RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-01-30 03:32:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Implement MLS range tests on several context-based queries.

Browse Source
This commit is contained in:
Chris PeBenito 2015-02-24 15:50:08 -05:00
parent fa02fdfbb5
commit 9939f5241e
10 changed files with 950 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
tests/genfsconquery.conf
View File

@ -56,8 +56,12 @@ inherits infoflow
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
dominance { s0 s1 s2 }
dominance { s0 s1 s2 s3 s4 s5 s6 }
category c0;
category c1;
@ -69,6 +73,10 @@ category c4;
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s4:c0.c4;
level s5:c0.c4;
level s6:c0.c4;
#some constraints
@ -104,7 +112,7 @@ role system types { type40 type41a type41b type41c };
################################################################################
#users
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s2:c0.c4;
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s6:c0.c4;
user user20 roles system level s0 range s0 - s2:c0.c4;
user user21a roles system level s0 range s0 - s2:c0.c4;
user user21b roles system level s0 range s0 - s2:c0.c4;
@ -238,6 +246,66 @@ genfscon test50l / -l system:system:system:s0:c0.c4
genfscon test50p / -p system:system:system:s0:c0.c4
genfscon test50d / -d system:system:system:s0:c0.c4
# test 60:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: equal
genfscon test60 / system:system:system:s0:c1 - s0:c0.c4
# test 61:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: overlap
genfscon test61 / system:system:system:s1:c1 - s1:c1.c3
# test 62:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: subset
genfscon test62 / system:system:system:s2:c1 - s2:c1.c3
# test 63:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: superset
genfscon test63 / system:system:system:s3:c1 - s3:c1.c3
# test 64:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: proper subset
genfscon test64 / system:system:system:s4:c1 - s4:c1.c3
# test 65:
# fs: unset
# filetype: unset
# path: unset
# user: unset
# role: unset
# type: unset
# range: proper superset
genfscon test65 / system:system:system:s5:c1 - s5:c1.c3
portcon tcp 80 system:object_r:system:s0
netifcon eth0 system:object_r:system:s0 system:object_r:system:s0

127
tests/genfsconquery.py
View File

@ -113,3 +113,130 @@ class GenfsconQueryTest(unittest.TestCase):
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test50b"], genfs)
def test_060_range_exact(self):
"""Genfscon query with context range exact match"""
q = GenfsconQuery(self.p, range_="s0:c1 - s0:c0.c4")
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test60"], genfs)
def test_061_range_overlap1(self):
"""Genfscon query with context range overlap match (equal)"""
q = GenfsconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test61"], genfs)
def test_061_range_overlap2(self):
"""Genfscon query with context range overlap match (subset)"""
q = GenfsconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test61"], genfs)
def test_061_range_overlap3(self):
"""Genfscon query with context range overlap match (superset)"""
q = GenfsconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test61"], genfs)
def test_061_range_overlap4(self):
"""Genfscon query with context range overlap match (overlap low level)"""
q = GenfsconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test61"], genfs)
def test_061_range_overlap5(self):
"""Genfscon query with context range overlap match (overlap high level)"""
q = GenfsconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test61"], genfs)
def test_062_range_subset1(self):
"""Genfscon query with context range subset match"""
q = GenfsconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test62"], genfs)
def test_062_range_subset2(self):
"""Genfscon query with context range subset match (equal)"""
q = GenfsconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test62"], genfs)
def test_063_range_superset1(self):
"""Genfscon query with context range superset match"""
q = GenfsconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test63"], genfs)
def test_063_range_superset2(self):
"""Genfscon query with context range superset match (equal)"""
q = GenfsconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test63"], genfs)
def test_064_range_proper_subset1(self):
"""Genfscon query with context range proper subset match"""
q = GenfsconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test64"], genfs)
def test_064_range_proper_subset2(self):
"""Genfscon query with context range proper subset match (equal)"""
q = GenfsconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual([], genfs)
def test_064_range_proper_subset3(self):
"""Genfscon query with context range proper subset match (equal low only)"""
q = GenfsconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test64"], genfs)
def test_064_range_proper_subset4(self):
"""Genfscon query with context range proper subset match (equal high only)"""
q = GenfsconQuery(self.p,
range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test64"], genfs)
def test_065_range_proper_superset1(self):
"""Genfscon query with context range proper superset match"""
q = GenfsconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test65"], genfs)
def test_065_range_proper_superset2(self):
"""Genfscon query with context range proper superset match (equal)"""
q = GenfsconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual([], genfs)
def test_065_range_proper_superset3(self):
"""Genfscon query with context range proper superset match (equal low)"""
q = GenfsconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test65"], genfs)
def test_065_range_proper_superset4(self):
"""Genfscon query with context range proper superset match (equal high)"""
q = GenfsconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test65"], genfs)

