From: Linda K. <lin...@hp...> - 2013-08-28 16:27:35

Great, thanks.
- ljk

Jiri Jaburek wrote:
> On 08/28/2013 01:57 PM, Jiri Jaburek wrote:
>> PS: Looking at the final envcheck output one more time, I plan to do
>> some final minor polishing, like @ in Makefile, "daemon" -> "Daemon"
>> and a few grammar fixes.
>>
>
> Done, attached.
>
> Jiri
>
> ------------------------------------------------------------------------------
> Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
> Discover the easy way to master current and previous Microsoft technologies
> and advance your career. Get an incredible 1,500+ hours of step-by-step
> tutorial videos with LearnDevNow. Subscribe today and save!
> http://pubads.g.doubleclick.net/gampad/clk?id=58040911&iu=/4140/ostg.clktrk
>
> _______________________________________________
> Audit-test-developer mailing list
> Aud...@li...
> https://lists.sourceforge.net/lists/listinfo/audit-test-developer

From: Linda K. <lin...@hp...> - 2013-08-28 16:26:45

Hi Jiri,

Thanks so much for the pictures. That makes it clear to me. This is really nice.

Thanks again.

-- ljk

Jiri Jaburek wrote:
> On 08/27/2013 07:23 PM, Linda Knippers wrote:
>> Hi Jiri,
>>
>> I really like the idea of having a script that validates the configuration.
>> I haven't run the script so I'm only looking at the code but it looks like
>> the script is reporting specific output for all the items that are right but
>> a generic message when something is wrong. I note a few instances inline below.
>> It seems like it would be more helpful if we issue specific messages for the
>> things that are wrong.
>>
>> Am I reading the script right?
>>
>> Thanks,
>>
>> -- ljk
>
> Hi Linda,
> let me show you a quick demo:
> http://i.imgur.com/kBzlChy.png
> http://i.imgur.com/aIl7FVp.png
>
> It isn't really intended to perform *validation* of the environment,
> it's more like a configuration helper that can point out some things
> that were perhaps forgotten/skipped during the setup.
> Because of that, it mainly centers around the things that have a good
> probability of being forgotten or incorrectly configured by the user.
>
> The idea was to show which items pass/fail and if fails occur, help
> the user resolve those fails, even in cases when the user is not too
> much familiar with the suite.
> The idea of using generic messages per groups of checks was implemented
> mainly to reduce the overhead of creating specific messages for tiny
> checks. The per-group messages should at least point out what might be
> wrong, so the user can fix it. It's not supposed to be
> a zero-user-effort kind of thing.
> I wanted to keep the envcheck quite generic, not lock it down to
> a specific known-good configuration as the suite itself is (in its
> current form) also quite generic.
>
>> On 08/21/13 12:21, Jiri Jaburek wrote:
>>> The idea is to catch various configuration or setup errors
>>> and give useful hints, so that the user doesn't have to debug
>>> the system/suite to find out what could possibly go wrong.
>>>
>>> This script is not supposed to replace or duplicate functionality
>>> provided by the suite itself, it should be only used for basic sanity
>>> verification of the environment. It doesn't claim to reveal all
>>> configuration errors, but it can still be useful.
>>>
>>> Because of the reasons mentioned above, running this script
>>> is purely optional.
>>>
> <snip>
>>> + for i in $vars; do
>>> + check "env | grep \"^$i=\"" 0 "Var $i is present in environment"
>>> + done;
>> It looks like it displays a message for each env variable that is set.
>> Do they also get a message if an env variable is not set? Or do they
>> just get the generic message that the check failed below? It would
>> be nice if we tell them specifically which ones are missing.
>
> (see above)
>
>>> +
>>> + # s390x / ppc64 check? (ARCH variable)
>>> +
> <snip>
>>> + check "[ \"$(pwd)\" = \"/usr/local/eal4_testing/audit-test\" ]" 0 \
>>> + "\$(pwd) is /usr/local/eal4_testing/audit-test"
>> Some comment here. If the checks fail, do we tell them that they're not in
>> /usr/local/eal4_testing/audit-test?
>>
>
> I took extra care to ensure the consistency of things that are being
> reported as passed/failed to the user. That means I explicitly crafted
> the messages to provide a fact, an expected environment state, which
> is then validated as pass/fail. IOW, I wanted to avoid negatives, double
> negatives, ..., to keep the meaning of "pass" and "fail" as simple
> as possible.
> In this particular case, the check would print out
> "$(pwd) is /usr/local/eal4_testing/audit-test ...passed/failed",
> which has a binary meaning - the shell either is in that directory
> or it isn't.
>
> Generally speaking, if the check fails, the statement is false. This
> applies to all checks done by envcheck - again, to avoid confusion over
> the meaning of pass/fail.
>
> As for comments in the code of envcheck itself - I kind of hoped
> that the messages used for the "check" function would be descriptive
> enough, even for code purposes.
> In some cases, I let the checking command itself be a "documentation",
> for example "[ -d /some/dir ]" doesn't seem to need further explanation,
> but it shouldn't be a problem to add an equivalent message in English.
>
> Thanks,
> Jiri
>
>
> PS: Looking at the final envcheck output one more time, I plan to do
> some final minor polishing, like @ in Makefile, "daemon" -> "Daemon"
> and a few grammar fixes.

From: Linda K. <lin...@hp...> - 2013-08-28 16:24:08

Thanks for the additional information.

-- ljk

Jiri Jaburek wrote:
> On 08/27/2013 07:50 PM, Linda Knippers wrote:
>> Not my area but I trust you. :-)
>>
>> -- ljk
>>
>
> I believe that this part of README.netfilter was originally made up
> to work around the fact that no ARP/ND packets could get through:
>
> Setting the aging timer to a high value is helpful to the testing as
> it prevents the learned mac addresses in the bridge's forwarding
> database from being deleted when it hasn't seen a frame from that mac
> address in the timer number of seconds. The following command is
> recommended.
>
> # brctl setageing <bridge name> 3600
>
> This workaround shouldn't be needed anymore as basic link discovery
> now works.
>
> To my best knowledge, these rules shouldn't interfere with anything,
> since they're mandatory for vast majority of traffic to work.
> They would present a problem only when doing something like static
> ARP/neighbor assignment testing (and checking that no requests
> are being sent).
>
>>>
>>> ebtables -A INPUT -p arp -j ACCEPT
>>> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT
>>> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT
>>>
>
> Jiri

From: Linda K. <lin...@hp...> - 2013-08-28 15:43:23

Hi Jiri,

As far as I know, we always run the daemon through xinetd. I think that
James had some problems early on with the netfilebt tests using the test
server through xinetd but they got resolved. I hope I'm remembering that
correctly. I've cc'd James in case he's not following the mailing list.

I would love to see the sleeps removed from the tests. 21 minutes is a
long time when you're waiting for results.

-- ljk

Jiri Jaburek wrote:
> Hi,
> during my recent work on the audit-test suite, I noticed there is
> a 10sec sleep in network/netfilter/netfilebt buckets after:
>
> - each test fail/error
> - each execution of *_fail_* test
>
> Particularly the second condition is slowing down the suite somewhat,
> by approximately 1300 seconds or ~21.6 minutes.
>
> I would like to fix that problem, however its solution could be much
> easier if I could drop the standalone daemon part of lblnet_tst_server.
>
> Therefore my question is - would that be a problem?
>
> The functionality could be retained by rewriting lblnet_tst_server
> a bit more (using fork), but it could be a waste of time if the server
> is (nowadays) never used as a standalone daemon, being always invoked
> by xinetd.
>
> Thanks,
> Jiri

From: Jiri J. <jja...@re...> - 2013-08-28 15:28:19

Hi,
during my recent work on the audit-test suite, I noticed there is
a 10sec sleep in network/netfilter/netfilebt buckets after:

- each test fail/error
- each execution of *_fail_* test

Particularly the second condition is slowing down the suite somewhat,
by approximately 1300 seconds or ~21.6 minutes.

I would like to fix that problem, however its solution could be much
easier if I could drop the standalone daemon part of lblnet_tst_server.

Therefore my question is - would that be a problem?

The functionality could be retained by rewriting lblnet_tst_server
a bit more (using fork), but it could be a waste of time if the server
is (nowadays) never used as a standalone daemon, being always invoked
by xinetd.

Thanks,
Jiri

From: Jiri J. <jja...@re...> - 2013-08-28 15:03:18

On 08/28/2013 01:57 PM, Jiri Jaburek wrote:
>
> PS: Looking at the final envcheck output one more time, I plan to do
> some final minor polishing, like @ in Makefile, "daemon" -> "Daemon"
> and a few grammar fixes.
>

Done, attached.

Jiri

From: Miroslav V. <mva...@re...> - 2013-08-28 14:10:08

Hi Linda,
----- Original Message -----
> On 08/21/13 12:21, Jiri Jaburek wrote:
> > From: Miroslav Vadkerti <mva...@re...>
> >
> > This patch incorporates changes that make possible
> > merging of subsequent test runs.
> >
> > The logs are now stored also separately for each test
> > in the logs subdirectory of the test bucket. The run and
> > rollup logs are generated from these logs. The output
> > of the run.bash should remain the same.
>
> So this is for the case where you might need to re-run a particular
> test case? So you don't have to run the complete bucket to get
> a good log?
Yes, that is correct. You can run only the failed tests and, if the other
tests passed previously, you will get a good total log.
> >
> > This patch also fixes the --list option that now does
> > not delete the contents of run and rollup log.
> >
> > This patch adds generate (-g|--generate) option that generates
> > the total run and rollup logs. This might be useful if these
> > were deleted or not created after aborting testing with SIGINT.
>
> Does this option catch the case where a specific test result might be
> missing?
> Is there any way to know that not all the test cases were run?
If there are missing cases the log is still generated, but it will contain only
the tests that were run. There is a way to tell which tests weren't run, and
in the next patch series we want to add an option to run.bash that will run
all tests that did not pass or weren't run yet. You will also be able to
combine this option with the --list option to list only those tests.
/M
>
> -- ljk
>
> >
> > The distclean make target removes the new logs directory.
> >
> > Signed-off-by: Miroslav Vadkerti <mva...@re...>
> > ---
> > audit-test/rules.mk | 4 +-
> > audit-test/utils/run.bash | 132
> > +++++++++++++++++++++++++++++++++++-----------
> > 2 files changed, 104 insertions(+), 32 deletions(-)
> >
> > diff --git a/audit-test/rules.mk b/audit-test/rules.mk
> > index 1534c66..a53d979 100644
> > --- a/audit-test/rules.mk
> > +++ b/audit-test/rules.mk
> > @@ -194,14 +194,14 @@ _clean:
> >
> > clean: _clean
> >
> > -ALL_LOGS += run.log rollup.log
> > +ALL_LOGS += run.log rollup.log logs
> > _distclean: clean
> > @if [[ "$(MAKECMDGOALS)" == distclean ]]; then \
> > for x in $(SUB_DIRS); do \
> > make -C $$x distclean; \
> > done; \
> > fi
> > - $(RM) $(ALL_LOGS)
> > + $(RM) -r $(ALL_LOGS)
> > if [[ -L run.bash ]]; then $(RM) run.bash; fi
> >
> > distclean: _distclean
> > diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
> > index f70b79a..890f84a 100755
> > --- a/audit-test/utils/run.bash
> > +++ b/audit-test/utils/run.bash
> > @@ -51,6 +51,7 @@ source functions.bash || exit 2
> >
> > unset logging
> > unset opt_verbose opt_debug opt_config opt_list opt_log opt_rollup
> > opt_timeout opt_width
> > +echoing=true
> > logging=false
> > opt_avc=false
> > opt_verbose=false
> > @@ -59,6 +60,7 @@ opt_quiet=false
> > opt_config=run.conf
> > opt_list=false
> > opt_log=run.log
> > +opt_logdir=logs
> > opt_rollup=rollup.log
> > opt_timeout=30
> > opt_width=$(stty size 2>/dev/null | cut -d' ' -f2)
> > @@ -140,9 +142,8 @@ function dmsg {
> > }
> >
> > function prf {
> > - printf "$(colorize "$1")" "${@:2}"
> > - $logging || return
> > - printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup" >>"$opt_log"
> > + $echoing && printf "$(colorize "$1")" "${@:2}"
> > + $logging && printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup"
> > >>"$opt_log"
> > }
> >
> > #----------------------------------------------------------------------
> > @@ -219,6 +220,11 @@ function startup {
> > trap - 1 2;
> > fi
> >
> > + # Create log directory if needed
> > + if [[ ! -d "$opt_logdir" ]]; then
> > + mkdir "$opt_logdir"
> > + fi
> > +
> > # Initialize audit configuration and make sure auditd is running
> > auditd_orig=$(mktemp $auditd_conf.XXXXXX) || return 2
> > cp -a "$auditd_conf" "$auditd_orig" || return 2
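Review bot: `mkdir "$opt_logdir"` in the new block is the only command in `startup` that is not error-checked; the `mktemp` and `cp -a` lines right below it `return 2` on failure. If the directory cannot be created (unwritable tree, or a regular file already named `logs`, which `[[ ! -d ]]` reports as missing), every later `cp -f $opt_log $opt_logdir/...` fails silently. Suggest `mkdir -p "$opt_logdir" || return 2`.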
> > @@ -341,10 +347,12 @@ Usage: ${0##*/} [OPTION]...
> > Run a set of test cases, reporting pass/fail and tallying results.
> >
> > -f --config=FILE Use a config file other than run.conf
> > + -g --generate Generate run.log and rollup.log from $opt_logdir
> > --header Don't run anything, just output the log header
> > -l --log=FILE Output to a log other than run.log
> > -r --rollup=FILE Output to a rollup other than rollup.log
> > -t --timeout=SEC Seconds to wait for a test to timeout, default 30
> > + -o --logdir=DIR Output directory of per test logs
> > -w --width=COLS Set COLS output width instead of auto-detect
> > -h --help Show this help
> >
> > @@ -364,8 +372,8 @@ function parse_cmdline {
> > declare args conf x
> >
> > # Use /usr/bin/getopt which supports GNU-style long options
> > - args=$(getopt -o adf:hl:qr:vw: \
> > - --long
> > config:,avc,debug,help,header,list,log:,quiet,rollup:,nocolor,verbose,width:
> > \
> > + args=$(getopt -o adf:ghl:qr:o:vw: \
> > + --long
> > config:,avc,debug,generate,help,header,list,log:,logdir:,quiet,rollup:,nocolor,verbose,width:
> > \
> > -n "$0" -- "$@") || die
> > eval set -- "$args"
> >
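Review bot: while the getopt strings are being edited, `-t`/`--timeout` is handled by the case statement and advertised in the usage text but is present in neither `-o adf:ghl:qr:o:vw:` nor the `--long` list, so getopt rejects it; adding `t:` and `timeout:` here would close that pre-existing gap. Also, `o:` was inserted between `r:` and `v` while the long list is kept alphabetical; keeping both in the same order makes omissions like this one easier to spot.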
> > @@ -374,6 +382,7 @@ function parse_cmdline {
> > -a|--avc) opt_avc=true; shift ;;
> > -d|--debug) opt_debug=true; opt_verbose=true; shift ;;
> > -f|--config) opt_config=$2; shift 2 ;;
> > + -g|--generate) logging=true; generate_logs; exit 0 ;;
> > -h|--help) usage; exit 0 ;;
> > --header) show_header; exit 0 ;;
> > --list) opt_list=true; shift ;;
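Review bot: `-g|--generate) logging=true; generate_logs; exit 0 ;;` runs inside the option-parsing loop, so an `-o DIR`, `-l FILE` or `-r FILE` given after `-g` on the command line is never seen and the defaults (`logs`, `run.log`, `rollup.log`) are used. Set a flag here (`opt_generate=true; shift`) and call `generate_logs` after the loop, the way `--list` is handled below, so that option order does not matter.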
> > @@ -381,6 +390,7 @@ function parse_cmdline {
> > -q|--quiet) opt_quiet=true; shift ;;
> > -r|--rollup) opt_rollup=$2; shift 2 ;;
> > -t|--timeout) opt_timeout=$2; shift 2 ;;
> > + -o|--logdir) opt_logdir=$2; shift 2 ;;
> > --nocolor) colorize() { monoize "$@"; }; shift ;;
> > -v|--verbose) opt_verbose=true; shift ;;
> > -w|--width) opt_width=$2; shift 2 ;;
> > @@ -389,9 +399,6 @@ function parse_cmdline {
> > esac
> > done
> >
> > - # Open the logs now that opt_log and opt_rollup are set
> > - open_log
> > -
> > # Load the config
> > dmsg "Loading config from $opt_config"
> > conf="$(<$opt_config)
> > @@ -413,8 +420,10 @@ function parse_cmdline {
> > done
> > else
> > # add by number
> > - dmsg " [$1] ${TESTS[$1]}"
> > - TNUMS[$1]=$1
> > + if [ $1 -lt ${#TESTS[@]} ]; then
> > + dmsg " [$1] ${TESTS[$1]}"
> > + TNUMS[$1]=$1
> > + fi
> > fi
> > shift
> > done
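Review bot: the new `if [ $1 -lt ${#TESTS[@]} ]` drops an out-of-range test number silently, so `run.bash 999` runs nothing without telling the user why, and a non-numeric argument still makes `[` print a bash error instead of a message. Add an `else` branch that warns or calls `die "no such test number: $1"`, and mention this behaviour change in the commit message, which currently does not cover it.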
> > @@ -435,21 +444,24 @@ function parse_cmdline {
> > done
> > exit 0
> > fi
> > +
> > + # Open the logs before running the tests
> > + open_log
> > }
> >
> > function show_header {
> > - prf "\n"
> > - prf "%-32s %s\n" Started: "$(date)"
> > - prf "%-32s %s\n" Kernel: "$(uname -r)"
> > - prf "%-32s %s\n" Architecture: "$(uname -m)"
> > - prf "%-32s %s\n" Mode: "${MODE:-(native)}"
> > - prf "%-32s %s\n" Hostname: "$(uname -n)"
> > - prf "%-32s %s\n" Profile: "$PPROFILE"
> > - prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> > + nolog prf "\n"
> > + nolog prf "%-32s %s\n" Started: "$(date)"
> > + nolog prf "%-32s %s\n" Kernel: "$(uname -r)"
> > + nolog prf "%-32s %s\n" Architecture: "$(uname -m)"
> > + nolog prf "%-32s %s\n" Mode: "${MODE:-(native)}"
> > + nolog prf "%-32s %s\n" Hostname: "$(uname -n)"
> > + nolog prf "%-32s %s\n" Profile: "$PPROFILE"
> > + nolog prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q
> > selinux-policy)"
> > if [[ $PPROFILE == lspp ]] ; then
> > - prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep
> > lspp_test | awk '{print $2}')"
> > + nolog prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l |
> > grep lspp_test | awk '{print $2}')"
> > fi
> > - prf "\n%s\n" "$(sestatus)"
> > + nolog prf "\n%s\n" "$(sestatus)"
> > }
> >
> > function fmt_test {
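Review bot: wrapping each of the nine `prf` calls in `show_header` with `nolog` is repetitive and easy to miss when a line is added later; since `nolog` only sets a dynamically scoped `logging=false` and runs its arguments, the same effect is obtained with a single `nolog show_header` at the two call sites (the `--header` option and `run_tests`), or by turning the body into `nolog _show_header`. Moving `open_log` past the `--list` early exit, so that `--list` no longer truncates the existing logs, is the fix the commit message promises and looks right.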
> > @@ -485,20 +497,55 @@ function show_test {
> > fmt_test "[$TESTNUM]" "$@"
> > }
> >
> > +function noecho {
> > + declare echoing=false
> > + "$@"
> > +}
> > +
> > function nolog {
> > declare logging=false
> > "$@"
> > }
> >
> > +function generate_logs {
> > + declare pass fail error
> > +
> > + # clear run and rollup logs
> > + echo -n > $opt_log
> > + echo -n > $opt_rollup
> > +
> > + # create total run log
> > + for log in $(ls $opt_logdir/$opt_log.* | sed 's/\(.*\)\.\(.*\)/\1
> > \2/g' | sort -k2 -n | tr ' ' '.'); do
> > + cat $log >> $opt_log
> > + echo >> $opt_log
> > + done
> > +
> > + # create total rollup log
> > + for log in $(ls $opt_logdir/$opt_rollup.* | sed 's/\(.*\)\.\(.*\)/\1
> > \2/g' | sort -k2 -n | tr ' ' '.'); do
> > + cat $log | sed '1,/--------/d' >> $opt_rollup
> > + done
> > +
> > + pass=$(grep "PASS" $opt_rollup | wc -l)
> > + fail=$(grep "FAIL" $opt_rollup | wc -l)
> > + error=$(grep "ERROR" $opt_rollup | wc -l)
> > + (( total = pass + fail + error ))
> > + llmsg
> > + prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> > + prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> > + prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> > + prf "%s\n" "------------------"
> > + prf "%4d total\n" $total
> > +}
> > +
> > function run_tests {
> > - declare TESTNUM output status hee s
> > + declare TESTNUM output status hee s log stats header
> > declare begin_output="<blue>--- begin output
> > -----------------------------------------------------------"
> > declare end_output="<blue>--- end output
> > -------------------------------------------------------------"
> >
> > show_header
> > - msg
> > - prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> > - prf "%-$((opt_width-7))s %s\n" "--------" "------"
> > + nolog msg
> > + nolog prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> > + nolog prf "%-$((opt_width-7))s %s\n" "--------" "------"
> >
> > if $opt_debug; then
> > hee=/dev/stderr
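Review bot: `generate_logs` divides by `total` without checking it, so `run.bash -g` against an empty or missing `$opt_logdir` (the likely state right after the SIGINT scenario the commit message describes) aborts with a bash `division by 0` error, after `ls` has already printed its own error; guard with `(( total > 0 ))` or report 0% when nothing was found. The `for log in $(ls ... | sed ... | sort -k2 -n | tr ' ' '.')` pipelines also break on paths containing whitespace (`$opt_logdir` is user-supplied via `-o`) and round-trip the file names through `sed`/`tr` just to sort by the numeric suffix; a glob with `ls -v` (GNU natural sort) would do. Minor: `total` is missing from `declare pass fail error`, and `grep "PASS" ... | wc -l` can be `grep -c PASS`.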
> > @@ -507,6 +554,11 @@ function run_tests {
> > fi
> >
> > for TESTNUM in "${TNUMS[@]}"; do
> > + noecho prf "$(show_header)\n" ""
> > + llmsg
> > + noecho prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> > + noecho prf "%-$((opt_width-7))s %s\n" "--------" "------"
> > +
> > eval "set -- ${TESTS[TESTNUM]}"
> >
> > if $opt_debug; then
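Review bot: `noecho prf "$(show_header)\n" ""` passes the captured header as the printf format string, so a `%` in the output of `sestatus`, `rpm -q` or the hostname is interpreted as a conversion and backslash sequences are expanded; use `noecho prf "%s\n" "$(show_header)"`. Also, `show_header` runs `rpm -q`, `semodule -l` and `sestatus` again for every test in the loop; the `header` variable added to the `declare` at the top of `run_tests` is never assigned in this patch, so capture the header into it once before the loop and reuse it here.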
> > @@ -587,15 +639,35 @@ function run_tests {
> > msg "<blue>-- audit2allow
> > -------------------------------------------------------------"
> > msg "$(ausearch -ts $stime -te $etime -m avc | audit2allow)"
> > fi
> > +
> > + # copy header to run and rollup log
> > + echo "$header" >> $opt_logdir/$opt_log.$TESTNUM
> > + echo >> $opt_logdir/$opt_log.$TESTNUM
> > + echo "$header" >> $opt_logdir/$opt_rollup.$TESTNUM
> > + echo >> $opt_logdir/$opt_rollup.$TESTNUM
> > +
> > + # copy test output to own log file
> > + cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM
> > + sed -i '/./,$!d' $opt_logdir/$opt_log.$TESTNUM
> > + cp -f $opt_rollup $opt_logdir/$opt_rollup.$TESTNUM
> > + sed -i '/./,$!d' $opt_logdir/$opt_rollup.$TESTNUM
> > +
> > + # clear log and rollup
> > + echo -n > $opt_log
> > + echo -n > $opt_rollup
> > done
> >
> > + # create current stats
> > (( total = pass + fail + error ))
> > - msg
> > - prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> > - prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> > - prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> > - prf "%s\n" "------------------"
> > - prf "%4d total\n" $total
> > + nolog msg
> > + nolog prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> > + nolog prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> > + nolog prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> > + nolog prf "%s\n" "------------------"
> > + nolog prf "%4d total\n" $total
> > +
> > + # create silently run and rollup logs
> > + noecho generate_logs
> >
> > return 0
> > }
> >
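Review bot: the four `echo "$header" >> $opt_logdir/$opt_log.$TESTNUM` / `...$opt_rollup.$TESTNUM` lines are dead code: `cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM` a few lines later replaces the whole file, so whatever was appended is lost (and `header` is never set anywhere in this patch). Either drop them, or append with `cat "$opt_log" >> ...` instead of `cp -f` if a header is meant to precede the test output. Since the per-test header already lands in `$opt_log` via the `noecho prf` calls at the top of the loop, dropping them is the simpler fix.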
>
>
>
--
Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic

From: Jiri J. <jja...@re...> - 2013-08-28 13:34:25

On 08/27/2013 08:08 PM, Linda Knippers wrote:
> On 08/21/13 12:23, Jiri Jaburek wrote:
>> The test description states that:
>> "Verify that the tar program preserves file security contexts."
>>
>> and tar has an explicit option for that:
>> --selinux
>> Save the SELinux context to the archive.
>
> I think "file security contexts" means more than SELinux context.
> What about non-selinux security information, like ACLs? Aren't they
> also stored in extended attributes? I guess the test was only creating/
> checking SELinux contexts but the other is important as well, even if
> not well tested.
>

I originally assumed it's a SELinux-only test, even though it mentions
generic "security contexts". The point is that not all security mechanisms
have to use xattrs for storage and the idea of using explicit options for
tar would actually be more generic in the end. (With an explicit --acls test.)

However the issue seems to be more complex than it seemed in the first
place, so let's just drop this patch now and return to it later.

Jiri

From: Jiri J. <jja...@re...> - 2013-08-28 12:11:46

On 08/27/2013 07:50 PM, Linda Knippers wrote:
> Not my area but I trust you. :-)
>
> -- ljk
>
I believe that this part of README.netfilter was originally made up
to work around the fact that no ARP/ND packets could get through:

Setting the aging timer to a high value is helpful to the testing as
it prevents the learned mac addresses in the bridge's forwarding
database from being deleted when it hasn't seen a frame from that mac
address in the timer number of seconds. The following command is
recommended.

# brctl setageing <bridge name> 3600

This workaround shouldn't be needed anymore as basic link discovery
now works.

To my best knowledge, these rules shouldn't interfere with anything,
since they're mandatory for vast majority of traffic to work.
They would present a problem only when doing something like static
ARP/neighbor assignment testing (and checking that no requests
are being sent).
>>
>> ebtables -A INPUT -p arp -j ACCEPT
>> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT
>> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT
>>
Jiri

From: Jiri J. <jja...@re...> - 2013-08-28 11:57:56

On 08/27/2013 07:23 PM, Linda Knippers wrote:
> Hi Jiri,
>
> I really like the idea of having a script that validates the configuration.
> I haven't run the script so I'm only looking at the code but it looks like
> the script is reporting specific output for all the items that are right but
> a generic message when something is wrong. I note a few instances inline below.
> It seems like it would be more helpful if we issue specific messages for the
> things that are wrong.
>
> Am I reading the script right?
>
> Thanks,
>
> -- ljk

Hi Linda,
let me show you a quick demo:
http://i.imgur.com/kBzlChy.png
http://i.imgur.com/aIl7FVp.png

It isn't really intended to perform *validation* of the environment,
it's more like a configuration helper that can point out some things
that were perhaps forgotten/skipped during the setup.
Because of that, it mainly centers around the things that have a good
probability of being forgotten or incorrectly configured by the user.

The idea was to show which items pass/fail and if fails occur, help
the user resolve those fails, even in cases when the user is not too
much familiar with the suite.
The idea of using generic messages per groups of checks was implemented
mainly to reduce the overhead of creating specific messages for tiny
checks. The per-group messages should at least point out what might be
wrong, so the user can fix it. It's not supposed to be
a zero-user-effort kind of thing.
I wanted to keep the envcheck quite generic, not lock it down to
a specific known-good configuration as the suite itself is (in its
current form) also quite generic.

> On 08/21/13 12:21, Jiri Jaburek wrote:
>> The idea is to catch various configuration or setup errors
>> and give useful hints, so that the user doesn't have to debug
>> the system/suite to find out what could possibly go wrong.
>>
>> This script is not supposed to replace or duplicate functionality
>> provided by the suite itself, it should be only used for basic sanity
>> verification of the environment. It doesn't claim to reveal all
>> configuration errors, but it can still be useful.
>>
>> Because of the reasons mentioned above, running this script
>> is purely optional.
>>
<snip>
>> + for i in $vars; do
>> + check "env | grep \"^$i=\"" 0 "Var $i is present in environment"
>> + done;
>
> It looks like it displays a message for each env variable that is set.
> Do they also get a message if an env variable is not set? Or do they
> just get the generic message that the check failed below? It would
> be nice if we tell them specifically which ones are missing.

(see above)

>> +
>> + # s390x / ppc64 check? (ARCH variable)
>> +
<snip>
>> + check "[ \"$(pwd)\" = \"/usr/local/eal4_testing/audit-test\" ]" 0 \
>> + "\$(pwd) is /usr/local/eal4_testing/audit-test"
>
> Some comment here. If the checks fail, do we tell them that they're not in
> /usr/local/eal4_testing/audit-test?
>

I took extra care to ensure the consistency of things that are being
reported as passed/failed to the user. That means I explicitly crafted
the messages to provide a fact, an expected environment state, which
is then validated as pass/fail. IOW, I wanted to avoid negatives, double
negatives, ..., to keep the meaning of "pass" and "fail" as simple
as possible.
In this particular case, the check would print out
"$(pwd) is /usr/local/eal4_testing/audit-test ...passed/failed",
which has a binary meaning - the shell either is in that directory
or it isn't.

Generally speaking, if the check fails, the statement is false. This
applies to all checks done by envcheck - again, to avoid confusion over
the meaning of pass/fail.

As for comments in the code of envcheck itself - I kind of hoped
that the messages used for the "check" function would be descriptive
enough, even for code purposes.
In some cases, I let the checking command itself be a "documentation",
for example "[ -d /some/dir ]" doesn't seem to need further explanation,
but it shouldn't be a problem to add an equivalent message in English.

Thanks,
Jiri

PS: Looking at the final envcheck output one more time, I plan to do
some final minor polishing, like @ in Makefile, "daemon" -> "Daemon"
and a few grammar fixes.

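The pass/fail convention Jiri describes above (every check states an expected environment fact, checks are grouped, and a per-group hint appears only when something in the group failed), as an added bash example that is not the suite's envcheck script; the helper names `check`, `group`, `check_vars`, `summary` and `demo`, the hint texts and the sample checks are all made up here.

```bash
#!/bin/bash
# Added example, not code from the audit-test suite: a minimal envcheck-style
# checker. A check is a positive statement ("X is present") that is either
# confirmed (passed) or refuted (failed), so "fail" never needs a negation.
# Helper names and hint texts below are illustrative, not from the suite.

PASSED=0
FAILED=0
GROUP_FAILED=0

# check CMD EXPECTED_STATUS MESSAGE
#   Runs CMD (a shell command string) silently in a subshell, compares its
#   exit status with EXPECTED_STATUS and prints MESSAGE as passed/failed.
#   Returns 0 when the statement holds, 1 otherwise.
check() {
    local cmd=$1 expected=$2 msg=$3 status
    ( eval "$cmd" ) >/dev/null 2>&1
    status=$?
    if [ "$status" -eq "$expected" ]; then
        printf '  %-58s ...passed\n' "$msg"
        PASSED=$((PASSED + 1))
        return 0
    fi
    printf '  %-58s ...failed\n' "$msg"
    FAILED=$((FAILED + 1))
    GROUP_FAILED=$((GROUP_FAILED + 1))
    return 1
}

# group NAME HINT FUNCTION
#   Runs FUNCTION (which calls check one or more times) under a heading and
#   prints HINT once if any check in the group failed. Returns 0 if all passed.
group() {
    local name=$1 hint=$2 fn=$3
    GROUP_FAILED=0
    printf '%s\n' "$name"
    "$fn"
    if [ "$GROUP_FAILED" -gt 0 ]; then
        printf '  hint: %s\n' "$hint"
        return 1
    fi
    return 0
}

# check_vars VAR...
#   The pattern quoted in the review: one positive statement per variable,
#   so a missing variable is named explicitly instead of a generic failure.
check_vars() {
    local v
    for v in "$@"; do
        check "env | grep -q \"^$v=\"" 0 "Var $v is present in environment"
    done
    return 0
}

# summary -- final tally; returns 0 only if nothing failed.
summary() {
    printf '%d passed, %d failed\n' "$PASSED" "$FAILED"
    [ "$FAILED" -eq 0 ]
}

# Constructed sample groups run against the current shell environment.
# AUDIT_TEST_DEMO_MISSING is deliberately unset so one group shows its hint.
demo_env()  { check_vars HOME PATH AUDIT_TEST_DEMO_MISSING; }
demo_dirs() {
    check '[ -d /tmp ]' 0 "/tmp is a directory"
    check '[ -w /tmp ]' 0 "/tmp is writable"
}

demo() {
    group "Environment variables" \
          "export the missing variables before running the suite" demo_env
    group "Directories" \
          "create the missing directories or fix their permissions" demo_dirs
    summary
}

if demo; then
    printf 'environment looks sane\n'
else
    printf 'some checks failed, see the hints above\n'
fi
```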
From: Linda K. <lin...@hp...> - 2013-08-27 18:45:44

Looks better than the old code. :-)
-- ljk
On 08/21/13 12:24, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> This patch enhances the detection of clear screen after locking
> idle screen session.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> .../trustedprograms/tests/test_screen_locking.bash | 2 +-
> .../trustedprograms/tests/tp_screen_functions.bash | 26 +++++++++++++---------
> 2 files changed, 16 insertions(+), 12 deletions(-)
>
> diff --git a/audit-test/trustedprograms/tests/test_screen_locking.bash b/audit-test/trustedprograms/tests/test_screen_locking.bash
> index 5e86dc7..ba4c69d 100755
> --- a/audit-test/trustedprograms/tests/test_screen_locking.bash
> +++ b/audit-test/trustedprograms/tests/test_screen_locking.bash
> @@ -85,7 +85,7 @@ screen_check_badpass $TEST_USER $TEST_USER_PASSWD 2 || exit_fail \
> # check if
> # + escape sequence for clearing the screen sent if screen locked
> # + kernel boot options contain "no-scroll" and "fbcon=scrollback:0"
> -screen_check_clear $TEST_USER $TEST_USER_PASSWD 2 || exit_fail \
> +screen_check_clear $TEST_USER $TEST_USER_PASSWD 5 || exit_fail \
> "screen clear before locking failed ($?)"
>
> # checks if
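Review bot: the third argument goes from 2 to 5 seconds here while the rewritten expect script in the next file sleeps 4 seconds before sending the password and sets `timeout $(($3+1))`; the two values are coupled, so a comment at this call stating that the timeout must exceed that sleep would keep them from drifting apart in a later edit.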
> diff --git a/audit-test/trustedprograms/tests/tp_screen_functions.bash b/audit-test/trustedprograms/tests/tp_screen_functions.bash
> index 853e1d6..c28f363 100644
> --- a/audit-test/trustedprograms/tests/tp_screen_functions.bash
> +++ b/audit-test/trustedprograms/tests/tp_screen_functions.bash
> @@ -182,13 +182,13 @@ function screen_check_clear {
> # To check you terminal type use the command
> # echo $TERM
> #
> + prepend_cleanup "rm -f $EXPSCRIPT"
> cat > $EXPSCRIPT << EOT
> set timeout $(($3+1))
> spawn screen $4
> -expect {
> - -re ".*\\x1b\\x5c\\x5b\\x48\\x1b\\x5c\\x5b\\x4a.*" { send -- $2\r }
> - -re ".*\\x1b\\x5c\\x5b\\x48\\x1b\\x5c\\x5b\\x32\\x4a.*" { send -- $2\r }
> - default { exit 1 }
> +expect {$1} {
> + sleep 4
> + send { send -- $2\r }
> }
> expect {
> {$1} { send -- exit\r }
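Review bot: the new action body `send { send -- $2\r }` hands expect's `send` a braced string, so what reaches the lock screen is the literal text ` send -- <password>\r ` (Tcl neither substitutes nor unescapes inside braces, and the heredoc only expands `$2`); the password is never entered as a line on its own. The intended body is the plain form, i.e. `expect {$1} { sleep 4; send -- $2\r }`. Dropping `default { exit 1 }` also means a timeout while waiting for `$1` no longer fails the script directly; it is only caught indirectly by the clear-screen count later.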
> @@ -200,16 +200,20 @@ EOT
>
> # run the expect script as user
> chown ${1}:$1 $EXPSCRIPT
> - /bin/su - -c "expect $EXPSCRIPT" $1
> - RET=$?
> + EXPOUT=$(mktemp)
> + prepend_cleanup "rm -f $EXPOUT"
> + /bin/su - -c "expect $EXPSCRIPT" $1 &> $EXPOUT
> + hexdump -C $EXPOUT
> + # count the number of lines with clear screen
> + # screen should clear the screen 2 times after running
> + # and once after locking the screen
> + CLRCNT=$(cat $EXPOUT | xxd -p | tr -d '\n' | grep -o "$(clear | xxd -p)" | wc -l)
> + [ "$CLRCNT" -eq 3 ] && RET=0 || RET=1
>
> # check if kernel cmdline contains required options for
> # disabling framebuffer scrolling
> - grep "no-scroll" /proc/cmdline || RET=4
> - grep "fbcon=scrollback:0" /proc/cmdline || RET=5
> -
> - # remove the expect script
> - rm -f $EXPSCRIPT
> + grep "no-scroll" /proc/cmdline || RET=2
> + grep "fbcon=scrollback:0" /proc/cmdline || RET=3
>
> return $RET
> }
>
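Review bot: the clear-screen count compares the captured session against `$(clear | xxd -p)`, which is the clear sequence for the harness's own $TERM, not necessarily the one emitted inside the spawned `screen` session (the comment above the script already warns about terminal type); if the two differ, CLRCNT is 0 and the test fails with RET=1 for the wrong reason. Either derive the sequence under the same TERM the script runs with, or match the known clear sequences directly and say in the comment which ones are expected. `hexdump -C $EXPOUT` also writes the whole captured session into the test log; the lock prompt should not echo the password, but that is worth confirming before this goes in. Minor: `cat $EXPOUT | xxd -p` can be `xxd -p $EXPOUT`.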
|
|
From: Linda K. <lin...@hp...> - 2013-08-27 18:41:24
|
Thanks for fixing this. -- ljk On 08/21/13 12:24, Jiri Jaburek wrote: > From: Miroslav Vadkerti <mva...@re...> > > In RHEL6.2 the unit attribute of the memory and currentMemory > elemnts is not recognized and the units used are always in KiB. > Previous commit 4a54cf0e broke this for RHEL6.2 and this patch > brings back the XML to compatibility through all RHEL6+ releases. > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > --- > audit-test/kvm-cgroups/guest1-template.xml | 4 ++-- > audit-test/kvm-iommu/guest1-template.xml | 4 ++-- > audit-test/kvm-iommu/guest2-template.xml | 4 ++-- > 3 files changed, 6 insertions(+), 6 deletions(-) > > diff --git a/audit-test/kvm-cgroups/guest1-template.xml b/audit-test/kvm-cgroups/guest1-template.xml > index 6dbb057..7780fcf 100644 > --- a/audit-test/kvm-cgroups/guest1-template.xml > +++ b/audit-test/kvm-cgroups/guest1-template.xml > @@ -1,7 +1,7 @@ > <domain type='kvm'> > <name>guest1</name> > - <memory unit='MiB'>256</memory> > - <currentMemory unit='MiB'>256</currentMemory> > + <memory unit='KiB'>262144</memory> > + <currentMemory unit='KiB'>262144</currentMemory> > <vcpu>1</vcpu> > <os> > <type arch='x86_64'>hvm</type> > diff --git a/audit-test/kvm-iommu/guest1-template.xml b/audit-test/kvm-iommu/guest1-template.xml > index 7bb69e2..827d98e 100644 > --- a/audit-test/kvm-iommu/guest1-template.xml > +++ b/audit-test/kvm-iommu/guest1-template.xml > @@ -1,7 +1,7 @@ > <domain type='kvm'> > <name>guest1</name> > - <memory unit='MiB'>256</memory> > - <currentMemory unit='MiB'>256</currentMemory> > + <memory unit='KiB'>262144</memory> > + <currentMemory unit='KiB'>262144</currentMemory> > <vcpu>1</vcpu> > <os> > <type arch='x86_64'>hvm</type> > diff --git a/audit-test/kvm-iommu/guest2-template.xml b/audit-test/kvm-iommu/guest2-template.xml > index 9981f54..fcda695 100644 > --- a/audit-test/kvm-iommu/guest2-template.xml > +++ b/audit-test/kvm-iommu/guest2-template.xml 
> @@ -1,7 +1,7 @@ > <domain type='kvm'> > <name>guest2</name> > - <memory unit='MiB'>256</memory> > - <currentMemory unit='MiB'>256</currentMemory> > + <memory unit='KiB'>262144</memory> > + <currentMemory unit='KiB'>262144</currentMemory> > <vcpu>1</vcpu> > <os> > <type arch='x86_64'>hvm</type> > |
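Review bot: 256 MiB = 262144 KiB, so the converted values are right; since the reason for spelling them in KiB is that RHEL6.2 ignores the unit attribute (per the commit message), a one-line XML comment next to these elements in each of the three templates would stop a later cleanup from switching back to MiB and silently giving the guest 256 KiB on that release.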
|
From: Linda K. <lin...@hp...> - 2013-08-27 18:40:14
|
Looks good, thanks. -- ljk On 08/21/13 12:24, Jiri Jaburek wrote: > This fixes the following warning: > WARNING - 32/64 bit syscall mismatch, you should specify an arch > > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/filter/tests/test_auid.bash | 4 ++-- > audit-test/filter/tests/test_dev_inode.bash | 8 ++++---- > audit-test/filter/tests/test_success.bash | 2 +- > audit-test/filter/tests/test_syscall.bash | 2 +- > audit-test/filter/tests/test_type.bash | 4 ++-- > 5 files changed, 10 insertions(+), 10 deletions(-) > > diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash > index 297ebbf..c165cf3 100755 > --- a/audit-test/filter/tests/test_auid.bash > +++ b/audit-test/filter/tests/test_auid.bash > @@ -33,8 +33,8 @@ do_open_file $tmp1 > augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \ > && exit_error "Unexpected record found." > > -auditctl -a exit,always -S open -F auid=$user_auid > -prepend_cleanup "auditctl -d exit,always -S open -F auid=$user_auid" > +auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid > +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid" > > # audit log marker > log_mark=$(stat -c %s $audit_log) > diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash > index ae818c6..30ea580 100755 > --- a/audit-test/filter/tests/test_dev_inode.bash > +++ b/audit-test/filter/tests/test_dev_inode.bash 
> @@ -34,12 +34,12 @@ minor=$((0x$minor)) > event_obj=$(get_event_obj $1) > [[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj" > > -auditctl -a exit,always -S open -F key=$tmp1 -F inode=$inode \ > - -F devmajor=$major -F devminor=$minor > +auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \ > + -F inode=$inode -F devmajor=$major -F devminor=$minor > > prepend_cleanup " > - auditctl -d exit,always -S open -F key=$tmp1 -F inode=$inode \ > --F devmajor=$major -F devminor=$minor" > +auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \ > + -F inode=$inode -F devmajor=$major -F devminor=$minor" > > log_mark=$(stat -c %s $audit_log) > > diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash > index aa8d1b4..497959b 100755 > --- a/audit-test/filter/tests/test_success.bash > +++ b/audit-test/filter/tests/test_success.bash > @@ -37,7 +37,7 @@ case $op in > ;; > *) exit_fail "unknown test operation" ;; > esac > -filter_rule="exit,always -S open" > +filter_rule="exit,always -F arch=b$MODE -S open" > > auditctl -a $filter_rule $filter_field > prepend_cleanup "auditctl -d $filter_rule $filter_field" > diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash > index 3c96628..8159b92 100755 > --- a/audit-test/filter/tests/test_syscall.bash > +++ b/audit-test/filter/tests/test_syscall.bash > @@ -27,7 +27,7 @@ syscall_num=$(augrok --resolve $syscall_name) \ > > op=$1 > case $op in > - name) filter_rule="exit,always -S open" ;; > + name) filter_rule="exit,always -F arch=b$MODE -S open" ;; > number) filter_rule="exit,always -S $syscall_num";; > *) exit_fail "unknown test operation" ;; > esac > diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash > index 4318428..16c63f4 100755 > --- a/audit-test/filter/tests/test_type.bash > +++ b/audit-test/filter/tests/test_type.bash 
> @@ -29,8 +29,8 @@ source filter_functions.bash || exit 2 > user_auid=$(cat /proc/self/loginuid) > > # setup auditctl > -auditctl -a exit,always -S open -F auid=$user_auid > -prepend_cleanup "auditctl -d exit,always -S open -F auid=$user_auid" > +auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid > +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid" > > # audit log marker > log_mark=$(stat -c %s $audit_log) > |
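Review bot: `-F arch=b$MODE` is added unconditionally in all five tests, whereas test_namespace.bash elsewhere in this thread guards the same field with `${MODE:+-F arch=b$MODE}`; if MODE can be empty these rules become `-F arch=b`, which auditctl rejects, and the test fails at setup rather than on what it tests. In test_syscall.bash the `number)` branch is left without the arch field; if that is deliberate, a short comment would save the next reader the question.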
|
From: Linda K. <lin...@hp...> - 2013-08-27 18:18:39
|
On 08/21/13 12:24, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> In recent RHEL7 kernel changes the loginuid call fails with
> pam_loginuid where loginuid already set in session.
>
> This fix temporarily disables pam_loginuid in /etc/pam.d/login
> as a workaround. This has no effect on testing purpose of
> this test.
>
> The check for auid in augrok is not needed for this test.
> The loginuid remains unchanged because of this workaround.
Sorry, but I don't understand what you're saying here.
What's broken?
Why is this workaround ok?
Why don't we need to check the auid when having it set correctly
is an important part of logging in?
If something has changed causing us to no longer have a valid
login test, I'd rather see the test fail until we do have a valid
login test.
-- ljk
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/libpam/tests/test_login.bash | 4 ++++
> audit-test/libpam/tests/test_mls_default_login.bash | 9 +++++++--
> audit-test/libpam/tests/test_mls_level_login.bash | 9 +++++++--
> audit-test/libpam/tests/test_mls_level_login_fail.bash | 14 +++++++++++---
> audit-test/libpam/tests/test_namespace.bash | 9 +++++++--
> audit-test/trustedprograms/tests/test_lpq.bash | 5 +++++
> 6 files changed, 41 insertions(+), 9 deletions(-)
>
> diff --git a/audit-test/libpam/tests/test_login.bash b/audit-test/libpam/tests/test_login.bash
> index 3d05afa..d834900 100755
> --- a/audit-test/libpam/tests/test_login.bash
> +++ b/audit-test/libpam/tests/test_login.bash
> @@ -26,7 +26,11 @@ chmod 666 $localtmp
>
> # turn off screen in /etc/profile
> backup /etc/profile
> +backup /etc/pam.d/login
> sed -i 's/\[ -w $(tty) \]/false/' /etc/profile
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>
> # if in LSPP mode, map the TEST_USER to staff_u
> if [[ $PPROFILE == "lspp" ]]; then
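Review bot: commenting out the pam_loginuid session line switches off the module that sets the audit loginuid for the session under test, so the login stack being exercised is no longer the one shipped in /etc/pam.d/login, and the restore depends on `backup` cleanup running; if the test is killed before that, the host is left with a login stack that does not set loginuid. The commit message should state the concrete failure (which call fails and with what error) so the workaround can be reverted once the RHEL7 behaviour is understood.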
> diff --git a/audit-test/libpam/tests/test_mls_default_login.bash b/audit-test/libpam/tests/test_mls_default_login.bash
> index 6fca015..ac7f2b7 100755
> --- a/audit-test/libpam/tests/test_mls_default_login.bash
> +++ b/audit-test/libpam/tests/test_mls_default_login.bash
> @@ -44,6 +44,11 @@ fi
> # use backup (and automatic restore) to work around this
> backup /var/run/utmp
>
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +backup /etc/pam.d/login
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> +
> # test
> (
> export localtmp
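Review bot: this four-line workaround block is duplicated verbatim in six tests in this patch; a helper in the shared functions (next to `backup`) would keep it in one place and make the eventual removal a one-line change.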
> @@ -63,11 +68,11 @@ pts=${pts##*/}
> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*"
> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> subj=$login_context || exit_fail
> # Check for ROLE_ASSIGN event for testuser
> augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
> # Check for USER_ROLE_CHANGE for login command
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" || exit_fail "USER_ROLE_CHANGE does not match"
>
> exit_pass
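Review bot: removing `auid=$auid` from the USER_START and USER_ROLE_CHANGE queries loosens the match: any record for $TEST_USER from login on that pts now passes, including one left over from an earlier session. If the auid is really unchanged because pam_loginuid is disabled, the field can stay with the expected inherited value rather than being dropped, which is the point the review above raises.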
> diff --git a/audit-test/libpam/tests/test_mls_level_login.bash b/audit-test/libpam/tests/test_mls_level_login.bash
> index 436bcda..063647f 100755
> --- a/audit-test/libpam/tests/test_mls_level_login.bash
> +++ b/audit-test/libpam/tests/test_mls_level_login.bash
> @@ -42,6 +42,11 @@ fi
> # use backup (and automatic restore) to work around this
> backup /var/run/utmp
>
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +backup /etc/pam.d/login
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> +
> # test
> (
> export localtmp
> @@ -68,7 +73,7 @@ fi
> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> subj=$login_context || exit_fail
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" auid=$auid || exit_fail
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" || exit_fail
> exit_pass
> diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> index 92562f9..ba04604 100755
> --- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
> +++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> @@ -42,6 +42,11 @@ fi
> # use backup (and automatic restore) to work around this
> backup /var/run/utmp
>
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +backup /etc/pam.d/login
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> +
> # test
> (
> export localtmp
> @@ -52,11 +57,14 @@ backup /var/run/utmp
> expect -nocase {level} {send "Y\r"}
> expect -nocase {role:} {send "\r"}
> expect -nocase {level:} {send "s15\r"}
> - expect -nocase {"authentication failure"} {close; wait}'
> + expect {
> + -nocase {"authentication failure"} {close; wait}
> + -nocase {"Cannot make/remove"} {close; wait}
> + }'
> )
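Review bot: accepting "Cannot make/remove" as an alternative to "authentication failure" changes what counts as the expected outcome; that text is login's session-open error, not an authentication rejection, so the test now passes on two different failure paths. Add a comment saying which path produces it on RHEL7 and why both satisfy this test.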
>
> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> subj=$login_context || exit_fail
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" auid=$auid || exit_fail
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" || exit_fail
> exit_pass
> diff --git a/audit-test/libpam/tests/test_namespace.bash b/audit-test/libpam/tests/test_namespace.bash
> index 6fb20da..6642350 100755
> --- a/audit-test/libpam/tests/test_namespace.bash
> +++ b/audit-test/libpam/tests/test_namespace.bash
> @@ -59,6 +59,11 @@ backup /var/run/utmp
> backup /etc/security/namespace.conf
> echo "/tmp /tmp-parent/tmp-inst/ level root,adm" > /etc/security/namespace.conf
>
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +backup /etc/pam.d/login
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> +
> tmpinstdir=/tmp-parent/tmp-inst/
> tmpnewfile=/tmp/newfile
>
> @@ -87,7 +92,7 @@ auditctl -a entry,always ${MODE:+-F arch=b$MODE} -S open -F uid=$auid || \
> )
> # Check the path and context in the audit record.
> augrok type==SYSCALL \
> - subj=$s0_context auid=$auid success=yes \
> + subj=$s0_context success=yes \
> name=$tmpnewfile obj=$s0_obj\
> || exit_fail "missing audit record"
>
> @@ -110,7 +115,7 @@ log_mark=$(stat -c %s $audit_log)
>
> # Check the path and context in the audit record.
> augrok --seek=$log_mark type==SYSCALL \
> - subj=$s2_context auid=$auid success=yes \
> + subj=$s2_context success=yes \
> name=$tmpnewfile obj=$s2_obj\
> || exit_fail "missing audit record"
>
> diff --git a/audit-test/trustedprograms/tests/test_lpq.bash b/audit-test/trustedprograms/tests/test_lpq.bash
> index 0cbd45f..ee0f60d 100755
> --- a/audit-test/trustedprograms/tests/test_lpq.bash
> +++ b/audit-test/trustedprograms/tests/test_lpq.bash
> @@ -50,6 +50,11 @@ backup /var/run/utmp
> semanage login -a -s staff_u -r SystemLow-SystemHigh $TEST_USER || \
> exit_error "unable to set $TEST_USER to staff_u"
>
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +backup /etc/pam.d/login
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> +
> # test
> prepend_cleanup rm -f $CON1OUT $CON2OUT
> runcon $LPQ1CON lpq -P $printer > $CON1OUT
>
|
|
From: Linda K. <lin...@hp...> - 2013-08-27 18:09:04
|
Looks good, thanks.
-- ljk
On 08/21/13 12:23, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> Due to the /bin->/usr/bin move these tests needed update. They
> are now backward compatible and accept login binary paths
> for both RHEL6 and RHEL7.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/libpam/tests/test_mls_default_login.bash | 4 ++--
> audit-test/libpam/tests/test_mls_level_login.bash | 4 ++--
> audit-test/libpam/tests/test_mls_level_login_fail.bash | 4 ++--
> 3 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/audit-test/libpam/tests/test_mls_default_login.bash b/audit-test/libpam/tests/test_mls_default_login.bash
> index d964446..6fca015 100755
> --- a/audit-test/libpam/tests/test_mls_default_login.bash
> +++ b/audit-test/libpam/tests/test_mls_default_login.bash
> @@ -60,7 +60,7 @@ backup /var/run/utmp
> pts=$(<$localtmp)
> pts=${pts##*/}
>
> -msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* terminal=pts/$pts res=success.*"
> +msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*"
> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
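Review bot: `exe=.(/usr)?/bin/login.*` keeps the pre-existing `.` wildcard standing in for the quote before the path, so it also matches any longer path that ends in `/bin/login`; since the path is exactly what this change is about, `exe=\"(/usr)?/bin/login\"` would be tighter. Pre-existing, so fine to defer.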
> @@ -68,6 +68,6 @@ augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> # Check for ROLE_ASSIGN event for testuser
> augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
> # Check for USER_ROLE_CHANGE for login command
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=./bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
>
> exit_pass
> diff --git a/audit-test/libpam/tests/test_mls_level_login.bash b/audit-test/libpam/tests/test_mls_level_login.bash
> index dfc0fe0..436bcda 100755
> --- a/audit-test/libpam/tests/test_mls_level_login.bash
> +++ b/audit-test/libpam/tests/test_mls_level_login.bash
> @@ -65,10 +65,10 @@ if [[ $sel_context != $sel_context2 ]]; then
> exit_fail;
> fi
>
> -msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* res=success.*"
> +msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> subj=$login_context || exit_fail
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=./bin/login.* res=success.*" auid=$auid || exit_fail
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" auid=$auid || exit_fail
> exit_pass
> diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> index bad9a54..92562f9 100755
> --- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
> +++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> @@ -55,8 +55,8 @@ backup /var/run/utmp
> expect -nocase {"authentication failure"} {close; wait}'
> )
>
> -msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* res=failed.*"
> +msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
> augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> subj=$login_context || exit_fail
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=./bin/login.* res=failed.*" auid=$auid || exit_fail
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" auid=$auid || exit_fail
> exit_pass
>
|
|
From: Linda K. <lin...@hp...> - 2013-08-27 18:08:23
|
On 08/21/13 12:23, Jiri Jaburek wrote: > The test description states that: > "Verify that the tar program preserves file security contexts." > > and tar has an explicit option for that: > --selinux > Save the SELinux context to the archive. I think "file security contexts" means more than SELinux context. What about non-selinux security information, like ACLs? Aren't they also stored in extended attributes? I guess the test was only creating/ checking SELinux contexts but the other is important as well, even if not well tested. > This change fixes the test for RHEL7, but also makes sense for RHEL6. What was broken with RHEL7? -- ljk > > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/misc/tests/test_tar.bash | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/audit-test/misc/tests/test_tar.bash b/audit-test/misc/tests/test_tar.bash > index 8ea8da9..7b2d735 100755 > --- a/audit-test/misc/tests/test_tar.bash > +++ b/audit-test/misc/tests/test_tar.bash > @@ -56,7 +56,7 @@ chmod 744 $FILE_DIR/fileSecret || exit_fail > chcon -t bin_t -l Secret $FILE_DIR/fileSecret || exit_fail > > # Pack up the files in the test_files directory > -tar cf $TAR_FILE --xattrs -H posix -C $FILE_DIR . > +tar cf $TAR_FILE --selinux -H posix -C $FILE_DIR . > > # Verify the files were successfully packed > if [ $? != 0 ]; then > @@ -64,7 +64,7 @@ if [ $? != 0 ]; then > fi > > # Unpack the files > -tar xvf $TAR_FILE --xattrs -C $EXTRACT_DIR > +tar xvf $TAR_FILE --selinux -C $EXTRACT_DIR > if [ $? != 0 ]; then > exit_error "Error unpacking tar archive" > fi > |
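Review bot: `--xattrs` and `--selinux` are not equivalent: `--xattrs` archives extended attributes in general, while `--selinux` archives only the SELinux context, and POSIX ACLs are a separate tar feature (`--acls`). If "file security contexts" is meant to cover ACLs as well, as the reply above asks, `--xattrs --selinux --acls` on both the create and extract lines covers both; the commit message should also say what actually failed with `--xattrs` on RHEL7.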
|
From: Linda K. <lin...@hp...> - 2013-08-27 18:01:06
|
Yikes! How did that ever work. Looks good.
-- ljk
On 08/21/13 12:23, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> The option --xattr is a typo. The correct option is --xattrs.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/audit-remote/tests/remote_call.bash | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/audit-test/audit-remote/tests/remote_call.bash b/audit-test/audit-remote/tests/remote_call.bash
> index 3a6e7ad..77a4080 100755
> --- a/audit-test/audit-remote/tests/remote_call.bash
> +++ b/audit-test/audit-remote/tests/remote_call.bash
> @@ -58,7 +58,7 @@ conf_backup="/tmp/audit_conf_backup.tgz"
> # Configuration related functions
>
> remote_audit_backup() {
> - tar -cvz --xattr -f $conf_backup $audit_files
> + tar -cvz --xattrs -f $conf_backup $audit_files
> }
>
> # Configure NS to act as a server
>
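Review bot: tar's exit status becomes the function's return value, but nothing visible here checks it; the misspelt option would have made tar fail every time, which apparently went unnoticed (as the reply above says). Add `|| exit_error "audit config backup failed"` (exit_error is used elsewhere in the suite) or have the caller check the return, so a failed backup stops the test before the configuration is modified.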
|
|
From: Linda K. <lin...@hp...> - 2013-08-27 17:59:54
|
Looks good, thanks.
-- ljk
On 08/21/13 12:23, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> The new cryptsetup package changed the string that is asking
> for LUKS password. The patch now expectes smaller string and
> so accepts all previously used strings.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/utils/tp_luks_functions.bash | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/audit-test/utils/tp_luks_functions.bash b/audit-test/utils/tp_luks_functions.bash
> index 3a1a928..34d594e 100644
> --- a/audit-test/utils/tp_luks_functions.bash
> +++ b/audit-test/utils/tp_luks_functions.bash
> @@ -33,7 +33,7 @@ function create_luks {
> set timeout $TIMEOUT
> spawn cryptsetup luksFormat $LOOPDEV
> expect {Are you sure} {send \"YES\r\"}
> - expect {Enter LUKS} {send \"$1\r\"}
> + expect {Enter} {send \"$1\r\"}
> expect {Verify} {send \"$1\r\"}
> expect eof
> "
>
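Review bot: `expect {Enter}` now matches any prompt containing "Enter", which is safe for today's luksFormat dialogue but brittle; if the new prompt still mentions the passphrase (assumption: its exact wording is not in the patch), `expect -re {Enter.*pass}` keeps the tolerance without matching an unrelated prompt, and a comment naming the old and new strings would document why the pattern was loosened.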
|
|
From: Linda K. <lin...@hp...> - 2013-08-27 17:59:30
|
Ok, thanks.
-- ljk
On 08/21/13 12:23, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> Starting from RHEL7 the default cipher mode for LUKS devices has
> changed. The change is in conformance with the accepted ciphers in RHEL6
> Security Target document.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/utils/tp_luks_functions.bash | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/audit-test/utils/tp_luks_functions.bash b/audit-test/utils/tp_luks_functions.bash
> index 1099496..3a1a928 100644
> --- a/audit-test/utils/tp_luks_functions.bash
> +++ b/audit-test/utils/tp_luks_functions.bash
> @@ -58,7 +58,7 @@ function check_luks {
>
> # Check for correct parameters
> egrep "Cipher name.*aes" $TMP || exit_fail "Failed check on cipher name"
> - egrep "Cipher mode.*cbc-essiv:sha256" $TMP || \
> + egrep "Cipher mode.*(cbc-essiv:sha256|xts-plain64)" $TMP || \
> exit_fail "Failed check on cipher mode"
> egrep "Hash spec.*sha1" $TMP || exit_fail "Failed check on hash spec"
>
>
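Review bot: the commit message cites the RHEL6 Security Target for a RHEL7 default change; name the document and section that permit xts-plain64 in a comment next to the regex so the accepted-cipher list can be audited later, and note that the `Hash spec.*sha1` line just below is the same kind of version-dependent default and may need the same treatment.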
|
|
From: Linda K. <lin...@hp...> - 2013-08-27 17:58:36
|
On 08/21/13 12:22, Jiri Jaburek wrote: > The old password were detected as dictionary ones by newer PAM > versions, probably due to 'paSs' substring. Odd that PaSs gets picked up but MeSs doesn't, but ok. -- ljk > > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/crypto/tests/test_cryptsetup_access.bash | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/audit-test/crypto/tests/test_cryptsetup_access.bash b/audit-test/crypto/tests/test_cryptsetup_access.bash > index c41adef..af275e3 100755 > --- a/audit-test/crypto/tests/test_cryptsetup_access.bash > +++ b/audit-test/crypto/tests/test_cryptsetup_access.bash > @@ -37,9 +37,9 @@ source tp_luks_functions.bash || exit 2 > ### defaults > DMCRYPT="cryptfs" > DMCRYPTDEV="/dev/mapper/$DMCRYPT" > -LUKSPASS="7k+paSs" > -LUKSPASSND="2nd7k+paSs!!!" > -LUKSPASSRD="paSs!!1444b_" > +LUKSPASS="kc3%a9?cF]X" > +LUKSPASSND="2nd7k+meSs!!!" > +LUKSPASSRD="meSs!!1444b_" > MOUNT="/mnt/crypt" > > ### functions > |
|
From: Linda K. <lin...@hp...> - 2013-08-27 17:55:02
|
Looks good, thanks. -- ljk On 08/21/13 12:22, Jiri Jaburek wrote: > From: Miroslav Vadkerti <mva...@re...> > > In RHEL7 qemu_t became an alias to the svirt_t domain. This patch > fixes expected AVC scontext because of this change. > > This change is backward compatible with RHEL6. > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > --- > audit-test/kvm/test_selinux_chcon_resource.bash | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/audit-test/kvm/test_selinux_chcon_resource.bash b/audit-test/kvm/test_selinux_chcon_resource.bash > index e9646d3..edf4517 100755 > --- a/audit-test/kvm/test_selinux_chcon_resource.bash > +++ b/audit-test/kvm/test_selinux_chcon_resource.bash > @@ -64,7 +64,8 @@ for i in $(seq $first $last); do > exit_fail > fi > > - expression="type==AVC and extra_text=~denied and comm==runcon and scontext=~qemu_t" > + # We need to check for svirt_t starting from RHEL7 too because qemu_t became an alias to it > + expression="type==AVC and extra_text=~denied and comm==runcon and scontext=~(qemu_t|svirt_t)" > > if [[ $(augrok -c --seek $offset $expression) -eq 0 ]]; then > exit_fail > |
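Review bot: `scontext=~(qemu_t|svirt_t)` matches as a substring, so `svirt_t` also matches longer type names such as `svirt_tcg_t`; since the type in a context string is followed by `:` and the level, `(qemu_t|svirt_t):` pins the match to the exact type.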
|
From: Linda K. <lin...@hp...> - 2013-08-27 17:54:25
|
Thanks for the fix. -- ljk On 08/21/13 12:22, Jiri Jaburek wrote: > From: Miroslav Vadkerti <mva...@re...> > > Starting from RHEL6.3 the clearpart --initlabel does not initialize > devices. The zerombr command is needed for the installation to work > with guests >= RHEL6.3. > > Signed-off-by: Miroslav Vadkerti <mva...@re...> > --- > audit-test/kvm/KVM-Guest-N-ks.cfg | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/audit-test/kvm/KVM-Guest-N-ks.cfg b/audit-test/kvm/KVM-Guest-N-ks.cfg > index db11011..f54d1bf 100644 > --- a/audit-test/kvm/KVM-Guest-N-ks.cfg > +++ b/audit-test/kvm/KVM-Guest-N-ks.cfg > @@ -32,6 +32,7 @@ poweroff > for i in $(find /dev -regex '^/dev/\(hd\|sd\|vd\|xvd\)[a-z]+$' -print | sort); do > dev=$(basename $i) > echo "clearpart --all --drives=$dev --initlabel" > /tmp/part-include > + echo "zerombr" >> /tmp/part-include > echo "part /boot --fstype ext3 --size=100 --ondisk=$dev" >> /tmp/part-include > echo "part pv.1 --size=1 --grow --ondisk=$dev" >> /tmp/part-include > echo "volgroup VolGroup00 --pesize=32768 pv.1" >> /tmp/part-include > |
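Review bot: `zerombr` is a global kickstart command but is emitted inside the per-disk loop, and the `>` redirect on the clearpart line re-truncates /tmp/part-include on every iteration, so only the last disk's lines survive (pre-existing). If a single disk is the intended case, say so in a comment; otherwise emit zerombr once before the loop and make the clearpart line append.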
|
From: Linda K. <lin...@hp...> - 2013-08-27 17:53:49
|
Looks good, thanks.
-- ljk
On 08/21/13 12:22, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> For specifying USB passthrough device the USB bus and device numbers
> need to be specified in the xml for RHEL7.
>
> This change should be backward compatible.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/kvm-iommu/test_usb_passthrough.bash | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/audit-test/kvm-iommu/test_usb_passthrough.bash b/audit-test/kvm-iommu/test_usb_passthrough.bash
> index f3d0198..1d256a2 100755
> --- a/audit-test/kvm-iommu/test_usb_passthrough.bash
> +++ b/audit-test/kvm-iommu/test_usb_passthrough.bash
> @@ -113,6 +113,7 @@ generate_usb_dev_file() {
> <source>
> <vendor id='0x$usb_vendor'/>
> <product id='0x$usb_product'/>
> + <address bus='$usb_bus' device='$usb_device'/>
> </source>
> </hostdev>
> EOX
>
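Review bot: the `<address bus='$usb_bus' device='$usb_device'/>` element carries no `0x` prefix, so the values are read as decimal; elsewhere in this series the same variables form the path /dev/bus/usb/$usb_bus/$usb_device, whose components are zero-padded names such as 001. Confirm that the zero-padded form is accepted here, or strip the padding when generating the XML.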
|
|
From: Linda K. <lin...@hp...> - 2013-08-27 17:53:27
|
Thanks for the cleanup.
-- ljk
On 08/21/13 12:22, Jiri Jaburek wrote:
> Signed-off-by: Jiri Jaburek <jja...@re...>
> ---
> audit-test/kvm-iommu/test_usb_passthrough.bash | 13 -------------
> 1 file changed, 13 deletions(-)
>
> diff --git a/audit-test/kvm-iommu/test_usb_passthrough.bash b/audit-test/kvm-iommu/test_usb_passthrough.bash
> index e9cf702..f3d0198 100755
> --- a/audit-test/kvm-iommu/test_usb_passthrough.bash
> +++ b/audit-test/kvm-iommu/test_usb_passthrough.bash
> @@ -230,19 +230,6 @@ check_usb_device_dynamic() {
> return $rc
> }
>
> -# Check if USB device has the owner and SELinux label
> -# set to the host system and no guest
> -check_usb_device() {
> - local owner label
> - owner=$(stat -c "%U:%G" /dev/bus/usb/$usb_bus/$usb_device)
> - [ $owner != "qemu:qemu" ] && ((rc+=1))
> -
> - label=$(stat -c "%C" /dev/bus/usb/$usb_bus/$usb_device)
> - echo $label | grep "svirt_image_t:s0:c50,c70" || ((rc+=1))
> -
> - return $rc
> -}
> -
> # Check if USB device cannot be accessed by an rogue VM
> # This test expects
> rogue_usb_device_access() {
>
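Review bot: the commit message is only the Signed-off-by line; state why check_usb_device is removed (for example that check_usb_device_dynamic above now covers it) so the history explains the deletion. The removed function also used `rc` without initialising it; worth verifying the surviving function does.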
|
|
From: Linda K. <lin...@hp...> - 2013-08-27 17:50:26
|
Not my area but I trust you. :-)
-- ljk
On 08/21/13 12:21, Jiri Jaburek wrote:
> This supplements commit d3e623abc0 by allowing an IPv6 version
> of (IPv4) ARP, making discovery of IPv6:MAC possible on a link.
>
> Signed-off-by: Jiri Jaburek <jja...@re...>
> ---
> audit-test/netfilebt/run.conf | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/audit-test/netfilebt/run.conf b/audit-test/netfilebt/run.conf
> index 14318be..290bb5e 100644
> --- a/audit-test/netfilebt/run.conf
> +++ b/audit-test/netfilebt/run.conf
> @@ -526,6 +526,8 @@ prepend_cleanup 'network_cleanup'
> function ebtaudit_setup {
>
> ebtables -A INPUT -p arp -j ACCEPT
> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-solicitation -j ACCEPT
> +ebtables -A INPUT -p ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type neighbour-advertisement -j ACCEPT
>
> ebtables -N AUDIT_DROP
> ebtables -A AUDIT_DROP -j AUDIT --audit-type DROP
>
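Review bot: the two ACCEPT rules are the IPv6 counterpart of the `-p arp` ACCEPT above, but nothing in the file says so; add a comment naming the intent (neighbour solicitation/advertisement must pass for IPv6-to-MAC resolution on the link) and the commit this supplements, since the remaining ICMPv6 types will still land in AUDIT_DROP and a later reader may wonder why only these two are exempted.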
|