sandbox -X broken on FC20?
by Robert Horovitz
Hi,
I'm using firefox in a sandbox.
It doesn't work anymore since today:
sandbox -X -t sandbox_web_t firefox
Failed to execute command /usr/share/sandbox/sandboxX.sh: Operation not permitted
My installed versions:
policycoreutils-sandbox-2.2.5-3.fc20.x86_64
selinux-policy-targeted-3.12.1-153.fc20.noarch
libselinux-2.2.1-6.fc20.x86_64
libselinux-python-2.2.1-6.fc20.x86_64
libselinux-utils-2.2.1-6.fc20.x86_64
selinux-policy-3.12.1-153.fc20.noarch
Anyone having the same problem? Or a fix?
thanks!
Robert
9 years, 1 month
Hosts file access
by Emmett Culley
I am continually getting getattr and read AVC errors. From my research, I believe it is because my hosts file gets modified each time I VPN into my work network.
I cause the host names and IP addresses that are part of the internal work network to be appended to the hosts file upon the VPN connection and then restore the original hosts file upon disconnection.
I have tried restorecon /etc/hosts, but I still get the warnings. I have also done the mypol fixes suggested in the troubleshooting dialog's details page. Nothing I do resolves this issue.
How can I prevent these AVC errors? Or at least properly modify my hosts file (and possibly others) the SELinux way?
Emmett
9 years, 4 months
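As an added example (not Emmett's script, and not part of any Fedora package), here is one way to do the VPN connect/disconnect edit of /etc/hosts "the SELinux way". The security-relevant point is that the label is an extended attribute of the inode: a script that builds a new hosts file under /tmp and then mv's it over /etc/hosts installs an inode carrying the label it got where it was created (user_tmp_t for an unconfined user, rather than net_conf_t), and confined domains that resolve names are then denied getattr/read on it; the same happens across file systems because mv preserves the context when it copies. Truncating and rewriting the existing file keeps the inode, and with it the label, so no restorecon is needed afterwards. The marker lines, the entry format and the `self_check()` helper are this example's own conventions; `self_check()` runs on a scratch file, not on /etc/hosts, and uses the inode number as the observable proof.

```python
"""Keep /etc/hosts' SELinux label while adding and removing VPN entries.

Added example, not from the original thread. The label lives in the
security.selinux xattr of the inode, so rewriting the existing file in
place (same inode) keeps it, whereas rename()-ing a file created in /tmp
over /etc/hosts brings the /tmp label along.
"""
import os
import tempfile

# Markers are this example's convention, so disconnect can find the block.
BEGIN_MARK = "# BEGIN vpn-hosts (managed block)"
END_MARK = "# END vpn-hosts (managed block)"


def strip_managed_block(text):
    """Return `text` with any previous managed block removed (idempotent)."""
    out, inside = [], False
    for line in text.splitlines(True):
        stripped = line.rstrip("\n")
        if stripped == BEGIN_MARK:
            inside = True
            continue
        if stripped == END_MARK:
            inside = False
            continue
        if not inside:
            out.append(line)
    return "".join(out)


def render_managed_block(entries):
    """entries: iterable of (ip, [hostname, ...]) -> text of the block."""
    body = "".join("%s\t%s\n" % (ip, " ".join(names)) for ip, names in entries)
    return "%s\n%s%s\n" % (BEGIN_MARK, body, END_MARK)


def write_in_place(path, text):
    """Truncate and rewrite `path`: same inode, same xattrs, same label."""
    with open(path, "r+") as f:
        f.seek(0)
        f.truncate()
        f.write(text)
        f.flush()
        os.fsync(f.fileno())


def file_inode(path):
    return os.stat(path).st_ino


def vpn_connect(path, entries):
    """Append (or replace) the managed block of work-network entries."""
    with open(path) as f:
        base = strip_managed_block(f.read())
    if base and not base.endswith("\n"):
        base += "\n"
    write_in_place(path, base + render_managed_block(entries))


def vpn_disconnect(path):
    """Remove the managed block, restoring the original entries."""
    with open(path) as f:
        original = strip_managed_block(f.read())
    write_in_place(path, original)


def self_check():
    """Exercise the round trip on a scratch file (never /etc/hosts).

    An unchanged inode number is what proves the label-preserving property.
    """
    fd, path = tempfile.mkstemp(prefix="hosts.")
    os.close(fd)
    try:
        with open(path, "w") as f:
            f.write("127.0.0.1\tlocalhost\n")  # constructed starting content
        inode_before = file_inode(path)
        vpn_connect(path, [("10.0.0.5", ["intranet.example.test", "intranet"])])
        vpn_connect(path, [("10.0.0.6", ["git.example.test"])])  # reconnect
        with open(path) as f:
            connected = f.read()
        vpn_disconnect(path)
        with open(path) as f:
            restored = f.read()
        return {
            "inode_unchanged": file_inode(path) == inode_before,
            "connected": connected,
            "restored": restored,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    import pprint
    pprint.pprint(self_check())
```

Run as root against the real file, `vpn_connect("/etc/hosts", entries)` and `vpn_disconnect("/etc/hosts")` are the two hooks to call from the VPN up/down scripts; `ls -Z /etc/hosts` before and after should show the same net_conf_t label, and `restorecon -v /etc/hosts` should then print nothing.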
Alert on mac_admin /usr/sbin/setfiles capability2
by Shintaro Fujiwara
I updated fedora20 now and got SELinux alert.
What's wrong?
SELinux is preventing /usr/sbin/setfiles from mac_admin access on the capability2 .
***** Plugin catchall (100. confidence) suggests **************************
# grep restorecon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context
unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Context
unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023
Target Objects [ capability2 ]
Source restorecon
Source Path /usr/sbin/setfiles
Port <Unknown>
Host localhost.localdomain
Source RPM Packages policycoreutils-2.2.5-3.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-158.fc20.noarch selinux-policy-3.12.1-166.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.14.4-200.fc20.x86_64 #1 SMP Tue May 13 13:51:08 UTC 2014 x86_64 x86_64
Alert Count 3
First Seen 2014-02-20 00:11:29 JST
Last Seen 2014-05-25 19:36:13 JST
Local ID 0a51e340-8e41-42fb-8c41-4c3d3d7fee6f
Raw Audit Messages
type=AVC msg=audit(1401014173.443:796): avc: denied { mac_admin } for pid=13598 comm="restorecon" capability=33 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2
type=SYSCALL msg=audit(1401014173.443:796): arch=x86_64 syscall=lsetxattr success=no exit=EINVAL a0=7f5e992cc820 a1=7f5e9708556e a2=7f5e992cf070 a3=29 items=0 ppid=13002 pid=13598 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
Hash: restorecon,setfiles_t,setfiles_t,capability2,mac_admin
--
A page to establish heavy metal and hard rock in Japan
http://heavymetalhardrock.no-ip.info/
Free software to make the secure OS SELinux easier to use worldwide
http://sourceforge.net/projects/segatex/
CMS (free software using PHP and PostgreSQL)
http://sourceforge.net/projects/webon/
9 years, 4 months
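As an added example (not part of Shintaro's post and not setroubleshoot's code), here is a small parser that turns the two raw records above into a structured summary and applies the two kernel facts that make this particular record readable: SELinux reports capabilities 0-31 in class `capability` and 32 and up in class `capability2`, and when a process writes a `security.selinux` value that the loaded policy cannot map to a context, the kernel only stores the undefined label if the caller has CAP_MAC_ADMIN, otherwise it audits the denial and the setxattr fails with EINVAL. `SAMPLE` is the post's own two records with the mailer's line wrapping undone; `CAPABILITY_NAMES` is an assumed subset of linux/capability.h. The parser does not say which label setfiles was trying to write (the audit record does not carry it), only what the record itself establishes.

```python
"""Parse raw audit(8) AVC/SYSCALL records from an SELinux denial.

Added example, not from the original post. Groups the records of one
event by serial number and summarises the capability denial pattern.
"""
import re
from collections import defaultdict

# Constructed input: the thread's two Raw Audit Messages, rejoined.
SAMPLE = """\
type=AVC msg=audit(1401014173.443:796): avc: denied { mac_admin } for pid=13598 comm="restorecon" capability=33 scontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2
type=SYSCALL msg=audit(1401014173.443:796): arch=x86_64 syscall=lsetxattr success=no exit=EINVAL a0=7f5e992cc820 a1=7f5e9708556e a2=7f5e992cf070 a3=29 items=0 ppid=13002 pid=13598 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:system_r:setfiles_t:s0-s0:c0.c1023 key=(null)
"""

# Assumed subset of linux/capability.h numbering; >= 32 means class capability2.
CAPABILITY_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    7: "setuid", 12: "net_admin", 13: "net_raw", 16: "sys_module",
    19: "sys_ptrace", 21: "sys_admin", 27: "mknod", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 37: "audit_read",
}
SETXATTR_SYSCALLS = ("setxattr", "lsetxattr", "fsetxattr")

_EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_PERMS_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """One audit line -> dict of its key=value fields plus _result/_permissions."""
    rec = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    m = _EVENT_RE.search(line)
    if not m:
        raise ValueError("no audit(ts:serial) in record: %r" % line)
    rec["_timestamp"], rec["_serial"] = float(m.group(1)), int(m.group(2))
    m = _PERMS_RE.search(line)
    if m:
        rec["_result"] = m.group(1)
        rec["_permissions"] = m.group(2).split()
    return rec


def group_events(text):
    """Group records by serial: {serial: {"AVC": [recs], "SYSCALL": rec}}."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("type") == "AVC":
            events[rec["_serial"]]["AVC"].append(rec)
        elif rec.get("type") == "SYSCALL":
            events[rec["_serial"]]["SYSCALL"] = rec
    return dict(events)


def summarise(serial, event):
    """Flatten the first AVC record and the SYSCALL record of one event."""
    avc = event["AVC"][0] if event["AVC"] else {}
    sc = event["SYSCALL"] or {}
    cap = int(avc["capability"]) if "capability" in avc else None
    return {
        "serial": serial,
        "result": avc.get("_result"),
        "permissions": avc.get("_permissions", []),
        "tclass": avc.get("tclass"),
        "capability": cap,
        "capability_name": CAPABILITY_NAMES.get(cap),
        "scontext": avc.get("scontext"),
        "tcontext": avc.get("tcontext"),
        "self_directed": avc.get("scontext") == avc.get("tcontext"),
        "syscall": sc.get("syscall"),
        "exit": sc.get("exit"),
        "exe": sc.get("exe"),
        "comm": avc.get("comm"),
    }


def summarise_all(text):
    events = group_events(text)
    return [summarise(s, events[s]) for s in sorted(events)]


def capability_class_consistent(summary):
    """True when the capability number matches the class it was reported in."""
    cap, tclass = summary["capability"], summary["tclass"]
    if cap is None:
        return tclass not in ("capability", "capability2")
    return ((tclass == "capability" and 0 <= cap < 32)
            or (tclass == "capability2" and 32 <= cap < 64))


def explain(summary):
    """Plain-language reading; special-cases the setxattr/mac_admin pattern."""
    if "mac_admin" in summary["permissions"] and summary["syscall"] in SETXATTR_SYSCALLS:
        return ("%s (%s) tried to write a security.selinux value that the loaded "
                "policy cannot map to a known context; without CAP_MAC_ADMIN the "
                "kernel will not store the undefined label and the call fails with "
                "%s. Check which type file_contexts assigns the path and whether "
                "that type exists in the policy currently loaded (seinfo -t<type>)."
                % (summary["exe"], summary["comm"], summary["exit"]))
    return "%s denied %s on class %s" % (
        summary["comm"], " ".join(summary["permissions"]), summary["tclass"])


if __name__ == "__main__":
    for s in summarise_all(SAMPLE):
        print(explain(s))
```

Feed it `ausearch -m avc,syscall -ts recent` output (or lines grepped from /var/log/audit/audit.log) and it produces one summary per event serial; the class-consistency check is a cheap sanity test that the records were not mangled in transit, which matters when they were pasted through a mailer as here.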
system_u process does not have system_r
by dE
I've mapped user 'de' to system_u --
semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
de system_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
system_u system_u s0-s0:c0.c1023 *
However the processes do not have the system_r role; as a result the type value of many contexts fails to set, because unconfined_r is not allowed to have that type.
ps auxZ | grep nano
system_u:unconfined_r:unconfined_t:s0 de 544 0.0 0.3 115024 1568 pts/1 S+ 22:11 0:00 nano
system_u:unconfined_r:unconfined_t:s0 root 611 0.0 0.1 112632 888 pts/0 S+ 22:14 0:00 grep --color=auto nano
Actually unconfined_r role is not allowed for the user --
seinfo -uuser_u -x
user_u
default level: s0
range: s0
roles:
object_r
user_r
9 years, 4 months
Syntax error while compiling base.conf
by Harpreet
Hello
I downloaded the SELinux refpolicy source code from
http://oss.tresys.com/projects/refpolicy/wiki/DownloadRelease
While compiling the source code I am getting the following error:
Compiling refpolicy base module
/usr/bin/checkmodule base.conf -o tmp/base.mod
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:1:ERROR 'syntax error' at token 'attribute' on line 1:
Following is brief snapshot of base.conf file(from line 1)
attribute auth_file_type;
attribute boolean_type;
attribute can_change_object_identity;
attribute can_change_process_identity;
attribute can_change_process_role;
attribute can_dump_kernel;
attribute can_load_kernmodule;
attribute can_load_policy;
Please help me in solving this error.
regards
9 years, 4 months
[PATCH for f20 1/4] Add basic files for functional tests in python
by Rastislav Hepner
Hey guys,
As part of my college thesis I was attempting to unit test
libselinux-2.2.2-4 on Fedora 20 via Python (using the unittest framework).
I've created a bunch of tests (60) for some labeling functions, but the result
is not very good.
Decision coverage of the code under test is roughly 45%, caused mostly by the inability to stub
dependencies of the C source code from Python. So the tests look more like
integration/functional tests.
I'm interested in your feedback on whether there is a need for such tests or whether it's a waste.
Thank you.
Add runner of tests and helper module which
contains useful function definitions.
---
tests/helper.py | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
tests/runtests.py | 46 +++++++++++++++++++++++++++++++++++++
2 files changed, 115 insertions(+)
create mode 100755 tests/helper.py
create mode 100755 tests/runtests.py
diff --git a/tests/helper.py b/tests/helper.py
new file mode 100755
index 0000000..8d588ff
--- /dev/null
+++ b/tests/helper.py
@@ -0,0 +1,69 @@
+#!/usr/bin/env python
+
+#This program is free software: you can redistribute it and/or modify
+#it under the terms of the GNU General Public License as published by
+#the Free Software Foundation, either version 3 of the License, or
+#(at your option) any later version.
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#GNU General Public License for more details.
+#
+#For more information see <http://www.gnu.org/licenses/>
+
+
+import selinux
+import unittest
+import subprocess
+import re
+
+def findProcess(processName):
+ """Look whether process is active
+
+ Check whether process is up via bash command ps.
+
+ Args:
+ processName: Name of the process we are interested in.
+
+ Returns:
+ Lines of ouput from ps command which are describing active
+ instances of processName.
+ """
+ ps = subprocess.Popen("ps -ef | grep " + processName + " | grep -v grep",
+ shell=True, stdout=subprocess.PIPE)
+ output = ps.stdout.read()
+ ps.stdout.close()
+ ps.wait()
+ return output
+
+def contextTranslation():
+ """Check if context translation is active.
+
+ It perform this by checking if daemon mcstransd is running.
+
+ Returns:
+ True when mcstransd is up.
+ False when its not.
+ """
+ processName = "mcstransd"
+ output = findProcess(processName)
+ if re.search(processName, output) is not None:
+ return True
+ else:
+ return False
+
+def read_attr_file(self, filename, pid="self"):
+ """Reads files from /proc/.../attr/
+ """
+ file_path = "/proc/%s/attr/%s" % (str(pid), filename)
+ fo = open(file_path, "r")
+ context = fo.read()[:-1]
+ fo.close()
+
+ if context == "":
+ return None
+ else:
+ return context
+
+if __name__ == '__main__':
+ print ("Module containing helpful definitions for testing libselinux.")
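Review bot: `read_attr_file(self, filename, pid="self")` is a module-level function, so its first parameter is not a bound `self`; the callers in patches 3/4 and 4/4 invoke it as `helper.read_attr_file(pid, "fscreate")`, which binds the PID to `self`, the attribute name to `filename`, and leaves `pid` at its default `"self"`. The PID argument is therefore silently ignored and every read goes to `/proc/self/attr/...`; drop the `self` parameter and use `read_attr_file(pid, filename)` to match the callers (or `(filename, pid="self")` and fix the callers). Separately, `findProcess` builds `"ps -ef | grep " + processName + " | grep -v grep"` with `shell=True`, so a name containing shell metacharacters is executed, and the match is a substring match against whole command lines, so any process whose arguments contain "mcstransd" counts as the daemon; `subprocess.check_output(["pgrep", "-x", processName])` inside a try/except for the non-zero exit gives an exact, injection-free check. `import selinux` and `import unittest` are unused in this module.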
diff --git a/tests/runtests.py b/tests/runtests.py
new file mode 100755
index 0000000..f6a9c5c
--- /dev/null
+++ b/tests/runtests.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+
+#This program is free software: you can redistribute it and/or modify
+#it under the terms of the GNU General Public License as published by
+#the Free Software Foundation, either version 3 of the License, or
+#(at your option) any later version.
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#GNU General Public License for more details.
+#
+#For more information see <http://www.gnu.org/licenses/>
+
+
+import unittest
+import argparse
+import sys
+import os
+
+parser = argparse.ArgumentParser()
+parser.add_argument("-a", "--all", action="store_true", help="run all tests")
+parser.add_argument("-t", "--test", help="run single test specified
as module.testcase.test"
+ ", specify module without '.py' suffix!")
+parser.add_argument("-v", "--verbosity", type=int, choices=[0, 1, 2],
+ help="adhere verbosity of tests", default=2)
+parser.add_argument("-d", "--directory", help="choose directory with tests",
+ default=os.path.dirname(__file__))
+
+args = parser.parse_args()
+
+if args.directory and not os.path.isdir(args.directory):
+ print "No such directory!\n\n"
+ parser.print_help()
+ sys.exit(-1)
+
+if args.all:
+ suite = unittest.TestLoader().discover(args.directory)
+elif args.test:
+ suite = unittest.TestLoader().loadTestsFromName(args.test, None)
+else:
+ parser.print_help()
+ sys.exit(0)
+
+
+unittest.TextTestRunner(verbosity=args.verbosity).run(suite)
+
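Review bot: the result of `unittest.TextTestRunner(...).run(suite)` is discarded, so the script exits 0 even when tests fail and a spec `%check` section or CI has no way to notice. Capture it and exit accordingly: `result = unittest.TextTestRunner(verbosity=args.verbosity).run(suite)` followed by `sys.exit(0 if result.wasSuccessful() else 1)`. Related: `sys.exit(-1)` for a bad `--directory` yields exit status 255, and the no-argument path prints help and exits 0; both should be a small non-zero status. The `--test` help string has been wrapped by the mailer over three lines in this hunk; make sure the committed file has it as one string or uses parenthesised implicit concatenation, otherwise the module will not parse. Also, `os.path.dirname(__file__)` is `''` when the script is run as `python runtests.py` from its own directory; `os.path.dirname(os.path.abspath(__file__))` is the robust default.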
--
1.9.0
9 years, 4 months
[PATCH for f20 1/1] Remove changelog duplicate entries breaking timeline
by Rastislav Hepner
Due to this, fedpkg complained:
error: %changelog not in descending chronological order
error: query of specfile /home/rasto/libselinux/libselinux.spec failed, can't parse
---
libselinux.spec | 6 ------
1 file changed, 6 deletions(-)
diff --git a/libselinux.spec b/libselinux.spec
index e334aec..cb9460c 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -266,12 +266,6 @@ rm -rf %{buildroot}
* Mon Dec 23 2013 Dan Walsh <dwalsh(a)redhat.com> - 2.2.1-5
- Verify context is not null when passed into lsetfilecon_raw
-* Fri Dec 27 2013 Adam Williamson <awilliam(a)redhat.com> - 2.2.1-6
-- revert unexplained change to rhat.patch which broke SELinux disablement
-
-* Mon Dec 23 2013 Dan Walsh <dwalsh(a)redhat.com> - 2.2.1-5
-- Verify context is not null when passed into lsetfilecon_raw
-
* Wed Dec 18 2013 Dan Walsh <dwalsh(a)redhat.com> - 2.2.1-4
- Mv selinux.go to /usr/share/gocode/src/selinux
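Review bot: the hunk deletes the only visible `2.2.1-6` entry (Adam Williamson's revert of the rhat.patch change) together with the duplicated `2.2.1-5` block, while the commit message only speaks of duplicate entries. For the changelog to be in descending order a `2.2.1-6` entry must still exist above the `2.2.1-5` entry that this hunk keeps as its leading context; please confirm that one is present there (so this really is a second copy) rather than lost, and otherwise keep the `Fri Dec 27 2013 ... 2.2.1-6` entry and move it above `2.2.1-5` instead of dropping it.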
--
1.9.0
9 years, 4 months
[PATCH for f20 4/4] Add tests for file creation labeling functions
by Rastislav Hepner
getfscreatecon(_raw), setfscreatecon(_raw);
---
tests/test_fileCreation_labeling.py | 129 ++++++++++++++++++++++++++++++++++++
1 file changed, 129 insertions(+)
create mode 100755 tests/test_fileCreation_labeling.py
diff --git a/tests/test_fileCreation_labeling.py
b/tests/test_fileCreation_labeling.py
new file mode 100755
index 0000000..276b307
--- /dev/null
+++ b/tests/test_fileCreation_labeling.py
@@ -0,0 +1,129 @@
+#!/usr/bin/env python
+
+#This program is free software: you can redistribute it and/or modify
+#it under the terms of the GNU General Public License as published by
+#the Free Software Foundation, either version 3 of the License, or
+#(at your option) any later version.
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#GNU General Public License for more details.
+#
+#For more information see <http://www.gnu.org/licenses/>
+
+"""Tests for:
+getfscreatecon(_raw), setfscreatecon(_con)
+"""
+
+import helper
+import selinux
+import unittest
+import sys
+
+
+class auxiliaryTestCase(unittest.TestCase):
+ """Auxiliary class.
+ """
+
+ def __init__(self, test_method="runTest"):
+ unittest.TestCase.__init__(self, test_method)
+ self.raw_con = "unconfined_u:unconfined_r:unconfined_t:s0"
+ self.trans_con = "unconfined_u:unconfined_r:unconfined_t:SystemLow"
+ self.wrong_con = "WRONG CONTEXT"
+
+ def tearDown(self):
+ """Clears the fscreate file after every test
+ """
+ selinux.setfscreatecon_raw(None)
+
+ def read_fscreate(self, pid="self"):
+ """Reads selinux context from /proc/self/attr/fscreate file.
+
+ Args:
+ pid: PID of process whose /proc/.../fscreate file should be read.
+
+ Returns:
+ None if /proc/.../fscreate contains "".
+ Fscreate selinux context otherwise.
+ """
+ return helper.read_attr_file(pid, "fscreate")
+
+
+class getfscreateconRawTestCase(auxiliaryTestCase):
+ """TestCase for getfscreatecon_raw() funciton.
+ """
+
+ def test_getfscreateconRaw_FscreateIsEmpty_ReturnedNone(self):
+ #Make sure file is empty
+ selinux.setfscreatecon_raw(None)
+ self.assertEqual(self.read_fscreate(), None, "Gathered context from "
+ "/proc/.../fscreate file should be None!")
+
+ def test_getfscreateconRaw_RawConInFscreate_ReturnsRawCon(self):
+ #Put raw_con into fscreate file first
+ selinux.setfscreatecon_raw(self.raw_con)
+ self.assertEqual(selinux.getfscreatecon_raw()[1],
self.raw_con, "raw_con was "
+ "not returned as expected")
+
+
+class setfscreateconRawTestCase(auxiliaryTestCase):
+ """TestCase for setfscreatecon_raw() funciton.
+ """
+
+ def test_setfscreateconRaw_InsertRawCon_InsertedSuccessfully(self):
+ selinux.setfscreatecon_raw(self.raw_con)
+ self.assertEqual(self.read_fscreate(), self.raw_con, "raw_con was "
+ "not put into /proc/.../fscreate file!")
+
+ def test_setfscreateconRaw_RawConRemoval_RawConRemoved(self):
+ selinux.setfscreatecon_raw(self.raw_con)
+ selinux.setfscreatecon_raw(None)
+ self.assertEqual(self.read_fscreate(), None, "Removal "
+ "of raw_con has failed! setfscreatecon_raw(None) "
+ "did not work!")
+
+ def test_setfscreateconRaw_WrongContextUsed_OSErrorRaised(self):
+ self.assertRaisesRegexp(OSError, '\[Errno 22\]',
selinux.setfscreatecon_raw,
+ self.wrong_con)
+
+
+class getfscreateconTestCase(auxiliaryTestCase):
+ """TestCase for getfscreatecon() function.
+ """
+
+ @unittest.skipIf(helper.contextTranslation(), "Context-trans active!")
+ def test_getfscreatecon_RawContextInFscreate_ReturnsRawContext(self):
+ selinux.setfscreatecon_raw(self.raw_con)
+ self.assertEqual(selinux.getfscreatecon()[1], self.raw_con,
"raw_con was "
+ "not returned as expected!")
+
+ @unittest.skipUnless(helper.contextTranslation(), "Context-trans
inactive!")
+ def test_getfscreatecon_RawContextInFscreate_ReturnsTransContext(self):
+ selinux.setfscreatecon_raw(self.raw_con)
+ self.assertEqual(selinux.getfscreatecon()[1], self.trans_con,
"trans_con was "
+ "not returned as expected!")
+
+
+class setfscreateconTestCase(auxiliaryTestCase):
+ """TestCase for setfscreatecon() funciton.
+ """
+
+ @unittest.skipUnless(helper.contextTranslation(), "Context-trans
inactive!")
+ def test_setfscreatecon_InsertTransCon_InsertedSuccessfully(self):
+ selinux.setfscreatecon(self.trans_con)
+ self.assertEqual(self.read_fscreate(), self.raw_con, "trans_con was "
+ "not put into /proc/.../fscreate file!")
+
+ def test_setfscreatecon_InsertRawCon_InsertedSuccessfully(self):
+ selinux.setfscreatecon(self.raw_con)
+ self.assertEqual(self.read_fscreate(), self.raw_con, "raw_con was "
+ "not put into /proc/.../fscreate file!")
+
+ def test_setfscreateconRaw_WrongContextUsed_OSErrorRaised(self):
+ self.assertRaisesRegexp(OSError, '\[Errno 22\]',
selinux.setfscreatecon,
+ self.wrong_con)
+
+
+if __name__ == "__main__":
+ suite = unittest.TestLoader().loadTestsFromModule(sys.modules[auxiliaryTestCase.__module__])
+ unittest.TextTestRunner(verbosity=2).run(suite)
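Review bot: `test_getfscreateconRaw_FscreateIsEmpty_ReturnedNone` never calls `getfscreatecon_raw()`; it sets the attribute to `None` and then asserts on `read_fscreate()`, so it only tests the helper, not the function the class is named for. Assert on the function under test: `self.assertEqual(selinux.getfscreatecon_raw()[1], None, ...)`. `read_fscreate` calls `helper.read_attr_file(pid, "fscreate")`, but with the helper's signature `(self, filename, pid="self")` the PID lands in `self` and is ignored; harmless while only `"self"` is passed, wrong for any other PID. The hardcoded `unconfined_u:unconfined_r:unconfined_t:s0` and its `SystemLow` translation make the whole module fail for any other SELinux user, role or translation table; deriving `raw_con` from `selinux.getcon_raw()[1]` in `__init__` keeps the tests meaningful elsewhere. There is no `setUp`, so a run that starts after another module left `fscreate` set begins dirty (the `tearDown` only cleans up afterwards). Nits: the module docstring says `setfscreatecon(_con)` for `setfscreatecon(_raw)`, and `funciton` appears in three class docstrings.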
--
1.9.0
9 years, 4 months
[PATCH for f20 3/4] Add tests for process labeling functions
by Rastislav Hepner
getcon(_raw), setcon(_raw), getexeccon(_raw),
setexeccon(_raw), getpidcon(_raw), getprevcon(_raw),
---
tests/test_process_labeling.py | 298 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 298 insertions(+)
create mode 100755 tests/test_process_labeling.py
diff --git a/tests/test_process_labeling.py b/tests/test_process_labeling.py
new file mode 100755
index 0000000..507738c
--- /dev/null
+++ b/tests/test_process_labeling.py
@@ -0,0 +1,298 @@
+#!/usr/bin/env python
+
+
+#This program is free software: you can redistribute it and/or modify
+#it under the terms of the GNU General Public License as published by
+#the Free Software Foundation, either version 3 of the License, or
+#(at your option) any later version.
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#GNU General Public License for more details.
+#
+#For more information see <http://www.gnu.org/licenses/>
+
+"""Tests for:
+getcon(_raw), setcon(_raw), getexeccon(_raw), setexeccon(_raw),
+getpidcon(_raw), getprevcon(_raw)
+"""
+
+import selinux
+import unittest
+import subprocess
+import os
+import sys
+import errno
+import helper
+
+
+class auxiliaryTestCase(unittest.TestCase):
+ """Auxiliary class.
+
+ Atributes:
+ raw_con: raw selinux context used in tests.
+ trans_con: translated version of raw_con
+ wrong_con: wrong context which is used as bad input.
+ raw_default_con: raw default context for unconfined process
+ trans_default_con: translated version of raw_default_con
+ cmds: tuple containing path to testing process and its input.
+ """
+
+ def __init__(self, test_method="runTest"):
+ unittest.TestCase.__init__(self, test_method)
+ self.raw_con = "unconfined_u:unconfined_r:unconfined_t:s0"
+ self.trans_con = "unconfined_u:unconfined_r:unconfined_t:SystemLow"
+ self.wrong_con = "WRONG CONTEXT"
+ self.raw_default_con =
"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
+ self.trans_default_con =
"unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh"
+ self.pid = os.getpid()
+
+
+ def kill_test_process(self, process):
+ """Kills testing process.
+ """
+
+ process.kill()
+ process.wait()
+
+ def start_test_process(self):
+ """Starts testing process.
+
+ Returns:
+ A object of started process.
+ """
+
+ p = subprocess.Popen(self.cmd)
+ return p
+
+ def read_current(self, pid="self"):
+ """Reads selinux context from /proc/self/attr/current file.
+
+ Args:
+ pid: PID of process whose /proc/.../current file should be read.
+ Returns:
+ Current selinux context of the process.
+ """
+ return helper.read_attr_file(pid, "current")
+
+ def read_prev(self, pid="self"):
+ """Reads selinux context from /proc/self/attr/prev file.
+
+ Args:
+ pid: PID of process whose /proc/.../prev file should be read.
+ Returns:
+ Previous selinux context of the process.
+ """
+ return helper.read_attr_file(pid, "prev")
+
+ def read_exec(self, pid="self"):
+ """Reads selinux context from /proc/self/attr/exec file.
+
+ Args:
+ pid: PID of process whose /proc/.../exec file should be read.
+ Returns:
+ None if /proc/.../exec contains "".
+ Exec selinux context otherwise.
+ """
+ return helper.read_attr_file(pid, "exec")
+
+
+class setexecconRawTestCase(auxiliaryTestCase):
+ """TestCase for setexeccon() function.
+ """
+ def setUp(self):
+ selinux.setexeccon_raw(None)
+
+ def test_setexecconRaw_InsertRawCon_InsertedSuccessfully(self):
+ selinux.setexeccon_raw(self.raw_con)
+ self.assertEqual(self.read_exec(), self.raw_con, "raw_con was "
+ "not put into /proc/.../exec file!")
+
+ def test_setexecconRaw_RawConRemoval_RawConRemoved(self):
+ selinux.setexeccon_raw(self.raw_con)
+ selinux.setexeccon_raw(None)
+ self.assertNotEqual(self.read_exec(), self.raw_con, "Removal "
+ "of raw_con has failed! setexeccon_raw(None) "
+ "did not work!")
+
+ def test_setexecconRaw_WrongContextUsed_OSErrorRaised(self):
+ self.assertRaisesRegexp(OSError, '\[Errno 22\]',
selinux.setexeccon_raw,
+ self.wrong_con)
+
+
+class setexecconTestCase(auxiliaryTestCase):
+ """TestCase for setexeccon() function.
+ """
+ def setUp(self):
+ selinux.setexeccon(None)
+
+ def test_setexeccon_InsertRawCon_InsertedSuccessfully(self):
+ selinux.setexeccon(self.raw_con)
+ self.assertEqual(self.read_exec(), self.raw_con, "raw_con was "
+ "not set as expected!")
+
+ @unittest.skipUnless(helper.contextTranslation(), "Context-trans
inactive!")
+ def test_setexeccon_InsertTransCon_InsertedSuccessfully(self):
+ selinux.setexeccon(self.trans_con)
+ self.assertEqual(self.read_exec(), self.raw_con, "trans_con was "
+ "not set as expected!")
+
+
+class getexecconRawTestCase(auxiliaryTestCase):
+ """TestCase for getexeccon_raw() function.
+ """
+ def setUp(self):
+ selinux.setexeccon_raw(None)
+
+ def test_getexecconRaw_ExecIsEmpty_ReturnedNone(self):
+ selinux.setexeccon_raw(None)
+ self.assertEqual(selinux.getexeccon_raw()[1], None, "Gathered
context from "
+ "/proc/.../exec file should be None!")
+
+ def test_getexecconRaw_RawConInExec_ReturnedRawCon(self):
+ selinux.setexeccon(self.raw_con)
+ self.assertEqual(selinux.getexeccon_raw()[1], self.raw_con,
"raw_con was "
+ "not returned as expected!")
+
+
+class getexecconTestCase(auxiliaryTestCase):
+ """TestCase for getexeccon_raw() function.
+ """
+ def setUp(self):
+ selinux.setexeccon_raw(None)
+
+ @unittest.skipIf(helper.contextTranslation(), "Context-trans active!")
+ def test_getexeccon_RawContextInExec_ReturnedRawContext(self):
+ selinux.setexeccon_raw(self.raw_con)
+ self.assertEqual(selinux.getexeccon()[1], self.raw_con, "raw_con was "
+ "not returned as expected!")
+
+ @unittest.skipUnless(helper.contextTranslation(), "Context-trans
inactive!")
+ def test_getexeccon_RawContextInExec_ReturnedTransContext(self):
+ selinux.setexeccon_raw(self.raw_con)
+ self.assertEqual(selinux.getexeccon()[1], self.trans_con,
"trans_con was "
+ "not returned as expected!")
+
+
+class setconTestCaseRaw(auxiliaryTestCase):
+ """TestCase for setcon() function.
+ """
+
+ def setUp(self):
+ selinux.setcon_raw(self.raw_default_con)
+
+ def test_setconRaw_InsertRawCon_InsertedSuccessfully(self):
+ selinux.setcon_raw(self.raw_con)
+ self.assertEqual(self.read_current(), self.raw_con, "raw_con was "
+ "not put into /proc/.../current file!")
+
+ def test_setconRaw_RawConRemoval_OSErrorRaised(self):
+ #We cannot clear current context
+ self.assertRaisesRegexp(OSError, '\[Errno 22\]', selinux.setcon_raw,
+ None)
+
+ def test_setconRaw_WrongContextUsed_OSErrorRaised(self):
+ self.assertRaisesRegexp(OSError, '\[Errno 22\]', selinux.setcon_raw,
+ self.wrong_con)
+
+
+class setconTestCase(auxiliaryTestCase):
+ """TestCase for setcon() function.
+ """
+ def setUp(self):
+ selinux.setcon(self.raw_default_con)
+
+ def test_setcon_InsertRawCon_InsertedSuccessfully(self):
+ selinux.setcon(self.raw_con)
+ self.assertEqual(self.read_current(), self.raw_con, "raw_con was "
+ "not set as expected!")
+
+ @unittest.skipUnless(helper.contextTranslation(), "Context-trans
inactive!")
+ def test_setcon_InsertTransCon_InsertedSuccessfully(self):
+ selinux.setcon(self.trans_con)
+ self.assertEqual(self.read_current(), self.raw_con, "trans_con was "
+ "not set as expected!")
+
+
+class getconTestRawCase(auxiliaryTestCase):
+ """TestCase for getcon() function.
+ """
+ def setUp(self):
+ selinux.setcon_raw(self.raw_default_con)
+
+ def test_getconRaw_RawConInCurrent_ReturnedRawCon(self):
+ selinux.setcon_raw(self.raw_con)
+ self.assertEqual(selinux.getcon_raw()[1], self.raw_con, "raw_con was "
+ "not returned as expected!")
+
+
+class getconTestCase(auxiliaryTestCase):
+ """TestCase for getcon() function.
+ """
+ def setUp(self):
+ selinux.setcon_raw(self.raw_default_con)
+
+ @unittest.skipIf(helper.contextTranslation(), "Context-trans active!")
+ def test_getcon_RawContextInCurrent_ReturnedRawContext(self):
+ selinux.setcon_raw(self.raw_con)
+ self.assertEqual(selinux.getcon()[1], self.raw_con, "raw_con was "
+ "not returned as expected!")
+
+ @unittest.skipUnless(helper.contextTranslation(), "Context-trans
inactive!")
+ def test_getcon_RawContextInCurrent_ReturnedTransContext(self):
+ selinux.setcon_raw(self.raw_con)
+ self.assertEqual(selinux.getcon()[1], self.trans_con, "trans_con was "
+ "not returned as expected!")
+
+class getpidconRawTestCase(auxiliaryTestCase):
+ """TestCase for getpidcon_raw() function.
+ """
+ def test_getpidconRaw_RawConInCurrent_ReturnedRawCon(self):
+ #self.pid contains pid of current process
+ selinux.setcon_raw(self.raw_con)
+ self.assertEqual(selinux.getpidcon_raw(self.pid)[1],
self.raw_con, "raw_con was "
+ "not returned as expected!")
+
+class getpidconTestCase(auxiliaryTestCase):
+ """TestCase for getpidcon() function.
+ """
+ def setUp(self):
+ selinux.setcon_raw(self.raw_default_con)
+
+ @unittest.skipIf(helper.contextTranslation(), "Context-trans active!")
+ def test_getpidcon_RawContextInCurrent_ReturnedRawContext(self):
+ selinux.setcon_raw(self.raw_con)
+ self.assertEqual(selinux.getpidcon(self.pid)[1],
self.raw_con, "raw_con was "
+ "not returned as expected!")
+
+ @unittest.skipUnless(helper.contextTranslation(), "Context-trans
inactive!")
+ def test_getpidcon_RawContextInCurrent_ReturnedTransContext(self):
+ selinux.setcon_raw(self.raw_con)
+ self.assertEqual(selinux.getpidcon(self.pid)[1],
self.trans_con, "trans_con was "
+ "not returned as expected!")
+
+class getprevconRawTestCase(auxiliaryTestCase):
+ """TestCase for getprevcon_raw() function.
+ """
+ def test_getprevconRaw_ReadingPrevCon_ReadSuccessfully(self):
+ self.assertEqual(self.read_prev(),
selinux.getprevcon_raw()[1], "prev con was "
+ "not returned as expected!")
+
+class getprevconTestCase(auxiliaryTestCase):
+ """TestCase for getprevcon_raw() function.
+ """
+ @unittest.skipUnless(helper.contextTranslation(), "Context-trans active!")
+ def test_getprevcon_ReadingPrevCon_TransConReadSuccessfully(self):
+ self.assertEqual(selinux.getprevcon()[1],
self.trans_default_con , "translated "
+ " prev con was not returned as expected!")
+
+ @unittest.skipIf(helper.contextTranslation(), "Context-trans inactive!")
+ def test_getprevcon_ReadingPrevCon_RawConReadSuccessfully(self):
+ self.assertEqual(selinux.getprevcon()[1], self.raw_default_con, "raw "
+ "previous con was not returned as expected!")
+
+
+if __name__ == "__main__":
+ suite = unittest.TestLoader().loadTestsFromModule(sys.modules[auxiliaryTestCase.__module__])
+ unittest.TextTestRunner(verbosity=2).run(suite)
+
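Review bot: `start_test_process` uses `self.cmd`, which no `__init__` or `setUp` assigns (the class docstring advertises a `cmds` tuple that is not set either), so calling it raises `AttributeError`. Neither it nor `kill_test_process` is used by any test, so either drop both or add the test they exist for: launch a process and compare `selinux.getpidcon_raw(p.pid)[1]` with `read_current(p.pid)`, which is the only way the PID branch of `getpidcon*` gets exercised (every existing `getpidcon*` test passes `self.pid`, the runner's own PID, and `helper.read_attr_file` ignores the PID argument anyway). `setcon_raw(self.raw_con)` relabels the runner itself from `...:s0-s0:c0.c1023` to `...:s0`; the `setUp` hooks put it back, but `getpidconRawTestCase` and both `getprevcon*` classes have no `setUp`, so their outcome depends on which class ran before them, and the `getprevcon*` assertions additionally assume the runner was exec'd from an unconfined shell with the full category range. In `getprevconTestCase` the skip reasons are inverted relative to the other classes (`skipUnless(..., "Context-trans active!")`). `test_getexecconRaw_RawConInExec_ReturnedRawCon` seeds the `_raw` getter with `setexeccon` rather than `setexeccon_raw`, so it is not independent of translation. Docstrings of `setexecconRawTestCase`, `getexecconTestCase`, `setconTestCaseRaw` and `getconTestRawCase` name the wrong function.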
--
1.9.0
9 years, 4 months
[PATCH for f20 2/4] Add tests for file labeling functions
by Rastislav Hepner
getfilecon(_raw), setfilecon(_raw),
lgetfilecon(_raw), fgetfilecon(_raw),
lsetfilecon(_raw);
---
tests/test_file_labeling.py | 408 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 408 insertions(+)
create mode 100755 tests/test_file_labeling.py
diff --git a/tests/test_file_labeling.py b/tests/test_file_labeling.py
new file mode 100755
index 0000000..420dc78
--- /dev/null
+++ b/tests/test_file_labeling.py
@@ -0,0 +1,408 @@
+#!/usr/bin/env python
+
+#This program is free software: you can redistribute it and/or modify
+#it under the terms of the GNU General Public License as published by
+#the Free Software Foundation, either version 3 of the License, or
+#(at your option) any later version.
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#GNU General Public License for more details.
+#
+#For more information see <http://www.gnu.org/licenses/>
+
+"""Tests for:
+getfilecon(_raw), setfilecon(_raw), lgetfilecon(_raw), fgetfilecon(_raw)
+lsetfilecon(_raw)
+"""
+
+import selinux
+import unittest
+import xattr
+import os
+import sys
+import errno
+import uuid
+import helper
+
+class auxiliaryTestCase(unittest.TestCase):
+ """Auxiliary class.
+
+ Atributes:
+ testfile: path to testing file.
+ testfile_symlink: path to link of testing file.
+ fo_testfile: file object of testfile.
+ fo_testfile_symlink: file object of testfile_symlink.
+ raw_con: testing selinux context.
+ wrong_con: non-existing selinux context.
+ """
+
+ def __init__(self, test_method="runTest"):
+ unittest.TestCase.__init__(self, test_method)
+ self.fo_testfile = None
+ self.fo_testfile_symlink = None
+ self.raw_con = "system_u:object_r:tmp_t:s0"
+ self.trans_con = "system_u:object_r:tmp_t:SystemLow"
+ self.wrong_con = "WRONG CONTEXT"
+
+ def setUp(self):
+ self.setUpFileOnly()
+ #Creates unique filename for symlink
+ self.testfile_symlink = "/tmp/" + str(uuid.uuid4())
+ #Use that unique filename for creating file
+ self.create_test_file_symlink()
+
+ def setUpFileOnly(self):
+ """SetUp only file without symlink
+ """
+ self.testfile = "/tmp/" + str(uuid.uuid4())
+ self.create_test_file()
+
+ def remove_file(self, path):
+ try:
+ os.remove(path)
+ #If file with path did not exist continue
+ except OSError as e:
+ if e.errno != errno.ENOENT:
+ raise e
+
+ def tearDown(self):
+ self.remove_file(self.testfile_symlink)
+ self.testfile_symlink = ""
+ self.fo_testfile_symlink = None
+ self.tearDownFileOnly()
+
+
+ def tearDownFileOnly(self):
+ self.remove_file(self.testfile)
+ self.testfile = ""
+ self.fo_testfile = None
+
+
+ def create_test_file(self):
+ """Creates test file.
+
+ Creates file with filename saved in self.testfile and
+ sets attribute self.fo_testfile with file object of the new file.
+ """
+
+ self.fo_testfile = open(self.testfile,"w")
+
+ def create_test_file_symlink(self):
+ """Creates symlink to test file.
+
+ Creates symlink for self.testfile.
+ """
+
+ os.symlink(self.testfile, self.testfile_symlink)
+ self.fo_testfile_symlink = open(self.testfile_symlink, "r")
+
+
+ def read_file_con(self, filepath, nofollow=False):
+ """Reads selinux context from file.
+
+ Args:
+ filepath: Path to file, from which context shall be read.
+ nofollow: If true function will read con of symlink.
+ Returns:
+ List where [0] is length of context with \00.
+ [1] is selinux context string without trailing \00.
+ """
+
+ output_list = []
+ if nofollow:
+ context = xattr.get(filepath, "security.selinux", True)
+ else:
+ context = xattr.get(filepath,"security.selinux")
+ output_list.append(len(context))
+ output_list.append(context[:-1])
+ return output_list
+
+ def set_file_con(self, fileid, context, nofollow=False):
+ """Writes selinux context from file.
+
+ Args:
+ fileid: Path or fd of the file, to which context shall be written.
+ context: Context we want to write to the file.
+ nofollow: If true function will write con to the symlink.
+ """
+
+ xattr.set(fileid, "security.selinux", context, 0, nofollow)
+
+
+class setfileconRawTestCase(auxiliaryTestCase):
+ """TestCase for setfilecon_raw() function.
+ """
+
+ def setUp(self):
+ self.setUpFileOnly()
+
+ def tearDown(self):
+ self.tearDownFileOnly()
+
+ def test_setfileconRaw_InsertRawCon_InsertedSuccessfully(self):
+ selinux.setfilecon_raw(self.testfile, self.raw_con)
+ self.assertEqual(self.read_file_con(self.testfile)[1], self.raw_con,
+ "File context of testfile was not changed after call "
+ "setfilecon_raw()!")
+
+ def test_setfileconRaw_FileDoesNotExist_OSErrorRaised(self):
+ os.remove(self.testfile)
+ self.assertRaisesRegexp(OSError, '\[Errno 2\]', selinux.setfilecon_raw,
+ self.testfile, self.raw_con)
+
+ def test_setfileconRaw_InsertWrongCon_OSErrorRaised(self):
+ self.assertRaisesRegexp(OSError, '\[Errno 22\]',
selinux.setfilecon_raw,
+ self.testfile, self.wrong_con)
+
+
+
+
+class setfileconTestCase(auxiliaryTestCase):
+ """TestCase for setfilecon() function.
+ """
+
+ def setUp(self):
+ self.setUpFileOnly()
+
+ def tearDown(self):
+ self.tearDownFileOnly()
+
+ @unittest.skipUnless(helper.contextTranslation(),
"Context-translation inactive!")
+ def test_setfilecon_InsertTransCon_InsertedSuccessfully(self):
+ selinux.setfilecon(self.testfile, self.trans_con)
+ self.assertEqual(self.read_file_con(self.testfile)[1], self.raw_con,
+ "File context of testfile was not changed after call "
+ "setfilecon()!")
+
+ def test_setfilecon_InsertRawCon_InsertedSuccessfully(self):
+ selinux.setfilecon(self.testfile, self.raw_con)
+ self.assertEqual(self.read_file_con(self.testfile)[1], self.raw_con,
+ "File context of testfile was not changed after call "
+ "setfilecon()!")
+
+
+
+class lsetfileconRawTestCase(auxiliaryTestCase):
+ """TestCase for lsetfilecon_raw() function.
+ """
+
+ def test_lsetfileconRaw_InsertRawCon_InsertedSuccessfully(self):
+ selinux.lsetfilecon_raw(self.testfile_symlink, self.raw_con)
+ self.assertEqual(self.read_file_con(self.testfile_symlink, True)[1],
+ self.raw_con, "File context of symbolic link to"
+ "testfile was not changed after call"
+ "lsetfilecon_raw()!")
+
+ def test_lsetfileconRaw_FileDoesNotExist_OSErrorRaised(self):
+ self.fo_testfile.close()
+ self.remove_file(self.testfile_symlink)
+ self.assertRaisesRegexp(OSError, '\[Errno 2\]', selinux.lsetfilecon,
+ self.testfile_symlink, self.raw_con)
+
+ def test_lsetfileconRaw_InsertWrongCon_OSErrorRaised(self):
+ self.assertRaisesRegexp(OSError, '\[Errno 22\]', selinux.lsetfilecon,
+ self.testfile_symlink, self.wrong_con)
+
+
+class lsetfileconTestCase(auxiliaryTestCase):
+ """TestCase for lsetfilecon_raw() function.
+ """
+
+ def test_lsetfilecon_InsertRawCon_InsertedSuccessfully(self):
+ selinux.lsetfilecon(self.testfile_symlink, self.raw_con)
+ self.assertEqual(self.read_file_con(self.testfile_symlink,
True)[1], self.raw_con,
+ "File context of symbolic link to testfile was not "
+ "changed after call lsetfilecon()!")
+
+ @unittest.skipUnless(helper.contextTranslation(),
"Context-translation inactive!")
+ def test_lsetfilecon_InsertTransCon_InsertedSuccessfully(self):
+ selinux.lsetfilecon(self.testfile_symlink, self.trans_con)
+ self.assertEqual(self.read_file_con(self.testfile_symlink,
True)[1], self.raw_con,
+ "File context of symbolic link to testfile was not "
+ "changed after call lsetfilecon()!")
+
+
+
+class fsetfileconRawTestCase(auxiliaryTestCase):
+ """TestCase for fsetfilecon_raw() function.
+ """
+
+ def setUp(self):
+ self.setUpFileOnly()
+
+ def tearDown(self):
+ self.tearDownFileOnly()
+
+ def test_fsetfileconRaw_InsertRawCon_InsertedSuccessfully(self):
+ selinux.fsetfilecon_raw(self.fo_testfile.fileno(), self.raw_con)
+ self.assertEqual(self.read_file_con(self.testfile)[1], self.raw_con,
+ "File context of testfile was not changed after call "
+ "fsetfilecon_raw()!")
+
+ def test_fsetfileconRaw_InsertWrongCon_OSErrorRaised(self):
+ fd = self.fo_testfile.fileno()
+ self.assertRaisesRegexp(OSError, '\[Errno 22\]',
selinux.fsetfilecon_raw, fd,
+ self.wrong_con)
+
+ def test_fsetfileconRaw_BadDescriptorUsed_OSErrorRaised(self):
+ fd = self.fo_testfile.fileno()
+ self.fo_testfile.close()
+ self.assertRaisesRegexp(OSError, '\[Errno 9\]',
selinux.fsetfilecon_raw, fd,
+ self.raw_con)
+
+
+class fsetfileconTestCase(auxiliaryTestCase):
+ """TestCase for fsetfilecon() function.
+ """
+
+ def setUp(self):
+ self.setUpFileOnly()
+
+ def tearDown(self):
+ self.tearDownFileOnly()
+
+ def test_fsetfileconRaw_InsertRawCon_InsertedSuccessfully(self):
+ selinux.fsetfilecon(self.fo_testfile.fileno(), self.raw_con)
+ self.assertEqual(self.read_file_con(self.testfile)[1], self.raw_con,
+ "File context of testfile was not changed after call "
+ "fsetfilecon()!")
+
+ @unittest.skipUnless(helper.contextTranslation(),
"Context-translation inactive!")
+ def test_fsetfileconRaw_InsertTransCon_InsertedSuccessfully(self):
+ selinux.fsetfilecon(self.fo_testfile.fileno(), self.trans_con)
+ self.assertEqual(self.read_file_con(self.testfile)[1], self.raw_con,
+ "File context of testfile was not changed after call "
+ "fsetfilecon()!")
+
+class getfileconRawTestCase(auxiliaryTestCase):
+ """TestCase for getfilecon_raw() function.
+ """
+
+ def setUp(self):
+ self.setUpFileOnly()
+
+ def tearDown(self):
+ self.tearDownFileOnly()
+
+ def test_getfileconRaw_GatherContext_ReturnedGoodOne(self):
+ output_list1 = selinux.getfilecon_raw(self.testfile)
+ output_list2 = self.read_file_con(self.testfile)
+ self.assertListEqual(output_list1, output_list2, "getfilecon_raw()"
+ "did not return the right context!")
+
+ def test_getfileconRaw_FileDoesNotExist_OSErrorRaised(self):
+ self.remove_file(self.testfile)
+ self.assertRaisesRegexp(OSError, '\[Errno 2\]', selinux.getfilecon_raw,
+ self.testfile)
+
+class getfileconTestCase(auxiliaryTestCase):
+ """TestCase for getfilecon() function.
+ """
+
+ def setUp(self):
+ self.setUpFileOnly()
+
+ def tearDown(self):
+ self.tearDownFileOnly()
+
+ @unittest.skipIf(helper.contextTranslation(),
"Context-translation active!")
+ def test_getfilecon_GatherContext_ReturnedGoodOne(self):
+ output_list1 = selinux.getfilecon(self.testfile)
+ output_list2 = self.read_file_con(self.testfile)
+ self.assertListEqual(output_list1, output_list2,
"getfilecon() did not "
+ "return the right context!")
+
+ @unittest.skipUnless(helper.contextTranslation(),
"Context-translation inactive!")
+ def test_getfilecon_GatherTransCon_ReturnedGoodOne(self):
+ self.set_file_con(self.testfile, self.raw_con)
+ self.assertEqual(selinux.getfilecon(self.testfile)[1], self.trans_con,
+ "File context, which was gathered after "
+ "calling getfilecon() is not right one!")
+
+
+class lgetfileconRawTestCase(auxiliaryTestCase):
+ """TestCase for lgetfilecon_raw() function.
+ """
+
+ def test_lgetfileconRaw_GatherContext_ReturnedGoodOne(self):
+ output_list1 = selinux.lgetfilecon_raw(self.testfile_symlink)
+ output_list2 = self.read_file_con(self.testfile_symlink, True)
+ self.assertListEqual(output_list1, output_list2,
"lgetfilecon_raw() did"
+ "not return the right context!")
+
+ def test_getfileconRaw_FileDoesNotExist_OSErrorRaised(self):
+ self.remove_file(self.testfile_symlink)
+ self.assertRaisesRegexp(OSError, '\[Errno 2\]',
selinux.lgetfilecon_raw,
+ self.testfile_symlink)
+
+
+class lgetfileconTestCase(auxiliaryTestCase):
+ """TestCase for lgetfilecon() function.
+ """
+
+ @unittest.skipIf(helper.contextTranslation(),
"Context-translation active!")
+ def test_lgetfilecon_GatherContext_ReturnedGoodOne(self):
+ output_list1 = selinux.lgetfilecon(self.testfile_symlink)
+ output_list2 = self.read_file_con(self.testfile_symlink)
+ self.assertListEqual(output_list1, output_list2,
"lgetfilecon() did not "
+ "return the right context!")
+
+ @unittest.skipUnless(helper.contextTranslation(),
"Context-translation inactive!")
+ def test_lgetfilecon_GatherTransCon_ReturnedGoodOne(self):
+ self.set_file_con(self.testfile_symlink, self.raw_con, True)
+ self.assertEqual(selinux.lgetfilecon(self.testfile_symlink)[1],
+ self.trans_con, "File context, which was gathered "
+ "after calling lgetfilecon() is not right one!")
+
+class fgetfileconRawTestCase(auxiliaryTestCase):
+ """TestCase for fgetfilecon_raw() function.
+ """
+
+ def setUp(self):
+ self.setUpFileOnly()
+
+ def tearDown(self):
+ self.tearDownFileOnly()
+
+ def test_fgetfileconRaw_BadDescriptorUsed_OSErrorRaised(self):
+ fd = self.fo_testfile.fileno()
+ self.fo_testfile.close()
+ self.assertRaisesRegexp(OSError, '\[Errno 9\]',
selinux.fgetfilecon_raw, fd)
+
+ def test_fgetfileconRaw_GatherContext_ReturnedGoodOne(self):
+ output_list1 = selinux.fgetfilecon_raw(self.fo_testfile.fileno())
+ output_list2 = self.read_file_con(self.testfile)
+ self.assertListEqual(output_list1, output_list2, "fgetfilecon_raw() "
+ "did not return the right context!")
+
+
+class fgetfileconTestCase(auxiliaryTestCase):
+ """TestCase for fgetfilecon() function.
+ """
+
+ def setUp(self):
+ self.setUpFileOnly()
+
+ def tearDown(self):
+ self.tearDownFileOnly()
+
+ @unittest.skipIf(helper.contextTranslation(),
"Context-translation active!")
+ def test_fgetfilecon_GatherContext_ReturnedGoodOne(self):
+ output_list1 = selinux.fgetfilecon(self.fo_testfile.fileno())
+ output_list2 = self.read_file_con(self.testfile)
+ self.assertListEqual(output_list1, output_list2,
"fgetfilecon() did not "
+ "return the right context!")
+
+ @unittest.skipUnless(helper.contextTranslation(), "Context-translation "
+ "inactive!")
+ def test_fgetfilecon_GatherTransCon_ReturnedGoodOne(self):
+ fd = self.fo_testfile.fileno()
+ self.set_file_con(fd, self.raw_con)
+ self.assertEqual(selinux.fgetfilecon(fd)[1], self.trans_con,
+ "File context, which was gathered after "
+ "calling fgetfilecon() is not right one!")
+
+if __name__ == "__main__":
+ suite = unittest.TestLoader().loadTestsFromModule(sys.modules[auxiliaryTestCase.__module__])
+ unittest.TextTestRunner(verbosity=2).run(suite)
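Review bot: in lsetfileconRawTestCase the two error-path tests (FileDoesNotExist and InsertWrongCon) call selinux.lsetfilecon instead of selinux.lsetfilecon_raw, so the _raw variant's error handling is never exercised; the same copy-paste slip leaves the lsetfileconTestCase docstring reading "lsetfilecon_raw()". A second logic issue: test_lgetfilecon_GatherContext_ReturnedGoodOne calls self.read_file_con(self.testfile_symlink) without the nofollow flag, so the expected value is the target file's context while selinux.lgetfilecon() returns the symlink's own; the _raw counterpart passes True and this one should too. Naming: the two methods in fsetfileconTestCase are test_fsetfileconRaw_* although they test fsetfilecon(), and lgetfileconRawTestCase's error test is test_getfileconRaw_* (missing the l). In set_file_con, prefer `xattr.set(fileid, "security.selinux", context, nofollow=nofollow)` over passing nofollow as the fifth positional argument, so the call does not depend on pyxattr's positional order of flags, namespace and nofollow. The regex patterns such as '\[Errno 2\]' should be raw strings (r'\[Errno 2\]') to avoid invalid-escape warnings.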
--
1.9.0
9 years, 4 months