On Fri, Apr 13, 2018 at 6:13 AM, Richard Haines via Selinux <selinux@xxxxxxxxxxxxx> wrote:
> Enhance the tests as follows:
> 1) Determine number of tests to run with current config.
> 2) Add CALIPSO STREAM tests (DGRAM not supported in kernel. See [1]).
> 3) Add support for CIPSO TAGS 1 & 2. Closes [2].
> 4) Run scripts using /bin/sh.
> 5) Shorten sleep time as more tests.
>
> [1] https://github.com/SELinuxProject/selinux-kernel/issues/24
> [2] https://github.com/SELinuxProject/selinux-testsuite/issues/1
>
> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> ---
> tests/inet_socket/calipso-flush | 5 +
> tests/inet_socket/calipso-load | 7 +
> tests/inet_socket/cipso-fl-flush | 0
> tests/inet_socket/cipso-fl-load | 0
> tests/inet_socket/cipso-flush | 0
> tests/inet_socket/cipso-load-t1 | 11 +
> tests/inet_socket/cipso-load-t2 | 11 +
> tests/inet_socket/{cipso-load => cipso-load-t5} | 0
> tests/inet_socket/ipsec-flush | 0
> tests/inet_socket/ipsec-load | 0
> tests/inet_socket/iptables-flush | 0
> tests/inet_socket/iptables-load | 0
> tests/inet_socket/server.c | 16 +-
> tests/inet_socket/test | 348 ++++++++++++++++++------
> 14 files changed, 310 insertions(+), 88 deletions(-)
> create mode 100644 tests/inet_socket/calipso-flush
> create mode 100644 tests/inet_socket/calipso-load
> mode change 100755 => 100644 tests/inet_socket/cipso-fl-flush
> mode change 100755 => 100644 tests/inet_socket/cipso-fl-load
> mode change 100755 => 100644 tests/inet_socket/cipso-flush
> create mode 100644 tests/inet_socket/cipso-load-t1
> create mode 100644 tests/inet_socket/cipso-load-t2
> rename tests/inet_socket/{cipso-load => cipso-load-t5} (100%)
> mode change 100755 => 100644
> mode change 100755 => 100644 tests/inet_socket/ipsec-flush
> mode change 100755 => 100644 tests/inet_socket/ipsec-load
> mode change 100755 => 100644 tests/inet_socket/iptables-flush
> mode change 100755 => 100644 tests/inet_socket/iptables-load
> mode change 100755 => 100644 tests/inet_socket/test
I had to fixup the file mode bits on tests/inet_socket/test, but other than that this looks fine to me, merged. Thanks. I remain a little wary about the reduced sleep times (1s to 0.25s), but I'm never comfortable with arbitrary sleep-and-hope-it-works tricks anyway.
> diff --git a/tests/inet_socket/calipso-flush b/tests/inet_socket/calipso-flush
> new file mode 100644
> index 0000000..5143962
> --- /dev/null
> +++ b/tests/inet_socket/calipso-flush
> @@ -0,0 +1,5 @@
> +#!/bin/sh
> +# Reset NetLabel configuration to unlabeled after CALIPSO/IPv6 tests.
> +netlabelctl map del default
> +netlabelctl calipso del doi:16
> +netlabelctl map add default protocol:unlbl
> diff --git a/tests/inet_socket/calipso-load b/tests/inet_socket/calipso-load
> new file mode 100644
> index 0000000..4bb9c7f
> --- /dev/null
> +++ b/tests/inet_socket/calipso-load
> @@ -0,0 +1,7 @@
> +#!/bin/sh
> +# Define a doi for testing loopback for CALIPSO/IPv6.
> +netlabelctl calipso add pass doi:16
> +netlabelctl map del default
> +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
> +netlabelctl map add default address:::/0 protocol:unlbl
> +netlabelctl map add default address:::1 protocol:calipso,16
> diff --git a/tests/inet_socket/cipso-fl-flush b/tests/inet_socket/cipso-fl-flush
> old mode 100755
> new mode 100644
> diff --git a/tests/inet_socket/cipso-fl-load b/tests/inet_socket/cipso-fl-load
> old mode 100755
> new mode 100644
> diff --git a/tests/inet_socket/cipso-flush b/tests/inet_socket/cipso-flush
> old mode 100755
> new mode 100644
> diff --git a/tests/inet_socket/cipso-load-t1 b/tests/inet_socket/cipso-load-t1
> new file mode 100644
> index 0000000..974e746
> --- /dev/null
> +++ b/tests/inet_socket/cipso-load-t1
> @@ -0,0 +1,11 @@
> +#!/bin/sh
> +# Based on http://paulmoore.livejournal.com/7234.html.
> +#
> +# Modifications:
> +# - Defined a doi for testing loopback for CIPSOv4.
> +
> +netlabelctl cipsov4 add pass doi:16 tags:1
> +netlabelctl map del default
> +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
> +netlabelctl map add default address:::/0 protocol:unlbl
> +netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
> diff --git a/tests/inet_socket/cipso-load-t2 b/tests/inet_socket/cipso-load-t2
> new file mode 100644
> index 0000000..9892f81
> --- /dev/null
> +++ b/tests/inet_socket/cipso-load-t2
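Review bot: calipso-load runs its netlabelctl commands with no error handling, and the test invokes it through `system "/bin/sh $basedir/calipso-load"` without checking the status, so if `netlabelctl calipso add pass doi:16` fails the `address:::1 protocol:calipso,16` mapping is never installed and the later labeled tests run against an unlabeled loopback while still being counted. Adding `set -e` as the second line of each load script would stop at the first failed command and return non-zero, which the caller can then test; the flush scripts should stay tolerant, since `netlabelctl map del default` is expected to fail when nothing is mapped. The header `# Define a doi for testing loopback for CALIPSO/IPv6.` could also note that doi:16 must match the `calipso,16` in the last mapping line and the `doi:16` removed by calipso-flush.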
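Review bot: cipso-load-t1 and cipso-load-t2 are identical except for `tags:1` versus `tags:2`, and the "Modifications" header in both only says `# - Defined a doi for testing loopback for CIPSOv4.`, so a reader has to diff the files to see what distinguishes them. Each header should name the tag type it configures, e.g. `# - Defined doi:16 using CIPSO tag type 1 for testing loopback for CIPSOv4.`, and the same for tag type 2 (and the renamed cipso-load-t5 if it is touched later). A single script taking the tag type as `$1` would avoid the duplication, but that is a style choice rather than a defect.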
> @@ -0,0 +1,11 @@
> +#!/bin/sh
> +# Based on http://paulmoore.livejournal.com/7234.html.
> +#
> +# Modifications:
> +# - Defined a doi for testing loopback for CIPSOv4.
> +
> +netlabelctl cipsov4 add pass doi:16 tags:2
> +netlabelctl map del default
> +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
> +netlabelctl map add default address:::/0 protocol:unlbl
> +netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
> diff --git a/tests/inet_socket/cipso-load b/tests/inet_socket/cipso-load-t5
> old mode 100755
> new mode 100644
> similarity index 100%
> rename from tests/inet_socket/cipso-load
> rename to tests/inet_socket/cipso-load-t5
> diff --git a/tests/inet_socket/ipsec-flush b/tests/inet_socket/ipsec-flush
> old mode 100755
> new mode 100644
> diff --git a/tests/inet_socket/ipsec-load b/tests/inet_socket/ipsec-load
> old mode 100755
> new mode 100644
> diff --git a/tests/inet_socket/iptables-flush b/tests/inet_socket/iptables-flush
> old mode 100755
> new mode 100644
> diff --git a/tests/inet_socket/iptables-load b/tests/inet_socket/iptables-load
> old mode 100755
> new mode 100644
> diff --git a/tests/inet_socket/server.c b/tests/inet_socket/server.c
> index 2801397..c8383b4 100644
> --- a/tests/inet_socket/server.c
> +++ b/tests/inet_socket/server.c
> @@ -79,11 +79,17 @@ int main(int argc, char **argv)
> perror("socket");
> exit(1);
> }
> - result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on));
> - if (result < 0) {
> - perror("setsockopt: SO_PASSSEC");
> - close(sock);
> - exit(1);
> +
> + /* Allow retrieval of UDP/Datagram security contexts for IPv4 as
> + * IPv6 is not currently supported.
> + */
> + if (hints.ai_socktype == SOCK_DGRAM) {
> + result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on));
> + if (result < 0) {
> + perror("setsockopt: IP_PASSSEC");
> + close(sock);
> + exit(1);
> + }
> }
>
> result = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
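Review bot: The new comment above `if (hints.ai_socktype == SOCK_DGRAM)` describes an IPv4/IPv6 limitation, but the guard only tests the socket type, so an IPv6 datagram socket still issues `setsockopt(sock, SOL_IP, IP_PASSSEC, ...)` and, if that fails, exits through the same `perror("setsockopt: IP_PASSSEC")` path; the comment should state what the code actually decides, e.g. `/* IP_PASSSEC is only requested for datagram sockets; stream sockets skip it. IPv6 datagram peer contexts are not supported by the kernel yet (see [1] in the commit message). */`. Whether the IPv4-level option succeeds or is rejected on an AF_INET6 socket cannot be told from this hunk and deserves a sentence in that comment once confirmed. `main` and the declarations of `hints`, `sock` and `on` lie outside the hunk.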
> diff --git a/tests/inet_socket/test b/tests/inet_socket/test
> old mode 100755
> new mode 100644
> index 0bda2a4..6684260
> --- a/tests/inet_socket/test
> +++ b/tests/inet_socket/test
> @@ -2,27 +2,43 @@
> use Test::More;
>
> BEGIN {
> - # check if ip xfrm supports ctx parameter
> - if ( system("ip xfrm policy help 2>&1 | grep -q ctx") != 0 ) {
> - plan skip_all => "ctx not supported in ip xfrm policy";
> + $basedir = $0;
> + $basedir =~ s|(.*)/[^/]*|$1|;
> +
> + $test_count = 38;
> +
> + $test_ipsec = 0;
> + if ( system("ip xfrm policy help 2>&1 | grep -q ctx") eq 0 ) {
> + $test_count += 8;
> + $test_ipsec = 1;
> }
> - else {
> - plan tests => 33;
> +
> + # Determine if CALIPSO supported by netlabelctl(8) and kernel.
> + $test_calipso_stream = 0;
> + $netlabelctl = `netlabelctl -V`;
> + $netlabelctl =~ s/\D//g;
> + $kvercur = `uname -r`;
> + chomp($kvercur);
> + $kverminstream = "4.8";
> +
> + $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
> + if ( $netlabelctl gt "021" and $rc > 0 ) {
> + $test_count += 3;
> + $test_calipso_stream = 1;
> }
> -}
>
> -$basedir = $0;
> -$basedir =~ s|(.*)/[^/]*|$1|;
> + plan tests => $test_count;
> +}
>
> -# Load NetLabel configuration for full CIPSO4 labeling over loopback.
> -system "$basedir/cipso-fl-load";
> +# Load NetLabel configuration for full CIPSO/IPv4 labeling over loopback.
> +system "/bin/sh $basedir/cipso-fl-load";
>
> # Start the stream server.
> if ( ( $pid = fork() ) == 0 ) {
> exec "runcon -t test_inet_server_t $basedir/server stream 65535";
> }
>
> -sleep 1; # Give it a moment to initialize.
> +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
>
> # Verify that authorized client can communicate with the server.
> $result =
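Review bot: The netlabelctl gate `if ( $netlabelctl gt "021" and $rc > 0 )` compares a digits-only string lexically, so any version whose components have a different digit count than "0.21" (a hypothetical 0.100 becomes "0100" and sorts below "021") silently drops the three CALIPSO tests, and when netlabelctl is not installed the backtick result is undef and the comparison warns rather than skips. Splitting the `-V` output on `.` and comparing numerically, as `$basedir/../kvercmp` already does for the kernel version, would be more robust, and a comment such as `# CALIPSO needs netlabelctl 0.21+ and kernel 4.8+.` should record why "021" and "4.8" are the thresholds. Separately, `eq 0` on the return of `system(...)` is a string comparison where `== 0` is the idiom (the removed line used `!= 0`).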
> @@ -42,7 +58,7 @@ if ( ( $pid = fork() ) == 0 ) {
> exec "runcon -t test_inet_server_t $basedir/server dgram 65535";
> }
>
> -sleep 1; # Give it a moment to initialize
> +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize
>
> # Verify that authorized client can communicate with the server.
> $result =
> @@ -58,32 +74,90 @@ ok( $result >> 8 eq 9 );
> kill TERM, $pid;
>
> # Flush NetLabel configuration.
> -system "$basedir/cipso-fl-flush";
> +system "/bin/sh $basedir/cipso-fl-flush";
> +
> +# Load NetLabel configuration for CIPSO/IPv4 using TAG 1 over loopback.
> +system "/bin/sh $basedir/cipso-load-t1";
> +
> +# Start the stream server with a defined level.
> +if ( ( $pid = fork() ) == 0 ) {
> + exec
> +"runcon -t test_inet_server_t -l s0:c20.c250 $basedir/server stream 65535";
> +}
> +
> +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
> +
> +# Verify that authorized client can communicate with the server using level within T1 range.
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c61.c239 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c61.c239 stream 127.0.0.1 65535";
> +ok( $result eq 0 );
> +
> +# Verify that authorized client cannot communicate with the server using different level.
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c19,c120 $basedir/client stream 127.0.0.1 65535 2>&1";
> +ok( $result >> 8 eq 5 );
> +
> +# TAG 1 allows categories 0 to 239 to be sent, if greater then ENOSPC (No space left on device)
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c0.c240 $basedir/client stream 127.0.0.1 65535 2>&1";
> +ok( $result >> 8 eq 5 );
> +
> +# Kill the server.
> +kill TERM, $pid;
> +
> +# Start the dgram server with a defined level.
> +if ( ( $pid = fork() ) == 0 ) {
> + exec
> + "runcon -t test_inet_server_t -l s0:c20.c50 $basedir/server dgram 65535";
> +}
> +
> +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
> +
> +# Verify that authorized client can communicate with the server using same levels.
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram 127.0.0.1 65535";
> +ok( $result eq 0 );
> +
> +# Verify that authorized client cannot communicate with the server using levels dominating the server.
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client dgram 127.0.0.1 65535 2>&1";
> +ok( $result >> 8 eq 9 );
> +
> +# Kill the server.
> +kill TERM, $pid;
> +
> +# Flush NetLabel configuration.
> +system "/bin/sh $basedir/cipso-flush";
>
> -# Load NetLabel configuration for CIPSO4 over loopback.
> -system "$basedir/cipso-load";
> +# Load NetLabel configuration for CIPSO/IPv4 using TAG 2 over loopback.
> +system "/bin/sh $basedir/cipso-load-t2";
>
> # Start the stream server with a defined level.
> if ( ( $pid = fork() ) == 0 ) {
> exec
> - "runcon -t test_inet_server_t -l s0:c0.c10 $basedir/server stream 65535";
> + "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server stream 65535";
> }
>
> -sleep 1; # Give it a moment to initialize.
> +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
>
> # Verify that authorized client can communicate with the server using level.
> $result = system
> -"runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream 127.0.0.1 65535";
> +"runcon -t test_inet_client_t -l s0:c90.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c90.c100 stream 127.0.0.1 65535";
> ok( $result eq 0 );
>
> # Verify that authorized client can communicate with the server using level.
> $result = system
> -"runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 stream 127.0.0.1 65535";
> +"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c14 stream 127.0.0.1 65535";
> ok( $result eq 0 );
>
> # Verify that authorized client cannot communicate with the server using different level.
> $result = system
> -"runcon -t test_inet_client_t -l s0:c8.c12 $basedir/client stream 127.0.0.1 65535 2>&1";
> +"runcon -t test_inet_client_t -l s0:c101 $basedir/client stream 127.0.0.1 65535 2>&1";
> +ok( $result >> 8 eq 5 );
> +
> +# TAG 2 allows a maximum of 15 categories in exchange, if greater then ENOSPC (No space left on device)
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c0.c16 -- $basedir/client dgram 127.0.0.1 65535 2>&1";
> ok( $result >> 8 eq 5 );
>
> # Kill the server.
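Review bot: The TAG 2 over-limit check `runcon -t test_inet_client_t -l s0:c0.c16 -- $basedir/client dgram 127.0.0.1 65535` sends a datagram while only the stream server started earlier in this hunk is running (the dgram server for this configuration is started in the next hunk), so the asserted exit status 5 may come from the missing listener rather than from the label exceeding 15 categories. If the error is raised at send time regardless of a peer, the comment should say so; otherwise the line should use `stream` like its TAG 1 counterpart `-l s0:c0.c240 $basedir/client stream 127.0.0.1 65535`. The exit codes asserted through `ok( $result >> 8 eq 5 )` and `eq 9` across this hunk are also undocumented; a one-line comment mapping each to the client's error path would make the expectations reviewable.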
> @@ -92,26 +166,95 @@ kill TERM, $pid;
> # Start the dgram server with a defined level.
> if ( ( $pid = fork() ) == 0 ) {
> exec
> - "runcon -t test_inet_server_t -l s0:c20.c50 $basedir/server dgram 65535";
> + "runcon -t test_inet_server_t -l s0:c0.c14 $basedir/server dgram 65535";
> }
>
> -sleep 1; # Give it a moment to initialize.
> +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
>
> # Verify that authorized client can communicate with the server using same levels.
> $result = system
> -"runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram 127.0.0.1 65535";
> +"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c14 dgram 127.0.0.1 65535";
> ok( $result eq 0 );
>
> # Verify that authorized client cannot communicate with the server using levels dominating the server.
> $result = system
> -"runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client dgram 127.0.0.1 65535 2>&1";
> +"runcon -t test_inet_client_t -l s0:c15 $basedir/client dgram 127.0.0.1 65535 2>&1";
> ok( $result >> 8 eq 9 );
>
> # Kill the server.
> kill TERM, $pid;
>
> # Flush NetLabel configuration.
> -system "$basedir/cipso-flush";
> +system "/bin/sh $basedir/cipso-flush";
> +
> +# Load NetLabel configuration for CIPSO/IPv4 using TAG 5 over loopback.
> +# TAG 5 allows a maximum of 7 ranges in exchange, if greater then ENOSPC (No space left on device), however
> +# note from kernel net/ipv4/cipso_ipv4.c comments:
> +# * You may note that the IETF draft states that the maximum number
> +# * of category ranges is 7, but if the low end of the last category range is
> +# * zero then it is possible to fit 8 category ranges because the zero should
> +# * be omitted. */
> +system "/bin/sh $basedir/cipso-load-t5";
> +
> +# Start the stream server with a defined level.
> +if ( ( $pid = fork() ) == 0 ) {
> + exec
> + "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server stream 65535";
> +}
> +
> +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
> +
> +# Verify that authorized client can communicate with the server using level.
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c100 stream 127.0.0.1 65535";
> +ok( $result eq 0 );
> +
> +# Verify that authorized client can communicate with the server using level.
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c8.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c100 stream 127.0.0.1 65535";
> +ok( $result eq 0 );
> +
> +# Verify that authorized client cannot communicate with the server using different level.
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c8.c101 $basedir/client stream 127.0.0.1 65535 2>&1";
> +ok( $result >> 8 eq 5 );
> +
> +# Verify ok with the 8 entries when cat c0:
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c0.c3,c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c3,c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88 stream 127.0.0.1 65535";
> +ok( $result eq 0 );
> +
> +# Verify fail with the 8 entries when cat !c0:
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88,c90.c99 $basedir/client stream 127.0.0.1 65535 2>&1";
> +ok( $result >> 8 eq 5 );
> +
> +# Kill the server.
> +kill TERM, $pid;
> +
> +# Start the dgram server with a defined level.
> +if ( ( $pid = fork() ) == 0 ) {
> + exec
> + "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server dgram 65535";
> +}
> +
> +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
> +
> +# Verify that authorized client can communicate with the server using same levels.
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c100 dgram 127.0.0.1 65535";
> +ok( $result eq 0 );
> +
> +# Verify that authorized client cannot communicate with the server using levels dominating the server.
> +$result = system
> +"runcon -t test_inet_client_t -l s0:c40.c101 $basedir/client dgram 127.0.0.1 65535 2>&1";
> +ok( $result >> 8 eq 9 );
> +
> +# Kill the server.
> +kill TERM, $pid;
> +
> +# Flush NetLabel configuration.
> +system "/bin/sh $basedir/cipso-flush";
>
> # Verify that authorized domain can bind UDP sockets.
> $result = system "runcon -t test_inet_bind_t -- $basedir/bind dgram 65535 2>&1";
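Review bot: The comment block introducing cipso-load-t5 ends with a stray `*/` copied from the kernel source (`# * be omitted. */`) and keeps the C-style `*` bullets inside Perl `#` comments; it also says "if greater then ENOSPC" for "greater than", as do the TAG 1 and TAG 2 comments in the previous hunk. A cleaner form would be `# Quoting net/ipv4/cipso_ipv4.c: the IETF draft limits a TAG 5 exchange to 7 category ranges, but 8 fit when the low end of the last range is zero, since that zero is omitted.`, which also explains the "8 entries when cat c0" / "cat !c0" pair below it. `system "/bin/sh $basedir/cipso-load-t5"` is not checked, so a failed load would surface as failures of the following c0.c100 tests rather than as a configuration error.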
> @@ -151,91 +294,96 @@ $result =
> system "runcon -t test_inet_no_name_connect_t -- $basedir/connect 65535 2>&1";
> ok($result);
>
> -# Load IPSEC configuration.
> -system "$basedir/ipsec-load";
> +if ($test_ipsec) {
>
> -# Start the stream server.
> -if ( ( $pid = fork() ) == 0 ) {
> - exec "runcon -t test_inet_server_t $basedir/server stream 65535";
> -}
> + # Load IPSEC configuration.
> + system "/bin/sh $basedir/ipsec-load";
>
> -sleep 1; # Give it a moment to initialize.
> + # Start the stream server.
> + if ( ( $pid = fork() ) == 0 ) {
> + exec "runcon -t test_inet_server_t $basedir/server stream 65535";
> + }
>
> -# Verify that authorized client can communicate with the server.
> -$result =
> - system "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535";
> -ok( $result eq 0 );
> + select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
>
> -# Verify that unauthorized client cannot communicate with the server.
> -$result = system
> + # Verify that authorized client can communicate with the server.
> + $result =
> + system
> + "runcon -t test_inet_client_t $basedir/client stream 127.0.0.1 65535";
> + ok( $result eq 0 );
> +
> + # Verify that unauthorized client cannot communicate with the server.
> + $result = system
> "runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1";
> -ok( $result >> 8 eq 5 );
> + ok( $result >> 8 eq 5 );
>
> -# Verify that authorized client can communicate with the server.
> -$result =
> - system "runcon -t test_inet_client_t $basedir/client stream ::1 65535";
> -ok( $result eq 0 );
> + # Verify that authorized client can communicate with the server.
> + $result =
> + system "runcon -t test_inet_client_t $basedir/client stream ::1 65535";
> + ok( $result eq 0 );
>
> -# Verify that unauthorized client cannot communicate with the server.
> -$result = system
> - "runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1";
> -ok( $result >> 8 eq 5 );
> + # Verify that unauthorized client cannot communicate with the server.
> + $result = system
> +"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1";
> + ok( $result >> 8 eq 5 );
>
> -# Kill the server.
> -kill TERM, $pid;
> + # Kill the server.
> + kill TERM, $pid;
>
> -# Start the dgram server.
> -if ( ( $pid = fork() ) == 0 ) {
> - exec "runcon -t test_inet_server_t $basedir/server dgram 65535";
> -}
> + # Start the dgram server.
> + if ( ( $pid = fork() ) == 0 ) {
> + exec "runcon -t test_inet_server_t $basedir/server dgram 65535";
> + }
>
> -sleep 1; # Give it a moment to initialize
> + select( undef, undef, undef, 0.25 ); # Give it a moment to initialize
>
> -# Verify that authorized client can communicate with the server.
> -$result =
> - system "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535";
> -ok( $result eq 0 );
> + # Verify that authorized client can communicate with the server.
> + $result =
> + system
> + "runcon -t test_inet_client_t $basedir/client dgram 127.0.0.1 65535";
> + ok( $result eq 0 );
>
> -# Verify that unauthorized client cannot communicate with the server.
> -$result = system
> + # Verify that unauthorized client cannot communicate with the server.
> + $result = system
> "runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1";
> -ok( $result >> 8 eq 8 );
> + ok( $result >> 8 eq 8 );
>
> -# Verify that unauthorized client cannot communicate with the server.
> -$result = system
> - "runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1";
> -ok( $result >> 8 eq 8 );
> + # Verify that unauthorized client cannot communicate with the server.
> + $result = system
> +"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1";
> + ok( $result >> 8 eq 8 );
>
> -# Kill the server.
> -kill TERM, $pid;
> + # Kill the server.
> + kill TERM, $pid;
>
> # Start the dgram server for IPSEC test using IPv6 but do not request peer context.
> -if ( ( $pid = fork() ) == 0 ) {
> - exec "runcon -t test_inet_server_t $basedir/server -n dgram 65535";
> -}
> + if ( ( $pid = fork() ) == 0 ) {
> + exec "runcon -t test_inet_server_t $basedir/server -n dgram 65535";
> + }
>
> -sleep 1; # Give it a moment to initialize
> + select( undef, undef, undef, 0.25 ); # Give it a moment to initialize
>
> -# This test now passes.
> -$result = system
> - "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
> -ok( $result eq 0 );
> + # This test now passes.
> + $result = system
> + "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
> + ok( $result eq 0 );
>
> -# Kill the server.
> -kill TERM, $pid;
> + # Kill the server.
> + kill TERM, $pid;
>
> -# Flush IPSEC configuration.
> -system "$basedir/ipsec-flush";
> + # Flush IPSEC configuration.
> + system "/bin/sh $basedir/ipsec-flush";
> +}
>
> # Load iptables (IPv4 & IPv6) configuration.
> -system "$basedir/iptables-load";
> +system "/bin/sh $basedir/iptables-load";
>
> # Start the stream server.
> if ( ( $pid = fork() ) == 0 ) {
> exec "runcon -t test_inet_server_t -- $basedir/server -n stream 65535";
> }
>
> -sleep 1; # Give it a moment to initialize.
> +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
>
> # Verify that authorized client can communicate with the server.
> $result = system
> @@ -265,7 +413,7 @@ if ( ( $pid = fork() ) == 0 ) {
> exec "runcon -t test_inet_server_t $basedir/server -n dgram 65535";
> }
>
> -sleep 1; # Give it a moment to initialize
> +select( undef, undef, undef, 0.25 ); # Give it a moment to initialize
>
> # Verify that authorized client can communicate with the server.
> $result = system
> @@ -291,6 +439,40 @@ ok( $result >> 8 eq 8 );
> kill TERM, $pid;
>
> # Flush iptables configuration.
> -system "$basedir/iptables-flush";
> +system "/bin/sh $basedir/iptables-flush";
> +
> +if ($test_calipso_stream) {
> +
> + # Load NetLabel configuration for CALIPSO/IPv6 labeling over loopback.
> + system "/bin/sh $basedir/calipso-load";
> +
> + # Start the stream server.
> + if ( ( $pid = fork() ) == 0 ) {
> + exec
> +"runcon -t test_inet_server_t -l s0:c0.c10 $basedir/server stream 65535";
> + }
> +
> + select( undef, undef, undef, 0.25 ); # Give it a moment to initialize.
> +
> + # Verify that authorized client can communicate with the server.
> + $result = system
> +"runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream ::1 65535";
> + ok( $result eq 0 );
> +
> +# Verify that authorized client can communicate with the server using different valid level.
> + $result = system
> +"runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 stream ::1 65535";
> + ok( $result eq 0 );
> +
> +# Verify that authorized client cannot communicate with the server using invalid level.
> + $result = system
> +"runcon -t test_inet_client_t -l s0:c8.c12 -- $basedir/client stream ::1 65535 2>&1";
> + ok( $result >> 8 eq 5 );
> +
> + # Kill the stream server.
> + kill TERM, $pid;
> +
> + system "/bin/sh $basedir/calipso-flush";
> +}
>
> exit;
> --
> 2.14.3
> > -- paul moore www.paul-moore.com _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
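Review bot: Inside the new `if ($test_calipso_stream)` block the two comments starting `# Verify that authorized client can communicate with the server using different valid level.` and `# Verify that authorized client cannot communicate with the server using invalid level.` sit at column 0 while the statements they describe are indented, so they read as if they were outside the block; indent them with the code. The closing `system "/bin/sh $basedir/calipso-flush";` lacks the `# Flush NetLabel configuration.` comment its CIPSO and IPSEC siblings carry, and the reason only stream is exercised lives only in the commit message, so a `# CALIPSO DGRAM is not supported by the kernel, see selinux-kernel issue 24; stream only.` comment at the top of the block would keep that with the code. As in the other blocks, a client command that hangs or dies leaves the server running and calipso-flush unexecuted, so the NetLabel default map stays changed for whatever runs next (a pre-existing pattern, not introduced here).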