66
tests/initsidquery.conf
View File

@ -21,6 +21,12 @@ sid test30
sid test31a
sid test31b
sid test31c
sid test40
sid test41
sid test42
sid test43
sid test44
sid test45
common infoflow
{
@ -69,8 +75,12 @@ inherits infoflow
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
dominance { s0 s1 s2 }
dominance { s0 s1 s2 s3 s4 s5 s6 }
category c0;
category c1;
@ -82,6 +92,10 @@ category c4;
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s4:c0.c4;
level s5:c0.c4;
level s6:c0.c4;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
@ -111,7 +125,7 @@ role system types { type30 type31a type31b type31c };
allow system self:infoflow hi_w;
#users
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4;
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s6:c0.c4;
user user10 roles system level s0 range s0 - s2:c0.c4;
user user11a roles system level s0 range s0 - s2:c0.c4;
user user11b roles system level s0 range s0 - s2:c0.c4;
@ -196,6 +210,54 @@ sid test31a system:system:type31a:s0:c0.c1
sid test31b system:system:type31b:s0:c0.c1
sid test31c system:system:type31c:s0:c0.c1
# test 40:
# name: unset
# user: unset
# role: unset
# type: unset
# range: equal
sid test40 system:system:system:s0:c1 - s0:c0.c4
# test 41:
# name: unset
# user: unset
# role: unset
# type: unset
# range: overlap
sid test41 system:system:system:s1:c1 - s1:c1.c3
# test 42:
# name: unset
# user: unset
# role: unset
# type: unset
# range: subset
sid test42 system:system:system:s2:c1 - s2:c1.c3
# test 43:
# name: unset
# user: unset
# role: unset
# type: unset
# range: superset
sid test43 system:system:system:s3:c1 - s3:c1.c3
# test 44:
# name: unset
# user: unset
# role: unset
# type: unset
# range: proper subset
sid test44 system:system:system:s4:c1 - s4:c1.c3
# test 45:
# name: unset
# user: unset
# role: unset
# type: unset
# range: proper superset
sid test45 system:system:system:s5:c1 - s5:c1.c3
#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;

