mirror of
https://github.com/SELinuxProject/setools
synced 2025-03-01 10:31:19 +00:00
724 lines
28 KiB
Python
724 lines
28 KiB
Python
# Copyright 2015, Tresys Technology, LLC
|
|
#
|
|
# This file is part of SETools.
|
|
#
|
|
# SETools is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# SETools is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
import unittest
|
|
|
|
try:
|
|
from unittest.mock import Mock
|
|
except ImportError:
|
|
from mock import Mock
|
|
|
|
from setools import SELinuxPolicy
|
|
from setools.policyrep import qpol
|
|
from setools.policyrep.exception import MLSDisabled, InvalidLevel, InvalidLevelDecl, InvalidRange, \
|
|
InvalidSensitivity, InvalidCategory, NoStatement
|
|
from setools.policyrep.mls import sensitivity_factory, category_factory, level_factory, \
|
|
range_factory, level_decl_factory
|
|
|
|
|
|
class SensitivityTest(unittest.TestCase):
|
|
|
|
@classmethod
|
|
def setUpClass(cls):
|
|
cls.p = SELinuxPolicy("tests/policyrep/mls.conf")
|
|
|
|
def mock_sens_factory(self, sens, aliases=[]):
|
|
"""Factory function for Sensitivity objects, using a mock qpol object."""
|
|
mock_sens = Mock(qpol.qpol_level_t)
|
|
mock_sens.name.return_value = sens
|
|
mock_sens.isalias.return_value = False
|
|
mock_sens.value.return_value = int(sens[1:])
|
|
mock_sens.alias_iter.return_value = iter(aliases)
|
|
|
|
return sensitivity_factory(self.p.policy, mock_sens)
|
|
|
|
def test_000_mls_disabled(self):
|
|
"""Sensitivity factory on MLS-disabled policy."""
|
|
mock_p = Mock(qpol.qpol_policy_t)
|
|
mock_p.capability.return_value = False
|
|
self.assertRaises(MLSDisabled, sensitivity_factory, mock_p, None)
|
|
|
|
def test_001_lookup(self):
|
|
"""Sensitivity factory policy lookup."""
|
|
sens = sensitivity_factory(self.p.policy, "s1")
|
|
self.assertEqual("s1", sens.qpol_symbol.name(self.p.policy))
|
|
|
|
def test_002_lookup_invalid(self):
|
|
"""Sensitivity factory policy invalid lookup."""
|
|
with self.assertRaises(InvalidSensitivity):
|
|
sensitivity_factory(self.p.policy, "INVALID")
|
|
|
|
def test_010_string(self):
|
|
"""Sensitivity basic string rendering."""
|
|
sens = self.mock_sens_factory("s0")
|
|
self.assertEqual("s0", str(sens))
|
|
|
|
def test_020_statement(self):
|
|
"""Sensitivity basic statement rendering."""
|
|
sens = self.mock_sens_factory("s0")
|
|
self.assertEqual("sensitivity s0;", sens.statement())
|
|
|
|
def test_021_statement_alias(self):
|
|
"""Sensitivity one alias statement rendering."""
|
|
sens = self.mock_sens_factory("s0", ["name1"])
|
|
self.assertEqual("sensitivity s0 alias name1;", sens.statement())
|
|
|
|
def test_022_statement_alias(self):
|
|
"""Sensitivity two alias statement rendering."""
|
|
sens = self.mock_sens_factory("s0", ["name1", "name2"])
|
|
self.assertEqual("sensitivity s0 alias { name1 name2 };", sens.statement())
|
|
|
|
def test_030_value(self):
|
|
"""Sensitivity value."""
|
|
sens = self.mock_sens_factory("s17")
|
|
self.assertEqual(17, sens._value)
|
|
|
|
def test_031_equal(self):
|
|
"""Sensitivity equal."""
|
|
sens1 = self.mock_sens_factory("s0")
|
|
sens2 = self.mock_sens_factory("s0")
|
|
self.assertEqual(sens1, sens2)
|
|
|
|
def test_032_equal_str(self):
|
|
"""Sensitivity equal to string."""
|
|
sens = self.mock_sens_factory("s17")
|
|
self.assertEqual("s17", sens)
|
|
|
|
def test_033_not_equal(self):
|
|
"""Sensitivity not equal."""
