mirror of
https://github.com/SELinuxProject/setools
synced 2025-04-27 05:39:29 +00:00
ab4cce4fb9
The same class can be used for both ioctl and nlmsg extended permissions. Rename the current class and mark IoctlSet as deprecated. Signed-off-by: Thiébaud Weksteen <tweek@google.com>
2889 lines
125 KiB
Python
2889 lines
125 KiB
Python
# Copyright 2015-2016, Tresys Technology, LLC
|
|
# Copyright 2016, 2017, Chris PeBenito <pebenito@ieee.org>
|
|
#
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
#
|
|
from dataclasses import astuple
|
|
from ipaddress import IPv6Address, IPv4Network, IPv6Network
|
|
|
|
import pytest
|
|
import setools
|
|
from setools import PolicyDifference, PortconProtocol, PortconRange
|
|
from setools import BoundsRuletype as BRT
|
|
from setools import ConstraintRuletype as CRT
|
|
from setools import DefaultRuletype as DRT
|
|
from setools import DefaultRangeValue as DRV
|
|
from setools import DefaultValue as DV
|
|
from setools import FSUseRuletype as FSURT
|
|
from setools import MLSRuletype as MRT
|
|
from setools import RBACRuletype as RRT
|
|
from setools import TERuletype as TRT
|
|
|
|
from . import util
|
|
|
|
|
|
@pytest.fixture(scope="class")
|
|
def analysis(policy_pair: tuple[setools.SELinuxPolicy, setools.SELinuxPolicy]) -> PolicyDifference:
|
|
return PolicyDifference(*policy_pair)
|
|
|
|
|
|
@pytest.mark.obj_args("tests/library/diff_left.conf", "tests/library/diff_right.conf")
|
|
class TestPolicyDifference:
|
|
|
|
"""Policy difference tests."""
|
|
|
|
#
|
|
# Types
|
|
#
|
|
def test_added_types(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added type"""
|
|
assert set(["added_type"]) == analysis.added_types
|
|
|
|
def test_removed_types(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified type"""
|
|
assert set(["removed_type"]) == analysis.removed_types
|
|
|
|
def test_modified_types_count(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: total modified types"""
|
|
assert 6 == len(analysis.modified_types)
|
|
|
|
def test_modified_types_remove_attr(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified type with removed attribute."""
|
|
# modified_remove_attr
|
|
analysis.modified_types.sort()
|
|
type_ = analysis.modified_types[4]
|
|
assert set(["an_attr"]) == type_.removed_attributes
|
|
assert not type_.added_attributes
|
|
assert not type_.matched_attributes
|
|
assert not type_.modified_permissive
|
|
assert not type_.permissive
|
|
assert not type_.added_aliases
|
|
assert not type_.removed_aliases
|
|
assert not type_.matched_aliases
|
|
|
|
def test_modified_types_remove_alias(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified type with removed alias."""
|
|
# modified_remove_alias
|
|
analysis.modified_types.sort()
|
|
type_ = analysis.modified_types[3]
|
|
assert set(["an_alias"]) == type_.removed_aliases
|
|
assert not type_.added_attributes
|
|
assert not type_.removed_attributes
|
|
assert not type_.matched_attributes
|
|
assert not type_.modified_permissive
|
|
assert not type_.permissive
|
|
assert not type_.added_aliases
|
|
assert not type_.matched_aliases
|
|
|
|
def test_modified_types_remove_permissive(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified type with removed permissve."""
|
|
# modified_remove_permissive
|
|
analysis.modified_types.sort()
|
|
type_ = analysis.modified_types[5]
|
|
assert not type_.added_attributes
|
|
assert not type_.removed_attributes
|
|
assert not type_.matched_attributes
|
|
assert type_.modified_permissive
|
|
assert type_.permissive
|
|
assert not type_.added_aliases
|
|
assert not type_.removed_aliases
|
|
assert not type_.matched_aliases
|
|
|
|
def test_modified_types_add_attr(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified type with added attribute."""
|
|
# modified_add_attr
|
|
analysis.modified_types.sort()
|
|
type_ = analysis.modified_types[1]
|
|
assert set(["an_attr"]) == type_.added_attributes
|
|
assert not type_.removed_attributes
|
|
assert not type_.matched_attributes
|
|
assert not type_.modified_permissive
|
|
assert not type_.permissive
|
|
assert not type_.added_aliases
|
|
assert not type_.removed_aliases
|
|
assert not type_.matched_aliases
|
|
|
|
def test_modified_types_add_alias(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified type with added alias."""
|
|
# modified_add_alias
|
|
analysis.modified_types.sort()
|
|
type_ = analysis.modified_types[0]
|
|
assert set(["an_alias"]) == type_.added_aliases
|
|
assert not type_.added_attributes
|
|
assert not type_.removed_attributes
|
|
assert not type_.matched_attributes
|
|
assert not type_.modified_permissive
|
|
assert not type_.permissive
|
|
assert not type_.removed_aliases
|
|
assert not type_.matched_aliases
|
|
|
|
def test_modified_types_add_permissive(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified type with added permissive."""
|
|
# modified_add_permissive
|
|
analysis.modified_types.sort()
|
|
type_ = analysis.modified_types[2]
|
|
assert not type_.added_attributes
|
|
assert not type_.removed_attributes
|
|
assert not type_.matched_attributes
|
|
assert type_.modified_permissive
|
|
assert not type_.permissive
|
|
assert not type_.added_aliases
|
|
assert not type_.removed_aliases
|
|
assert not type_.matched_aliases
|
|
|
|
#
|
|
# Roles
|
|
#
|
|
def test_added_role(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added role."""
|
|
assert set(["added_role"]) == analysis.added_roles
|
|
|
|
def test_removed_role(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed role."""
|
|
assert set(["removed_role"]) == analysis.removed_roles
|
|
|
|
def test_modified_role_count(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified role."""
|
|
assert 2 == len(analysis.modified_roles)
|
|
|
|
def test_modified_role_add_type(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified role with added type."""
|
|
# modified_add_type
|
|
analysis.modified_roles.sort()
|
|
assert set(["system"]) == analysis.modified_roles[0].added_types
|
|
assert not analysis.modified_roles[0].removed_types
|
|
|
|
def test_modified_role_remove_type(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified role with removed type."""
|
|
# modified_remove_type
|
|
analysis.modified_roles.sort()
|
|
assert set(["system"]) == analysis.modified_roles[1].removed_types
|
|
assert not analysis.modified_roles[1].added_types
|
|
|
|
#
|
|
# Commons
|
|
#
|
|
def test_added_common(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added common."""
|
|
assert set(["added_common"]) == analysis.added_commons
|
|
|
|
def test_removed_common(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed common."""
|
|
assert set(["removed_common"]) == analysis.removed_commons
|
|
|
|
def test_modified_common_count(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified common count."""
|
|
assert 2 == len(analysis.modified_commons)
|
|
|
|
def test_modified_common_add_perm(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified common with added perm."""
|
|
# modified_add_perm
|
|
analysis.modified_commons.sort()
|
|
assert set(["added_perm"]) == analysis.modified_commons[0].added_perms
|
|
assert not analysis.modified_commons[0].removed_perms
|
|
|
|
def test_modified_common_remove_perm(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified common with removed perm."""
|
|
# modified_remove_perm
|
|
analysis.modified_commons.sort()
|
|
assert set(["removed_perm"]) == analysis.modified_commons[1].removed_perms
|
|
assert not analysis.modified_commons[1].added_perms
|
|
|
|
#
|
|
# Classes
|
|
#
|
|
def test_added_class(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added class."""
|
|
assert set(["added_class"]) == analysis.added_classes
|
|
|
|
def test_removed_class(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed class."""
|
|
assert set(["removed_class"]) == analysis.removed_classes
|
|
|
|
def test_modified_class_count(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified class count."""
|
|
assert 3 == len(analysis.modified_classes)
|
|
|
|
def test_modified_class_add_perm(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified class with added perm."""
|
|
# modified_add_perm
|
|
analysis.modified_classes.sort()
|
|
assert set(["added_perm"]) == analysis.modified_classes[0].added_perms
|
|
assert not analysis.modified_classes[0].removed_perms
|
|
|
|
def test_modified_class_remove_perm(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified class with removed perm."""
|
|
# modified_remove_perm
|
|
analysis.modified_classes.sort()
|
|
assert set(["removed_perm"]) == analysis.modified_classes[2].removed_perms
|
|
assert not analysis.modified_classes[2].added_perms
|
|
|
|
def test_modified_class_change_common(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified class due to modified common."""
|
|
# modified_change_common
|
|
analysis.modified_classes.sort()
|
|
assert set(["old_com"]) == analysis.modified_classes[1].removed_perms
|
|
assert set(["new_com"]) == analysis.modified_classes[1].added_perms
|
|
|
|
#
|
|
# Allow rules
|
|
#
|
|
def test_added_allow_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added allow rules."""
|
|
rules = sorted(analysis.added_allows)
|
|
assert 5 == len(rules)
|
|
|
|
# added rule with existing types
|
|
util.validate_rule(rules[0], TRT.allow, "added_rule_source", "added_rule_target",
|
|
tclass="infoflow", perms=set(["med_w"]))
|
|
|
|
# added rule with new type
|
|
util.validate_rule(rules[1], TRT.allow, "added_type", "added_type", tclass="infoflow2",
|
|
perms=set(["med_w"]))
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[2], TRT.allow, "move_from_bool", "move_from_bool",
|
|
tclass="infoflow4", perms=set(["hi_r"]))
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[3], TRT.allow, "move_to_bool", "move_to_bool",
|
|
tclass="infoflow4", perms=set(["hi_w"]), cond="move_to_bool_b",
|
|
cond_block=True)
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[4], TRT.allow, "system", "switch_block", tclass="infoflow6",
|
|
perms=set(["hi_r"]), cond="switch_block_b", cond_block=False)
|
|
|
|
def test_removed_allow_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed allow rules."""
|
|
rules = sorted(analysis.removed_allows)
|
|
assert 5 == len(rules)
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[0], TRT.allow, "move_from_bool", "move_from_bool",
|
|
tclass="infoflow4", perms=set(["hi_r"]), cond="move_from_bool_b",
|
|
cond_block=True)
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[1], TRT.allow, "move_to_bool", "move_to_bool", tclass="infoflow4",
|
|
perms=set(["hi_w"]))
|
|
|
|
# removed rule with existing types
|
|
util.validate_rule(rules[2], TRT.allow, "removed_rule_source", "removed_rule_target",
|
|
tclass="infoflow", perms=set(["hi_r"]))
|
|
|
|
# removed rule with new type
|
|
util.validate_rule(rules[3], TRT.allow, "removed_type", "removed_type", tclass="infoflow3",
|
|
perms=set(["null"]))
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[4], TRT.allow, "system", "switch_block", tclass="infoflow6",
|
|
perms=set(["hi_r"]), cond="switch_block_b", cond_block=True)
|
|
|
|
def test_modified_allow_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified allow rules."""
|
|
lst = sorted(analysis.modified_allows, key=lambda x: x.rule)
|
|
assert 3 == len(lst)
|
|
|
|
# add permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[0])
|
|
assert TRT.allow == rule.ruletype
|
|
assert "modified_rule_add_perms" == rule.source
|
|
assert "modified_rule_add_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert set(["hi_w"]) == added_perms
|
|
assert not removed_perms
|
|
assert set(["hi_r"]) == matched_perms
|
|
|
|
# add and remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[1])
|
|
assert TRT.allow == rule.ruletype
|
|
assert "modified_rule_add_remove_perms" == rule.source
|
|
assert "modified_rule_add_remove_perms" == rule.target
|
|
assert "infoflow2" == rule.tclass
|
|
assert set(["super_r"]) == added_perms
|
|
assert set(["super_w"]) == removed_perms
|
|
assert set(["low_w"]) == matched_perms
|
|
|
|
# remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[2])
|
|
assert TRT.allow == rule.ruletype
|
|
assert "modified_rule_remove_perms" == rule.source
|
|
assert "modified_rule_remove_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert not added_perms
|
|
assert set(["low_r"]) == removed_perms
|
|
assert set(["low_w"]) == matched_perms
|
|
|
|
#
|
|
# Auditallow rules
|
|
#
|
|
def test_added_auditallow_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added auditallow rules."""
|
|
rules = sorted(analysis.added_auditallows)
|
|
assert 5 == len(rules)
|
|
|
|
# added rule with existing types
|
|
util.validate_rule(rules[0], TRT.auditallow, "aa_added_rule_source",
|
|
"aa_added_rule_target", tclass="infoflow", perms=set(["med_w"]))
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[1], TRT.auditallow, "aa_move_from_bool", "aa_move_from_bool",
|
|
tclass="infoflow4", perms=set(["hi_r"]))
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[2], TRT.auditallow, "aa_move_to_bool", "aa_move_to_bool",
|
|
tclass="infoflow4", perms=set(["hi_w"]), cond="aa_move_to_bool_b",
|
|
cond_block=True)
|
|
|
|
# added rule with new type
|
|
util.validate_rule(rules[3], TRT.auditallow, "added_type", "added_type", tclass="infoflow7",
|
|
perms=set(["super_none"]))
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block",
|
|
tclass="infoflow6", perms=set(["hi_r"]), cond="aa_switch_block_b",
|
|
cond_block=False)
|
|
|
|
def test_removed_auditallow_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed auditallow rules."""
