Re: [PATCH] selinux-testsuite: Enhance inet_socket tests

On Tue, 2018-06-12 at 18:02 -0400, Paul Moore wrote:
> On Fri, Apr 13, 2018 at 6:13 AM, Richard Haines via Selinux
> <selinux@xxxxxxxxxxxxx> wrote:
> > Enhance the tests as follows:
> > 1) Determine number of tests to run with current config.
> > 2) Add CALIPSO STREAM tests (DGRAM not supported in kernel. See
> > [1]).
> > 3) Add support for CIPSO TAGS 1 & 2. Closes [2].
> > 4) Run scripts using /bin/sh.
> > 5) Shorten sleep time as more tests.
> > 
> > [1] https://github.com/SELinuxProject/selinux-kernel/issues/24
> > [2] https://github.com/SELinuxProject/selinux-testsuite/issues/1
> > 
> > Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> > ---
> >  tests/inet_socket/calipso-flush                 |   5 +
> >  tests/inet_socket/calipso-load                  |   7 +
> >  tests/inet_socket/cipso-fl-flush                |   0
> >  tests/inet_socket/cipso-fl-load                 |   0
> >  tests/inet_socket/cipso-flush                   |   0
> >  tests/inet_socket/cipso-load-t1                 |  11 +
> >  tests/inet_socket/cipso-load-t2                 |  11 +
> >  tests/inet_socket/{cipso-load => cipso-load-t5} |   0
> >  tests/inet_socket/ipsec-flush                   |   0
> >  tests/inet_socket/ipsec-load                    |   0
> >  tests/inet_socket/iptables-flush                |   0
> >  tests/inet_socket/iptables-load                 |   0
> >  tests/inet_socket/server.c                      |  16 +-
> >  tests/inet_socket/test                          | 348
> > ++++++++++++++++++------
> >  14 files changed, 310 insertions(+), 88 deletions(-)
> >  create mode 100644 tests/inet_socket/calipso-flush
> >  create mode 100644 tests/inet_socket/calipso-load
> >  mode change 100755 => 100644 tests/inet_socket/cipso-fl-flush
> >  mode change 100755 => 100644 tests/inet_socket/cipso-fl-load
> >  mode change 100755 => 100644 tests/inet_socket/cipso-flush
> >  create mode 100644 tests/inet_socket/cipso-load-t1
> >  create mode 100644 tests/inet_socket/cipso-load-t2
> >  rename tests/inet_socket/{cipso-load => cipso-load-t5} (100%)
> >  mode change 100755 => 100644
> >  mode change 100755 => 100644 tests/inet_socket/ipsec-flush
> >  mode change 100755 => 100644 tests/inet_socket/ipsec-load
> >  mode change 100755 => 100644 tests/inet_socket/iptables-flush
> >  mode change 100755 => 100644 tests/inet_socket/iptables-load
> >  mode change 100755 => 100644 tests/inet_socket/test
> 
> I had to fix up the file mode bits on tests/inet_socket/test, but other
> than that this looks fine to me, merged.  Thanks.

The reason I have not been setting +x on the tests/*/test scripts is
that the tests/Makefile does it for you. However, as all the others are
set, I'll set +x in future (as you flagged this on the sctp and binder
patches I sent).
> 
> I remain a little wary about the reduced sleep times (1s to 0.25s),
> but I'm never comfortable with arbitrary sleep-and-hope-it-works
> tricks anyway.

I've been using this value in the SCTP tests for some time and not had
any problems; that's why I used it for the inet tests (probably better
to have the client try connecting x times and do away with the wait).

> 
> > diff --git a/tests/inet_socket/calipso-flush
> > b/tests/inet_socket/calipso-flush
> > new file mode 100644
> > index 0000000..5143962
> > --- /dev/null
> > +++ b/tests/inet_socket/calipso-flush
> > @@ -0,0 +1,5 @@
> > +#!/bin/sh
> > +# Reset NetLabel configuration to unlabeled after CALIPSO/IPv6
> > tests.
> > +netlabelctl map del default
> > +netlabelctl calipso del doi:16
> > +netlabelctl map add default protocol:unlbl
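Review bot: none of the three netlabelctl calls checks its exit status, so a failed `netlabelctl map del default` still lets the script exit 0, and the test script (which runs it with a bare `system`) cannot tell that the NetLabel configuration was not reset. Add `set -e` after the shebang, or `|| exit 1` on each line, so a partially flushed state shows up as a failure instead of silently contaminating the tests that follow.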
> > diff --git a/tests/inet_socket/calipso-load
> > b/tests/inet_socket/calipso-load
> > new file mode 100644
> > index 0000000..4bb9c7f
> > --- /dev/null
> > +++ b/tests/inet_socket/calipso-load
> > @@ -0,0 +1,7 @@
> > +#!/bin/sh
> > +# Define a doi for testing loopback for CALIPSO/IPv6.
> > +netlabelctl calipso add pass doi:16
> > +netlabelctl map del default
> > +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
> > +netlabelctl map add default address:::/0 protocol:unlbl
> > +netlabelctl map add default address:::1 protocol:calipso,16
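Review bot: `netlabelctl calipso add pass doi:16` runs before the default map is touched, so if an earlier run aborted before calipso-flush removed doi:16, the add fails because the DOI already exists and the remaining map commands still execute against the stale definition. Either delete doi:16 first (tolerating a not-found error) or stop on the first failure; with the current `/bin/sh $basedir/calipso-load` invocation nothing reports the problem. The comment could also say this is a pass-through DOI, which is why only ::1 is mapped to `protocol:calipso,16` while both wildcard ranges stay unlabeled.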
> > diff --git a/tests/inet_socket/cipso-fl-flush
> > b/tests/inet_socket/cipso-fl-flush
> > old mode 100755
> > new mode 100644
> > diff --git a/tests/inet_socket/cipso-fl-load
> > b/tests/inet_socket/cipso-fl-load
> > old mode 100755
> > new mode 100644
> > diff --git a/tests/inet_socket/cipso-flush
> > b/tests/inet_socket/cipso-flush
> > old mode 100755
> > new mode 100644
> > diff --git a/tests/inet_socket/cipso-load-t1
> > b/tests/inet_socket/cipso-load-t1
> > new file mode 100644
> > index 0000000..974e746
> > --- /dev/null
> > +++ b/tests/inet_socket/cipso-load-t1
> > @@ -0,0 +1,11 @@
> > +#!/bin/sh
> > +# Based on http://paulmoore.livejournal.com/7234.html.
> > +#
> > +# Modifications:
> > +# - Defined a doi for testing loopback for CIPSOv4.
> > +
> > +netlabelctl cipsov4 add pass doi:16 tags:1
> > +netlabelctl map del default
> > +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
> > +netlabelctl map add default address:::/0 protocol:unlbl
> > +netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
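Review bot: the header comment does not say what distinguishes this script from cipso-load-t2 and cipso-load-t5; the only difference is `tags:1` on the `netlabelctl cipsov4 add` line. State the tag type and its limit in the Modifications block, e.g. `# - Defined a pass-through doi using CIPSO tag type 1 (bitmap, categories 0-239).`, matching the 240-category comment the test script makes when it exercises ENOSPC.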
> > diff --git a/tests/inet_socket/cipso-load-t2
> > b/tests/inet_socket/cipso-load-t2
> > new file mode 100644
> > index 0000000..9892f81
> > --- /dev/null
> > +++ b/tests/inet_socket/cipso-load-t2
> > @@ -0,0 +1,11 @@
> > +#!/bin/sh
> > +# Based on http://paulmoore.livejournal.com/7234.html.
> > +#
> > +# Modifications:
> > +# - Defined a doi for testing loopback for CIPSOv4.
> > +
> > +netlabelctl cipsov4 add pass doi:16 tags:2
> > +netlabelctl map del default
> > +netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
> > +netlabelctl map add default address:::/0 protocol:unlbl
> > +netlabelctl map add default address:127.0.0.1 protocol:cipsov4,16
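Review bot: this file is identical to cipso-load-t1 except for `tags:2`. Since the test script now invokes these through `/bin/sh` explicitly, one `cipso-load` script taking the tag type as `$1` (`netlabelctl cipsov4 add pass doi:16 tags:$1`) would replace the three copies and keep the four map lines in one place; if separate files are preferred, the comment should at least name the tag type so the scripts are not confused when edited later.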
> > diff --git a/tests/inet_socket/cipso-load
> > b/tests/inet_socket/cipso-load-t5
> > old mode 100755
> > new mode 100644
> > similarity index 100%
> > rename from tests/inet_socket/cipso-load
> > rename to tests/inet_socket/cipso-load-t5
> > diff --git a/tests/inet_socket/ipsec-flush
> > b/tests/inet_socket/ipsec-flush
> > old mode 100755
> > new mode 100644
> > diff --git a/tests/inet_socket/ipsec-load
> > b/tests/inet_socket/ipsec-load
> > old mode 100755
> > new mode 100644
> > diff --git a/tests/inet_socket/iptables-flush
> > b/tests/inet_socket/iptables-flush
> > old mode 100755
> > new mode 100644
> > diff --git a/tests/inet_socket/iptables-load
> > b/tests/inet_socket/iptables-load
> > old mode 100755
> > new mode 100644
> > diff --git a/tests/inet_socket/server.c
> > b/tests/inet_socket/server.c
> > index 2801397..c8383b4 100644
> > --- a/tests/inet_socket/server.c
> > +++ b/tests/inet_socket/server.c
> > @@ -79,11 +79,17 @@ int main(int argc, char **argv)
> >                 perror("socket");
> >                 exit(1);
> >         }
> > -       result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on,
> > sizeof(on));
> > -       if (result < 0) {
> > -               perror("setsockopt: SO_PASSSEC");
> > -               close(sock);
> > -               exit(1);
> > +
> > +       /* Allow retrieval of UDP/Datagram security contexts for
> > IPv4 as
> > +        * IPv6 is not currently supported.
> > +        */
> > +       if (hints.ai_socktype == SOCK_DGRAM) {
> > +               result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on,
> > sizeof(on));
> > +               if (result < 0) {
> > +                       perror("setsockopt: IP_PASSSEC");
> > +                       close(sock);
> > +                       exit(1);
> > +               }
> >         }
> > 
> >         result = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on,
> > sizeof(on));
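Review bot: the new comment says the option is enabled "for IPv4", but the condition only tests `hints.ai_socktype == SOCK_DGRAM`, not `hints.ai_family`, so IP_PASSSEC is also requested on AF_INET6 datagram sockets exactly as before. Either add `&& hints.ai_family == AF_INET` to the condition, or reword the comment to say the option is set for every datagram socket and simply yields no peer context over IPv6. Correcting the perror string from SO_PASSSEC to IP_PASSSEC is right, since SOL_IP is the level being used.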
> > diff --git a/tests/inet_socket/test b/tests/inet_socket/test
> > old mode 100755
> > new mode 100644
> > index 0bda2a4..6684260
> > --- a/tests/inet_socket/test
> > +++ b/tests/inet_socket/test
> > @@ -2,27 +2,43 @@
> >  use Test::More;
> > 
> >  BEGIN {
> > -    # check if ip xfrm supports ctx parameter
> > -    if ( system("ip xfrm policy help 2>&1 | grep -q ctx") != 0 ) {
> > -        plan skip_all => "ctx not supported in ip xfrm policy";
> > +    $basedir = $0;
> > +    $basedir =~ s|(.*)/[^/]*|$1|;
> > +
> > +    $test_count = 38;
> > +
> > +    $test_ipsec = 0;
> > +    if ( system("ip xfrm policy help 2>&1 | grep -q ctx") eq 0 ) {
> > +        $test_count += 8;
> > +        $test_ipsec = 1;
> >      }
> > -    else {
> > -        plan tests => 33;
> > +
> > +    # Determine if CALIPSO supported by netlabelctl(8) and kernel.
> > +    $test_calipso_stream = 0;
> > +    $netlabelctl         = `netlabelctl -V`;
> > +    $netlabelctl =~ s/\D//g;
> > +    $kvercur = `uname -r`;
> > +    chomp($kvercur);
> > +    $kverminstream = "4.8";
> > +
> > +    $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
> > +    if ( $netlabelctl gt "021" and $rc > 0 ) {
> > +        $test_count += 3;
> > +        $test_calipso_stream = 1;
> >      }
> > -}
> > 
> > -$basedir = $0;
> > -$basedir =~ s|(.*)/[^/]*|$1|;
> > +    plan tests => $test_count;
> > +}
> > 
> > -# Load NetLabel configuration for full CIPSO4 labeling over
> > loopback.
> > -system "$basedir/cipso-fl-load";
> > +# Load NetLabel configuration for full CIPSO/IPv4 labeling over
> > loopback.
> > +system "/bin/sh $basedir/cipso-fl-load";
> > 
> >  # Start the stream server.
> >  if ( ( $pid = fork() ) == 0 ) {
> >      exec "runcon -t test_inet_server_t $basedir/server stream
> > 65535";
> >  }
> > 
> > -sleep 1;    # Give it a moment to initialize.
> > +select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize.
> > 
> >  # Verify that authorized client can communicate with the server.
> >  $result =
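Review bot: the netlabelctl version check is fragile. `s/\D//g` on the whole `netlabelctl -V` output concatenates every digit on the line (including any second version number the tool prints alongside its own), and `gt "021"` then compares that string lexically rather than by version component, so an output containing 0.9 would become "09" and sort above "021" even though 0.9 precedes 0.21. Capture the first `(\d+)\.(\d+)` with a regex and compare the two components numerically. Separately, the hand-maintained plan (`38`, `+= 8`, `+= 3`) has to be recounted on every edit to this file; Test::More's `done_testing()` at the end of the script removes the count entirely.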
> > @@ -42,7 +58,7 @@ if ( ( $pid = fork() ) == 0 ) {
> >      exec "runcon -t test_inet_server_t $basedir/server dgram
> > 65535";
> >  }
> > 
> > -sleep 1;    # Give it a moment to initialize
> > +select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize
> > 
> >  # Verify that authorized client can communicate with the server.
> >  $result =
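Review bot: the fixed `select( undef, undef, undef, 0.25 )` (repeated at every server start in this file) is still a sleep-and-hope race, only with a smaller window than the old `sleep 1`; on a loaded test host the client can run before the server has reached `bind`/`listen`, and the failure is reported as a bogus denial rather than a timing problem. Having the client retry the connect a bounded number of times on ECONNREFUSED, or polling for the listening port before continuing, would let the delay go away entirely.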
> > @@ -58,32 +74,90 @@ ok( $result >> 8 eq 9 );
> >  kill TERM, $pid;
> > 
> >  # Flush NetLabel configuration.
> > -system "$basedir/cipso-fl-flush";
> > +system "/bin/sh $basedir/cipso-fl-flush";
> > +
> > +# Load NetLabel configuration for CIPSO/IPv4 using TAG 1 over
> > loopback.
> > +system "/bin/sh $basedir/cipso-load-t1";
> > +
> > +# Start the stream server with a defined level.
> > +if ( ( $pid = fork() ) == 0 ) {
> > +    exec
> > +"runcon -t test_inet_server_t -l s0:c20.c250 $basedir/server
> > stream 65535";
> > +}
> > +
> > +select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize.
> > +
> > +# Verify that authorized client can communicate with the server
> > using level within T1 range.
> > +$result = system
> > +"runcon -t test_inet_client_t -l s0:c61.c239 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c61.c239 stream 127.0.0.1
> > 65535";
> > +ok( $result eq 0 );
> > +
> > +# Verify that authorized client cannot communicate with the server
> > using different level.
> > +$result = system
> > +"runcon -t test_inet_client_t -l s0:c19,c120 $basedir/client
> > stream 127.0.0.1 65535 2>&1";
> > +ok( $result >> 8 eq 5 );
> > +
> > +# TAG 1 allows categories 0 to 239 to be sent, if greater then
> > ENOSPC (No space left on device)
> > +$result = system
> > +"runcon -t test_inet_client_t -l s0:c0.c240 $basedir/client stream
> > 127.0.0.1 65535 2>&1";
> > +ok( $result >> 8 eq 5 );
> > +
> > +# Kill the server.
> > +kill TERM, $pid;
> > +
> > +# Start the dgram server with a defined level.
> > +if ( ( $pid = fork() ) == 0 ) {
> > +    exec
> > +      "runcon -t test_inet_server_t -l s0:c20.c50 $basedir/server
> > dgram 65535";
> > +}
> > +
> > +select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize.
> > +
> > +# Verify that authorized client can communicate with the server
> > using same levels.
> > +$result = system
> > +"runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram 127.0.0.1
> > 65535";
> > +ok( $result eq 0 );
> > +
> > +# Verify that authorized client cannot communicate with the server
> > using levels dominating the server.
> > +$result = system
> > +"runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client dgram
> > 127.0.0.1 65535 2>&1";
> > +ok( $result >> 8 eq 9 );
> > +
> > +# Kill the server.
> > +kill TERM, $pid;
> > +
> > +# Flush NetLabel configuration.
> > +system "/bin/sh $basedir/cipso-flush";
> > 
> > -# Load NetLabel configuration for CIPSO4 over loopback.
> > -system "$basedir/cipso-load";
> > +# Load NetLabel configuration for CIPSO/IPv4 using TAG 2 over
> > loopback.
> > +system "/bin/sh $basedir/cipso-load-t2";
> > 
> >  # Start the stream server with a defined level.
> >  if ( ( $pid = fork() ) == 0 ) {
> >      exec
> > -      "runcon -t test_inet_server_t -l s0:c0.c10 $basedir/server
> > stream 65535";
> > +      "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server
> > stream 65535";
> >  }
> > 
> > -sleep 1;    # Give it a moment to initialize.
> > +select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize.
> > 
> >  # Verify that authorized client can communicate with the server
> > using level.
> >  $result = system
> > -"runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c0.c10 stream 127.0.0.1
> > 65535";
> > +"runcon -t test_inet_client_t -l s0:c90.c100 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c90.c100 stream 127.0.0.1
> > 65535";
> >  ok( $result eq 0 );
> > 
> >  # Verify that authorized client can communicate with the server
> > using level.
> >  $result = system
> > -"runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c8.c10 stream 127.0.0.1
> > 65535";
> > +"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c0.c14 stream 127.0.0.1
> > 65535";
> >  ok( $result eq 0 );
> > 
> >  # Verify that authorized client cannot communicate with the server
> > using different level.
> >  $result = system
> > -"runcon -t test_inet_client_t -l s0:c8.c12 $basedir/client stream
> > 127.0.0.1 65535 2>&1";
> > +"runcon -t test_inet_client_t -l s0:c101 $basedir/client stream
> > 127.0.0.1 65535 2>&1";
> > +ok( $result >> 8 eq 5 );
> > +
> > +# TAG 2 allows a maximum of 15 categories in exchange, if greater
> > then ENOSPC (No space left on device)
> > +$result = system
> > +"runcon -t test_inet_client_t -l s0:c0.c16 -- $basedir/client
> > dgram 127.0.0.1 65535 2>&1";
> >  ok( $result >> 8 eq 5 );
> > 
> >  # Kill the server.
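Review bot: the TAG 2 ENOSPC check at the end of the stream block runs the client with `dgram 127.0.0.1 65535` while only the stream server (`s0:c0.c100`) is up, whereas the TAG 1 counterpart above uses `stream`. If a datagram client is intended here because the oversized label is rejected at send time with no listener required, a comment should say so; otherwise it should be `stream` so that the expected exit code 5 lines up with the other stream-side denials. Note also that the level-mismatch test (`s0:c19,c120`) and the ENOSPC test (`s0:c0.c240`) assert the same exit code 5, so the test cannot distinguish "label too large" from "label not permitted"; checking the client's error output would make the ENOSPC case genuinely verified. Typo in both ENOSPC comments (here and in the TAG 5 comment below): "if greater then" should be "than".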
> > @@ -92,26 +166,95 @@ kill TERM, $pid;
> >  # Start the dgram server with a defined level.
> >  if ( ( $pid = fork() ) == 0 ) {
> >      exec
> > -      "runcon -t test_inet_server_t -l s0:c20.c50 $basedir/server
> > dgram 65535";
> > +      "runcon -t test_inet_server_t -l s0:c0.c14 $basedir/server
> > dgram 65535";
> >  }
> > 
> > -sleep 1;    # Give it a moment to initialize.
> > +select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize.
> > 
> >  # Verify that authorized client can communicate with the server
> > using same levels.
> >  $result = system
> > -"runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram 127.0.0.1
> > 65535";
> > +"runcon -t test_inet_client_t -l s0:c0.c14 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c0.c14 dgram 127.0.0.1 65535";
> >  ok( $result eq 0 );
> > 
> >  # Verify that authorized client cannot communicate with the server
> > using levels dominating the server.
> >  $result = system
> > -"runcon -t test_inet_client_t -l s0:c40.c51 $basedir/client dgram
> > 127.0.0.1 65535 2>&1";
> > +"runcon -t test_inet_client_t -l s0:c15 $basedir/client dgram
> > 127.0.0.1 65535 2>&1";
> >  ok( $result >> 8 eq 9 );
> > 
> >  # Kill the server.
> >  kill TERM, $pid;
> > 
> >  # Flush NetLabel configuration.
> > -system "$basedir/cipso-flush";
> > +system "/bin/sh $basedir/cipso-flush";
> > +
> > +# Load NetLabel configuration for CIPSO/IPv4 using TAG 5 over
> > loopback.
> > +# TAG 5 allows a maximum of 7 ranges in exchange, if greater then
> > ENOSPC (No space left on device), however
> > +# note from kernel net/ipv4/cipso_ipv4.c comments:
> > +# * You may note that the IETF draft states that the maximum
> > number
> > +# * of category ranges is 7, but if the low end of the last
> > category range is
> > +# * zero then it is possible to fit 8 category ranges because the
> > zero should
> > +# * be omitted. */
> > +system "/bin/sh $basedir/cipso-load-t5";
> > +
> > +# Start the stream server with a defined level.
> > +if ( ( $pid = fork() ) == 0 ) {
> > +    exec
> > +      "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server
> > stream 65535";
> > +}
> > +
> > +select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize.
> > +
> > +# Verify that authorized client can communicate with the server
> > using level.
> > +$result = system
> > +"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c0.c100 stream 127.0.0.1
> > 65535";
> > +ok( $result eq 0 );
> > +
> > +# Verify that authorized client can communicate with the server
> > using level.
> > +$result = system
> > +"runcon -t test_inet_client_t -l s0:c8.c100 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c8.c100 stream 127.0.0.1
> > 65535";
> > +ok( $result eq 0 );
> > +
> > +# Verify that authorized client cannot communicate with the server
> > using different level.
> > +$result = system
> > +"runcon -t test_inet_client_t -l s0:c8.c101 $basedir/client stream
> > 127.0.0.1 65535 2>&1";
> > +ok( $result >> 8 eq 5 );
> > +
> > +# Verify ok with the 8 entries when cat c0:
> > +$result = system
> > +"runcon -t test_inet_client_t -l
> > s0:c0.c3,c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88
> > $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c0.c3,c20.c25,c30.c36,c40.c45,
> > c50.c55,c60.c66,c70.c78,c80.c88 stream 127.0.0.1 65535";
> > +ok( $result eq 0 );
> > +
> > +# Verify fail with the 8 entries when cat !c0:
> > +$result = system
> > +"runcon -t test_inet_client_t -l
> > s0:c20.c25,c30.c36,c40.c45,c50.c55,c60.c66,c70.c78,c80.c88,c90.c99
> > $basedir/client stream 127.0.0.1 65535 2>&1";
> > +ok( $result >> 8 eq 5 );
> > +
> > +# Kill the server.
> > +kill TERM, $pid;
> > +
> > +# Start the dgram server with a defined level.
> > +if ( ( $pid = fork() ) == 0 ) {
> > +    exec
> > +      "runcon -t test_inet_server_t -l s0:c0.c100 $basedir/server
> > dgram 65535";
> > +}
> > +
> > +select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize.
> > +
> > +# Verify that authorized client can communicate with the server
> > using same levels.
> > +$result = system
> > +"runcon -t test_inet_client_t -l s0:c0.c100 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c0.c100 dgram 127.0.0.1
> > 65535";
> > +ok( $result eq 0 );
> > +
> > +# Verify that authorized client cannot communicate with the server
> > using levels dominating the server.
> > +$result = system
> > +"runcon -t test_inet_client_t -l s0:c40.c101 $basedir/client dgram
> > 127.0.0.1 65535 2>&1";
> > +ok( $result >> 8 eq 9 );
> > +
> > +# Kill the server.
> > +kill TERM, $pid;
> > +
> > +# Flush NetLabel configuration.
> > +system "/bin/sh $basedir/cipso-flush";
> > 
> >  # Verify that authorized domain can bind UDP sockets.
> >  $result = system "runcon -t test_inet_bind_t -- $basedir/bind
> > dgram 65535 2>&1";
> > @@ -151,91 +294,96 @@ $result =
> >    system "runcon -t test_inet_no_name_connect_t --
> > $basedir/connect 65535 2>&1";
> >  ok($result);
> > 
> > -# Load IPSEC configuration.
> > -system "$basedir/ipsec-load";
> > +if ($test_ipsec) {
> > 
> > -# Start the stream server.
> > -if ( ( $pid = fork() ) == 0 ) {
> > -    exec "runcon -t test_inet_server_t $basedir/server stream
> > 65535";
> > -}
> > +    # Load IPSEC configuration.
> > +    system "/bin/sh $basedir/ipsec-load";
> > 
> > -sleep 1;    # Give it a moment to initialize.
> > +    # Start the stream server.
> > +    if ( ( $pid = fork() ) == 0 ) {
> > +        exec "runcon -t test_inet_server_t $basedir/server stream
> > 65535";
> > +    }
> > 
> > -# Verify that authorized client can communicate with the server.
> > -$result =
> > -  system "runcon -t test_inet_client_t $basedir/client stream
> > 127.0.0.1 65535";
> > -ok( $result eq 0 );
> > +    select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize.
> > 
> > -# Verify that unauthorized client cannot communicate with the
> > server.
> > -$result = system
> > +    # Verify that authorized client can communicate with the
> > server.
> > +    $result =
> > +      system
> > +      "runcon -t test_inet_client_t $basedir/client stream
> > 127.0.0.1 65535";
> > +    ok( $result eq 0 );
> > +
> > +    # Verify that unauthorized client cannot communicate with the
> > server.
> > +    $result = system
> >  "runcon -t test_inet_bad_client_t -- $basedir/client stream
> > 127.0.0.1 65535 2>&1";
> > -ok( $result >> 8 eq 5 );
> > +    ok( $result >> 8 eq 5 );
> > 
> > -# Verify that authorized client can communicate with the server.
> > -$result =
> > -  system "runcon -t test_inet_client_t $basedir/client stream ::1
> > 65535";
> > -ok( $result eq 0 );
> > +    # Verify that authorized client can communicate with the
> > server.
> > +    $result =
> > +      system "runcon -t test_inet_client_t $basedir/client stream
> > ::1 65535";
> > +    ok( $result eq 0 );
> > 
> > -# Verify that unauthorized client cannot communicate with the
> > server.
> > -$result = system
> > -  "runcon -t test_inet_bad_client_t -- $basedir/client stream ::1
> > 65535 2>&1";
> > -ok( $result >> 8 eq 5 );
> > +    # Verify that unauthorized client cannot communicate with the
> > server.
> > +    $result = system
> > +"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1
> > 65535 2>&1";
> > +    ok( $result >> 8 eq 5 );
> > 
> > -# Kill the server.
> > -kill TERM, $pid;
> > +    # Kill the server.
> > +    kill TERM, $pid;
> > 
> > -# Start the dgram server.
> > -if ( ( $pid = fork() ) == 0 ) {
> > -    exec "runcon -t test_inet_server_t $basedir/server dgram
> > 65535";
> > -}
> > +    # Start the dgram server.
> > +    if ( ( $pid = fork() ) == 0 ) {
> > +        exec "runcon -t test_inet_server_t $basedir/server dgram
> > 65535";
> > +    }
> > 
> > -sleep 1;    # Give it a moment to initialize
> > +    select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize
> > 
> > -# Verify that authorized client can communicate with the server.
> > -$result =
> > -  system "runcon -t test_inet_client_t $basedir/client dgram
> > 127.0.0.1 65535";
> > -ok( $result eq 0 );
> > +    # Verify that authorized client can communicate with the
> > server.
> > +    $result =
> > +      system
> > +      "runcon -t test_inet_client_t $basedir/client dgram
> > 127.0.0.1 65535";
> > +    ok( $result eq 0 );
> > 
> > -# Verify that unauthorized client cannot communicate with the
> > server.
> > -$result = system
> > +    # Verify that unauthorized client cannot communicate with the
> > server.
> > +    $result = system
> >  "runcon -t test_inet_bad_client_t -- $basedir/client dgram
> > 127.0.0.1 65535 2>&1";
> > -ok( $result >> 8 eq 8 );
> > +    ok( $result >> 8 eq 8 );
> > 
> > -# Verify that unauthorized client cannot communicate with the
> > server.
> > -$result = system
> > -  "runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1
> > 65535 2>&1";
> > -ok( $result >> 8 eq 8 );
> > +    # Verify that unauthorized client cannot communicate with the
> > server.
> > +    $result = system
> > +"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1
> > 65535 2>&1";
> > +    ok( $result >> 8 eq 8 );
> > 
> > -# Kill the server.
> > -kill TERM, $pid;
> > +    # Kill the server.
> > +    kill TERM, $pid;
> > 
> >  # Start the dgram server for IPSEC test using IPv6 but do not
> > request peer context.
> > -if ( ( $pid = fork() ) == 0 ) {
> > -    exec "runcon -t test_inet_server_t $basedir/server -n dgram
> > 65535";
> > -}
> > +    if ( ( $pid = fork() ) == 0 ) {
> > +        exec "runcon -t test_inet_server_t $basedir/server -n
> > dgram 65535";
> > +    }
> > 
> > -sleep 1;    # Give it a moment to initialize
> > +    select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize
> > 
> > -# This test now passes.
> > -$result = system
> > -  "runcon -t test_inet_client_t $basedir/client -e nopeer dgram
> > ::1 65535";
> > -ok( $result eq 0 );
> > +    # This test now passes.
> > +    $result = system
> > +      "runcon -t test_inet_client_t $basedir/client -e nopeer
> > dgram ::1 65535";
> > +    ok( $result eq 0 );
> > 
> > -# Kill the server.
> > -kill TERM, $pid;
> > +    # Kill the server.
> > +    kill TERM, $pid;
> > 
> > -# Flush IPSEC configuration.
> > -system "$basedir/ipsec-flush";
> > +    # Flush IPSEC configuration.
> > +    system "/bin/sh $basedir/ipsec-flush";
> > +}
> > 
> >  # Load iptables (IPv4 & IPv6) configuration.
> > -system "$basedir/iptables-load";
> > +system "/bin/sh $basedir/iptables-load";
> > 
> >  # Start the stream server.
> >  if ( ( $pid = fork() ) == 0 ) {
> >      exec "runcon -t test_inet_server_t -- $basedir/server -n
> > stream 65535";
> >  }
> > 
> > -sleep 1;    # Give it a moment to initialize.
> > +select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize.
> > 
> >  # Verify that authorized client can communicate with the server.
> >  $result = system
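Review bot: wrapping the IPsec tests in `if ($test_ipsec) { ... }` makes the eight tests vanish from the TAP output when `ip xfrm` lacks ctx support, so a run on such a host looks identical to one where they were never written. Test::More's `SKIP:` block (`skip "ctx not supported in ip xfrm policy", 8 unless $test_ipsec;`) reports them as skipped with a reason and keeps the plan constant. Minor: several continuation strings inside the block (the `test_inet_bad_client_t` lines) sit at column 0 while the surrounding code is indented four spaces.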
> > @@ -265,7 +413,7 @@ if ( ( $pid = fork() ) == 0 ) {
> >      exec "runcon -t test_inet_server_t $basedir/server -n dgram
> > 65535";
> >  }
> > 
> > -sleep 1;    # Give it a moment to initialize
> > +select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize
> > 
> >  # Verify that authorized client can communicate with the server.
> >  $result = system
> > @@ -291,6 +439,40 @@ ok( $result >> 8 eq 8 );
> >  kill TERM, $pid;
> > 
> >  # Flush iptables configuration.
> > -system "$basedir/iptables-flush";
> > +system "/bin/sh $basedir/iptables-flush";
> > +
> > +if ($test_calipso_stream) {
> > +
> > +    # Load NetLabel configuration for CALIPSO/IPv6 labeling over
> > loopback.
> > +    system "/bin/sh $basedir/calipso-load";
> > +
> > +    # Start the stream server.
> > +    if ( ( $pid = fork() ) == 0 ) {
> > +        exec
> > +"runcon -t test_inet_server_t -l s0:c0.c10 $basedir/server stream
> > 65535";
> > +    }
> > +
> > +    select( undef, undef, undef, 0.25 );    # Give it a moment to
> > initialize.
> > +
> > +    # Verify that authorized client can communicate with the
> > server.
> > +    $result = system
> > +"runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e
> > system_u:object_r:netlabel_peer_t:s0:c0.c10 stream ::1 65535";
> > +    ok( $result eq 0 );
> > +
> > +# Verify that authorized client can communicate with the server
> > using different valid level.
> > +    $result = system
> > +"runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client
> > -e  system_u:object_r:netlabel_peer_t:s0:c8.c10 stream ::1 65535";
> > +    ok( $result eq 0 );
> > +
> > +# Verify that authorized client cannot communicate with the server
> > using invalid level.
> > +    $result = system
> > +"runcon -t test_inet_client_t -l s0:c8.c12 -- $basedir/client
> > stream ::1 65535 2>&1";
> > +    ok( $result >> 8 eq 5 );
> > +
> > +    # Kill the stream server.
> > +    kill TERM, $pid;
> > +
> > +    system "/bin/sh $basedir/calipso-flush";
> > +}
> > 
> >  exit;
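Review bot: the comment lines for the second and third CALIPSO checks (`# Verify that authorized client can communicate ... different valid level.` and `# Verify that authorized client cannot communicate ... invalid level.`) sit at column 0 inside the `if ($test_calipso_stream)` block while the code they describe is indented; indent them to match. There is also a double space in `-e  system_u:object_r:netlabel_peer_t:s0:c8.c10`. As with the IPsec block, a Test::More `SKIP:` block with `skip "CALIPSO not supported", 3 unless $test_calipso_stream;` would report the three tests as skipped rather than silently dropping them from the plan.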
> > --
> > 2.14.3