diff --git a/tests/__init__.py b/tests/__init__.py index 56bc01a..d70a651 100644 --- a/tests/__init__.py +++ b/tests/__init__.py @@ -18,6 +18,7 @@ import boolquery import commonquery import dta +import initsidquery import objclassquery import polcapquery import permissivequery diff --git a/tests/initsidquery.conf b/tests/initsidquery.conf new file mode 100644 index 0000000..59313cc --- /dev/null +++ b/tests/initsidquery.conf @@ -0,0 +1,215 @@ +class infoflow +class infoflow2 +class infoflow3 +class infoflow4 +class infoflow5 +class infoflow6 +class infoflow7 + +sid test1 +sid test2a +sid test2b +sid test10 +sid test11a +sid test11b +sid test11c +sid test20 +sid test21a +sid test21b +sid test21c +sid test30 +sid test31a +sid test31b +sid test31c + +common infoflow +{ + low_w + med_w + hi_w + low_r + med_r + hi_r +} + +class infoflow +inherits infoflow + +class infoflow2 +inherits infoflow +{ + super_w + super_r +} + +class infoflow3 +{ + null +} + +class infoflow4 +inherits infoflow + +class infoflow5 +inherits infoflow + +class infoflow6 +inherits infoflow + +class infoflow7 +inherits infoflow +{ + super_w + super_r + super_none + super_both + super_unmapped +} + +sensitivity s0; +sensitivity s1; +sensitivity s2; + +dominance { s0 s1 s2 } + +category c0; +category c1; +category c2; +category c3; +category c4; + +#level decl +level s0:c0.c4; +level s1:c0.c4; +level s2:c0.c4; + +#some constraints +mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); + +attribute mls_exempt; + +type system; +role system; +role system types system; + +role role20_r; +role role21a_r; +role role21b_r; +role role21c_r; + +role role20_r types system; +role role21a_r types system; +role role21b_r types system; +role role21c_r types system; + +type type30; +type type31a; +type type31b; +type type31c; +role system types { type30 type31a type31b type31c }; + +allow system self:infoflow hi_w; + +#users +user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4; +user user10 roles system level s0 range s0 - s2:c0.c4; +user user11a roles system level s0 range s0 - s2:c0.c4; +user user11b roles system level s0 range s0 - s2:c0.c4; +user user11c roles system level s0 range s0 - s2:c0.c4; + +#normal constraints +constrain infoflow hi_w (u1 == u2); + +######################################### +# +# Initial SID query tests +# + +# test 1: +# name: test1, exact +# user: unset +# role: unset +# type: unset +# range: unset +sid test1 system:system:system:s0:c0.c4 + +# test 2: +# name: test2(a|b), regex +# user: unset +# role: unset +# type: unset +# range: unset +sid test2a system:system:system:s0:c0.c1 +sid test2b system:system:system:s0:c2.c4 + +# test 10: +# name: unset +# user: user10, exact +# role: unset +# type: unset +# range: unset +sid test10 user10:system:system:s0:c0.c1 + +# test 11: +# name: unset +# user: user11(a|b), regex +# role: unset +# type: unset +# range: unset +sid test11a user11a:system:system:s0:c0.c1 +sid test11b user11b:system:system:s0:c0.c1 +sid test11c user11c:system:system:s0:c0.c1 + +# test 20: +# name: unset +# user: unset +# role: role20_r, exact +# type: unset +# range: unset +sid test20 system:role20_r:system:s0:c0.c1 + +# test 21: +# name: unset +# user: unset +# role: role20(a|c)_r, regex +# type: unset +# range: unset +sid test21a system:role21a_r:system:s0:c0.c1 +sid test21b system:role21b_r:system:s0:c0.c1 +sid test21c system:role21c_r:system:s0:c0.c1 + +# test 30: +# name: unset +# user: unset +# role: unset +# type: type30 +# range: unset +sid test30 system:system:type30:s0:c0.c1 + +# test 31: +# name: unset +# user: unset +# role: unset +# type: type31(b|c) +# range: unset +sid test31a system:system:type31a:s0:c0.c1 +sid test31b system:system:type31b:s0:c0.c1 +sid test31c system:system:type31c:s0:c0.c1 + +#fs_use +fs_use_trans devpts system:object_r:system:s0; +fs_use_xattr ext3 system:object_r:system:s0; +fs_use_task pipefs system:object_r:system:s0; + +#genfscon +genfscon proc / system:object_r:system:s1 +genfscon proc /sys system:object_r:system:s0 +genfscon selinuxfs / system:object_r:system:s2:c0.c4 + +portcon tcp 80 system:object_r:system:s0 + +netifcon eth0 system:object_r:system:s0 system:object_r:system:s0 + +nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0 +nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0 + diff --git a/tests/initsidquery.py b/tests/initsidquery.py new file mode 100644 index 0000000..a7eab34 --- /dev/null +++ b/tests/initsidquery.py @@ -0,0 +1,95 @@ +# Copyright 2014, Tresys Technology, LLC +# +# This file is part of SETools. +# +# SETools is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 2 of the License, or +# (at your option) any later version. +# +# SETools is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with SETools. If not, see . +# +import unittest + +from libapol import SELinuxPolicy +from libapol.initsidquery import InitialSIDQuery + + +class InitialSIDQueryTest(unittest.TestCase): + + def setUp(self): + self.p = SELinuxPolicy("tests/initsidquery.conf") + + def test_000_unset(self): + """Initial SID query with no criteria""" + # query with no parameters gets all SIDs. + for numrules, s in enumerate(self.p.initialsids(), start=1): + pass + + q = InitialSIDQuery(self.p) + for q_numrules, s in enumerate(q.results(), start=1): + pass + + self.assertEqual(numrules, q_numrules) + + def test_001_name_exact(self): + """Initial SID query with exact match""" + q = InitialSIDQuery(self.p, name="test1", name_regex=False) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test1"], sids) + + def test_002_name_regex(self): + """Initial SID query with regex match""" + q = InitialSIDQuery(self.p, name="test2(a|b)", name_regex=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test2a", "test2b"], sids) + + def test_010_user_exact(self): + """Initial SID query with context user exact match""" + q = InitialSIDQuery(self.p, user="user10", user_regex=False) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test10"], sids) + + def test_011_user_regex(self): + """Initial SID query with context user regex match""" + q = InitialSIDQuery(self.p, user="user11(a|b)", user_regex=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test11a", "test11b"], sids) + + def test_020_role_exact(self): + """Initial SID query with context role exact match""" + q = InitialSIDQuery(self.p, role="role20_r", role_regex=False) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test20"], sids) + + def test_021_role_regex(self): + """Initial SID query with context role regex match""" + q = InitialSIDQuery(self.p, role="role21(a|c)_r", role_regex=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test21a", "test21c"], sids) + + def test_030_type_exact(self): + """Initial SID query with context type exact match""" + q = InitialSIDQuery(self.p, type_="type30", type_regex=False) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test30"], sids) + + def test_031_type_regex(self): + """Initial SID query with context type regex match""" + q = InitialSIDQuery(self.p, type_="type31(b|c)", type_regex=True) + + sids = sorted(str(s) for s in q.results()) + self.assertListEqual(["test31b", "test31c"], sids)