|
|
rules = sorted(analysis.removed_auditallows)
|
|
assert 5 == len(rules)
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[0], TRT.auditallow, "aa_move_from_bool", "aa_move_from_bool",
|
|
tclass="infoflow4", perms=set(["hi_r"]), cond="aa_move_from_bool_b",
|
|
cond_block=True)
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[1], TRT.auditallow, "aa_move_to_bool", "aa_move_to_bool",
|
|
tclass="infoflow4", perms=set(["hi_w"]))
|
|
|
|
# removed rule with existing types
|
|
util.validate_rule(rules[2], TRT.auditallow, "aa_removed_rule_source",
|
|
"aa_removed_rule_target", tclass="infoflow", perms=set(["hi_r"]))
|
|
|
|
# removed rule with new type
|
|
util.validate_rule(rules[3], TRT.auditallow, "removed_type", "removed_type",
|
|
tclass="infoflow7", perms=set(["super_unmapped"]))
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block",
|
|
tclass="infoflow6", perms=set(["hi_r"]), cond="aa_switch_block_b",
|
|
cond_block=True)
|
|
|
|
def test_modified_auditallow_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified auditallow rules."""
|
|
lst = sorted(analysis.modified_auditallows, key=lambda x: x.rule)
|
|
assert 3 == len(lst)
|
|
|
|
# add permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[0])
|
|
assert TRT.auditallow == rule.ruletype
|
|
assert "aa_modified_rule_add_perms" == rule.source
|
|
assert "aa_modified_rule_add_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert set(["hi_w"]) == added_perms
|
|
assert not removed_perms
|
|
assert set(["hi_r"]) == matched_perms
|
|
|
|
# add and remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[1])
|
|
assert TRT.auditallow == rule.ruletype
|
|
assert "aa_modified_rule_add_remove_perms" == rule.source
|
|
assert "aa_modified_rule_add_remove_perms" == rule.target
|
|
assert "infoflow2" == rule.tclass
|
|
assert set(["super_r"]) == added_perms
|
|
assert set(["super_w"]) == removed_perms
|
|
assert set(["low_w"]) == matched_perms
|
|
|
|
# remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[2])
|
|
assert TRT.auditallow == rule.ruletype
|
|
assert "aa_modified_rule_remove_perms" == rule.source
|
|
assert "aa_modified_rule_remove_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert not added_perms
|
|
assert set(["low_r"]) == removed_perms
|
|
assert set(["low_w"]) == matched_perms
|
|
|
|
#
|
|
# Dontaudit rules
|
|
#
|
|
def test_added_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added dontaudit rules."""
|
|
rules = sorted(analysis.added_dontaudits)
|
|
assert 5 == len(rules)
|
|
|
|
# added rule with new type
|
|
util.validate_rule(rules[0], TRT.dontaudit, "added_type", "added_type", tclass="infoflow7",
|
|
perms=set(["super_none"]))
|
|
|
|
# added rule with existing types
|
|
util.validate_rule(rules[1], TRT.dontaudit, "da_added_rule_source", "da_added_rule_target",
|
|
tclass="infoflow", perms=set(["med_w"]))
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[2], TRT.dontaudit, "da_move_from_bool", "da_move_from_bool",
|
|
tclass="infoflow4", perms=set(["hi_r"]))
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[3], TRT.dontaudit, "da_move_to_bool", "da_move_to_bool",
|
|
tclass="infoflow4", perms=set(["hi_w"]), cond="da_move_to_bool_b",
|
|
cond_block=True)
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block",
|
|
tclass="infoflow6", perms=set(["hi_r"]), cond="da_switch_block_b",
|
|
cond_block=False)
|
|
|
|
def test_removed_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed dontaudit rules."""
|
|
rules = sorted(analysis.removed_dontaudits)
|
|
assert 5 == len(rules)
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[0], TRT.dontaudit, "da_move_from_bool", "da_move_from_bool",
|
|
tclass="infoflow4", perms=set(["hi_r"]), cond="da_move_from_bool_b",
|
|
cond_block=True)
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[1], TRT.dontaudit, "da_move_to_bool", "da_move_to_bool",
|
|
tclass="infoflow4", perms=set(["hi_w"]))
|
|
|
|
# removed rule with existing types
|
|
util.validate_rule(rules[2], TRT.dontaudit, "da_removed_rule_source",
|
|
"da_removed_rule_target", tclass="infoflow", perms=set(["hi_r"]))
|
|
|
|
# removed rule with new type
|
|
util.validate_rule(rules[3], TRT.dontaudit, "removed_type", "removed_type",
|
|
tclass="infoflow7", perms=set(["super_both"]))
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block",
|
|
tclass="infoflow6", perms=set(["hi_r"]), cond="da_switch_block_b",
|
|
cond_block=True)
|
|
|
|
def test_modified_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified dontaudit rules."""
|
|
lst = sorted(analysis.modified_dontaudits, key=lambda x: x.rule)
|
|
assert 3 == len(lst)
|
|
|
|
# add permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[0])
|
|
assert TRT.dontaudit == rule.ruletype
|
|
assert "da_modified_rule_add_perms" == rule.source
|
|
assert "da_modified_rule_add_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert set(["hi_w"]) == added_perms
|
|
assert not removed_perms
|
|
assert set(["hi_r"]) == matched_perms
|
|
|
|
# add and remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[1])
|
|
assert TRT.dontaudit == rule.ruletype
|
|
assert "da_modified_rule_add_remove_perms" == rule.source
|
|
assert "da_modified_rule_add_remove_perms" == rule.target
|
|
assert "infoflow2" == rule.tclass
|
|
assert set(["super_r"]) == added_perms
|
|
assert set(["super_w"]) == removed_perms
|
|
assert set(["low_w"]) == matched_perms
|
|
|
|
# remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[2])
|
|
assert TRT.dontaudit == rule.ruletype
|
|
assert "da_modified_rule_remove_perms" == rule.source
|
|
assert "da_modified_rule_remove_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert not added_perms
|
|
assert set(["low_r"]) == removed_perms
|
|
assert set(["low_w"]) == matched_perms
|
|
|
|
#
|
|
# Neverallow rules
|
|
#
|
|
def test_added_neverallow_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added neverallow rules."""
|
|
assert not analysis.added_neverallows
|
|
# changed after dropping source policy support
|
|
|
|
# rules = sorted(analysis.added_neverallows)
|
|
# assert 2 == len(rules)
|
|
|
|
# added rule with new type
|
|
# util.validate_rule(rules[0], TRT.neverallow, "added_type", "added_type", "added_class",
|
|
# set(["new_class_perm"]))
|
|
|
|
# added rule with existing types
|
|
# util.validate_rule(rules[1], TRT.neverallow, "na_added_rule_source",
|
|
# "na_added_rule_target", "infoflow", set(["med_w"]))
|
|
|
|
def test_removed_neverallow_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed neverallow rules."""
|
|
assert not analysis.removed_neverallows
|
|
# changed after dropping source policy support
|
|
# rules = sorted(analysis.removed_neverallows)
|
|
# assert 2 == len(rules)
|
|
|
|
# removed rule with existing types
|
|
# util.validate_rule(rules[0], TRT.neverallow, "na_removed_rule_source",
|
|
# "na_removed_rule_target", "infoflow", set(["hi_r"]))
|
|
|
|
# removed rule with new type
|
|
# util.validate_rule(rules[1], TRT.neverallow, "removed_type", "removed_type",
|
|
# "removed_class", set(["null_perm"]))
|
|
|
|
def test_modified_neverallow_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified neverallow rules."""
|
|
# changed after dropping source policy support
|
|
assert not analysis.modified_neverallows
|
|
# l = sorted(analysis.modified_neverallows, key=lambda x: x.rule)
|
|
# assert 3 == len(l)
|
|
#
|
|
# # add permissions
|
|
# rule, added_perms, removed_perms, matched_perms = l[0]
|
|
# assert TRT.neverallow == rule.ruletype
|
|
# assert "na_modified_rule_add_perms" == rule.source
|
|
# assert "na_modified_rule_add_perms" == rule.target
|
|
# assert "infoflow" == rule.tclass
|
|
# assert set(["hi_w"]) == added_perms
|
|
# assert not removed_perms
|
|
# assert set(["hi_r"]) == matched_perms
|
|
#
|
|
# # add and remove permissions
|
|
# rule, added_perms, removed_perms, matched_perms = l[1]
|
|
# assert TRT.neverallow == rule.ruletype
|
|
# assert "na_modified_rule_add_remove_perms" == rule.source
|
|
# assert "na_modified_rule_add_remove_perms" == rule.target
|
|
# assert "infoflow2" == rule.tclass
|
|
# assert set(["super_r"]) == added_perms
|
|
# assert set(["super_w"]) == removed_perms
|
|
# assert set(["low_w"]) == matched_perms
|
|
#
|
|
# # remove permissions
|
|
# rule, added_perms, removed_perms, matched_perms = l[2]
|
|
# assert TRT.neverallow == rule.ruletype
|
|
# assert "na_modified_rule_remove_perms" == rule.source
|
|
# assert "na_modified_rule_remove_perms" == rule.target
|
|
# assert "infoflow" == rule.tclass
|
|
# assert not added_perms
|
|
# assert set(["low_r"]) == removed_perms
|
|
# assert set(["low_w"]) == matched_perms
|
|
|
|
#
|
|
# Type_transition rules
|
|
#
|
|
def test_added_type_transition_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added type_transition rules."""
|
|
rules = sorted(analysis.added_type_transitions)
|
|
assert 5 == len(rules)
|
|
|
|
# added rule with new type
|
|
util.validate_rule(rules[0], TRT.type_transition, "added_type", "system",
|
|
tclass="infoflow4", default="system")
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[1], TRT.type_transition, "system", "tt_switch_block",
|
|
tclass="infoflow6", default="system", cond="tt_switch_block_b",
|
|
cond_block=False)
|
|
|
|
# added rule with existing types
|
|
util.validate_rule(rules[2], TRT.type_transition, "tt_added_rule_source",
|
|
"tt_added_rule_target", tclass="infoflow", default="system")
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[3], TRT.type_transition, "tt_move_from_bool", "system",
|
|
tclass="infoflow4", default="system")
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[4], TRT.type_transition, "tt_move_to_bool", "system",
|
|
tclass="infoflow3", default="system", cond="tt_move_to_bool_b",
|
|
cond_block=True)
|
|
|
|
def test_removed_type_transition_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed type_transition rules."""
|
|
rules = sorted(analysis.removed_type_transitions)
|
|
assert 5 == len(rules)
|
|
|
|
# removed rule with new type
|
|
util.validate_rule(rules[0], TRT.type_transition, "removed_type", "system",
|
|
tclass="infoflow4", default="system")
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[1], TRT.type_transition, "system", "tt_switch_block",
|
|
tclass="infoflow6", default="system", cond="tt_switch_block_b",
|
|
cond_block=True)
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[2], TRT.type_transition, "tt_move_from_bool", "system",
|
|
tclass="infoflow4", default="system", cond="tt_move_from_bool_b",
|
|
cond_block=True)
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[3], TRT.type_transition, "tt_move_to_bool", "system",
|
|
tclass="infoflow3", default="system")
|
|
|
|
# removed rule with existing types
|
|
util.validate_rule(rules[4], TRT.type_transition, "tt_removed_rule_source",
|
|
"tt_removed_rule_target", tclass="infoflow", default="system")
|
|
|
|
def test_modified_type_transition_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified type_transition rules."""
|
|
lst = sorted(analysis.modified_type_transitions, key=lambda x: x.rule)
|
|
assert 1 == len(lst)
|
|
|
|
rule, added_default, removed_default = astuple(lst[0])
|
|
assert TRT.type_transition == rule.ruletype
|
|
assert "tt_matched_source" == rule.source
|
|
assert "system" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert "tt_new_type" == added_default
|
|
assert "tt_old_type" == removed_default
|
|
|
|
#
|
|
# Type_change rules
|
|
#
|
|
def test_added_type_change_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added type_change rules."""
|
|
rules = sorted(analysis.added_type_changes)
|
|
assert 5 == len(rules)
|
|
|
|
# added rule with new type
|
|
util.validate_rule(rules[0], TRT.type_change, "added_type", "system", tclass="infoflow4",
|
|
default="system")
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[1], TRT.type_change, "system", "tc_switch_block",
|
|
tclass="infoflow6", default="system", cond="tc_switch_block_b",
|
|
cond_block=False)
|
|
|
|
# added rule with existing types
|
|
util.validate_rule(rules[2], TRT.type_change, "tc_added_rule_source",
|
|
"tc_added_rule_target", tclass="infoflow", default="system")
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[3], TRT.type_change, "tc_move_from_bool", "system",
|
|
tclass="infoflow4", default="system")
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[4], TRT.type_change, "tc_move_to_bool", "system",
|
|
tclass="infoflow3", default="system", cond="tc_move_to_bool_b",
|
|
cond_block=True)
|
|
|
|
def test_removed_type_change_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed type_change rules."""
|
|
rules = sorted(analysis.removed_type_changes)
|
|
assert 5 == len(rules)
|
|
|
|
# removed rule with new type
|
|
util.validate_rule(rules[0], TRT.type_change, "removed_type", "system", tclass="infoflow4",
|
|
default="system")
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[1], TRT.type_change, "system", "tc_switch_block",
|
|
tclass="infoflow6", default="system", cond="tc_switch_block_b",
|
|
cond_block=True)
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[2], TRT.type_change, "tc_move_from_bool", "system",
|
|
tclass="infoflow4", default="system", cond="tc_move_from_bool_b",
|
|
cond_block=True)
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[3], TRT.type_change, "tc_move_to_bool", "system",
|
|
tclass="infoflow3", default="system")
|
|
|
|
# removed rule with existing types
|
|
util.validate_rule(rules[4], TRT.type_change, "tc_removed_rule_source",
|
|
"tc_removed_rule_target", tclass="infoflow", default="system")
|
|
|
|
def test_modified_type_change_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified type_change rules."""