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s23")
|
|
self.assertNotEqual(sens1, sens2)
|
|
|
|
def test_034_not_equal_str(self):
|
|
"""Sensitivity not equal to string."""
|
|
sens = self.mock_sens_factory("s17")
|
|
self.assertNotEqual("s0", sens)
|
|
|
|
def test_035_lt(self):
|
|
"""Sensitivity less-than."""
|
|
# less
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s23")
|
|
self.assertTrue(sens1 < sens2)
|
|
|
|
# equal
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s17")
|
|
self.assertFalse(sens1 < sens2)
|
|
|
|
# greater
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s0")
|
|
self.assertFalse(sens1 < sens2)
|
|
|
|
def test_036_le(self):
|
|
"""Sensitivity less-than-or-equal."""
|
|
# less
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s23")
|
|
self.assertTrue(sens1 <= sens2)
|
|
|
|
# equal
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s17")
|
|
self.assertTrue(sens1 <= sens2)
|
|
|
|
# greater
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s0")
|
|
self.assertFalse(sens1 <= sens2)
|
|
|
|
def test_037_ge(self):
|
|
"""Sensitivity greater-than-or-equal."""
|
|
# less
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s23")
|
|
self.assertFalse(sens1 >= sens2)
|
|
|
|
# equal
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s17")
|
|
self.assertTrue(sens1 >= sens2)
|
|
|
|
# greater
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s0")
|
|
self.assertTrue(sens1 >= sens2)
|
|
|
|
def test_038_gt(self):
|
|
"""Sensitivity greater-than."""
|
|
# less
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s23")
|
|
self.assertFalse(sens1 > sens2)
|
|
|
|
# equal
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s17")
|
|
self.assertFalse(sens1 > sens2)
|
|
|
|
# greater
|
|
sens1 = self.mock_sens_factory("s17")
|
|
sens2 = self.mock_sens_factory("s0")
|
|
self.assertTrue(sens1 > sens2)
|
|
|
|
|
|
class CategoryTest(unittest.TestCase):
|
|
|
|
@classmethod
|
|
def setUpClass(cls):
|
|
cls.p = SELinuxPolicy("tests/policyrep/mls.conf")
|
|
|
|
def mock_cat_factory(self, cat, aliases=[]):
|
|
"""Factory function for Category objects, using a mock qpol object."""
|
|
mock_cat = Mock(qpol.qpol_cat_t)
|
|
mock_cat.name.return_value = cat
|
|
mock_cat.isalias.return_value = False
|
|
mock_cat.value.return_value = int(cat[1:])
|
|
mock_cat.alias_iter.return_value = iter(aliases)
|
|
|
|
return category_factory(self.p.policy, mock_cat)
|
|
|
|
def test_000_mls_disabled(self):
|
|
"""Category factory on MLS-disabled policy."""
|
|
mock_p = Mock(qpol.qpol_policy_t)
|
|
mock_p.capability.return_value = False
|
|
self.assertRaises(MLSDisabled, category_factory, mock_p, None)
|
|
|
|
def test_001_lookup(self):
|
|
"""Category factory policy lookup."""
|
|
sens = category_factory(self.p.policy, "c1")
|
|
self.assertEqual("c1", sens.qpol_symbol.name(self.p.policy))
|
|
|
|
def test_002_lookup_invalid(self):
|
|
"""Category factory policy invalid lookup."""
|
|
with self.assertRaises(InvalidCategory):
|
|
category_factory(self.p.policy, "INVALID")
|
|
|
|
def test_010_statement(self):
|
|
"""Category basic string rendering."""
|
|
cat = self.mock_cat_factory("c0")
|
|
self.assertEqual("c0", str(cat))
|
|
|
|
def test_020_statement(self):
|
|
"""Category basic statement rendering."""
