RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-03-11 07:18:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

tests: Revise unit tests for binary-only policy support.

Browse Source 
Closes #72
This commit is contained in:
Chris PeBenito 2018-01-18 17:14:40 -05:00
parent 42001334fe
commit 4684eca5bc
56 changed files with 1541 additions and 305 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
tests/boolquery.conf
View File

@ -80,6 +80,8 @@ role system types system;
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
########################################
#
# Booleans Query

11
tests/boolquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, BoolQuery
from setools import BoolQuery
from .policyrep.util import compile_policy
class BoolQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/boolquery.conf")
cls.p = compile_policy("tests/boolquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Boolean query with no criteria."""

2
tests/boundsquery.conf
View File

@ -80,6 +80,8 @@ role system types system;
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
# test 1 exact match parent
type test1_parent;
type test1_child;

14
tests/boundsquery.py
View File

@ -15,15 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, BoundsQuery, BoundsRuletype
from setools import BoundsQuery, BoundsRuletype
from .policyrep.util import compile_policy
class BoundsQueryTest(unittest.TestCase):
def setUp(self):
self.p = SELinuxPolicy("tests/boundsquery.conf")
@classmethod
def setUpClass(cls):
cls.p = compile_policy("tests/boundsquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Bounds query with no criteria."""

1
tests/categoryquery.conf
View File

@ -100,6 +100,7 @@ role system types system;
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
################################################################################

11
tests/categoryquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, CategoryQuery
from setools import CategoryQuery
from .policyrep.util import compile_policy
class CategoryQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/categoryquery.conf")
cls.p = compile_policy("tests/categoryquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""MLS category query with no criteria."""

2
tests/commonquery.conf
View File

@ -87,6 +87,8 @@ type system;
role system;
role system types system;
allow system system:infoflow hi_r;
#users
user system roles system level med range low_s - high_s:here.lost;

11
tests/commonquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, CommonQuery
from setools import CommonQuery
from .policyrep.util import compile_policy
class CommonQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/commonquery.conf")
cls.p = compile_policy("tests/commonquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Common query with no criteria."""

2
tests/constraintquery.conf
View File

@ -161,6 +161,8 @@ type test40t;
type test41ta;
type test41tb;
allow system system:test1 hi_r;
user system roles system level med range low_s - high_s:here.lost;
user test50u roles system level med range low_s - high_s:here.lost;
user test51u1 roles system level med range low_s - high_s:here.lost;

11
tests/constraintquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, ConstraintQuery
from setools import ConstraintQuery
from .policyrep.util import compile_policy
class ConstraintQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/constraintquery.conf")
cls.p = compile_policy("tests/constraintquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Constraint query with no criteria."""

1
tests/defaultquery.conf
View File

@ -93,6 +93,7 @@ role system types system;
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
################################################################################

11
tests/defaultquery.py
View File

@ -15,17 +15,24 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, DefaultQuery, DefaultRuletype, DefaultValue
from setools import DefaultQuery, DefaultRuletype, DefaultValue
from setools.policyrep.exception import InvalidClass
from .policyrep.util import compile_policy
class DefaultQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/defaultquery.conf")
cls.p = compile_policy("tests/defaultquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Default query: no criteria."""

11
tests/devicetreeconquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, DevicetreeconQuery
from setools import DevicetreeconQuery
from .policyrep.util import compile_policy
class DevicetreeconQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/devicetreeconquery.conf")
cls.p = compile_policy("tests/devicetreeconquery.conf", xen=True)
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Devicetreecon query with no criteria"""

