On Thu, Mar 19, 2020 at 4:20 PM Joshua Brindle
<joshua.brindle@xxxxxxxxxxxxxxx> wrote:
> selinux-testsuite adds test for default_range glblub
> which can only be inserted into the policy via cil, so add
> CIL_TARGETS to policy and an attempt to detect whether the policy is MCS,
> meaning it only has 1 sensitivity and more need to be added, or MLS
> and therefore fine to test on.
>
> Signed-off-by: Joshua Brindle <joshua.brindle@xxxxxxxxxxxxxxx>
Thanks, looks good to me now, just one minor issue with the
selinuxuser statement - see below.
> ---
> policy/Makefile | 15 ++++++--
> policy/test_add_levels.cil | 34 ++++++++++++++++++
> policy/test_glblub.cil | 4 +++
> tests/Makefile | 19 ++++++++--
> tests/glblub/.gitignore | 1 +
> tests/glblub/Makefile | 7 ++++
> tests/glblub/default_range.c | 66 +++++++++++++++++++++++++++++++++++
> tests/glblub/test | 67 ++++++++++++++++++++++++++++++++++++
> tests/pol_detect | 17 +++++++++
> 9 files changed, 226 insertions(+), 4 deletions(-)
> create mode 100644 policy/test_add_levels.cil
> create mode 100644 policy/test_glblub.cil
> create mode 100644 tests/glblub/.gitignore
> create mode 100644 tests/glblub/Makefile
> create mode 100644 tests/glblub/default_range.c
> create mode 100755 tests/glblub/test
> create mode 100755 tests/pol_detect
>
[...]
> diff --git a/policy/test_add_levels.cil b/policy/test_add_levels.cil
> new file mode 100644
> index 0000000..374e970
> --- /dev/null
> +++ b/policy/test_add_levels.cil
> @@ -0,0 +1,34 @@
> +(sensitivity s1)
> +(sensitivitycategory s1 (range c0 c1023))
> +(sensitivity s2)
> +(sensitivitycategory s2 (range c0 c1023))
> +(sensitivity s3)
> +(sensitivitycategory s3 (range c0 c1023))
> +(sensitivity s4)
> +(sensitivitycategory s4 (range c0 c1023))
> +(sensitivity s5)
> +(sensitivitycategory s5 (range c0 c1023))
> +(sensitivity s6)
> +(sensitivitycategory s6 (range c0 c1023))
> +(sensitivity s7)
> +(sensitivitycategory s7 (range c0 c1023))
> +(sensitivity s8)
> +(sensitivitycategory s8 (range c0 c1023))
> +(sensitivity s9)
> +(sensitivitycategory s9 (range c0 c1023))
> +(sensitivity s10)
> +(sensitivitycategory s10 (range c0 c1023))
> +(sensitivity s11)
> +(sensitivitycategory s11 (range c0 c1023))
> +(sensitivity s12)
> +(sensitivitycategory s12 (range c0 c1023))
> +(sensitivity s13)
> +(sensitivitycategory s13 (range c0 c1023))
> +(sensitivity s14)
> +(sensitivitycategory s14 (range c0 c1023))
> +(sensitivity s15)
> +(sensitivitycategory s15 (range c0 c1023))
> +(sensitivityorder (s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15))
> +
> +(selinuxuser system_u system_u ((s0) (s15 (range c0 c1023))))
This line causes a warning to be triggered when installing the module
into policy store:
# semodule -i test_add_levels.cil
libsemanage.add_user: user system_u not in password file
Should that first "sysadm_u" argument actually be "root"? And are
these two lines really necessary? The test passes without them for me
on a non-MLS system.
> +(userrange system_u ((s0) (s15 (range c0 c1023))))
[...]
> diff --git a/tests/glblub/test b/tests/glblub/test
> new file mode 100755
> index 0000000..212fef6
> --- /dev/null
> +++ b/tests/glblub/test
> @@ -0,0 +1,67 @@
> +#!/usr/bin/perl
> +
> +use Test;
> +BEGIN { plan tests => 9 }
> +
> +$basedir = $0;
> +$basedir =~ s|(.*)/[^/]*|$1|;
> +
> +sub run_test {
> + my ( $src, $tgt, $objclass, $res ) = @_;
> + my $con = "system_u:object_r:kernel_t";
> +
> + my $result =
> + system("$basedir/default_range $con:$src $con:$tgt $objclass $con:$res");
> +
> + ok( $result, 0 );
> +}
> +
> +sub run_test_fail {
> + my ( $src, $tgt ) = @_;
> + my $con = "system_u:object_r:kernel_t";
> +
> + my $result = system("$basedir/default_range $con:$src $con:$tgt db_table");
> +
> + ok( $result >> 8, 3 );
> +}
> +
> +# Verify glblub range_transition behavior
> +run_test(
> + "s0:c0.c100-s10:c0.c150", "s5:c50.c100-s15:c0.c149",
> + "db_table", "s5:c50.c100-s10:c0.c149"
> +);
> +
> +run_test(
> + "s5:c50.c100-s15:c0.c149", "s0:c0.c100-s10:c0.c150",
> + "db_table", "s5:c50.c100-s10:c0.c149"
> +);
> +
> +run_test( "s0:c0.c100-s10:c0.c150", "s0", "db_table", "s0" );
> +
> +run_test(
> + "s5:c512.c550,c552.c1023-s5:c0.c550,c552.c1023",
> + "s5:c512.c550,c553.c1023-s5:c0,c1,c4,c5,c6,c512.c550,c553.c1023",
> + "db_table",
> + "s5:c512.c550,c553.c1023-s5:c0,c1,c4.c6,c512.c550,c553.c1023"
> +);
> +
> +run_test( "s5:c50.c100-s15:c0.c149",
> + "s5:c512.c550,c552.c1023-s5:c0.c550,c552.c1023",
> + "db_table", "s5-s5:c0.c149" );
> +
> +# Verify incompatible contexts
> +run_test_fail( "s5:c50.c100-s15:c0.c149", "s4-s4:c0.c1023" );
> +
> +run_test_fail( "s4-s4:c0.c1023", "s5:c50.c100-s15:c0.c149" );
> +
> +# Verify default (source-low) behavior
> +run_test(
> + "s0:c0.c100-s10:c0.c150", "s5:c50.c100-s15:c0.c149",
> + "new_class_no_default_range", "s0:c0.c100"
> +);
> +
> +run_test(
> + "s5:c50.c100-s15:c0.c149", "s0:c0.c100-s10:c0.c150",
> + "new_class_no_default_range", "s5:c50.c100"
> +);
> +
git am still complains about extra empty line at EOF here. I can fix
that easily when merging, but if you're going to respin the patch
because of the selinuxuser warning, then it would be nice to fix this,
too :)
[...]
--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
