From: Linda K. <lin...@hp...> - 2011-06-07 15:56:36
|
Ramon de Carvalho Valle wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 06/06/2011 07:51 PM, Linda Knippers wrote: >> rc...@li... wrote: >>> From: Ramon de Carvalho Valle <rc...@br...> >>> >>> Signed-off-by: Ramon de Carvalho Valle <rc...@br...> >>> --- >>> audit/kvm/test_selinux_chcon_resource.bash | 68 ++++++++++++++++++++++++++++ >>> 1 files changed, 68 insertions(+), 0 deletions(-) >>> create mode 100755 audit/kvm/test_selinux_chcon_resource.bash >>> >>> diff --git a/audit/kvm/test_selinux_chcon_resource.bash b/audit/kvm/test_selinux_chcon_resource.bash >>> new file mode 100755 >>> index 0000000..395ec3f >>> --- /dev/null >>> +++ b/audit/kvm/test_selinux_chcon_resource.bash >>> @@ -0,0 +1,68 @@ >>> +#!/usr/bin/env bash >>> +# >>> +# Copyright 2010, 2011 International Business Machines Corp. >>> +# Copyright 2010, 2011 Ramon de Carvalho Valle >>> +# >>> +# This program is free software: you can redistribute it and/or modify >>> +# it under the terms of the GNU General Public License as published by >>> +# the Free Software Foundation, either version 2 of the License, or >>> +# (at your option) any later version. >>> +# >>> +# This program is distributed in the hope that it will be useful, >>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of >>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >>> +# GNU General Public License for more details. >>> +# >>> +# You should have received a copy of the GNU General Public License >>> +# along with this program. If not, see <http://www.gnu.org/licenses/>. >>> +# >>> + >>> +# test_selinux_chcon_resource.bash >>> +# >>> +# Assert only superuser is allowed to change virtual machine resource >>> +# category labels. >>> + >>> + >>> +source testcase.bash || exit 2 >>> + >>> +set -x >>> + >>> +userdel -fr testuser1 >>> +groupdel testuser1 >>> +useradd testuser1 -G libvirt >> append_cleanup? > No harm. Next revision. > >>> + >>> +if [[ $? -ne 0 ]]; then >>> + exit_error >>> +fi >>> + >>> +userdel -fr testuser2 >>> +groupdel testuser2 >>> +useradd testuser2 >> Append_cleanup? > No harm. Next revision. > >>> + >>> +if [[ $? -ne 0 ]]; then >>> + exit_error >>> +fi >>> + >>> +for i in $(seq $first $last); do >>> + eval "runcon -t svirt_t -- chcon -l s0:c1,c3 \$kvm_guest_${i}_resource" >>> + >>> + if [[ $? -eq 0 ]]; then >>> + exit_fail >>> + fi >>> + >>> + eval "/bin/su - testuser1 -c \"chcon -l s0:c1,c3 \$kvm_guest_${i}_resource\"" >> Would testuser1 be able to do it if you had the same 'runcon -t svirt_t' command? >> Is it the DAC check that's preventing it from working or the type enforcement check? > The svirt_t type is not supposed to be allowed to change the security > attributes of the virtual machine resources. > >>> + >>> + if [[ $? -eq 0 ]]; then >>> + exit_fail >>> + fi >>> + >>> + eval "/bin/su - testuser2 -c \"chcon -l s0:c1,c3 \$kvm_guest_${i}_resource\"" >>> + >>> + if [[ $? -eq 0 ]]; then >>> + exit_fail >>> + fi >> If only root should be able to perform the operation and you're testing as >> root, testuser1, and testuser2, shouldn't the result be different in the root >> case? It looks like you're checking for the same status or am I missing >> something? > Notice the runcon -t svirt_t in the superuser case. Yeah, I saw that (notice I asked about it above). However, your test assertion doesn't make any statements about svirt_t so I'm not sure why its here. I think what I'm struggling with here is that its not obvious which operations ought to succeed and which should fail. A few comments would go a long way. > >> Do we care that any of this is audited? I'll ask again. In general, access decisions are auditable events so does Stephan care about any of this? >> >>> +done >>> + >>> +exit_pass >>> + >>> +# vim: set noet sw=8 ts=8 tw=0: > > - -- > Ramon de Carvalho Valle > Security Engineer > IBM Linux Technology Center > rc...@li... > http://rcvalle.com/ > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (GNU/Linux) > > iEYEARECAAYFAk3tlq4ACgkQkcIYeh81wLlj8QCfdZNI6CxhvoHip0a1ka9Y1p/s > ErsAn3sfymZl+hFAcigx7vU0ZzwIx7w5 > =oxS1 > -----END PGP SIGNATURE----- |