271
tests/diff.py
View File

@ -16,6 +16,7 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from ipaddress import IPv4Network, IPv6Network
@ -31,6 +32,7 @@ from setools import RBACRuletype as RRT
from setools import TERuletype as TRT
from .mixins import ValidateRule
from .policyrep.util import compile_policy
class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
@ -39,8 +41,14 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.diff = PolicyDifference(SELinuxPolicy("tests/diff_left.conf"),
SELinuxPolicy("tests/diff_right.conf"))
cls.p_left = compile_policy("tests/diff_left.conf")
cls.p_right = compile_policy("tests/diff_right.conf")
cls.diff = PolicyDifference(cls.p_left, cls.p_right)
@classmethod
def tearDownClass(cls):
os.unlink(cls.p_left.path)
os.unlink(cls.p_right.path)
#
# Types
@ -490,64 +498,71 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
#
def test_added_neverallow_rules(self):
"""Diff: added neverallow rules."""
rules = sorted(self.diff.added_neverallows)
self.assertEqual(2, len(rules))
self.assertFalse(self.diff.added_neverallows)
# changed after dropping source policy support
# rules = sorted(self.diff.added_neverallows)
# self.assertEqual(2, len(rules))
# added rule with new type
self.validate_rule(rules[0], TRT.neverallow, "added_type", "added_type", "added_class",
set(["new_class_perm"]))
# self.validate_rule(rules[0], TRT.neverallow, "added_type", "added_type", "added_class",
# set(["new_class_perm"]))
# added rule with existing types
self.validate_rule(rules[1], TRT.neverallow, "na_added_rule_source", "na_added_rule_target",
"infoflow", set(["med_w"]))
# self.validate_rule(rules[1], TRT.neverallow, "na_added_rule_source",
# "na_added_rule_target", "infoflow", set(["med_w"]))
def test_removed_neverallow_rules(self):
"""Diff: removed neverallow rules."""
rules = sorted(self.diff.removed_neverallows)
self.assertEqual(2, len(rules))
self.assertFalse(self.diff.removed_neverallows)
# changed after dropping source policy support
# rules = sorted(self.diff.removed_neverallows)
# self.assertEqual(2, len(rules))
# removed rule with existing types
self.validate_rule(rules[0], TRT.neverallow, "na_removed_rule_source",
"na_removed_rule_target", "infoflow", set(["hi_r"]))
# self.validate_rule(rules[0], TRT.neverallow, "na_removed_rule_source",
# "na_removed_rule_target", "infoflow", set(["hi_r"]))
# removed rule with new type
self.validate_rule(rules[1], TRT.neverallow, "removed_type", "removed_type",
"removed_class", set(["null_perm"]))
# self.validate_rule(rules[1], TRT.neverallow, "removed_type", "removed_type",
# "removed_class", set(["null_perm"]))
def test_modified_neverallow_rules(self):
"""Diff: modified neverallow rules."""
l = sorted(self.diff.modified_neverallows, key=lambda x: x.rule)
self.assertEqual(3, len(l))
# add permissions
rule, added_perms, removed_perms, matched_perms = l[0]
self.assertEqual(TRT.neverallow, rule.ruletype)
self.assertEqual("na_modified_rule_add_perms", rule.source)
self.assertEqual("na_modified_rule_add_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertSetEqual(set(["hi_w"]), added_perms)
self.assertFalse(removed_perms)
self.assertSetEqual(set(["hi_r"]), matched_perms)
# add and remove permissions
rule, added_perms, removed_perms, matched_perms = l[1]
self.assertEqual(TRT.neverallow, rule.ruletype)
self.assertEqual("na_modified_rule_add_remove_perms", rule.source)
self.assertEqual("na_modified_rule_add_remove_perms", rule.target)
self.assertEqual("infoflow2", rule.tclass)
self.assertSetEqual(set(["super_r"]), added_perms)
self.assertSetEqual(set(["super_w"]), removed_perms)
self.assertSetEqual(set(["low_w"]), matched_perms)
# remove permissions
rule, added_perms, removed_perms, matched_perms = l[2]
self.assertEqual(TRT.neverallow, rule.ruletype)
self.assertEqual("na_modified_rule_remove_perms", rule.source)
self.assertEqual("na_modified_rule_remove_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertFalse(added_perms)
self.assertSetEqual(set(["low_r"]), removed_perms)
self.assertSetEqual(set(["low_w"]), matched_perms)
# changed after dropping source policy support
self.assertFalse(self.diff.modified_neverallows)
# l = sorted(self.diff.modified_neverallows, key=lambda x: x.rule)
# self.assertEqual(3, len(l))
#
# # add permissions
# rule, added_perms, removed_perms, matched_perms = l[0]
# self.assertEqual(TRT.neverallow, rule.ruletype)
# self.assertEqual("na_modified_rule_add_perms", rule.source)
# self.assertEqual("na_modified_rule_add_perms", rule.target)
# self.assertEqual("infoflow", rule.tclass)
# self.assertSetEqual(set(["hi_w"]), added_perms)
# self.assertFalse(removed_perms)
# self.assertSetEqual(set(["hi_r"]), matched_perms)
#
# # add and remove permissions
# rule, added_perms, removed_perms, matched_perms = l[1]
# self.assertEqual(TRT.neverallow, rule.ruletype)
# self.assertEqual("na_modified_rule_add_remove_perms", rule.source)
# self.assertEqual("na_modified_rule_add_remove_perms", rule.target)
# self.assertEqual("infoflow2", rule.tclass)
# self.assertSetEqual(set(["super_r"]), added_perms)
# self.assertSetEqual(set(["super_w"]), removed_perms)
# self.assertSetEqual(set(["low_w"]), matched_perms)
#
# # remove permissions
# rule, added_perms, removed_perms, matched_perms = l[2]
# self.assertEqual(TRT.neverallow, rule.ruletype)
# self.assertEqual("na_modified_rule_remove_perms", rule.source)
# self.assertEqual("na_modified_rule_remove_perms", rule.target)
# self.assertEqual("infoflow", rule.tclass)
# self.assertFalse(added_perms)
# self.assertSetEqual(set(["low_r"]), removed_perms)
# self.assertSetEqual(set(["low_w"]), matched_perms)
#
# Type_transition rules
@ -990,8 +1005,9 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
#
def test_added_initialsids(self):
"""Diff: added initialsids."""
self.assertSetEqual(set(["added_sid"]), self.diff.added_initialsids)
self.assertSetEqual(set(["file_labels"]), self.diff.added_initialsids)
@unittest.skip("Moved to PolicyDifferenceRmIsidTest.")
def test_removed_initialsids(self):
"""Diff: removed initialsids."""
self.assertSetEqual(set(["removed_sid"]), self.diff.removed_initialsids)
@ -999,10 +1015,10 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
def test_modified_initialsids(self):
"""Diff: modified initialsids."""
self.assertEqual(1, len(self.diff.modified_initialsids))
self.assertEqual("modified_add_role:system:system:s2",
self.diff.modified_initialsids["modified_sid"].added_context)
self.assertEqual("system:system:system:s0",
self.diff.modified_initialsids["modified_sid"].removed_context)
self.diff.modified_initialsids["fs"].added_context)
self.assertEqual("removed_user:system:system:s0",
self.diff.modified_initialsids["fs"].removed_context)
#
# fs_use_*
@ -1688,64 +1704,70 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
#
def test_added_neverallowxperm_rules(self):
"""Diff: added neverallowxperm rules."""
rules = sorted(self.diff.added_neverallowxperms)
self.assertEqual(2, len(rules))
# added rule with new type
self.validate_rule(rules[0], TRT.neverallowxperm, "added_type", "added_type", "infoflow7",
set([0x0009]), xperm="ioctl")
# added rule with existing types
self.validate_rule(rules[1], TRT.neverallowxperm, "nax_added_rule_source",
"nax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
self.assertFalse(self.diff.added_neverallowxperms)
# changed after dropping source policy support
# rules = sorted(self.diff.added_neverallowxperms)
# self.assertEqual(2, len(rules))
#
# # added rule with new type
# self.validate_rule(rules[0], TRT.neverallowxperm, "added_type", "added_type", "infoflow7",
# set([0x0009]), xperm="ioctl")
#
# # added rule with existing types
# self.validate_rule(rules[1], TRT.neverallowxperm, "nax_added_rule_source",
# "nax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
def test_removed_neverallowxperm_rules(self):
"""Diff: removed neverallowxperm rules."""
rules = sorted(self.diff.removed_neverallowxperms)
self.assertEqual(2, len(rules))
# removed rule with existing types
self.validate_rule(rules[0], TRT.neverallowxperm, "nax_removed_rule_source",
"nax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
# removed rule with new type
self.validate_rule(rules[1], TRT.neverallowxperm, "removed_type", "removed_type",
"infoflow7", set([0x0009]), xperm="ioctl")
self.assertFalse(self.diff.removed_neverallowxperms)
# changed after dropping source policy support
# rules = sorted(self.diff.removed_neverallowxperms)
# self.assertEqual(2, len(rules))
#
# # removed rule with existing types
# self.validate_rule(rules[0], TRT.neverallowxperm, "nax_removed_rule_source",
# "nax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl")
#
# # removed rule with new type
# self.validate_rule(rules[1], TRT.neverallowxperm, "removed_type", "removed_type",
# "infoflow7", set([0x0009]), xperm="ioctl")
def test_modified_neverallowxperm_rules(self):
"""Diff: modified neverallowxperm rules."""
l = sorted(self.diff.modified_neverallowxperms, key=lambda x: x.rule)
self.assertEqual(3, len(l))
# add permissions
rule, added_perms, removed_perms, matched_perms = l[0]
self.assertEqual(TRT.neverallowxperm, rule.ruletype)
self.assertEqual("nax_modified_rule_add_perms", rule.source)
self.assertEqual("nax_modified_rule_add_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertSetEqual(set([0x000f]), added_perms)
self.assertFalse(removed_perms)
self.assertSetEqual(set([0x0004]), matched_perms)
# add and remove permissions
rule, added_perms, removed_perms, matched_perms = l[1]
self.assertEqual(TRT.neverallowxperm, rule.ruletype)
self.assertEqual("nax_modified_rule_add_remove_perms", rule.source)
self.assertEqual("nax_modified_rule_add_remove_perms", rule.target)
self.assertEqual("infoflow2", rule.tclass)
self.assertSetEqual(set([0x0006]), added_perms)
self.assertSetEqual(set([0x0007]), removed_perms)
self.assertSetEqual(set([0x0008]), matched_perms)
# remove permissions
rule, added_perms, removed_perms, matched_perms = l[2]
self.assertEqual(TRT.neverallowxperm, rule.ruletype)
self.assertEqual("nax_modified_rule_remove_perms", rule.source)
self.assertEqual("nax_modified_rule_remove_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertFalse(added_perms)
self.assertSetEqual(set([0x0006]), removed_perms)
self.assertSetEqual(set([0x0005]), matched_perms)
self.assertFalse(self.diff.modified_neverallowxperms)
# changed after dropping source policy support
# l = sorted(self.diff.modified_neverallowxperms, key=lambda x: x.rule)
# self.assertEqual(3, len(l))
#
# # add permissions
# rule, added_perms, removed_perms, matched_perms = l[0]
# self.assertEqual(TRT.neverallowxperm, rule.ruletype)
# self.assertEqual("nax_modified_rule_add_perms", rule.source)
# self.assertEqual("nax_modified_rule_add_perms", rule.target)
# self.assertEqual("infoflow", rule.tclass)
# self.assertSetEqual(set([0x000f]), added_perms)
# self.assertFalse(removed_perms)
# self.assertSetEqual(set([0x0004]), matched_perms)
#
# # add and remove permissions
# rule, added_perms, removed_perms, matched_perms = l[1]
# self.assertEqual(TRT.neverallowxperm, rule.ruletype)
# self.assertEqual("nax_modified_rule_add_remove_perms", rule.source)
# self.assertEqual("nax_modified_rule_add_remove_perms", rule.target)
# self.assertEqual("infoflow2", rule.tclass)
# self.assertSetEqual(set([0x0006]), added_perms)
# self.assertSetEqual(set([0x0007]), removed_perms)
# self.assertSetEqual(set([0x0008]), matched_perms)
#
# # remove permissions
# rule, added_perms, removed_perms, matched_perms = l[2]
# self.assertEqual(TRT.neverallowxperm, rule.ruletype)
# self.assertEqual("nax_modified_rule_remove_perms", rule.source)
# self.assertEqual("nax_modified_rule_remove_perms", rule.target)
# self.assertEqual("infoflow", rule.tclass)
# self.assertFalse(added_perms)
# self.assertSetEqual(set([0x0006]), removed_perms)
# self.assertSetEqual(set([0x0005]), matched_perms)
#
# Dontauditxperm rules
@ -1812,14 +1834,45 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
self.assertSetEqual(set([0x0005]), matched_perms)
class PolicyDifferenceRmIsidTest(unittest.TestCase):
"""
Policy difference test for removed initial SID.
Since initial SID names are fixed (they don't exist in the binary policy)
this cannot be in the above test suite.
"""
@classmethod
def setUpClass(cls):
cls.p_left = compile_policy("tests/diff_left.conf")
cls.p_right = compile_policy("tests/diff_right_rmisid.conf")
cls.diff = PolicyDifference(cls.p_left, cls.p_right)
@classmethod
def tearDownClass(cls):
os.unlink(cls.p_left.path)
os.unlink(cls.p_right.path)
def test_removed_initialsids(self):
"""Diff: removed initialsids."""
self.assertSetEqual(set(["file"]), self.diff.removed_initialsids)
class PolicyDifferenceTestNoDiff(unittest.TestCase):
"""Policy difference test with no policy differences."""
@classmethod
def setUpClass(cls):
cls.diff = PolicyDifference(SELinuxPolicy("tests/diff_left.conf"),
SELinuxPolicy("tests/diff_left.conf"))
cls.p_left = compile_policy("tests/diff_left.conf")
cls.p_right = compile_policy("tests/diff_left.conf")
cls.diff = PolicyDifference(cls.p_left, cls.p_right)
@classmethod
def tearDownClass(cls):
os.unlink(cls.p_left.path)
os.unlink(cls.p_right.path)
def test_added_types(self):
"""NoDiff: no added types"""
@ -2261,8 +2314,14 @@ class PolicyDifferenceTestMLStoStandard(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.diff = PolicyDifference(SELinuxPolicy("tests/diff_left.conf"),
SELinuxPolicy("tests/diff_left_standard.conf"))
cls.p_left = compile_policy("tests/diff_left.conf")
cls.p_right = compile_policy("tests/diff_left_standard.conf", mls=False)
cls.diff = PolicyDifference(cls.p_left, cls.p_right)
@classmethod
def tearDownClass(cls):
os.unlink(cls.p_left.path)
os.unlink(cls.p_right.path)
def test_added_types(self):
"""MLSvsStandardDiff: no added types"""