|
|
cat = self.mock_cat_factory("c0")
|
|
self.assertEqual("category c0;", cat.statement())
|
|
|
|
def test_021_statement_alias(self):
|
|
"""Category one alias statement rendering."""
|
|
cat = self.mock_cat_factory("c0", ["name1"])
|
|
self.assertEqual("category c0 alias name1;", cat.statement())
|
|
|
|
def test_022_statement_alias(self):
|
|
"""Category two alias statement rendering."""
|
|
cat = self.mock_cat_factory("c0", ["name1", "name2"])
|
|
self.assertEqual("category c0 alias { name1 name2 };", cat.statement())
|
|
|
|
def test_030_value(self):
|
|
"""Category value."""
|
|
cat = self.mock_cat_factory("c17")
|
|
self.assertEqual(17, cat._value)
|
|
|
|
|
|
class LevelDeclTest(unittest.TestCase):
|
|
|
|
@classmethod
|
|
def setUpClass(cls):
|
|
cls.p = SELinuxPolicy("tests/policyrep/mls.conf")
|
|
|
|
def mock_decl_factory(self, sens, cats=[]):
|
|
"""Factory function for LevelDecl objects, using a mock qpol object."""
|
|
mock_decl = Mock(qpol.qpol_level_t)
|
|
mock_decl.name.return_value = sens
|
|
mock_decl.isalias.return_value = False
|
|
mock_decl.value.return_value = int(sens[1:])
|
|
mock_decl.cat_iter.return_value = iter(cats)
|
|
|
|
return level_decl_factory(self.p.policy, mock_decl)
|
|
|
|
def test_000_mls_disabled(self):
|
|
"""Level declaration factory on MLS-disabled policy."""
|
|
mock_p = Mock(qpol.qpol_policy_t)
|
|
mock_p.capability.return_value = False
|
|
self.assertRaises(MLSDisabled, level_decl_factory, mock_p, None)
|
|
|
|
def test_001_lookup(self):
|
|
"""Level declaration factory policy lookup."""
|
|
decl = level_decl_factory(self.p.policy, "s1")
|
|
self.assertEqual("s1", decl.qpol_symbol.name(self.p.policy))
|
|
|
|
def test_002_lookup_invalid(self):
|
|
"""Level declaration factory policy invalid lookup."""
|
|
with self.assertRaises(InvalidLevelDecl):
|
|
level_decl_factory(self.p.policy, "INVALID")
|
|
|
|
def test_010_string(self):
|
|
"""Level declaration basic string rendering."""
|
|
decl = self.mock_decl_factory("s0")
|
|
self.assertEqual("s0", str(decl))
|
|
|
|
def test_011_string_single_cat(self):
|
|
"""Level declaration string rendering with one category"""
|
|
decl = self.mock_decl_factory("s0", ["c0"])
|
|
self.assertEqual("s0:c0", str(decl))
|
|
|
|
def test_012_string_multiple_cat(self):
|
|
"""Level declaration string rendering with multiple categories"""
|
|
decl = self.mock_decl_factory("s0", ["c0", "c3"])
|
|
self.assertEqual("s0:c0,c3", str(decl))
|
|
|
|
def test_013_string_cat_set(self):
|
|
"""Level declaration string rendering with category set"""
|
|
decl = self.mock_decl_factory("s0", ["c0", "c1", "c2", "c3"])
|
|
self.assertEqual("s0:c0.c3", str(decl))
|
|
|
|
def test_014_string_complex(self):
|
|
"""Level declaration string rendering with complex category set"""
|
|
decl = self.mock_decl_factory("s0", ["c0", "c1", "c2", "c3", "c5", "c7", "c8", "c9"])
|
|
self.assertEqual("s0:c0.c3,c5,c7.c9", str(decl))
|
|
|
|
def test_020_statement(self):
|
|
"""Level declaration basic statement rendering."""
