From: <mva...@re...> - 2012-02-16 10:39:13
From: Miroslav Vadkerti <mva...@re...>
This patch fixes 3 tests affected by policycoreutils change. For more information see: https://bugzilla.redhat.com/show_bug.cgi?id=784595
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
 audit/libpam/tests/test_mls_default_login.bash | 18 +++++++++++++-----
 audit/libpam/tests/test_mls_level_login_fail.bash | 8 ++++----
 .../tests/test_semanage_chglvl.bash | 10 +++++-----
 3 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/audit/libpam/tests/test_mls_default_login.bash b/audit/libpam/tests/test_mls_default_login.bash
index 831cf73..50956a4 100755
--- a/audit/libpam/tests/test_mls_default_login.bash
+++ b/audit/libpam/tests/test_mls_default_login.bash
@@ -14,9 +14,10 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 ###############################################################################
-#
+#
 # PURPOSE:
 # Verify audit of successful login including default subject context.
+# The test also checks if assigning default role to the user gets audited.
 source pam_functions.bash || exit 2
@@ -28,11 +29,14 @@ chmod 666 $localtmp
 if [[ $PPROFILE == "lspp" ]]; then
 semanage login -d $TEST_USER
 semanage login -a -s staff_u $TEST_USER
- # XXX should compute the default context from the policy
- def_context=staff_u:staff_r:staff_t:s0
+ # the added users range is taken from the default range
+ # of the user who is running semanage:
+ # see https://bugzilla.redhat.com/show_bug.cgi?id=785678#c8
+ def_range=s0-s15:c0.c1023
+ def_context=staff_u:staff_r:staff_t:$def_range
 auid=$(id -u "$TEST_USER")
 append_cleanup user_cleanup
-else
+else
 exit_error "Not in lspp mode"
 fi
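Review bot: `def_range=s0-s15:c0.c1023` in the `@@ -28,11 +29,14 @@` hunk hard-codes a value that the added comment itself says depends on the default range of whoever runs semanage, so the expected `default-context`/`selected-context` strings only hold under that one condition. The old `XXX should compute the default context from the policy` reminder is dropped although the value is still not computed. I would keep the assumption explicit with a comment such as `# NOTE: assumes semanage is run by a user whose default range is s0-s15:c0.c1023; adjust def_range otherwise`, or, if it does not defeat the purpose of the test, pin the mapping with `-r "$def_range"` the way test_mls_level_login_fail.bash now passes `-r s0`. The same literal range is repeated as `old-range=` in test_semanage_chglvl.bash.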
@@ -61,5 +65,9 @@ augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
 augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
 augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
 subj=$login_context || exit_fail
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context: exe=./bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail
+# Check for ROLE_ASSIGN event for testuser
+augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
+# Check for USER_ROLE_CHANGE for login command
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context: exe=./bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
+
 exit_pass
diff --git a/audit/libpam/tests/test_mls_level_login_fail.bash b/audit/libpam/tests/test_mls_level_login_fail.bash
index 7203eee..8846f93 100755
--- a/audit/libpam/tests/test_mls_level_login_fail.bash
+++ b/audit/libpam/tests/test_mls_level_login_fail.bash
@@ -14,7 +14,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 ###############################################################################
-#
+#
 # PURPOSE:
 # Verify audit of failed login when user selects and invalid level.
 # User is only allowed s0 but picks s15.
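Review bot: The ROLE_ASSIGN check added in the `@@ -61,5 +65,9 @@` hunk of test_mls_default_login.bash spells out `new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r` and `old-seuser=user_u old-role=user_r old-range=s0` as literals, so the test encodes one policy's role set, its ordering and its default login mapping. The same role list is pasted twice more into `msg_1` in test_semanage_chglvl.bash. A change to the roles of staff_u would then fail these tests for a reason unrelated to auditing, and the three copies can drift apart. Consider defining it once, e.g. `staff_u_roles=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r`, with a comment naming the policy it was taken from, and interpolating `$staff_u_roles` in the patterns.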
@@ -28,13 +28,13 @@ chmod 666 $localtmp
 # if in LSPP mode, map the TEST_USER to staff_u
 if [[ $PPROFILE == "lspp" ]]; then
 semanage login -d $TEST_USER
- semanage login -a -s staff_u $TEST_USER
+ semanage login -a -s staff_u -r s0 $TEST_USER
 # XXX should compute the default context from the policy
 def_context=staff_u:staff_r:staff_t:s0
 sel_context=staff_u:staff_r:staff_t:s15
 auid=$(id -u "$TEST_USER")
 append_cleanup user_cleanup
-else
+else
 exit_error "Not in lspp mode"
 fi
@@ -57,6 +57,6 @@ backup /var/run/utmp
 msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* res=failed.*"
 augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
- subj=$login_context || exit_fail
+ subj=$login_context || exit_fail
 augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context: exe=./bin/login.* res=failed.*" auid=$auid || exit_fail
 exit_pass
diff --git a/audit/trustedprograms/tests/test_semanage_chglvl.bash b/audit/trustedprograms/tests/test_semanage_chglvl.bash
index 7b8eb13..dc36b1c 100755
--- a/audit/trustedprograms/tests/test_semanage_chglvl.bash
+++ b/audit/trustedprograms/tests/test_semanage_chglvl.bash
@@ -14,7 +14,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 ###############################################################################
-#
+#
 # PURPOSE:
 # Use semanage to change the level range of a user
 # Start with the sample test user, and change their level range from the
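Review bot: `semanage login -a -s staff_u -r s0 $TEST_USER` in the `@@ -28,13 +28,13 @@` hunk of test_mls_level_login_fail.bash runs unchecked, while the outcome this test expects is a failed login. If the mapping is not created, a login at s15 could presumably still fail for a different reason, and the test would pass without exercising the s0-only range. test_semanage_chglvl.bash already tests `$?` after semanage and calls `exit_error`; the same guard fits here: `semanage login -a -s staff_u -r s0 "$TEST_USER" || exit_error "semanage login -a failed"`. Quoting `$TEST_USER` would also match the `id -u "$TEST_USER"` line a few lines below.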
@@ -37,12 +37,12 @@ if [ $? -ne 0 ]; then
 exit_error "semange returned an error"
 fi
-msg_1="op=modify selinux user mapping acct=\"*$user\"* old-seuser=$seuser old-role=\? old-range=s0 new-seuser=$seuser new-role=\? new-range=$range exe=/usr/sbin/semanage.*res=success.*"
+msg_1="op=login-range acct=\"$user\" old-seuser=$seuser old-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r old-range=s0-s15:c0.c1023 new-seuser=$seuser new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$range exe=/usr/sbin/semanage.*res=success.*"
-augrok -q type=USER_ROLE_CHANGE auid=$auid \
- msg_1=~"$msg_1" || exit_fail "missing: \"$msg_1\""
+augrok -q type=ROLE_ASSIGN auid=$auid msg_1=~"$msg_1" \
+ || exit_fail "ROLE_ASSIGN event missing: \"$msg_1\""
-# cleanup
+# cleanup
 # deluser handled by tp_auth_functions
 exit_pass
--
1.7.1 |
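Review bot: The rewritten `msg_1` in the `@@ -37,12 +37,12 @@` hunk is matched with `msg_1=~`, and the `.*` pieces in it suggest the value is treated as a regular expression; if so, the dot in `old-range=s0-s15:c0.c1023` (and any dot inside `$range`) matches any character rather than a literal dot. For a test whose job is to confirm the exact audited range, I would escape the literal dots, e.g. `old-range=s0-s15:c0\.c1023`. The same applies to `new-range=$def_range` in the ROLE_ASSIGN pattern added to test_mls_default_login.bash, which additionally has nothing after it to stop a longer range from matching. The `if [ $? -ne 0 ]` block this hunk opens in begins above the visible lines.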