From b5ddd6cd6d3100b90801eff0efbadef34f0086a7 Mon Sep 17 00:00:00 2001 From: Milos Malik Date: Tue, 22 Oct 2019 09:06:14 +0200 Subject: [PATCH] Add new test for sedta utility Basic test which covers the sedta tool. - test invalid values - test transitivity, reflexivity, non-existent relation etc --- tests/Sanity/sedta/Makefile | 63 ++++++++++++++++++++++ tests/Sanity/sedta/PURPOSE | 3 ++ tests/Sanity/sedta/runtest.sh | 88 +++++++++++++++++++++++++++++++ tests/Sanity/sedta/testpolicy.cil | 21 ++++++++ 4 files changed, 175 insertions(+) create mode 100644 tests/Sanity/sedta/Makefile create mode 100644 tests/Sanity/sedta/PURPOSE create mode 100755 tests/Sanity/sedta/runtest.sh create mode 100644 tests/Sanity/sedta/testpolicy.cil diff --git a/tests/Sanity/sedta/Makefile b/tests/Sanity/sedta/Makefile new file mode 100644 index 0000000..e45b9de --- /dev/null +++ b/tests/Sanity/sedta/Makefile @@ -0,0 +1,63 @@ +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Makefile of /CoreOS/setools/Sanity/sedta +# Description: Does sedta work as expected? Does it support all features? +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2019 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +export TEST=/CoreOS/setools/Sanity/sedta +export TESTVERSION=1.0 + +BUILT_FILES= + +FILES=$(METADATA) runtest.sh Makefile PURPOSE testpolicy.cil + +.PHONY: all install download clean + +run: $(FILES) build + ./runtest.sh + +build: $(BUILT_FILES) + test -x runtest.sh || chmod a+x runtest.sh + +clean: + rm -f *~ $(BUILT_FILES) + +include /usr/share/rhts/lib/rhts-make.include + +$(METADATA): Makefile + @echo "Owner: Milos Malik " > $(METADATA) + @echo "Name: $(TEST)" >> $(METADATA) + @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) + @echo "Path: $(TEST_DIR)" >> $(METADATA) + @echo "Description: Does sedta work as expected? Does it support all features?" >> $(METADATA) + @echo "Type: Sanity" >> $(METADATA) + @echo "TestTime: 1h" >> $(METADATA) + @echo "RunFor: setools" >> $(METADATA) + @echo "Requires: policycoreutils setools-console-analyses" >> $(METADATA) + @echo "Priority: Normal" >> $(METADATA) + @echo "License: GPLv2+" >> $(METADATA) + @echo "Confidential: no" >> $(METADATA) + @echo "Destructive: no" >> $(METADATA) + @echo "Releases: -RHEL4 -RHEL6 -RHEL7 -RHELClient5 -RHELServer5" >> $(METADATA) + + rhts-lint $(METADATA) + diff --git a/tests/Sanity/sedta/PURPOSE b/tests/Sanity/sedta/PURPOSE new file mode 100644 index 0000000..db04487 --- /dev/null +++ b/tests/Sanity/sedta/PURPOSE @@ -0,0 +1,3 @@ +PURPOSE of /CoreOS/setools/Sanity/sedta +Description: Does sedta work as expected? Does it support all features? +Author: Milos Malik diff --git a/tests/Sanity/sedta/runtest.sh b/tests/Sanity/sedta/runtest.sh new file mode 100755 index 0000000..4fb0483 --- /dev/null +++ b/tests/Sanity/sedta/runtest.sh @@ -0,0 +1,88 @@ +#!/bin/bash +# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# runtest.sh of /CoreOS/setools/Sanity/sedta +# Description: Does sedta work as expected? Does it support all features? +# Author: Milos Malik +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# +# Copyright (c) 2019 Red Hat, Inc. +# +# This program is free software: you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, either version 2 of +# the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be +# useful, but WITHOUT ANY WARRANTY; without even the implied +# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR +# PURPOSE. See the GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +# Include Beaker environment +. /usr/bin/rhts-environment.sh || exit 1 +. /usr/share/beakerlib/beakerlib.sh || exit 1 + +PACKAGE="setools" + +rlJournalStart + rlPhaseStartSetup + rlAssertRpm ${PACKAGE}-console-analyses + OUTPUT_FILE=`mktemp` + rlRun "semodule -i testpolicy.cil" + rlRun "semodule -l | grep testpolicy" + rlPhaseEnd + + rlPhaseStartTest "invalid values" + rlRun "sedta -s unknown_t >& ${OUTPUT_FILE}" 1 + rlRun "grep -i 'not a valid type' ${OUTPUT_FILE}" + rlRun "sedta -s apmd_t -t unknown_t -S >& ${OUTPUT_FILE}" 1 + rlRun "grep -i 'not a valid type' ${OUTPUT_FILE}" + rlRun "sedta -s unknown_t -p /etc/selinux/unknown/policy/policy.31 >& ${OUTPUT_FILE}" 1 + rlRun "grep -i 'no such file or directory' ${OUTPUT_FILE}" + rlRun "sedta -s apmd_t -t var_lib_t -A -1 >& ${OUTPUT_FILE}" 1 + rlRun "grep -i 'must be positive' ${OUTPUT_FILE}" + rlRun "sedta -s xyz_t >& ${OUTPUT_FILE}" + rlRun "grep -i '^0.*transition.*found' ${OUTPUT_FILE}" + rlPhaseEnd + + rlPhaseStartTest "valid values" + # transitivity + rlRun "sedta -s first_t -t second_t -S >& ${OUTPUT_FILE}" + rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}" + rlRun "sedta -s second_t -t third_t -S >& ${OUTPUT_FILE}" + rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}" + rlRun "sedta -s first_t -t third_t -S >& ${OUTPUT_FILE}" + rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}" + # reflexivity + rlRun "sedta -s first_t -t first_t -S >& ${OUTPUT_FILE}" + rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}" + rlRun "sedta -s second_t -t second_t -S >& ${OUTPUT_FILE}" + rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}" + rlRun "sedta -s third_t -t third_t -S >& ${OUTPUT_FILE}" + rlRun "grep -i '^1 domain transition path.*found' ${OUTPUT_FILE}" + # path is longer than limit + rlRun "sedta -s first_t -t third_t -A 1 >& ${OUTPUT_FILE}" + rlRun "grep -i '^0 domain transition path.*found' ${OUTPUT_FILE}" + # non-existent relation + rlRun "sedta -s first_t -t third_t -S -r >& ${OUTPUT_FILE}" + rlRun "grep -i '^0 domain transition path.*found' ${OUTPUT_FILE}" + # non-existent relation + rlRun "sedta -s third_t -t first_t -S >& ${OUTPUT_FILE}" + rlRun "grep -i '^0 domain transition path.*found' ${OUTPUT_FILE}" + rlPhaseEnd + + rlPhaseStartCleanup + rlRun "semodule -r testpolicy" + rlRun "semodule -l | grep testpolicy" 1 + rm -f ${OUTPUT_FILE} + rlPhaseEnd +rlJournalPrintText +rlJournalEnd + diff --git a/tests/Sanity/sedta/testpolicy.cil b/tests/Sanity/sedta/testpolicy.cil new file mode 100644 index 0000000..cc39d72 --- /dev/null +++ b/tests/Sanity/sedta/testpolicy.cil @@ -0,0 +1,21 @@ +( type xyz_t ) + +( type first_t ) +( type first_exec_t ) +( type second_t ) +( type second_exec_t ) +( type third_t ) +( type third_exec_t ) + +( typetransition first_t second_exec_t process second_t ) +( typetransition second_t third_exec_t process third_t ) + +( allow first_t second_exec_t ( file ( getattr open read execute ))) +( allow first_t second_t ( process ( transition ))) +( allow second_t third_exec_t ( file ( getattr open read execute ))) +( allow second_t third_t ( process ( transition ))) + +( allow first_t first_exec_t ( file ( entrypoint ))) +( allow second_t second_exec_t ( file ( entrypoint ))) +( allow third_t third_exec_t ( file ( entrypoint ))) +