|
|
decl = self.mock_decl_factory("s0")
|
|
self.assertEqual("level s0;", decl.statement())
|
|
|
|
def test_021_statement_single_cat(self):
|
|
"""Level declaration statement rendering with one category"""
|
|
decl = self.mock_decl_factory("s0", ["c0"])
|
|
self.assertEqual("level s0:c0;", decl.statement())
|
|
|
|
def test_022_statement_multiple_cat(self):
|
|
"""Level declaration statement rendering with multiple categories"""
|
|
decl = self.mock_decl_factory("s0", ["c0", "c3"])
|
|
self.assertEqual("level s0:c0,c3;", decl.statement())
|
|
|
|
def test_012_string_cat_set(self):
|
|
"""Level declaration statement rendering with category set"""
|
|
decl = self.mock_decl_factory("s0", ["c0", "c1", "c2", "c3"])
|
|
self.assertEqual("level s0:c0.c3;", decl.statement())
|
|
|
|
def test_013_statement_complex(self):
|
|
"""Level declaration statement rendering with complex category set"""
|
|
decl = self.mock_decl_factory("s0", ["c0", "c1", "c2", "c3", "c5", "c7", "c8", "c9"])
|
|
self.assertEqual("level s0:c0.c3,c5,c7.c9;", decl.statement())
|
|
|
|
def test_030_equal(self):
|
|
"""Level declaration equal."""
|
|
decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
decl2 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
self.assertEqual(decl1, decl2)
|
|
|
|
def test_031_equal_str(self):
|
|
"""Level declaration equal to string."""
|
|
decl = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
self.assertEqual("s17:c0.c3", decl)
|
|
|
|
def test_032_not_equal(self):
|
|
"""Level declaration not equal."""
|
|
decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
decl2 = self.mock_decl_factory("s23")
|
|
self.assertNotEqual(decl1, decl2)
|
|
|
|
def test_033_not_equal_str(self):
|
|
"""Level declaration not equal to string."""
|
|
decl = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
self.assertNotEqual("s0:c0.c2", decl)
|
|
|
|
def test_034_lt(self):
|
|
"""Level declaration less-than."""
|
|
# less
|
|
decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"])
|
|
self.assertTrue(decl1 < decl2)
|
|
|
|
# equal
|
|
decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
decl2 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(decl1 < decl2)
|
|
|
|
# greater
|
|
decl1 = self.mock_decl_factory("s24")
|
|
decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"])
|
|
self.assertFalse(decl1 < decl2)
|
|
|
|
def test_035_le(self):
|
|
"""Level declaration less-than-or-equal."""
|
|
# less
|
|
decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"])
|
|
self.assertTrue(decl1 <= decl2)
|
|
|
|
# equal
|
|
decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
decl2 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(decl1 <= decl2)
|
|
|
|
# greater
|
|
decl1 = self.mock_decl_factory("s24")
|
|
decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"])
|
|
self.assertFalse(decl1 <= decl2)
|
|
|
|
def test_036_ge(self):
|
|
"""Level declaration greater-than-or-equal."""
|
|
# less
|
|
decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"])
|
|
self.assertFalse(decl1 >= decl2)
|
|
|
|
# equal
|
|
decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
decl2 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(decl1 >= decl2)
|
|
|
|
# greater
|
|
decl1 = self.mock_decl_factory("s24")
|
|
decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"])
|
|
self.assertTrue(decl1 >= decl2)
|
|
|
|
def test_037_gt(self):
|
|
"""Level declaration greater-than."""
|
|
# less
|
|
decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"])
|
|
self.assertFalse(decl1 > decl2)
|
|
|
|
# equal
|
|
decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
decl2 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(decl1 > decl2)
|
|
|
|
# greater
|
|
decl1 = self.mock_decl_factory("s24")
|
|
decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"])
|
|
self.assertTrue(decl1 > decl2)
|
|
|
|
|
|
class LevelTest(unittest.TestCase):
|
|
|
|
@classmethod
|
|
def setUpClass(cls):
|
|
cls.p = SELinuxPolicy("tests/policyrep/mls.conf")
|
|
|
|
def mock_level_factory(self, sens, cats=[]):
|
|
"""Factory function Level objects, using a mock qpol object."""