12
tests/diff_left.conf
View File

@ -12,9 +12,9 @@ class modified_change_common
sid kernel
sid security
sid matched_sid
sid removed_sid
sid modified_sid
sid unlabeled
sid fs
sid file
common infoflow
{
@ -839,9 +839,9 @@ validatetrans infoflow5 ((u1 == u2 and r1 != r2) or (t3 == system));
#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
sid matched_sid system:system:system:s0
sid removed_sid removed_user:system:system:s0
sid modified_sid system:system:system:s0
sid unlabeled system:system:system:s0
sid fs removed_user:system:system:s0
sid file system:system:system:s0
#fs_use
fs_use_trans devpts system:object_r:system:s0;

12
tests/diff_left_standard.conf
View File

@ -12,9 +12,9 @@ class modified_change_common
sid kernel
sid security
sid matched_sid
sid removed_sid
sid modified_sid
sid unlabeled
sid fs
sid file
common infoflow
{
@ -761,9 +761,9 @@ validatetrans infoflow5 ((u1 == u2 and r1 != r2) or (t3 == system));
#isids
sid kernel system:system:system
sid security system:system:system
sid matched_sid system:system:system
sid removed_sid removed_user:system:system
sid modified_sid system:system:system
sid unlabeled system:system:system
sid fs removed_user:system:system
sid file system:system:system
#fs_use
fs_use_trans devpts system:object_r:system;

14
tests/diff_right.conf
View File

@ -12,9 +12,10 @@ class modified_change_common
sid kernel
sid security
sid matched_sid
sid added_sid
sid modified_sid
sid unlabeled
sid fs
sid file
sid file_labels
common infoflow
{
@ -863,9 +864,10 @@ validatetrans infoflow5 ((u1 != u2 and r1 == r2) or (t3 == system));
#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
sid matched_sid system:system:system:s0
sid added_sid added_user:system:system:s1
sid modified_sid modified_add_role:system:system:s2
sid unlabeled system:system:system:s0
sid fs system:system:system:s0
sid file system:system:system:s0
sid file_labels added_user:system:system:s1
#fs_use
fs_use_trans devpts system:object_r:system:s0;