|
|
lst = sorted(analysis.modified_type_changes, key=lambda x: x.rule)
|
|
assert 1 == len(lst)
|
|
|
|
rule, added_default, removed_default = astuple(lst[0])
|
|
assert TRT.type_change == rule.ruletype
|
|
assert "tc_matched_source" == rule.source
|
|
assert "system" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert "tc_new_type" == added_default
|
|
assert "tc_old_type" == removed_default
|
|
|
|
#
|
|
# Type_member rules
|
|
#
|
|
def test_added_type_member_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added type_member rules."""
|
|
rules = sorted(analysis.added_type_members)
|
|
assert 5 == len(rules)
|
|
|
|
# added rule with new type
|
|
util.validate_rule(rules[0], TRT.type_member, "added_type", "system", tclass="infoflow4",
|
|
default="system")
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[1], TRT.type_member, "system", "tm_switch_block",
|
|
tclass="infoflow6", default="system", cond="tm_switch_block_b",
|
|
cond_block=False)
|
|
|
|
# added rule with existing types
|
|
util.validate_rule(rules[2], TRT.type_member, "tm_added_rule_source",
|
|
"tm_added_rule_target", tclass="infoflow", default="system")
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[3], TRT.type_member, "tm_move_from_bool", "system",
|
|
tclass="infoflow4", default="system")
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[4], TRT.type_member, "tm_move_to_bool", "system",
|
|
tclass="infoflow3", default="system", cond="tm_move_to_bool_b",
|
|
cond_block=True)
|
|
|
|
def test_removed_type_member_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed type_member rules."""
|
|
rules = sorted(analysis.removed_type_members)
|
|
assert 5 == len(rules)
|
|
|
|
# removed rule with new type
|
|
util.validate_rule(rules[0], TRT.type_member, "removed_type", "system", tclass="infoflow4",
|
|
default="system")
|
|
|
|
# rule moved from one conditional block to another (true to false)
|
|
util.validate_rule(rules[1], TRT.type_member, "system", "tm_switch_block",
|
|
tclass="infoflow6", default="system", cond="tm_switch_block_b",
|
|
cond_block=True)
|
|
|
|
# rule moved out of a conditional
|
|
util.validate_rule(rules[2], TRT.type_member, "tm_move_from_bool", "system",
|
|
tclass="infoflow4", default="system", cond="tm_move_from_bool_b",
|
|
cond_block=True)
|
|
|
|
# rule moved into a conditional
|
|
util.validate_rule(rules[3], TRT.type_member, "tm_move_to_bool", "system",
|
|
tclass="infoflow3", default="system")
|
|
|
|
# removed rule with existing types
|
|
util.validate_rule(rules[4], TRT.type_member, "tm_removed_rule_source",
|
|
"tm_removed_rule_target", tclass="infoflow", default="system")
|
|
|
|
def test_modified_type_member_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified type_member rules."""
|
|
lst = sorted(analysis.modified_type_members, key=lambda x: x.rule)
|
|
assert 1 == len(lst)
|
|
|
|
rule, added_default, removed_default = astuple(lst[0])
|
|
assert TRT.type_member == rule.ruletype
|
|
assert "tm_matched_source" == rule.source
|
|
assert "system" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert "tm_new_type" == added_default
|
|
assert "tm_old_type" == removed_default
|
|
|
|
#
|
|
# Range_transition rules
|
|
#
|
|
def test_added_range_transition_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added range_transition rules."""
|
|
rules = sorted(analysis.added_range_transitions)
|
|
assert 2 == len(rules)
|
|
|
|
# added rule with new type
|
|
util.validate_rule(rules[0], MRT.range_transition, "added_type", "system",
|
|
tclass="infoflow4", default="s3")
|
|
|
|
# added rule with existing types
|
|
util.validate_rule(rules[1], MRT.range_transition, "rt_added_rule_source",
|
|
"rt_added_rule_target", tclass="infoflow", default="s3")
|
|
|
|
def test_removed_range_transition_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed range_transition rules."""
|
|
rules = sorted(analysis.removed_range_transitions)
|
|
assert 2 == len(rules)
|
|
|
|
# removed rule with new type
|
|
util.validate_rule(rules[0], MRT.range_transition, "removed_type", "system",
|
|
tclass="infoflow4", default="s1")
|
|
|
|
# removed rule with existing types
|
|
util.validate_rule(rules[1], MRT.range_transition, "rt_removed_rule_source",
|
|
"rt_removed_rule_target", tclass="infoflow", default="s1")
|
|
|
|
def test_modified_range_transition_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified range_transition rules."""
|
|
lst = sorted(analysis.modified_range_transitions, key=lambda x: x.rule)
|
|
assert 1 == len(lst)
|
|
|
|
rule, added_default, removed_default = astuple(lst[0])
|
|
assert MRT.range_transition == rule.ruletype
|
|
assert "rt_matched_source" == rule.source
|
|
assert "system" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert "s0:c0,c4 - s1:c0.c2,c4" == added_default
|
|
assert "s2:c0 - s3:c0.c2" == removed_default
|
|
|
|
#
|
|
# Role allow rules
|
|
#
|
|
def test_added_role_allow_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added role_allow rules."""
|
|
rules = sorted(analysis.added_role_allows)
|
|
assert 2 == len(rules)
|
|
|
|
# added rule with existing roles
|
|
assert RRT.allow == rules[0].ruletype
|
|
assert "added_role" == rules[0].source
|
|
assert "system" == rules[0].target
|
|
|
|
# added rule with new roles
|
|
assert RRT.allow == rules[1].ruletype
|
|
assert "added_rule_source_r" == rules[1].source
|
|
assert "added_rule_target_r" == rules[1].target
|
|
|
|
def test_removed_role_allow_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed role_allow rules."""
|
|
rules = sorted(analysis.removed_role_allows)
|
|
assert 2 == len(rules)
|
|
|
|
# removed rule with removed role
|
|
assert RRT.allow == rules[0].ruletype
|
|
assert "removed_role" == rules[0].source
|
|
assert "system" == rules[0].target
|
|
|
|
# removed rule with existing roles
|
|
assert RRT.allow == rules[1].ruletype
|
|
assert "removed_rule_source_r" == rules[1].source
|
|
assert "removed_rule_target_r" == rules[1].target
|
|
|
|
#
|
|
# Role_transition rules
|
|
#
|
|
def test_added_role_transition_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added role_transition rules."""
|
|
rules = sorted(analysis.added_role_transitions)
|
|
assert 2 == len(rules)
|
|
|
|
# added rule with new role
|
|
util.validate_rule(rules[0], RRT.role_transition, "added_role", "system",
|
|
tclass="infoflow4", default="system")
|
|
|
|
# added rule with existing roles
|
|
util.validate_rule(rules[1], RRT.role_transition, "role_tr_added_rule_source",
|
|
"role_tr_added_rule_target", tclass="infoflow6", default="system")
|
|
|
|
def test_removed_role_transition_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed role_transition rules."""
|
|
rules = sorted(analysis.removed_role_transitions)
|
|
assert 2 == len(rules)
|
|
|
|
# removed rule with new role
|
|
util.validate_rule(rules[0], RRT.role_transition, "removed_role", "system",
|
|
tclass="infoflow4", default="system")
|
|
|
|
# removed rule with existing roles
|
|
util.validate_rule(rules[1], RRT.role_transition, "role_tr_removed_rule_source",
|
|
"role_tr_removed_rule_target", tclass="infoflow5", default="system")
|
|
|
|
def test_modified_role_transition_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified role_transition rules."""
|
|
lst = sorted(analysis.modified_role_transitions, key=lambda x: x.rule)
|
|
assert 1 == len(lst)
|
|
|
|
rule, added_default, removed_default = astuple(lst[0])
|
|
assert RRT.role_transition == rule.ruletype
|
|
assert "role_tr_matched_source" == rule.source
|
|
assert "role_tr_matched_target" == rule.target
|
|
assert "infoflow3" == rule.tclass
|
|
assert "role_tr_new_role" == added_default
|
|
assert "role_tr_old_role" == removed_default
|
|
|
|
#
|
|
# Users
|
|
#
|
|
def test_added_user(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added user."""
|
|
assert set(["added_user"]) == analysis.added_users
|
|
|
|
def test_removed_user(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed user."""
|
|
assert set(["removed_user"]) == analysis.removed_users
|
|
|
|
def test_modified_user_count(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified user count."""
|
|
assert 4 == len(analysis.modified_users)
|
|
|
|
def test_modified_user_add_role(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified user with added role."""
|
|
# modified_add_role
|
|
analysis.modified_users.sort()
|
|
assert set(["added_role"]) == analysis.modified_users[0].added_roles
|
|
assert not analysis.modified_users[0].removed_roles
|
|
|
|
def test_modified_user_remove_role(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified user with removed role."""
|
|
# modified_remove_role
|
|
analysis.modified_users.sort()
|
|
assert set(["removed_role"]) == analysis.modified_users[3].removed_roles
|
|
assert not analysis.modified_users[3].added_roles
|
|
|
|
def test_modified_user_change_level(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified user due to modified default level."""
|
|
# modified_change_level
|
|
analysis.modified_users.sort()
|
|
assert "s2:c0" == analysis.modified_users[1].removed_level
|
|
assert "s2:c1" == analysis.modified_users[1].added_level
|
|
|
|
def test_modified_user_change_range(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified user due to modified range."""
|
|
# modified_change_range
|
|
analysis.modified_users.sort()
|
|
assert "s3:c1 - s3:c1.c3" == analysis.modified_users[2].removed_range
|
|
assert "s3:c1 - s3:c1.c4" == analysis.modified_users[2].added_range
|
|
|
|
#
|
|
# Type attributes
|
|
#
|
|
def test_added_type_attribute(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added type attribute."""
|
|
assert set(["added_attr"]) == analysis.added_type_attributes
|
|
|
|
def test_removed_type_attribute(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed type attribute."""
|
|
assert set(["removed_attr"]) == analysis.removed_type_attributes
|
|
|
|
def test_modified_type_attribute(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified type attribute."""
|
|
assert 1 == len(analysis.modified_type_attributes)
|
|
assert set(["modified_add_attr"]) == analysis.modified_type_attributes[0].added_types
|
|
assert set(["modified_remove_attr"]) == analysis.modified_type_attributes[0].removed_types
|
|
|
|
#
|
|
# Booleans
|
|
#
|
|
def test_added_boolean(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added boolean."""
|
|
assert set(["added_bool"]) == analysis.added_booleans
|
|
|
|
def test_removed_boolean(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed boolean."""
|
|
assert set(["removed_bool"]) == analysis.removed_booleans
|
|
|
|
def test_modified_boolean(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified boolean."""
|
|
assert 1 == len(analysis.modified_booleans)
|
|
assert analysis.modified_booleans[0].added_state
|
|
assert not analysis.modified_booleans[0].removed_state
|
|
|
|
#
|
|
# Categories
|
|
#
|
|
def test_added_category(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added category."""
|
|
assert set(["c6"]) == analysis.added_categories
|
|
|
|
def test_removed_category(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed category."""
|
|
assert set(["c5"]) == analysis.removed_categories
|
|
|
|
def test_modified_category(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified categories."""
|
|
assert 2 == len(analysis.modified_categories)
|
|
analysis.modified_categories.sort()
|
|
|
|
# add alias on c1
|
|
assert set(["foo"]) == analysis.modified_categories[1].added_aliases
|
|
assert not analysis.modified_categories[1].removed_aliases
|
|
|
|
# remove alias on c0
|
|
assert not analysis.modified_categories[0].added_aliases
|
|
assert set(["eggs"]) == analysis.modified_categories[0].removed_aliases
|
|
|
|
#
|
|
# Sensitivity
|
|
#
|
|
def test_added_sensitivities(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added sensitivities."""
|
|
assert set(["s46"]) == analysis.added_sensitivities
|
|
|
|
def test_removed_sensitivities(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed sensitivities."""
|
|
assert set(["s47"]) == analysis.removed_sensitivities
|
|
|
|
def test_modified_sensitivities(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified sensitivities."""
|
|
assert 2 == len(analysis.modified_sensitivities)
|
|
analysis.modified_sensitivities.sort()
|
|
|
|
# add alias to s1
|
|
assert set(["al4"]) == analysis.modified_sensitivities[1].added_aliases
|
|
assert not analysis.modified_sensitivities[1].removed_aliases
|
|
|
|
# remove alias from s0
|
|
assert not analysis.modified_sensitivities[0].added_aliases
|
|
assert set(["al2"]) == analysis.modified_sensitivities[0].removed_aliases
|
|
|
|
#
|
|
# Initial SIDs
|
|
#
|
|
def test_added_initialsids(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added initialsids."""
|
|
assert set(["file_labels"]) == analysis.added_initialsids
|
|
|
|
@pytest.mark.skip("Moved to PolicyDifferenceRmIsidTest.")
|
|
def test_removed_initialsids(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed initialsids."""
|
|
assert set(["removed_sid"]) == analysis.removed_initialsids
|
|
|
|
def test_modified_initialsids(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified initialsids."""
