tests: add test-selinux-checks
This commit is contained in:
parent
dcabda4155
commit
5c7290b195
|
@ -0,0 +1,10 @@
|
||||||
|
all:
|
||||||
|
@make -s --no-print-directory -C ../.. all
|
||||||
|
@basedir=../.. TEST_BASE_DIR=../ ./test.sh --all
|
||||||
|
setup:
|
||||||
|
@make --no-print-directory -C ../.. all
|
||||||
|
@basedir=../.. TEST_BASE_DIR=../ ./test.sh --setup
|
||||||
|
clean:
|
||||||
|
@basedir=../.. TEST_BASE_DIR=../ ./test.sh --clean
|
||||||
|
run:
|
||||||
|
@basedir=../.. TEST_BASE_DIR=../ ./test.sh --run
|
|
@ -0,0 +1,8 @@
|
||||||
|
template(`systemd_test_base_template', `
|
||||||
|
gen_require(`
|
||||||
|
attribute systemd_test_domain_type;
|
||||||
|
')
|
||||||
|
|
||||||
|
type $1_t, systemd_test_domain_type;
|
||||||
|
domain_type($1_t)
|
||||||
|
')
|
|
@ -0,0 +1,50 @@
|
||||||
|
policy_module(systemd_test, 0.0.1)
|
||||||
|
|
||||||
|
# declarations
|
||||||
|
attribute systemd_test_domain_type;
|
||||||
|
|
||||||
|
systemd_test_base_template(systemd_test)
|
||||||
|
systemd_test_base_template(systemd_test_status)
|
||||||
|
systemd_test_base_template(systemd_test_start)
|
||||||
|
systemd_test_base_template(systemd_test_stop)
|
||||||
|
systemd_test_base_template(systemd_test_reload)
|
||||||
|
|
||||||
|
# systemd_test_domain_type
|
||||||
|
|
||||||
|
require {
|
||||||
|
role system_r;
|
||||||
|
role unconfined_r;
|
||||||
|
type bin_t;
|
||||||
|
type initrc_t;
|
||||||
|
type systemd_systemctl_exec_t;
|
||||||
|
type unconfined_service_t;
|
||||||
|
}
|
||||||
|
|
||||||
|
role system_r types systemd_test_domain_type;
|
||||||
|
role unconfined_r types systemd_test_domain_type;
|
||||||
|
|
||||||
|
allow systemd_test_domain_type bin_t: file entrypoint;
|
||||||
|
allow systemd_test_domain_type systemd_systemctl_exec_t: file entrypoint;
|
||||||
|
allow initrc_t systemd_test_domain_type: process transition;
|
||||||
|
allow unconfined_service_t systemd_test_domain_type: process transition;
|
||||||
|
corecmd_exec_bin(systemd_test_domain_type)
|
||||||
|
init_signal_script(systemd_test_domain_type)
|
||||||
|
init_sigchld_script(systemd_test_domain_type)
|
||||||
|
systemd_exec_systemctl(systemd_test_domain_type)
|
||||||
|
userdom_use_user_ttys(systemd_test_domain_type)
|
||||||
|
userdom_use_user_ptys(systemd_test_domain_type)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
dbus_system_bus_client(systemd_test_domain_type)
|
||||||
|
init_dbus_chat(systemd_test_domain_type)
|
||||||
|
')
|
||||||
|
|
||||||
|
# systemd_test_*_t
|
||||||
|
require {
|
||||||
|
type systemd_unit_file_t;
|
||||||
|
}
|
||||||
|
|
||||||
|
allow systemd_test_status_t systemd_unit_file_t: service { status };
|
||||||
|
allow systemd_test_start_t systemd_unit_file_t: service { start };
|
||||||
|
allow systemd_test_stop_t systemd_unit_file_t: service { stop };
|
||||||
|
allow systemd_test_reload_t systemd_unit_file_t: service { reload };
|
|
@ -0,0 +1,13 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
set -x
|
||||||
|
set -e
|
||||||
|
set -o pipefail
|
||||||
|
|
||||||
|
echo 1 >/sys/fs/selinux/enforce
|
||||||
|
runcon -t systemd_test_start_t systemctl start hola
|
||||||
|
runcon -t systemd_test_reload_t systemctl reload hola
|
||||||
|
runcon -t systemd_test_stop_t systemctl stop hola
|
||||||
|
|
||||||
|
touch /testok
|
||||||
|
exit 0
|
|
@ -0,0 +1,135 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
|
||||||
|
# ex: ts=8 sw=4 sts=4 et filetype=sh
|
||||||
|
TEST_DESCRIPTION="SELinux tests"
|
||||||
|
|
||||||
|
# Requirements:
|
||||||
|
# Fedora 23
|
||||||
|
# selinux-policy-targeted
|
||||||
|
# selinux-policy-devel
|
||||||
|
|
||||||
|
. $TEST_BASE_DIR/test-functions
|
||||||
|
SETUP_SELINUX=yes
|
||||||
|
KERNEL_APPEND="$KERNEL_APPEND selinux=1"
|
||||||
|
|
||||||
|
check_result_qemu() {
|
||||||
|
ret=1
|
||||||
|
mkdir -p $TESTDIR/root
|
||||||
|
mount ${LOOPDEV}p1 $TESTDIR/root
|
||||||
|
[[ -e $TESTDIR/root/testok ]] && ret=0
|
||||||
|
[[ -f $TESTDIR/root/failed ]] && cp -a $TESTDIR/root/failed $TESTDIR
|
||||||
|
cp -a $TESTDIR/root/var/log/journal $TESTDIR
|
||||||
|
umount $TESTDIR/root
|
||||||
|
[[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed
|
||||||
|
ls -l $TESTDIR/journal/*/*.journal