|
|
mock_level = Mock(qpol.qpol_mls_level_t)
|
|
mock_level.sens_name.return_value = sens
|
|
mock_level.cat_iter.return_value = iter(cats)
|
|
|
|
return level_factory(self.p.policy, mock_level)
|
|
|
|
def test_000_mls_disabled(self):
|
|
"""Level factory on MLS-disabled policy."""
|
|
mock_p = Mock(qpol.qpol_policy_t)
|
|
mock_p.capability.return_value = False
|
|
self.assertRaises(MLSDisabled, level_factory, mock_p, None)
|
|
|
|
def test_001_lookup_no_cats(self):
|
|
"""Level lookup with no categories."""
|
|
levelobj = level_factory(self.p.policy, "s2")
|
|
self.assertEqual("s2", levelobj.qpol_symbol.sens_name(self.p.policy))
|
|
self.assertEqual(str(levelobj), "s2")
|
|
|
|
def test_002_lookup_cat_range(self):
|
|
"""Level lookup with category range."""
|
|
levelobj = level_factory(self.p.policy, "s1:c0.c13")
|
|
self.assertEqual(str(levelobj), "s1:c0.c13")
|
|
|
|
def test_003_lookup_complex_cats(self):
|
|
"""Level lookup with complex category set."""
|
|
levelobj = level_factory(self.p.policy, "s2:c0.c5,c7,c9.c11,c13")
|
|
self.assertEqual(str(levelobj), "s2:c0.c5,c7,c9.c11,c13")
|
|
|
|
def test_004_lookup_bad1(self):
|
|
"""Level lookup with garbage."""
|
|
self.assertRaises(InvalidLevel, level_factory, self.p.policy, "FAIL")
|
|
|
|
def test_005_lookup_bad2(self):
|
|
"""Level lookup with : in garbage."""
|
|
self.assertRaises(InvalidLevel, level_factory, self.p.policy, "FAIL:BAD")
|
|
|
|
def test_006_lookup_bad_cat(self):
|
|
"""Level lookup with invalid category."""
|
|
self.assertRaises(InvalidLevel, level_factory, self.p.policy, "s0:FAIL")
|
|
|
|
def test_007_lookup_bad_cat_range(self):
|
|
"""Level lookup with backwards category range."""
|
|
self.assertRaises(InvalidLevel, level_factory, self.p.policy, "s0:c4.c0")
|
|
|
|
def test_008_lookup_cat_range_error(self):
|
|
"""Level lookup with category range parse error."""
|
|
self.assertRaises(InvalidLevel, level_factory, self.p.policy, "s0:c0.c2.c4")
|
|
|
|
def test_009_lookup_cat_not_assoc(self):
|
|
"""Level lookup with category not associated with sensitivity."""
|
|
# c4 is not associated with s0.
|
|
self.assertRaises(InvalidLevel, level_factory, self.p.policy, "s0:c0,c4")
|
|
|
|
def test_010_equal(self):
|
|
"""Level equal."""
|
|
level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"])
|
|
self.assertEqual(level1, level2)
|
|
|
|
def test_011_equal_str(self):
|
|
"""Level equal to string."""
|
|
level = self.mock_level_factory("s2", ["c0", "c1", "c2", "c3"])
|
|
self.assertEqual("s2:c0.c3", level)
|
|
|
|
def test_012_not_equal(self):
|
|
"""Level not equal."""
|
|
level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s0")
|
|
self.assertNotEqual(level1, level2)
|
|
|
|
def test_013_not_equal_str(self):
|
|
"""Level not equal to string."""
|
|
level = self.mock_level_factory("s0", ["c0", "c2"])
|
|
self.assertNotEqual("s0:c0.c2", level)
|
|
|
|
def test_014_dom(self):
|
|
"""Level dominate (ge)."""