129
tests/initsidquery.py
View File

@ -91,3 +91,132 @@ class InitialSIDQueryTest(unittest.TestCase):
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test31b", "test31c"], sids)
def test_040_range_exact(self):
"""Initial SID query with context range exact match"""
q = InitialSIDQuery(self.p, range_="s0:c1 - s0:c0.c4")
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test40"], sids)
def test_041_range_overlap1(self):
"""Initial SID query with context range overlap match (equal)"""
q = InitialSIDQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test41"], sids)
def test_041_range_overlap2(self):
"""Initial SID query with context range overlap match (subset)"""
q = InitialSIDQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test41"], sids)
def test_041_range_overlap3(self):
"""Initial SID query with context range overlap match (superset)"""
q = InitialSIDQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test41"], sids)
def test_041_range_overlap4(self):
"""Initial SID query with context range overlap match (overlap low level)"""
q = InitialSIDQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test41"], sids)
def test_041_range_overlap5(self):
"""Initial SID query with context range overlap match (overlap high level)"""
q = InitialSIDQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test41"], sids)
def test_042_range_subset1(self):
"""Initial SID query with context range subset match"""
q = InitialSIDQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test42"], sids)
def test_042_range_subset2(self):
"""Initial SID query with context range subset match (equal)"""
q = InitialSIDQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test42"], sids)
def test_043_range_superset1(self):
"""Initial SID query with context range superset match"""
q = InitialSIDQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test43"], sids)
def test_043_range_superset2(self):
"""Initial SID query with context range superset match (equal)"""
q = InitialSIDQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test43"], sids)
def test_044_range_proper_subset1(self):
"""Initial SID query with context range proper subset match"""
q = InitialSIDQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test44"], sids)
def test_044_range_proper_subset2(self):
"""Initial SID query with context range proper subset match (equal)"""
q = InitialSIDQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual([], sids)
def test_044_range_proper_subset3(self):
"""Initial SID query with context range proper subset match (equal low only)"""
q = InitialSIDQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test44"], sids)
def test_044_range_proper_subset4(self):
"""Initial SID query with context range proper subset match (equal high only)"""
q = InitialSIDQuery(self.p,
range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test44"], sids)
def test_045_range_proper_superset1(self):
"""Initial SID query with context range proper superset match"""
q = InitialSIDQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test45"], sids)
def test_045_range_proper_superset2(self):
"""Initial SID query with context range proper superset match (equal)"""
q = InitialSIDQuery(self.p,
range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual([], sids)
def test_045_range_proper_superset3(self):
"""Initial SID query with context range proper superset match (equal low)"""
q = InitialSIDQuery(self.p,
range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test45"], sids)
def test_045_range_proper_superset4(self):
"""Initial SID query with context range proper superset match (equal high)"""
q = InitialSIDQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True)
sids = sorted(str(s) for s in q.results())
self.assertListEqual(["test45"], sids)

61
tests/netifconquery.conf
View File

@ -56,8 +56,12 @@ inherits infoflow
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
dominance { s0 s1 s2 }
dominance { s0 s1 s2 s3 s4 s5 s6 }
category c0;
category c1;
@ -69,6 +73,10 @@ category c4;
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s4:c0.c4;
level s5:c0.c4;
level s6:c0.c4;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
@ -98,7 +106,7 @@ role system types { type30 type31a type31b type31c };
allow system self:infoflow hi_w;
#users
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4;
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s6:c0.c4;
user user10 roles system level s0 range s0 - s2:c0.c4;
user user11a roles system level s0 range s0 - s2:c0.c4;
user user11b roles system level s0 range s0 - s2:c0.c4;
@ -194,6 +202,55 @@ netifcon test31a system:system:type31a:s0:c0.c1 system:object_r:system:s0
netifcon test31b system:system:type31b:s0:c0.c1 system:object_r:system:s0
netifcon test31c system:system:type31c:s0:c0.c1 system:object_r:system:s0
# test 40:
# name: unset
# user: unset
# role: unset
# type: unset
# range: equal
netifcon test40 system:system:system:s0:c1 - s0:c0.c4 system:object_r:system:s0
# test 41:
# name: unset
# user: unset
# role: unset
# type: unset
# range: overlap
netifcon test41 system:system:system:s1:c1 - s1:c1.c3 system:object_r:system:s0
# test 42:
# name: unset
# ruletype: unset
# user: unset
# role: unset
# type: unset
# range: subset
netifcon test42 system:system:system:s2:c1 - s2:c1.c3 system:object_r:system:s0
# test 43:
# name: unset
# user: unset
# role: unset
# type: unset
# range: superset
netifcon test43 system:system:system:s3:c1 - s3:c1.c3 system:object_r:system:s0
# test 44:
# name: unset
# user: unset
# role: unset
# type: unset
# range: proper subset
netifcon test44 system:system:system:s4:c1 - s4:c1.c3 system:object_r:system:s0
# test 45:
# name: unset
# user: unset
# role: unset
# type: unset
# range: proper superset
netifcon test45 system:system:system:s5:c1 - s5:c1.c3 system:object_r:system:s0
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0