|
|
assert 1 == len(analysis.modified_initialsids)
|
|
assert "system:system:system:s0" == analysis.modified_initialsids[0].added_context
|
|
assert "removed_user:system:system:s0" == analysis.modified_initialsids[0].removed_context
|
|
|
|
#
|
|
# fs_use_*
|
|
#
|
|
def test_added_fs_uses(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added fs_uses."""
|
|
lst = sorted(analysis.added_fs_uses)
|
|
assert 1 == len(lst)
|
|
|
|
rule = lst[0]
|
|
assert FSURT.fs_use_xattr == rule.ruletype
|
|
assert "added_fsuse" == rule.fs
|
|
assert "system:object_r:system:s0" == rule.context
|
|
|
|
def test_removed_fs_uses(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed fs_uses."""
|
|
lst = sorted(analysis.removed_fs_uses)
|
|
assert 1 == len(lst)
|
|
|
|
rule = lst[0]
|
|
assert FSURT.fs_use_task == rule.ruletype
|
|
assert "removed_fsuse" == rule.fs
|
|
assert "system:object_r:system:s0" == rule.context
|
|
|
|
def test_modified_fs_uses(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified fs_uses."""
|
|
lst = sorted(analysis.modified_fs_uses, key=lambda x: x.rule)
|
|
assert 1 == len(lst)
|
|
|
|
rule, added_context, removed_context = astuple(lst[0])
|
|
assert FSURT.fs_use_trans == rule.ruletype
|
|
assert "modified_fsuse" == rule.fs
|
|
assert "added_user:object_r:system:s1" == added_context
|
|
assert "removed_user:object_r:system:s0" == removed_context
|
|
|
|
#
|
|
# genfscon
|
|
#
|
|
def test_added_genfscons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added genfscons."""
|
|
lst = sorted(analysis.added_genfscons)
|
|
assert 2 == len(lst)
|
|
|
|
rule = lst[0]
|
|
assert "added_genfs" == rule.fs
|
|
assert "/" == rule.path
|
|
assert "added_user:object_r:system:s0" == rule.context
|
|
|
|
rule = lst[1]
|
|
assert "change_path" == rule.fs
|
|
assert "/new" == rule.path
|
|
assert "system:object_r:system:s0" == rule.context
|
|
|
|
def test_removed_genfscons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed genfscons."""
|
|
lst = sorted(analysis.removed_genfscons)
|
|
assert 2 == len(lst)
|
|
|
|
rule = lst[0]
|
|
assert "change_path" == rule.fs
|
|
assert "/old" == rule.path
|
|
assert "system:object_r:system:s0" == rule.context
|
|
|
|
rule = lst[1]
|
|
assert "removed_genfs" == rule.fs
|
|
assert "/" == rule.path
|
|
assert "system:object_r:system:s0" == rule.context
|
|
|
|
def test_modified_genfscons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified genfscons."""
|
|
lst = sorted(analysis.modified_genfscons, key=lambda x: x.rule)
|
|
assert 1 == len(lst)
|
|
|
|
rule, added_context, removed_context = astuple(lst[0])
|
|
assert "modified_genfs" == rule.fs
|
|
assert "/" == rule.path
|
|
assert "added_user:object_r:system:s0" == added_context
|
|
assert "removed_user:object_r:system:s0" == removed_context
|
|
|
|
#
|
|
# level decl
|
|
#
|
|
def test_added_levels(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added levels."""
|
|
lst = sorted(analysis.added_levels)
|
|
assert 1 == len(lst)
|
|
assert "s46:c0.c4" == lst[0]
|
|
|
|
def test_removed_levels(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed levels."""
|
|
lst = sorted(analysis.removed_levels)
|
|
assert 1 == len(lst)
|
|
assert "s47:c0.c4" == lst[0]
|
|
|
|
def test_modified_levels(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified levels."""
|
|
lst = sorted(analysis.modified_levels)
|
|
assert 2 == len(lst)
|
|
|
|
level = lst[0]
|
|
assert "s40" == level.level.sensitivity
|
|
assert set(["c3"]) == level.added_categories
|
|
assert not level.removed_categories
|
|
|
|
level = lst[1]
|
|
assert "s41" == level.level.sensitivity
|
|
assert not level.added_categories
|
|
assert set(["c4"]) == level.removed_categories
|
|
|
|
#
|
|
# netifcon
|
|
#
|
|
def test_added_netifcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added netifcons."""
|
|
lst = sorted(analysis.added_netifcons)
|
|
assert 1 == len(lst)
|
|
|
|
rule = lst[0]
|
|
assert "added_netif" == rule.netif
|
|
assert "system:object_r:system:s0" == rule.context
|
|
assert "system:object_r:system:s0" == rule.packet
|
|
|
|
def test_removed_netifcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed netifcons."""
|
|
lst = sorted(analysis.removed_netifcons)
|
|
assert 1 == len(lst)
|
|
|
|
rule = lst[0]
|
|
assert "removed_netif" == rule.netif
|
|
assert "system:object_r:system:s0" == rule.context
|
|
assert "system:object_r:system:s0" == rule.packet
|
|
|
|
def test_modified_netifcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified netifcons."""
|
|
lst = sorted(analysis.modified_netifcons, key=lambda x: x.rule)
|
|
assert 3 == len(lst)
|
|
|
|
# modified both contexts
|
|
rule, added_context, removed_context, added_packet, removed_packet = astuple(lst[0])
|
|
assert "mod_both_netif" == rule.netif
|
|
assert "added_user:object_r:system:s0" == added_context
|
|
assert "removed_user:object_r:system:s0" == removed_context
|
|
assert "added_user:object_r:system:s0" == added_packet
|
|
assert "removed_user:object_r:system:s0" == removed_packet
|
|
|
|
# modified context
|
|
rule, added_context, removed_context, added_packet, removed_packet = astuple(lst[1])
|
|
assert "mod_ctx_netif" == rule.netif
|
|
assert "added_user:object_r:system:s0" == added_context
|
|
assert "removed_user:object_r:system:s0" == removed_context
|
|
assert added_packet is None
|
|
assert removed_packet is None
|
|
|
|
# modified packet context
|
|
rule, added_context, removed_context, added_packet, removed_packet = astuple(lst[2])
|
|
assert "mod_pkt_netif" == rule.netif
|
|
assert added_context is None
|
|
assert removed_context is None
|
|
assert "added_user:object_r:system:s0" == added_packet
|
|
assert "removed_user:object_r:system:s0" == removed_packet
|
|
|
|
#
|
|
# nodecons
|
|
#
|
|
def test_added_nodecons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added nodecons."""
|
|
lst = sorted(analysis.added_nodecons)
|
|
assert 4 == len(lst)
|
|
|
|
# new IPv4
|
|
nodecon = lst[0]
|
|
assert IPv4Network("124.0.0.0/8") == nodecon.network
|
|
|
|
# changed IPv4 netmask
|
|
nodecon = lst[1]
|
|
assert IPv4Network("125.0.0.0/16") == nodecon.network
|
|
|
|
# new IPv6
|
|
nodecon = lst[2]
|
|
assert IPv6Network("ff04::/62") == nodecon.network
|
|
|
|
# changed IPv6 netmask
|
|
nodecon = lst[3]
|
|
assert IPv6Network("ff05::/60") == nodecon.network
|
|
|
|
def test_removed_nodecons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed nodecons."""
|
|
lst = sorted(analysis.removed_nodecons)
|
|
assert 4 == len(lst)
|
|
|
|
# new IPv4
|
|
nodecon = lst[0]
|
|
assert IPv4Network("122.0.0.0/8") == nodecon.network
|
|
|
|
# changed IPv4 netmask
|
|
nodecon = lst[1]
|
|
assert IPv4Network("125.0.0.0/8") == nodecon.network
|
|
|
|
# new IPv6
|
|
nodecon = lst[2]
|
|
assert IPv6Network("ff02::/62") == nodecon.network
|
|
|
|
# changed IPv6 netmask
|
|
nodecon = lst[3]
|
|
assert IPv6Network("ff05::/62") == nodecon.network
|
|
|
|
def test_modified_nodecons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified nodecons."""
|
|
lst = sorted(analysis.modified_nodecons, key=lambda x: x.rule)
|
|
assert 2 == len(lst)
|
|
|
|
# changed IPv4
|
|
nodecon, added_context, removed_context = astuple(lst[0])
|
|
assert IPv4Network("123.0.0.0/8") == nodecon.network
|
|
assert "modified_change_level:object_r:system:s2:c0" == added_context
|
|
assert "modified_change_level:object_r:system:s2:c1" == removed_context
|
|
|
|
# changed IPv6
|
|
nodecon, added_context, removed_context = astuple(lst[1])
|
|
assert IPv6Network("ff03::/62") == nodecon.network
|
|
assert "modified_change_level:object_r:system:s2:c1" == added_context
|
|
assert "modified_change_level:object_r:system:s2:c0.c1" == removed_context
|
|
|
|
#
|
|
# Policy capabilities
|
|
#
|
|
def test_added_polcaps(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added polcaps."""
|
|
assert set(["always_check_network"]) == analysis.added_polcaps
|
|
|
|
def test_removed_polcaps(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed polcaps."""
|
|
assert set(["network_peer_controls"]) == analysis.removed_polcaps
|
|
|
|
#
|
|
# portcons
|
|
#
|
|
def test_added_portcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added portcons."""
|
|
lst = sorted(analysis.added_portcons)
|
|
assert 2 == len(lst)
|
|
|
|
portcon = lst[0]
|
|
assert PortconProtocol.tcp == portcon.protocol
|
|
assert PortconRange(2024, 2026) == portcon.ports
|
|
|
|
portcon = lst[1]
|
|
assert PortconProtocol.udp == portcon.protocol
|
|
assert PortconRange(2024, 2024) == portcon.ports
|
|
|
|
def test_removed_portcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed portcons."""
|
|
lst = sorted(analysis.removed_portcons)
|
|
assert 2 == len(lst)
|
|
|
|
portcon = lst[0]
|
|
assert PortconProtocol.tcp == portcon.protocol
|
|
assert PortconRange(1024, 1026) == portcon.ports
|
|
|
|
portcon = lst[1]
|
|
assert PortconProtocol.udp == portcon.protocol
|
|
assert PortconRange(1024, 1024) == portcon.ports
|
|
|
|
def test_modified_portcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified portcons."""
|
|
lst = sorted(analysis.modified_portcons, key=lambda x: x.rule)
|
|
assert 2 == len(lst)
|
|
|
|
portcon, added_context, removed_context = astuple(lst[0])
|
|
assert PortconProtocol.tcp == portcon.protocol
|
|
assert PortconRange(3024, 3026) == portcon.ports
|
|
assert "added_user:object_r:system:s1" == added_context
|
|
assert "removed_user:object_r:system:s0" == removed_context
|
|
|
|
portcon, added_context, removed_context = astuple(lst[1])
|
|
assert PortconProtocol.udp == portcon.protocol
|
|
assert PortconRange(3024, 3024) == portcon.ports
|
|
assert "added_user:object_r:system:s1" == added_context
|
|
assert "removed_user:object_r:system:s0" == removed_context
|
|
|
|
#
|
|
# defaults
|
|
#
|
|
def test_added_defaults(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added defaults."""
|
|
lst = sorted(analysis.added_defaults)
|
|
assert 2 == len(lst)
|
|
|
|
default = lst[0]
|
|
assert DRT.default_range == default.ruletype
|
|
assert "infoflow2" == default.tclass
|
|
|
|
default = lst[1]
|
|
assert DRT.default_user == default.ruletype
|
|
assert "infoflow2" == default.tclass
|
|
|
|
def test_removed_defaults(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed defaults."""
|
|
lst = sorted(analysis.removed_defaults)
|
|
assert 2 == len(lst)
|
|
|
|
default = lst[0]
|
|
assert DRT.default_range == default.ruletype
|
|
assert "infoflow3" == default.tclass
|
|
|
|
default = lst[1]
|
|
assert DRT.default_role == default.ruletype
|
|
assert "infoflow3" == default.tclass
|
|
|
|
def test_modified_defaults(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified defaults."""
|
|
lst = sorted(analysis.modified_defaults, key=lambda x: x.rule)
|
|
assert 4 == len(lst)
|
|
|
|
default, added_default, removed_default, added_range, removed_range = astuple(lst[0])
|
|
assert DRT.default_range == default.ruletype
|
|
assert "infoflow4" == default.tclass
|
|
assert DV.target == added_default
|
|
assert DV.source == removed_default
|
|
assert added_range is None
|
|
assert removed_range is None
|
|
|
|
default, added_default, removed_default, added_range, removed_range = astuple(lst[1])
|
|
assert DRT.default_range == default.ruletype
|
|
assert "infoflow5" == default.tclass
|
|
assert added_default is None
|
|
assert removed_default is None
|
|
assert DRV.high == added_range
|
|
assert DRV.low == removed_range
|
|
|
|
default, added_default, removed_default, added_range, removed_range = astuple(lst[2])
|
|
assert DRT.default_range == default.ruletype
|
|
assert "infoflow6" == default.tclass
|
|
assert DV.target == added_default
|
|
assert DV.source == removed_default
|
|
assert DRV.low == added_range
|
|
assert DRV.high == removed_range
|
|
|
|
default, added_default, removed_default, added_range, removed_range = astuple(lst[3])
|
|
assert DRT.default_type == default.ruletype
|
|
assert "infoflow4" == default.tclass
|
|
assert DV.target == added_default
|
|
assert DV.source == removed_default
|
|
assert added_range is None
|
|
assert removed_range is None
|
|
|
|
#
|
|
# constrains
|
|
#
|
|
def test_added_constrains(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added constrains."""