|
|
# equal
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(level1 >= level2)
|
|
|
|
# sens dominate
|
|
level1 = self.mock_level_factory("s2", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(level1 >= level2)
|
|
|
|
# cat set dominate
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3", "c4"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(level1 >= level2)
|
|
|
|
# sens domby
|
|
level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(level1 >= level2)
|
|
|
|
# cat set domby
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(level1 >= level2)
|
|
|
|
# incomp
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"])
|
|
level2 = self.mock_level_factory("s1", ["c7", "c8", "c9"])
|
|
self.assertFalse(level1 >= level2)
|
|
|
|
def test_015_domby(self):
|
|
"""Level dominate-by (le)."""
|
|
# equal
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(level1 <= level2)
|
|
|
|
# sens dominate
|
|
level1 = self.mock_level_factory("s2", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(level1 <= level2)
|
|
|
|
# cat set dominate
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3", "c4"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(level1 <= level2)
|
|
|
|
# sens domby
|
|
level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(level1 <= level2)
|
|
|
|
# cat set domby
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(level1 <= level2)
|
|
|
|
# incomp
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"])
|
|
level2 = self.mock_level_factory("s1", ["c7", "c8", "c9"])
|
|
self.assertFalse(level1 <= level2)
|
|
|
|
def test_016_proper_dom(self):
|
|
"""Level proper dominate (gt)."""
|
|
# equal
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(level1 > level2)
|
|
|
|
# sens dominate
|
|
level1 = self.mock_level_factory("s2", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(level1 > level2)
|
|
|
|
# cat set dominate
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3", "c4"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(level1 > level2)
|
|
|
|
# sens domby
|
|
level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(level1 > level2)
|
|
|
|
# cat set domby
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(level1 > level2)
|
|
|
|
# incomp
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"])
|
|
level2 = self.mock_level_factory("s1", ["c7", "c8", "c9"])
|
|
self.assertFalse(level1 > level2)
|
|
|
|
def test_017_proper_domby(self):
|
|
"""Level proper dominate-by (lt)."""
|
|
# equal
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(level1 < level2)
|
|
|
|
# sens dominate
|
|
level1 = self.mock_level_factory("s2", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(level1 < level2)
|
|
|
|
# cat set dominate
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3", "c4"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertFalse(level1 < level2)
|
|
|
|
# sens domby
|
|
level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(level1 < level2)
|
|
|
|
# cat set domby
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"])
|
|
level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"])
|
|
self.assertTrue(level1 < level2)
|
|
|
|
# incomp
|
|
level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"])
|
|
level2 = self.mock_level_factory("s1", ["c7", "c8", "c9"])
|
|
self.assertFalse(level1 < level2)
|
|
|
|
def test_020_level_statement(self):
|
|
"""Level has no statement."""
|
|
level = self.mock_level_factory("s1")
|
|
with self.assertRaises(NoStatement):
|
|
level.statement()
|
|
|
|
|
|
class RangeTest(unittest.TestCase):
|
|
|
|
@classmethod
|
|
def setUpClass(cls):
|
|
cls.p = SELinuxPolicy("tests/policyrep/mls.conf")
|
|
|
|
def test_000_mls_disabled(self):
|
|
"""Range factory on MLS-disabled policy."""
|
|
mock_p = Mock(qpol.qpol_policy_t)
|
|
mock_p.capability.return_value = False
|
|
self.assertRaises(MLSDisabled, range_factory, mock_p, None)
|
|
|
|
def test_001_range_lookup_single_level(self):
|
|
"""Range lookup with single-level range."""
|
|
rangeobj = range_factory(self.p.policy, "s0")
|
|
self.assertEqual(str(rangeobj), "s0")
|
|
|
|
def test_002_range_lookup_single_level_redundant(self):
|
|
"""Range lookup with single-level range (same range listed twice)."""
|
|
rangeobj = range_factory(self.p.policy, "s1-s1")
|
|
self.assertEqual(str(rangeobj), "s1")
|
|
|
|
def test_003_range_lookup_simple(self):
|
|
"""Range lookup with simple range."""