127
tests/netifconquery.py
View File

@ -91,3 +91,130 @@ class NetifconQueryTest(unittest.TestCase):
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test31b", "test31c"], netifs)
def test_040_range_exact(self):
"""Netifcon query with context range exact match"""
q = NetifconQuery(self.p, range_="s0:c1 - s0:c0.c4")
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test40"], netifs)
def test_041_range_overlap1(self):
"""Netifcon query with context range overlap match (equal)"""
q = NetifconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test41"], netifs)
def test_041_range_overlap2(self):
"""Netifcon query with context range overlap match (subset)"""
q = NetifconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test41"], netifs)
def test_041_range_overlap3(self):
"""Netifcon query with context range overlap match (superset)"""
q = NetifconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test41"], netifs)
def test_041_range_overlap4(self):
"""Netifcon query with context range overlap match (overlap low level)"""
q = NetifconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test41"], netifs)
def test_041_range_overlap5(self):
"""Netifcon query with context range overlap match (overlap high level)"""
q = NetifconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test41"], netifs)
def test_042_range_subset1(self):
"""Netifcon query with context range subset match"""
q = NetifconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test42"], netifs)
def test_042_range_subset2(self):
"""Netifcon query with context range subset match (equal)"""
q = NetifconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test42"], netifs)
def test_043_range_superset1(self):
"""Netifcon query with context range superset match"""
q = NetifconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test43"], netifs)
def test_043_range_superset2(self):
"""Netifcon query with context range superset match (equal)"""
q = NetifconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test43"], netifs)
def test_044_range_proper_subset1(self):
"""Netifcon query with context range proper subset match"""
q = NetifconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test44"], netifs)
def test_044_range_proper_subset2(self):
"""Netifcon query with context range proper subset match (equal)"""
q = NetifconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual([], netifs)
def test_044_range_proper_subset3(self):
"""Netifcon query with context range proper subset match (equal low only)"""
q = NetifconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test44"], netifs)
def test_044_range_proper_subset4(self):
"""Netifcon query with context range proper subset match (equal high only)"""
q = NetifconQuery(self.p,
range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test44"], netifs)
def test_045_range_proper_superset1(self):
"""Netifcon query with context range proper superset match"""
q = NetifconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test45"], netifs)
def test_045_range_proper_superset2(self):
"""Netifcon query with context range proper superset match (equal)"""
q = NetifconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual([], netifs)
def test_045_range_proper_superset3(self):
"""Netifcon query with context range proper superset match (equal low)"""
q = NetifconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test45"], netifs)
def test_045_range_proper_superset4(self):
"""Netifcon query with context range proper superset match (equal high)"""
q = NetifconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test45"], netifs)

60
tests/nodeconquery.conf
View File

@ -56,8 +56,12 @@ inherits infoflow
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
dominance { s0 s1 s2 }
dominance { s0 s1 s2 s3 s4 s5 s6 }
category c0;
category c1;
@ -69,6 +73,10 @@ category c4;
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s4:c0.c4;
level s5:c0.c4;
level s6:c0.c4;
#some constraints
@ -104,7 +112,7 @@ role system types { type40 type41a type41b type41c };
################################################################################
#users
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s2:c0.c4;
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s6:c0.c4;
user user20 roles system level s0 range s0 - s2:c0.c4;
user user21a roles system level s0 range s0 - s2:c0.c4;
user user21b roles system level s0 range s0 - s2:c0.c4;
@ -185,6 +193,54 @@ nodecon 10.1.41.1 255.255.255.255 system:system:type41a:s0:c0.c1
nodecon 10.1.41.2 255.255.255.255 system:system:type41b:s0:c0.c1
nodecon 10.1.41.3 255.255.255.255 system:system:type41c:s0:c0.c1
# test 50:
# network: unset
# user: unset
# role: unset
# type: unset
# range: equal
nodecon 10.1.50.1 255.255.255.255 system:system:system:s0:c1 - s0:c0.c4
# test 51:
# network: unset
# user: unset
# role: unset
# type: unset
# range: overlap
nodecon 10.1.51.1 255.255.255.255 system:system:system:s1:c1 - s1:c1.c3
# test 52:
# network: unset
# user: unset
# role: unset
# type: unset
# range: subset
nodecon 10.1.52.1 255.255.255.255 system:system:system:s2:c1 - s2:c1.c3
# test 53:
# network: unset
# user: unset
# role: unset
# type: unset
# range: superset
nodecon 10.1.53.1 255.255.255.255 system:system:system:s3:c1 - s3:c1.c3
# test 54:
# network: unset
# user: unset
# role: unset
# type: unset
# range: proper subset
nodecon 10.1.54.1 255.255.255.255 system:system:system:s4:c1 - s4:c1.c3
# test 55:
# network: unset
# user: unset
# role: unset
# type: unset
# range: proper superset
nodecon 10.1.55.1 255.255.255.255 system:system:system:s5:c1 - s5:c1.c3
# test 100:
# network: 10.1.100.0/24, equal
# user: unset

