Diffstat (limited to 'tests/bugzillas')
-rw-r--r-- | tests/bugzillas/bz1031154/runtest.sh | 104 | ||||
-rw-r--r-- | tests/bugzillas/bz1033467/runtest.sh | 68 | ||||
-rw-r--r-- | tests/bugzillas/bz1071346/runtest.sh | 79 |
3 files changed, 251 insertions, 0 deletions
diff --git a/tests/bugzillas/bz1031154/runtest.sh b/tests/bugzillas/bz1031154/runtest.sh
new file mode 100644
index 0000000..d90afb4
--- /dev/null
+++ b/tests/bugzillas/bz1031154/runtest.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# Test for https://bugzilla.redhat.com/show_bug.cgi?id=1031154
+
+. ../../prepare.inc.sh
+. ../../toolbox.inc.sh
+
+# We intentionally generate AVCs so the test system shouldn't fail us
+# because the AVCs were generated.
+export AVC_ERROR=+no_avc_check
+export RHTS_OPTION_STRONGER_AVC=
+
+# ---- do the actual testing ----
+
+result=PASS
+
+if [ $have_big_key_type = 0 ]
+then
+ toolbox_skip_test $TEST "SKIPPING TEST DUE TO LACK OF BIG_KEY TYPE"
+ exit 0
+fi
+
+require_selinux
+require_command getenforce
+require_command setenforce
+require_command runcon
+require_command ausearch
+
+echo "++++ BEGINNING TEST" >$OUTPUTFILE
+
+# we need a reference time to scan the audit log from so as not to pick up old
+# results from this test.
+base_date=`date +"%x@%X"`
+base_time=${base_date#*@}
+base_date=${base_date%@*}
+sleep 1
+
+# reset the permissive audit log autocancel thing
+load_policy
+
+# we need to be in permissive mode
+marker "ENTER SELINUX PERMISSIVE MODE"
+
+mode=`getenforce`
+
+if [ "$mode" != "Permissive" ]
+then
+ echo setenforce Permissive >>$OUTPUTFILE
+ if ! setenforce Permissive
+ then
+ failed
+ fi
+fi
+
+# create a big key to probe
+marker "CREATE BIG KEY"
+pcreate_key_by_size 8192 big_key test-key @s
+expect_keyid id
+
+# check the big key is file backed and the right size
+marker "CHECK BIG KEY"
+xid=`printf %08x $id`
+
+pk=`cat /proc/keys | grep "^$xid.*test-key: 8192 \\[file\\]"`
+echo $pk >>$OUTPUTFILE
+if [ -z "$pk" ]
+then
+ echo "+++ Incorrectly created key" >>$OUTPUTFILE
+ cat /proc/keys | grep "^$xid" >>$OUTPUTFILE
+ failed
+fi
+
+# use a separate context to access the key
+marker "ACCESS INTERCONTEXT"
+
+echo runcon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $id >>$OUTPUTFILE
+if ! runcon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $id >/dev/null 2>>$OUTPUTFILE
+then
+ failed
+fi
+
+# examine the audit logs
+marker "EXAMINE AUDIT LOGS"
+
+echo ausearch -m AVC -i --subject httpd_t -ts $base_date $base_time \| audit2allow \| grep '-P "allow httpd_t user_tmpfs_t:file [{] (open |read )+[}];"' >>$OUTPUTFILE
+if ausearch -m AVC -i --subject httpd_t -ts $base_date $base_time 2>>$OUTPUTFILE | audit2allow 2>>$OUTPUTFILE | grep -P "allow httpd_t user_tmpfs_t:file [{] (open |read )+[}];"
+then
+ failed
+fi
+
+marker "RESTORE SELINUX MODE"
+if [ "$mode" != "Permissive" ]
+then
+ echo setenforce $mode >>$OUTPUTFILE
+ if ! setenforce $mode
+ then
+ failed
+ fi
+fi
+
+echo "++++ FINISHED TEST: $result" >>$OUTPUTFILE
+
+# --- then report the results in the database ---
+toolbox_report_result $TEST $result
diff --git a/tests/bugzillas/bz1033467/runtest.sh b/tests/bugzillas/bz1033467/runtest.sh
new file mode 100644
index 0000000..54ec293
--- /dev/null
+++ b/tests/bugzillas/bz1033467/runtest.sh
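Review bot: The audit-log check near the end of the hunk passes vacuously when any stage of the `ausearch | audit2allow | grep` pipeline is unavailable, because a missing `audit2allow` (it is not in the `require_command` list, unlike `ausearch`) or an auditd that is not recording yields empty output, and the negated grep then reports success instead of failing; add `require_command audit2allow` next to `require_command ausearch`, and consider checking that auditd is active before trusting a no-match result. Separately, the `setenforce Permissive` switch is only undone on the normal path: anything that leaves the script early between the two `setenforce` calls (a signal, or a toolbox helper that aborts on error — their behaviour is not visible here) leaves the host Permissive, so register the restore as soon as the original mode is captured, e.g. `trap '[ "$mode" != "Permissive" ] && setenforce "$mode"' EXIT`. The `failed`, `marker`, `expect_keyid` and `require_*` helpers come from the sourced toolbox and are outside this diff.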
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Test for https://bugzilla.redhat.com/show_bug.cgi?id=1033467
+
+. ../../prepare.inc.sh
+. ../../toolbox.inc.sh
+
+
+# ---- do the actual testing ----
+
+result=PASS
+echo "++++ BEGINNING TEST" >$OUTPUTFILE
+
+# create a keyring and attach it to the session keyring
+marker "ADD SANDBOX KEYRING"
+create_keyring sandbox @s
+expect_keyid sandbox
+
+# create a bunch of nested keyrings in the sandbox
+marker "ADD NESTED KEYRINGS"
+declare -a ring
+for ((i=0; i<=16; i++))
+do
+ create_keyring ring$i $sandbox
+ expect_keyid "ring[$i]"
+done
+
+# create a key in each of those keyrings
+marker "ADD KEYS"
+keys=""
+for ((i=0; i<=16; i++))
+do
+ create_key user a$i a ${ring[$i]}
+ expect_keyid id
+ keys="$keys $id"
+done
+
+# search for the added keys, beginning at sandbox and exercising the nesting
+marker "SEARCH KEYS"
+keys2=""
+for ((i=0; i<=16; i++))
+do
+ search_for_key $sandbox user a$i
+ expect_keyid id
+ keys2="$keys2 $id"
+done
+
+marker "COMPARE KEY LISTS"
+if [ "$keys" != "$keys2" ]
+then
+ echo "Key lists differ" >>$OUTPUTFILE
+ echo List 1: "\"$keys\"" >>$OUTPUTFILE
+ echo List 2: "\"$keys2\"" >>$OUTPUTFILE
+ failed
+fi
+
+# search for some unadded keys and make sure we get an error
+marker "SEARCH MISSES"
+for ((i=17; i<=20; i++))
+do
+ search_for_key --fail $sandbox user a$i
+ expect_error ENOKEY
+done
+
+echo "++++ FINISHED TEST: $result" >>$OUTPUTFILE
+
+# --- then report the results in the database ---
+toolbox_report_result $TEST $result
diff --git a/tests/bugzillas/bz1071346/runtest.sh b/tests/bugzillas/bz1071346/runtest.sh
new file mode 100644
index 0000000..45f0a02
--- /dev/null
+++ b/tests/bugzillas/bz1071346/runtest.sh
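Review bot: The comments on the `ADD NESTED KEYRINGS` and `SEARCH KEYS` loops talk about nested keyrings and "exercising the nesting", but every iteration runs `create_keyring ring$i $sandbox`, so the 17 rings are siblings attached directly to `$sandbox` and the search only ever descends one level. If a single keyring holding 17 entries is what this bug needs (presumably the point of stopping at `i<=16`), the comments should say so, e.g. `# create 17 sibling keyrings directly in the sandbox so a search has to walk a well-populated keyring`; if real nesting was intended, the parent for i>0 should be `${ring[$((i-1))]}` rather than `$sandbox`. It would also help to note above `declare -a ring` that `expect_keyid "ring[$i]"` is what populates the array, since the sourced toolbox helper that does the assignment is not visible here.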
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# Test for https://bugzilla.redhat.com/show_bug.cgi?id=1071346
+
+. ../../prepare.inc.sh
+. ../../toolbox.inc.sh
+
+
+# ---- do the actual testing ----
+
+result=PASS
+echo "++++ BEGINNING TEST" >$OUTPUTFILE
+
+# create a keyring and attach it to the session keyring
+marker "ADD SANDBOX KEYRING"
+create_keyring sandbox @s
+expect_keyid sandbox
+
+# Add a second keyring of the same name into the sandbox
+marker "ADD SECOND SANDBOX KEYRING"
+create_keyring sandbox $sandbox
+expect_keyid second
+
+# Now try and link keyrings together in ways that should fail
+marker "CHECK NO LINK SESSION TO SECOND"
+link_key --fail @s $second
+expect_error EDEADLK
+marker "CHECK NO LINK SANDBOX TO SECOND"
+link_key --fail $sandbox $second
+expect_error EDEADLK
+marker "CHECK NO LINK SECOND TO SECOND"
+link_key --fail $second $second
+expect_error EDEADLK
+
+# Add another keyring into sandbox and stick a third sandbox keyring in that
+marker "ADD SIDE KEYRING"
+create_keyring side $sandbox
+expect_keyid side
+marker "ADD THIRD SANDBOX KEYRING"
+create_keyring sandbox $side
+expect_keyid third
+
+# Make sure we can't link the session keyring, the sandbox, the side
+# keyring or the third keyring itself into the third keyring.
+marker "CHECK NO LINK SESSION TO THIRD"
+link_key --fail @s $third
+expect_error EDEADLK
+marker "CHECK NO LINK SANDBOX TO THIRD"
+link_key --fail $sandbox $third
+expect_error EDEADLK
+marker "CHECK NO LINK SIDE TO THIRD"
+link_key --fail $side $third
+expect_error EDEADLK
+marker "CHECK NO LINK THIRD TO THIRD"
+link_key --fail $sandbox $third
+expect_error EDEADLK
+
+# We should, however, be able to link second to third but not then
+# third to second
+marker "CHECK LINK SECOND TO THIRD"
+link_key $second $third
+marker "CHECK NO LINK THIRD TO SECOND"
+link_key --fail $third $second
+expect_error EDEADLK
+
+# We can then detach the link we just made and check the reverse
+# linkage.
+marker "UNLINK SECOND FROM THIRD"
+unlink_key $second $third
+marker "CHECK LINK THIRD TO SECOND"
+link_key $third $second
+marker "CHECK NO LINK SECOND TO THIRD"
+link_key --fail $second $third
+expect_error EDEADLK
+
+echo "++++ FINISHED TEST: $result" >>$OUTPUTFILE
+
+# --- then report the results in the database ---
+toolbox_report_result $TEST $result |
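Review bot: The `CHECK NO LINK THIRD TO THIRD` step runs `link_key --fail $sandbox $third`, which merely repeats the `SANDBOX TO THIRD` check a few lines above; the self-link case that the preceding comment promises ("the third keyring itself into the third keyring") is never exercised, so a regression in the self-link EDEADLK rejection would go unnoticed. Change it to `link_key --fail $third $third`, mirroring the `CHECK NO LINK SECOND TO SECOND` step earlier in the file. The `link_key`, `unlink_key` and `expect_error` helpers come from the sourced toolbox and are outside this diff.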