892
tests/diff_right_rmisid.conf Normal file
View File

@ -0,0 +1,892 @@
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
class removed_class
class modified_add_perm
class modified_remove_perm
class modified_change_common
sid kernel
sid security
sid unlabeled
sid fs
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
ioctl
}
common removed_common
{
old_com
}
common modified_remove_perm
{
same_perm
removed_perm
}
common modified_add_perm
{
matched_perm
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
class infoflow3
{
null
}
class infoflow4
inherits infoflow
class infoflow5
inherits infoflow
class infoflow6
inherits infoflow
class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
class removed_class
{
null_perm
}
class modified_add_perm
{
same_perm
}
class modified_remove_perm
{
same_perm
removed_perm
}
class modified_change_common
inherits removed_common
# matching defaults:
default_user infoflow source;
default_role infoflow source;
default_type infoflow source;
default_range infoflow source low;
# added:
# removed:
default_role infoflow3 source;
default_range infoflow3 target high;
# modified:
default_type infoflow4 source;
default_range infoflow4 source low;
# modified range:
default_range infoflow5 target low;
# modified both
default_range infoflow6 source high;
sensitivity s0 alias { al1 al2 };
sensitivity s1 alias { al3 };
sensitivity s2;
sensitivity s3;
sensitivity s40;
sensitivity s41;
sensitivity s42;
sensitivity s43;
sensitivity s44;
sensitivity s45;
sensitivity s47;
dominance { s0 s1 s2 s3 s40 s41 s42 s43 s44 s45 s47 }
category c0 alias { spam eggs };
category c1 alias { bar };
category c2;
category c3;
category c4;
category c5;
#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s40:c1;
level s41:c0.c4;
level s42:c0.c4;
level s43:c0.c4;
level s44:c0.c4;
level s45:c0.c4;
level s47:c0.c4;
# matching mls constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
# added mls constraint
# removed mls constraint
mlsconstrain infoflow4 hi_w ((l1 domby l2 and h1 domby h2) or (t1 == mls_exempt));
# remove/add mls constraint (expression change)
mlsconstrain infoflow5 hi_r ((l1 domby l2 and h1 dom h2) or (t1 == mls_exempt));
# matching mls validatetrans
mlsvalidatetrans infoflow (h1 == h2 or t3 == system);
# added mls validatetrans
# removed mls validatetrans
mlsvalidatetrans infoflow4 ((l1 == l2 and h1 == h2) or t3 == mls_exempt);
# remove/add mls validatetrans (expression change)
mlsvalidatetrans infoflow5 ((l1 dom l2 and h1 dom h2) or (t3 == mls_exempt));
attribute mls_exempt;
attribute an_attr;
attribute removed_attr;
type system;
role system;
role system types system;
################################################################################
# Type enforcement declarations and rules
type removed_type;
type modified_remove_attr, an_attr;
type modified_remove_alias alias an_alias;
type modified_remove_permissive;
permissive modified_remove_permissive;
type modified_add_attr;
type modified_add_alias;
type modified_add_permissive;
role removed_role;
role modified_add_type;
role modified_remove_type;
role modified_remove_type types { system };
# booleans
bool same_bool true;
bool removed_bool true;
bool modified_bool false;
# Allow rule differences
type matched_source;
type matched_target;
allow matched_source matched_target:infoflow hi_w;
type removed_rule_source;
type removed_rule_target;
allow removed_rule_source removed_rule_target:infoflow hi_r;
type added_rule_source;
type added_rule_target;
type modified_rule_add_perms;
allow modified_rule_add_perms self:infoflow hi_r;
type modified_rule_remove_perms;
allow modified_rule_remove_perms self:infoflow { low_r low_w };
type modified_rule_add_remove_perms;
allow modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
allow removed_type self:infoflow3 null;
type move_to_bool;
bool move_to_bool_b false;
allow move_to_bool self:infoflow4 hi_w;
type move_from_bool;
bool move_from_bool_b false;
if (move_from_bool_b) {
allow move_from_bool self:infoflow4 hi_r;
}
type switch_block;
bool switch_block_b false;
if (switch_block_b) {
allow system switch_block:infoflow5 hi_r;
allow system switch_block:infoflow6 hi_r;
} else {
allow system switch_block:infoflow7 hi_r;
}
attribute match_rule_by_attr;
type match_rule_by_attr_A_t, match_rule_by_attr;
type match_rule_by_attr_B_t, match_rule_by_attr;
allow match_rule_by_attr self:infoflow2 super_w;
attribute union_perm_a;
attribute union_perm_b;
attribute union_perm_c;
type union_perm_source, union_perm_a, union_perm_c;
type union_perm_target, union_perm_b;
allow union_perm_source union_perm_target:infoflow { hi_w med_w low_w };
# Auditallow rule differences
type aa_matched_source;
type aa_matched_target;
auditallow aa_matched_source aa_matched_target:infoflow hi_w;
type aa_removed_rule_source;
type aa_removed_rule_target;
auditallow aa_removed_rule_source aa_removed_rule_target:infoflow hi_r;
type aa_added_rule_source;
type aa_added_rule_target;
type aa_modified_rule_add_perms;
auditallow aa_modified_rule_add_perms self:infoflow hi_r;
type aa_modified_rule_remove_perms;
auditallow aa_modified_rule_remove_perms self:infoflow { low_r low_w };
type aa_modified_rule_add_remove_perms;
auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
auditallow removed_type self:infoflow7 super_unmapped;
type aa_move_to_bool;
bool aa_move_to_bool_b false;
auditallow aa_move_to_bool self:infoflow4 hi_w;
type aa_move_from_bool;
bool aa_move_from_bool_b false;
if (aa_move_from_bool_b) {
auditallow aa_move_from_bool self:infoflow4 hi_r;
}
type aa_switch_block;
bool aa_switch_block_b false;
if (aa_switch_block_b) {
auditallow system aa_switch_block:infoflow5 hi_r;
auditallow system aa_switch_block:infoflow6 hi_r;
} else {
auditallow system aa_switch_block:infoflow7 hi_r;
}
attribute aa_match_rule_by_attr;
type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
auditallow aa_match_rule_by_attr self:infoflow2 super_w;
attribute aa_union_perm_a;
attribute aa_union_perm_b;
attribute aa_union_perm_c;
type aa_union_perm_source, aa_union_perm_a, aa_union_perm_c;
type aa_union_perm_target, aa_union_perm_b;
auditallow aa_union_perm_source aa_union_perm_target:infoflow { hi_w med_w low_w };
# Dontaudit rule differences
type da_matched_source;
type da_matched_target;
dontaudit da_matched_source da_matched_target:infoflow hi_w;
type da_removed_rule_source;
type da_removed_rule_target;
dontaudit da_removed_rule_source da_removed_rule_target:infoflow hi_r;
type da_added_rule_source;
type da_added_rule_target;
type da_modified_rule_add_perms;
dontaudit da_modified_rule_add_perms self:infoflow hi_r;
type da_modified_rule_remove_perms;
dontaudit da_modified_rule_remove_perms self:infoflow { low_r low_w };
type da_modified_rule_add_remove_perms;
dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
dontaudit removed_type self:infoflow7 super_both;
type da_move_to_bool;
bool da_move_to_bool_b false;
dontaudit da_move_to_bool self:infoflow4 hi_w;
type da_move_from_bool;
bool da_move_from_bool_b false;
if (da_move_from_bool_b) {
dontaudit da_move_from_bool self:infoflow4 hi_r;
}
type da_switch_block;
bool da_switch_block_b false;
if (da_switch_block_b) {
dontaudit system da_switch_block:infoflow5 hi_r;
dontaudit system da_switch_block:infoflow6 hi_r;
} else {
dontaudit system da_switch_block:infoflow7 hi_r;
}
attribute da_match_rule_by_attr;
type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
dontaudit da_match_rule_by_attr self:infoflow2 super_w;
attribute da_union_perm_a;
attribute da_union_perm_b;
attribute da_union_perm_c;
type da_union_perm_source, da_union_perm_a, da_union_perm_c;
type da_union_perm_target, da_union_perm_b;
dontaudit da_union_perm_source da_union_perm_target:infoflow { hi_w med_w low_w };
# Neverallow rule differences
type na_matched_source;
type na_matched_target;
neverallow na_matched_source na_matched_target:infoflow hi_w;
type na_removed_rule_source;
type na_removed_rule_target;
neverallow na_removed_rule_source na_removed_rule_target:infoflow hi_r;
type na_added_rule_source;
type na_added_rule_target;
type na_modified_rule_add_perms;
neverallow na_modified_rule_add_perms self:infoflow hi_r;
type na_modified_rule_remove_perms;
neverallow na_modified_rule_remove_perms self:infoflow { low_r low_w };
type na_modified_rule_add_remove_perms;
neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
neverallow removed_type self:removed_class null_perm;
attribute na_match_rule_by_attr;
type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
neverallow na_match_rule_by_attr self:infoflow2 super_w;
attribute na_union_perm_a;
attribute na_union_perm_b;
attribute na_union_perm_c;
type na_union_perm_source, na_union_perm_a, na_union_perm_c;
type na_union_perm_target, na_union_perm_b;
neverallow na_union_perm_source na_union_perm_target:infoflow { hi_w med_w low_w };
# type_transition rule differences
type tt_matched_source;
type tt_matched_target;
type_transition tt_matched_source tt_matched_target:infoflow system;
type tt_removed_rule_source;
type tt_removed_rule_target;
type_transition tt_removed_rule_source tt_removed_rule_target:infoflow system;
type tt_added_rule_source;
type tt_added_rule_target;
type tt_old_type;
type tt_new_type;
type_transition tt_matched_source system:infoflow tt_old_type;
type_transition removed_type system:infoflow4 system;
type tt_move_to_bool;
bool tt_move_to_bool_b false;
type_transition tt_move_to_bool system:infoflow3 system;
type tt_move_from_bool;
bool tt_move_from_bool_b false;
if (tt_move_from_bool_b) {
type_transition tt_move_from_bool system:infoflow4 system;
}
type tt_switch_block;
bool tt_switch_block_b false;
if (tt_switch_block_b) {
type_transition system tt_switch_block:infoflow5 system;
type_transition system tt_switch_block:infoflow6 system;
} else {
type_transition system tt_switch_block:infoflow7 system;
}
attribute tt_match_rule_by_attr;
type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
type_transition tt_match_rule_by_attr system:infoflow2 system;
attribute tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
type_transition tt_unioned_perm_via_attr system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;
# type_change rule differences
type tc_matched_source;
type tc_matched_target;
type_change tc_matched_source tc_matched_target:infoflow system;
type tc_removed_rule_source;
type tc_removed_rule_target;
type_change tc_removed_rule_source tc_removed_rule_target:infoflow system;
type tc_added_rule_source;
type tc_added_rule_target;
type tc_old_type;
type tc_new_type;
type_change tc_matched_source system:infoflow tc_old_type;
type_change removed_type system:infoflow4 system;
type tc_move_to_bool;
bool tc_move_to_bool_b false;
type_change tc_move_to_bool system:infoflow3 system;
type tc_move_from_bool;
bool tc_move_from_bool_b false;
if (tc_move_from_bool_b) {
type_change tc_move_from_bool system:infoflow4 system;
}
type tc_switch_block;
bool tc_switch_block_b false;
if (tc_switch_block_b) {
type_change system tc_switch_block:infoflow5 system;
type_change system tc_switch_block:infoflow6 system;
} else {
type_change system tc_switch_block:infoflow7 system;
}
attribute tc_match_rule_by_attr;
type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
type_change tc_match_rule_by_attr system:infoflow2 system;
attribute tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
type_change tc_unioned_perm_via_attr system:infoflow2 system;
type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;
# type_member rule differences
type tm_matched_source;
type tm_matched_target;
type_member tm_matched_source tm_matched_target:infoflow system;
type tm_removed_rule_source;
type tm_removed_rule_target;
type_member tm_removed_rule_source tm_removed_rule_target:infoflow system;
type tm_added_rule_source;
type tm_added_rule_target;
type tm_old_type;
type tm_new_type;
type_member tm_matched_source system:infoflow tm_old_type;
type_member removed_type system:infoflow4 system;
type tm_move_to_bool;
bool tm_move_to_bool_b false;
type_member tm_move_to_bool system:infoflow3 system;
type tm_move_from_bool;
bool tm_move_from_bool_b false;
if (tm_move_from_bool_b) {
type_member tm_move_from_bool system:infoflow4 system;
}
type tm_switch_block;
bool tm_switch_block_b false;
if (tm_switch_block_b) {
type_member system tm_switch_block:infoflow5 system;
type_member system tm_switch_block:infoflow6 system;
} else {
type_member system tm_switch_block:infoflow7 system;
}
attribute tm_match_rule_by_attr;
type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
type_member tm_match_rule_by_attr system:infoflow2 system;
attribute tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
type_member tm_unioned_perm_via_attr system:infoflow2 system;
type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;
# range_transition rule differences
type rt_matched_source;
type rt_matched_target;
range_transition rt_matched_source rt_matched_target:infoflow s0;
type rt_removed_rule_source;
type rt_removed_rule_target;
range_transition rt_removed_rule_source rt_removed_rule_target:infoflow s1;
type rt_added_rule_source;
type rt_added_rule_target;
range_transition rt_matched_source system:infoflow s2:c0 - s3:c0.c2;
range_transition removed_type system:infoflow4 s1;
# range transitions cannot be conditional.
#type rt_move_to_bool;
#bool rt_move_to_bool_b false;
#range_transition rt_move_to_bool system:infoflow3 s0;
#type rt_move_from_bool;
#bool rt_move_from_bool_b false;
#if (rt_move_from_bool_b) {
#range_transition rt_move_from_bool system:infoflow4 s0;
#}
#type rt_switch_block;
#bool rt_switch_block_b false;
#if (rt_switch_block_b) {
#range_transition system rt_switch_block:infoflow5 s0;
#range_transition system rt_switch_block:infoflow6 s0;
#} else {
#range_transition system rt_switch_block:infoflow7 s0;
#}
attribute rt_match_rule_by_attr;
type rt_match_rule_by_attr_A_t, rt_match_rule_by_attr;
type rt_match_rule_by_attr_B_t, rt_match_rule_by_attr;
range_transition rt_match_rule_by_attr system:infoflow2 s0;
attribute rt_unioned_perm_via_attr;
type rt_unioned_perm_via_attr_A_t, rt_unioned_perm_via_attr;
type rt_unioned_perm_via_attr_B_t, rt_unioned_perm_via_attr;
range_transition rt_unioned_perm_via_attr system:infoflow2 s0;
range_transition rt_unioned_perm_via_attr_A_t system:infoflow2 s0;
# role allow
role matched_source_r;
role matched_target_r;
allow matched_source_r matched_target_r;
role removed_rule_source_r;
role removed_rule_target_r;
allow removed_rule_source_r removed_rule_target_r;
role added_rule_source_r;
role added_rule_target_r;
allow removed_role system;
# role_transition
role role_tr_matched_source;
type role_tr_matched_target;
role_transition role_tr_matched_source role_tr_matched_target:infoflow system;
role role_tr_removed_rule_source;
type role_tr_removed_rule_target;
role_transition role_tr_removed_rule_source role_tr_removed_rule_target:infoflow5 system;
role role_tr_added_rule_source;
type role_tr_added_rule_target;
role_transition removed_role system:infoflow4 system;
role role_tr_old_role;
role role_tr_new_role;
role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_old_role;
# Allowxperm rule differences
type ax_matched_source;
type ax_matched_target;
allowxperm ax_matched_source ax_matched_target:infoflow ioctl 0x0001;
type ax_removed_rule_source;
type ax_removed_rule_target;
allowxperm ax_removed_rule_source ax_removed_rule_target:infoflow ioctl 0x0002;
type ax_added_rule_source;
type ax_added_rule_target;
type ax_modified_rule_add_perms;
allowxperm ax_modified_rule_add_perms self:infoflow ioctl 0x0004;
type ax_modified_rule_remove_perms;
allowxperm ax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
type ax_modified_rule_add_remove_perms;
allowxperm ax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
allowxperm removed_type self:infoflow7 ioctl 0x0009;
attribute ax_match_rule_by_attr;
type ax_match_rule_by_attr_A_t, ax_match_rule_by_attr;
type ax_match_rule_by_attr_B_t, ax_match_rule_by_attr;
allowxperm ax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
attribute ax_union_perm_a;
attribute ax_union_perm_b;
attribute ax_union_perm_c;
type ax_union_perm_source, ax_union_perm_a, ax_union_perm_c;
type ax_union_perm_target, ax_union_perm_b;
allowxperm ax_union_perm_source ax_union_perm_target:infoflow ioctl { 0x1-0x3 };
# Auditallowxperm rule differences
type aax_matched_source;
type aax_matched_target;
auditallowxperm aax_matched_source aax_matched_target:infoflow ioctl 0x0001;
type aax_removed_rule_source;
type aax_removed_rule_target;
auditallowxperm aax_removed_rule_source aax_removed_rule_target:infoflow ioctl 0x0002;
type aax_added_rule_source;
type aax_added_rule_target;
type aax_modified_rule_add_perms;
auditallowxperm aax_modified_rule_add_perms self:infoflow ioctl 0x0004;
type aax_modified_rule_remove_perms;
auditallowxperm aax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
type aax_modified_rule_add_remove_perms;
auditallowxperm aax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
auditallowxperm removed_type self:infoflow7 ioctl 0x0009;
attribute aax_match_rule_by_attr;
type aax_match_rule_by_attr_A_t, aax_match_rule_by_attr;
type aax_match_rule_by_attr_B_t, aax_match_rule_by_attr;
auditallowxperm aax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
attribute aax_union_perm_a;
attribute aax_union_perm_b;
attribute aax_union_perm_c;
type aax_union_perm_source, aax_union_perm_a, aax_union_perm_c;
type aax_union_perm_target, aax_union_perm_b;
auditallowxperm aax_union_perm_source aax_union_perm_target:infoflow ioctl { 0x1-0x3 };
# Neverallowxperm rule differences
type nax_matched_source;
type nax_matched_target;
neverallowxperm nax_matched_source nax_matched_target:infoflow ioctl 0x0001;
type nax_removed_rule_source;
type nax_removed_rule_target;
neverallowxperm nax_removed_rule_source nax_removed_rule_target:infoflow ioctl 0x0002;
type nax_added_rule_source;
type nax_added_rule_target;
type nax_modified_rule_add_perms;
neverallowxperm nax_modified_rule_add_perms self:infoflow ioctl 0x0004;
type nax_modified_rule_remove_perms;
neverallowxperm nax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
type nax_modified_rule_add_remove_perms;
neverallowxperm nax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
neverallowxperm removed_type self:infoflow7 ioctl 0x0009;
attribute nax_match_rule_by_attr;
type nax_match_rule_by_attr_A_t, nax_match_rule_by_attr;
type nax_match_rule_by_attr_B_t, nax_match_rule_by_attr;
neverallowxperm nax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
attribute nax_union_perm_a;
attribute nax_union_perm_b;
attribute nax_union_perm_c;
type nax_union_perm_source, nax_union_perm_a, nax_union_perm_c;
type nax_union_perm_target, nax_union_perm_b;
neverallowxperm nax_union_perm_source nax_union_perm_target:infoflow ioctl { 0x1-0x3 };
# Dontauditxperm rule differences
type dax_matched_source;
type dax_matched_target;
dontauditxperm dax_matched_source dax_matched_target:infoflow ioctl 0x0001;
type dax_removed_rule_source;
type dax_removed_rule_target;
dontauditxperm dax_removed_rule_source dax_removed_rule_target:infoflow ioctl 0x0002;
type dax_added_rule_source;
type dax_added_rule_target;
type dax_modified_rule_add_perms;
dontauditxperm dax_modified_rule_add_perms self:infoflow ioctl 0x0004;
type dax_modified_rule_remove_perms;
dontauditxperm dax_modified_rule_remove_perms self:infoflow ioctl { 0x0005 0x0006 };
type dax_modified_rule_add_remove_perms;
dontauditxperm dax_modified_rule_add_remove_perms self:infoflow2 ioctl { 0x0007 0x0008 };
dontauditxperm removed_type self:infoflow7 ioctl 0x0009;
attribute dax_match_rule_by_attr;
type dax_match_rule_by_attr_A_t, dax_match_rule_by_attr;
type dax_match_rule_by_attr_B_t, dax_match_rule_by_attr;
dontauditxperm dax_match_rule_by_attr self:infoflow2 ioctl 0x000a;
attribute dax_union_perm_a;
attribute dax_union_perm_b;
attribute dax_union_perm_c;
type dax_union_perm_source, dax_union_perm_a, dax_union_perm_c;
type dax_union_perm_target, dax_union_perm_b;
dontauditxperm dax_union_perm_source dax_union_perm_target:infoflow ioctl { 0x1-0x3 };
################################################################################
# matching typebounds
type match_parent;
type match_child;
typebounds match_parent match_child;
# removed typebounds
type removed_parent;
type removed_child;
typebounds removed_parent removed_child;
# added typebounds
type added_parent;
type added_child;
# modified typebounds
type mod_parent_removed;
type mod_parent_added;
type mod_child;
typebounds mod_parent_removed mod_child;
# policycaps
policycap open_perms;
policycap network_peer_controls;
#users
user system roles system level s0 range s0;
user removed_user roles system level s0 range s0;
user modified_add_role roles system level s2 range s2;
user modified_remove_role roles { system removed_role } level s2 range s2;
user modified_change_level roles system level s2:c0 range s2:c0 - s2:c0,c1;
user modified_change_range roles system level s3:c1 range s3:c1 - s3:c1.c3;
# matching constraints
constrain infoflow hi_w (u1 == u2 or t1 == system);
constrain infoflow hi_w (t1 == t2 or t1 == system);
constrain infoflow hi_r (r1 == r2 or t1 == system);
# added constraint
# removed constraint
constrain infoflow4 hi_w (u1 != u2);
# remove/add constraint (expression change)
constrain infoflow5 hi_r ((u1 == u2 and r1 == r2) or (t1 == system));
# matching validatetrans
validatetrans infoflow (u1 == u2 or t3 == system);
validatetrans infoflow (r1 == r2 or t3 == system);
validatetrans infoflow2 (u1 == u2 or t3 == system);
# added validatetrans
# removed validatetrans
validatetrans infoflow4 (u1 == u2 or t3 == system);
# remove/add validatetrans (expression change)
validatetrans infoflow5 ((u1 == u2 and r1 != r2) or (t3 == system));
#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
sid unlabeled system:system:system:s0
sid fs removed_user:system:system:s0
#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;
fs_use_task removed_fsuse system:object_r:system:s0;
fs_use_trans modified_fsuse removed_user:object_r:system:s0;
#genfscon
genfscon proc / system:object_r:system:s0
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s0
genfscon removed_genfs / system:object_r:system:s0
genfscon change_path /old system:object_r:system:s0
genfscon modified_genfs / -s removed_user:object_r:system:s0
# matched portcons
portcon tcp 80 system:object_r:system:s0
portcon udp 80 system:object_r:system:s0
portcon udp 30-40 system:object_r:system:s0
# removed portcons
portcon udp 1024 system:object_r:system:s0
portcon tcp 1024-1026 system:object_r:system:s0
# modified portcons
portcon udp 3024 removed_user:object_r:system:s0
portcon tcp 3024-3026 removed_user:object_r:system:s0
netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
netifcon removed_netif system:object_r:system:s0 system:object_r:system:s0
netifcon mod_ctx_netif removed_user:object_r:system:s0 system:object_r:system:s0
netifcon mod_pkt_netif system:object_r:system:s0 removed_user:object_r:system:s0
netifcon mod_both_netif removed_user:object_r:system:s0 removed_user:object_r:system:s0
# matched nodecons
nodecon 121.0.0.0 255.0.0.0 system:object_r:system:s0
nodecon ff01:: ffff:ffff:ffff:fffc:: system:object_r:system:s0
# removed nodecons
nodecon 122.0.0.0 255.0.0.0 removed_user:object_r:system:s0
nodecon ff02:: ffff:ffff:ffff:fffc:: removed_user:object_r:system:s0
# modified nodecons
nodecon 123.0.0.0 255.0.0.0 modified_change_level:object_r:system:s2:c1
nodecon ff03:: ffff:ffff:ffff:fffc:: modified_change_level:object_r:system:s2:c0,c1
# change netmask (add/remove)
nodecon 125.0.0.0 255.0.0.0 system:object_r:system:s0
nodecon ff05:: ffff:ffff:ffff:fffc:: system:object_r:system:s0

