Implement User unit tests.
This commit is contained in:
parent
52d119c58f
commit
26e0396290
@ -17,3 +17,4 @@
|
||||
#
|
||||
from . import mls
|
||||
from . import selinuxpolicy
|
||||
from . import user
|
||||
|
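--- /dev/null
+++ b/tests/policyrep/user.conf
@@ -0,0 +1,136 @@
+class infoflow
+class infoflow2
+class infoflow3
+class infoflow4
+class infoflow5
+class infoflow6
+class infoflow7
+
+sid kernel
+sid security
+
+common infoflow
+{
+low_w
+med_w
+hi_w
+low_r
+med_r
+hi_r
+}
+
+class infoflow
+inherits infoflow
+
+class infoflow2
+inherits infoflow
+{
+super_w
+super_r
+}
+
+class infoflow3
+{
+null
+}
+
+class infoflow4
+inherits infoflow
+
+class infoflow5
+inherits infoflow
+
+class infoflow6
+inherits infoflow
+
+class infoflow7
+inherits infoflow
+{
+super_w
+super_r
+super_none
+super_both
+super_unmapped
+}
+
+sensitivity s0;
+sensitivity s1;
+sensitivity s2;
+
+dominance { s0 s1 s2 }
+
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+
+#level decl
+level s0:c0.c2;
+level s1:c0.c13;
+level s2:c0.c13;
+
+#some constraints
+mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
+
+attribute mls_exempt;
+
+type system;
+role system;
+role system types system;
+
+role role20_r;
+role role21a_r;
+role role21b_r;
+role role21c_r;
+
+role role20_r types system;
+role role21a_r types system;
+role role21b_r types system;
+role role21c_r types system;
+
+type type30;
+type type31a;
+type type31b;
+type type31c;
+role system types { type30 type31a type31b type31c };
+
+allow system self:infoflow hi_w;
+
+#users
+user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4;
+user user10 roles system level s0 range s0 - s2:c0.c4;
+user user11a roles system level s0 range s0 - s2:c0.c4;
+user user11b roles system level s0 range s0 - s2:c0.c4;
+user user11c roles system level s0 range s0 - s2:c0.c4;
+
+#normal constraints
+constrain infoflow hi_w (u1 == u2);
+
+#isids
+sid kernel system:system:system:s0
+sid security system:system:system:s0
+
+#fs_use
+fs_use_trans devpts system:object_r:system:s0;
+fs_use_xattr ext3 system:object_r:system:s0;
+fs_use_task pipefs system:object_r:system:s0;
+
+#genfscon
+genfscon proc / system:object_r:system:s1
+genfscon proc /sys system:object_r:system:s0
+genfscon selinuxfs / system:object_r:system:s2:c0.c4
+portcon tcp 1 system:system:system:s0:c0.c1
+netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
+nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
+nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0
+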
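--- /dev/null
+++ b/tests/policyrep/user.py
@@ -0,0 +1,132 @@
+# Copyright 2015, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with SETools. If not, see <http://www.gnu.org/licenses/>.
+#
+import unittest
+
+try:
+from unittest.mock import Mock, patch
+except ImportError:
+from mock import Mock, patch
+
+from setools import SELinuxPolicy
+from setools.policyrep import qpol
+from setools.policyrep.exception import MLSDisabled, InvalidUser
+from setools.policyrep.user import user_factory
+
+
+class UserTest(unittest.TestCase):
+
+@classmethod
+def setUpClass(cls):
+cls.p = SELinuxPolicy("tests/policyrep/user.conf")
+
+def mock_user_factory(self, name, roles, level=None, range_=None):
+"""Factory function for User objects, using a mock qpol object."""
+assert (level and range_) or (not level and not range_)
+
+# inject object_r, like the compiler does
+roles_with_objr = roles
+roles_with_objr.append('object_r')
+
+mock_user = Mock(qpol.qpol_user_t)
+mock_user.name.return_value = name
+mock_user.role_iter.return_value = iter(roles_with_objr)
+mock_user.dfltlevel.return_value = level
+mock_user.range.return_value = range_
+
+return user_factory(self.p.policy, mock_user)
+
+def test_001_lookup(self):
+"""User factory policy lookup."""
+user = user_factory(self.p.policy, "user10")
+self.assertEqual("user10", user.qpol_symbol.name(self.p.policy))
+
+def test_002_lookup_invalid(self):
+"""Sensitivity factory policy invalid lookup."""
+with self.assertRaises(InvalidUser):
+user_factory(self.p.policy, "INVALID")
+
+def test_010_string(self):
+"""User basic string rendering."""
+user = self.mock_user_factory("username", ['role1'])
+self.assertEqual("username", str(user))
+
+def test_020_statement_role(self):
+"""User statement, one role."""
+with patch('setools.policyrep.mls.enabled', return_value=False):
+user = self.mock_user_factory("username", ['role20_r'])
+self.assertEqual("user username roles role20_r;", user.statement())
+
+def test_021_statement_two_roles(self):
+"""User statement, two roles."""
+with patch('setools.policyrep.mls.enabled', return_value=False):
+user = self.mock_user_factory("username", ['role20_r', 'role21a_r'])
+# roles are stored in a set, so the role order may vary
+self.assertRegexpMatches(user.statement(), "("
+"user username roles { role20_r role21a_r };"
+"|"
+"user username roles { role21a_r role20_r };"
+")")
+
+def test_022_statement_one_role_mls(self):
+"""User statement, one role, MLS."""
+user = self.mock_user_factory("username", ['role20_r'], level="s0", range_="s0-s2")
+self.assertEqual("user username roles role20_r level s0 range s0 - s2;", user.statement())
+
+def test_023_statement_two_roles_mls(self):
+"""User statement, two roles, MLS."""
+user = self.mock_user_factory("username", ['role20_r', 'role21a_r'],
+level="s0", range_="s0 - s2")
+# roles are stored in a set, so the role order may vary
+self.assertRegexpMatches(
+user.statement(), "("
+"user username roles { role20_r role21a_r } level s0 range s0 - s2;"
+"|"
+"user username roles { role21a_r role20_r } level s0 range s0 - s2;"
+")")
+
+def test_030_roles(self):
+"""User roles."""
+user = self.mock_user_factory("username", ['role20_r', 'role21a_r'])
+self.assertSetEqual(user.roles, set(['role20_r', 'role21a_r']))
+
+def test_040_level(self):
+"""User level."""
+user = self.mock_user_factory("username", ['role20_r', 'role21a_r'],
+level="s0", range_="s0-s2")
+self.assertEqual("s0", user.mls_level)
+
+def test_041_level_non_mls(self):
+"""User level, MLS disabled."""
+user = self.mock_user_factory("username", ['role20_r', 'role21a_r'])
+with patch('setools.policyrep.mls.enabled', return_value=False):
+with self.assertRaises(MLSDisabled):
+user.mls_level
+
+def test_050_range(self):
+"""User level."""
+user = self.mock_user_factory("username", ['role20_r', 'role21a_r'],
+level="s0", range_="s0-s2")
+self.assertEqual("s0 - s2", user.mls_range)
+
+def test_051_range_non_mls(self):
+"""User level, MLS disabled."""
+user = self.mock_user_factory("username", ['role20_r', 'role21a_r'],
+level="s0", range_="s0-s2")
+with patch('setools.policyrep.mls.enabled', return_value=False):
+with self.assertRaises(MLSDisabled):
+user.mls_range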
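Review bot: `mock_user_factory` mutates the list its caller hands in — `roles_with_objr = roles` is an alias rather than a copy, so `roles_with_objr.append('object_r')` appends to the caller's `roles`; every test in this file passes a fresh literal, so nothing breaks today, but a shared fixture list would accumulate an extra `object_r` on each call and `test_030_roles` would then be comparing against a mutated list. Replace the two lines with `roles_with_objr = list(roles) + ['object_r']`. Three docstrings are also copy-paste leftovers and misdescribe the test when it shows up in a failure report: `test_002_lookup_invalid` says "Sensitivity factory policy invalid lookup." and should read `"""User factory policy invalid lookup."""`, and `test_050_range` / `test_051_range_non_mls` say "User level." / "User level, MLS disabled." where `"""User range."""` / `"""User range, MLS disabled."""` is meant.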