|
|
lst = sorted(analysis.added_constrains)
|
|
assert 2 == len(lst)
|
|
|
|
constrain = lst[0]
|
|
assert CRT.constrain == constrain.ruletype
|
|
assert "infoflow3" == constrain.tclass
|
|
assert set(["null"]) == constrain.perms
|
|
assert ["u1", "u2", "!="] == constrain.expression
|
|
|
|
constrain = lst[1]
|
|
assert CRT.constrain == constrain.ruletype
|
|
assert "infoflow5" == constrain.tclass
|
|
assert set(["hi_r"]) == constrain.perms
|
|
assert ['u1', 'u2', '==', 'r1', 'r2', '==', 'and', 't1', set(["system"]), '!=', 'or'] \
|
|
== constrain.expression
|
|
|
|
def test_removed_constrains(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed constrains."""
|
|
lst = sorted(analysis.removed_constrains)
|
|
assert 2 == len(lst)
|
|
|
|
constrain = lst[0]
|
|
assert CRT.constrain == constrain.ruletype
|
|
assert "infoflow4" == constrain.tclass
|
|
assert set(["hi_w"]) == constrain.perms
|
|
assert ["u1", "u2", "!="] == constrain.expression
|
|
|
|
constrain = lst[1]
|
|
assert CRT.constrain == constrain.ruletype
|
|
assert "infoflow5" == constrain.tclass
|
|
assert set(["hi_r"]) == constrain.perms
|
|
assert ['u1', 'u2', '==', 'r1', 'r2', '==', 'and', 't1', set(["system"]), '==', 'or'] == \
|
|
constrain.expression
|
|
|
|
#
|
|
# mlsconstrains
|
|
#
|
|
def test_added_mlsconstrains(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added mlsconstrains."""
|
|
lst = sorted(analysis.added_mlsconstrains)
|
|
assert 2 == len(lst)
|
|
|
|
mlsconstrain = lst[0]
|
|
assert CRT.mlsconstrain == mlsconstrain.ruletype
|
|
assert "infoflow3" == mlsconstrain.tclass
|
|
assert set(["null"]) == mlsconstrain.perms
|
|
assert ['l1', 'l2', 'domby', 'h1', 'h2', 'domby', 'and',
|
|
't1', set(["mls_exempt"]), '!=', 'or'] == mlsconstrain.expression
|
|
|
|
mlsconstrain = lst[1]
|
|
assert CRT.mlsconstrain == mlsconstrain.ruletype
|
|
assert "infoflow5" == mlsconstrain.tclass
|
|
assert set(["hi_r"]) == mlsconstrain.perms
|
|
assert ['l1', 'l2', 'domby', 'h1', 'h2', 'incomp',
|
|
'and', 't1', set(["mls_exempt"]), '==', 'or'] == mlsconstrain.expression
|
|
|
|
def test_removed_mlsconstrains(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed mlsconstrains."""
|
|
lst = sorted(analysis.removed_mlsconstrains)
|
|
assert 2 == len(lst)
|
|
|
|
mlsconstrain = lst[0]
|
|
assert CRT.mlsconstrain == mlsconstrain.ruletype
|
|
assert "infoflow4" == mlsconstrain.tclass
|
|
assert set(["hi_w"]) == mlsconstrain.perms
|
|
assert ['l1', 'l2', 'domby', 'h1', 'h2', 'domby', 'and',
|
|
't1', set(["mls_exempt"]), '==', 'or'] == mlsconstrain.expression
|
|
|
|
mlsconstrain = lst[1]
|
|
assert CRT.mlsconstrain == mlsconstrain.ruletype
|
|
assert "infoflow5" == mlsconstrain.tclass
|
|
assert set(["hi_r"]) == mlsconstrain.perms
|
|
assert ['l1', 'l2', 'domby', 'h1', 'h2', 'dom', 'and', 't1', set(["mls_exempt"]), '==',
|
|
'or'] == mlsconstrain.expression
|
|
|
|
#
|
|
# validatetrans
|
|
#
|
|
def test_added_validatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added validatetrans."""
|
|
lst = sorted(analysis.added_validatetrans)
|
|
assert 2 == len(lst)
|
|
|
|
validatetrans = lst[0]
|
|
assert CRT.validatetrans == validatetrans.ruletype
|
|
assert "infoflow3" == validatetrans.tclass
|
|
assert ['t1', 't2', '==', 't3', set(["system"]), '==', 'or'] == validatetrans.expression
|
|
|
|
validatetrans = lst[1]
|
|
assert CRT.validatetrans == validatetrans.ruletype
|
|
assert "infoflow5" == validatetrans.tclass
|
|
assert ['u1', 'u2', '!=', 'r1', 'r2', '==', 'and', 't3', set(["system"]), '==', 'or'] \
|
|
== validatetrans.expression
|
|
|
|
def test_removed_validatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed validatetrans."""
|
|
lst = sorted(analysis.removed_validatetrans)
|
|
assert 2 == len(lst)
|
|
|
|
validatetrans = lst[0]
|
|
assert CRT.validatetrans == validatetrans.ruletype
|
|
assert "infoflow4" == validatetrans.tclass
|
|
assert ['u1', 'u2', '==', 't3', set(["system"]), '==', 'or'] == validatetrans.expression
|
|
|
|
validatetrans = lst[1]
|
|
assert CRT.validatetrans == validatetrans.ruletype
|
|
assert "infoflow5" == validatetrans.tclass
|
|
assert ['u1', 'u2', '==', 'r1', 'r2', '!=', 'and', 't3', set(["system"]), '==', 'or'] \
|
|
== validatetrans.expression
|
|
|
|
#
|
|
# mlsvalidatetrans
|
|
#
|
|
def test_added_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added mlsvalidatetrans."""
|
|
lst = sorted(analysis.added_mlsvalidatetrans)
|
|
assert 2 == len(lst)
|
|
|
|
mlsvalidatetrans = lst[0]
|
|
assert CRT.mlsvalidatetrans == mlsvalidatetrans.ruletype
|
|
assert "infoflow3" == mlsvalidatetrans.tclass
|
|
assert ['l1', 'l2', '==', 'h1', 'h2', '==', 'and', 't3', set(["mls_exempt"]), '==',
|
|
'or'] == mlsvalidatetrans.expression
|
|
|
|
mlsvalidatetrans = lst[1]
|
|
assert CRT.mlsvalidatetrans == mlsvalidatetrans.ruletype
|
|
assert "infoflow5" == mlsvalidatetrans.tclass
|
|
assert ['l1', 'l2', 'incomp', 'h1', 'h2', 'domby', 'and', 't3', set(["mls_exempt"]), '==',
|
|
'or'] == mlsvalidatetrans.expression
|
|
|
|
def test_removed_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed mlsvalidatetrans."""
|
|
lst = sorted(analysis.removed_mlsvalidatetrans)
|
|
assert 2 == len(lst)
|
|
|
|
mlsvalidatetrans = lst[0]
|
|
assert CRT.mlsvalidatetrans == mlsvalidatetrans.ruletype
|
|
assert "infoflow4" == mlsvalidatetrans.tclass
|
|
assert ['l1', 'l2', '==', 'h1', 'h2', '==', 'and', 't3', set(["mls_exempt"]), '==',
|
|
'or'] == mlsvalidatetrans.expression
|
|
|
|
mlsvalidatetrans = lst[1]
|
|
assert CRT.mlsvalidatetrans == mlsvalidatetrans.ruletype
|
|
assert "infoflow5" == mlsvalidatetrans.tclass
|
|
assert ['l1', 'l2', 'dom', 'h1', 'h2', 'dom', 'and', 't3', set(["mls_exempt"]), '==',
|
|
'or'] == mlsvalidatetrans.expression
|
|
|
|
#
|
|
# typebounds
|
|
#
|
|
def test_added_typebounds(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added typebounds."""
|
|
lst = sorted(analysis.added_typebounds)
|
|
assert 1 == len(lst)
|
|
|
|
bounds = lst[0]
|
|
assert BRT.typebounds == bounds.ruletype
|
|
assert "added_parent" == bounds.parent
|
|
assert "added_child" == bounds.child
|
|
|
|
def test_removed_typebounds(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed typebounds."""
|
|
lst = sorted(analysis.removed_typebounds)
|
|
assert 1 == len(lst)
|
|
|
|
bounds = lst[0]
|
|
assert BRT.typebounds == bounds.ruletype
|
|
assert "removed_parent" == bounds.parent
|
|
assert "removed_child" == bounds.child
|
|
|
|
def test_modified_typebounds(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified typebounds."""
|
|
lst = sorted(analysis.modified_typebounds, key=lambda x: x.rule)
|
|
assert 1 == len(lst)
|
|
|
|
bounds, added_bound, removed_bound = astuple(lst[0])
|
|
assert BRT.typebounds == bounds.ruletype
|
|
assert "mod_child" == bounds.child
|
|
assert "mod_parent_added" == added_bound
|
|
assert "mod_parent_removed" == removed_bound
|
|
|
|
#
|
|
# Allowxperm rules
|
|
#
|
|
def test_added_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added allowxperm rules."""
|
|
rules = sorted(analysis.added_allowxperms)
|
|
assert 2 == len(rules)
|
|
|
|
# added rule with new type
|
|
util.validate_rule(rules[0], TRT.allowxperm, "added_type", "added_type",
|
|
tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl")
|
|
|
|
# added rule with existing types
|
|
util.validate_rule(rules[1], TRT.allowxperm, "ax_added_rule_source",
|
|
"ax_added_rule_target", tclass="infoflow",
|
|
perms=setools.XpermSet([0x0002]), xperm="ioctl")
|
|
|
|
def test_removed_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed allowxperm rules."""
|
|
rules = sorted(analysis.removed_allowxperms)
|
|
assert 2 == len(rules)
|
|
|
|
# removed rule with existing types
|
|
util.validate_rule(rules[0], TRT.allowxperm, "ax_removed_rule_source",
|
|
"ax_removed_rule_target", tclass="infoflow",
|
|
perms=setools.XpermSet([0x0002]), xperm="ioctl")
|
|
|
|
# removed rule with new type
|
|
util.validate_rule(rules[1], TRT.allowxperm, "removed_type", "removed_type",
|
|
tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl")
|
|
|
|
def test_modified_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified allowxperm rules."""
|
|
lst = sorted(analysis.modified_allowxperms, key=lambda x: x.rule)
|
|
assert 3 == len(lst)
|
|
|
|
# add permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[0])
|
|
assert TRT.allowxperm == rule.ruletype
|
|
assert "ax_modified_rule_add_perms" == rule.source
|
|
assert "ax_modified_rule_add_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert setools.XpermSet([0x000f]) == added_perms
|
|
assert not removed_perms
|
|
assert setools.XpermSet([0x0004]) == matched_perms
|
|
|
|
# add and remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[1])
|
|
assert TRT.allowxperm == rule.ruletype
|
|
assert "ax_modified_rule_add_remove_perms" == rule.source
|
|
assert "ax_modified_rule_add_remove_perms" == rule.target
|
|
assert "infoflow2" == rule.tclass
|
|
assert setools.XpermSet([0x0006]) == added_perms
|
|
assert setools.XpermSet([0x0007]) == removed_perms
|
|
assert setools.XpermSet([0x0008]) == matched_perms
|
|
|
|
# remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[2])
|
|
assert TRT.allowxperm == rule.ruletype
|
|
assert "ax_modified_rule_remove_perms" == rule.source
|
|
assert "ax_modified_rule_remove_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert not added_perms
|
|
assert setools.XpermSet([0x0006]) == removed_perms
|
|
assert setools.XpermSet([0x0005]) == matched_perms
|
|
|
|
#
|
|
# Auditallowxperm rules
|
|
#
|
|
def test_added_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added auditallowxperm rules."""
|
|
rules = sorted(analysis.added_auditallowxperms)
|
|
assert 2 == len(rules)
|
|
|
|
# added rule with existing types
|
|
util.validate_rule(rules[0], TRT.auditallowxperm, "aax_added_rule_source",
|
|
"aax_added_rule_target", tclass="infoflow",
|
|
perms=setools.XpermSet([0x0002]), xperm="ioctl")
|
|
|
|
# added rule with new type
|
|
util.validate_rule(rules[1], TRT.auditallowxperm, "added_type", "added_type",
|
|
tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl")
|
|
|
|
def test_removed_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed auditallowxperm rules."""
|
|
rules = sorted(analysis.removed_auditallowxperms)
|
|
assert 2 == len(rules)
|
|
|
|
# removed rule with existing types
|
|
util.validate_rule(rules[0], TRT.auditallowxperm, "aax_removed_rule_source",
|
|
"aax_removed_rule_target", tclass="infoflow",
|
|
perms=setools.XpermSet([0x0002]), xperm="ioctl")
|
|
|
|
# removed rule with new type
|
|
util.validate_rule(rules[1], TRT.auditallowxperm, "removed_type", "removed_type",
|
|
tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl")
|
|
|
|
def test_modified_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified auditallowxperm rules."""