10
tests/dta.py
View File

@ -15,24 +15,30 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, DomainTransitionAnalysis
from setools import DomainTransitionAnalysis
from setools import TERuletype as TERT
from setools.policyrep.exception import InvalidType
from setools.policyrep.libpolicyrep import Type
from . import mixins
from .policyrep.util import compile_policy
class DomainTransitionAnalysisTest(mixins.ValidateRule, unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/dta.conf")
cls.p = compile_policy("tests/dta.conf")
cls.a = DomainTransitionAnalysis(cls.p)
cls.a._build_graph()
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_graph_structure(self):
"""DTA: verify graph structure."""
# don't check node list since the disconnected nodes are not

2
tests/fsusequery.conf
View File

@ -106,7 +106,7 @@ role system types { type40 type41a type41b type41c };
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
################################################################################

11
tests/fsusequery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, FSUseQuery
from setools import FSUseQuery
from .policyrep.util import compile_policy
class FSUseQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/fsusequery.conf")
cls.p = compile_policy("tests/fsusequery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""fs_use_* query with no criteria"""

2
tests/genfsconquery.conf
View File

@ -107,7 +107,7 @@ role system types { type40 type41a type41b type41c };
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
################################################################################

11
tests/genfsconquery.py
View File

@ -15,17 +15,24 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
import stat
from setools import SELinuxPolicy, GenfsconQuery
from setools import GenfsconQuery
from .policyrep.util import compile_policy
class GenfsconQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/genfsconquery.conf")
cls.p = compile_policy("tests/genfsconquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Genfscon query with no criteria"""

10
tests/infoflow.py
View File

@ -15,15 +15,17 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, InfoFlowAnalysis
from setools import InfoFlowAnalysis
from setools import TERuletype as TERT
from setools.permmap import PermissionMap
from setools.policyrep.exception import InvalidType
from setools.policyrep.libpolicyrep import Type
from . import mixins
from .policyrep.util import compile_policy
# Note: the testing for having correct rules on every edge is only
@ -36,10 +38,14 @@ class InfoFlowAnalysisTest(mixins.ValidateRule, unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/infoflow.conf")
cls.p = compile_policy("tests/infoflow.conf")
cls.m = PermissionMap("tests/perm_map")
cls.a = InfoFlowAnalysis(cls.p, cls.m)
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_001_full_graph(self):
"""Information flow analysis full graph."""