126
tests/nodeconquery.py
View File

@ -87,6 +87,132 @@ class NodeconQueryTest(unittest.TestCase):
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.41.2", "10.1.41.3"], nodecons)
def test_050_range_exact(self):
"""Nodecon query with context range exact match"""
q = NodeconQuery(self.p, range_="s0:c1 - s0:c0.c4")
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.50.1"], nodecons)
def test_051_range_overlap1(self):
"""Nodecon query with context range overlap match (equal)"""
q = NodeconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.51.1"], nodecons)
def test_051_range_overlap2(self):
"""Nodecon query with context range overlap match (subset)"""
q = NodeconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.51.1"], nodecons)
def test_051_range_overlap3(self):
"""Nodecon query with context range overlap match (superset)"""
q = NodeconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.51.1"], nodecons)
def test_051_range_overlap4(self):
"""Nodecon query with context range overlap match (overlap low level)"""
q = NodeconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.51.1"], nodecons)
def test_051_range_overlap5(self):
"""Nodecon query with context range overlap match (overlap high level)"""
q = NodeconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.51.1"], nodecons)
def test_052_range_subset1(self):
"""Nodecon query with context range subset match"""
q = NodeconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.52.1"], nodecons)
def test_052_range_subset2(self):
"""Nodecon query with context range subset match (equal)"""
q = NodeconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.52.1"], nodecons)
def test_053_range_superset1(self):
"""Nodecon query with context range superset match"""
q = NodeconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.53.1"], nodecons)
def test_053_range_superset2(self):
"""Nodecon query with context range superset match (equal)"""
q = NodeconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.53.1"], nodecons)
def test_054_range_proper_subset1(self):
"""Nodecon query with context range proper subset match"""
q = NodeconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.54.1"], nodecons)
def test_054_range_proper_subset2(self):
"""Nodecon query with context range proper subset match (equal)"""
q = NodeconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual([], nodecons)
def test_054_range_proper_subset3(self):
"""Nodecon query with context range proper subset match (equal low only)"""
q = NodeconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.54.1"], nodecons)
def test_054_range_proper_subset4(self):
"""Nodecon query with context range proper subset match (equal high only)"""
q = NodeconQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.54.1"], nodecons)
def test_055_range_proper_superset1(self):
"""Nodecon query with context range proper superset match"""
q = NodeconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.55.1"], nodecons)
def test_055_range_proper_superset2(self):
"""Nodecon query with context range proper superset match (equal)"""
q = NodeconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual([], nodecons)
def test_055_range_proper_superset3(self):
"""Nodecon query with context range proper superset match (equal low)"""
q = NodeconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.55.1"], nodecons)
def test_055_range_proper_superset4(self):
"""Nodecon query with context range proper superset match (equal high)"""
q = NodeconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True)
nodecons = sorted(n.address for n in q.results())
self.assertListEqual(["10.1.55.1"], nodecons)
def test_100_v4network_equal(self):
"""Nodecon query with IPv4 equal network"""
if sys.version_info < (3, 3):

