Hi Lakshmi, Mimi, all, @Lakshmi TL;DR: I added some fixes in my fork, branch ima/selinux.v2.draft, https://github.com/pevik/ltp/commits/ima/selinux.v2.draft + added 3 additional commits, one of them as you as the author. I moved some functions to testcases/lib/tst_security.sh, renamed them. Can you please have a look and test? I don't have any SELinux machine. @Mimi, all: any comment to this test? My changes are just LTP cleanup so you can comment it on this patchset. I suppose you get to this in January. Some notes for my changes: As files are quite similar (checks etc), I put both tests into single file ima_selinux.sh. > New functionality is being added to IMA to measure data provided by > kernel components. With this feature, IMA policy can be set to enable > measuring data provided by Linux Security Modules (LSM). Currently one > such LSM namely selinux is being updated to use this functionality. > This new functionality needs test automation in LTP. > Add test cases which verify that the IMA subsystem correctly measures > the data provided by selinux. Could you please put into commit message and test kernel commit hash relevant for the test. Is that 8861d0af642c646c8e148ce34c294bdef6f32f6a (merged into v5.10-rc1) or there are more relevant commits? ... > +### IMA SELinux test > + > +To enable IMA to measure SELinux state and policy, `ima_selinux_policy.sh` > +and `ima_selinux_state.sh` require a readable IMA policy, as well as > +a loaded measure policy with > +`measure func=CRITICAL_DATA data_sources=selinux template=ima-buf` I put this into testcases/kernel/security/integrity/ima/datafiles/ima_selinux/selinux.policy and mention it in docs. > +test1() > +{ > + local policy_digest expected_policy_digest algorithm > + local data_source_name="selinux" > + local pattern="data_sources=[^[:space:]]*$data_source_name" > + local tmp_file="$TST_TMPDIR/selinux_policy_tmp_file.txt" > + > + check_policy_pattern "$pattern" $FUNC_CRITICAL_DATA $TEMPLATE_BUF > $tmp_file || return > + > + tst_res TINFO "Verifying selinux policy measurement" > + > + # > + # Trigger a measurement by changing selinux state > + # > + update_selinux_state Here I used tst_update_selinux_state. ... > --- a/testcases/kernel/security/integrity/ima/tests/ima_setup.sh > +# > +# Update selinux state. This is used for validating IMA > +# measurement of selinux constructs. > +# > +update_selinux_state() > +{ > + local cur_val new_val > + > + cur_val=$(cat $SELINUX_FOLDER/checkreqprot) > + > + if [ $cur_val = 1 ]; then > + new_val=0 > + else > + new_val=1 > + fi > + > + echo $new_val > $SELINUX_FOLDER/checkreqprot > +} > + > +# > +# Verify selinux is enabled in the system > +# > +check_selinux_state() > +{ > + [ -d $SELINUX_FOLDER ] || tst_brk TCONF "selinux is not enabled" > +} As I mentioned above, this is not needed as I put them under different names in testcases/lib/tst_security.sh. > mount_helper() > { > local type="$1" > @@ -238,6 +265,7 @@ ima_setup() > ASCII_MEASUREMENTS="$IMA_DIR/ascii_runtime_measurements" > BINARY_MEASUREMENTS="$IMA_DIR/binary_runtime_measurements" > IMA_POLICY="$IMA_DIR/policy" > + SELINUX_FOLDER="$SYSFS/fs/selinux" nit: I renamed it to $SELINUX_DIR (for consistency with $IMA_DIR) and moved to ima_selinux.sh. Kind regards, Petr