88
tests/initsidquery.conf
View File

@ -6,27 +6,27 @@ class infoflow5
class infoflow6
class infoflow7
sid test1
sid test2a
sid test2b
sid test10
sid test11a
sid test11b
sid test11c
sid test20
sid test21a
sid test21b
sid test21c
sid test30
sid test31a
sid test31b
sid test31c
sid test40
sid test41
sid test42
sid test43
sid test44
sid test45
sid kernel
sid security
sid unlabeled
sid fs
sid file
sid file_labels
sid init
sid any_socket
sid port
sid netif
sid netmsg
sid node
sid igmp_packet
sid icmp_socket
sid tcp_socket
sid sysctl_modprobe
sid sysctl
sid sysctl_fs
sid sysctl_kernel
sid sysctl_net
sid sysctl_net_unix
common infoflow
{
@ -140,21 +140,21 @@ constrain infoflow hi_w (u1 == u2);
#
# test 1:
# name: test1, exact
# name: kernel, exact
# user: unset
# role: unset
# type: unset
# range: unset
sid test1 system:system:system:s0:c0.c4
sid kernel system:system:system:s0:c0.c4
# test 2:
# name: test2(a|b), regex
# name: (security|unlabeled), regex
# user: unset
# role: unset
# type: unset
# range: unset
sid test2a system:system:system:s0:c0.c1
sid test2b system:system:system:s0:c2.c4
sid security system:system:system:s0:c0.c1
sid unlabeled system:system:system:s0:c2.c4
# test 10:
# name: unset
@ -162,7 +162,7 @@ sid test2b system:system:system:s0:c2.c4
# role: unset
# type: unset
# range: unset
sid test10 user10:system:system:s0:c0.c1
sid fs user10:system:system:s0:c0.c1
# test 11:
# name: unset
@ -170,9 +170,9 @@ sid test10 user10:system:system:s0:c0.c1
# role: unset
# type: unset
# range: unset
sid test11a user11a:system:system:s0:c0.c1
sid test11b user11b:system:system:s0:c0.c1
sid test11c user11c:system:system:s0:c0.c1
sid file user11a:system:system:s0:c0.c1
sid file_labels user11b:system:system:s0:c0.c1
sid init user11c:system:system:s0:c0.c1
# test 20:
# name: unset
@ -180,7 +180,7 @@ sid test11c user11c:system:system:s0:c0.c1
# role: role20_r, exact
# type: unset
# range: unset
sid test20 system:role20_r:system:s0:c0.c1
sid any_socket system:role20_r:system:s0:c0.c1
# test 21:
# name: unset
@ -188,9 +188,9 @@ sid test20 system:role20_r:system:s0:c0.c1
# role: role20(a|c)_r, regex
# type: unset
# range: unset
sid test21a system:role21a_r:system:s0:c0.c1
sid test21b system:role21b_r:system:s0:c0.c1
sid test21c system:role21c_r:system:s0:c0.c1
sid port system:role21a_r:system:s0:c0.c1
sid netif system:role21b_r:system:s0:c0.c1
sid netmsg system:role21c_r:system:s0:c0.c1
# test 30:
# name: unset
@ -198,7 +198,7 @@ sid test21c system:role21c_r:system:s0:c0.c1
# role: unset
# type: type30
# range: unset
sid test30 system:system:type30:s0:c0.c1
sid node system:system:type30:s0:c0.c1
# test 31:
# name: unset
@ -206,9 +206,9 @@ sid test30 system:system:type30:s0:c0.c1
# role: unset
# type: type31(b|c)
# range: unset
sid test31a system:system:type31a:s0:c0.c1
sid test31b system:system:type31b:s0:c0.c1
sid test31c system:system:type31c:s0:c0.c1
sid igmp_packet system:system:type31a:s0:c0.c1
sid icmp_socket system:system:type31b:s0:c0.c1
sid tcp_socket system:system:type31c:s0:c0.c1
# test 40:
# name: unset
@ -216,7 +216,7 @@ sid test31c system:system:type31c:s0:c0.c1
# role: unset
# type: unset
# range: equal
sid test40 system:system:system:s0:c1 - s0:c0.c4
sid sysctl_modprobe system:system:system:s0:c1 - s0:c0.c4
# test 41:
# name: unset
@ -224,7 +224,7 @@ sid test40 system:system:system:s0:c1 - s0:c0.c4
# role: unset
# type: unset
# range: overlap
sid test41 system:system:system:s1:c1 - s1:c1.c3
sid sysctl system:system:system:s1:c1 - s1:c1.c3
# test 42:
# name: unset
@ -232,7 +232,7 @@ sid test41 system:system:system:s1:c1 - s1:c1.c3
# role: unset
# type: unset
# range: subset
sid test42 system:system:system:s2:c1 - s2:c1.c3
sid sysctl_fs system:system:system:s2:c1 - s2:c1.c3
# test 43:
# name: unset
@ -240,7 +240,7 @@ sid test42 system:system:system:s2:c1 - s2:c1.c3
# role: unset
# type: unset
# range: superset
sid test43 system:system:system:s3:c1 - s3:c1.c3
sid sysctl_kernel system:system:system:s3:c1 - s3:c1.c3
# test 44:
# name: unset
@ -248,7 +248,7 @@ sid test43 system:system:system:s3:c1 - s3:c1.c3
# role: unset
# type: unset
# range: proper subset
sid test44 system:system:system:s4:c1 - s4:c1.c3
sid sysctl_net system:system:system:s4:c1 - s4:c1.c3
# test 45:
# name: unset
@ -256,7 +256,7 @@ sid test44 system:system:system:s4:c1 - s4:c1.c3
# role: unset
# type: unset
# range: proper superset
sid test45 system:system:system:s5:c1 - s5:c1.c3
sid sysctl_net_unix system:system:system:s5:c1 - s5:c1.c3
#fs_use
fs_use_trans devpts system:object_r:system:s0;

