Add SELinuxPolicy test cases.

Created a test policy with prime number counts of everything so there should be no accidental correct answers.
2025-04-01 22:58:12 +00:00 · 2015-03-03 13:18:29 -05:00 · 2015-03-03 13:18:29 -05:00 · af3c5b5e3e
commit af3c5b5e3e
parent 95d67e013d
4 changed files with 3112 additions and 0 deletions
--- a/tests/policyrep/init.py
+++ b/tests/policyrep/init.py
@ -16,3 +16,4 @@
 # along with SETools.  If not, see <http://www.gnu.org/licenses/>.
 #
 from . import mls
+from . import selinuxpolicy
--- a/tests/policyrep/selinuxpolicy-bad.conf
+++ b/tests/policyrep/selinuxpolicy-bad.conf
@ -0,0 +1,134 @@
+class infoflow
+class infoflow2
+class infoflow3
+class infoflow4
+class infoflow5
+class infoflow6
+class infoflow7
+
+sid kernel
+sid security
+
+common infoflow
+{
+	low_w
+	med_w
+	hi_w
+	low_r
+	med_r
+	hi_r
+}
+
+class infoflow
+inherits infoflow
+
+class infoflow2
+inherits infoflow
+{
+	super_w
+	super_r
+}
+
+class infoflow3
+{
+	null
+}
+
+class infoflow4
+inherits infoflow
+
+class infoflow5
+inherits infoflow
+
+class infoflow6
+inherits infoflow
+
+class infoflow7
+inherits infoflow
+{
+	super_w
+	super_r
+	super_none
+	super_both
+	super_unmapped
+}
+
+sensitivity low_s;
+sensitivity medium_s alias med;
+sensitivity high_s;
+
+dominance { low_s med high_s }
+
+category here;
+category there;
+category elsewhere alias lost;
+
+#level decl
+level low_s:here.there;
+level med:here, elsewhere;
+level high_s:here.lost;
+
+#some constraints
+mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
+
+attribute mls_exempt;
+
+type system;
+role system;
+role system types system;
+
+################################################################################
+# Type enforcement declarations and rules
+
+########################################
+#
+# Booleans Query
+#
+
+# test 1
+# name: test1
+# default: unset
+bool test1 true;
+
+# test 2
+# name: test2(a|b) regex
+# default: unset
+bool test2a true;
+bool test2b true;
+
+# test 10
+# name: unset
+# default: false;
+bool test10a false;
+bool test10b false;
+
+################################################################################
+
+#users
+user system roles system level med range low_s - high_s:here.lost;
+
+#normal constraints
+constrain infoflow hi_w (u1 == u2);
+
+#isids
+sid kernel system:system:system:medium_s:here
+sid security system:system:system:high_s:lost
+
+#fs_use
+fs_use_trans devpts system:object_r:system:low_s;
+fs_use_xattr ext3 system:object_r:system:low_s;
+fs_use_task pipefs system:object_r:system:low_s;
+
+#genfscon
+genfscon proc / system:object_r:system:med
+genfscon proc /sys system:object_r:system:low_s
+genfscon selinuxfs / system:object_r:system:high_s:here.there
+
+portcon tcp 80 system:object_r:system:low_s
+
+netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
+
+nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
+# this is an invalid context (invalid range)
+nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:elsewhere
+
--- a/tests/policyrep/selinuxpolicy.conf
+++ b/tests/policyrep/selinuxpolicy.conf
--- a/tests/policyrep/selinuxpolicy.py
+++ b/tests/policyrep/selinuxpolicy.py
@ -0,0 +1,178 @@
+# Copyright 2015, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
+#
+import unittest
+
+from setools import SELinuxPolicy
+from setools.boolquery import BoolQuery
+
+
+class SELinuxPolicyTest(unittest.TestCase):
+
+    def setUp(self):
+        self.p = SELinuxPolicy("tests/policyrep/selinuxpolicy.conf")
+
+    def test_001_open_policy_error(self):
+        """SELinuxPolicy: error on open."""
+        self.assertRaises(OSError, SELinuxPolicy, "tests/policyrep/selinuxpolicy-bad.conf")
+
+    # def test_010_handle_unknown(self)
+    # TODO: need a binary policy
+
+    def test_011_mls(self):
+        """SELinuxPolicy: MLS status."""
+        self.assertTrue(self.p.mls)
+
+    def test_012_version(self):
+        """SELinuxPolicy: version."""
+        self.assertTrue(self.p.version)
+
+    def test_100_allow_count(self):
+        """SELinuxPolicy: allow count"""
+        self.assertEqual(self.p.allow_count, 113)
+
+    def test_101_auditallow_count(self):
+        """SELinuxPolicy: auditallow count"""
+        self.assertEqual(self.p.auditallow_count, 109)
+
+    def test_102_boolean_count(self):
+        """SELinuxPolicy: Boolean count."""