|
||||||
|
test -s $TESTDIR/failed && ret=$(($ret+1))
|
||||||
|
return $ret
|
||||||
|
}
|
||||||
|
|
||||||
|
test_run() {
|
||||||
|
if run_qemu; then
|
||||||
|
check_result_qemu || return 1
|
||||||
|
else
|
||||||
|
dwarn "can't run QEMU, skipping"
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
test_setup() {
|
||||||
|
create_empty_image
|
||||||
|
mkdir -p $TESTDIR/root
|
||||||
|
mount ${LOOPDEV}p1 $TESTDIR/root
|
||||||
|
|
||||||
|
# Create what will eventually be our root filesystem onto an overlay
|
||||||
|
(
|
||||||
|
LOG_LEVEL=5
|
||||||
|
eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
|
||||||
|
|
||||||
|
setup_basic_environment
|
||||||
|
|
||||||
|
# setup the testsuite service
|
||||||
|
cat <<EOF >$initdir/etc/systemd/system/testsuite.service
|
||||||
|
[Unit]
|
||||||
|
Description=Testsuite service
|
||||||
|
After=multi-user.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart=/test-selinux-checks.sh
|
||||||
|
Type=oneshot
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat <<EOF >$initdir/etc/systemd/system/hola.service
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/bin/echo Start Hola
|
||||||
|
ExecReload=/bin/echo Reload Hola
|
||||||
|
ExecStop=/bin/echo Stop Hola
|
||||||
|
RemainAfterExit=yes
|
||||||
|
EOF
|
||||||
|
|
||||||
|
setup_testsuite
|
||||||
|
|
||||||
|
cat <<EOF >$initdir/etc/systemd/system/load-systemd-test-module.service
|
||||||
|
[Unit]
|
||||||
|
Description=Load systemd-test module
|
||||||
|
DefaultDependencies=no
|
||||||
|
Requires=local-fs.target
|
||||||
|
Conflicts=shutdown.target
|
||||||
|
After=local-fs.target
|
||||||
|
Before=sysinit.target shutdown.target autorelabel.service
|
||||||
|
ConditionSecurity=selinux
|
||||||
|
ConditionPathExists=|/.load-systemd-test-module
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart=/bin/sh -x -c 'echo 0 >/sys/fs/selinux/enforce && cd /systemd-test-module && make -f /usr/share/selinux/devel/Makefile load && rm /.load-systemd-test-module'
|
||||||
|
Type=oneshot
|
||||||
|
TimeoutSec=0
|
||||||
|
RemainAfterExit=yes
|
||||||
|
EOF
|
||||||
|
|
||||||
|
touch $initdir/.load-systemd-test-module
|
||||||
|
mkdir -p $initdir/etc/systemd/system/basic.target.wants
|
||||||
|
ln -fs load-systemd-test-module.service $initdir/etc/systemd/system/basic.target.wants/load-systemd-test-module.service
|
||||||
|
|
||||||
|
local _modules_dir=/var/lib/selinux
|
||||||
|
rm -rf $initdir/$_modules_dir
|
||||||
|
if ! cp -ar $_modules_dir $initdir/$_modules_dir; then
|
||||||
|
dfatal "Failed to copy $_modules_dir"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
local _policy_headers_dir=/usr/share/selinux/devel
|
||||||
|
rm -rf $initdir/$_policy_headers_dir
|
||||||
|
inst_dir /usr/share/selinux
|
||||||
|
if ! cp -ar $_policy_headers_dir $initdir/$_policy_headers_dir; then
|
||||||
|
dfatal "Failed to copy $_policy_headers_dir"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
mkdir $initdir/systemd-test-module
|
||||||
|
cp systemd_test.te $initdir/systemd-test-module
|
||||||
|
cp systemd_test.if $initdir/systemd-test-module
|
||||||
|
cp test-selinux-checks.sh $initdir
|
||||||
|
dracut_install -o sesearch
|
||||||
|
dracut_install runcon
|
||||||
|
dracut_install checkmodule semodule semodule_package m4 make /usr/libexec/selinux/hll/pp load_policy sefcontext_compile
|
||||||
|
) || return 1
|
||||||
|
|
||||||
|
# mask some services that we do not want to run in these tests
|
||||||
|
ln -s /dev/null $initdir/etc/systemd/system/systemd-hwdb-update.service
|
||||||
|
ln -s /dev/null $initdir/etc/systemd/system/systemd-journal-catalog-update.service
|
||||||
|
ln -s /dev/null $initdir/etc/systemd/system/systemd-networkd.service
|
||||||
|
ln -s /dev/null $initdir/etc/systemd/system/systemd-networkd.socket
|
||||||
|
ln -s /dev/null $initdir/etc/systemd/system/systemd-resolved.service
|
||||||
|
|
||||||
|
ddebug "umount $TESTDIR/root"
|
||||||
|
umount $TESTDIR/root
|
||||||
|
}
|
||||||
|
|
||||||
|
test_cleanup() {
|
||||||
|
umount $TESTDIR/root 2>/dev/null
|
||||||
|
[[ $LOOPDEV ]] && losetup -d $LOOPDEV
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
do_test "$@"
|
Loading…
Reference in New Issue