63
tests/initsidquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, InitialSIDQuery
from setools import InitialSIDQuery
from .policyrep.util import compile_policy
class InitialSIDQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/initsidquery.conf")
cls.p = compile_policy("tests/initsidquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Initial SID query with no criteria"""
@ -38,136 +45,136 @@ class InitialSIDQueryTest(unittest.TestCase):
def test_001_name_exact(self):
"""Initial SID query with exact match"""
q = InitialSIDQuery(self.p, name="test1", name_regex=False)
q = InitialSIDQuery(self.p, name="kernel", name_regex=False)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test1"], sids)
self.assertListEqual(["kernel"], sids)
def test_002_name_regex(self):
"""Initial SID query with regex match"""
q = InitialSIDQuery(self.p, name="test2(a|b)", name_regex=True)
q = InitialSIDQuery(self.p, name="(security|unlabeled)", name_regex=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test2a", "test2b"], sids)
self.assertListEqual(["security", "unlabeled"], sids)
def test_010_user_exact(self):
"""Initial SID query with context user exact match"""
q = InitialSIDQuery(self.p, user="user10", user_regex=False)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test10"], sids)
self.assertListEqual(["fs"], sids)
def test_011_user_regex(self):
"""Initial SID query with context user regex match"""
q = InitialSIDQuery(self.p, user="user11(a|b)", user_regex=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test11a", "test11b"], sids)
self.assertListEqual(["file", "file_labels"], sids)
def test_020_role_exact(self):
"""Initial SID query with context role exact match"""
q = InitialSIDQuery(self.p, role="role20_r", role_regex=False)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test20"], sids)
self.assertListEqual(["any_socket"], sids)
def test_021_role_regex(self):
"""Initial SID query with context role regex match"""
q = InitialSIDQuery(self.p, role="role21(a|c)_r", role_regex=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test21a", "test21c"], sids)
self.assertListEqual(["netmsg", "port"], sids)
def test_030_type_exact(self):
"""Initial SID query with context type exact match"""
q = InitialSIDQuery(self.p, type_="type30", type_regex=False)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test30"], sids)
self.assertListEqual(["node"], sids)
def test_031_type_regex(self):
"""Initial SID query with context type regex match"""
q = InitialSIDQuery(self.p, type_="type31(b|c)", type_regex=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test31b", "test31c"], sids)
self.assertListEqual(["icmp_socket", "tcp_socket"], sids)
def test_040_range_exact(self):
"""Initial SID query with context range exact match"""
q = InitialSIDQuery(self.p, range_="s0:c1 - s0:c0.c4")
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test40"], sids)
self.assertListEqual(["sysctl_modprobe"], sids)
def test_041_range_overlap1(self):
"""Initial SID query with context range overlap match (equal)"""
q = InitialSIDQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test41"], sids)
self.assertListEqual(["sysctl"], sids)
def test_041_range_overlap2(self):
"""Initial SID query with context range overlap match (subset)"""
q = InitialSIDQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test41"], sids)
self.assertListEqual(["sysctl"], sids)
def test_041_range_overlap3(self):
"""Initial SID query with context range overlap match (superset)"""
q = InitialSIDQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test41"], sids)
self.assertListEqual(["sysctl"], sids)
def test_041_range_overlap4(self):
"""Initial SID query with context range overlap match (overlap low level)"""
q = InitialSIDQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test41"], sids)
self.assertListEqual(["sysctl"], sids)
def test_041_range_overlap5(self):
"""Initial SID query with context range overlap match (overlap high level)"""
q = InitialSIDQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test41"], sids)
self.assertListEqual(["sysctl"], sids)
def test_042_range_subset1(self):
"""Initial SID query with context range subset match"""
q = InitialSIDQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test42"], sids)
self.assertListEqual(["sysctl_fs"], sids)
def test_042_range_subset2(self):
"""Initial SID query with context range subset match (equal)"""
q = InitialSIDQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test42"], sids)
self.assertListEqual(["sysctl_fs"], sids)
def test_043_range_superset1(self):
"""Initial SID query with context range superset match"""
q = InitialSIDQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test43"], sids)
self.assertListEqual(["sysctl_kernel"], sids)
def test_043_range_superset2(self):
"""Initial SID query with context range superset match (equal)"""
q = InitialSIDQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test43"], sids)
self.assertListEqual(["sysctl_kernel"], sids)
def test_044_range_proper_subset1(self):
"""Initial SID query with context range proper subset match"""
q = InitialSIDQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test44"], sids)
self.assertListEqual(["sysctl_net"], sids)
def test_044_range_proper_subset2(self):
"""Initial SID query with context range proper subset match (equal)"""
@ -181,7 +188,7 @@ class InitialSIDQueryTest(unittest.TestCase):
q = InitialSIDQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test44"], sids)
self.assertListEqual(["sysctl_net"], sids)
def test_044_range_proper_subset4(self):
"""Initial SID query with context range proper subset match (equal high only)"""
@ -189,14 +196,14 @@ class InitialSIDQueryTest(unittest.TestCase):
range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test44"], sids)
self.assertListEqual(["sysctl_net"], sids)
def test_045_range_proper_superset1(self):
"""Initial SID query with context range proper superset match"""
q = InitialSIDQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test45"], sids)
self.assertListEqual(["sysctl_net_unix"], sids)
def test_045_range_proper_superset2(self):
"""Initial SID query with context range proper superset match (equal)"""
@ -212,11 +219,11 @@ class InitialSIDQueryTest(unittest.TestCase):
range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test45"], sids)
self.assertListEqual(["sysctl_net_unix"], sids)
def test_045_range_proper_superset4(self):
"""Initial SID query with context range proper superset match (equal high)"""
q = InitialSIDQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test45"], sids)
self.assertListEqual(["sysctl_net_unix"], sids)

11
tests/iomemconquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, IomemconQuery
from setools import IomemconQuery
from .policyrep.util import compile_policy
class IomemconQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/iomemconquery.conf")
cls.p = compile_policy("tests/iomemconquery.conf", xen=True)
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Iomemcon query with no criteria"""

11
tests/ioportconquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, IoportconQuery
from setools import IoportconQuery
from .policyrep.util import compile_policy
class IoportconQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/ioportconquery.conf")
cls.p = compile_policy("tests/ioportconquery.conf", xen=True)
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Ioportcon query with no criteria"""

4
tests/mlsrulequery.conf
View File

@ -98,9 +98,11 @@ role system types system;
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
########################################
#
# TE Rule Query
# MLS Rule Query
#
# test 1

10
tests/mlsrulequery.py
View File

@ -15,12 +15,14 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, MLSRuleQuery
from setools import MLSRuleQuery
from setools import MLSRuletype as RT
from . import mixins
from .policyrep.util import compile_policy
# Note: the test policy has been written assuming range_transition
# statements could have attributes. However, range_transition
@ -33,7 +35,11 @@ class MLSRuleQueryTest(mixins.ValidateRule, unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/mlsrulequery.conf")
cls.p = compile_policy("tests/mlsrulequery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""MLS rule query with no criteria."""

7
tests/netifconquery.py
View File

@ -15,16 +15,19 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, NetifconQuery
from setools import NetifconQuery
from .policyrep.util import compile_policy
class NetifconQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/netifconquery.conf")
cls.p = compile_policy("tests/netifconquery.conf")
def test_000_unset(self):
"""Netifcon query with no criteria"""

2
tests/nodeconquery.conf
View File

@ -107,7 +107,7 @@ role system types { type40 type41a type41b type41c };
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
################################################################################

12
tests/nodeconquery.py
View File

@ -16,19 +16,25 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
import unittest
from socket import AF_INET6
from ipaddress import IPv4Network, IPv6Network
from setools import SELinuxPolicy, NodeconQuery
from setools import NodeconQuery
from .policyrep.util import compile_policy
class NodeconQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/nodeconquery.conf")
cls.p = compile_policy("tests/nodeconquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Nodecon query with no criteria"""

2
tests/objclassquery.conf
View File

@ -120,6 +120,8 @@ type system;
role system;
role system types system;
allow system system:infoflow3 null;
#users
user system roles system level med range low_s - high_s:here.lost;

11
tests/objclassquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, ObjClassQuery
from setools import ObjClassQuery
from .policyrep.util import compile_policy
class ObjClassQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/objclassquery.conf")
cls.p = compile_policy("tests/objclassquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Class query with no criteria."""

11
tests/pcideviceconquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, PcideviceconQuery
from setools import PcideviceconQuery
from .policyrep.util import compile_policy
class PcideviceconQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/pcideviceconquery.conf")
cls.p = compile_policy("tests/pcideviceconquery.conf", xen=True)
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Pcidevicecon query with no criteria"""

16
tests/permmap.py
View File

@ -16,17 +16,28 @@
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import unittest
import os
from unittest.mock import Mock
from setools import SELinuxPolicy, PermissionMap, TERuletype
from setools import PermissionMap, TERuletype
from setools.exception import PermissionMapParseError, RuleTypeError, \
UnmappedClass, UnmappedPermission
from .policyrep.util import compile_policy
class PermissionMapTest(unittest.TestCase):
"""Permission map unit tests."""
@classmethod
def setUpClass(cls):
cls.p = compile_policy("tests/permmap.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def validate_permmap_entry(self, permmap, cls, perm, direction, weight, enabled):
"""Validate a permission map entry and settings."""
self.assertIn(cls, permmap)
@ -384,9 +395,8 @@ class PermissionMapTest(unittest.TestCase):
def test_150_map_policy(self):
"""PermMap create mappings for classes/perms in a policy."""
policy = SELinuxPolicy("tests/permmap.conf")
permmap = PermissionMap("tests/perm_map")
permmap.map_policy(policy)
permmap.map_policy(self.p)
self.validate_permmap_entry(permmap.permmap, 'infoflow2', 'new_perm', 'u', 1, True)

11
tests/pirqconquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, PirqconQuery
from setools import PirqconQuery
from .policyrep.util import compile_policy
class PirqconQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/pirqconquery.conf")
cls.p = compile_policy("tests/pirqconquery.conf", xen=True)
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Pirqcon query with no criteria"""

2
tests/polcapquery.conf
View File

@ -80,6 +80,8 @@ role system types system;
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
########################################
#
# Policy capabilities query

11
tests/polcapquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, PolCapQuery
from setools import PolCapQuery
from .policyrep.util import compile_policy
class PolCapQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/polcapquery.conf")
cls.p = compile_policy("tests/polcapquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Policy capability query with no criteria"""