|
|
lst = sorted(analysis.modified_auditallowxperms, key=lambda x: x.rule)
|
|
assert 3 == len(lst)
|
|
|
|
# add permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[0])
|
|
assert TRT.auditallowxperm == rule.ruletype
|
|
assert "aax_modified_rule_add_perms" == rule.source
|
|
assert "aax_modified_rule_add_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert setools.XpermSet([0x000f]) == added_perms
|
|
assert not removed_perms
|
|
assert setools.XpermSet([0x0004]) == matched_perms
|
|
|
|
# add and remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[1])
|
|
assert TRT.auditallowxperm == rule.ruletype
|
|
assert "aax_modified_rule_add_remove_perms" == rule.source
|
|
assert "aax_modified_rule_add_remove_perms" == rule.target
|
|
assert "infoflow2" == rule.tclass
|
|
assert setools.XpermSet([0x0006]) == added_perms
|
|
assert setools.XpermSet([0x0007]) == removed_perms
|
|
assert setools.XpermSet([0x0008]) == matched_perms
|
|
|
|
# remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[2])
|
|
assert TRT.auditallowxperm == rule.ruletype
|
|
assert "aax_modified_rule_remove_perms" == rule.source
|
|
assert "aax_modified_rule_remove_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert not added_perms
|
|
assert setools.XpermSet([0x0006]) == removed_perms
|
|
assert setools.XpermSet([0x0005]) == matched_perms
|
|
|
|
#
|
|
# Neverallowxperm rules
|
|
#
|
|
def test_added_neverallowxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added neverallowxperm rules."""
|
|
assert not analysis.added_neverallowxperms
|
|
# changed after dropping source policy support
|
|
# rules = sorted(analysis.added_neverallowxperms)
|
|
# assert 2 == len(rules)
|
|
#
|
|
# # added rule with new type
|
|
# util.validate_rule(rules[0], TRT.neverallowxperm, "added_type", "added_type",
|
|
# "infoflow7", setools.XpermSet([0x0009]), xperm="ioctl")
|
|
#
|
|
# # added rule with existing types
|
|
# util.validate_rule(rules[1], TRT.neverallowxperm, "nax_added_rule_source",
|
|
# "nax_added_rule_target", "infoflow", setools.XpermSet([0x0002]),
|
|
# xperm="ioctl")
|
|
|
|
def test_removed_neverallowxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed neverallowxperm rules."""
|
|
assert not analysis.removed_neverallowxperms
|
|
# changed after dropping source policy support
|
|
# rules = sorted(analysis.removed_neverallowxperms)
|
|
# assert 2 == len(rules)
|
|
#
|
|
# # removed rule with existing types
|
|
# util.validate_rule(rules[0], TRT.neverallowxperm, "nax_removed_rule_source",
|
|
# "nax_removed_rule_target", "infoflow", setools.XpermSet([0x0002]),
|
|
# xperm="ioctl")
|
|
#
|
|
# # removed rule with new type
|
|
# util.validate_rule(rules[1], TRT.neverallowxperm, "removed_type", "removed_type",
|
|
# "infoflow7", setools.XpermSet([0x0009]), xperm="ioctl")
|
|
|
|
def test_modified_neverallowxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified neverallowxperm rules."""
|
|
assert not analysis.modified_neverallowxperms
|
|
# changed after dropping source policy support
|
|
# l = sorted(analysis.modified_neverallowxperms, key=lambda x: x.rule)
|
|
# assert 3 == len(l)
|
|
#
|
|
# # add permissions
|
|
# rule, added_perms, removed_perms, matched_perms = l[0]
|
|
# assert TRT.neverallowxperm == rule.ruletype
|
|
# assert "nax_modified_rule_add_perms" == rule.source
|
|
# assert "nax_modified_rule_add_perms" == rule.target
|
|
# assert "infoflow" == rule.tclass
|
|
# assert setools.XpermSet([0x000f]) == added_perms
|
|
# assert not removed_perms
|
|
# assert setools.XpermSet([0x0004]) == matched_perms
|
|
#
|
|
# # add and remove permissions
|
|
# rule, added_perms, removed_perms, matched_perms = l[1]
|
|
# assert TRT.neverallowxperm == rule.ruletype
|
|
# assert "nax_modified_rule_add_remove_perms" == rule.source
|
|
# assert "nax_modified_rule_add_remove_perms" == rule.target
|
|
# assert "infoflow2" == rule.tclass
|
|
# assert setools.XpermSet([0x0006]) == added_perms
|
|
# assert setools.XpermSet([0x0007]) == removed_perms
|
|
# assert setools.XpermSet([0x0008]) == matched_perms
|
|
#
|
|
# # remove permissions
|
|
# rule, added_perms, removed_perms, matched_perms = l[2]
|
|
# assert TRT.neverallowxperm == rule.ruletype
|
|
# assert "nax_modified_rule_remove_perms" == rule.source
|
|
# assert "nax_modified_rule_remove_perms" == rule.target
|
|
# assert "infoflow" == rule.tclass
|
|
# assert not added_perms
|
|
# assert setools.XpermSet([0x0006]) == removed_perms
|
|
# assert setools.XpermSet([0x0005]) == matched_perms
|
|
|
|
#
|
|
# Dontauditxperm rules
|
|
#
|
|
def test_added_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added dontauditxperm rules."""
|
|
rules = sorted(analysis.added_dontauditxperms)
|
|
assert 2 == len(rules)
|
|
|
|
# added rule with new type
|
|
util.validate_rule(rules[0], TRT.dontauditxperm, "added_type", "added_type",
|
|
tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl")
|
|
|
|
# added rule with existing types
|
|
util.validate_rule(rules[1], TRT.dontauditxperm, "dax_added_rule_source",
|
|
"dax_added_rule_target", tclass="infoflow",
|
|
perms=setools.XpermSet([0x0002]), xperm="ioctl")
|
|
|
|
def test_removed_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed dontauditxperm rules."""
|
|
rules = sorted(analysis.removed_dontauditxperms)
|
|
assert 2 == len(rules)
|
|
|
|
# removed rule with existing types
|
|
util.validate_rule(rules[0], TRT.dontauditxperm, "dax_removed_rule_source",
|
|
"dax_removed_rule_target", tclass="infoflow",
|
|
perms=setools.XpermSet([0x0002]), xperm="ioctl")
|
|
|
|
# removed rule with new type
|
|
util.validate_rule(rules[1], TRT.dontauditxperm, "removed_type", "removed_type",
|
|
tclass="infoflow7", perms=setools.XpermSet([0x0009]), xperm="ioctl")
|
|
|
|
def test_modified_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified dontauditxperm rules."""
|
|
lst = sorted(analysis.modified_dontauditxperms, key=lambda x: x.rule)
|
|
assert 3 == len(lst)
|
|
|
|
# add permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[0])
|
|
assert TRT.dontauditxperm == rule.ruletype
|
|
assert "dax_modified_rule_add_perms" == rule.source
|
|
assert "dax_modified_rule_add_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert setools.XpermSet([0x000f]) == added_perms
|
|
assert not removed_perms
|
|
assert setools.XpermSet([0x0004]) == matched_perms
|
|
|
|
# add and remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[1])
|
|
assert TRT.dontauditxperm == rule.ruletype
|
|
assert "dax_modified_rule_add_remove_perms" == rule.source
|
|
assert "dax_modified_rule_add_remove_perms" == rule.target
|
|
assert "infoflow2" == rule.tclass
|
|
assert setools.XpermSet([0x0006]) == added_perms
|
|
assert setools.XpermSet([0x0007]) == removed_perms
|
|
assert setools.XpermSet([0x0008]) == matched_perms
|
|
|
|
# remove permissions
|
|
rule, added_perms, removed_perms, matched_perms = astuple(lst[2])
|
|
assert TRT.dontauditxperm == rule.ruletype
|
|
assert "dax_modified_rule_remove_perms" == rule.source
|
|
assert "dax_modified_rule_remove_perms" == rule.target
|
|
assert "infoflow" == rule.tclass
|
|
assert not added_perms
|
|
assert setools.XpermSet([0x0006]) == removed_perms
|
|
assert setools.XpermSet([0x0005]) == matched_perms
|
|
|
|
#
|
|
# Ibendportcon statements
|
|
#
|
|
def test_added_ibendportcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added ibendportcon statements."""
|
|
rules = sorted(analysis.added_ibendportcons)
|
|
assert 1 == len(rules)
|
|
assert "add" == rules[0].name
|
|
assert 23 == rules[0].port
|
|
assert "system:system:system:s0" == rules[0].context
|
|
|
|
def test_removed_ibendportcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed ibendportcon statements."""
|
|
rules = sorted(analysis.removed_ibendportcons)
|
|
assert 1 == len(rules)
|
|
assert "removed" == rules[0].name
|
|
assert 7 == rules[0].port
|
|
assert "system:system:system:s0" == rules[0].context
|
|
|
|
def test_modified_ibendportcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified ibendportcon statements"""
|
|
rules = sorted(analysis.modified_ibendportcons)
|
|
assert 1 == len(rules)
|
|
|
|
rule, added, removed = astuple(rules[0])
|
|
assert "modified" == rule.name
|
|
assert 13 == rule.port
|
|
assert "modified_change_level:object_r:system:s2" == added
|
|
assert "modified_change_level:object_r:system:s2:c0.c1" == removed
|
|
|
|
#
|
|
# Ibpkeycon statements
|
|
#
|
|
def test_added_ibpkeycons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: added ibpkeycon statements."""
|
|
rules = sorted(analysis.added_ibpkeycons)
|
|
assert 2 == len(rules)
|
|
|
|
rule = rules[0]
|
|
assert IPv6Address("beef::") == rule.subnet_prefix
|
|
assert 0xe == rule.pkeys.low
|
|
assert 0xe == rule.pkeys.high
|
|
assert "system:system:system:s0" == rule.context
|
|
|
|
rule = rules[1]
|
|
assert IPv6Address("dead::") == rule.subnet_prefix
|
|
assert 0xbeef == rule.pkeys.low
|
|
assert 0xdead == rule.pkeys.high
|
|
assert "system:system:system:s0" == rule.context
|
|
|
|
def test_removed_ibpkeycons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed ibpkeycon statements."""
|
|
rules = sorted(analysis.removed_ibpkeycons)
|
|
assert 2 == len(rules)
|
|
|
|
rule = rules[0]
|
|
assert IPv6Address("dccc::") == rule.subnet_prefix
|
|
assert 0xc == rule.pkeys.low
|
|
assert 0xc == rule.pkeys.high
|
|
assert "system:system:system:s0" == rule.context
|
|
|
|
rule = rules[1]
|
|
assert IPv6Address("feee::") == rule.subnet_prefix
|
|
assert 0xaaaa == rule.pkeys.low
|
|
assert 0xbbbb == rule.pkeys.high
|
|
assert "system:system:system:s0" == rule.context
|
|
|
|
def test_modified_ibpkeycons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: modified ibpkeycon statements"""
|
|
rules = sorted(analysis.modified_ibpkeycons)
|
|
assert 2 == len(rules)
|
|
|
|
rule, added, removed = astuple(rules[0])
|
|
assert IPv6Address("aaaa::") == rule.subnet_prefix
|
|
assert 0xcccc == rule.pkeys.low
|
|
assert 0xdddd == rule.pkeys.high
|
|
assert "modified_change_level:object_r:system:s2:c0" == added
|
|
assert "modified_change_level:object_r:system:s2:c1" == removed
|
|
|
|
rule, added, removed = astuple(rules[1])
|
|
assert IPv6Address("bbbb::") == rule.subnet_prefix
|
|
assert 0xf == rule.pkeys.low
|
|
assert 0xf == rule.pkeys.high
|
|
assert "modified_change_level:object_r:system:s2:c1" == added
|
|
assert "modified_change_level:object_r:system:s2:c0.c1" == removed
|
|
|
|
|
|
@pytest.mark.obj_args("tests/library/diff_left.conf", "tests/library/diff_right_rmisid.conf")
|
|
class TestPolicyDifferenceRmIsid:
|
|
|
|
"""
|
|
Policy difference test for removed initial SID.
|
|
|
|
Since initial SID names are fixed (they don't exist in the binary policy)
|
|
this cannot be in the above test suite.
|
|
"""
|
|
|
|
def test_removed_initialsids(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Diff: removed initialsids."""
|
|
assert set(["file"]) == analysis.removed_initialsids
|
|
|
|
|
|
@pytest.mark.obj_args("tests/library/diff_left.conf", "tests/library/diff_left.conf")
|
|
class TestPolicyDifferenceTestNoDiff:
|
|
|
|
"""Policy difference test with no policy differences."""
|
|
|
|
def test_added_types(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added types"""
|
|
assert not analysis.added_types
|
|
|
|
def test_removed_types(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed types"""
|
|
assert not analysis.removed_types
|
|
|
|
def test_modified_types(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified types"""
|
|
assert not analysis.modified_types
|
|
|
|
def test_added_roles(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added roles."""
|
|
assert not analysis.added_roles
|
|
|
|
def test_removed_roles(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed roles."""
|
|
assert not analysis.removed_roles
|
|
|
|
def test_modified_roles(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified roles."""
|
|
assert not analysis.modified_roles
|
|
|
|
def test_added_commons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added commons."""
|
|
assert not analysis.added_commons
|
|
|
|
def test_removed_commons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed commons."""
|
|
assert not analysis.removed_commons
|
|
|
|
def test_modified_commons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified commons."""
|
|
assert not analysis.modified_commons
|
|
|
|
def test_added_classes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added classes."""
|
|
assert not analysis.added_classes
|
|
|
|
def test_removed_classes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed classes."""
|
|
assert not analysis.removed_classes
|
|
|
|
def test_modified_classes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified classes."""