66
tests/portconquery.conf
View File

@ -56,8 +56,12 @@ inherits infoflow
sensitivity s0;
sensitivity s1;
sensitivity s2;
sensitivity s3;
sensitivity s4;
sensitivity s5;
sensitivity s6;
dominance { s0 s1 s2 }
dominance { s0 s1 s2 s3 s4 s5 s6 }
category c0;
category c1;
@ -69,6 +73,10 @@ category c4;
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
level s3:c0.c4;
level s4:c0.c4;
level s5:c0.c4;
level s6:c0.c4;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
@ -98,7 +106,7 @@ role system types { type30 type31a type31b type31c };
allow system self:infoflow hi_w;
#users
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4;
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s6:c0.c4;
user user10 roles system level s0 range s0 - s2:c0.c4;
user user11a roles system level s0 range s0 - s2:c0.c4;
user user11b roles system level s0 range s0 - s2:c0.c4;
@ -190,6 +198,60 @@ portcon tcp 31 system:system:type31a:s0:c0.c1
portcon tcp 31000 system:system:type31b:s0:c0.c1
portcon tcp 31001 system:system:type31c:s0:c0.c1
# test 40:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: equal
portcon tcp 40 system:system:system:s0:c1 - s0:c0.c4
# test 41:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: overlap
portcon tcp 41 system:system:system:s1:c1 - s1:c1.c3
# test 42:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: subset
portcon tcp 42 system:system:system:s2:c1 - s2:c1.c3
# test 43:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: superset
portcon tcp 43 system:system:system:s3:c1 - s3:c1.c3
# test 44:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: proper subset
portcon tcp 44 system:system:system:s4:c1 - s4:c1.c3
# test 45:
# protocol: unset
# ports: unset
# user: unset
# role: unset
# type: unset
# range: proper superset
portcon tcp 45 system:system:system:s5:c1 - s5:c1.c3
# test 50:
# protocol: unset
# ports: (50, 50)

126
tests/portconquery.py
View File

@ -86,6 +86,132 @@ class PortconQueryTest(unittest.TestCase):
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(31000, 31000), (31001, 31001)], ports)
def test_040_range_exact(self):
"""Portcon query with context range exact match"""
q = PortconQuery(self.p, range_="s0:c1 - s0:c0.c4")
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(40, 40)], ports)
def test_041_range_overlap1(self):
"""Portcon query with context range overlap match (equal)"""
q = PortconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(41, 41)], ports)
def test_041_range_overlap2(self):
"""Portcon query with context range overlap match (subset)"""
q = PortconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(41, 41)], ports)
def test_041_range_overlap3(self):
"""Portcon query with context range overlap match (superset)"""
q = PortconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(41, 41)], ports)
def test_041_range_overlap4(self):
"""Portcon query with context range overlap match (overlap low level)"""
q = PortconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(41, 41)], ports)
def test_041_range_overlap5(self):
"""Portcon query with context range overlap match (overlap high level)"""
q = PortconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(41, 41)], ports)
def test_042_range_subset1(self):
"""Portcon query with context range subset match"""
q = PortconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(42, 42)], ports)
def test_042_range_subset2(self):
"""Portcon query with context range subset match (equal)"""
q = PortconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(42, 42)], ports)
def test_043_range_superset1(self):
"""Portcon query with context range superset match"""
q = PortconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(43, 43)], ports)
def test_043_range_superset2(self):
"""Portcon query with context range superset match (equal)"""
q = PortconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(43, 43)], ports)
def test_044_range_proper_subset1(self):
"""Portcon query with context range proper subset match"""
q = PortconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(44, 44)], ports)
def test_044_range_proper_subset2(self):
"""Portcon query with context range proper subset match (equal)"""
q = PortconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([], ports)
def test_044_range_proper_subset3(self):
"""Portcon query with context range proper subset match (equal low only)"""
q = PortconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(44, 44)], ports)
def test_044_range_proper_subset4(self):
"""Portcon query with context range proper subset match (equal high only)"""
q = PortconQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(44, 44)], ports)
def test_045_range_proper_superset1(self):
"""Portcon query with context range proper superset match"""
q = PortconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(45, 45)], ports)
def test_045_range_proper_superset2(self):
"""Portcon query with context range proper superset match (equal)"""
q = PortconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([], ports)
def test_045_range_proper_superset3(self):
"""Portcon query with context range proper superset match (equal low)"""
q = PortconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(45, 45)], ports)
def test_045_range_proper_superset4(self):
"""Portcon query with context range proper superset match (equal high)"""
q = PortconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True)
ports = sorted(p.ports for p in q.results())
self.assertListEqual([(45, 45)], ports)
def test_050_single_equal(self):
"""Portcon query with single port exact match"""
q = PortconQuery(self.p, ports=(50, 50))