
|
||||||
|
+ return exists
|
||||||
|
+
|
||||||
|
def __modify(self, pkey, subnet_prefix, serange, setype):
|
||||||
|
if serange == "" and setype == "":
|
||||||
|
if is_mls_enabled == 1:
|
||||||
|
@@ -1630,12 +1669,6 @@ class ibendportRecords(semanageRecords):
|
||||||
|
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
|
||||||
|
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
|
||||||
|
|
||||||
|
- (rc, exists) = semanage_ibendport_exists(self.sh, k)
|
||||||
|
- if rc < 0:
|
||||||
|
- raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, port))
|
||||||
|
- if exists:
|
||||||
|
- raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port))
|
||||||
|
-
|
||||||
|
(rc, p) = semanage_ibendport_create(self.sh)
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port))
|
||||||
|
@@ -1677,9 +1710,23 @@ class ibendportRecords(semanageRecords):
|
||||||
|
|
||||||
|
def add(self, ibendport, ibdev_name, serange, type):
|
||||||
|
self.begin()
|
||||||
|
- self.__add(ibendport, ibdev_name, serange, type)
|
||||||
|
+ if self.__exists(ibendport, ibdev_name):
|
||||||
|
+ print(_("ibendport {ibdev_name}/{port} already defined, modifying instead").format(ibdev_name=ibdev_name, port=port))
|
||||||
|
+ self.__modify(ibendport, ibdev_name, serange, type)
|
||||||
|
+ else:
|
||||||
|
+ self.__add(ibendport, ibdev_name, serange, type)
|
||||||
|
self.commit()
|
||||||
|
|
||||||
|
+ def __exists(self, ibendport, ibdev_name):
|
||||||
|
+ (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
|
||||||
|
+
|
||||||
|
+ (rc, exists) = semanage_ibendport_exists(self.sh, k)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not check if ibendport {ibdev_name}/{port} is defined").format(ibdev_name=ibdev_name, port=port))
|
||||||
|
+ semanage_ibendport_key_free(k)
|
||||||
|
+
|
||||||
|
+ return exists
|
||||||
|
+
|
||||||
|
def __modify(self, ibendport, ibdev_name, serange, setype):
|
||||||
|
if serange == "" and setype == "":
|
||||||
|
if is_mls_enabled == 1:
|
||||||
|
@@ -1891,12 +1938,6 @@ class nodeRecords(semanageRecords):
|
||||||
|
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create key for %s") % addr)
|
||||||
|
- if rc < 0:
|
||||||
|
- raise ValueError(_("Could not check if addr %s is defined") % addr)
|
||||||
|
-
|
||||||
|
- (rc, exists) = semanage_node_exists(self.sh, k)
|
||||||
|
- if exists:
|
||||||
|
- raise ValueError(_("Addr %s already defined") % addr)
|
||||||
|
|
||||||
|
(rc, node) = semanage_node_create(self.sh)
|
||||||
|
if rc < 0:
|
||||||
|
@@ -1945,9 +1986,27 @@ class nodeRecords(semanageRecords):
|
||||||
|
|
||||||
|
def add(self, addr, mask, proto, serange, ctype):
|
||||||
|
self.begin()
|
||||||
|
- self.__add(addr, mask, proto, serange, ctype)
|
||||||
|
+ if self.__exists(addr, mask, proto):
|
||||||
|
+ print(_("Addr %s already defined, modifying instead") % addr)
|
||||||
|
+ self.__modify(addr, mask, proto, serange, ctype)
|
||||||
|
+ else:
|
||||||
|
+ self.__add(addr, mask, proto, serange, ctype)
|
||||||
|
self.commit()
|
||||||
|
|
||||||
|
+ def __exists(self, addr, mask, proto):
|
||||||
|
+ addr, mask, proto = self.validate(addr, mask, proto)
|
||||||
|
+
|
||||||
|
+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not create key for %s") % addr)
|
||||||
|
+
|
||||||
|
+ (rc, exists) = semanage_node_exists(self.sh, k)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not check if addr %s is defined") % addr)
|
||||||
|
+ semanage_node_key_free(k)
|
||||||
|
+
|
||||||
|
+ return exists
|
||||||
|
+
|
||||||
|
def __modify(self, addr, mask, proto, serange, setype):
|
||||||
|
addr, mask, proto = self.validate(addr, mask, proto)
|
||||||
|
|
||||||
|
@@ -2102,12 +2161,6 @@ class interfaceRecords(semanageRecords):
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create key for %s") % interface)
|
||||||
|
|
||||||
|
- (rc, exists) = semanage_iface_exists(self.sh, k)
|
||||||
|
- if rc < 0:
|
||||||
|
- raise ValueError(_("Could not check if interface %s is defined") % interface)
|
||||||
|
- if exists:
|
||||||
|
- raise ValueError(_("Interface %s already defined") % interface)
|
||||||
|
-
|
||||||
|
(rc, iface) = semanage_iface_create(self.sh)
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create interface for %s") % interface)
|
||||||
|
@@ -2154,9 +2207,25 @@ class interfaceRecords(semanageRecords):
|
||||||
|
|
||||||
|
def add(self, interface, serange, ctype):
|
||||||
|
self.begin()
|
||||||
|
- self.__add(interface, serange, ctype)
|
||||||
|
+ if self.__exists(interface):
|
||||||
|
+ print(_("Interface %s already defined, modifying instead") % interface)
|
||||||
|
+ self.__modify(interface, serange, ctype)
|
||||||
|
+ else:
|
||||||
|
+ self.__add(interface, serange, ctype)
|
||||||
|
self.commit()
|
||||||
|
|
||||||
|
+ def __exists(self, interface):
|
||||||
|
+ (rc, k) = semanage_iface_key_create(self.sh, interface)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not create key for %s") % interface)
|
||||||
|
+
|
||||||
|
+ (rc, exists) = semanage_iface_exists(self.sh, k)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not check if interface %s is defined") % interface)
|
||||||
|
+ semanage_iface_key_free(k)
|
||||||
|
+
|
||||||
|
+ return exists
|
||||||
|
+
|
||||||
|
def __modify(self, interface, serange, setype):
|
||||||
|
if serange == "" and setype == "":
|
||||||
|
raise ValueError(_("Requires setype or serange"))
|
||||||
|
@@ -2344,7 +2413,13 @@ class fcontextRecords(semanageRecords):
|
||||||
|
raise ValueError(_("Substitute %s is not valid. Substitute is not allowed to end with '/'") % substitute)
|
||||||
|
|
||||||
|
if target in self.equiv.keys():
|
||||||
|
- raise ValueError(_("Equivalence class for %s already exists") % target)
|
||||||
|
+ print(_("Equivalence class for %s already exists, modifying instead") % target)
|
||||||
|
+ self.equiv[target] = substitute
|
||||||
|
+ self.equal_ind = True
|
||||||
|
+ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
|
||||||
|
+ self.commit()
|
||||||
|
+ return
|
||||||
|
+
|
||||||
|
self.validate(target)
|
||||||
|
|
||||||
|
for fdict in (self.equiv, self.equiv_dist):
|
||||||
|
@@ -2420,18 +2495,6 @@ class fcontextRecords(semanageRecords):
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create key for %s") % target)
|
||||||
|
|
||||||
|
- (rc, exists) = semanage_fcontext_exists(self.sh, k)
|
||||||
|
- if rc < 0:
|
||||||
|
- raise ValueError(_("Could not check if file context for %s is defined") % target)
|
||||||
|
-
|
||||||
|
- if not exists:
|
||||||
|
- (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
|
||||||
|
- if rc < 0:
|
||||||
|
- raise ValueError(_("Could not check if file context for %s is defined") % target)
|
||||||
|
-
|
||||||
|
- if exists:
|
||||||
|
- raise ValueError(_("File context for %s already defined") % target)
|
||||||
|
-
|
||||||
|
(rc, fcontext) = semanage_fcontext_create(self.sh)
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create file context for %s") % target)
|
||||||
|
@@ -2470,9 +2533,30 @@ class fcontextRecords(semanageRecords):
|
||||||
|
|
||||||
|
def add(self, target, type, ftype="", serange="", seuser="system_u"):
|
||||||
|
self.begin()
|
||||||
|
- self.__add(target, type, ftype, serange, seuser)
|
||||||
|
+ if self.__exists(target, ftype):
|
||||||
|
+ print(_("File context for %s already defined, modifying instead") % target)
|
||||||
|
+ self.__modify(target, type, ftype, serange, seuser)
|
||||||
|
+ else:
|
||||||
|
+ self.__add(target, type, ftype, serange, seuser)
|
||||||
|
self.commit()
|
||||||
|
|
||||||
|
+ def __exists(self, target, ftype):
|
||||||
|
+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not create key for %s") % target)
|
||||||
|
+
|
||||||
|
+ (rc, exists) = semanage_fcontext_exists(self.sh, k)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
|
||||||
|
+
|
||||||
|
+ if not exists:
|
||||||
|
+ (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
|
||||||
|
+ semanage_fcontext_key_free(k)
|
||||||
|
+
|
||||||
|
+ return exists
|
||||||
|
+
|
||||||
|
def __modify(self, target, setype, ftype, serange, seuser):
|
||||||
|
if serange == "" and setype == "" and seuser == "":
|
||||||
|
raise ValueError(_("Requires setype, serange or seuser"))
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
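Review bot: In `ibendportRecords.add` the new "already defined" message calls `.format(ibdev_name=ibdev_name, port=port)`, but `port` is neither a parameter nor a local of `add(self, ibendport, ibdev_name, serange, type)`. Unless a module-level `port` exists outside this patch, the modify-instead path raises NameError after `begin()` and before `__modify()` is reached; `port=ibendport` looks like what was intended. `ibpkeyRecords.__exists` has a similar slip on its error path: `.formnat(` should be `.format(`, otherwise a failed `semanage_ibpkey_exists` surfaces as AttributeError instead of the intended ValueError. In each new `__exists` helper the `raise` on `rc < 0` also comes before the `semanage_*_key_free(k)` call, so the key appears not to be freed on that path; calling the free right after the `*_exists` call and before the `rc` check would cover both outcomes.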
|
@ -0,0 +1,57 @@
|
||||||
|
How to update source files on weblate:
|
||||||
|
$ git clone git@github.com:fedora-selinux/selinux.git
|
||||||
|
$ cd selinux
|
||||||
|
# generate new potfiles
|
||||||
|
$ for p in policycoreutils python gui sandbox; do
|
||||||
|
cd $p/po
|
||||||
|
rm $p.pot
|
||||||
|
make $p.pot
|
||||||
|
sed -i 's/charset=CHARSET/charset=UTF-8/g' $p.pot
|
||||||
|
cd -
|
||||||
|
done
|
||||||
|
# https://translate.fedoraproject.org/projects/selinux/policycoreutils/en/
|
||||||
|
# Files -> Upload translations
|
||||||
|
# Repeat the process for python, gui and sandbox
|
||||||
|
# or use weblate command line tool (get your API key at https://translate.fedoraproject.org/accounts/profile/#api):
|
||||||
|
$ for p in policycoreutils python gui sandbox; do
|
||||||
|
wlc --key <API key> --url https://translate.fedoraproject.org/api/ upload --input $p/po/$p.pot selinux/rhel8$p/en --method=source
|
||||||
|
done
|
||||||
|
|
||||||
|
How to pull new translations from weblate
|
||||||
|
$ git clone git@github.com:fedora-selinux/selinux.git
|
||||||
|
# https://translate.fedoraproject.org/projects/selinux/policycoreutils
|
||||||
|
# Files -> Download translation files as ZIP file (save in selinux source directory)
|
||||||
|
# Repeat the process for python, gui and sandbox
|
||||||
|
# or use weblate command line tool
|
||||||
|
$ for p in policycoreutils python gui sandbox; do
|
||||||
|
wlc --key <API key> --url https://translate.fedoraproject.org/api/ download selinux/rhel8$p --output selinux
|
||||||
|
done
|
||||||
|
# unzip archives
|
||||||
|
$ cd selinux
|
||||||
|
$ for p in policycoreutils python gui sandbox; do
|
||||||
|
unzip -o selinux-rhel8$p.zip -d ..
|
||||||
|
mv rhel8$p/selinux/$p/po/*.po $p/po/
|
||||||
|
rm -rf selinux-rhel8$p.zip rhel8$p
|
||||||
|
done
|
||||||
|
$ git add .
|
||||||
|
$ git commit
|
||||||
|
|
||||||
|
How to update translations in *-po.tgz files
|
||||||
|
$ rhpkg clone policycoreutils; cd policycoreutils
|
||||||
|
$ mkdir weblate; cd weblate
|
||||||
|
$ for p in policycoreutils python gui sandbox; do
|
||||||
|
wlc --key <API key> --url https://translate.fedoraproject.org/api/ download selinux/rhel8$p --output .
|
||||||
|
unzip -o selinux-rhel8$p.zip
|
||||||
|
mv selinux/rhel8$p/selinux/$p .
|
||||||
|
rm -rf selinux-rhel8$p.zip selinux
|
||||||
|
cd $p
|
||||||
|
tar -c -f ../$p-po.tgz -z .
|
||||||
|
cd -
|
||||||
|
done
|
||||||
|
# upload new sources
|
||||||
|
$ cp *.tgz ..
|
||||||
|
$ cd ..
|
||||||
|
$ cat sources | head -n -4 > sources
|
||||||
|
$ for p in gui policycoreutils python sandbox; do
|
||||||
|
rhpkg upload $p-po.tgz
|
||||||
|
done
|
|
@ -0,0 +1,7 @@
|
||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- rhel-8
|
||||||
|
decision_context: osci_compose_gate
|
||||||
|
rules:
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
|
@ -0,0 +1,40 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
POLICYCOREUTILS_VERSION=2.4
|
||||||
|
SEPOLGEN_VERSION=1.2.2
|
||||||
|
BRANCH=master
|
||||||
|
|
||||||
|
REBASEDIR=`mktemp -d rebase.XXXXXX`
|
||||||
|
pushd $REBASEDIR
|
||||||
|
|
||||||
|
git clone git@github.com:fedora-selinux/selinux.git
|
||||||
|
pushd selinux; git checkout $BRANCH; COMMIT=`git rev-parse --verify HEAD`; popd
|
||||||
|
|
||||||
|
# prepare policycoreutils-rhat.patch
|
||||||
|
tar xfz ../policycoreutils-$POLICYCOREUTILS_VERSION.tar.gz
|
||||||
|
pushd policycoreutils-$POLICYCOREUTILS_VERSION
|
||||||
|
|
||||||
|
git init; git add .; git commit -m "init"
|
||||||
|
cp -r ../selinux/policycoreutils/* .
|
||||||
|
git add -A .
|
||||||
|
|
||||||
|
git diff --cached --src-prefix=a/policycoreutils-$POLICYCOREUTILS_VERSION/ --dst-prefix=b/policycoreutils-$POLICYCOREUTILS_VERSION/ > ../../policycoreutils-rhat.patch
|
||||||
|
|
||||||
|
popd
|
||||||
|
|
||||||
|
#prepare sepolgen-rhat.patch
|
||||||
|
tar xfz ../sepolgen-$SEPOLGEN_VERSION.tar.gz
|
||||||
|
pushd sepolgen-$SEPOLGEN_VERSION
|
||||||
|
|
||||||
|
git init; git add .; git commit -m "init"
|
||||||
|
cp -r ../selinux/sepolgen/* .
|
||||||
|
git add -A .
|
||||||
|
|
||||||
|
git diff --cached --src-prefix=a/sepolgen-$SEPOLGEN_VERSION/ --dst-prefix=b/sepolgen-$SEPOLGEN_VERSION/ > ../../sepolgen-rhat.patch
|
||||||
|
|
||||||
|
popd
|
||||||
|
|
||||||
|
popd
|
||||||
|
# echo rm -rf $REBASEDIR
|
||||||
|
|
||||||
|
echo policycoreutils-rhat.patch and sepolgen-rhat.patch created from https://github.com/fedora-selinux/selinux/commit/$COMMIT
|
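Review bot: The script has no error handling, so a failed `git clone`, `tar xfz` or `pushd` does not stop it, and the following `git init; git add .; git commit -m "init"` and `cp -r` then run in whatever directory happens to be current. Adding `set -e` after the shebang and quoting the temporary directory (`pushd "$REBASEDIR"`) would make a failed step abort instead of generating a patch from the wrong tree. `POLICYCOREUTILS_VERSION=2.4` and `SEPOLGEN_VERSION=1.2.2` also do not match the 2.9 sources listed elsewhere in this comparison, so `tar xfz ../policycoreutils-$POLICYCOREUTILS_VERSION.tar.gz` would presumably fail as written. A header comment saying the versions must be updated before use would make that explicit.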
|
@ -12,7 +12,7 @@
|
||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.9
|
Version: 2.9
|
||||||
Release: 25%{?dist}
|
Release: 26%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
|
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
|
||||||
|
@ -92,6 +92,8 @@ Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch
|
||||||
Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch
|
Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch
|
||||||
Patch0053: 0053-python-Harden-more-tools-against-rogue-modules.patch
|
Patch0053: 0053-python-Harden-more-tools-against-rogue-modules.patch
|
||||||
Patch0054: 0054-sepolicy-port-to-dnf4-python-API.patch
|
Patch0054: 0054-sepolicy-port-to-dnf4-python-API.patch
|
||||||
|
Patch0056: 0055-python-semanage-Do-not-sort-local-fcontext-definitio.patch
|
||||||
|
Patch0057: 0056-python-semanage-Allow-modifying-records-on-add.patch
|
||||||
|
|
||||||
Obsoletes: policycoreutils < 2.0.61-2
|
Obsoletes: policycoreutils < 2.0.61-2
|
||||||
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
|
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
|
||||||
|
@ -531,6 +533,10 @@ The policycoreutils-restorecond package contains the restorecond service.
|
||||||
%systemd_postun_with_restart restorecond.service
|
%systemd_postun_with_restart restorecond.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 06 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-26
|
||||||
|
- python/semanage: Allow modifying records on "add" (RHEL-28167)
|
||||||
|
- python/semanage: Do not sort local fcontext definitions (RHEL-24461)
|
||||||
|
|
||||||
* Tue Feb 06 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-25
|
* Tue Feb 06 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-25
|
||||||
- Harden more tools against "rogue" modules (RHEL-17351)
|
- Harden more tools against "rogue" modules (RHEL-17351)
|
||||||
- sepolicy: port to dnf4 python API (RHEL-17398)
|
- sepolicy: port to dnf4 python API (RHEL-17398)
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,11 @@
|
||||||
|
SHA512 (policycoreutils-2.9.tar.gz) = d8356115671ba66de05f1c13193ab47fab69cc4d09603a92171ed40afafc084dd191591bf336b7d722de637378ad09622ebb6eca85c06063ca9ddd6db10e02a2
|
||||||
|
SHA512 (restorecond-2.9.tar.gz) = 6de9dd4c6b8e5d8275221aba5df27437998f635cfe83a5da75de479e260ceea884a36253eb873a8d71e1a77ed67544d8657fb75fe409af1f630052ce73ec5d8a
|
||||||
|
SHA512 (selinux-dbus-2.9.tar.gz) = f7a9ab2975eb97ff389a78ddaa2fcf3cd1c5fe590abdbe6aa0aa0c3f0c3a96cc0f34ce54b14e0348b46c1de9257ebe5288e16d585c96a9d8149d969788af359e
|
||||||
|
SHA512 (selinux-gui-2.9.tar.gz) = b6e1847c9f2668670cbe9c2fc65e18001eb03e1d73af049ad6520af486950cf657885a9fb71ad9679c0060fb3ee7dd166d4354e863ad517a9f3aee93587ea57e
|
||||||
|
SHA512 (selinux-python-2.9.tar.gz) = 1138661128635004fec04dc5e39f035680b5f21beb1b79f3328690a1b93a3984d522a02724af793340112a5e647d363dda8a7d3536de959b34ffd69aa396254d
|
||||||
|
SHA512 (selinux-sandbox-2.9.tar.gz) = 429994f6140d7ba03b023681d04b365af837e23c5d64e998f849febe08872549bffc0bc490717d6f500332845ec849483ba0d3dfffa77e02b6a2cd2f631c9f1f
|
||||||
|
SHA512 (semodule-utils-2.9.tar.gz) = 688f1fcb34042b837019302debda76847691657709130b99bf937a85774a0ae69d789ee82b0633a4d2dc661dc6d0a1706a878ac681317df2abe68418bec3f952
|
||||||
|
SHA512 (gui-po.tgz) = a1e70afd3113fdab9339231fcb1bf64128aec03063026f4c6e721a29e6e5cc7cf35493bf4e60236b239e1602ad1061a763dfb50e5d285eee40c3f817d21c9920
|
||||||
|
SHA512 (policycoreutils-po.tgz) = 1cd58a3462f11082a858d4460d3a6d4cfa25c345f5d5657ba5274a11194310c3b45ed051ac9461c1d1710f54513ee8bd6643f788b97c9c5d71e66ed7a018d5d1
|
||||||
|
SHA512 (python-po.tgz) = 01ce85e8ac163cd7c47c869cbcf57997a007a3227b33d9954c4e346fbf72eb581d6d964cfcce498c6fa7e48466e63692edc41812f7aeb813243fc385567a0c08
|
||||||
|
SHA512 (sandbox-po.tgz) = 34726bde3f244720d2158a4d743c458d556463aebb82326a27fb136d6b330aba560f1de601390b2e1fb8b998170f62b1957f95195273ce99afa2a9bc3bbe5aaf
|
Binary file not shown.
After Width: | Height: | Size: 1.4 KiB |
|
@ -0,0 +1,64 @@
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
|
||||||
|
# Description: What the test does
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: What the test does" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHEL6 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
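Review bot: The `.PHONY` line lists `all install download clean`, but the targets this Makefile defines itself are `run` and `build`, so make would treat a stray file with one of those names as an up-to-date target unless the included `rhts-make.include` already declares them phony. I would write `.PHONY: all install download clean run build`. The same `.PHONY` line appears in the selinux-ansible-playbook, load_policy and restorecon Makefiles added in this comparison. In this file the header comment and the `Description:` metadata line still carry the template text `What the test does`; the question from the PURPOSE file about managing CIL modules without compilation would serve as the description.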
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
PURPOSE of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
||||||
|
Is it possible to manage policy modules written in CIL without any compilation? Does semanage and semodule understand them?
|
||||||
|
|
|
@ -0,0 +1,73 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
|
||||||
|
# Description: What the test does
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="policycoreutils"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlRun "echo '()' > empty.cil"
|
||||||
|
rlRun "echo '(())' > invalid.cil"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "empty CIL module"
|
||||||
|
rlRun "semodule -lfull | grep '400.*empty.*cil'" 1
|
||||||
|
rlRun "semodule -i empty.cil"
|
||||||
|
rlRun "semodule -lfull | grep '400.*empty.*cil'"
|
||||||
|
rlRun "semodule -r empty"
|
||||||
|
rlRun "semodule -lfull | grep '400.*empty.*cil'" 1
|
||||||
|
rlRun "semanage module -l | grep 'empty.*400.*cil'" 1
|
||||||
|
rlRun "semanage module -a empty.cil"
|
||||||
|
rlRun "semanage module -l | grep 'empty.*400.*cil'"
|
||||||
|
rlRun "semanage module -r empty"
|
||||||
|
rlRun "semanage module -l | grep 'empty.*400.*cil'" 1
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "invalid CIL module"
|
||||||
|
rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
|
||||||
|
rlRun "semodule -i invalid.cil" 1
|
||||||
|
rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
|
||||||
|
rlRun "semodule -r invalid" 1
|
||||||
|
rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
|
||||||
|
rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
|
||||||
|
rlRun "semanage module -a invalid.cil" 1
|
||||||
|
rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
|
||||||
|
rlRun "semanage module -r invalid" 1
|
||||||
|
rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "rm -f empty.cil invalid.cil"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
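Review bot: The cleanup phase removes only `empty.cil` and `invalid.cil`, so the `empty` module is taken out of the policy store only by the test steps themselves. If `semodule -r empty` or `semanage module -r empty` fails, or the run is interrupted between install and remove, the module stays installed on the test machine. I would add `rlRun "semodule -r empty" 0,1` to `rlPhaseStartCleanup`; the test itself expects status 1 when removing a module that is not installed. The two `.cil` files are also written to whatever directory the test is started in, and creating them in a `mktemp -d` directory would avoid that.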
|
||||||
|
|
|
@ -0,0 +1,63 @@
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of selinux-ansible-playbook
|
||||||
|
# Description: Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests
|
||||||
|
# Author: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2018 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=linux-system-roles.selinux-tests
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Petr Lautrbach <plautrba@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 10m" >> $(METADATA)
|
||||||
|
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: policycoreutils ansible git" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
PURPOSE of selinux-ansible-playbook
|
||||||
|
Author: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
|
||||||
|
Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests
|
|
@ -0,0 +1,57 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Description: Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests
|
||||||
|
# Author: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2018 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="policycoreutils"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlAssertRpm "git"
|
||||||
|
rlAssertRpm "ansible"
|
||||||
|
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "git clone https://github.com/linux-system-roles/selinux.git"
|
||||||
|
rlRun "cd selinux/test"
|
||||||
|
|
||||||
|
for ansible_test in test_*.yml; do
|
||||||
|
rlRun "ansible-playbook -i localhost, -c local -v $ansible_test"
|
||||||
|
done
|
||||||
|
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "cd ../../"
|
||||||
|
rlRun "rm -rf selinux"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
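Review bot: `git clone https://github.com/linux-system-roles/selinux.git` fetches whatever the default branch holds at run time, and the loop then runs every `test_*.yml` from it with `ansible-playbook -c local` on the test host, so the executed content is not pinned to anything reviewed with this package. I would check out a fixed commit or tag right after cloning. The paths are also relative: if the clone or `cd selinux/test` fails, cleanup still runs `cd ../../` and `rm -rf selinux` two directory levels above where the test started, and `$ansible_test` is expanded unquoted inside the command string. Working in a `mktemp -d` directory with `pushd`/`popd` removes that risk; the commit id in the sketch below is a placeholder to be replaced with a reviewed one.

```shell
ROLE_COMMIT="PINNED_COMMIT_PLACEHOLDER"  # placeholder: set to the reviewed commit or tag

rlPhaseStartSetup
    # … unchanged: rlAssertRpm checks …
    rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
    rlRun "pushd $TmpDir"
rlPhaseEnd

rlPhaseStartTest
    rlRun "git clone https://github.com/linux-system-roles/selinux.git"
    rlRun "git -C selinux checkout $ROLE_COMMIT"
    rlRun "pushd selinux/test"
    for ansible_test in test_*.yml; do
        rlRun "ansible-playbook -i localhost, -c local -v '$ansible_test'"
    done
    rlRun "popd"
rlPhaseEnd

rlPhaseStartCleanup
    rlRun "popd"
    rlRun "rm -rf $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
```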
|
||||||
|
|
|
@ -0,0 +1,64 @@
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/policycoreutils/Sanity/load_policy
|
||||||
|
# Description: Does load_policy work as expected? Does it produce correct audit messages?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/policycoreutils/Sanity/load_policy
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Does load_policy work as expected? Does it produce correct audit messages?" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: audit policycoreutils selinux-policy-targeted" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
PURPOSE of /CoreOS/policycoreutils/Sanity/load_policy
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
||||||
|
Does load_policy work as expected? Does it produce correct audit messages?
|
||||||
|
|
|
@ -0,0 +1,79 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/policycoreutils/Sanity/load_policy
|
||||||
|
# Description: Does load_policy work as expected? Does it produce correct audit messages?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="policycoreutils"
|
||||||
|
if rlIsRHEL 6 ; then
|
||||||
|
SELINUX_FS_MOUNT="/selinux"
|
||||||
|
else # RHEL-7 and above
|
||||||
|
SELINUX_FS_MOUNT="/sys/fs/selinux"
|
||||||
|
fi
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
rlRun "ls -l `which load_policy`"
|
||||||
|
BINARY_POLICY=`find /etc/selinux/targeted -type f -name policy.?? | sort -n | tail -n 1`
|
||||||
|
rlRun "ls -l ${BINARY_POLICY}"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "load_policy --xyz 2>&1 | grep \"invalid option\""
|
||||||
|
rlRun "dmesg | grep -i selinux" 0,1
|
||||||
|
rlRun "grep -i selinux /proc/mounts"
|
||||||
|
START_DATE_TIME=`date "+%m/%d/%Y %T"`
|
||||||
|
sleep 1
|
||||||
|
rlRun "load_policy -q"
|
||||||
|
rlRun "grep -i selinux /proc/mounts"
|
||||||
|
sleep 1
|
||||||
|
if rlIsRHEL ; then
|
||||||
|
rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep load_policy"
|
||||||
|
fi
|
||||||
|
rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep 'policy loaded'"
|
||||||
|
rlRun "umount ${SELINUX_FS_MOUNT}"
|
||||||
|
rlRun "grep -i selinux /proc/mounts" 1
|
||||||
|
START_DATE_TIME=`date "+%m/%d/%Y %T"`
|
||||||
|
sleep 1
|
||||||
|
rlRun "load_policy -i ${BINARY_POLICY}"
|
||||||
|
rlRun "grep -i selinux /proc/mounts"
|
||||||
|
sleep 1
|
||||||
|
if rlIsRHEL ; then
|
||||||
|
rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep load_policy"
|
||||||
|
fi
|
||||||
|
rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep 'policy loaded'"
|
||||||
|
rlRun "dmesg | grep -i selinux"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
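Review bot: `rlPhaseStartCleanup` is empty although the test runs `umount ${SELINUX_FS_MOUNT}` and relies on the following `load_policy -i ${BINARY_POLICY}` to bring selinuxfs back. If that step fails, the host is left without selinuxfs mounted, which sits uneasily with the `Destructive: no` metadata in the Makefile. I would restore the mount in cleanup, for example `rlRun "grep -q selinuxfs /proc/mounts || mount -t selinuxfs selinuxfs ${SELINUX_FS_MOUNT}"`. Separately, `-name policy.??` in the `find` call is unquoted, so the shell may expand it against the current directory before `find` sees it; `-name 'policy.??'` avoids that.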
|
||||||
|
|
|
@ -0,0 +1,70 @@
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/policycoreutils/Sanity/restorecon
|
||||||
|
# Description: does restorecon work correctly ?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/policycoreutils/Sanity/restorecon
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE testpolicy.te testpolicy.fc
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
chmod a+x runtest.sh
|
||||||
|
chcon -t bin_t runtest.sh;:
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: does restorecon work correctly ?" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 15m" >> $(METADATA)
|
||||||
|
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: grep" >> $(METADATA)
|
||||||
|
@echo "Requires: e2fsprogs" >> $(METADATA)
|
||||||
|
@echo "Requires: libselinux" >> $(METADATA)
|
||||||
|
@echo "Requires: selinux-policy-devel" >> $(METADATA)
|
||||||
|
@echo "Requires: libselinux-utils" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
PURPOSE of /CoreOS/policycoreutils/Sanity/restorecon
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
||||||
|
Does restorecon work correctly?
|
||||||
|
|
|
@ -0,0 +1,367 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/policycoreutils/Sanity/restorecon
|
||||||
|
# Description: does restorecon work correctly ?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include rhts environment
|
||||||
|
. /usr/bin/rhts-environment.sh
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh
|
||||||
|
|
||||||
|
PACKAGE="policycoreutils"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
rlServiceStop mcstrans mcstransd
|
||||||
|
rlRun "rpm -qf `which restorecon` | grep ${PACKAGE}"
|
||||||
|
rlRun "setenforce 1"
|
||||||
|
rlRun "sestatus"
|
||||||
|
rlRun "setsebool allow_domain_fd_use on"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Functional test"
|
||||||
|
|
||||||
|
TESTDIR="/opt/restorecon_testdir"
|
||||||
|
DIRS="correct.dir incorrect1.dir incorrect2.dir customizable.dir"
|
||||||
|
FILES="correct.file incorrect.file customizable.file"
|
||||||
|
|
||||||
|
rlRun "make -f /usr/share/selinux/devel/Makefile"
|
||||||
|
rlRun "semodule -i testpolicy.pp"
|
||||||
|
|
||||||
|
rlFileBackup /etc/selinux/targeted/contexts/customizable_types
|
||||||
|
rlRun "echo 'customizable_t' >> /etc/selinux/targeted/contexts/customizable_types"
|
||||||
|
|
||||||
|
# Here is the testing dirs and files structure
|
||||||
|
# all the files have initial context corresponding to their names
|
||||||
|
|
||||||
|
# ./
|
||||||
|
# correct.file
|
||||||
|
# incorrect.file
|
||||||
|
# customizable.file
|
||||||
|
|
||||||
|
# correct.dir/
|
||||||
|
# correct.file
|
||||||
|
# incorrect.file
|
||||||
|
# customizable.file
|
||||||
|
|
||||||
|
# incorrect1.dir/
|
||||||
|
# correct.file
|
||||||
|
# incorrect.file
|
||||||
|
# customizable.file
|
||||||
|
|
||||||
|
# incorrect2.dir/
|
||||||
|
# correct.file
|
||||||
|
# incorrect.file
|
||||||
|
# customizable.file
|
||||||
|
|
||||||
|
# customizable.dir/
|
||||||
|
# correct.file
|
||||||
|
# incorrect.file
|
||||||
|
# customizable.file
|
||||||
|
|
||||||
|
# Function to set initial contexts
|
||||||
|
function set_contexts {
|
||||||
|
# Set the intended contexts
|
||||||
|
rlLog "Setting initial contexts of testing dirs..."
|
||||||
|
restorecon -R $TESTDIR
|
||||||
|
for ITEM in `find . -name 'incorrect*'`; do
|
||||||
|
chcon -t incorrect_t $ITEM
|
||||||
|
done
|
||||||
|
for ITEM in `find . -name 'customizable*'`; do
|
||||||
|
chcon -t customizable_t $ITEM
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check that files in dir $1 have the initial contexts
|
||||||
|
function check_initial_contexts {
|
||||||
|
if echo $1 | grep -q 'incorrect.dir'; then
|
||||||
|
rlRun "ls -ladZ $1 | grep :incorrect_t"
|
||||||
|
elif echo $1 | grep -q 'correct.dir'; then
|
||||||
|
rlRun "ls -ladZ $1 | grep :correct_t"
|
||||||
|
elif echo $1 | grep -q 'customizable.dir'; then
|
||||||
|
rlRun "ls -ladZ $1 | grep :customizable_t"
|
||||||
|
fi
|
||||||
|
rlRun "ls -ladZ $1/* | grep '\<correct.file' | grep ':correct_t'"
|
||||||
|
rlRun "ls -ladZ $1/* | grep '\<incorrect.file' | grep ':incorrect_t'"
|
||||||
|
rlRun "ls -ladZ $1/* | grep '\<customizable.file' | grep ':customizable_t'"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Check that files matching with $2 in dir $1 have context $3
|
||||||
|
function check_contexts {
|
||||||
|
COMMAND="find $1 -name '$2'"
|
||||||
|
for ITEM in `eval $COMMAND`; do
|
||||||
|
rlRun "ls -ladZ $ITEM | grep :$3";
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
# Create the testing dirs and files
|
||||||
|
rlRun "mkdir -p $TESTDIR"
|
||||||
|
rlRun "pushd $TESTDIR"
|
||||||
|
rlRun "mkdir $DIRS"
|
||||||
|
rlRun "touch $FILES"
|
||||||
|
for DIR in $DIRS; do
|
||||||
|
rlRun "pushd $DIR"
|
||||||
|
rlRun "touch $FILES"
|
||||||
|
rlRun "popd"
|
||||||
|
done
|
||||||
|
|
||||||
|
set_contexts
|
||||||
|
|
||||||
|
echo
|
||||||
|
rlLog "Checking initial contexts of testing dirs..."
|
||||||
|
# Check the contexts are set properly
|
||||||
|
check_initial_contexts '.'
|
||||||
|
check_initial_contexts 'incorrect1.dir'
|
||||||
|
check_initial_contexts 'incorrect2.dir'
|
||||||
|
check_initial_contexts 'correct.dir'
|
||||||
|
check_initial_contexts 'customizable.dir'
|
||||||
|
check_contexts '.' 'incorrect*' 'incorrect_t'
|
||||||
|
check_contexts '.' 'correct*' 'correct_t'
|
||||||
|
check_contexts '.' 'customizable*' 'customizable_t'
|
||||||
|
|
||||||
|
# -e directory
|
||||||
|
# exclude a directory (repeat the option to exclude more than one directory).
|
||||||
|
|
||||||
|
echo
|
||||||
|
rlLog "-e directory"
|
||||||
|
set_contexts
|
||||||
|
rlRun "restorecon -RF -e $TESTDIR/incorrect2.dir $TESTDIR"
|
||||||
|
for ITEM in `ls *.file`; do rlRun "ls -ladZ $ITEM | grep correct_t"; done
|
||||||
|
check_contexts 'incorrect1.dir' '*' 'correct_t'
|
||||||
|
check_contexts 'customizable.dir' '*' 'correct_t'
|
||||||
|
check_initial_contexts 'incorrect2.dir'
|
||||||
|
rlRun "ls -ladZ incorrect2.dir | grep incorrect_t"
|
||||||
|
|
||||||
|
# -f infilename
|
||||||
|
# infilename contains a list of files to be processed. Use - for stdin.
|
||||||
|
|
||||||
|
echo
|
||||||
|
rlLog "-f filename"
|
||||||
|
set_contexts
|
||||||
|
rlRun "cat > ../file_list <<EOF
|
||||||
|
./customizable.file
|
||||||
|
./customizable.dir
|
||||||
|
./correct.dir/customizable.file
|
||||||
|
./incorrect1.dir/customizable.file
|
||||||
|
./incorrect2.dir/customizable.file
|
||||||
|
./customizable.dir/customizable.file
|
||||||
|
EOF"
|
||||||
|
if rlIsRHEL 5; then chcon -t file_t ../file_list ;fi
|
||||||
|
rlRun "restorecon -F -f ../file_list"
|
||||||
|
check_contexts '.' 'incorrect*' 'incorrect_t'
|
||||||
|
check_contexts '.' 'correct*' 'correct_t'
|
||||||
|
check_contexts '.' 'customizable*' 'correct_t'
|
||||||
|
rlRun "rm -f ../file_list"
|
||||||
|
|
||||||
|
|
||||||
|
echo
|
||||||
|
rlLog "-f - Input from stdin"
|
||||||
|
set_contexts
|
||||||
|
rlRun "echo -e 'incorrect2.dir\ncustomizable.file\nincorrect.file' | restorecon -f -"
|
||||||
|
check_initial_contexts 'incorrect1.dir'
|
||||||
|
check_initial_contexts 'correct.dir'
|
||||||
|
check_initial_contexts 'customizable.dir'
|
||||||
|
check_contexts 'incorrect2' '*' 'correct_t'
|
||||||
|
rlRun "ls -ladZ customizable.file | grep customizable_t"
|
||||||
|
rlRun "ls -ladZ incorrect.file | grep :correct_t"
|
||||||
|
|
||||||
|
# -F Force reset of context to match file_context for customizable files, and
|
||||||
|
# the default file context, changing the user, role, range portion as well
|
||||||
|
# as the type.
|
||||||
|
|
||||||
|
echo
|
||||||
|
rlLog "-F Force reset of customizable types"
|
||||||
|
set_contexts
|
||||||
|
rlRun "restorecon -RF $TESTDIR"
|
||||||
|
check_contexts '.' '*' 'correct_t'
|
||||||
|
|
||||||
|
# This feature is from RHEL6 further
|
||||||
|
if ! rlIsRHEL; then
|
||||||
|
echo
|
||||||
|
rlLog "-F Force reset of the whole context"
|
||||||
|
set_contexts
|
||||||
|
chcon -u staff_u *.file
|
||||||
|
rlRun "ls -laZ correct.file | grep staff_u"
|
||||||
|
rlRun "ls -laZ incorrect.file | grep staff_u"
|
||||||
|
rlRun "ls -laZ customizable.file | grep staff_u"
|
||||||
|
rlRun "restorecon -R $TESTDIR"
|
||||||
|
rlRun "ls -laZ correct.file | grep staff_u"
|
||||||
|
rlRun "ls -laZ incorrect.file | grep staff_u"
|
||||||
|
rlRun "ls -laZ customizable.file | grep staff_u"
|
||||||
|
rlRun "restorecon -RF $TESTDIR"
|
||||||
|
rlRun "ls -laZ correct.file | grep system_u"
|
||||||
|
rlRun "ls -laZ incorrect.file | grep system_u"
|
||||||
|
rlRun "ls -laZ customizable.file | grep system_u"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# -i ignore files that do not exist.
|
||||||
|
|
||||||
|
rlRun "restorecon non-existent-file" 1-255
|
||||||
|
rlRun "restorecon -i non-existent-file"
|
||||||
|
|
||||||
|
# -n don't change any file labels (passive check).
|
||||||
|
|
||||||
|
echo
|
||||||
|
rlLog "-n dry-run"
|
||||||
|
set_contexts
|
||||||
|
rlRun "restorecon -RF -n $TESTDIR"
|
||||||
|
check_contexts '.' 'incorrect*' 'incorrect_t'
|
||||||
|
check_contexts '.' 'correct*' 'correct_t'
|
||||||
|
check_contexts '.' 'customizable*' 'customizable_t'
|
||||||
|
|
||||||
|
# -o outfilename
|
||||||
|
# Deprecated, SELinux policy will probably block this access. Use shell
|
||||||
|
# redirection to save list of files with incorrect context in filename.
|
||||||
|
|
||||||
|
# ----not tested yet
|
||||||
|
|
||||||
|
# -R, -r change files and directories file labels recursively (descend directo‐
|
||||||
|
# ries).
|
||||||
|
# Note: restorecon reports warnings on paths without default labels only
|
||||||
|
# if called non-recursively or in verbose mode.
|
||||||
|
|
||||||
|
set_contexts
|
||||||
|
rlRun "restorecon -R $TESTDIR"
|
||||||
|
check_contexts '.' '*corr*' 'correct_t'
|
||||||
|
check_contexts '.' 'customizable*' 'customizable_t'
|
||||||
|
|
||||||
|
# ...by default it does not operate recursively on directories
|
||||||
|
|
||||||
|
set_contexts
|
||||||
|
rlRun "restorecon $TESTDIR"
|
||||||
|
check_initial_contexts 'incorrect1.dir'
|
||||||
|
check_initial_contexts 'incorrect2.dir'
|
||||||
|
check_initial_contexts 'correct.dir'
|
||||||
|
check_initial_contexts 'customizable.dir'
|
||||||
|
rlRun "ls -ladZ customizable.file | grep customizable_t"
|
||||||
|
rlRun "ls -ladZ incorrect.file | grep :incorrect_t"
|
||||||
|
rlRun "ls -ladZ correct.file | grep :correct_t"
|
||||||
|
|
||||||
|
# -v show changes in file labels, if type or role are going to be changed.
|
||||||
|
|
||||||
|
# ----not tested yet
|
||||||
|
|
||||||
|
# -0 option is not present in RHEL5
|
||||||
|
if ! rlIsRHEL 5; then
|
||||||
|
# -0 the separator for the input items is assumed to be the null character
|
||||||
|
# (instead of the white space). The quotes and the backslash characters
|
||||||
|
# are also treated as normal characters that can form valid input. This
|
||||||
|
# option finally also disables the end of file string, which is treated
|
||||||
|
# like any other argument. Useful when input items might contain white
|
||||||
|
# space, quote marks or backslashes. The -print0 option of GNU find pro‐
|
||||||
|
# duces input suitable for this mode.
|
||||||
|
|
||||||
|
echo
|
||||||
|
rlLog "-0"
|
||||||
|
set_contexts
|
||||||
|
rlRun "find . -print0 | restorecon -f - -0"
|
||||||
|
check_contexts '.' '*corr*' 'correct_t'
|
||||||
|
check_contexts '.' 'customizable*' 'customizable_t'
|
||||||
|
|
||||||
|
echo
|
||||||
|
rlLog "-0 with -F"
|
||||||
|
set_contexts
|
||||||
|
rlRun "find . -print0 | restorecon -F -f - -0"
|
||||||
|
check_contexts '.' '*' 'correct_t'
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If a file object does not have a context, restorecon will write the default
|
||||||
|
# context to the file object's extended attributes.
|
||||||
|
|
||||||
|
# ----not tested yet
|
||||||
|
|
||||||
|
|
||||||
|
# Cleanup
|
||||||
|
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -rf /opt/restorecon_testdir"
|
||||||
|
rlFileRestore
|
||||||
|
rlRun "semodule -r testpolicy"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
# This is RFE from RHEL6 and further versions
|
||||||
|
if ! rlIsRHEL 5;then
|
||||||
|
rlPhaseStartTest
|
||||||
|
# META-Fixed-In: policycoreutils-2.0.83-19.14.el6
|
||||||
|
rlRun "pushd /root"
|
||||||
|
rlRun "touch test-file"
|
||||||
|
rlRun "mkdir test-dir"
|
||||||
|
for ITEM in "test-file" "test-dir" ; do
|
||||||
|
rlRun "chcon -u staff_u -t shadow_t -l s0:c1 ${ITEM}"
|
||||||
|
rlRun "ls -dZ ${ITEM} | grep staff_u:object_r:shadow_t:s0:c1"
|
||||||
|
rlRun "restorecon -v ${ITEM}" 0,1
|
||||||
|
rlRun "ls -dZ ${ITEM} | grep staff_u:object_r:admin_home_t:s0:c1"
|
||||||
|
rlRun "restorecon -F -v ${ITEM}" 0,1
|
||||||
|
rlRun "ls -dZ ${ITEM} | grep system_u:object_r:admin_home_t:s0"
|
||||||
|
done
|
||||||
|
rlRun "rm -rf test-dir"
|
||||||
|
rlRun "rm -f test-file"
|
||||||
|
rlRun "popd"
|
||||||
|
rlPhaseEnd
|
||||||
|
fi
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
# META-Fixed-In: policycoreutils-2.0.83-19.16.el6
|
||||||
|
rlRun "pushd /root"
|
||||||
|
rlRun "touch test-file"
|
||||||
|
rlRun "mkdir test-dir"
|
||||||
|
for ITEM in "test-file" "test-dir" ; do
|
||||||
|
rlRun "chcon -t tmp_t ${ITEM}"
|
||||||
|
rlRun "ls -dZ ${ITEM}"
|
||||||
|
rlRun "chattr +i ${ITEM}"
|
||||||
|
rlRun "restorecon -v ${ITEM}" 1-255
|
||||||
|
rlRun "chattr -i ${ITEM}"
|
||||||
|
rlRun "ls -dZ ${ITEM}"
|
||||||
|
rlRun "restorecon -v ${ITEM}"
|
||||||
|
rlRun "ls -dZ ${ITEM}"
|
||||||
|
done
|
||||||
|
rlRun "rm -rf test-dir"
|
||||||
|
rlRun "rm -f test-file"
|
||||||
|
rlRun "popd"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
# The bug was closed as NEXTRELEASE for RHEL5
|
||||||
|
if ! rlIsRHEL 5; then
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "touch ~/test-file"
|
||||||
|
rlRun "restorecon -vF ~/test-file"
|
||||||
|
rlRun "restorecon -vF ~/test-file | grep \"reset.*context\"" 1
|
||||||
|
rlRun "rm -f ~/test-file"
|
||||||
|
|
||||||
|
rlRun "mkdir ~/test-dir"
|
||||||
|
rlRun "restorecon -vF ~/test-dir"
|
||||||
|
rlRun "restorecon -vF ~/test-dir | grep \"reset.*context\"" 1
|
||||||
|
rlRun "rm -rf ~/test-dir"
|
||||||
|
rlPhaseEnd
|
||||||
|
fi
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlServiceRestore mcstrans mcstransd
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
||||||
|
|
|
@ -0,0 +1,2 @@
|
||||||
|
/opt/restorecon_testdir(/.*)? system_u:object_r:correct_t:s0
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
policy_module(testpolicy, 1.0)
|
||||||
|
|
||||||
|
require {
|
||||||
|
attribute domain;
|
||||||
|
type fs_t;
|
||||||
|
}
|
||||||
|
|
||||||
|
type correct_t;
|
||||||
|
files_type(correct_t)
|
||||||
|
type incorrect_t;
|
||||||
|
files_type(incorrect_t)
|
||||||
|
type customizable_t;
|
||||||
|
files_type(customizable_t)
|
||||||
|
|
||||||
|
|
||||||
|
#allow domain correct_t:dir relabelto;
|
||||||
|
#allow correct_t fs_t:filesystem associate;
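Review bot: The `require` block declares `attribute domain` and `type fs_t`, but the only statements that use them are the two commented-out `allow` rules at the end of the module, so the module depends on symbols it never references. Either drop the `require` block together with the two dead rules, or keep them and add a comment above them saying why they are disabled and when they would be needed. I assume `files_type()` already grants what those rules would, which would explain why they are commented out. That should be confirmed against the installed policy before it is written down as fact.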
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,65 @@
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/policycoreutils/Regression/semanage-interface
|
||||||
|
# Description: Does semanage interface ... work correctly?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/policycoreutils/Regression/semanage-interface
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
test -x runtest.sh || chcon -t bin_t runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Does semanage interface ... work correctly?" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 20m" >> $(METADATA)
|
||||||
|
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: policycoreutils policycoreutils-python-utils grep selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
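Review bot: In the `build` target the second recipe line, `test -x runtest.sh || chcon -t bin_t runtest.sh`, can only reach `chcon` when the preceding `chmod a+x` failed, because once the file is executable `test -x` succeeds and short-circuits the relabel. If the `bin_t` label is meant to be set, run it unconditionally and tolerate failure where relabeling is not possible, as the semanage-permissive-d-problems Makefile later on this page does: `chcon -t bin_t runtest.sh; :`. The semanage-login Makefile has the same two lines. `.PHONY` also lists `all install download clean` but not the `run` and `build` targets defined in this file.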
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
PURPOSE of /CoreOS/policycoreutils/Regression/semanage-interface
|
||||||
|
Description: Does semanage interface ... work correctly?
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-interface
|
||||||
|
# Description: Does semanage interface ... work correctly?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="policycoreutils"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "semanage interface --help" 0,1
|
||||||
|
for POLICY_TYPE in minimum mls targeted ; do
|
||||||
|
if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
rlRun "semanage interface -l -S ${POLICY_TYPE}"
|
||||||
|
done
|
||||||
|
if ! rlIsRHEL 5; then
|
||||||
|
rlRun "semanage interface -l -S unknown 2>&1 | grep \"store cannot be accessed\""
|
||||||
|
fi
|
||||||
|
rlRun "semanage interface -a -t xyz_t xyz 2>&1 | grep -i -e 'not defined' -e 'error' -e 'could not'"
|
||||||
|
rlRun "semanage interface -m xyz" 1,2
|
||||||
|
rlRun "semanage interface -d xyz" 1
|
||||||
|
rlRun "semanage interface -a -t netif_t xyz"
|
||||||
|
if rlIsRHEL 5 6; then
|
||||||
|
rlRun "semanage interface -m -r s0 xyz"
|
||||||
|
else
|
||||||
|
rlRun "semanage interface -m -t netif_t -r s0 xyz"
|
||||||
|
fi
|
||||||
|
rlRun "semanage interface -l | grep \"xyz.*:netif_t:s0\""
|
||||||
|
rlRun "semanage interface -d xyz"
|
||||||
|
rlRun "semanage interface -l | grep xyz" 1
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
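Review bot: The cleanup phase at the end of the script is empty, while the only removal of the `xyz` interface record, `rlRun "semanage interface -d xyz"`, sits in the test phase. If that step fails or the run is interrupted before it, the local customization stays in the policy store of the test machine. A tolerant `rlRun "semanage interface -d xyz" 0,1` between `rlPhaseStartCleanup` and `rlPhaseEnd` would leave the system as the test found it. The semanage-login runtest.sh further down has the same empty cleanup phase for its `xyz` login mapping and user account. The final check `grep xyz` is also unanchored, so another interface name containing `xyz` would make it fail; `grep -w xyz` is tighter.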
|
||||||
|
|
|
@ -0,0 +1,65 @@
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/policycoreutils/Regression/semanage-login
|
||||||
|
# Description: Does semanage login ... work correctly?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/policycoreutils/Regression/semanage-login
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
test -x runtest.sh || chcon -t bin_t runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Does semanage login ... work correctly?" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 10m" >> $(METADATA)
|
||||||
|
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: policycoreutils policycoreutils-python-utils grep shadow-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
PURPOSE of /CoreOS/policycoreutils/Regression/semanage-login
|
||||||
|
Description: Does semanage login ... work correctly?
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
|
@ -0,0 +1,67 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-login
|
||||||
|
# Description: Does semanage login ... work correctly?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="policycoreutils"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "semanage login --help" 0,1
|
||||||
|
for POLICY_TYPE in minimum mls targeted ; do
|
||||||
|
if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
rlRun "semanage login -l -S ${POLICY_TYPE}"
|
||||||
|
done
|
||||||
|
if ! rlIsRHEL 5; then
|
||||||
|
rlRun "semanage login -l -S unknown 2>&1 | grep \"store cannot be accessed\""
|
||||||
|
fi
|
||||||
|
rlRun "semanage login -a -s xyz_u xyz 2>&1 | grep -i -e 'does not exist' -e 'mapping.*invalid' -e 'could not query'"
|
||||||
|
rlRun "semanage login -m xyz" 1
|
||||||
|
rlRun "semanage login -d xyz" 1
|
||||||
|
rlRun "useradd xyz"
|
||||||
|
rlRun "semanage login -a -s user_u xyz"
|
||||||
|
rlRun "semanage login -m -r s0 xyz"
|
||||||
|
rlRun "semanage login -l | grep \"xyz.*user_u.*s0\""
|
||||||
|
rlRun "semanage login -d xyz"
|
||||||
|
rlRun "semanage login -l | grep xyz" 1
|
||||||
|
rlRun "userdel -rf xyz"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
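Review bot: `rlRun "useradd xyz"` and `rlRun "userdel -rf xyz"` use a fixed account name without checking whether it already exists. On a machine that already has a user `xyz`, `useradd` fails and the later `userdel -rf xyz` still removes that account and its home directory, although this test's Makefile declares `Destructive: no`. Stop early when the name is taken, for example `id xyz &>/dev/null && rlDie "user xyz already exists"` in the setup phase. A randomised or clearly test-specific account name would lower the chance of a collision further.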
|
||||||
|
|
|
@ -0,0 +1,70 @@
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
|
||||||
|
# Description: semanage permissive -d accepts more than domain types, its behavior is not reliable
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
chmod a+x runtest.sh
|
||||||
|
chcon -t bin_t runtest.sh; :
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: semanage permissive -d accepts more than domain types, its behavior is not reliable" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 20m" >> $(METADATA)
|
||||||
|
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: policycoreutils-python-utils" >> $(METADATA)
|
||||||
|
@echo "Requires: policycoreutils-devel" >> $(METADATA)
|
||||||
|
@echo "Requires: selinux-policy-devel" >> $(METADATA)
|
||||||
|
@echo "Requires: grep" >> $(METADATA)
|
||||||
|
@echo "Requires: coreutils" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELServer5 -RHELClient5" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
PURPOSE of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
||||||
|
Does semanage permissive work correctly?
|
||||||
|
|
|
@ -0,0 +1,93 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
|
||||||
|
# Description: semanage permissive -d accepts more than domain types, its behavior is not reliable
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include rhts environment
|
||||||
|
. /usr/bin/rhts-environment.sh
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh
|
||||||
|
|
||||||
|
PACKAGE="policycoreutils"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
rlRun "rpm -qf /usr/sbin/semanage"
|
||||||
|
OUTPUT_FILE=`mktemp`
|
||||||
|
rlRun "sestatus"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
if selinuxenabled ; then
|
||||||
|
rlPhaseStartTest
|
||||||
|
if rlIsRHEL 7 ; then
|
||||||
|
rlFileBackup /usr/share/selinux/default/Makefile
|
||||||
|
rlRun "rm -rf /usr/share/selinux/default/Makefile"
|
||||||
|
fi
|
||||||
|
rlRun "semanage permissive -l | grep fenced" 1
|
||||||
|
rlRun "semanage permissive -a fenced_t"
|
||||||
|
rlRun "semanage permissive -l | grep fenced"
|
||||||
|
rlRun "semanage permissive -d fenced_t"
|
||||||
|
rlRun "semanage permissive -l | grep fenced" 1
|
||||||
|
if rlIsRHEL 7 ; then
|
||||||
|
rlFileRestore
|
||||||
|
fi
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
|
||||||
|
rlRun "wc -l < ${OUTPUT_FILE} | grep ^0$"
|
||||||
|
rlRun "semanage permissive -a ypbind_t"
|
||||||
|
rlRun "semanage permissive -a ypserv_t"
|
||||||
|
rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
|
||||||
|
rlRun "wc -l < ${OUTPUT_FILE} | grep ^2$"
|
||||||
|
rlRun "semanage permissive -d yp" 1-255
|
||||||
|
rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
|
||||||
|
rlRun "wc -l < ${OUTPUT_FILE} | grep ^2$"
|
||||||
|
rlRun "semanage permissive -d ypbind_t"
|
||||||
|
rlRun "semanage permissive -d ypserv_t"
|
||||||
|
rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
|
||||||
|
rlRun "wc -l < ${OUTPUT_FILE} | grep ^0$"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun -s "semanage permissive -d" 1
|
||||||
|
rlAssertNotGrep 'traceback' $rlRun_LOG -iEq
|
||||||
|
rlAssertGrep 'error: the following argument is required: type' $rlRun_LOG -iEq
|
||||||
|
rm -f $rlRun_LOG
|
||||||
|
rlPhaseEnd
|
||||||
|
else
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "semanage permissive -l >& ${OUTPUT_FILE}" 0,1
|
||||||
|
rlRun "grep -C 32 -i -e exception -e traceback -e error ${OUTPUT_FILE}" 1
|
||||||
|
rlPhaseEnd
|
||||||
|
fi
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rm -f ${OUTPUT_FILE}
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
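Review bot: The cleanup phase only removes `${OUTPUT_FILE}`, so if any of the `semanage permissive -d` steps in the test phases fails or the run stops early, `fenced_t`, `ypbind_t` or `ypserv_t` stays permissive and SELinux no longer enforces policy for that domain on the machine. The same applies to the RHEL 7 branch, where `/usr/share/selinux/default/Makefile` is deleted and `rlFileRestore` is called inside the test phase rather than in cleanup. Moving `rlFileRestore` into `rlPhaseStartCleanup` and adding a best-effort delete there for each of the three types, e.g. `semanage permissive -d fenced_t &>/dev/null`, restores the system however the test phases ended. The two `.` lines that source the rhts and beakerlib environments also lack the `|| exit 1` that the other runtest.sh scripts on this page use.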
|
||||||
|
|
|
@ -0,0 +1,71 @@
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
|
||||||
|
# Description: semanage accepts invalid port numbers and then cannot delete them
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
chmod a+x runtest.sh
|
||||||
|
chcon -t bin_t runtest.sh;:
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: semanage accepts invalid port numbers and then cannot delete them" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 15m" >> $(METADATA)
|
||||||
|
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: policycoreutils-python-utils" >> $(METADATA)
|
||||||
|
@echo "Requires: setools-console" >> $(METADATA)
|
||||||
|
@echo "Requires: libselinux" >> $(METADATA)
|
||||||
|
@echo "Requires: libselinux-utils" >> $(METADATA)
|
||||||
|
@echo "Requires: coreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: grep" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
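Review bot: `run` and `build` are missing from the `.PHONY` line, although neither recipe creates a file of that name. A stray file called `run` or `build` in the test directory would make `make run` report the target as up to date and skip `./runtest.sh`. Unless the included rhts-make.include already declares them (not visible here), extend the line to `.PHONY: all install download clean run build`. The semanage-user Makefile further down this page carries the same line.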
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
PURPOSE of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
||||||
|
semanage accepts invalid port numbers and then cannot delete them
|
||||||
|
|
|
@ -0,0 +1,137 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/rhts-library/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
|
||||||
|
# Description: semanage accepts invalid port numbers and then cannot delete them
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="policycoreutils"
|
||||||
|
PORT_NAME="ldap_port_t"
|
||||||
|
BAD_PORT_NUMBER="123456"
|
||||||
|
GOOD_PORT_NUMBER="1389"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
rlRun "rpm -qf /usr/sbin/semanage"
|
||||||
|
rlRun "rpm -qf /usr/bin/seinfo"
|
||||||
|
OUTPUT_FILE=`mktemp`
|
||||||
|
rlRun "setenforce 1"
|
||||||
|
rlRun "sestatus"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "semanage port -l | grep ${PORT_NAME}"
|
||||||
|
|
||||||
|
rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}"
|
||||||
|
rlRun "semanage port -a -t ${PORT_NAME} -p tcp ${BAD_PORT_NUMBER}" 1
|
||||||
|
rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}"
|
||||||
|
rlRun "semanage port -d -t ${PORT_NAME} -p tcp ${BAD_PORT_NUMBER}" 1
|
||||||
|
rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}"
|
||||||
|
#rlRun "sort ${OUTPUT_FILE} | uniq | wc -l | grep '^2$'"
|
||||||
|
|
||||||
|
rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}" 1
|
||||||
|
rlRun "semanage port -a -t ${PORT_NAME} -p tcp ${GOOD_PORT_NUMBER}"
|
||||||
|
rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}"
|
||||||
|
rlRun "semanage port -d -t ${PORT_NAME} -p tcp ${GOOD_PORT_NUMBER}"
|
||||||
|
rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}" 1
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "semanage port -a -t syslogd_port_t -p tcp 60514-60516 2>&1 | grep -i traceback" 1
|
||||||
|
rlRun "semanage port -l | grep syslogd_port_t"
|
||||||
|
rlRun "semanage port -d -t syslogd_port_t -p tcp 60514-60516 2>&1 | grep -i traceback" 1
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
if rlIsRHEL ; then
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "ps -efZ | grep -v grep | grep \"auditd_t.*auditd\""
|
||||||
|
if rlIsRHEL 5 6; then
|
||||||
|
PORT_TYPE="syslogd_port_t"
|
||||||
|
else
|
||||||
|
PORT_TYPE="commplex_link_port_t"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# adding a port number to a type
|
||||||
|
START_DATE_TIME=`date "+%m/%d/%Y %T"`
|
||||||
|
sleep 1
|
||||||
|
rlRun "semanage port -a -p tcp -t $PORT_TYPE 5005"
|
||||||
|
sleep 2
|
||||||
|
|
||||||
|
# Check for user_avc
|
||||||
|
rlRun "ausearch -m user_avc -ts ${START_DATE_TIME} > ${OUTPUT_FILE}" 0,1
|
||||||
|
LINE_COUNT=`wc -l < ${OUTPUT_FILE}`
|
||||||
|
rlRun "cat ${OUTPUT_FILE}"
|
||||||
|
rlAssert0 "number of lines in ${OUTPUT_FILE} should be 0" ${LINE_COUNT}
|
||||||
|
|
||||||
|
# deleting a port number from a type
|
||||||
|
START_DATE_TIME=`date "+%m/%d/%Y %T"`
|
||||||
|
sleep 1
|
||||||
|
rlRun "semanage port -d -p tcp -t $PORT_TYPE 5005"
|
||||||
|
sleep 2
|
||||||
|
|
||||||
|
# Check for user_avc
|
||||||
|
rlRun "ausearch -m user_avc -ts ${START_DATE_TIME} > ${OUTPUT_FILE}" 0,1
|
||||||
|
LINE_COUNT=`wc -l < ${OUTPUT_FILE}`
|
||||||
|
rlRun "cat ${OUTPUT_FILE}"
|
||||||
|
rlAssert0 "number of lines in ${OUTPUT_FILE} should be 0" ${LINE_COUNT}
|
||||||
|
rlPhaseEnd
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! rlIsRHEL 5 ; then
|
||||||
|
rlPhaseStartTest
|
||||||
|
rlRun "seinfo --portcon | grep :hi_reserved_port_t:"
|
||||||
|
rlRun "seinfo --portcon | grep :reserved_port_t:"
|
||||||
|
rlRun "semanage port -l | grep ^hi_reserved_port_t"
|
||||||
|
rlRun "semanage port -l | grep ^reserved_port_t"
|
||||||
|
if ! rlIsRHEL 6 ; then
|
||||||
|
rlRun "seinfo --portcon | grep :unreserved_port_t:"
|
||||||
|
rlRun "semanage port -l | grep ^unreserved_port_t"
|
||||||
|
fi
|
||||||
|
rlPhaseEnd
|
||||||
|
fi
|
||||||
|
|
||||||
|
rlPhaseStartTest "manipulation with hard-wired ports"
|
||||||
|
rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'"
|
||||||
|
rlRun "semanage port -a -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
|
||||||
|
rlAssertGrep "port .* already defined" ${OUTPUT_FILE} -i
|
||||||
|
rlRun "semanage port -a -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
|
||||||
|
rlAssertGrep "port .* already defined" ${OUTPUT_FILE} -i
|
||||||
|
rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'"
|
||||||
|
rlRun "semanage port -d -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
|
||||||
|
rlAssertGrep "port .* is defined in policy.*cannot be deleted" ${OUTPUT_FILE} -i
|
||||||
|
rlRun "semanage port -d -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
|
||||||
|
rlAssertGrep "port .* is defined in policy.*cannot be deleted" ${OUTPUT_FILE} -i
|
||||||
|
rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rm -f ${OUTPUT_FILE}
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
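Review bot: The setup phase runs `setenforce 1` without recording the mode the host was in, and the cleanup phase only removes `${OUTPUT_FILE}`. A machine that started permissive is therefore left enforcing after the run, although this test's metadata declares `Destructive: no`. Save the mode in setup with `ORIGINAL_MODE=$(getenforce)` and add `rlRun "setenforce ${ORIGINAL_MODE}"` to rlPhaseStartCleanup. Separately, each `rlRun "semanage port ... 2>&1 | tee ${OUTPUT_FILE}"` in the hard-wired-ports phase reports the status of `tee`, the last command in the pipeline, so semanage's own exit code is not checked there and only the following rlAssertGrep constrains the result.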
|
||||||
|
|
|
@ -0,0 +1,65 @@
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/policycoreutils/Regression/semanage-user
|
||||||
|
# Description: Does semanage user ... work correctly?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/policycoreutils/Regression/semanage-user
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE testpolicy.te
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
test -x runtest.sh || chcon -t bin_t runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Does semanage user ... work correctly?" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 20m" >> $(METADATA)
|
||||||
|
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||||
|
@echo "Requires: policycoreutils policycoreutils-python-utils grep selinux-policy-devel selinux-policy-minimum selinux-policy-mls selinux-policy-targeted selinux-policy-devel" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
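Review bot: In the `build` recipe the second guard can never fire. `test -x runtest.sh || chmod a+x runtest.sh` either leaves the script executable or aborts make, so `test -x runtest.sh || chcon -t bin_t runtest.sh` always short-circuits and the file is never relabelled. If the `bin_t` label is wanted, run the relabel unconditionally and tolerate failure, as the semanage-port-add-delete-problems Makefile on this page does with `chcon -t bin_t runtest.sh;:`. The `Requires:` line also lists `selinux-policy-devel` twice.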
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
PURPOSE of /CoreOS/policycoreutils/Regression/semanage-user
|
||||||
|
Description: Does semanage user ... work correctly?
|
||||||
|
Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
|
|
@ -0,0 +1,76 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-user
|
||||||
|
# Description: Does semanage user ... work correctly?
|
||||||
|
# Author: Milos Malik <mmalik@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="policycoreutils"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm ${PACKAGE}
|
||||||
|
rlRun "make -f /usr/share/selinux/devel/Makefile"
|
||||||
|
rlRun "ls -l testpolicy.pp"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest
|
||||||
|
if rlIsRHEL 5 6; then
|
||||||
|
rlRun "semanage user --help" 1
|
||||||
|
else
|
||||||
|
rlRun "semanage user --help" 0
|
||||||
|
# semanage: list option can not be used with --level ("semanage user -l")
|
||||||
|
rlRun "semanage user --help | grep fcontext" 1
|
||||||
|
fi
|
||||||
|
for POLICY_TYPE in minimum mls targeted ; do
|
||||||
|
if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
rlRun "semanage user -l -S ${POLICY_TYPE}"
|
||||||
|
done
|
||||||
|
if ! rlIsRHEL 5; then
|
||||||
|
rlRun "semanage user -l -S unknown 2>&1 | grep \"store cannot be accessed\""
|
||||||
|
fi
|
||||||
|
rlRun "semanage user -a -P user -R xyz_r xyz_u 2>&1 | grep -i -e 'undefined' -e 'error' -e 'could not'"
|
||||||
|
rlRun "semanage user -m xyz_u" 1
|
||||||
|
rlRun "semanage user -d xyz_u" 1
|
||||||
|
rlRun "semodule -i testpolicy.pp"
|
||||||
|
rlRun "semanage user -a -P user -R xyz_r xyz_u"
|
||||||
|
rlRun "semanage user -m -r s0 xyz_u"
|
||||||
|
rlRun "semanage user -l | grep \"xyz_u.*s0.*s0.*xyz_r\""
|
||||||
|
rlRun "semanage user -d xyz_u"
|
||||||
|
rlRun "semanage user -l | grep xyz_u" 1
|
||||||
|
rlRun "semodule -r testpolicy"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "rm -rf tmp testpolicy.{fc,if,pp}"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
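Review bot: The SELinux user and module this test creates are removed only inside the test phase (`semanage user -d xyz_u`, `semodule -r testpolicy`), while rlPhaseStartCleanup deletes just the build outputs. If one of those test-phase steps fails, `xyz_u` or the `testpolicy` module may remain in the host's policy store after the run. Add best-effort removal to the cleanup phase, for example `rlRun "semanage user -d xyz_u" 0,1` followed by `rlRun "semodule -r testpolicy" 0,1`. The comment `# semanage: list option can not be used with --level ("semanage user -l")` sits above a check that greps the help text for `fcontext`, so it should be reworded to describe that check or moved next to the `semanage user -l` calls.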
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
module testpolicy 1.0;
|
||||||
|
|
||||||
|
type xyz_t;
|
||||||
|
role xyz_r;
|
||||||
|
|
||||||
|
require {
|
||||||
|
type xyz_t;
|
||||||
|
}
|
||||||
|
|
||||||
|
role xyz_r types xyz_t;
|
||||||
|
|