From 01e036ef43e4029ed101804488dad9d44f35655b Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Wed, 13 May 2020 15:58:37 +0200
Subject: [PATCH] tests: Add Regression/Report-bugs-on-corresponding-components

Policy packages to be used in the test are specified using TEST_PACKAGES variable in the Makefile. Corresponding avc_ file has to exist for each such package. avc_ files contain AVCs with "scontext" domain defined in policy module installed by RPM. The test verifies that setroubleshoot is able to properly identify the source package.
---
 .../Makefile | 68 ++++++++++++++++
 .../avc_container-selinux | 2 +
 .../avc_flatpak-selinux | 2 +
 .../avc_mysql-selinux | 2 +
 .../avc_tpm2-abrmd-selinux | 2 +
 .../avc_usbguard-selinux | 2 +
 .../runtest.sh | 79 +++++++++++++++++++
 tests/tests.yml | 1 +
 8 files changed, 158 insertions(+)
 create mode 100644 tests/Regression/Report-bugs-on-corresponding-components/Makefile
 create mode 100644 tests/Regression/Report-bugs-on-corresponding-components/avc_container-selinux
 create mode 100644 tests/Regression/Report-bugs-on-corresponding-components/avc_flatpak-selinux
 create mode 100644 tests/Regression/Report-bugs-on-corresponding-components/avc_mysql-selinux
 create mode 100644 tests/Regression/Report-bugs-on-corresponding-components/avc_tpm2-abrmd-selinux
 create mode 100644 tests/Regression/Report-bugs-on-corresponding-components/avc_usbguard-selinux
 create mode 100755 tests/Regression/Report-bugs-on-corresponding-components/runtest.sh

diff --git a/tests/Regression/Report-bugs-on-corresponding-components/Makefile b/tests/Regression/Report-bugs-on-corresponding-components/Makefile
new file mode 100644
index 0000000..855e1fc
--- /dev/null
+++ b/tests/Regression/Report-bugs-on-corresponding-components/Makefile
@@ -0,0 +1,68 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/setroubleshoot/Regression/Report-bugs-on-corresponding-components
+# Description: Can sealert identify source RPM of AVC domain type?
+# Author: Vit Mojzis
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2020 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/setroubleshoot/Regression/Report-bugs-on-corresponding-components
+export TESTVERSION=1.0
+
+# Policy packages to be used in testing
+# The followng export does not work properly in Fedora CI - relying on fallback in runtest.sh
+# export TEST_PACKAGES ?= flatpak-selinux tpm2-abrmd-selinux container-selinux usbguard-selinux mysql-selinux
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile avc_flatpak-selinux avc_tpm2-abrmd-selinux avc_container-selinux avc_usbguard-selinux avc_mysql-selinux
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Vit Mojzis " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test for BZ#1811644 (Let setroubleshoot to report bugs on components)" >> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 5m" >> $(METADATA)
+ @echo "RunFor: setroubleshoot" >> $(METADATA)
+ @echo "Requires: flatpak-selinux tpm2-abrmd-selinux container-selinux usbguard-selinux mysql-selinux" >> $(METADATA)
+ @echo "Requires: $(TEST_PACKAGES)" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Bug: 1811644" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5 -RHEL6 -RHEL7 -RHEL7" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/Regression/Report-bugs-on-corresponding-components/avc_container-selinux b/tests/Regression/Report-bugs-on-corresponding-components/avc_container-selinux
new file mode 100644
index 0000000..af18014
--- /dev/null
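Review bot: `@echo "Requires: $(TEST_PACKAGES)" >> $(METADATA)` emits an empty `Requires:` field whenever TEST_PACKAGES is not in the environment, which is the default here because the `export TEST_PACKAGES ?=` line above it is commented out; whether rhts-lint tolerates that I cannot tell from this hunk, but the hard-coded `Requires:` line immediately above already names the same five packages, so either drop the variable line or guard it: `@test -z "$(strip $(TEST_PACKAGES))" || echo "Requires: $(TEST_PACKAGES)" >> $(METADATA)`. The `Releases:` field lists `-RHEL7` twice. `run` and `build` produce no file but are absent from `.PHONY: all install download clean`, so a stray file called `build` or `run` in the test directory would turn them into no-ops unless rhts-make.include declares them phony; `.PHONY: all install download clean run build` removes the doubt.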
+++ b/tests/Regression/Report-bugs-on-corresponding-components/avc_container-selinux
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1575985388.869:225): avc: denied { read } for pid=1365 comm="systemd-user-ru" name="secrets" dev="tmpfs" ino=32249 scontext=system_u:system_r:container_logreader_t:s0 tcontext=system_u:object_r:shadow_t:s0:c446,c857 tclass=dir permissive=0
+
diff --git a/tests/Regression/Report-bugs-on-corresponding-components/avc_flatpak-selinux b/tests/Regression/Report-bugs-on-corresponding-components/avc_flatpak-selinux
new file mode 100644
index 0000000..a475cf1
--- /dev/null
+++ b/tests/Regression/Report-bugs-on-corresponding-components/avc_flatpak-selinux
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1575985388.869:225): avc: denied { connect } for pid=1365 comm="systemd-user-ru" name="secrets" dev="tmpfs" ino=32249 scontext=system_u:system_r:flatpak_helper_t:s0 tcontext=system_u:object_r:shadow_t:s0:c446,c857 tclass=socket permissive=0
+
diff --git a/tests/Regression/Report-bugs-on-corresponding-components/avc_mysql-selinux b/tests/Regression/Report-bugs-on-corresponding-components/avc_mysql-selinux
new file mode 100644
index 0000000..a0fd742
--- /dev/null
+++ b/tests/Regression/Report-bugs-on-corresponding-components/avc_mysql-selinux
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1582621541.469:6896): avc: denied { write } for pid=1627505 comm="python3" name="plautrba" dev="dm-4" ino=19529729 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
+
diff --git a/tests/Regression/Report-bugs-on-corresponding-components/avc_tpm2-abrmd-selinux b/tests/Regression/Report-bugs-on-corresponding-components/avc_tpm2-abrmd-selinux
new file mode 100644
index 0000000..4f65a5b
--- /dev/null
+++ b/tests/Regression/Report-bugs-on-corresponding-components/avc_tpm2-abrmd-selinux
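Review bot: The flatpak record is the container record with only `scontext` and `tclass` edited — same `msg=audit(1575985388.869:225)`, same `pid=1365 comm="systemd-user-ru"`, and it keeps the directory fields `name="secrets" dev="tmpfs" ino=32249` while claiming `{ connect }` on `tclass=socket`; the tpm2-abrmd fixture in the next file is the same clone. The test only reads the "Local Policy RPM" line, which is derived from the source type, so this probably still passes, but a record that mixes file-object fields with a socket class does not look like anything auditd emits and may send setroubleshoot's plugin analysis down an unrelated path if its parsing ever gets stricter. I would replace both with a denial captured from a real run (`ausearch -m AVC` filtered on the domain), or at least drop the `name=`/`dev=`/`ino=` fields so each fixture is self-consistent.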
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1575985388.869:225): avc: denied { connect } for pid=1365 comm="systemd-user-ru" name="secrets" dev="tmpfs" ino=32249 scontext=system_u:system_r:tabrmd_t:s0 tcontext=system_u:object_r:shadow_t:s0:c446,c857 tclass=socket permissive=0
+
diff --git a/tests/Regression/Report-bugs-on-corresponding-components/avc_usbguard-selinux b/tests/Regression/Report-bugs-on-corresponding-components/avc_usbguard-selinux
new file mode 100644
index 0000000..e2b767d
--- /dev/null
+++ b/tests/Regression/Report-bugs-on-corresponding-components/avc_usbguard-selinux
@@ -0,0 +1,2 @@
+type=AVC msg=audit(1582801464.5:491): avc: denied { map } for pid=5100 comm="bash" path="/usr/bin/bash" dev="vda1" ino=1707663 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1
+
diff --git a/tests/Regression/Report-bugs-on-corresponding-components/runtest.sh b/tests/Regression/Report-bugs-on-corresponding-components/runtest.sh
new file mode 100755
index 0000000..51468aa
--- /dev/null
+++ b/tests/Regression/Report-bugs-on-corresponding-components/runtest.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/setroubleshoot/Regression/Report-bugs-on-corresponding-components
+# Description: Can sealert identify source RPM of AVC domain type?
+# Author: Vit Mojzis
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2020 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="setroubleshoot"
+
+if [ -z "${TEST_PACKAGES+set}" ];
+then PACKAGES=(flatpak-selinux tpm2-abrmd-selinux container-selinux usbguard-selinux mysql-selinux)
+else PACKAGES=(${TEST_PACKAGES[@]})
+fi
+
+#corresponding module names
+#MODULES=(flatpak tabrmd container usbguard mysql)
+
+# - -
+# flatpak-selinux - flatpak - flatpak_helper_t
+# tpm2-abrmd-selinux - tabrmd - tabrmd_t
+# container-selinux - container - docker_t
+# usbguard-selinux - usbguard - usbguard_t -- fedora only
+# mysql-selinux - mysql - mysql_t -- fedora only
+
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ OUTPUT_FILE=`mktemp`
+ # Package installation is handled by Makefile for now
+ # install availlable policy packages
+ # for RPM in ${PACKAGES[@]};
+ # do
+ # sudo dnf install -y ${RPM} || continue
+ # done
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ for RPM in ${PACKAGES[@]};
+ do
+ # run only for policies that are installed
+ rpm -q ${RPM} >& /dev/null
+ if [ $? -ne 0 ]; then echo "${RPM} not installed! Skipping."; continue; fi
+ rlRun "sealert -a ./avc_${RPM} 2>&1 | tee ${OUTPUT_FILE} | grep \"Local Policy RPM\""
+ if [ $? -ne 0 ]; then cat ${OUTPUT_FILE}; fi
+ # test if correct rpm was identified
+ rlRun "grep -i \"Local Policy RPM\" ${OUTPUT_FILE} | grep \"$RPM\S*$\" -o"
+ done
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rm -f ${OUTPUT_FILE}
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
diff --git a/tests/tests.yml b/tests/tests.yml
index cf7c826..f11ba05 100644
--- a/tests/tests.yml
+++ b/tests/tests.yml
@@ -7,5 +7,6 @@
 - Regression/embedded-null-byte-in-audit-records
 - Regression/no-plugin-exception-during-analyses
 - Regression/sealert-s-traceback-invalid-display
+ - Regression/Report-bugs-on-corresponding-components
 required_packages:
 - setroubleshoot-server
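Review bot: The test phase can pass without exercising anything: when a policy package is absent the loop takes `if [ $? -ne 0 ]; then echo "${RPM} not installed! Skipping."; continue; fi` and nothing afterwards asserts that at least one package reached `sealert`, so an environment that has only setroubleshoot installed (the Makefile comment says the TEST_PACKAGES export does not work in Fedora CI, and nothing here installs the packages) reports PASS for a regression test that ran zero cases. I would count the packages actually checked — `TESTED=0` before the loop, `TESTED=$((TESTED + 1))` right after the `rpm -q` check — and end the phase with `[ "$TESTED" -gt 0 ] || rlFail "none of ${PACKAGES[*]} is installed, nothing was tested"`, and use `rlLogWarning` instead of `echo` for the skip message so it shows up in the journal. The mapping comment above `rlJournalStart` also disagrees with the fixtures: it lists `docker_t` for container-selinux and `mysql_t` for mysql-selinux, while avc_container-selinux carries `container_logreader_t` and avc_mysql-selinux carries `mysqld_t`; it should name the domains the fixtures actually use, and its header line `# - -` appears to have lost its column names.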
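Review bot: `required_packages:` in this hunk still lists only `- setroubleshoot-server`, while the new test's runtest.sh (previous hunk) silently skips every policy package that is not installed and the Makefile comment states the TEST_PACKAGES export does not work in Fedora CI — so under this configuration none of the five policy packages is guaranteed to be present and the test can complete having checked nothing. Unless they are declared further down in tests.yml outside this hunk, add the packages the test depends on next to `- setroubleshoot-server`: `- container-selinux`, `- flatpak-selinux`, `- tpm2-abrmd-selinux`, plus usbguard-selinux and mysql-selinux where the target distribution ships them (the runtest.sh comments mark those two as Fedora-only).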