+        self.assertEqual(self.p.boolean_count, 127)
+
+    # def test_103_bounds_count(self):
+
+    def test_104_category_count(self):
+        """SELinuxPolicy: category count"""
+        self.assertEqual(self.p.category_count, 11)
+
+    def test_105_class_count(self):
+        """SELinuxPolicy: object class count"""
+        self.assertEqual(self.p.class_count, 5)
+
+    def test_106_common_count(self):
+        """SELinuxPolicy: common permisison set count"""
+        self.assertEqual(self.p.common_count, 3)
+
+    def test_107_conditional_count(self):
+        """SELinuxPolicy: conditional (expression) count"""
+        self.assertEqual(self.p.conditional_count, 67)
+
+    def test_108_constraint_count(self):
+        """SELinuxPolicy: standard constraint count"""
+        self.assertEqual(self.p.constraint_count, 19)
+
+    # def test_109_default_count(self):
+
+    def test_110_dontaudit_count(self):
+        """SELinuxPolicy: dontaudit rule count"""
+        self.assertEqual(self.p.dontaudit_count, 107)
+
+    def test_111_fs_use_count(self):
+        """SELinuxPolicy: fs_use_* count"""
+        self.assertEqual(self.p.fs_use_count, 149)
+
+    def test_112_genfscon_count(self):
+        """SELinuxPolicy: genfscon count"""
+        self.assertEqual(self.p.genfscon_count, 151)
+
+    def test_113_initial_sid_count(self):
+        """SELinuxPolicy: initial sid count"""
+        self.assertEqual(self.p.initialsids_count, 7)
+
+    def test_114_level_count(self):
+        """SELinuxPolicy: MLS level count"""
+        self.assertEqual(self.p.level_count, 13)
+
+    def test_115_mls_constraint_count(self):
+        """SELinuxPolicy: MLS constraint count"""
+        self.assertEqual(self.p.mlsconstraint_count, 23)
+
+    def test_116_mls_validatetrans_count(self):
+        """SELinuxPolicy: MLS validatetrans count"""
+        self.assertEqual(self.p.mlsvalidatetrans_count, 3)
+
+    def test_117_netifcon_count(self):
+        """SELinuxPolicy: netifcon count"""
+        self.assertEqual(self.p.netifcon_count, 167)
+
+    def test_118_neverallow_count(self):
+        """SELinuxPolicy: neverallow rule count"""
+        self.assertEqual(self.p.neverallow_count, 103)
+
+    def test_119_nodecon_count(self):
+        """SELinuxPolicy: nodecon count"""
+        self.assertEqual(self.p.nodecon_count, 173)
+
+    def test_120_permission_count(self):
+        """SELinuxPolicy: permission count"""
+        self.assertEqual(self.p.permission_count, 19)
+
+    def test_121_permissive_types_count(self):
+        """SELinuxPolicy: permissive types count"""
+        self.assertEqual(self.p.permissives_count, 73)
+
+    def test_122_polcap_count(self):
+        """SELinuxPolicy: policy capability count"""
+        self.assertEqual(self.p.polcap_count, 2)
+
+    def test_123_portcon_count(self):
+        self.assertEqual(self.p.portcon_count, 163)
+
+    def test_124_range_transition_count(self):
+        self.assertEqual(self.p.range_transition_count, 71)
+
+    def test_125_role_count(self):
+        """SELinuxPolicy: role count"""
+        self.assertEqual(self.p.role_count, 131)
+
+    # def test_126_role_attribute_count(self):
+
+    def test_127_role_allow_count(self):
+        """SELinuxPolicy: (role) allow count"""
+        self.assertEqual(self.p.role_allow_count, 83)
+
+    def test_128_role_transition_count(self):
+        """SELinuxPolicy: role_transition count"""
+        self.assertEqual(self.p.role_transition_count, 79)
+
+    def test_129_type_count(self):
+        """SELinuxPolicy: type count"""
+        self.assertEqual(self.p.type_count, 137)
+
+    def test_130_type_attribute_count(self):
+        """SELinuxPolicy: type attribute count"""
+        self.assertEqual(self.p.attribute_count, 157)
+
+    def test_131_type_change_count(self):
+        """SELinuxPolicy: type_change rule count"""
+        self.assertEqual(self.p.type_change_count, 89)
+
+    def test_132_type_member_count(self):
+        """SELinuxPolicy: type_member rule count"""
+        self.assertEqual(self.p.type_member_count, 61)
+
+    def test_133_type_transition_count(self):
+        """SELinuxPolicy: type_transition rule count"""
+        self.assertEqual(self.p.type_transition_count, 97)
+
+    def test_134_user_count(self):
+        """SELinuxPolicy: user count"""
+        self.assertEqual(self.p.user_count, 101)
+
+    def test_135_validatetrans_count(self):
+        """SELinuxPolicy: validatetrans count"""
+        self.assertEqual(self.p.validatetrans_count, 5)