|
|
assert not analysis.modified_classes
|
|
|
|
def test_added_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added allow rules."""
|
|
assert not analysis.added_allows
|
|
|
|
def test_removed_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed allow rules."""
|
|
assert not analysis.removed_allows
|
|
|
|
def test_modified_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified allow rules."""
|
|
assert not analysis.modified_allows
|
|
|
|
def test_added_auditallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added auditallow rules."""
|
|
assert not analysis.added_auditallows
|
|
|
|
def test_removed_auditallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed auditallow rules."""
|
|
assert not analysis.removed_auditallows
|
|
|
|
def test_modified_auditallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified auditallow rules."""
|
|
assert not analysis.modified_auditallows
|
|
|
|
def test_added_neverallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added neverallow rules."""
|
|
assert not analysis.added_neverallows
|
|
|
|
def test_removed_neverallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed neverallow rules."""
|
|
assert not analysis.removed_neverallows
|
|
|
|
def test_modified_neverallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified neverallow rules."""
|
|
assert not analysis.modified_neverallows
|
|
|
|
def test_added_dontaudits(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added dontaudit rules."""
|
|
assert not analysis.added_dontaudits
|
|
|
|
def test_removed_dontaudits(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed dontaudit rules."""
|
|
assert not analysis.removed_dontaudits
|
|
|
|
def test_modified_dontaudits(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified dontaudit rules."""
|
|
assert not analysis.modified_dontaudits
|
|
|
|
def test_added_type_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added type_transition rules."""
|
|
assert not analysis.added_type_transitions
|
|
|
|
def test_removed_type_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed type_transition rules."""
|
|
assert not analysis.removed_type_transitions
|
|
|
|
def test_modified_type_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified type_transition rules."""
|
|
assert not analysis.modified_type_transitions
|
|
|
|
def test_added_type_changes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added type_change rules."""
|
|
assert not analysis.added_type_changes
|
|
|
|
def test_removed_type_changes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed type_change rules."""
|
|
assert not analysis.removed_type_changes
|
|
|
|
def test_modified_type_changes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified type_change rules."""
|
|
assert not analysis.modified_type_changes
|
|
|
|
def test_added_type_members(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added type_member rules."""
|
|
assert not analysis.added_type_members
|
|
|
|
def test_removed_type_members(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed type_member rules."""
|
|
assert not analysis.removed_type_members
|
|
|
|
def test_modified_type_members(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified type_member rules."""
|
|
assert not analysis.modified_type_members
|
|
|
|
def test_added_range_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added range_transition rules."""
|
|
assert not analysis.added_range_transitions
|
|
|
|
def test_removed_range_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed range_transition rules."""
|
|
assert not analysis.removed_range_transitions
|
|
|
|
def test_modified_range_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified range_transition rules."""
|
|
assert not analysis.modified_range_transitions
|
|
|
|
def test_added_role_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added role_allow rules."""
|
|
assert not analysis.added_role_allows
|
|
|
|
def test_removed_role_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed role_allow rules."""
|
|
assert not analysis.removed_role_allows
|
|
|
|
def test_added_role_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added role_transition rules."""
|
|
assert not analysis.added_role_transitions
|
|
|
|
def test_removed_role_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed role_transition rules."""
|
|
assert not analysis.removed_role_transitions
|
|
|
|
def test_modified_role_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified role_transition rules."""
|
|
assert not analysis.modified_role_transitions
|
|
|
|
def test_added_users(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added users."""
|
|
assert not analysis.added_users
|
|
|
|
def test_removed_users(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed users."""
|
|
assert not analysis.removed_users
|
|
|
|
def test_modified_users(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified user rules."""
|
|
assert not analysis.modified_users
|
|
|
|
def test_added_type_attributes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added type attribute."""
|
|
assert not analysis.added_type_attributes
|
|
|
|
def test_removed_type_attributes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed type attributes."""
|
|
assert not analysis.removed_type_attributes
|
|
|
|
def test_modified_type_attributes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified type attributes."""
|
|
assert not analysis.modified_type_attributes
|
|
|
|
def test_added_booleans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added booleans."""
|
|
assert not analysis.added_booleans
|
|
|
|
def test_removed_booleans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed booleans."""
|
|
assert not analysis.removed_booleans
|
|
|
|
def test_modified_booleans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified booleans."""
|
|
assert not analysis.modified_booleans
|
|
|
|
def test_added_categories(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added categories."""
|
|
assert not analysis.added_categories
|
|
|
|
def test_removed_categories(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed categories."""
|
|
assert not analysis.removed_categories
|
|
|
|
def test_modified_categories(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified categories."""
|
|
assert not analysis.modified_categories
|
|
|
|
def test_added_sensitivities(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added sensitivities."""
|
|
assert not analysis.added_sensitivities
|
|
|
|
def test_removed_sensitivities(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed sensitivities."""
|
|
assert not analysis.removed_sensitivities
|
|
|
|
def test_modified_sensitivities(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified sensitivities."""
|
|
assert not analysis.modified_sensitivities
|
|
|
|
def test_added_initialsids(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added initialsids."""
|
|
assert not analysis.added_initialsids
|
|
|
|
def test_removed_initialsids(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed initialsids."""
|
|
assert not analysis.removed_initialsids
|
|
|
|
def test_modified_initialsids(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified initialsids."""
|
|
assert not analysis.modified_initialsids
|
|
|
|
def test_added_fs_uses(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added fs_uses."""
|
|
assert not analysis.added_fs_uses
|
|
|
|
def test_removed_fs_uses(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed fs_uses."""
|
|
assert not analysis.removed_fs_uses
|
|
|
|
def test_modified_fs_uses(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified fs_uses."""
|
|
assert not analysis.modified_fs_uses
|
|
|
|
def test_added_genfscons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added genfscons."""
|
|
assert not analysis.added_genfscons
|
|
|
|
def test_removed_genfscons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed genfscons."""
|
|
assert not analysis.removed_genfscons
|
|
|
|
def test_modified_genfscons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified genfscons."""
|
|
assert not analysis.modified_genfscons
|
|
|
|
def test_added_levels(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added levels."""
|
|
assert not analysis.added_levels
|
|
|
|
def test_removed_levels(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed levels."""
|
|
assert not analysis.removed_levels
|
|
|
|
def test_modified_levels(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified levels."""
|
|
assert not analysis.modified_levels
|
|
|
|
def test_added_netifcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added netifcons."""
|
|
assert not analysis.added_netifcons
|
|
|
|
def test_removed_netifcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed netifcons."""
|
|
assert not analysis.removed_netifcons
|
|
|
|
def test_modified_netifcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified netifcons."""
|
|
assert not analysis.modified_netifcons
|
|
|
|
def test_added_nodecons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added nodecons."""
|
|
assert not analysis.added_nodecons
|
|
|
|
def test_removed_nodecons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed nodecons."""
|
|
assert not analysis.removed_nodecons
|
|
|
|
def test_modified_nodecons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified nodecons."""
|
|
assert not analysis.modified_nodecons
|
|
|
|
def test_added_polcaps(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added polcaps."""
|
|
assert not analysis.added_polcaps
|
|
|
|
def test_removed_polcaps(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed polcaps."""
|
|
assert not analysis.removed_polcaps
|
|
|
|
def test_added_portcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added portcons."""
|
|
assert not analysis.added_portcons
|
|
|
|
def test_removed_portcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed portcons."""
|
|
assert not analysis.removed_portcons
|
|
|
|
def test_modified_portcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified portcons."""
|
|
assert not analysis.modified_portcons
|
|
|
|
def test_modified_properties(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified properties."""
|
|
assert not analysis.modified_properties
|
|
|
|
def test_added_defaults(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added defaults."""
|
|
assert not analysis.added_defaults
|
|
|
|
def test_removed_defaults(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed defaults."""
|
|
assert not analysis.removed_defaults
|
|
|
|
def test_modified_defaults(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified defaults."""
|
|
assert not analysis.modified_defaults
|
|
|
|
def test_added_constrains(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added constrains."""
|
|
assert not analysis.added_constrains
|
|
|
|
def test_removed_constrains(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed constrains."""
|
|
assert not analysis.removed_constrains
|
|
|
|
def test_added_mlsconstrains(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added mlsconstrains."""
|
|
assert not analysis.added_mlsconstrains
|
|
|
|
def test_removed_mlsconstrains(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed mlsconstrains."""
|
|
assert not analysis.removed_mlsconstrains
|
|
|
|
def test_added_validatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added validatetrans."""
|
|
assert not analysis.added_validatetrans
|
|
|
|
def test_removed_validatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed validatetrans."""
|
|
assert not analysis.removed_validatetrans
|
|
|
|
def test_added_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added mlsvalidatetrans."""
|
|
assert not analysis.added_mlsvalidatetrans
|
|
|
|
def test_removed_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed mlsvalidatetrans."""
|
|
assert not analysis.removed_mlsvalidatetrans
|
|
|
|
def test_added_typebounds(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added typebounds."""
|
|
assert not analysis.added_typebounds
|
|
|
|
def test_removed_typebounds(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed typebounds."""
|
|
assert not analysis.removed_typebounds
|
|
|
|
def test_modified_typebounds(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified typebounds."""
|
|
assert not analysis.modified_typebounds
|
|
|
|
def test_added_allowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added allowxperm rules."""
|
|
assert not analysis.added_allowxperms
|
|
|
|
def test_removed_allowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed allowxperm rules."""
|
|
assert not analysis.removed_allowxperms
|
|
|
|
def test_modified_allowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified allowxperm rules."""
|
|
assert not analysis.modified_allowxperms
|
|
|
|
def test_added_auditallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added auditallowxperm rules."""
|
|
assert not analysis.added_auditallowxperms
|
|
|
|
def test_removed_auditallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed auditallowxperm rules."""
|
|
assert not analysis.removed_auditallowxperms
|
|
|
|
def test_modified_auditallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified auditallowxperm rules."""
|
|
assert not analysis.modified_auditallowxperms
|
|
|
|
def test_added_neverallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added neverallowxperm rules."""
|
|
assert not analysis.added_neverallowxperms
|
|
|
|
def test_removed_neverallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed neverallowxperm rules."""
|
|
assert not analysis.removed_neverallowxperms
|
|
|
|
def test_modified_neverallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified neverallowxperm rules."""
|
|
assert not analysis.modified_neverallowxperms
|
|
|
|
def test_added_dontauditxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added dontauditxperm rules."""
|
|
assert not analysis.added_dontauditxperms
|
|
|
|
def test_removed_dontauditxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed dontauditxperm rules."""
|
|
assert not analysis.removed_dontauditxperms
|
|
|
|
def test_modified_dontauditxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified dontauditxperm rules."""
|
|
assert not analysis.modified_dontauditxperms
|
|
|
|
def test_added_ibendportcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added ibendportcon rules."""
|
|
assert not analysis.added_ibendportcons
|
|
|
|
def test_removed_ibendportcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed ibendportcon rules."""
|
|
assert not analysis.removed_ibendportcons
|
|
|
|
def test_modified_ibendportcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified ibendportcon rules."""
|
|
assert not analysis.modified_ibendportcons
|
|
|
|
def test_added_ibpkeycons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added ibpkeycon rules."""
|
|
assert not analysis.added_ibpkeycons
|
|
|
|
def test_removed_ibpkeycons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed ibpkeycon rules."""
|
|
assert not analysis.removed_ibpkeycons
|
|
|
|
def test_modified_ibpkeycons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified ibpkeycon rules."""
|
|
assert not analysis.modified_ibpkeycons
|
|
|
|
|
|
@pytest.mark.obj_args("tests/library/diff_left.conf", "tests/library/diff_left_standard.conf",
|
|
mls_right=False)
|
|
class TestPolicyDifferenceTestMLStoStandard:
|
|
|
|
"""
|
|
Policy difference test between MLS and standard (non-MLS) policy.
|
|
|
|
The left policy is an MLS policy. The right policy is identical to the
|
|
left policy, except with MLS disabled.
|
|
"""
|
|
|
|
def test_added_types(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added types"""
|
|
assert not analysis.added_types
|
|
|
|
def test_removed_types(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed types"""
|
|
assert not analysis.removed_types
|
|
|
|
def test_modified_types(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified types"""
|
|
assert not analysis.modified_types
|
|
|
|
def test_added_roles(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added roles."""
|
|
assert not analysis.added_roles
|
|
|
|
def test_removed_roles(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed roles."""
|
|
assert not analysis.removed_roles
|
|
|
|
def test_modified_roles(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified roles."""
|
|
assert not analysis.modified_roles
|
|
|
|
def test_added_commons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added commons."""
|
|
assert not analysis.added_commons
|
|
|
|
def test_removed_commons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed commons."""
|
|
assert not analysis.removed_commons
|
|
|
|
def test_modified_commons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified commons."""
|
|
assert not analysis.modified_commons
|
|
|
|
def test_added_classes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added classes."""
|
|
assert not analysis.added_classes
|
|
|
|
def test_removed_classes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed classes."""
|
|
assert not analysis.removed_classes
|
|
|
|
def test_modified_classes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified classes."""
|
|
assert not analysis.modified_classes
|
|
|
|
def test_added_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added allow rules."""
|
|
assert not analysis.added_allows
|
|
|
|
def test_removed_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed allow rules."""
|
|
assert not analysis.removed_allows
|
|
|
|
def test_modified_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified allow rules."""