|
|
rangeobj = range_factory(self.p.policy, "s0-s1:c0.c10")
|
|
self.assertEqual(str(rangeobj), "s0 - s1:c0.c10")
|
|
|
|
def test_004_range_lookup_no_cats(self):
|
|
"""Range lookup with no categories."""
|
|
rangeobj = range_factory(self.p.policy, "s0-s1")
|
|
self.assertEqual(str(rangeobj), "s0 - s1")
|
|
|
|
def test_005_range_lookup_complex(self):
|
|
"""Range lookup with complex category set."""
|
|
rangeobj = range_factory(self.p.policy, "s0:c0.c2-s2:c0.c5,c7,c9.c11,c13")
|
|
self.assertEqual(str(rangeobj), "s0:c0.c2 - s2:c0.c5,c7,c9.c11,c13")
|
|
|
|
def test_006_range_lookup_non_dom(self):
|
|
"""Range lookup with non-dominating high level."""
|
|
self.assertRaises(InvalidRange, range_factory, self.p.policy, "s1-s0")
|
|
|
|
def test_007_range_lookup_invalid_range_low(self):
|
|
"""Range lookup with an invalid range (low)."""
|
|
# c13 is not associated with s0.
|
|
self.assertRaises(InvalidRange, range_factory, self.p.policy, "s0:c13-s2:c13")
|
|
|
|
def test_008_range_lookup_invalid_range_high(self):
|
|
"""Range lookup with an invalid range (high)."""
|
|
# c13 is not associated with s0.
|
|
self.assertRaises(InvalidRange, range_factory, self.p.policy, "s0-s0:c13")
|
|
|
|
def test_020_equal(self):
|
|
"""Range equality."""
|
|
rangeobj1 = range_factory(self.p.policy, "s0:c0.c2-s2:c0.c5,c7,c9.c11,c13")
|
|
rangeobj2 = range_factory(self.p.policy, "s0:c0.c2-s2:c0.c5,c7,c9.c11,c13")
|
|
self.assertEqual(rangeobj1, rangeobj2)
|
|
|
|
def test_021_equal(self):
|
|
"""Range equal to string."""
|
|
rangeobj = range_factory(self.p.policy, "s0:c0.c2-s2:c0.c5,c7,c9.c11,c13")
|
|
self.assertEqual("s0:c0.c2-s2:c0.c5,c7,c9.c11,c13", rangeobj)
|
|
self.assertEqual("s0:c0.c2- s2:c0.c5,c7,c9.c11,c13", rangeobj)
|
|
self.assertEqual("s0:c0.c2 -s2:c0.c5,c7,c9.c11,c13", rangeobj)
|
|
self.assertEqual("s0:c0.c2 - s2:c0.c5,c7,c9.c11,c13", rangeobj)
|
|
|
|
def test_022_contains(self):
|
|
"""Range contains a level."""
|
|
rangeobj = range_factory(self.p.policy, "s0:c1-s2:c0.c10")
|
|
|
|
# too low
|
|
level1 = level_factory(self.p.policy, "s0")
|
|
self.assertNotIn(level1, rangeobj)
|
|
|
|
# low level
|
|
level2 = level_factory(self.p.policy, "s0:c1")
|
|
self.assertIn(level2, rangeobj)
|
|
|
|
# mid
|
|
level3 = level_factory(self.p.policy, "s1:c1,c5")
|
|
self.assertIn(level3, rangeobj)
|
|
|
|
# high level
|
|
level4 = level_factory(self.p.policy, "s2:c0.c10")
|
|
self.assertIn(level4, rangeobj)
|
|
|
|
# too high
|
|
level5 = level_factory(self.p.policy, "s2:c0.c11")
|
|
self.assertNotIn(level5, rangeobj)
|
|
|
|
def test_030_range_statement(self):
|
|
"""Range has no statement."""
|
|
rangeobj = range_factory(self.p.policy, "s0")
|
|
with self.assertRaises(NoStatement):
|
|
rangeobj.statement()
|