From: Linda K. <lin...@hp...> - 2013-08-27 17:58:36
On 08/21/13 12:22, Jiri Jaburek wrote:
> The old passwords were detected as dictionary ones by newer PAM
> versions, probably due to 'paSs' substring.

Odd that PaSs gets picked up but MeSs doesn't, but ok.
-- ljk

>
> Signed-off-by: Jiri Jaburek <jja...@re...>
> ---
> audit-test/crypto/tests/test_cryptsetup_access.bash | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/audit-test/crypto/tests/test_cryptsetup_access.bash b/audit-test/crypto/tests/test_cryptsetup_access.bash
> index c41adef..af275e3 100755
> --- a/audit-test/crypto/tests/test_cryptsetup_access.bash
> +++ b/audit-test/crypto/tests/test_cryptsetup_access.bash
> @@ -37,9 +37,9 @@ source tp_luks_functions.bash || exit 2
> ### defaults
> DMCRYPT="cryptfs"
> DMCRYPTDEV="/dev/mapper/$DMCRYPT"
> -LUKSPASS="7k+paSs"
> -LUKSPASSND="2nd7k+paSs!!!"
> -LUKSPASSRD="paSs!!1444b_"
> +LUKSPASS="kc3%a9?cF]X"
> +LUKSPASSND="2nd7k+meSs!!!"
> +LUKSPASSRD="meSs!!1444b_"
> MOUNT="/mnt/crypt"
>
> ### functions
>
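Review bot: only LUKSPASS was replaced with a random-looking string; LUKSPASSND and LUKSPASSRD keep the old structure with a one-letter substitution (`2nd7k+meSs!!!`, `meSs!!1444b_`), so they stay one dictionary-rule change away from being rejected again by the PAM dictionary check, which is what the 'MeSs' remark above points at. Suggest giving all three values the same treatment as LUKSPASS so the test does not depend on which substrings the current check happens to flag.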
From: Jiri J. <jja...@re...> - 2013-08-21 16:23:13
From: Miroslav Vadkerti <mva...@re...>
Starting from RHEL7 the default cipher mode for LUKS devices has
changed. The change is in conformance with the accepted ciphers in RHEL6
Security Target document.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/utils/tp_luks_functions.bash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audit-test/utils/tp_luks_functions.bash b/audit-test/utils/tp_luks_functions.bash
index 1099496..3a1a928 100644
--- a/audit-test/utils/tp_luks_functions.bash
+++ b/audit-test/utils/tp_luks_functions.bash
@@ -58,7 +58,7 @@ function check_luks {
# Check for correct parameters
egrep "Cipher name.*aes" $TMP || exit_fail "Failed check on cipher name"
- egrep "Cipher mode.*cbc-essiv:sha256" $TMP || \
+ egrep "Cipher mode.*(cbc-essiv:sha256|xts-plain64)" $TMP || \
exit_fail "Failed check on cipher mode"
egrep "Hash spec.*sha1" $TMP || exit_fail "Failed check on hash spec"
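Review bot: the alternation accepts either mode on every release, so the check no longer asserts that a RHEL7 device actually got the new default; a RHEL7 box that somehow fell back to `cbc-essiv:sha256` would still pass. Since the commit message ties `xts-plain64` to RHEL7, selecting one expected value from the release rather than accepting both would keep the check meaningful. Independently, `Cipher mode.*(...)` is unanchored; something like `egrep "^Cipher mode:[[:space:]]*(cbc-essiv:sha256|xts-plain64)"` keeps a stray later field in the luksDump output from satisfying it.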
--
1.8.3.1
Re: [Audit-test-developer] [PATCH 11/19] crypto/luks_functions: Add new cipher xts-plain64 for RHEL7
From: Linda K. <lin...@hp...> - 2013-08-27 17:59:30
Ok, thanks.
-- ljk
On 08/21/13 12:23, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> Starting from RHEL7 the default cipher mode for LUKS devices has
> changed. The change is in conformance with the accepted ciphers in RHEL6
> Security Target document.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/utils/tp_luks_functions.bash | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/audit-test/utils/tp_luks_functions.bash b/audit-test/utils/tp_luks_functions.bash
> index 1099496..3a1a928 100644
> --- a/audit-test/utils/tp_luks_functions.bash
> +++ b/audit-test/utils/tp_luks_functions.bash
> @@ -58,7 +58,7 @@ function check_luks {
>
> # Check for correct parameters
> egrep "Cipher name.*aes" $TMP || exit_fail "Failed check on cipher name"
> - egrep "Cipher mode.*cbc-essiv:sha256" $TMP || \
> + egrep "Cipher mode.*(cbc-essiv:sha256|xts-plain64)" $TMP || \
> exit_fail "Failed check on cipher mode"
> egrep "Hash spec.*sha1" $TMP || exit_fail "Failed check on hash spec"
>
>
From: Jiri J. <jja...@re...> - 2013-08-21 16:23:27
From: Miroslav Vadkerti <mva...@re...>
The new cryptsetup package changed the string that is asking
for LUKS password. The patch now expects a smaller string and
so accepts all previously used strings.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/utils/tp_luks_functions.bash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audit-test/utils/tp_luks_functions.bash b/audit-test/utils/tp_luks_functions.bash
index 3a1a928..34d594e 100644
--- a/audit-test/utils/tp_luks_functions.bash
+++ b/audit-test/utils/tp_luks_functions.bash
@@ -33,7 +33,7 @@ function create_luks {
set timeout $TIMEOUT
spawn cryptsetup luksFormat $LOOPDEV
expect {Are you sure} {send \"YES\r\"}
- expect {Enter LUKS} {send \"$1\r\"}
+ expect {Enter} {send \"$1\r\"}
expect {Verify} {send \"$1\r\"}
expect eof
"
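Review bot: `expect {Enter}` matches any output containing the word Enter, not just the passphrase prompt. A narrower pattern that still covers both the old `Enter LUKS passphrase` wording and the shorter new one (assuming the new prompt still contains "passphrase"), e.g. `expect -re {Enter.*passphrase}`, keeps the passphrase from being sent in reply to some other line. This block also has no timeout arm, so if the prompt changes again the script sends nothing and the failure only surfaces later at `Verify`; an explicit `timeout { exit 1 }` arm would make that visible at the point it happens.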
--
1.8.3.1
From: Linda K. <lin...@hp...> - 2013-08-27 17:59:54
Looks good, thanks.
-- ljk
On 08/21/13 12:23, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> The new cryptsetup package changed the string that is asking
> for LUKS password. The patch now expects a smaller string and
> so accepts all previously used strings.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/utils/tp_luks_functions.bash | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/audit-test/utils/tp_luks_functions.bash b/audit-test/utils/tp_luks_functions.bash
> index 3a1a928..34d594e 100644
> --- a/audit-test/utils/tp_luks_functions.bash
> +++ b/audit-test/utils/tp_luks_functions.bash
> @@ -33,7 +33,7 @@ function create_luks {
> set timeout $TIMEOUT
> spawn cryptsetup luksFormat $LOOPDEV
> expect {Are you sure} {send \"YES\r\"}
> - expect {Enter LUKS} {send \"$1\r\"}
> + expect {Enter} {send \"$1\r\"}
> expect {Verify} {send \"$1\r\"}
> expect eof
> "
>
From: Jiri J. <jja...@re...> - 2013-08-21 16:23:38
From: Miroslav Vadkerti <mva...@re...>
The option --xattr is a typo. The correct option is --xattrs.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/audit-remote/tests/remote_call.bash | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audit-test/audit-remote/tests/remote_call.bash b/audit-test/audit-remote/tests/remote_call.bash
index 3a6e7ad..77a4080 100755
--- a/audit-test/audit-remote/tests/remote_call.bash
+++ b/audit-test/audit-remote/tests/remote_call.bash
@@ -58,7 +58,7 @@ conf_backup="/tmp/audit_conf_backup.tgz"
# Configuration related functions
remote_audit_backup() {
- tar -cvz --xattr -f $conf_backup $audit_files
+ tar -cvz --xattrs -f $conf_backup $audit_files
}
# Configure NS to act as a server
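Review bot: the tar call's exit status is still not checked, which is why the broken option went unnoticed: `remote_audit_backup` returns whatever tar returned and nothing acts on it, so an unusable backup only shows up when the later restore runs. Suggest `tar -cvz --xattrs -f $conf_backup $audit_files || exit_error "audit config backup failed"`. As for "how did that ever work": GNU tar accepts unambiguous abbreviations of long options, so `--xattr` was probably taken as `--xattrs` on a tar that had no other `--xattrs-*` options to make it ambiguous.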
--
1.8.3.1
From: Linda K. <lin...@hp...> - 2013-08-27 18:01:06
Yikes! How did that ever work. Looks good.
-- ljk
On 08/21/13 12:23, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> The option --xattr is a typo. The correct option is --xattrs.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/audit-remote/tests/remote_call.bash | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/audit-test/audit-remote/tests/remote_call.bash b/audit-test/audit-remote/tests/remote_call.bash
> index 3a6e7ad..77a4080 100755
> --- a/audit-test/audit-remote/tests/remote_call.bash
> +++ b/audit-test/audit-remote/tests/remote_call.bash
> @@ -58,7 +58,7 @@ conf_backup="/tmp/audit_conf_backup.tgz"
> # Configuration related functions
>
> remote_audit_backup() {
> - tar -cvz --xattr -f $conf_backup $audit_files
> + tar -cvz --xattrs -f $conf_backup $audit_files
> }
>
> # Configure NS to act as a server
>
From: Jiri J. <jja...@re...> - 2013-08-21 16:23:51
The test description states that:
"Verify that the tar program preserves file security contexts."
and tar has an explicit option for that:
--selinux
Save the SELinux context to the archive.
This change fixes the test for RHEL7, but also makes sense for RHEL6.
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/misc/tests/test_tar.bash | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/audit-test/misc/tests/test_tar.bash b/audit-test/misc/tests/test_tar.bash
index 8ea8da9..7b2d735 100755
--- a/audit-test/misc/tests/test_tar.bash
+++ b/audit-test/misc/tests/test_tar.bash
@@ -56,7 +56,7 @@ chmod 744 $FILE_DIR/fileSecret || exit_fail
chcon -t bin_t -l Secret $FILE_DIR/fileSecret || exit_fail
# Pack up the files in the test_files directory
-tar cf $TAR_FILE --xattrs -H posix -C $FILE_DIR .
+tar cf $TAR_FILE --selinux -H posix -C $FILE_DIR .
# Verify the files were successfully packed
if [ $? != 0 ]; then
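Review bot: `--selinux` is not present in every tar build (at this point it is a distribution-carried option), so on a tar without it this line hits a usage error and the `$?` check below reports a test failure rather than a setup problem. A one-time probe before the archive step, e.g. `tar --usage 2>/dev/null | grep -q -- --selinux || exit_error "tar without --selinux support"`, separates the two cases, and since the commit message extends the change to RHEL6 it is worth a sentence there as well.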
@@ -64,7 +64,7 @@ if [ $? != 0 ]; then
fi
# Unpack the files
-tar xvf $TAR_FILE --xattrs -C $EXTRACT_DIR
+tar xvf $TAR_FILE --selinux -C $EXTRACT_DIR
if [ $? != 0 ]; then
exit_error "Error unpacking tar archive"
fi
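Review bot: on the extract side `--selinux` is what makes tar apply the stored contexts; without it, files simply receive the label derived from `$EXTRACT_DIR`, which is exactly the difference this test is meant to observe. Because the setup labels the file with both a type and an MLS range (`chcon -t bin_t -l Secret`), the verification that follows this hunk should compare the full context string and not only the type, since the range is the part a default labeling would lose.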
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-08-21 16:24:02
From: Miroslav Vadkerti <mva...@re...>
Due to the /bin->/usr/bin move these tests needed update. They
are now backward compatible and accept login binary paths
for both RHEL6 and RHEL7.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/libpam/tests/test_mls_default_login.bash | 4 ++--
audit-test/libpam/tests/test_mls_level_login.bash | 4 ++--
audit-test/libpam/tests/test_mls_level_login_fail.bash | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/audit-test/libpam/tests/test_mls_default_login.bash b/audit-test/libpam/tests/test_mls_default_login.bash
index d964446..6fca015 100755
--- a/audit-test/libpam/tests/test_mls_default_login.bash
+++ b/audit-test/libpam/tests/test_mls_default_login.bash
@@ -60,7 +60,7 @@ backup /var/run/utmp
pts=$(<$localtmp)
pts=${pts##*/}
-msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* terminal=pts/$pts res=success.*"
+msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*"
augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
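Review bot: the `.` in `exe=.(/usr)?/bin/login` is there to stand in for the opening quote of `exe="/bin/login"`, but as a wildcard it also accepts any other character, so `exe=x/bin/login` would match too. The surrounding pattern already spells out `\"` for the acct field, so `exe=\"(/usr)?/bin/login\"` is both tighter and self-explanatory. The same applies to the other five occurrences in this patch.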
@@ -68,6 +68,6 @@ augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
# Check for ROLE_ASSIGN event for testuser
augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
# Check for USER_ROLE_CHANGE for login command
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=./bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
exit_pass
diff --git a/audit-test/libpam/tests/test_mls_level_login.bash b/audit-test/libpam/tests/test_mls_level_login.bash
index dfc0fe0..436bcda 100755
--- a/audit-test/libpam/tests/test_mls_level_login.bash
+++ b/audit-test/libpam/tests/test_mls_level_login.bash
@@ -65,10 +65,10 @@ if [[ $sel_context != $sel_context2 ]]; then
exit_fail;
fi
-msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* res=success.*"
+msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
subj=$login_context || exit_fail
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=./bin/login.* res=success.*" auid=$auid || exit_fail
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" auid=$auid || exit_fail
exit_pass
diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash b/audit-test/libpam/tests/test_mls_level_login_fail.bash
index bad9a54..92562f9 100755
--- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
+++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
@@ -55,8 +55,8 @@ backup /var/run/utmp
expect -nocase {"authentication failure"} {close; wait}'
)
-msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* res=failed.*"
+msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
subj=$login_context || exit_fail
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=./bin/login.* res=failed.*" auid=$auid || exit_fail
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" auid=$auid || exit_fail
exit_pass
--
1.8.3.1
From: Linda K. <lin...@hp...> - 2013-08-27 18:09:04
Looks good, thanks.
-- ljk
On 08/21/13 12:23, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> Due to the /bin->/usr/bin move these tests needed update. They
> are now backward compatible and accept login binary paths
> for both RHEL6 and RHEL7.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/libpam/tests/test_mls_default_login.bash | 4 ++--
> audit-test/libpam/tests/test_mls_level_login.bash | 4 ++--
> audit-test/libpam/tests/test_mls_level_login_fail.bash | 4 ++--
> 3 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/audit-test/libpam/tests/test_mls_default_login.bash b/audit-test/libpam/tests/test_mls_default_login.bash
> index d964446..6fca015 100755
> --- a/audit-test/libpam/tests/test_mls_default_login.bash
> +++ b/audit-test/libpam/tests/test_mls_default_login.bash
> @@ -60,7 +60,7 @@ backup /var/run/utmp
> pts=$(<$localtmp)
> pts=${pts##*/}
>
> -msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* terminal=pts/$pts res=success.*"
> +msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*"
> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> @@ -68,6 +68,6 @@ augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> # Check for ROLE_ASSIGN event for testuser
> augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
> # Check for USER_ROLE_CHANGE for login command
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=./bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
>
> exit_pass
> diff --git a/audit-test/libpam/tests/test_mls_level_login.bash b/audit-test/libpam/tests/test_mls_level_login.bash
> index dfc0fe0..436bcda 100755
> --- a/audit-test/libpam/tests/test_mls_level_login.bash
> +++ b/audit-test/libpam/tests/test_mls_level_login.bash
> @@ -65,10 +65,10 @@ if [[ $sel_context != $sel_context2 ]]; then
> exit_fail;
> fi
>
> -msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* res=success.*"
> +msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> subj=$login_context || exit_fail
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=./bin/login.* res=success.*" auid=$auid || exit_fail
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" auid=$auid || exit_fail
> exit_pass
> diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> index bad9a54..92562f9 100755
> --- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
> +++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> @@ -55,8 +55,8 @@ backup /var/run/utmp
> expect -nocase {"authentication failure"} {close; wait}'
> )
>
> -msg_1="acct=\"*$TEST_USER\"* exe=./bin/login.* res=failed.*"
> +msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
> augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> subj=$login_context || exit_fail
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=./bin/login.* res=failed.*" auid=$auid || exit_fail
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" auid=$auid || exit_fail
> exit_pass
>
From: Jiri J. <jja...@re...> - 2013-08-21 16:24:15
From: Miroslav Vadkerti <mva...@re...>
In recent RHEL7 kernel changes the loginuid call fails with
pam_loginuid where loginuid is already set in the session.
This fix temporarily disables pam_loginuid in /etc/pam.d/login
as a workaround. This has no effect on the testing purpose of
this test.
The check for auid in augrok is not needed for this test.
The loginuid remains unchanged because of this workaround.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/libpam/tests/test_login.bash | 4 ++++
audit-test/libpam/tests/test_mls_default_login.bash | 9 +++++++--
audit-test/libpam/tests/test_mls_level_login.bash | 9 +++++++--
audit-test/libpam/tests/test_mls_level_login_fail.bash | 14 +++++++++++---
audit-test/libpam/tests/test_namespace.bash | 9 +++++++--
audit-test/trustedprograms/tests/test_lpq.bash | 5 +++++
6 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/audit-test/libpam/tests/test_login.bash b/audit-test/libpam/tests/test_login.bash
index 3d05afa..d834900 100755
--- a/audit-test/libpam/tests/test_login.bash
+++ b/audit-test/libpam/tests/test_login.bash
@@ -26,7 +26,11 @@ chmod 666 $localtmp
# turn off screen in /etc/profile
backup /etc/profile
+backup /etc/pam.d/login
sed -i 's/\[ -w $(tty) \]/false/' /etc/profile
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
# if in LSPP mode, map the TEST_USER to staff_u
if [[ $PPROFILE == "lspp" ]]; then
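Review bot: this hunk (and the identical backup/sed pair repeated in the other five files of the patch) disables pam_loginuid unconditionally, but the commit message says the failure is specific to recent RHEL7 kernels; on RHEL6 the workaround silently removes loginuid handling from a login path the audit suite is otherwise meant to exercise. Guard it on the release (the script already branches on `$PPROFILE` two lines below, so the same style of check fits here) and move the pair into a shared helper in the libpam test functions so it lives in one place. The sed itself is fine; `\#` is just a literal `#` in the replacement.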
diff --git a/audit-test/libpam/tests/test_mls_default_login.bash b/audit-test/libpam/tests/test_mls_default_login.bash
index 6fca015..ac7f2b7 100755
--- a/audit-test/libpam/tests/test_mls_default_login.bash
+++ b/audit-test/libpam/tests/test_mls_default_login.bash
@@ -44,6 +44,11 @@ fi
# use backup (and automatic restore) to work around this
backup /var/run/utmp
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+backup /etc/pam.d/login
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
+
# test
(
export localtmp
@@ -63,11 +68,11 @@ pts=${pts##*/}
msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*"
augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
-augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
+augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
subj=$login_context || exit_fail
# Check for ROLE_ASSIGN event for testuser
augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
# Check for USER_ROLE_CHANGE for login command
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" || exit_fail "USER_ROLE_CHANGE does not match"
exit_pass
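Review bot: dropping `auid=$auid` from the USER_START and USER_ROLE_CHANGE matches removes the only field that tied these records to this test's login; with pam_loginuid commented out the records carry whatever auid the login process inherited, and the remaining fields (account, exe, pts, res) could be satisfied by a record left over from an earlier run. Seek from a mark taken before the login, as test_namespace does with `augrok --seek=$log_mark`, so the match is at least bounded to this run. The same applies to the matching hunks in test_mls_level_login and test_mls_level_login_fail.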
diff --git a/audit-test/libpam/tests/test_mls_level_login.bash b/audit-test/libpam/tests/test_mls_level_login.bash
index 436bcda..063647f 100755
--- a/audit-test/libpam/tests/test_mls_level_login.bash
+++ b/audit-test/libpam/tests/test_mls_level_login.bash
@@ -42,6 +42,11 @@ fi
# use backup (and automatic restore) to work around this
backup /var/run/utmp
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+backup /etc/pam.d/login
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
+
# test
(
export localtmp
@@ -68,7 +73,7 @@ fi
msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
-augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
+augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
subj=$login_context || exit_fail
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" auid=$auid || exit_fail
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" || exit_fail
exit_pass
diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash b/audit-test/libpam/tests/test_mls_level_login_fail.bash
index 92562f9..ba04604 100755
--- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
+++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
@@ -42,6 +42,11 @@ fi
# use backup (and automatic restore) to work around this
backup /var/run/utmp
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+backup /etc/pam.d/login
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
+
# test
(
export localtmp
@@ -52,11 +57,14 @@ backup /var/run/utmp
expect -nocase {level} {send "Y\r"}
expect -nocase {role:} {send "\r"}
expect -nocase {level:} {send "s15\r"}
- expect -nocase {"authentication failure"} {close; wait}'
+ expect {
+ -nocase {"authentication failure"} {close; wait}
+ -nocase {"Cannot make/remove"} {close; wait}
+ }'
)
msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
-augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
+augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
subj=$login_context || exit_fail
-augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" auid=$auid || exit_fail
+augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" || exit_fail
exit_pass
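Review bot: the expect block now accepts `"Cannot make/remove"` as an end of the session alongside `"authentication failure"`, but nothing in the commit message explains it, and in a test whose point is that a login to level s15 must fail, accepting a second error text means a failure for the wrong reason also passes. That string is the start of PAM's session-error message (a session module failed); if it is the pam_loginuid failure this patch works around, it should no longer occur once pam_loginuid is commented out above and the extra arm can be dropped, and if it is expected for another reason, say which module produces it in a comment. The `res=failed` checks below remain the real assertion, so at minimum document the arm.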
diff --git a/audit-test/libpam/tests/test_namespace.bash b/audit-test/libpam/tests/test_namespace.bash
index 6fb20da..6642350 100755
--- a/audit-test/libpam/tests/test_namespace.bash
+++ b/audit-test/libpam/tests/test_namespace.bash
@@ -59,6 +59,11 @@ backup /var/run/utmp
backup /etc/security/namespace.conf
echo "/tmp /tmp-parent/tmp-inst/ level root,adm" > /etc/security/namespace.conf
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+backup /etc/pam.d/login
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
+
tmpinstdir=/tmp-parent/tmp-inst/
tmpnewfile=/tmp/newfile
@@ -87,7 +92,7 @@ auditctl -a entry,always ${MODE:+-F arch=b$MODE} -S open -F uid=$auid || \
)
# Check the path and context in the audit record.
augrok type==SYSCALL \
- subj=$s0_context auid=$auid success=yes \
+ subj=$s0_context success=yes \
name=$tmpnewfile obj=$s0_obj\
|| exit_fail "missing audit record"
@@ -110,7 +115,7 @@ log_mark=$(stat -c %s $audit_log)
# Check the path and context in the audit record.
augrok --seek=$log_mark type==SYSCALL \
- subj=$s2_context auid=$auid success=yes \
+ subj=$s2_context success=yes \
name=$tmpnewfile obj=$s2_obj\
|| exit_fail "missing audit record"
diff --git a/audit-test/trustedprograms/tests/test_lpq.bash b/audit-test/trustedprograms/tests/test_lpq.bash
index 0cbd45f..ee0f60d 100755
--- a/audit-test/trustedprograms/tests/test_lpq.bash
+++ b/audit-test/trustedprograms/tests/test_lpq.bash
@@ -50,6 +50,11 @@ backup /var/run/utmp
semanage login -a -s staff_u -r SystemLow-SystemHigh $TEST_USER || \
exit_error "unable to set $TEST_USER to staff_u"
+# In RHEL7 the pam_loginuid fails if loginuid already set
+# for the purpose of this test we disable it temporarily
+backup /etc/pam.d/login
+sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
+
# test
prepend_cleanup rm -f $CON1OUT $CON2OUT
runcon $LPQ1CON lpq -P $printer > $CON1OUT
--
1.8.3.1
From: Jiri J. <jja...@re...> - 2013-08-21 16:24:27
From: Miroslav Vadkerti <mva...@re...>
This patch enhances the detection of clear screen after locking
idle screen session.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
.../trustedprograms/tests/test_screen_locking.bash | 2 +-
.../trustedprograms/tests/tp_screen_functions.bash | 26 +++++++++++++---------
2 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/audit-test/trustedprograms/tests/test_screen_locking.bash b/audit-test/trustedprograms/tests/test_screen_locking.bash
index 5e86dc7..ba4c69d 100755
--- a/audit-test/trustedprograms/tests/test_screen_locking.bash
+++ b/audit-test/trustedprograms/tests/test_screen_locking.bash
@@ -85,7 +85,7 @@ screen_check_badpass $TEST_USER $TEST_USER_PASSWD 2 || exit_fail \
# check if
# + escape sequence for clearing the screen sent if screen locked
# + kernel boot options contain "no-scroll" and "fbcon=scrollback:0"
-screen_check_clear $TEST_USER $TEST_USER_PASSWD 2 || exit_fail \
+screen_check_clear $TEST_USER $TEST_USER_PASSWD 5 || exit_fail \
"screen clear before locking failed ($?)"
# checks if
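Review bot: the timeout argument goes from 2 to 5 because tp_screen_functions now does `sleep 4` inside the first expect before sending the password, so the two numbers are coupled across files with no hint on this line. Either derive the sleep from `$3` inside `screen_check_clear` or add a comment here stating the minimum, otherwise the next person tuning this value will recreate the timeout.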
diff --git a/audit-test/trustedprograms/tests/tp_screen_functions.bash b/audit-test/trustedprograms/tests/tp_screen_functions.bash
index 853e1d6..c28f363 100644
--- a/audit-test/trustedprograms/tests/tp_screen_functions.bash
+++ b/audit-test/trustedprograms/tests/tp_screen_functions.bash
@@ -182,13 +182,13 @@ function screen_check_clear {
# To check you terminal type use the command
# echo $TERM
#
+ prepend_cleanup "rm -f $EXPSCRIPT"
cat > $EXPSCRIPT << EOT
set timeout $(($3+1))
spawn screen $4
-expect {
- -re ".*\\x1b\\x5c\\x5b\\x48\\x1b\\x5c\\x5b\\x4a.*" { send -- $2\r }
- -re ".*\\x1b\\x5c\\x5b\\x48\\x1b\\x5c\\x5b\\x32\\x4a.*" { send -- $2\r }
- default { exit 1 }
+expect {$1} {
+ sleep 4
+ send { send -- $2\r }
}
expect {
{$1} { send -- exit\r }
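Review bot: `send { send -- $2\r }` looks like an accidental double wrap: the braces make Tcl pass the text literally, so what reaches the lock prompt is ` send -- <password>\r ` with a backslash and an r rather than the password followed by a carriage return (the unquoted heredoc expands `$2` but leaves `\r` alone, and inside braces Tcl does not substitute it either). The removed lines had the right form, `send -- $2\r`. The old block also had `default { exit 1 }`; the new one has no timeout arm, so if the `{$1}` text never appears the script simply continues and the clear count below becomes the only signal that something went wrong.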
@@ -200,16 +200,20 @@ EOT
# run the expect script as user
chown ${1}:$1 $EXPSCRIPT
- /bin/su - -c "expect $EXPSCRIPT" $1
- RET=$?
+ EXPOUT=$(mktemp)
+ prepend_cleanup "rm -f $EXPOUT"
+ /bin/su - -c "expect $EXPSCRIPT" $1 &> $EXPOUT
+ hexdump -C $EXPOUT
+ # count the number of lines with clear screen
+ # screen should clear the screen 2 times after running
+ # and once after locking the screen
+ CLRCNT=$(cat $EXPOUT | xxd -p | tr -d '\n' | grep -o "$(clear | xxd -p)" | wc -l)
+ [ "$CLRCNT" -eq 3 ] && RET=0 || RET=1
# check if kernel cmdline contains required options for
# disabling framebuffer scrolling
- grep "no-scroll" /proc/cmdline || RET=4
- grep "fbcon=scrollback:0" /proc/cmdline || RET=5
-
- # remove the expect script
- rm -f $EXPSCRIPT
+ grep "no-scroll" /proc/cmdline || RET=2
+ grep "fbcon=scrollback:0" /proc/cmdline || RET=3
return $RET
}
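Review bot: counting matches on a newline-stripped hex dump can match at a nibble boundary: `grep -o` on the joined `xxd -p` stream does not know where bytes start, so the pattern can also match from the second hex digit of a preceding byte and inflate the count. Matching the raw bytes avoids that and drops the `cat |` and `tr` steps: `CLRCNT=$(grep -aoF -- "$(clear)" "$EXPOUT" | wc -l)`. Two smaller points: `clear` is evaluated under the harness's own TERM while the spawned screen uses its own, so the expected sequence can differ on another terminal type, which the comment above the heredoc already warns about; and `|| RET=2` / `|| RET=3` overwrite RET=1, so a failed clear count combined with a missing boot option is reported only as the boot-option code.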
--
1.8.3.1
From: Linda K. <lin...@hp...> - 2013-08-27 18:45:44
Looks better than the old code. :-)
-- ljk
On 08/21/13 12:24, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> This patch enhances the detection of clear screen after locking
> idle screen session.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> .../trustedprograms/tests/test_screen_locking.bash | 2 +-
> .../trustedprograms/tests/tp_screen_functions.bash | 26 +++++++++++++---------
> 2 files changed, 16 insertions(+), 12 deletions(-)
>
> diff --git a/audit-test/trustedprograms/tests/test_screen_locking.bash b/audit-test/trustedprograms/tests/test_screen_locking.bash
> index 5e86dc7..ba4c69d 100755
> --- a/audit-test/trustedprograms/tests/test_screen_locking.bash
> +++ b/audit-test/trustedprograms/tests/test_screen_locking.bash
> @@ -85,7 +85,7 @@ screen_check_badpass $TEST_USER $TEST_USER_PASSWD 2 || exit_fail \
> # check if
> # + escape sequence for clearing the screen sent if screen locked
> # + kernel boot options contain "no-scroll" and "fbcon=scrollback:0"
> -screen_check_clear $TEST_USER $TEST_USER_PASSWD 2 || exit_fail \
> +screen_check_clear $TEST_USER $TEST_USER_PASSWD 5 || exit_fail \
> "screen clear before locking failed ($?)"
>
> # checks if
> diff --git a/audit-test/trustedprograms/tests/tp_screen_functions.bash b/audit-test/trustedprograms/tests/tp_screen_functions.bash
> index 853e1d6..c28f363 100644
> --- a/audit-test/trustedprograms/tests/tp_screen_functions.bash
> +++ b/audit-test/trustedprograms/tests/tp_screen_functions.bash
> @@ -182,13 +182,13 @@ function screen_check_clear {
> # To check you terminal type use the command
> # echo $TERM
> #
> + prepend_cleanup "rm -f $EXPSCRIPT"
> cat > $EXPSCRIPT << EOT
> set timeout $(($3+1))
> spawn screen $4
> -expect {
> - -re ".*\\x1b\\x5c\\x5b\\x48\\x1b\\x5c\\x5b\\x4a.*" { send -- $2\r }
> - -re ".*\\x1b\\x5c\\x5b\\x48\\x1b\\x5c\\x5b\\x32\\x4a.*" { send -- $2\r }
> - default { exit 1 }
> +expect {$1} {
> + sleep 4
> + send { send -- $2\r }
> }
> expect {
> {$1} { send -- exit\r }
> @@ -200,16 +200,20 @@ EOT
>
> # run the expect script as user
> chown ${1}:$1 $EXPSCRIPT
> - /bin/su - -c "expect $EXPSCRIPT" $1
> - RET=$?
> + EXPOUT=$(mktemp)
> + prepend_cleanup "rm -f $EXPOUT"
> + /bin/su - -c "expect $EXPSCRIPT" $1 &> $EXPOUT
> + hexdump -C $EXPOUT
> + # count the number of lines with clear screen
> + # screen should clear the screen 2 times after running
> + # and once after locking the screen
> + CLRCNT=$(cat $EXPOUT | xxd -p | tr -d '\n' | grep -o "$(clear | xxd -p)" | wc -l)
> + [ "$CLRCNT" -eq 3 ] && RET=0 || RET=1
>
> # check if kernel cmdline contains required options for
> # disabling framebuffer scrolling
> - grep "no-scroll" /proc/cmdline || RET=4
> - grep "fbcon=scrollback:0" /proc/cmdline || RET=5
> -
> - # remove the expect script
> - rm -f $EXPSCRIPT
> + grep "no-scroll" /proc/cmdline || RET=2
> + grep "fbcon=scrollback:0" /proc/cmdline || RET=3
>
> return $RET
> }
>
From: Jiri J. <jja...@re...> - 2013-08-21 16:24:38
This fixes the following warning:
WARNING - 32/64 bit syscall mismatch, you should specify an arch
Signed-off-by: Jiri Jaburek <jja...@re...>
---
audit-test/filter/tests/test_auid.bash | 4 ++--
audit-test/filter/tests/test_dev_inode.bash | 8 ++++----
audit-test/filter/tests/test_success.bash | 2 +-
audit-test/filter/tests/test_syscall.bash | 2 +-
audit-test/filter/tests/test_type.bash | 4 ++--
5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
index 297ebbf..c165cf3 100755
--- a/audit-test/filter/tests/test_auid.bash
+++ b/audit-test/filter/tests/test_auid.bash
@@ -33,8 +33,8 @@ do_open_file $tmp1
augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
&& exit_error "Unexpected record found."
-auditctl -a exit,always -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -S open -F auid=$user_auid"
+auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
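Review bot: `-F arch=b$MODE` with an unset `MODE` becomes `-F arch=b`, which auditctl rejects, so the rule is never loaded and the test fails later at the record check with no obvious cause. test_namespace in patch 16 on this list uses `${MODE:+-F arch=b$MODE}`; either use that form here or fail early with `[ -n "$MODE" ] || exit_error "MODE not set"`, since the whole point of this patch is that the arch must be given. The same applies to the other four files in the patch.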
diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash
index ae818c6..30ea580 100755
--- a/audit-test/filter/tests/test_dev_inode.bash
+++ b/audit-test/filter/tests/test_dev_inode.bash
@@ -34,12 +34,12 @@ minor=$((0x$minor))
event_obj=$(get_event_obj $1)
[[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj"
-auditctl -a exit,always -S open -F key=$tmp1 -F inode=$inode \
- -F devmajor=$major -F devminor=$minor
+auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \
+ -F inode=$inode -F devmajor=$major -F devminor=$minor
prepend_cleanup "
- auditctl -d exit,always -S open -F key=$tmp1 -F inode=$inode \
--F devmajor=$major -F devminor=$minor"
+auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \
+ -F inode=$inode -F devmajor=$major -F devminor=$minor"
log_mark=$(stat -c %s $audit_log)
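Review bot: `auditctl -d` only finds the rule if every field matches the one that was added, and this hunk spells the rule out twice, once for `-a` and once inside the prepend_cleanup string with its own line continuation. test_success.bash in this same series puts the rule in a `filter_rule` variable and uses it for both; doing the same here removes the duplication and the risk of the two drifting (the same MODE-unset caveat as in test_auid.bash applies to the `-F arch=b$MODE` text).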
diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash
index aa8d1b4..497959b 100755
--- a/audit-test/filter/tests/test_success.bash
+++ b/audit-test/filter/tests/test_success.bash
@@ -37,7 +37,7 @@ case $op in
;;
*) exit_fail "unknown test operation" ;;
esac
-filter_rule="exit,always -S open"
+filter_rule="exit,always -F arch=b$MODE -S open"
auditctl -a $filter_rule $filter_field
prepend_cleanup "auditctl -d $filter_rule $filter_field"
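Review bot: because `$filter_rule` is reused for `-a` and `-d`, this file only needs the arch guard once, but it still needs it: with MODE unset the rule becomes `exit,always -F arch=b -S open` and auditctl refuses it. `filter_rule="exit,always ${MODE:+-F arch=b$MODE} -S open"` keeps the native run working.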
diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash
index 3c96628..8159b92 100755
--- a/audit-test/filter/tests/test_syscall.bash
+++ b/audit-test/filter/tests/test_syscall.bash
@@ -27,7 +27,7 @@ syscall_num=$(augrok --resolve $syscall_name) \
op=$1
case $op in
- name) filter_rule="exit,always -S open" ;;
+ name) filter_rule="exit,always -F arch=b$MODE -S open" ;;
number) filter_rule="exit,always -S $syscall_num";;
*) exit_fail "unknown test operation" ;;
esac
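Review bot: only the `name)` branch gets the arch; the `number)` branch still builds `exit,always -S $syscall_num` and will keep emitting the same 32/64 bit mismatch warning. The number branch needs it more, not less: a syscall number is only meaningful relative to an arch (the same number maps to different calls on b32 and b64), so `-F arch=b$MODE` (guarded for the unset case) belongs in front of `-S $syscall_num` as well.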
diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash
index 4318428..16c63f4 100755
--- a/audit-test/filter/tests/test_type.bash
+++ b/audit-test/filter/tests/test_type.bash
@@ -29,8 +29,8 @@ source filter_functions.bash || exit 2
user_auid=$(cat /proc/self/loginuid)
# setup auditctl
-auditctl -a exit,always -S open -F auid=$user_auid
-prepend_cleanup "auditctl -d exit,always -S open -F auid=$user_auid"
+auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
+prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
# audit log marker
log_mark=$(stat -c %s $audit_log)
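Review bot: this setup block is now identical to the one in test_auid.bash, down to the cleanup string. Since both files `source filter_functions.bash`, moving the rule (and the `${MODE:+-F arch=b$MODE}` guard it still needs for the native case) into a helper there means the next arch-related fix is made in one place instead of five.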
--
1.8.3.1
|
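An added example, not code from the audit-test tree: a small bash helper that builds the arch clause the way test_namespace.bash does (`${MODE:+-F arch=b$MODE}`) so it stays valid when MODE is unset, composes a rule string that can be reused for both `-a` and `-d`, and a lint that reads audit rule lines and reports the syscall rules that would trigger the warning in the commit message. The rules at the bottom are constructed for this example, not taken from any real audit.rules.

```shell
#!/bin/bash
# Added example, not part of the audit-test patch above.

# Build "-F arch=bNN" from MODE ("32" or "64" in the harness), or nothing
# when MODE is unset, so a native run does not produce "-F arch=b".
arch_clause() {
    local mode=${1-$MODE}
    printf '%s' "${mode:+-F arch=b$mode}"
}

# Compose an auditctl syscall rule for the harness; the same string must be
# used for -a and -d so the delete finds the rule that was added.
syscall_rule() {
    local syscall=$1 field=$2 arch
    arch=$(arch_clause)
    printf 'exit,always %s-S %s %s' "${arch:+$arch }" "$syscall" "$field"
}

# Read rule lines on stdin; report (on stderr) every rule that names a
# syscall with -S but carries no "-F arch=" field, and print the count.
lint_rules() {
    local line bad=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;                 # blank or comment
        esac
        case " $line " in
            *' -S '*)
                case $line in
                    *'-F arch='*) ;;             # arch present, fine
                    *) printf 'missing arch: %s\n' "$line" >&2
                       bad=$((bad + 1)) ;;
                esac ;;
        esac
    done
    echo "$bad"
}

# Constructed sample: two of the four rules are syscall rules without an arch
# (the watch rule has no -S and needs none).
SAMPLE_RULES='-a exit,always -S open -F auid=1000
-a exit,always -F arch=b64 -S open -F auid=1000
-w /etc/shadow -p wa -k shadow
# comment line
-a exit,always -S 2'

lint_sample() {
    printf '%s\n' "$SAMPLE_RULES" | lint_rules
}
```

`lint_sample` prints the two offending rules on stderr and `2` on stdout; the same function can be fed `auditctl -l` output on a live host to find rules that are still relying on the implicit arch.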
|
From: Linda K. <lin...@hp...> - 2013-08-27 18:40:14
|
Looks good, thanks.

-- ljk

On 08/21/13 12:24, Jiri Jaburek wrote:
> This fixes the following warning:
> WARNING - 32/64 bit syscall mismatch, you should specify an arch
>
> Signed-off-by: Jiri Jaburek <jja...@re...>
> ---
> audit-test/filter/tests/test_auid.bash | 4 ++--
> audit-test/filter/tests/test_dev_inode.bash | 8 ++++----
> audit-test/filter/tests/test_success.bash | 2 +-
> audit-test/filter/tests/test_syscall.bash | 2 +-
> audit-test/filter/tests/test_type.bash | 4 ++--
> 5 files changed, 10 insertions(+), 10 deletions(-)
>
> diff --git a/audit-test/filter/tests/test_auid.bash b/audit-test/filter/tests/test_auid.bash
> index 297ebbf..c165cf3 100755
> --- a/audit-test/filter/tests/test_auid.bash
> +++ b/audit-test/filter/tests/test_auid.bash
> @@ -33,8 +33,8 @@ do_open_file $tmp1
> augrok --seek=$log_mark "name==$tmp1" "auid==$user_auid" \
> && exit_error "Unexpected record found."
>
> -auditctl -a exit,always -S open -F auid=$user_auid
> -prepend_cleanup "auditctl -d exit,always -S open -F auid=$user_auid"
> +auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
>
> # audit log marker
> log_mark=$(stat -c %s $audit_log)
> diff --git a/audit-test/filter/tests/test_dev_inode.bash b/audit-test/filter/tests/test_dev_inode.bash
> index ae818c6..30ea580 100755
> --- a/audit-test/filter/tests/test_dev_inode.bash
> +++ b/audit-test/filter/tests/test_dev_inode.bash
> @@ -34,12 +34,12 @@ minor=$((0x$minor))
> event_obj=$(get_event_obj $1)
> [[ $event_obj != $tmp1 ]] && prepend_cleanup "rm -f $event_obj"
>
> -auditctl -a exit,always -S open -F key=$tmp1 -F inode=$inode \
> - -F devmajor=$major -F devminor=$minor
> +auditctl -a exit,always -F arch=b$MODE -S open -F key=$tmp1 \
> + -F inode=$inode -F devmajor=$major -F devminor=$minor
>
> prepend_cleanup "
> - auditctl -d exit,always -S open -F key=$tmp1 -F inode=$inode \
> --F devmajor=$major -F devminor=$minor"
> +auditctl -d exit,always -F arch=b$MODE -S open -F key=$tmp1 \
> + -F inode=$inode -F devmajor=$major -F devminor=$minor"
>
> log_mark=$(stat -c %s $audit_log)
>
> diff --git a/audit-test/filter/tests/test_success.bash b/audit-test/filter/tests/test_success.bash
> index aa8d1b4..497959b 100755
> --- a/audit-test/filter/tests/test_success.bash
> +++ b/audit-test/filter/tests/test_success.bash
> @@ -37,7 +37,7 @@ case $op in
> ;;
> *) exit_fail "unknown test operation" ;;
> esac
> -filter_rule="exit,always -S open"
> +filter_rule="exit,always -F arch=b$MODE -S open"
>
> auditctl -a $filter_rule $filter_field
> prepend_cleanup "auditctl -d $filter_rule $filter_field"
> diff --git a/audit-test/filter/tests/test_syscall.bash b/audit-test/filter/tests/test_syscall.bash
> index 3c96628..8159b92 100755
> --- a/audit-test/filter/tests/test_syscall.bash
> +++ b/audit-test/filter/tests/test_syscall.bash
> @@ -27,7 +27,7 @@ syscall_num=$(augrok --resolve $syscall_name) \
>
> op=$1
> case $op in
> - name) filter_rule="exit,always -S open" ;;
> + name) filter_rule="exit,always -F arch=b$MODE -S open" ;;
> number) filter_rule="exit,always -S $syscall_num";;
> *) exit_fail "unknown test operation" ;;
> esac
> diff --git a/audit-test/filter/tests/test_type.bash b/audit-test/filter/tests/test_type.bash
> index 4318428..16c63f4 100755
> --- a/audit-test/filter/tests/test_type.bash
> +++ b/audit-test/filter/tests/test_type.bash
> @@ -29,8 +29,8 @@ source filter_functions.bash || exit 2
> user_auid=$(cat /proc/self/loginuid)
>
> # setup auditctl
> -auditctl -a exit,always -S open -F auid=$user_auid
> -prepend_cleanup "auditctl -d exit,always -S open -F auid=$user_auid"
> +auditctl -a exit,always -F arch=b$MODE -S open -F auid=$user_auid
> +prepend_cleanup "auditctl -d exit,always -F arch=b$MODE -S open -F auid=$user_auid"
>
> # audit log marker
> log_mark=$(stat -c %s $audit_log)
>
|
|
From: Jiri J. <jja...@re...> - 2013-08-21 16:24:51
|
From: Miroslav Vadkerti <mva...@re...>
In RHEL6.2 the unit attribute of the memory and currentMemory
elements is not recognized and the units used are always in KiB.
Previous commit 4a54cf0e broke this for RHEL6.2 and this patch
brings back the XML to compatibility through all RHEL6+ releases.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/kvm-cgroups/guest1-template.xml | 4 ++--
audit-test/kvm-iommu/guest1-template.xml | 4 ++--
audit-test/kvm-iommu/guest2-template.xml | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/audit-test/kvm-cgroups/guest1-template.xml b/audit-test/kvm-cgroups/guest1-template.xml
index 6dbb057..7780fcf 100644
--- a/audit-test/kvm-cgroups/guest1-template.xml
+++ b/audit-test/kvm-cgroups/guest1-template.xml
@@ -1,7 +1,7 @@
<domain type='kvm'>
<name>guest1</name>
- <memory unit='MiB'>256</memory>
- <currentMemory unit='MiB'>256</currentMemory>
+ <memory unit='KiB'>262144</memory>
+ <currentMemory unit='KiB'>262144</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
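Review bot: the arithmetic checks out (256 MiB = 262144 KiB), but given the commit message says RHEL6.2 libvirt ignores the unit attribute altogether, `unit='KiB'` only works because KiB is also the default. A short XML comment above `<memory>` saying the value is kept in KiB for RHEL6.2 compatibility would stop the next person from "cleaning it up" back to `unit='MiB'`, which is what 4a54cf0e did. The same two values are now repeated across three templates; sharing one template, or at least one comment pointing at this commit, keeps them from drifting again.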
diff --git a/audit-test/kvm-iommu/guest1-template.xml b/audit-test/kvm-iommu/guest1-template.xml
index 7bb69e2..827d98e 100644
--- a/audit-test/kvm-iommu/guest1-template.xml
+++ b/audit-test/kvm-iommu/guest1-template.xml
@@ -1,7 +1,7 @@
<domain type='kvm'>
<name>guest1</name>
- <memory unit='MiB'>256</memory>
- <currentMemory unit='MiB'>256</currentMemory>
+ <memory unit='KiB'>262144</memory>
+ <currentMemory unit='KiB'>262144</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
diff --git a/audit-test/kvm-iommu/guest2-template.xml b/audit-test/kvm-iommu/guest2-template.xml
index 9981f54..fcda695 100644
--- a/audit-test/kvm-iommu/guest2-template.xml
+++ b/audit-test/kvm-iommu/guest2-template.xml
@@ -1,7 +1,7 @@
<domain type='kvm'>
<name>guest2</name>
- <memory unit='MiB'>256</memory>
- <currentMemory unit='MiB'>256</currentMemory>
+ <memory unit='KiB'>262144</memory>
+ <currentMemory unit='KiB'>262144</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
--
1.8.3.1
|
|
From: Linda K. <lin...@hp...> - 2013-08-27 18:41:24
|
Thanks for fixing this.

-- ljk

On 08/21/13 12:24, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> In RHEL6.2 the unit attribute of the memory and currentMemory
> elements is not recognized and the units used are always in KiB.
> Previous commit 4a54cf0e broke this for RHEL6.2 and this patch
> brings back the XML to compatibility through all RHEL6+ releases.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/kvm-cgroups/guest1-template.xml | 4 ++--
> audit-test/kvm-iommu/guest1-template.xml | 4 ++--
> audit-test/kvm-iommu/guest2-template.xml | 4 ++--
> 3 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/audit-test/kvm-cgroups/guest1-template.xml b/audit-test/kvm-cgroups/guest1-template.xml
> index 6dbb057..7780fcf 100644
> --- a/audit-test/kvm-cgroups/guest1-template.xml
> +++ b/audit-test/kvm-cgroups/guest1-template.xml
> @@ -1,7 +1,7 @@
> <domain type='kvm'>
> <name>guest1</name>
> - <memory unit='MiB'>256</memory>
> - <currentMemory unit='MiB'>256</currentMemory>
> + <memory unit='KiB'>262144</memory>
> + <currentMemory unit='KiB'>262144</currentMemory>
> <vcpu>1</vcpu>
> <os>
> <type arch='x86_64'>hvm</type>
> diff --git a/audit-test/kvm-iommu/guest1-template.xml b/audit-test/kvm-iommu/guest1-template.xml
> index 7bb69e2..827d98e 100644
> --- a/audit-test/kvm-iommu/guest1-template.xml
> +++ b/audit-test/kvm-iommu/guest1-template.xml
> @@ -1,7 +1,7 @@
> <domain type='kvm'>
> <name>guest1</name>
> - <memory unit='MiB'>256</memory>
> - <currentMemory unit='MiB'>256</currentMemory>
> + <memory unit='KiB'>262144</memory>
> + <currentMemory unit='KiB'>262144</currentMemory>
> <vcpu>1</vcpu>
> <os>
> <type arch='x86_64'>hvm</type>
> diff --git a/audit-test/kvm-iommu/guest2-template.xml b/audit-test/kvm-iommu/guest2-template.xml
> index 9981f54..fcda695 100644
> --- a/audit-test/kvm-iommu/guest2-template.xml
> +++ b/audit-test/kvm-iommu/guest2-template.xml
> @@ -1,7 +1,7 @@
> <domain type='kvm'>
> <name>guest2</name>
> - <memory unit='MiB'>256</memory>
> - <currentMemory unit='MiB'>256</currentMemory>
> + <memory unit='KiB'>262144</memory>
> + <currentMemory unit='KiB'>262144</currentMemory>
> <vcpu>1</vcpu>
> <os>
> <type arch='x86_64'>hvm</type>
>
|
|
From: Linda K. <lin...@hp...> - 2013-08-27 17:37:56
|
On 08/21/13 12:21, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> This patch incorporates changes that make possible
> merging of subsequent test runs.
>
> The logs are now stored also separately for each test
> in the logs subdirectory of the test bucket. The run and
> rollup logs are generated from these logs. The output
> of the run.bash should remain the same.
So this is for the case where you might need to re-run a particular
test case? So you don't have to run the complete bucket to get
a good log?
>
> This patch also fixes the --list option that now does
> not delete the contents of run and rollup log.
>
> This patch adds generate (-g|--generate) option that generates
> the total run and rollup logs. This might be useful if these
> were deleted or not created after aborting testing with SIGINT.
Does this option catch the case where a specific test result might be missing?
Is there any way to know that not all the test cases were run?
-- ljk
>
> The distclean make target removes the new logs directory.
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/rules.mk | 4 +-
> audit-test/utils/run.bash | 132 +++++++++++++++++++++++++++++++++++-----------
> 2 files changed, 104 insertions(+), 32 deletions(-)
>
> diff --git a/audit-test/rules.mk b/audit-test/rules.mk
> index 1534c66..a53d979 100644
> --- a/audit-test/rules.mk
> +++ b/audit-test/rules.mk
> @@ -194,14 +194,14 @@ _clean:
>
> clean: _clean
>
> -ALL_LOGS += run.log rollup.log
> +ALL_LOGS += run.log rollup.log logs
> _distclean: clean
> @if [[ "$(MAKECMDGOALS)" == distclean ]]; then \
> for x in $(SUB_DIRS); do \
> make -C $$x distclean; \
> done; \
> fi
> - $(RM) $(ALL_LOGS)
> + $(RM) -r $(ALL_LOGS)
> if [[ -L run.bash ]]; then $(RM) run.bash; fi
>
> distclean: _distclean
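Review bot: `$(RM) -r $(ALL_LOGS)` applies `-r` to every entry in the list, not only to `logs`; harmless for `run.log` and `rollup.log` today, but it makes any future addition to ALL_LOGS recursive by default. Keep `$(RM) $(ALL_LOGS)` for the files and add a separate `$(RM) -r logs`. Note also that `logs` is hard-coded here while run.bash accepts `-o/--logdir`, so a run that used a custom log directory is not cleaned by distclean.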
> diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
> index f70b79a..890f84a 100755
> --- a/audit-test/utils/run.bash
> +++ b/audit-test/utils/run.bash
> @@ -51,6 +51,7 @@ source functions.bash || exit 2
>
> unset logging
> unset opt_verbose opt_debug opt_config opt_list opt_log opt_rollup opt_timeout opt_width
> +echoing=true
> logging=false
> opt_avc=false
> opt_verbose=false
> @@ -59,6 +60,7 @@ opt_quiet=false
> opt_config=run.conf
> opt_list=false
> opt_log=run.log
> +opt_logdir=logs
> opt_rollup=rollup.log
> opt_timeout=30
> opt_width=$(stty size 2>/dev/null | cut -d' ' -f2)
> @@ -140,9 +142,8 @@ function dmsg {
> }
>
> function prf {
> - printf "$(colorize "$1")" "${@:2}"
> - $logging || return
> - printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup" >>"$opt_log"
> + $echoing && printf "$(colorize "$1")" "${@:2}"
> + $logging && printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup" >>"$opt_log"
> }
>
> #----------------------------------------------------------------------
> @@ -219,6 +220,11 @@ function startup {
> trap - 1 2;
> fi
>
> + # Create log directory if needed
> + if [[ ! -d "$opt_logdir" ]]; then
> + mkdir "$opt_logdir"
> + fi
> +
> # Initialize audit configuration and make sure auditd is running
> auditd_orig=$(mktemp $auditd_conf.XXXXXX) || return 2
> cp -a "$auditd_conf" "$auditd_orig" || return 2
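Review bot: `mkdir "$opt_logdir"` is unchecked; if it fails (a file of that name already exists, an unwritable parent, or a `-o` path whose parent does not exist), every per-test `cp -f` later in run_tests fails and the run carries on with no per-test logs. Match the pattern used two lines below and write `mkdir -p "$opt_logdir" || return 2`, which also handles nested `-o` paths.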
> @@ -341,10 +347,12 @@ Usage: ${0##*/} [OPTION]...
> Run a set of test cases, reporting pass/fail and tallying results.
>
> -f --config=FILE Use a config file other than run.conf
> + -g --generate Generate run.log and rollup.log from $opt_logdir
> --header Don't run anything, just output the log header
> -l --log=FILE Output to a log other than run.log
> -r --rollup=FILE Output to a rollup other than rollup.log
> -t --timeout=SEC Seconds to wait for a test to timeout, default 30
> + -o --logdir=DIR Output directory of per test logs
> -w --width=COLS Set COLS output width instead of auto-detect
> -h --help Show this help
>
> @@ -364,8 +372,8 @@ function parse_cmdline {
> declare args conf x
>
> # Use /usr/bin/getopt which supports GNU-style long options
> - args=$(getopt -o adf:hl:qr:vw: \
> - --long config:,avc,debug,help,header,list,log:,quiet,rollup:,nocolor,verbose,width: \
> + args=$(getopt -o adf:ghl:qr:o:vw: \
> + --long config:,avc,debug,generate,help,header,list,log:,logdir:,quiet,rollup:,nocolor,verbose,width: \
> -n "$0" -- "$@") || die
> eval set -- "$args"
>
> @@ -374,6 +382,7 @@ function parse_cmdline {
> -a|--avc) opt_avc=true; shift ;;
> -d|--debug) opt_debug=true; opt_verbose=true; shift ;;
> -f|--config) opt_config=$2; shift 2 ;;
> + -g|--generate) logging=true; generate_logs; exit 0 ;;
> -h|--help) usage; exit 0 ;;
> --header) show_header; exit 0 ;;
> --list) opt_list=true; shift ;;
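Review bot: `-g|--generate` calls generate_logs from inside the option loop, so it only sees the `-l`, `-r` and `-o` values that came earlier on the command line: `run.bash -g -o otherdir` regenerates from the default `logs` directory, while `run.bash -o otherdir -g` works. Set `opt_generate=true` here and act on it after the loop, the way `--list` sets opt_list and is handled later.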
> @@ -381,6 +390,7 @@ function parse_cmdline {
> -q|--quiet) opt_quiet=true; shift ;;
> -r|--rollup) opt_rollup=$2; shift 2 ;;
> -t|--timeout) opt_timeout=$2; shift 2 ;;
> + -o|--logdir) opt_logdir=$2; shift 2 ;;
> --nocolor) colorize() { monoize "$@"; }; shift ;;
> -v|--verbose) opt_verbose=true; shift ;;
> -w|--width) opt_width=$2; shift 2 ;;
> @@ -389,9 +399,6 @@ function parse_cmdline {
> esac
> done
>
> - # Open the logs now that opt_log and opt_rollup are set
> - open_log
> -
> # Load the config
> dmsg "Loading config from $opt_config"
> conf="$(<$opt_config)
> @@ -413,8 +420,10 @@ function parse_cmdline {
> done
> else
> # add by number
> - dmsg " [$1] ${TESTS[$1]}"
> - TNUMS[$1]=$1
> + if [ $1 -lt ${#TESTS[@]} ]; then
> + dmsg " [$1] ${TESTS[$1]}"
> + TNUMS[$1]=$1
> + fi
> fi
> shift
> done
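Review bot: `[ $1 -lt ${#TESTS[@]} ]` silently drops an out-of-range test number, and a non-numeric value that reaches this branch makes `[` print an error and drops it too. The user asked for that test explicitly, so an `exit_error`-style message naming the bad value is better than a quiet skip; negative numbers also pass the `-lt` test and should be rejected.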
> @@ -435,21 +444,24 @@ function parse_cmdline {
> done
> exit 0
> fi
> +
> + # Open the logs before running the tests
> + open_log
> }
>
> function show_header {
> - prf "\n"
> - prf "%-32s %s\n" Started: "$(date)"
> - prf "%-32s %s\n" Kernel: "$(uname -r)"
> - prf "%-32s %s\n" Architecture: "$(uname -m)"
> - prf "%-32s %s\n" Mode: "${MODE:-(native)}"
> - prf "%-32s %s\n" Hostname: "$(uname -n)"
> - prf "%-32s %s\n" Profile: "$PPROFILE"
> - prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> + nolog prf "\n"
> + nolog prf "%-32s %s\n" Started: "$(date)"
> + nolog prf "%-32s %s\n" Kernel: "$(uname -r)"
> + nolog prf "%-32s %s\n" Architecture: "$(uname -m)"
> + nolog prf "%-32s %s\n" Mode: "${MODE:-(native)}"
> + nolog prf "%-32s %s\n" Hostname: "$(uname -n)"
> + nolog prf "%-32s %s\n" Profile: "$PPROFILE"
> + nolog prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> if [[ $PPROFILE == lspp ]] ; then
> - prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
> + nolog prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep lspp_test | awk '{print $2}')"
> fi
> - prf "\n%s\n" "$(sestatus)"
> + nolog prf "\n%s\n" "$(sestatus)"
> }
>
> function fmt_test {
> @@ -485,20 +497,55 @@ function show_test {
> fmt_test "[$TESTNUM]" "$@"
> }
>
> +function noecho {
> + declare echoing=false
> + "$@"
> +}
> +
> function nolog {
> declare logging=false
> "$@"
> }
>
> +function generate_logs {
> + declare pass fail error
> +
> + # clear run and rollup logs
> + echo -n > $opt_log
> + echo -n > $opt_rollup
> +
> + # create total run log
> + for log in $(ls $opt_logdir/$opt_log.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do
> + cat $log >> $opt_log
> + echo >> $opt_log
> + done
> +
> + # create total rollup log
> + for log in $(ls $opt_logdir/$opt_rollup.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do
> + cat $log | sed '1,/--------/d' >> $opt_rollup
> + done
> +
> + pass=$(grep "PASS" $opt_rollup | wc -l)
> + fail=$(grep "FAIL" $opt_rollup | wc -l)
> + error=$(grep "ERROR" $opt_rollup | wc -l)
> + (( total = pass + fail + error ))
> + llmsg
> + prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> + prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> + prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> + prf "%s\n" "------------------"
> + prf "%4d total\n" $total
> +}
> +
> function run_tests {
> - declare TESTNUM output status hee s
> + declare TESTNUM output status hee s log stats header
> declare begin_output="<blue>--- begin output -----------------------------------------------------------"
> declare end_output="<blue>--- end output -------------------------------------------------------------"
>
> show_header
> - msg
> - prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> - prf "%-$((opt_width-7))s %s\n" "--------" "------"
> + nolog msg
> + nolog prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> + nolog prf "%-$((opt_width-7))s %s\n" "--------" "------"
>
> if $opt_debug; then
> hee=/dev/stderr
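Review bot: generate_logs has two failure modes worth fixing. First, when `$opt_logdir` holds no `$opt_log.*` files (a fresh checkout, or a run aborted before the first test finished, which is the case -g is meant for) both loops run over nothing, `total` is 0 and `$((pass * 100 / total))` raises a division-by-zero error instead of a summary; guard the percentages with `[ $total -gt 0 ]`. Second, `grep "PASS"`, `grep "FAIL"` and `grep "ERROR"` count every line containing those strings, so a test name or a line of output that happens to contain one inflates the tally; anchor on the result column, e.g. `grep -c ' PASS$'`. Smaller points: `total` is not in the `declare pass fail error` line, and the `ls | sed | sort -k2 -n | tr ' ' '.'` ordering breaks as soon as `$opt_logdir` or `$opt_log` contains a space; listing the directory and sorting numerically on the suffix avoids the split-and-reassemble.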
> @@ -507,6 +554,11 @@ function run_tests {
> fi
>
> for TESTNUM in "${TNUMS[@]}"; do
> + noecho prf "$(show_header)\n" ""
> + llmsg
> + noecho prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> + noecho prf "%-$((opt_width-7))s %s\n" "--------" "------"
> +
> eval "set -- ${TESTS[TESTNUM]}"
>
> if $opt_debug; then
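Review bot: `noecho prf "$(show_header)\n" ""` passes the header text as the printf format string, so any `%` in it (sestatus output, the hostname, the selinux-policy version string) is interpreted as a directive and garbles or truncates the logged header; use `noecho prf "%s\n" "$(show_header)"`. Also, `header` is declared in run_tests but never assigned anywhere in this patch, which matters for the last hunk.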
> @@ -587,15 +639,35 @@ function run_tests {
> msg "<blue>-- audit2allow -------------------------------------------------------------"
> msg "$(ausearch -ts $stime -te $etime -m avc | audit2allow)"
> fi
> +
> + # copy header to run and rollup log
> + echo "$header" >> $opt_logdir/$opt_log.$TESTNUM
> + echo >> $opt_logdir/$opt_log.$TESTNUM
> + echo "$header" >> $opt_logdir/$opt_rollup.$TESTNUM
> + echo >> $opt_logdir/$opt_rollup.$TESTNUM
> +
> + # copy test output to own log file
> + cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM
> + sed -i '/./,$!d' $opt_logdir/$opt_log.$TESTNUM
> + cp -f $opt_rollup $opt_logdir/$opt_rollup.$TESTNUM
> + sed -i '/./,$!d' $opt_logdir/$opt_rollup.$TESTNUM
> +
> + # clear log and rollup
> + echo -n > $opt_log
> + echo -n > $opt_rollup
> done
>
> + # create current stats
> (( total = pass + fail + error ))
> - msg
> - prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> - prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> - prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> - prf "%s\n" "------------------"
> - prf "%4d total\n" $total
> + nolog msg
> + nolog prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> + nolog prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> + nolog prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> + nolog prf "%s\n" "------------------"
> + nolog prf "%4d total\n" $total
> +
> + # create silently run and rollup logs
> + noecho generate_logs
>
> return 0
> }
>
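Review bot: the "copy header" block is dead code: `header` is never assigned in this patch, and the four lines that echo it into `$opt_logdir/$opt_log.$TESTNUM` and `$opt_logdir/$opt_rollup.$TESTNUM` are overwritten straight away by the `cp -f` of `$opt_log` and `$opt_rollup` below them, since cp truncates the destination. Either drop the block or append the copied output after the header instead of copying over it. Separately, `$opt_logdir/$opt_log.$TESTNUM` assumes `$opt_log` is a bare file name; with `-l /tmp/my.log` it becomes `logs//tmp/my.log.N` and the cp fails. Use `${opt_log##*/}` (and likewise for `$opt_rollup`) when building the per-test names, and quote the paths.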
|
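Added example, not the project's run.bash: the merge step done with a numeric sort that keeps rollup.log.10 after rollup.log.3, an anchored tally so a test name containing PASS or FAIL is not counted as a result, a guarded percentage so an empty logs directory does not divide by zero, and a check for configured test numbers that have no log, which is the "were all the test cases run" question raised in the review above. File names follow the patch (a directory of rollup.log.N files); the fixture files are constructed by the example itself.

```shell
#!/bin/bash
# Added example, not the project's run.bash. Works on per-test rollup logs
# named rollup.log.N in one directory, as the patch lays them out.

# Print the configured test numbers 0..N-1 that have no rollup.log.N in $1.
missing_tests() {
    local logdir=$1 ntests=$2 n=0 missing=""
    while [ "$n" -lt "$ntests" ]; do
        [ -f "$logdir/rollup.log.$n" ] || missing="$missing $n"
        n=$((n + 1))
    done
    printf '%s\n' "${missing# }"
}

# Concatenate the per-test rollup logs in numeric order (3 before 10),
# dropping each file's header up to and including the "--------" line,
# which is what the patch's per-file sed does.
merge_rollup() {
    local logdir=$1 f
    ls "$logdir" | grep -E '^rollup\.log\.[0-9]+$' | sort -t. -k3,3n |
    while IFS= read -r f; do
        sed '1,/--------/d' "$logdir/$f"
    done
}

# Count result lines by anchoring on the result column, so a test name that
# contains PASS, FAIL or ERROR is not counted. Prints "pass fail error total".
tally() {
    local pass fail error
    pass=$(grep -c ' PASS$' "$1") || true
    fail=$(grep -c ' FAIL$' "$1") || true
    error=$(grep -c ' ERROR$' "$1") || true
    printf '%d %d %d %d\n' "$pass" "$fail" "$error" "$((pass + fail + error))"
}

# Percentage that tolerates total == 0 (empty logs directory) instead of
# aborting on division by zero.
pct() {
    if [ "$2" -gt 0 ]; then echo $(($1 * 100 / $2)); else echo 0; fi
}

# Constructed fixture: tests 0, 1, 3 and 10 have logs, test 2 does not, and
# test 10 only sorts last with a numeric sort. Each file mimics the layout
# run.bash writes: header line, table header, separator, result line.
make_fixture() {
    local d=$1 n
    mkdir -p "$d"
    for n in 0 1 3 10; do
        printf 'Started: (constructed)\n%-20s %s\n%-20s %s\n' \
            Testcase Result -------- ------ > "$d/rollup.log.$n"
    done
    echo 'test_pass_one        PASS'  >> "$d/rollup.log.0"
    echo 'test_fail_one        FAIL'  >> "$d/rollup.log.1"
    echo 'test_PASSword_check  ERROR' >> "$d/rollup.log.3"
    echo 'test_ten             PASS'  >> "$d/rollup.log.10"
}
```

With the fixture in `$d`, `missing_tests "$d" 4` prints `2`, `merge_rollup "$d"` yields the four result lines in the order 0, 1, 3, 10, and `tally` on the merged file prints `2 1 1 4`; the `ERROR` line is not double-counted as a PASS despite its name.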
|
From: Linda K. <lin...@hp...> - 2013-08-27 18:08:23
|
On 08/21/13 12:23, Jiri Jaburek wrote:
> The test description states that:
> "Verify that the tar program preserves file security contexts."
>
> and tar has an explicit option for that:
> --selinux
> Save the SELinux context to the archive.
I think "file security contexts" means more than SELinux context.
What about non-selinux security information, like ACLs? Aren't they
also stored in extended attributes? I guess the test was only creating/
checking SELinux contexts but the other is important as well, even if
not well tested.
> This change fixes the test for RHEL7, but also makes sense for RHEL6.
What was broken with RHEL7?
-- ljk
>
> Signed-off-by: Jiri Jaburek <jja...@re...>
> ---
> audit-test/misc/tests/test_tar.bash | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/audit-test/misc/tests/test_tar.bash b/audit-test/misc/tests/test_tar.bash
> index 8ea8da9..7b2d735 100755
> --- a/audit-test/misc/tests/test_tar.bash
> +++ b/audit-test/misc/tests/test_tar.bash
> @@ -56,7 +56,7 @@ chmod 744 $FILE_DIR/fileSecret || exit_fail
> chcon -t bin_t -l Secret $FILE_DIR/fileSecret || exit_fail
>
> # Pack up the files in the test_files directory
> -tar cf $TAR_FILE --xattrs -H posix -C $FILE_DIR .
> +tar cf $TAR_FILE --selinux -H posix -C $FILE_DIR .
>
> # Verify the files were successfully packed
> if [ $? != 0 ]; then
> @@ -64,7 +64,7 @@ if [ $? != 0 ]; then
> fi
>
> # Unpack the files
> -tar xvf $TAR_FILE --xattrs -C $EXTRACT_DIR
> +tar xvf $TAR_FILE --selinux -C $EXTRACT_DIR
> if [ $? != 0 ]; then
> exit_error "Error unpacking tar archive"
> fi
>
|
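Review bot: replacing `--xattrs` with `--selinux` narrows the round trip to the security.selinux attribute only; as the review comment above says, the test's stated goal is "file security contexts", and with `--xattrs` the same archive also carried the other extended attributes (ACLs among them) through the pack and unpack. If `--selinux` is what RHEL7 needs, keep `--xattrs` and add `--selinux` (and `--acls`) next to it rather than swapping, and have the test compare the restored attributes explicitly so a silently dropped one fails instead of passing. The `if [ $? != 0 ]` checks still see tar's exit status, since only a blank line and a comment sit between them, but `tar ... || exit_fail` on the tar line itself would be less fragile.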
|
From: Jiri J. <jja...@re...> - 2013-08-28 13:34:25
|
On 08/27/2013 08:08 PM, Linda Knippers wrote:
> On 08/21/13 12:23, Jiri Jaburek wrote:
>> The test description states that:
>> "Verify that the tar program preserves file security contexts."
>>
>> and tar has an explicit option for that:
>> --selinux
>> Save the SELinux context to the archive.
>
> I think "file security contexts" means more than SELinux context.
> What about non-selinux security information, like ACLs? Aren't they
> also stored in extended attributes? I guess the test was only creating/
> checking SELinux contexts but the other is important as well, even if
> not well tested.
>
I originally assumed it's a SELinux-only test, even though it mentions
generic "security contexts". The point is that not all security
mechanisms have to use xattrs for storage and the idea of using explicit
options for tar would actually be more generic in the end.
(With an explicit --acls test.)

However the issue seems to be more complex than it seemed in the first
place, so let's just drop this patch now and return to it later.

Jiri
|
|
From: Linda K. <lin...@hp...> - 2013-08-27 18:18:39
|
On 08/21/13 12:24, Jiri Jaburek wrote:
> From: Miroslav Vadkerti <mva...@re...>
>
> In recent RHEL7 kernel changes the loginuid call fails with
> pam_loginuid where loginuid already set in session.
>
> This fix temporarily disables pam_loginuid in /etc/pam.d/login
> as a workaround. This has no effect on testing purpose of
> this test.
>
> The check for auid in augrok is not needed for this test.
> The loginuid remains unchanged because of this workaround.
Sorry, but I don't understand what you're saying here.
What's broken?
Why is this workaround ok?
Why don't we need to check the auid when having it set correctly
is an important part of logging in?
If something has changed causing us to no longer have a valid
login test, I'd rather see the test fail until we do have a valid
login test.
-- ljk
>
> Signed-off-by: Miroslav Vadkerti <mva...@re...>
> ---
> audit-test/libpam/tests/test_login.bash | 4 ++++
> audit-test/libpam/tests/test_mls_default_login.bash | 9 +++++++--
> audit-test/libpam/tests/test_mls_level_login.bash | 9 +++++++--
> audit-test/libpam/tests/test_mls_level_login_fail.bash | 14 +++++++++++---
> audit-test/libpam/tests/test_namespace.bash | 9 +++++++--
> audit-test/trustedprograms/tests/test_lpq.bash | 5 +++++
> 6 files changed, 41 insertions(+), 9 deletions(-)
>
> diff --git a/audit-test/libpam/tests/test_login.bash b/audit-test/libpam/tests/test_login.bash
> index 3d05afa..d834900 100755
> --- a/audit-test/libpam/tests/test_login.bash
> +++ b/audit-test/libpam/tests/test_login.bash
> @@ -26,7 +26,11 @@ chmod 666 $localtmp
>
> # turn off screen in /etc/profile
> backup /etc/profile
> +backup /etc/pam.d/login
> sed -i 's/\[ -w $(tty) \]/false/' /etc/profile
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>
> # if in LSPP mode, map the TEST_USER to staff_u
> if [[ $PPROFILE == "lspp" ]]; then
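Review bot: this same backup-and-sed pair is copied into six tests; put it in a shared helper next to `backup` (in the functions file these tests already source) so the workaround, and its eventual removal, is a one-line change. The `^session.*pam_loginuid` pattern comments out every uncommented session line naming the module, which is the intent, but it does nothing, silently, if the login stack has moved pam_loginuid into an included file rather than /etc/pam.d/login itself; a `grep -q pam_loginuid /etc/pam.d/login || exit_error ...` before the sed makes that visible instead of letting the test proceed with the module still active.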
> diff --git a/audit-test/libpam/tests/test_mls_default_login.bash b/audit-test/libpam/tests/test_mls_default_login.bash
> index 6fca015..ac7f2b7 100755
> --- a/audit-test/libpam/tests/test_mls_default_login.bash
> +++ b/audit-test/libpam/tests/test_mls_default_login.bash
> @@ -44,6 +44,11 @@ fi
> # use backup (and automatic restore) to work around this
> backup /var/run/utmp
>
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +backup /etc/pam.d/login
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> +
> # test
> (
> export localtmp
> @@ -63,11 +68,11 @@ pts=${pts##*/}
> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*"
> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> subj=$login_context || exit_fail
> # Check for ROLE_ASSIGN event for testuser
> augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
> # Check for USER_ROLE_CHANGE for login command
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts res=success.*" || exit_fail "USER_ROLE_CHANGE does not match"
>
> exit_pass
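Review bot: removing `auid=$auid` from the USER_START and USER_ROLE_CHANGE checks is the change that matters in this file. With pam_loginuid commented out, login no longer sets the session's loginuid (the commit message says as much: "The loginuid remains unchanged"), so the auid in these records is whatever the harness started with, and the test no longer verifies that login established the audit identity of $TEST_USER. If the workaround stays, at least assert on the auid that is now expected, so a further change to it is still caught, and leave a TODO to restore the original check when pam_loginuid can be re-enabled.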
> diff --git a/audit-test/libpam/tests/test_mls_level_login.bash b/audit-test/libpam/tests/test_mls_level_login.bash
> index 436bcda..063647f 100755
> --- a/audit-test/libpam/tests/test_mls_level_login.bash
> +++ b/audit-test/libpam/tests/test_mls_level_login.bash
> @@ -42,6 +42,11 @@ fi
> # use backup (and automatic restore) to work around this
> backup /var/run/utmp
>
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +backup /etc/pam.d/login
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> +
> # test
> (
> export localtmp
> @@ -68,7 +73,7 @@ fi
> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> subj=$login_context || exit_fail
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" auid=$auid || exit_fail
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" || exit_fail
> exit_pass
> diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> index 92562f9..ba04604 100755
> --- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
> +++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> @@ -42,6 +42,11 @@ fi
> # use backup (and automatic restore) to work around this
> backup /var/run/utmp
>
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +backup /etc/pam.d/login
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> +
> # test
> (
> export localtmp
> @@ -52,11 +57,14 @@ backup /var/run/utmp
> expect -nocase {level} {send "Y\r"}
> expect -nocase {role:} {send "\r"}
> expect -nocase {level:} {send "s15\r"}
> - expect -nocase {"authentication failure"} {close; wait}'
> + expect {
> + -nocase {"authentication failure"} {close; wait}
> + -nocase {"Cannot make/remove"} {close; wait}
> + }'
> )
>
> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> subj=$login_context || exit_fail
> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" auid=$auid || exit_fail
> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" || exit_fail
> exit_pass
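Review bot: the new expect alternative makes a session-setup error ("Cannot make/remove ...") acceptable where the test used to require "authentication failure", and both branches run the same `close; wait`, so nothing records which message was seen. The augrok checks below still require `res=failed` on USER_START and USER_ROLE_CHANGE, which keeps the outcome honest, but the expect script should `send_user` the branch it took, and the commit message should say why the second string can appear on RHEL7. The same auid comment as for test_mls_default_login.bash applies to the two `augrok` lines here.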
> diff --git a/audit-test/libpam/tests/test_namespace.bash b/audit-test/libpam/tests/test_namespace.bash
> index 6fb20da..6642350 100755
> --- a/audit-test/libpam/tests/test_namespace.bash
> +++ b/audit-test/libpam/tests/test_namespace.bash
> @@ -59,6 +59,11 @@ backup /var/run/utmp
> backup /etc/security/namespace.conf
> echo "/tmp /tmp-parent/tmp-inst/ level root,adm" > /etc/security/namespace.conf
>
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +backup /etc/pam.d/login
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> +
> tmpinstdir=/tmp-parent/tmp-inst/
> tmpnewfile=/tmp/newfile
>
> @@ -87,7 +92,7 @@ auditctl -a entry,always ${MODE:+-F arch=b$MODE} -S open -F uid=$auid || \
> )
> # Check the path and context in the audit record.
> augrok type==SYSCALL \
> - subj=$s0_context auid=$auid success=yes \
> + subj=$s0_context success=yes \
> name=$tmpnewfile obj=$s0_obj\
> || exit_fail "missing audit record"
>
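Review bot: the auditctl rule in the context line above this hunk still keys on `-F uid=$auid`, so `$auid` is still what selects the records, while the `auid=$auid` match on the record itself is dropped; that is inconsistent. Either keep the auid match (it is the value the rule is already built from) or drop it from both places and explain why in the commit message.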
> @@ -110,7 +115,7 @@ log_mark=$(stat -c %s $audit_log)
>
> # Check the path and context in the audit record.
> augrok --seek=$log_mark type==SYSCALL \
> - subj=$s2_context auid=$auid success=yes \
> + subj=$s2_context success=yes \
> name=$tmpnewfile obj=$s2_obj\
> || exit_fail "missing audit record"
>
> diff --git a/audit-test/trustedprograms/tests/test_lpq.bash b/audit-test/trustedprograms/tests/test_lpq.bash
> index 0cbd45f..ee0f60d 100755
> --- a/audit-test/trustedprograms/tests/test_lpq.bash
> +++ b/audit-test/trustedprograms/tests/test_lpq.bash
> @@ -50,6 +50,11 @@ backup /var/run/utmp
> semanage login -a -s staff_u -r SystemLow-SystemHigh $TEST_USER || \
> exit_error "unable to set $TEST_USER to staff_u"
>
> +# In RHEL7 the pam_loginuid fails if loginuid already set
> +# for the purpose of this test we disable it temporarily
> +backup /etc/pam.d/login
> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> +
> # test
> prepend_cleanup rm -f $CON1OUT $CON2OUT
> runcon $LPQ1CON lpq -P $printer > $CON1OUT
>
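Review bot: the `sed -i` is a silent no-op if /etc/pam.d/login reaches pam_loginuid through an `include`/`substack` line rather than a direct `session ... pam_loginuid.so` line, and the test would then fail later with exactly the login error the workaround is meant to avoid; verify the substitution took effect, e.g. `grep -q '^session.*pam_loginuid' /etc/pam.d/login && exit_error "pam_loginuid still active"` right after the sed.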
|
|
From: Miroslav V. <mva...@re...> - 2013-08-28 14:10:08
|
Hi Linda,
----- Original Message -----
> On 08/21/13 12:21, Jiri Jaburek wrote:
> > From: Miroslav Vadkerti <mva...@re...>
> >
> > This patch incorporates changes that make it possible
> > to merge subsequent test runs.
> >
> > The logs are now also stored separately for each test
> > in the logs subdirectory of the test bucket. The run and
> > rollup logs are generated from these logs. The output
> > of run.bash should remain the same.
>
> So this is for the case where you might need to re-run a particular
> test case? So you don't have to run the complete bucket to get
> a good log?
Yes, that is correct. You can run only the failed tests, and if the
other tests passed previously you will get a good total log.
> >
> > This patch also fixes the --list option, which now does
> > not delete the contents of the run and rollup logs.
> >
> > This patch adds a generate (-g|--generate) option that generates
> > the total run and rollup logs. This might be useful if these
> > were deleted or not created after aborting testing with SIGINT.
>
> Does this option catch the case where a specific test result might be
> missing?
> Is there any way to know that not all the test cases were run?
If there are missing cases the log is still generated, but it will contain
only the tests that were run. There is a way to tell which tests weren't run,
and in the next patch series we want to add an option to run.bash that will
run all tests that did not pass or weren't run yet. You will also be able to
combine this option with the --list option to list only those tests.
/M
>
> -- ljk
>
> >
> > The distclean make target removes the new logs directory.
> >
> > Signed-off-by: Miroslav Vadkerti <mva...@re...>
> > ---
> > audit-test/rules.mk | 4 +-
> > audit-test/utils/run.bash | 132
> > +++++++++++++++++++++++++++++++++++-----------
> > 2 files changed, 104 insertions(+), 32 deletions(-)
> >
> > diff --git a/audit-test/rules.mk b/audit-test/rules.mk
> > index 1534c66..a53d979 100644
> > --- a/audit-test/rules.mk
> > +++ b/audit-test/rules.mk
> > @@ -194,14 +194,14 @@ _clean:
> >
> > clean: _clean
> >
> > -ALL_LOGS += run.log rollup.log
> > +ALL_LOGS += run.log rollup.log logs
> > _distclean: clean
> > @if [[ "$(MAKECMDGOALS)" == distclean ]]; then \
> > for x in $(SUB_DIRS); do \
> > make -C $$x distclean; \
> > done; \
> > fi
> > - $(RM) $(ALL_LOGS)
> > + $(RM) -r $(ALL_LOGS)
> > if [[ -L run.bash ]]; then $(RM) run.bash; fi
> >
> > distclean: _distclean
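Review bot: `$(RM) -r $(ALL_LOGS)` only ever sees the literal `logs` entry, so a run that used `-o DIR`/`--logdir=DIR` leaves its per-test logs behind after `make distclean`; either document that distclean cleans only the default directory or make the directory name a shared make variable. Applying `-r` to the two plain log files in ALL_LOGS is harmless.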
> > diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash
> > index f70b79a..890f84a 100755
> > --- a/audit-test/utils/run.bash
> > +++ b/audit-test/utils/run.bash
> > @@ -51,6 +51,7 @@ source functions.bash || exit 2
> >
> > unset logging
> > unset opt_verbose opt_debug opt_config opt_list opt_log opt_rollup
> > opt_timeout opt_width
> > +echoing=true
> > logging=false
> > opt_avc=false
> > opt_verbose=false
> > @@ -59,6 +60,7 @@ opt_quiet=false
> > opt_config=run.conf
> > opt_list=false
> > opt_log=run.log
> > +opt_logdir=logs
> > opt_rollup=rollup.log
> > opt_timeout=30
> > opt_width=$(stty size 2>/dev/null | cut -d' ' -f2)
> > @@ -140,9 +142,8 @@ function dmsg {
> > }
> >
> > function prf {
> > - printf "$(colorize "$1")" "${@:2}"
> > - $logging || return
> > - printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup" >>"$opt_log"
> > + $echoing && printf "$(colorize "$1")" "${@:2}"
> > + $logging && printf "$(monoize "$1")" "${@:2}" | tee -a "$opt_rollup"
> > >>"$opt_log"
> > }
> >
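Review bot: both branches of prf now depend on `echoing`/`logging` being overridden through bash's dynamic scoping (`declare echoing=false` in `noecho`, `declare logging=false` in `nolog`), which is not obvious from the function body; a one-line comment above prf saying that callers are expected to shadow the two flags would spare the next reader a search. The exit status is unchanged (1 when logging is off, as with the old `$logging || return`).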
> > #----------------------------------------------------------------------
> > @@ -219,6 +220,11 @@ function startup {
> > trap - 1 2;
> > fi
> >
> > + # Create log directory if needed
> > + if [[ ! -d "$opt_logdir" ]]; then
> > + mkdir "$opt_logdir"
> > + fi
> > +
> > # Initialize audit configuration and make sure auditd is running
> > auditd_orig=$(mktemp $auditd_conf.XXXXXX) || return 2
> > cp -a "$auditd_conf" "$auditd_orig" || return 2
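Review bot: `mkdir "$opt_logdir"` ignores failure while the neighbouring `mktemp`/`cp -a` lines `|| return 2`; if the directory cannot be created (read-only bucket, a stray file named `logs`) every later `cp -f ... $opt_logdir/...` fails and the final `generate_logs` produces empty totals. Use `mkdir -p "$opt_logdir" || return 2`.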
> > @@ -341,10 +347,12 @@ Usage: ${0##*/} [OPTION]...
> > Run a set of test cases, reporting pass/fail and tallying results.
> >
> > -f --config=FILE Use a config file other than run.conf
> > + -g --generate Generate run.log and rollup.log from $opt_logdir
> > --header Don't run anything, just output the log header
> > -l --log=FILE Output to a log other than run.log
> > -r --rollup=FILE Output to a rollup other than rollup.log
> > -t --timeout=SEC Seconds to wait for a test to timeout, default 30
> > + -o --logdir=DIR Output directory of per test logs
> > -w --width=COLS Set COLS output width instead of auto-detect
> > -h --help Show this help
> >
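Review bot: `-o --logdir=DIR` is listed after `-t` while the other options are kept in alphabetical order, and the `-g` line promises `run.log and rollup.log` although the option regenerates whatever `-l`/`-r` name; `Generate the run and rollup logs from $opt_logdir` avoids the mismatch.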
> > @@ -364,8 +372,8 @@ function parse_cmdline {
> > declare args conf x
> >
> > # Use /usr/bin/getopt which supports GNU-style long options
> > - args=$(getopt -o adf:hl:qr:vw: \
> > - --long
> > config:,avc,debug,help,header,list,log:,quiet,rollup:,nocolor,verbose,width:
> > \
> > + args=$(getopt -o adf:ghl:qr:o:vw: \
> > + --long
> > config:,avc,debug,generate,help,header,list,log:,logdir:,quiet,rollup:,nocolor,verbose,width:
> > \
> > -n "$0" -- "$@") || die
> > eval set -- "$args"
> >
> > @@ -374,6 +382,7 @@ function parse_cmdline {
> > -a|--avc) opt_avc=true; shift ;;
> > -d|--debug) opt_debug=true; opt_verbose=true; shift ;;
> > -f|--config) opt_config=$2; shift 2 ;;
> > + -g|--generate) logging=true; generate_logs; exit 0 ;;
> > -h|--help) usage; exit 0 ;;
> > --header) show_header; exit 0 ;;
> > --list) opt_list=true; shift ;;
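Review bot: `-g|--generate) logging=true; generate_logs; exit 0 ;;` acts inside the option loop, so `run.bash -g -o DIR` or `-g -l FILE` regenerates from the defaults and never sees the later options, and `exit 0` is returned even when `generate_logs` found nothing to merge. Record it as `opt_generate=true`, as `--list` does with `opt_list`, act after the loop, and propagate the function's status.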
> > @@ -381,6 +390,7 @@ function parse_cmdline {
> > -q|--quiet) opt_quiet=true; shift ;;
> > -r|--rollup) opt_rollup=$2; shift 2 ;;
> > -t|--timeout) opt_timeout=$2; shift 2 ;;
> > + -o|--logdir) opt_logdir=$2; shift 2 ;;
> > --nocolor) colorize() { monoize "$@"; }; shift ;;
> > -v|--verbose) opt_verbose=true; shift ;;
> > -w|--width) opt_width=$2; shift 2 ;;
> > @@ -389,9 +399,6 @@ function parse_cmdline {
> > esac
> > done
> >
> > - # Open the logs now that opt_log and opt_rollup are set
> > - open_log
> > -
> > # Load the config
> > dmsg "Loading config from $opt_config"
> > conf="$(<$opt_config)
> > @@ -413,8 +420,10 @@ function parse_cmdline {
> > done
> > else
> > # add by number
> > - dmsg " [$1] ${TESTS[$1]}"
> > - TNUMS[$1]=$1
> > + if [ $1 -lt ${#TESTS[@]} ]; then
> > + dmsg " [$1] ${TESTS[$1]}"
> > + TNUMS[$1]=$1
> > + fi
> > fi
> > shift
> > done
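Review bot: an out-of-range test number is now dropped silently by `if [ $1 -lt ${#TESTS[@]} ]`, so a typo on the command line yields a run that passes with one test fewer and nobody notices; emit at least a `dmsg` warning, or `die` as parse_cmdline does for other bad input. A non-numeric `$1` still makes `[` print an error here; adding `[[ $1 =~ ^[0-9]+$ ]]` to the condition covers it.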
> > @@ -435,21 +444,24 @@ function parse_cmdline {
> > done
> > exit 0
> > fi
> > +
> > + # Open the logs before running the tests
> > + open_log
> > }
> >
> > function show_header {
> > - prf "\n"
> > - prf "%-32s %s\n" Started: "$(date)"
> > - prf "%-32s %s\n" Kernel: "$(uname -r)"
> > - prf "%-32s %s\n" Architecture: "$(uname -m)"
> > - prf "%-32s %s\n" Mode: "${MODE:-(native)}"
> > - prf "%-32s %s\n" Hostname: "$(uname -n)"
> > - prf "%-32s %s\n" Profile: "$PPROFILE"
> > - prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q selinux-policy)"
> > + nolog prf "\n"
> > + nolog prf "%-32s %s\n" Started: "$(date)"
> > + nolog prf "%-32s %s\n" Kernel: "$(uname -r)"
> > + nolog prf "%-32s %s\n" Architecture: "$(uname -m)"
> > + nolog prf "%-32s %s\n" Mode: "${MODE:-(native)}"
> > + nolog prf "%-32s %s\n" Hostname: "$(uname -n)"
> > + nolog prf "%-32s %s\n" Profile: "$PPROFILE"
> > + nolog prf "%-32s %s\n" "selinux-policy version:" "$(rpm -q
> > selinux-policy)"
> > if [[ $PPROFILE == lspp ]] ; then
> > - prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l | grep
> > lspp_test | awk '{print $2}')"
> > + nolog prf "%-32s %s\n" "lspp_test policy version:" "$(semodule -l |
> > grep lspp_test | awk '{print $2}')"
> > fi
> > - prf "\n%s\n" "$(sestatus)"
> > + nolog prf "\n%s\n" "$(sestatus)"
> > }
> >
> > function fmt_test {
> > @@ -485,20 +497,55 @@ function show_test {
> > fmt_test "[$TESTNUM]" "$@"
> > }
> >
> > +function noecho {
> > + declare echoing=false
> > + "$@"
> > +}
> > +
> > function nolog {
> > declare logging=false
> > "$@"
> > }
> >
> > +function generate_logs {
> > + declare pass fail error
> > +
> > + # clear run and rollup logs
> > + echo -n > $opt_log
> > + echo -n > $opt_rollup
> > +
> > + # create total run log
> > + for log in $(ls $opt_logdir/$opt_log.* | sed 's/\(.*\)\.\(.*\)/\1
> > \2/g' | sort -k2 -n | tr ' ' '.'); do
> > + cat $log >> $opt_log
> > + echo >> $opt_log
> > + done
> > +
> > + # create total rollup log
> > + for log in $(ls $opt_logdir/$opt_rollup.* | sed 's/\(.*\)\.\(.*\)/\1
> > \2/g' | sort -k2 -n | tr ' ' '.'); do
> > + cat $log | sed '1,/--------/d' >> $opt_rollup
> > + done
> > +
> > + pass=$(grep "PASS" $opt_rollup | wc -l)
> > + fail=$(grep "FAIL" $opt_rollup | wc -l)
> > + error=$(grep "ERROR" $opt_rollup | wc -l)
> > + (( total = pass + fail + error ))
> > + llmsg
> > + prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> > + prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> > + prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> > + prf "%s\n" "------------------"
> > + prf "%4d total\n" $total
> > +}
> > +
> > function run_tests {
> > - declare TESTNUM output status hee s
> > + declare TESTNUM output status hee s log stats header
> > declare begin_output="<blue>--- begin output
> > -----------------------------------------------------------"
> > declare end_output="<blue>--- end output
> > -------------------------------------------------------------"
> >
> > show_header
> > - msg
> > - prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> > - prf "%-$((opt_width-7))s %s\n" "--------" "------"
> > + nolog msg
> > + nolog prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> > + nolog prf "%-$((opt_width-7))s %s\n" "--------" "------"
> >
> > if $opt_debug; then
> > hee=/dev/stderr
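Review bot: `$((pass * 100 / total))` divides by zero when `total` is 0, which is exactly the `-g` case with an empty or wrong `$opt_logdir`, so the option dies with an arithmetic error instead of a message; guard with `(( total )) || die "no per-test logs in $opt_logdir"`. Two smaller points: `grep "PASS"`/`"FAIL"`/`"ERROR"` count any line containing those substrings, test names and arguments included, so anchor on the result column (e.g. `grep -c ' PASS$'` if the result is the last field); and `sed '1,/--------/d'` strips the header from every per-test rollup, so the merged rollup.log no longer carries the Started/Kernel/Hostname block the old single header gave it. The `ls | sed | sort -k2 -n | tr` pipeline for numeric ordering can be replaced by `ls "$opt_logdir/$opt_log".* | sort -V`.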
> > @@ -507,6 +554,11 @@ function run_tests {
> > fi
> >
> > for TESTNUM in "${TNUMS[@]}"; do
> > + noecho prf "$(show_header)\n" ""
> > + llmsg
> > + noecho prf "%-$((opt_width-7))s %s\n" "Testcase" "Result"
> > + noecho prf "%-$((opt_width-7))s %s\n" "--------" "------"
> > +
> > eval "set -- ${TESTS[TESTNUM]}"
> >
> > if $opt_debug; then
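Review bot: `noecho prf "$(show_header)\n" ""` hands the captured header to prf as the printf format (prf does `printf "$(monoize "$1")" "${@:2}"`), so any `%` in the `rpm -q`, `sestatus` or hostname output is taken as a conversion and garbles the per-test log; pass it as an argument instead, `noecho prf "%s\n" "$(show_header)"`. This is also the natural place to assign `header=$(show_header)` once, since the variable is declared above but never set.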
> > @@ -587,15 +639,35 @@ function run_tests {
> > msg "<blue>-- audit2allow
> > -------------------------------------------------------------"
> > msg "$(ausearch -ts $stime -te $etime -m avc | audit2allow)"
> > fi
> > +
> > + # copy header to run and rollup log
> > + echo "$header" >> $opt_logdir/$opt_log.$TESTNUM
> > + echo >> $opt_logdir/$opt_log.$TESTNUM
> > + echo "$header" >> $opt_logdir/$opt_rollup.$TESTNUM
> > + echo >> $opt_logdir/$opt_rollup.$TESTNUM
> > +
> > + # copy test output to own log file
> > + cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM
> > + sed -i '/./,$!d' $opt_logdir/$opt_log.$TESTNUM
> > + cp -f $opt_rollup $opt_logdir/$opt_rollup.$TESTNUM
> > + sed -i '/./,$!d' $opt_logdir/$opt_rollup.$TESTNUM
> > +
> > + # clear log and rollup
> > + echo -n > $opt_log
> > + echo -n > $opt_rollup
> > done
> >
> > + # create current stats
> > (( total = pass + fail + error ))
> > - msg
> > - prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> > - prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> > - prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> > - prf "%s\n" "------------------"
> > - prf "%4d total\n" $total
> > + nolog msg
> > + nolog prf "%4d pass (%d%%)\n" $pass $((pass * 100 / total))
> > + nolog prf "%4d fail (%d%%)\n" $fail $((fail * 100 / total))
> > + nolog prf "%4d error (%d%%)\n" $error $((error * 100 / total))
> > + nolog prf "%s\n" "------------------"
> > + nolog prf "%4d total\n" $total
> > +
> > + # create silently run and rollup logs
> > + noecho generate_logs
> >
> > return 0
> > }
> >
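Review bot: the four `echo "$header" >> $opt_logdir/...` lines are dead code: `cp -f $opt_log $opt_logdir/$opt_log.$TESTNUM` two lines later overwrites both files, and `header` is declared in run_tests but not assigned anywhere in the hunks shown, so they append empty lines that are immediately discarded. Either drop them, or append the test output with `cat "$opt_log" >> ...` instead of `cp -f` so the header survives. `stats` is likewise declared and unused.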
>
>
--
Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
|
|
From: Linda K. <lin...@hp...> - 2013-08-28 16:29:12
|
Hi Miroslav,
Miroslav Vadkerti wrote:
> Hi Linda,
>
> ----- Original Message -----
>> On 08/21/13 12:21, Jiri Jaburek wrote:
>>> From: Miroslav Vadkerti <mva...@re...>
>>>
>>> This patch incorporates changes that make it possible
>>> to merge subsequent test runs.
>>>
>>> The logs are now also stored separately for each test
>>> in the logs subdirectory of the test bucket. The run and
>>> rollup logs are generated from these logs. The output
>>> of run.bash should remain the same.
>> So this is for the case where you might need to re-run a particular
>> test case? So you don't have to run the complete bucket to get
>> a good log?
>
> Yes, that is correct. You can run only the failed tests, and if the
> other tests passed previously you will get a good total log.
>
>>> This patch also fixes the --list option, which now does
>>> not delete the contents of the run and rollup logs.
>>>
>>> This patch adds a generate (-g|--generate) option that generates
>>> the total run and rollup logs. This might be useful if these
>>> were deleted or not created after aborting testing with SIGINT.
>> Does this option catch the case where a specific test result might be
>> missing?
>> Is there any way to know that not all the test cases were run?
>
> If there are missing cases the log is still generated, but it will contain
> only the tests that were run. There is a way to tell which tests weren't run,
> and in the next patch series we want to add an option to run.bash that will
> run all tests that did not pass or weren't run yet. You will also be able to
> combine this option with the --list option to list only those tests.
Ok, thanks for the explanation.
This patch is fine with me.
-- ljk
|
|
From: Miroslav V. <mva...@re...> - 2013-08-29 12:42:06
|
Hi Linda, let me try to explain in more detail
----- Original Message -----
> On 08/21/13 12:24, Jiri Jaburek wrote:
> > From: Miroslav Vadkerti <mva...@re...>
> >
> > With recent RHEL7 kernel changes, the loginuid call fails with
> > pam_loginuid where the loginuid is already set in the session.
> >
> > This fix temporarily disables pam_loginuid in /etc/pam.d/login
> > as a workaround. This has no effect on the testing purpose of
> > this test.
> >
> > The check for auid in augrok is not needed for this test.
> > The loginuid remains unchanged because of this workaround.
>
> Sorry, but I don't understand what you're saying here.
>
> What's broken?
In RHEL7 pam_loginuid will kick you out if the login uid (auid) is already set. This
is a change in behavior compared to RHEL6, where this worked. This change is not a bug
but a feature, as I was told by our developers. As a consequence all tests that
use the login command (in expect snippets) will fail.
> Why is this workaround ok?
> Why don't we need to check the auid when having it set correctly
> is an important part of logging in?
I think it is enough to test the pam_loginuid functionality with one login mechanism.
In the current upstream code this is tested only by the tests that this patch touches,
using the login command. The truth is I believed the other login mechanism (ssh) is also used
to check the correct auid value. So this patch set will need more work. I would suggest moving
the currently removed auid testing to the ssh tests. This should be sufficient for checking
the correct functionality of pam_loginuid.
>
> If something has changed causing us to no longer have a valid
> login test, I'd rather see the test fail until we do have a valid
> login test.
I think when we introduce the auid testing part to the ssh tests, the login testing is again
on par with the current upstream code.
Hopefully my intentions are more clear now :)
/M
>
> -- ljk
>
> >
> > Signed-off-by: Miroslav Vadkerti <mva...@re...>
> > ---
> > audit-test/libpam/tests/test_login.bash | 4 ++++
> > audit-test/libpam/tests/test_mls_default_login.bash | 9 +++++++--
> > audit-test/libpam/tests/test_mls_level_login.bash | 9 +++++++--
> > audit-test/libpam/tests/test_mls_level_login_fail.bash | 14 +++++++++++---
> > audit-test/libpam/tests/test_namespace.bash | 9 +++++++--
> > audit-test/trustedprograms/tests/test_lpq.bash | 5 +++++
> > 6 files changed, 41 insertions(+), 9 deletions(-)
> >
> > diff --git a/audit-test/libpam/tests/test_login.bash
> > b/audit-test/libpam/tests/test_login.bash
> > index 3d05afa..d834900 100755
> > --- a/audit-test/libpam/tests/test_login.bash
> > +++ b/audit-test/libpam/tests/test_login.bash
> > @@ -26,7 +26,11 @@ chmod 666 $localtmp
> >
> > # turn off screen in /etc/profile
> > backup /etc/profile
> > +backup /etc/pam.d/login
> > sed -i 's/\[ -w $(tty) \]/false/' /etc/profile
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> >
> > # if in LSPP mode, map the TEST_USER to staff_u
> > if [[ $PPROFILE == "lspp" ]]; then
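Review bot: `backup /etc/pam.d/login` lands under the `# turn off screen in /etc/profile` comment, between `backup /etc/profile` and its sed; move it down next to the pam_loginuid comment and sed so each backup sits with the edit it protects. The same comment/backup/sed block is pasted into all six files of the series; a helper beside `backup` in the shared functions would make the later revert (once the ssh tests carry the auid check) a one-line change.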
> > diff --git a/audit-test/libpam/tests/test_mls_default_login.bash
> > b/audit-test/libpam/tests/test_mls_default_login.bash
> > index 6fca015..ac7f2b7 100755
> > --- a/audit-test/libpam/tests/test_mls_default_login.bash
> > +++ b/audit-test/libpam/tests/test_mls_default_login.bash
> > @@ -44,6 +44,11 @@ fi
> > # use backup (and automatic restore) to work around this
> > backup /var/run/utmp
> >
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +backup /etc/pam.d/login
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> > +
> > # test
> > (
> > export localtmp
> > @@ -63,11 +68,11 @@ pts=${pts##*/}
> > msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts
> > res=success.*"
> > augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> > augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> > -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> > +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> > subj=$login_context || exit_fail
> > # Check for ROLE_ASSIGN event for testuser
> > augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range
> > acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0
> > new-seuser=staff_u
> > new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r
> > new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
> > # Check for USER_ROLE_CHANGE for login command
> > -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts
> > res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
> > +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts
> > res=success.*" || exit_fail "USER_ROLE_CHANGE does not match"
> >
> > exit_pass
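Review bot: with pam_loginuid commented out the session keeps the harness's loginuid, as the commit message says, so `auid=$auid` could not match; but deleting the field entirely also stops the test from noticing an unexpected auid in USER_START/USER_ROLE_CHANGE. Matching the inherited value instead (e.g. `auid=$(</proc/self/loginuid)` captured before the expect block) keeps the field under observation, and a one-line comment at the augrok calls on why `$auid` is absent will stop the removal from being read as an oversight later.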
> > diff --git a/audit-test/libpam/tests/test_mls_level_login.bash
> > b/audit-test/libpam/tests/test_mls_level_login.bash
> > index 436bcda..063647f 100755
> > --- a/audit-test/libpam/tests/test_mls_level_login.bash
> > +++ b/audit-test/libpam/tests/test_mls_level_login.bash
> > @@ -42,6 +42,11 @@ fi
> > # use backup (and automatic restore) to work around this
> > backup /var/run/utmp
> >
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +backup /etc/pam.d/login
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> > +
> > # test
> > (
> > export localtmp
> > @@ -68,7 +73,7 @@ fi
> > msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
> > augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
> > augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
> > -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> > +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> > subj=$login_context || exit_fail
> > -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*"
> > auid=$auid || exit_fail
> > +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" ||
> > exit_fail
> > exit_pass
> > diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash
> > b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> > index 92562f9..ba04604 100755
> > --- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
> > +++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
> > @@ -42,6 +42,11 @@ fi
> > # use backup (and automatic restore) to work around this
> > backup /var/run/utmp
> >
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +backup /etc/pam.d/login
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> > +
> > # test
> > (
> > export localtmp
> > @@ -52,11 +57,14 @@ backup /var/run/utmp
> > expect -nocase {level} {send "Y\r"}
> > expect -nocase {role:} {send "\r"}
> > expect -nocase {level:} {send "s15\r"}
> > - expect -nocase {"authentication failure"} {close; wait}'
> > + expect {
> > + -nocase {"authentication failure"} {close; wait}
> > + -nocase {"Cannot make/remove"} {close; wait}
> > + }'
> > )
> >
> > msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
> > -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
> > +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
> > subj=$login_context || exit_fail
> > -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*"
> > auid=$auid || exit_fail
> > +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
> > selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" ||
> > exit_fail
> > exit_pass
> > diff --git a/audit-test/libpam/tests/test_namespace.bash
> > b/audit-test/libpam/tests/test_namespace.bash
> > index 6fb20da..6642350 100755
> > --- a/audit-test/libpam/tests/test_namespace.bash
> > +++ b/audit-test/libpam/tests/test_namespace.bash
> > @@ -59,6 +59,11 @@ backup /var/run/utmp
> > backup /etc/security/namespace.conf
> > echo "/tmp /tmp-parent/tmp-inst/ level root,adm" >
> > /etc/security/namespace.conf
> >
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +backup /etc/pam.d/login
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> > +
> > tmpinstdir=/tmp-parent/tmp-inst/
> > tmpnewfile=/tmp/newfile
> >
> > @@ -87,7 +92,7 @@ auditctl -a entry,always ${MODE:+-F arch=b$MODE} -S open
> > -F uid=$auid || \
> > )
> > # Check the path and context in the audit record.
> > augrok type==SYSCALL \
> > - subj=$s0_context auid=$auid success=yes \
> > + subj=$s0_context success=yes \
> > name=$tmpnewfile obj=$s0_obj\
> > || exit_fail "missing audit record"
> >
> > @@ -110,7 +115,7 @@ log_mark=$(stat -c %s $audit_log)
> >
> > # Check the path and context in the audit record.
> > augrok --seek=$log_mark type==SYSCALL \
> > - subj=$s2_context auid=$auid success=yes \
> > + subj=$s2_context success=yes \
> > name=$tmpnewfile obj=$s2_obj\
> > || exit_fail "missing audit record"
> >
> > diff --git a/audit-test/trustedprograms/tests/test_lpq.bash
> > b/audit-test/trustedprograms/tests/test_lpq.bash
> > index 0cbd45f..ee0f60d 100755
> > --- a/audit-test/trustedprograms/tests/test_lpq.bash
> > +++ b/audit-test/trustedprograms/tests/test_lpq.bash
> > @@ -50,6 +50,11 @@ backup /var/run/utmp
> > semanage login -a -s staff_u -r SystemLow-SystemHigh $TEST_USER || \
> > exit_error "unable to set $TEST_USER to staff_u"
> >
> > +# In RHEL7 the pam_loginuid fails if loginuid already set
> > +# for the purpose of this test we disable it temporarily
> > +backup /etc/pam.d/login
> > +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
> > +
> > # test
> > prepend_cleanup rm -f $CON1OUT $CON2OUT
> > runcon $LPQ1CON lpq -P $printer > $CON1OUT
> >
>
>
> _______________________________________________
> Audit-test-developer mailing list
> Aud...@li...
> https://lists.sourceforge.net/lists/listinfo/audit-test-developer
>
--
Miroslav Vadkerti :: Quality Assurance Engineer / RHCE :: BaseOS QE - Security
Phone +420 532 294 129 :: CR cell +420 775 039 842 :: SR cell +421 904 135 440
IRC mvadkert at #qe #urt #brno #rpmdiff :: GnuPG ID 0x25881087 at pgp.mit.edu
Red Hat s.r.o, Purkyňova 99/71, 612 45, Brno, Czech Republic
|
|
From: Linda K. <lin...@hp...> - 2013-08-29 17:57:47
|
On 08/29/13 08:41, Miroslav Vadkerti wrote:
> Hi Linda, let me try to explain in more detail
>
> ----- Original Message -----
>> On 08/21/13 12:24, Jiri Jaburek wrote:
>>> From: Miroslav Vadkerti <mva...@re...>
>>>
>>> In recent RHEL7 kernel changes the loginuid call fails with
>>> pam_loginuid where loginuid is already set in the session.
>>>
>>> This fix temporarily disables pam_loginuid in /etc/pam.d/login
>>> as a workaround. This has no effect on testing purpose of
>>> this test.
>>>
>>> The check for auid in augrok is not needed for this test.
>>> The loginuid remains unchanged because of this workaround.
>>
>> Sorry, but I don't understand what you're saying here.
>>
>> What's broken?
> In RHEL7 pam_loginuid will kick you out if login uid (auid) is already set. This
> is a change in behavior compared to RHEL6 where this worked. This change is not a bug
> but a feature - as I was told by our developers.
That's bizarre. I wonder what else that's going to break - beyond just the
test cases. Does it really cause the login to fail or does it just not update
the auid? Causing the login to fail doesn't seem right.
> As a consequence all tests that
> use login command (in expect snippets) will fail.
>
>> Why is this workaround ok?
>> Why don't we need to check the auid when having it set correctly
>> is an important part of logging in?
> I think it is enough to test the pam_loginuid functionality with one login mechanism.
> In current upstream code this is tested only with the tests that this patch touches
> using login command. The truth is I believed another login mechanism (ssh) is also used to check
> the correct auid value. So this patch set will need more work. I would suggest moving
> the currently removed auid testing to the ssh tests. This should be sufficient for checking
> the correct functionality of pam_loginuid.
I agree that we don't need to test things in multiple places. We have other
tests for pam_loginuid, such as fail-safe/tests/test_loginuid.bash. It uses ssh
to verify that users can't log in if auditd isn't running, which is something
that is enforced with that pam module. We could have a test case
that uses ssh and explicitly tests auid as a libpam test.
>> If something has changed causing us to no longer have a valid
>> login test, I'd rather see the test fail until we do have a valid
>> login test.
> I think when we introduce the auid testing part to the ssh tests the login testing is again
> on par with the current upstream code.
What's bothering me here is that these login tests are supposed to test the
pam configuration for login, and the first thing it does is modify the pam
configuration for login to not be in the evaluated configuration. It seems
to me like we no longer have a good set of tests for login. For example, if
the system didn't have that session line in /etc/pam.d/login, how would we know?
The tests would succeed but the system would in fact be broken.
> Hopefully my intentions are more clear now :)
They are, and hopefully my concerns are clearer too. I think we're going
to have to figure out how to test login in the evaluated configuration.
In the meantime, I think these tests should just fail if it doesn't work.
-- ljk
>
> /M
>
>>
>> -- ljk
>>
>>>
>>> Signed-off-by: Miroslav Vadkerti <mva...@re...>
>>> ---
>>> audit-test/libpam/tests/test_login.bash | 4 ++++
>>> audit-test/libpam/tests/test_mls_default_login.bash | 9 +++++++--
>>> audit-test/libpam/tests/test_mls_level_login.bash | 9 +++++++--
>>> audit-test/libpam/tests/test_mls_level_login_fail.bash | 14 +++++++++++---
>>> audit-test/libpam/tests/test_namespace.bash | 9 +++++++--
>>> audit-test/trustedprograms/tests/test_lpq.bash | 5 +++++
>>> 6 files changed, 41 insertions(+), 9 deletions(-)
>>>
>>> diff --git a/audit-test/libpam/tests/test_login.bash
>>> b/audit-test/libpam/tests/test_login.bash
>>> index 3d05afa..d834900 100755
>>> --- a/audit-test/libpam/tests/test_login.bash
>>> +++ b/audit-test/libpam/tests/test_login.bash
>>> @@ -26,7 +26,11 @@ chmod 666 $localtmp
>>>
>>> # turn off screen in /etc/profile
>>> backup /etc/profile
>>> +backup /etc/pam.d/login
>>> sed -i 's/\[ -w $(tty) \]/false/' /etc/profile
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>>
>>> # if in LSPP mode, map the TEST_USER to staff_u
>>> if [[ $PPROFILE == "lspp" ]]; then
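Review bot: the new "backup /etc/pam.d/login" is placed between "backup /etc/profile" and the /etc/profile sed, two lines away from the pam sed it protects; keep the backup, the comment and the sed together as one step, the way the other five files in this patch do. The larger issue with this hunk is that the sed succeeds silently whether or not a pam_loginuid session line exists, so a system that is missing the line (and is therefore outside the evaluated configuration) would pass this test exactly like a correct one. Before the sed, assert the line is present, e.g. grep -q '^session.*pam_loginuid' /etc/pam.d/login || exit_error "pam_loginuid not in /etc/pam.d/login", and state in the comment that the test is deliberately running with login outside the evaluated pam stack.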
>>> diff --git a/audit-test/libpam/tests/test_mls_default_login.bash
>>> b/audit-test/libpam/tests/test_mls_default_login.bash
>>> index 6fca015..ac7f2b7 100755
>>> --- a/audit-test/libpam/tests/test_mls_default_login.bash
>>> +++ b/audit-test/libpam/tests/test_mls_default_login.bash
>>> @@ -44,6 +44,11 @@ fi
>>> # use backup (and automatic restore) to work around this
>>> backup /var/run/utmp
>>>
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +backup /etc/pam.d/login
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>> +
>>> # test
>>> (
>>> export localtmp
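Review bot: this comment/backup/sed block is copied verbatim into six test scripts. Put it in one helper function in the shared utils next to backup and call it from each test, so the workaround can be removed in a single place once the RHEL7 login tests are reworked and the regex is not maintained six times.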
>>> @@ -63,11 +68,11 @@ pts=${pts##*/}
>>> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* terminal=pts/$pts
>>> res=success.*"
>>> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
>>> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
>>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
>>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
>>> subj=$login_context || exit_fail
>>> # Check for ROLE_ASSIGN event for testuser
>>> augrok -q type=ROLE_ASSIGN msg_1=~"op=login-sename,role,range
>>> acct=\"$TEST_USER\" old-seuser=user_u old-role=user_r old-range=s0
>>> new-seuser=staff_u
>>> new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r
>>> new-range=$def_range" || exit_fail "ROLE_ASSIGN event does not match"
>>> # Check for USER_ROLE_CHANGE for login command
>>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts
>>> res=success.*" auid=$auid || exit_fail "USER_ROLE_CHANGE does not match"
>>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$def_context.*exe=.(/usr)?/bin/login.* terminal=pts/$pts
>>> res=success.*" || exit_fail "USER_ROLE_CHANGE does not match"
>>>
>>> exit_pass
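Review bot: dropping auid=$auid from the USER_START and USER_ROLE_CHANGE matches makes the records acceptable with any auid, so the test no longer checks which login session the events were attributed to; only acct, exe and terminal=pts/$pts still tie them to this login. If, as the commit message says, the loginuid is expected to remain unchanged under this workaround, match the auid the harness actually has instead of removing the field, so the claimed invariant is tested rather than ignored.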
>>> diff --git a/audit-test/libpam/tests/test_mls_level_login.bash
>>> b/audit-test/libpam/tests/test_mls_level_login.bash
>>> index 436bcda..063647f 100755
>>> --- a/audit-test/libpam/tests/test_mls_level_login.bash
>>> +++ b/audit-test/libpam/tests/test_mls_level_login.bash
>>> @@ -42,6 +42,11 @@ fi
>>> # use backup (and automatic restore) to work around this
>>> backup /var/run/utmp
>>>
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +backup /etc/pam.d/login
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>> +
>>> # test
>>> (
>>> export localtmp
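Review bot: the pattern anchors on "^session", so a pam_loginuid line with leading whitespace or written with the "-session" control prefix would stay active and the login in the expect snippet would then fail with no hint why. Either widen the pattern (for example "^[[:space:]]*-\?session.*pam_loginuid") or, better, check after the sed that no active pam_loginuid line remains and exit_error otherwise.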
>>> @@ -68,7 +73,7 @@ fi
>>> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=success.*"
>>> augrok -q type=USER_AUTH msg_1=~"PAM:authentication $msg_1" || exit_fail
>>> augrok -q type=USER_ACCT msg_1=~"PAM:accounting $msg_1" || exit_fail
>>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
>>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
>>> subj=$login_context || exit_fail
>>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*"
>>> auid=$auid || exit_fail
>>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=success.*" ||
>>> exit_fail
>>> exit_pass
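Review bot: with auid=$auid removed from both augrok calls nothing in this test looks at the auid field any more. If $auid is still computed earlier in the script but no longer used, remove that too; if it is still used, say in a comment next to these matches why the auid is intentionally not checked here (the spawned login does not run pam_loginuid), so the field is not reinstated later and the test broken again.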
>>> diff --git a/audit-test/libpam/tests/test_mls_level_login_fail.bash
>>> b/audit-test/libpam/tests/test_mls_level_login_fail.bash
>>> index 92562f9..ba04604 100755
>>> --- a/audit-test/libpam/tests/test_mls_level_login_fail.bash
>>> +++ b/audit-test/libpam/tests/test_mls_level_login_fail.bash
>>> @@ -42,6 +42,11 @@ fi
>>> # use backup (and automatic restore) to work around this
>>> backup /var/run/utmp
>>>
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +backup /etc/pam.d/login
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>> +
>>> # test
>>> (
>>> export localtmp
>>> @@ -52,11 +57,14 @@ backup /var/run/utmp
>>> expect -nocase {level} {send "Y\r"}
>>> expect -nocase {role:} {send "\r"}
>>> expect -nocase {level:} {send "s15\r"}
>>> - expect -nocase {"authentication failure"} {close; wait}'
>>> + expect {
>>> + -nocase {"authentication failure"} {close; wait}
>>> + -nocase {"Cannot make/remove"} {close; wait}
>>> + }'
>>> )
>>>
>>> msg_1="acct=\"*$TEST_USER\"* exe=.(/usr)?/bin/login.* res=failed.*"
>>> -augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" auid=$auid \
>>> +augrok -q type=USER_START msg_1=~"PAM:session_open $msg_1" \
>>> subj=$login_context || exit_fail
>>> -augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*"
>>> auid=$auid || exit_fail
>>> +augrok -q type=USER_ROLE_CHANGE msg_1=~"pam: default-context=$def_context
>>> selected-context=$sel_context.*exe=.(/usr)?/bin/login.* res=failed.*" ||
>>> exit_fail
>>> exit_pass
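Review bot: the expect block now also treats "Cannot make/remove" as the expected outcome, but neither the commit message nor a comment explains which component prints that string or why a session-setup message counts as the same result as "authentication failure" in a test that then requires USER_START and USER_ROLE_CHANGE records with res=failed. Document that next to the pattern; as written, a future regression in session setup would be masked by this test passing. Since both branches run the same "close; wait", a single -nocase -re alternation would also keep this to one line.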
>>> diff --git a/audit-test/libpam/tests/test_namespace.bash
>>> b/audit-test/libpam/tests/test_namespace.bash
>>> index 6fb20da..6642350 100755
>>> --- a/audit-test/libpam/tests/test_namespace.bash
>>> +++ b/audit-test/libpam/tests/test_namespace.bash
>>> @@ -59,6 +59,11 @@ backup /var/run/utmp
>>> backup /etc/security/namespace.conf
>>> echo "/tmp /tmp-parent/tmp-inst/ level root,adm" >
>>> /etc/security/namespace.conf
>>>
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +backup /etc/pam.d/login
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>> +
>>> tmpinstdir=/tmp-parent/tmp-inst/
>>> tmpnewfile=/tmp/newfile
>>>
>>> @@ -87,7 +92,7 @@ auditctl -a entry,always ${MODE:+-F arch=b$MODE} -S open
>>> -F uid=$auid || \
>>> )
>>> # Check the path and context in the audit record.
>>> augrok type==SYSCALL \
>>> - subj=$s0_context auid=$auid success=yes \
>>> + subj=$s0_context success=yes \
>>> name=$tmpnewfile obj=$s0_obj\
>>> || exit_fail "missing audit record"
>>>
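Review bot: the auditctl rule in the hunk context still keys on -F uid=$auid while the augrok match no longer constrains the auid field, so the record is now identified only by subj, name, obj and success=yes. That is still a meaningful check, but add a comment above the augrok call stating that auid is deliberately not matched because the spawned login no longer sets loginuid; without it the two lines read as an inconsistency and the next reader will restore the auid match.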
>>> @@ -110,7 +115,7 @@ log_mark=$(stat -c %s $audit_log)
>>>
>>> # Check the path and context in the audit record.
>>> augrok --seek=$log_mark type==SYSCALL \
>>> - subj=$s2_context auid=$auid success=yes \
>>> + subj=$s2_context success=yes \
>>> name=$tmpnewfile obj=$s2_obj\
>>> || exit_fail "missing audit record"
>>>
>>> diff --git a/audit-test/trustedprograms/tests/test_lpq.bash
>>> b/audit-test/trustedprograms/tests/test_lpq.bash
>>> index 0cbd45f..ee0f60d 100755
>>> --- a/audit-test/trustedprograms/tests/test_lpq.bash
>>> +++ b/audit-test/trustedprograms/tests/test_lpq.bash
>>> @@ -50,6 +50,11 @@ backup /var/run/utmp
>>> semanage login -a -s staff_u -r SystemLow-SystemHigh $TEST_USER || \
>>> exit_error "unable to set $TEST_USER to staff_u"
>>>
>>> +# In RHEL7 the pam_loginuid fails if loginuid already set
>>> +# for the purpose of this test we disable it temporarily
>>> +backup /etc/pam.d/login
>>> +sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' /etc/pam.d/login
>>> +
>>> # test
>>> prepend_cleanup rm -f $CON1OUT $CON2OUT
>>> runcon $LPQ1CON lpq -P $printer > $CON1OUT
>>>
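Review bot: nothing in this hunk's context invokes login; the visible test body runs runcon $LPQ1CON lpq. The commit message says the workaround is for tests that drive login through expect snippets, so either note in the comment where this script calls login (it is not in the shown lines) or drop the hunk from test_lpq.bash if it does not.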
>>
>>
>>
>
|
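The question raised above, how the tests would notice that the pam_loginuid session line is missing from /etc/pam.d/login before they comment it out, can be answered with an explicit check around the workaround. The following is an added example, not code from the audit-test suite or from anyone in this thread; it assumes a RHEL-style /etc/pam.d/login layout, works on a constructed sample file rather than the live system, and reuses the sed expression from the patch so the effect on a real file would be the same.

```shell
#!/bin/bash
# Added example (not part of audit-test): verify that the evaluated
# /etc/pam.d/login still carries an active pam_loginuid session line before
# a test disables it, so a missing line is reported instead of silently
# letting the test pass.

# Return 0 if the PAM stack in file $1 has an active (uncommented)
# "session ... pam_loginuid" line, 1 otherwise.
pam_loginuid_active() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_loginuid' "$1"
}

# Comment out the pam_loginuid session line in $1 with the same sed the
# patch uses, but return 2 if there was no active line to disable and 3 if
# an active line is still present afterwards (pattern did not match it).
disable_pam_loginuid() {
    local f=$1
    pam_loginuid_active "$f" || return 2
    sed -i 's/\(^session.*pam_loginuid.*$\)/\#\1/' "$f"
    pam_loginuid_active "$f" && return 3
    return 0
}

# Constructed sample of a RHEL-style /etc/pam.d/login (assumption: written
# for this example, not copied from a real system), stored in a temp file.
# Prints the temp file name.
make_sample_login() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#%PAM-1.0
auth       substack     system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    include      system-auth
EOF
    echo "$f"
}

# Demo: first call disables the line, second call reports that there was
# nothing left to disable.
f=$(make_sample_login)
rc=0; disable_pam_loginuid "$f" || rc=$?
echo "first disable: rc=$rc"    # 0: line was present and is now commented out
rc=0; disable_pam_loginuid "$f" || rc=$?
echo "second disable: rc=$rc"   # 2: no active pam_loginuid line left
rm -f "$f"
```

In a test script the equivalent would be to call the disable step and exit_error on a non-zero return, so a system whose login stack lacks pam_loginuid fails the test instead of passing with a silently no-op sed.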