48
tests/policyrep/selinuxpolicy.py
View File

@ -19,55 +19,29 @@
import copy
import os
import sys
import subprocess
import tempfile
import unittest
from setools import SELinuxPolicy, HandleUnknown
from setools.policyrep.exception import InvalidPolicy
from .util import compile_policy
class SELinuxPolicyTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
# create a temp file for the binary policy
# and then have checkpolicy overwrite it.
fd, cls.policy_path = tempfile.mkstemp()
os.close(fd)
try:
command = [os.environ['CHECKPOLICY']]
except KeyError:
command = ["/usr/bin/checkpolicy"]
command.extend(["-M", "-o", cls.policy_path, "-U", "reject",
"tests/policyrep/selinuxpolicy.conf"])
with open(os.devnull, "w") as null:
subprocess.check_call(command, stdout=null, shell=False, close_fds=True)
try:
cls.p = SELinuxPolicy("tests/policyrep/selinuxpolicy.conf")
cls.p_binary = SELinuxPolicy(cls.policy_path)
except:
# This should never be hit, since this policy
# successfully compiled with checkpolicy above.
# If we do, clean up the binary policy since
# tearDownClass() does not run.
os.unlink(cls.policy_path)
raise
cls.p = compile_policy("tests/policyrep/selinuxpolicy.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.policy_path)
os.unlink(cls.p.path)
@unittest.skip("Retired for the SELinuxPolicyLoadError test suite.")
def test_001_open_policy_error(self):
"""SELinuxPolicy: Invalid policy on open."""
# source policies not supported
self.assertRaises(InvalidPolicy, SELinuxPolicy, "tests/policyrep/selinuxpolicy-bad.conf")
sys.stderr.write(
"The \"category can not be associated\" error above is expected.")
def test_002_open_policy_non_existant(self):
"""SELinuxPolicy: Non existant policy on open."""
@ -82,7 +56,7 @@ class SELinuxPolicyTest(unittest.TestCase):
def test_010_handle_unknown(self):
"""SELinuxPolicy: handle unknown setting."""
self.assertEqual(self.p_binary.handle_unknown, HandleUnknown.reject)
self.assertEqual(self.p.handle_unknown, HandleUnknown.reject)
def test_011_mls(self):
"""SELinuxPolicy: MLS status."""
@ -162,8 +136,9 @@ class SELinuxPolicyTest(unittest.TestCase):
def test_118_neverallow_count(self):
"""SELinuxPolicy: neverallow rule count"""
self.assertEqual(self.p.neverallow_count, 103)
self.assertEqual(self.p_binary.neverallow_count, 0)
# changed after dropping source policy support
# self.assertEqual(self.p.neverallow_count, 103)
self.assertEqual(self.p.neverallow_count, 0)
def test_119_nodecon_count(self):
"""SELinuxPolicy: nodecon count"""
@ -241,13 +216,16 @@ class SELinuxPolicyTest(unittest.TestCase):
def test_138_neverallowxperm_count(self):
"""SELinuxPolicy: neverallowxperm rount"""
self.assertEqual(self.p.neverallowxperm_count, 191)
# changed after dropping source policy support
# self.assertEqual(self.p.neverallowxperm_count, 191)
self.assertEqual(self.p.neverallowxperm_count, 0)
def test_139_allowxperm_count(self):
"""SELinuxPolicy: dontauditxperm rount"""
self.assertEqual(self.p.dontauditxperm_count, 193)
@unittest.skip("No longer necessary since source policy support was dropped.")
class SELinuxPolicyLoadError(unittest.TestCase):
"""Test attempted loading of non-compiling policies."""

66
tests/policyrep/util.py Normal file
View File

@ -0,0 +1,66 @@
# Copyright 2015, Tresys Technology, LLC
# Copyright 2018, Chris PeBenito <pebenito@ieee.org>
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import subprocess
import tempfile
from setools import SELinuxPolicy
def compile_policy(source_file, mls=True, xen=False):
"""
Compile the specified source policy. Checkpolicy is
assumed to be /usr/bin/checkpolicy. Otherwise the path
must be specified in the CHECKPOLICY environment variable.
Return:
A SELinuxPolicy object.
"""
# create a temp file for the binary policy
# and then have checkpolicy overwrite it.
fd, policy_path = tempfile.mkstemp()
os.close(fd)
try:
command = [os.environ['CHECKPOLICY']]
except KeyError:
command = ["/usr/bin/checkpolicy"]
if mls:
command.append("-M")
if xen:
command.extend(["-t", "xen", "-c", "30"])
command.extend(["-o", policy_path, "-U", "reject", source_file])
with open(os.devnull, "w") as null:
subprocess.check_call(command, stdout=null, shell=False, close_fds=True)
try:
policy = SELinuxPolicy(policy_path)
except Exception:
# This should never be hit, since this policy
# successfully compiled with checkpolicy above.
# If we do, clean up the binary policy since
# tearDownClass() does not run.
os.unlink(policy_path)
raise
return policy

11
tests/portconquery.py
View File

@ -15,17 +15,24 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from socket import IPPROTO_UDP
from setools import SELinuxPolicy, PortconQuery
from setools import PortconQuery
from .policyrep.util import compile_policy
class PortconQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/portconquery.conf")
cls.p = compile_policy("tests/portconquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Portcon query with no criteria"""

2
tests/rbacrulequery.conf
View File

@ -84,6 +84,8 @@ type system;
role system;
role system types system;
allow system system:infoflow3 null;
################################################################################
# RBAC

10
tests/rbacrulequery.py
View File

@ -17,13 +17,15 @@
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
# pylint: disable=invalid-name,too-many-public-methods
import os
import unittest
from setools import SELinuxPolicy, RBACRuleQuery
from setools import RBACRuleQuery
from setools import RBACRuletype as RRT
from setools.policyrep.exception import RuleUseError, RuleNotConditional
from . import mixins
from .policyrep.util import compile_policy
class RBACRuleQueryTest(mixins.ValidateRule, unittest.TestCase):
@ -32,7 +34,11 @@ class RBACRuleQueryTest(mixins.ValidateRule, unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/rbacrulequery.conf")
cls.p = compile_policy("tests/rbacrulequery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def validate_allow(self, rule, source, target):
"""Validate a role allow rule."""

2
tests/rolequery.conf
View File

@ -80,6 +80,8 @@ role system types system;
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
########################################
#
# Role Query

11
tests/rolequery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, RoleQuery
from setools import RoleQuery
from .policyrep.util import compile_policy
class RoleQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/rolequery.conf")
cls.p = compile_policy("tests/rolequery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Role query with no criteria."""

1
tests/sensitivityquery.conf
View File

@ -137,6 +137,7 @@ role system types system;
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
################################################################################

11
tests/sensitivityquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, SensitivityQuery
from setools import SensitivityQuery
from .policyrep.util import compile_policy
class SensitivityQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/sensitivityquery.conf")
cls.p = compile_policy("tests/sensitivityquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Sensitivity query with no criteria."""

36
tests/terulequery.py
View File

@ -17,12 +17,14 @@
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
# pylint: disable=invalid-name,too-many-public-methods
import os
import unittest
from setools import SELinuxPolicy, TERuleQuery
from setools import TERuleQuery
from setools import TERuletype as TRT
from . import mixins
from .policyrep.util import compile_policy
class TERuleQueryTest(mixins.ValidateRule, unittest.TestCase):
@ -31,7 +33,11 @@ class TERuleQueryTest(mixins.ValidateRule, unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/terulequery.conf")
cls.p = compile_policy("tests/terulequery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""TE rule query with no criteria."""
@ -293,7 +299,11 @@ class TERuleQueryXperm(mixins.ValidateRule, unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/terulequery2.conf")
cls.p = compile_policy("tests/terulequery2.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_001_source_direct(self):
"""Xperm rule query with exact, direct, source match."""
@ -421,11 +431,13 @@ class TERuleQueryXperm(mixins.ValidateRule, unittest.TestCase):
perms=set(["ioctl", "hi_w"]), perms_equal=False)
r = sorted(q.results())
self.assertEqual(len(r), 2)
self.validate_rule(r[0], TRT.neverallow, "test100", "system", "infoflow2",
set(["ioctl", "hi_w"]))
self.validate_rule(r[1], TRT.neverallowxperm, "test100", "test100", "infoflow2",
set([0x1234]), xperm="ioctl")
self.assertEqual(len(r), 0)
# changed after dropping source policy support
# self.assertEqual(len(r), 2)
# self.validate_rule(r[0], TRT.neverallow, "test100", "system", "infoflow2",
# set(["ioctl", "hi_w"]))
# self.validate_rule(r[1], TRT.neverallowxperm, "test100", "test100", "infoflow2",
# set([0x1234]), xperm="ioctl")
def test_100_std_perm_equal(self):
"""Xperm rule query match by standard permission, equal perm set."""
@ -433,9 +445,11 @@ class TERuleQueryXperm(mixins.ValidateRule, unittest.TestCase):
perms=set(["ioctl", "hi_w"]), perms_equal=True)
r = sorted(q.results())
self.assertEqual(len(r), 1)
self.validate_rule(r[0], TRT.neverallow, "test100", "system", "infoflow2",
set(["ioctl", "hi_w"]))
self.assertEqual(len(r), 0)
# changed after dropping source policy support
# self.assertEqual(len(r), 1)
# self.validate_rule(r[0], TRT.neverallow, "test100", "system", "infoflow2",
# set(["ioctl", "hi_w"]))
def test_101_xperm_any(self):
"""Xperm rule query match any perm set."""

2
tests/typeattrquery.conf
View File

@ -80,6 +80,8 @@ role system types system;
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
########################################
#
# Type Query

11
tests/typeattrquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, TypeAttributeQuery
from setools import TypeAttributeQuery
from .policyrep.util import compile_policy
class TypeAttributeQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/typeattrquery.conf")
cls.p = compile_policy("tests/typeattrquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Type attribute query with no criteria."""

2
tests/typequery.conf
View File

@ -80,6 +80,8 @@ role system types system;
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
########################################
#
# Type Query

11
tests/typequery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, TypeQuery
from setools import TypeQuery
from .policyrep.util import compile_policy
class TypeQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/typequery.conf")
cls.p = compile_policy("tests/typequery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""Type query with no criteria."""

2
tests/userquery.conf
View File

@ -93,6 +93,8 @@ role system types system;
################################################################################
# Type enforcement declarations and rules
allow system system:infoflow3 null;
########################################
#
# User Query

11
tests/userquery.py
View File

@ -15,16 +15,23 @@
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import os
import unittest
from setools import SELinuxPolicy, UserQuery
from setools import UserQuery
from .policyrep.util import compile_policy
class UserQueryTest(unittest.TestCase):
@classmethod
def setUpClass(cls):
cls.p = SELinuxPolicy("tests/userquery.conf")
cls.p = compile_policy("tests/userquery.conf")
@classmethod
def tearDownClass(cls):
os.unlink(cls.p.path)
def test_000_unset(self):
"""User query with no criteria."""