[Audit-test-developer] [PATCH 1/2] Fixed tests affected by BZ#784595

[<mva...@re...>]

From: Miroslav Vadkerti <mva...@re...>

This patch fixes 3 tests affected by policycoreutils change.
For more information see:
https://bugzilla.redhat.com/show_bug.cgi?id=784595

Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
 audit/libpam/tests/test_mls_default_login.bash     |   18 +++++++++++++-----
 audit/libpam/tests/test_mls_level_login_fail.bash  |    8 ++++----
 .../tests/test_semanage_chglvl.bash                |   10 +++++-----
 3 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/audit/libpam/tests/test_mls_default_login.bash b/audit/libpam/tests/test_mls_default_login.bash
index 831cf73..50956a4 100755
--- a/audit/libpam/tests/test_mls_default_login.bash
+++ b/audit/libpam/tests/test_mls_default_login.bash
@@ -14,9 +14,10 @@
 #   You should have received a copy of the GNU General Public License
 #   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 ###############################################################################
-# 
+#
 # PURPOSE:
 # Verify audit of successful login including default subject context.
+# The test also checks if assigning default role to the user gets audited.
 
 source pam_functions.bash || exit 2
 
@@ -28,11 +29,14 @@ chmod 666 $localtmp
 if [[ $PPROFILE == "lspp" ]]; then
 	semanage login -d $TEST_USER
 	semanage login -a -s staff_u $TEST_USER
-	# XXX should compute the default context from the policy
-	def_context=staff_u:staff_r:staff_t:s0
+	# the added users range is taken from the default range
+	# of the user who is running semanage:
+	# see https://bugzilla.redhat.com/show_bug.cgi?id=785678#c8
+	def_range=s0-s15:c0.c1023
+	def_context=staff_u:staff_r:staff_t:$def_range
 	auid=$(id -u "$TEST_USER")
 	append_cleanup user_cleanup
-else 
+else
 	exit_error "Not in lspp mode"
 fi
 
@@ -61,5 +65,9 @@ augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
 augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
 augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
 	subj=$login_context || exit_fail
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context: exe=./bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail
+# Check for ROLE_ASSIGN event for testuser
+augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
+# Check for USER_ROLE_CHANGE for login command
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context: exe=./bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
+
 exit_pass
diff --git a/audit/libpam/tests/test_mls_level_login_fail.bash b/audit/libpam/tests/test_mls_level_login_fail.bash
index 7203eee..8846f93 100755
--- a/audit/libpam/tests/test_mls_level_login_fail.bash
+++ b/audit/libpam/tests/test_mls_level_login_fail.bash
@@ -14,7 +14,7 @@
 #   You should have received a copy of the GNU General Public License
 #   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 ###############################################################################
-# 
+#
 # PURPOSE:
 # Verify audit of failed login when user selects and invalid level.
 # User is only allowed s0 but picks s15.
@@ -28,13 +28,13 @@ chmod 666 $localtmp
 # if in LSPP mode, map the TEST_USER to staff_u
 if [[ $PPROFILE == "lspp" ]]; then
 	semanage login -d $TEST_USER
-	semanage login -a -s staff_u $TEST_USER
+	semanage login -a -s staff_u -r s0 $TEST_USER
 	# XXX should compute the default context from the policy
 	def_context=staff_u:staff_r:staff_t:s0
 	sel_context=staff_u:staff_r:staff_t:s15
 	auid=$(id -u "$TEST_USER")
 	append_cleanup user_cleanup
-else 
+else
 	exit_error "Not in lspp mode"
 fi
 
@@ -57,6 +57,6 @@ backup /var/run/utmp
 
 msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* res=failed.*"
 augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
-	subj=$login_context || exit_fail 
+	subj=$login_context || exit_fail
 augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context: exe=./bin/login.* res=failed.*" auid=$auid || exit_fail
 exit_pass
diff --git a/audit/trustedprograms/tests/test_semanage_chglvl.bash b/audit/trustedprograms/tests/test_semanage_chglvl.bash
index 7b8eb13..dc36b1c 100755
--- a/audit/trustedprograms/tests/test_semanage_chglvl.bash
+++ b/audit/trustedprograms/tests/test_semanage_chglvl.bash
@@ -14,7 +14,7 @@
 #   You should have received a copy of the GNU General Public License
 #   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 ###############################################################################
-# 
+#
 # PURPOSE:
 # Use semanage to change the level range of a user
 # Start with the sample test user, and change their level range from the
@@ -37,12 +37,12 @@ if [ $? -ne 0 ]; then
   exit_error "semange returned an error"
 fi
 
-msg_1="op=modify selinux user mapping acct=\"*$user\"* old-seuser=$seuser old-role=\? old-range=s0 new-seuser=$seuser new-role=\? new-range=$range exe=/usr/sbin/semanage.*res=success.*"
+msg_1="op=login-range acct=\"$user\" old-seuser=$seuser old-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r old-range=s0-s15:c0.c1023 new-seuser=$seuser new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$range exe=/usr/sbin/semanage.*res=success.*"
 
-augrok -q type=USER_ROLE_CHANGE auid=$auid \
-  msg_1=~"$msg_1" || exit_fail "missing: \"$msg_1\""
+augrok -q type=ROLE_ASSIGN auid=$auid msg_1=~"$msg_1" \
+	|| exit_fail "ROLE_ASSIGN event missing: \"$msg_1\""
 
-# cleanup 
+# cleanup
 # deluser handled by tp_auth_functions
 
 exit_pass
-- 
1.7.1