|
|
assert not analysis.modified_allows
|
|
|
|
def test_added_auditallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added auditallow rules."""
|
|
assert not analysis.added_auditallows
|
|
|
|
def test_removed_auditallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed auditallow rules."""
|
|
assert not analysis.removed_auditallows
|
|
|
|
def test_modified_auditallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified auditallow rules."""
|
|
assert not analysis.modified_auditallows
|
|
|
|
def test_added_neverallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added neverallow rules."""
|
|
assert not analysis.added_neverallows
|
|
|
|
def test_removed_neverallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed neverallow rules."""
|
|
assert not analysis.removed_neverallows
|
|
|
|
def test_modified_neverallows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified neverallow rules."""
|
|
assert not analysis.modified_neverallows
|
|
|
|
def test_added_dontaudits(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added dontaudit rules."""
|
|
assert not analysis.added_dontaudits
|
|
|
|
def test_removed_dontaudits(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed dontaudit rules."""
|
|
assert not analysis.removed_dontaudits
|
|
|
|
def test_modified_dontaudits(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified dontaudit rules."""
|
|
assert not analysis.modified_dontaudits
|
|
|
|
def test_added_type_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added type_transition rules."""
|
|
assert not analysis.added_type_transitions
|
|
|
|
def test_removed_type_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed type_transition rules."""
|
|
assert not analysis.removed_type_transitions
|
|
|
|
def test_modified_type_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified type_transition rules."""
|
|
assert not analysis.modified_type_transitions
|
|
|
|
def test_added_type_changes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added type_change rules."""
|
|
assert not analysis.added_type_changes
|
|
|
|
def test_removed_type_changes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed type_change rules."""
|
|
assert not analysis.removed_type_changes
|
|
|
|
def test_modified_type_changes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified type_change rules."""
|
|
assert not analysis.modified_type_changes
|
|
|
|
def test_added_type_members(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added type_member rules."""
|
|
assert not analysis.added_type_members
|
|
|
|
def test_removed_type_members(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed type_member rules."""
|
|
assert not analysis.removed_type_members
|
|
|
|
def test_modified_type_members(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified type_member rules."""
|
|
assert not analysis.modified_type_members
|
|
|
|
def test_added_range_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added range_transition rules."""
|
|
assert not analysis.added_range_transitions
|
|
|
|
def test_removed_range_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all range_transition rules removed."""
|
|
assert analysis.left_policy.range_transition_count == \
|
|
len(analysis.removed_range_transitions)
|
|
|
|
def test_modified_range_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified range_transition rules."""
|
|
assert not analysis.modified_range_transitions
|
|
|
|
def test_added_role_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added role_allow rules."""
|
|
assert not analysis.added_role_allows
|
|
|
|
def test_removed_role_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed role_allow rules."""
|
|
assert not analysis.removed_role_allows
|
|
|
|
def test_added_role_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added role_transition rules."""
|
|
assert not analysis.added_role_transitions
|
|
|
|
def test_removed_role_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed role_transition rules."""
|
|
assert not analysis.removed_role_transitions
|
|
|
|
def test_modified_role_transitions(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified role_transition rules."""
|
|
assert not analysis.modified_role_transitions
|
|
|
|
def test_added_users(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added users."""
|
|
assert not analysis.added_users
|
|
|
|
def test_removed_users(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed users."""
|
|
assert not analysis.removed_users
|
|
|
|
def test_modified_users(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all users modified."""
|
|
assert analysis.left_policy.user_count == len(analysis.modified_users)
|
|
|
|
def test_added_type_attributes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added type attribute."""
|
|
assert not analysis.added_type_attributes
|
|
|
|
def test_removed_type_attributes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed type attributes."""
|
|
assert not analysis.removed_type_attributes
|
|
|
|
def test_modified_type_attributes(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified type attributes."""
|
|
assert not analysis.modified_type_attributes
|
|
|
|
def test_added_booleans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added booleans."""
|
|
assert not analysis.added_booleans
|
|
|
|
def test_removed_booleans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed booleans."""
|
|
assert not analysis.removed_booleans
|
|
|
|
def test_modified_booleans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified booleans."""
|
|
assert not analysis.modified_booleans
|
|
|
|
def test_added_categories(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added categories."""
|
|
assert not analysis.added_categories
|
|
|
|
def test_removed_categories(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all categories removed."""
|
|
assert analysis.left_policy.category_count == len(analysis.removed_categories)
|
|
|
|
def test_modified_categories(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified categories."""
|
|
assert not analysis.modified_categories
|
|
|
|
def test_added_sensitivities(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added sensitivities."""
|
|
assert not analysis.added_sensitivities
|
|
|
|
def test_removed_sensitivities(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all sensitivities removed."""
|
|
assert analysis.left_policy.level_count == len(analysis.removed_sensitivities)
|
|
|
|
def test_modified_sensitivities(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified sensitivities."""
|
|
assert not analysis.modified_sensitivities
|
|
|
|
def test_added_initialsids(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added initialsids."""
|
|
assert not analysis.added_initialsids
|
|
|
|
def test_removed_initialsids(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed initialsids."""
|
|
assert not analysis.removed_initialsids
|
|
|
|
def test_modified_initialsids(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all initialsids modified."""
|
|
assert analysis.left_policy.initialsids_count == len(analysis.modified_initialsids)
|
|
|
|
def test_added_fs_uses(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added fs_uses."""
|
|
assert not analysis.added_fs_uses
|
|
|
|
def test_removed_fs_uses(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed fs_uses."""
|
|
assert not analysis.removed_fs_uses
|
|
|
|
def test_modified_fs_uses(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all fs_uses modified."""
|
|
assert analysis.left_policy.fs_use_count == len(analysis.modified_fs_uses)
|
|
|
|
def test_added_genfscons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added genfscons."""
|
|
assert not analysis.added_genfscons
|
|
|
|
def test_removed_genfscons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed genfscons."""
|
|
assert not analysis.removed_genfscons
|
|
|
|
def test_modified_genfscons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all genfscons modified."""
|
|
assert analysis.left_policy.genfscon_count == len(analysis.modified_genfscons)
|
|
|
|
def test_added_levels(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added levels."""
|
|
assert not analysis.added_levels
|
|
|
|
def test_removed_levels(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all levels removed."""
|
|
assert analysis.left_policy.level_count == len(analysis.removed_levels)
|
|
|
|
def test_modified_levels(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified levels."""
|
|
assert not analysis.modified_levels
|
|
|
|
def test_added_netifcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added netifcons."""
|
|
assert not analysis.added_netifcons
|
|
|
|
def test_removed_netifcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed netifcons."""
|
|
assert not analysis.removed_netifcons
|
|
|
|
def test_modified_netifcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all netifcons modified."""
|
|
assert analysis.left_policy.netifcon_count == len(analysis.modified_netifcons)
|
|
|
|
def test_added_nodecons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added nodecons."""
|
|
assert not analysis.added_nodecons
|
|
|
|
def test_removed_nodecons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed nodecons."""
|
|
assert not analysis.removed_nodecons
|
|
|
|
def test_modified_nodecons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all nodecons modified."""
|
|
assert analysis.left_policy.nodecon_count == len(analysis.modified_nodecons)
|
|
|
|
def test_added_polcaps(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added polcaps."""
|
|
assert not analysis.added_polcaps
|
|
|
|
def test_removed_polcaps(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed polcaps."""
|
|
assert not analysis.removed_polcaps
|
|
|
|
def test_added_portcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added portcons."""
|
|
assert not analysis.added_portcons
|
|
|
|
def test_removed_portcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed portcons."""
|
|
assert not analysis.removed_portcons
|
|
|
|
def test_modified_portcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all portcons modified."""
|
|
assert analysis.left_policy.portcon_count == len(analysis.modified_portcons)
|
|
|
|
def test_modified_properties(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: MLS property modified only."""
|
|
assert 1 == len(analysis.modified_properties)
|
|
|
|
name, added, removed = astuple(analysis.modified_properties[0])
|
|
assert "MLS" == name
|
|
assert added is False
|
|
assert removed is True
|
|
|
|
def test_added_defaults(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added defaults."""
|
|
assert not analysis.added_defaults
|
|
|
|
def test_removed_defaults(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all default_range removed."""
|
|
assert sum(1 for d in analysis.left_policy.defaults() if d.ruletype == DRT.default_range) \
|
|
== len(analysis.removed_defaults)
|
|
|
|
def test_modified_defaults(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no defaults modified."""
|
|
assert not analysis.modified_defaults
|
|
|
|
def test_added_constraints(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added constraints."""
|
|
assert not analysis.added_constrains
|
|
|
|
def test_removed_constraints(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed constraints."""
|
|
assert not analysis.removed_constrains
|
|
|
|
def test_added_validatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added validatetrans."""
|
|
assert not analysis.added_validatetrans
|
|
|
|
def test_removed_validatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed validatetrans."""
|
|
assert not analysis.removed_validatetrans
|
|
|
|
def test_added_mlsconstraints(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added mlsconstraints."""
|
|
assert not analysis.added_mlsconstrains
|
|
|
|
def test_removed_mlsconstraints(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all mlsconstraints removed."""
|
|
assert sum(1 for m in analysis.left_policy.constraints() if
|
|
m.ruletype == CRT.mlsconstrain) == len(analysis.removed_mlsconstrains)
|
|
|
|
def test_added_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added mlsvalidatetrans."""
|
|
assert not analysis.added_mlsvalidatetrans
|
|
|
|
def test_removed_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: all mlsvalidatetrans removed."""
|
|
assert sum(1 for m in analysis.left_policy.constraints()
|
|
if m.ruletype == CRT.mlsvalidatetrans) == \
|
|
len(analysis.removed_mlsvalidatetrans)
|
|
|
|
def test_added_typebounds(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no added typebounds."""
|
|
assert not analysis.added_typebounds
|
|
|
|
def test_removed_typebounds(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no removed typebounds."""
|
|
assert not analysis.removed_typebounds
|
|
|
|
def test_modified_typebounds(self, analysis: setools.PolicyDifference) -> None:
|
|
"""MLSvsStandardDiff: no modified typebounds."""
|
|
assert not analysis.modified_typebounds
|
|
|
|
def test_added_allowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added allowxperm rules."""
|
|
assert not analysis.added_allowxperms
|
|
|
|
def test_removed_allowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed allowxperm rules."""
|
|
assert not analysis.removed_allowxperms
|
|
|
|
def test_modified_allowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified allowxperm rules."""
|
|
assert not analysis.modified_allowxperms
|
|
|
|
def test_added_auditallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added auditallowxperm rules."""
|
|
assert not analysis.added_auditallowxperms
|
|
|
|
def test_removed_auditallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed auditallowxperm rules."""
|
|
assert not analysis.removed_auditallowxperms
|
|
|
|
def test_modified_auditallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified auditallowxperm rules."""
|
|
assert not analysis.modified_auditallowxperms
|
|
|
|
def test_added_neverallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added neverallowxperm rules."""
|
|
assert not analysis.added_neverallowxperms
|
|
|
|
def test_removed_neverallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed neverallowxperm rules."""
|
|
assert not analysis.removed_neverallowxperms
|
|
|
|
def test_modified_neverallowxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified neverallowxperm rules."""
|
|
assert not analysis.modified_neverallowxperms
|
|
|
|
def test_added_dontauditxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added dontauditxperm rules."""
|
|
assert not analysis.added_dontauditxperms
|
|
|
|
def test_removed_dontauditxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed dontauditxperm rules."""
|
|
assert not analysis.removed_dontauditxperms
|
|
|
|
def test_modified_dontauditxperms(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified dontauditxperm rules."""
|
|
assert not analysis.modified_dontauditxperms
|
|
|
|
def test_added_ibpkeycons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added ibpkeycon rules."""
|
|
assert not analysis.added_ibpkeycons
|
|
|
|
def test_removed_ibpkeycons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed ibpkeycon rules."""
|
|
assert not analysis.removed_ibpkeycons
|
|
|
|
def test_modified_ibpkeycons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified ibpkeycon rules."""
|
|
assert analysis.left_policy.ibpkeycon_count == len(analysis.modified_ibpkeycons)
|
|
|
|
def test_added_ibendportcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no added ibendportcon rules."""
|
|
assert not analysis.added_ibendportcons
|
|
|
|
def test_removed_ibendportcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no removed ibendportcon rules."""
|
|
assert not analysis.removed_ibendportcons
|
|
|
|
def test_modified_ibendportcons(self, analysis: setools.PolicyDifference) -> None:
|
|
"""NoDiff: no modified ibendportcon rules."""
|
|
assert analysis.left_policy.ibendportcon_count == len(analysis.modified_ibendportcons)
|
|
|
|
|
|
@pytest.mark.obj_args("tests/library/diff_left.conf", "tests/library/diff_left_redundant.conf")
|
|
class TestPolicyDifferenceTestRedundant:
|
|
|
|
"""
|
|
Policy difference test with redundant rules.
|
|
There should be no policy differences.
|
|
"""
|
|
|
|
def test_added_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Redundant: no added allow rules."""
|
|
assert not analysis.added_allows
|
|
|
|
def test_removed_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Redundant: no removed allow rules."""
|
|
assert not analysis.removed_allows
|
|
|
|
def test_modified_allows(self, analysis: setools.PolicyDifference) -> None:
|
|
"""Redundant: no modified allow rules."""
|
|
assert not analysis.modified_allows
|