From: Jiri J. <jja...@re...> - 2013-12-04 14:27:56
Hi,

no big breakthroughs this time, just misc fixes all around the place:

  2.4% audit-test/kvm/
 12.6% audit-test/misc/tests/
  3.0% audit-test/network/system/
 19.7% audit-test/trustedprograms/tests/
  1.2% audit-test/utils/selinux-policy/
 22.4% audit-test/utils/
  6.6% audit-test/
 31.7% ltp/

There are some run.bash related fixes for the log merging functionality (which was included recently), envcheck improvements, (hopefully) a final solution to the tar --xattrs problem discussed in one of the earlier patch series, audit-like ltp.run.log / ltp.rollup.log LTP logs, ...

All in all, a peaceful patch series, just in time for December. The changes are RHEL6 compatible, tested on various RHEL6.y releases and streams by Miroslav Vadkerti.

Please see commit messages of respective patches for more information; the patches are attached via In-Reply-To/References to this mail.

Thanks,
Jiri
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:43
From: Miroslav Vadkerti <mva...@re...> Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/utils/run.bash | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash index dbd45cb..49ffcc7 100755 --- a/audit-test/utils/run.bash +++ b/audit-test/utils/run.bash @@ -524,8 +524,11 @@ function generate_logs { echo -n > $opt_log echo -n > $opt_rollup - # add header to run log if exists - [ -f $opt_logdir/$header_log ] && cat $opt_logdir/$header_log > $opt_log + # add header to run and rollup log if exists + if [ -f $opt_logdir/$header_log ]; then + cat $opt_logdir/$header_log > $opt_rollup + cat $opt_logdir/$header_log > $opt_log + fi # create total run log for log in $(ls $opt_logdir/$opt_log.* | sed 's/\(.*\)\.\(.*\)/\1 \2/g' | sort -k2 -n | tr ' ' '.'); do -- 1.8.3.1 |
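Review bot: the new `cat` lines in generate_logs still expand `$opt_logdir/$header_log`, `$opt_rollup` and `$opt_log` unquoted, so a log directory with whitespace in its path breaks the redirections; quote them (`cat "$opt_logdir/$header_log" > "$opt_rollup"`). The commit also carries no message explaining why the header now belongs in the rollup log as well as the run log; one sentence about the merged-log format would help anyone reading `git log` later.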
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:42
This - for example - avoids execution of cleanup during --list. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/utils/run.bash | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/audit-test/utils/run.bash b/audit-test/utils/run.bash index 49ffcc7..a2a5da6 100755 --- a/audit-test/utils/run.bash +++ b/audit-test/utils/run.bash @@ -169,8 +169,6 @@ function + { # startup/cleanup #---------------------------------------------------------------------- -trap 'cleanup; close_log; exit' 0 1 2 3 15 - # early_startup runs before parsing cmdline and run.conf function early_startup { # If we're running the mls policy, check that we're in the lspp_test_r role @@ -226,6 +224,9 @@ function startup { mkdir "$opt_logdir" fi + # Open the logs before running the tests + open_log + # Initialize audit configuration and make sure auditd is running auditd_orig=$(mktemp $auditd_conf.XXXXXX) || return 2 cp -a "$auditd_conf" "$auditd_orig" || return 2 @@ -445,9 +446,6 @@ function parse_cmdline { done exit 0 fi - - # Open the logs before running the tests - open_log } function show_header { @@ -699,6 +697,7 @@ function run_tests { early_startup parse_cmdline "$@" +trap 'cleanup; close_log; exit' 0 1 2 3 15 startup || die "startup failed" run_tests exit $? -- 1.8.3.1 |
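Review bot: with the trap installed only after parse_cmdline, `close_log` can now run from the trap before `open_log` has been called, for instance when startup fails at the `mktemp`/`cp` steps (return 2, then `die "startup failed"`) or on Ctrl-C during startup; confirm close_log tolerates an unopened log, or install the trap right after open_log returns. The flip side is intended by the commit message (no cleanup during --list), but note that early_startup and parse_cmdline now run with no signal trap at all, which is only safe as long as they create nothing that cleanup would have removed.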
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:45
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/README.run | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/audit-test/README.run b/audit-test/README.run index 22389c3..fe4e607 100644 --- a/audit-test/README.run +++ b/audit-test/README.run @@ -298,6 +298,11 @@ Note: The tests must be run from an interactive terminal; running the tests as a backgrounded task does not work, and will result in spurious test case failures. +To run only tests that were not run, failed or for some other reason didn't +PASS, you can use "rerun" instead of another "run": + +# make rerun + Notes for FIPS enabled machines: 1) When testing in FIPS mode all tests that use ipsec are expected to FAIL. Precisely these should be all the ipsec network tests and the ipsec* and @@ -478,3 +483,7 @@ On an LSPP/MLS machine (except RHEL6): On a SuSE system: # echo audit >> /etc/pwdutils/logging + +#--------------------------------------------------------------- +# prevent shell-like incorrect vim syntax highlight of this file +# vim: syntax=off : -- 1.8.3.1 |
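Review bot: the new `make rerun` paragraph should say which result file rerun consults to decide what did not PASS, so readers understand that deleting or regenerating the logs changes what a rerun will execute; as written that is left implicit. The trailing `# vim: syntax=off :` modeline is harmless but only takes effect where vim's `modeline` option is on (it is off by default for root), so it is a best-effort nicety rather than something other docs should rely on.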
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:49
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/utils/envcheck | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck index 89d026b..2e28754 100755 --- a/audit-test/utils/envcheck +++ b/audit-test/utils/envcheck @@ -177,19 +177,28 @@ check_user_session() { ### SUITE LOCATION -check_suite_loc() { +check_suite() { local CHECK_FAILED # requires for this check [ "$AUDITDIR" ] || return 2 + # check location check "[ -d \"$AUDITDIR\" ]" check "[ -d \"$AUDITDIR/audit-test\" ]" check "[ -d \"$AUDITDIR/ltp\" ]" + # check mode [ -d "$AUDITDIR" ] && \ check "[ \"$(stat --format=%a "$AUDITDIR")\" = \"755\" ]" 0 "$AUDITDIR has mode 755" + # check context + if [ "$PPROFILE" = "lspp" ]; then + local context=$(stat -c%C "$AUDITDIR") + check "[ \"$context\" = \"system_u:object_r:lspp_test_dir_t:SystemLow\" ]" 0 \ + "$AUDITDIR has correct context" + fi + if [ "$CHECK_FAILED" ]; then echo echo "Audit-test suite not found or incorrectly installed in $AUDITDIR." @@ -197,7 +206,7 @@ check_suite_loc() { echo "Please install/extract the suite according to README.run." return 1 else - check_suite_loc_ok=1 + check_suite_ok=1 fi } @@ -350,7 +359,7 @@ check_kvm() { local CHECK_FAILED # requires for this check - [ "$AUDITDIR" -a "$check_suite_loc_ok" ] || return 2 + [ "$AUDITDIR" -a "$check_suite_ok" ] || return 2 [ "$(uname -m)" = "x86_64" ] || { echo "KVM tests not supported on $(uname -m) architecture" return 2 @@ -388,7 +397,7 @@ check_kvm() { CHECKS=" check_variables check_user_session -check_suite_loc +check_suite check_networking_if check_networking_probe check_services -- 1.8.3.1 |
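Review bot: in the new context check, `local context=$(stat -c%C "$AUDITDIR")` hides stat's exit status behind the `local` assignment, and the expected value is compared as a literal that includes the translated level `SystemLow`; when mcstransd translation is not active, stat prints the raw `s0` level and the check fails with the misleading "not found or incorrectly installed" message on a correctly installed suite. Consider comparing only the `user:role:type` part (`${context%:*}`), or naming the mcstransd requirement in the failure text.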
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:52
Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/utils/envcheck | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck index 2e28754..d43958f 100755 --- a/audit-test/utils/envcheck +++ b/audit-test/utils/envcheck @@ -143,6 +143,36 @@ check_variables() { } +### RPM DEPENDENCIES +check_rpm_deps() { + local CHECK_FAILED + + # requires for this check + which rpm &>/dev/null || { + echo "rpm binary not available, skipping rpm dependency checks" + return 2 + } + + # from README.run + local rpms="audit-libs-devel expect libselinux-devel perl-devel \ + perl-Expect perl-IO-Tty" + + for rpm in $rpms; do + check "rpm -q \"$rpm\"" 0 "rpm package $rpm is installed" + done; + + if [ "$CHECK_FAILED" ]; then + echo + echo "RPM dependency checking failed." + echo "Please make sure you have installed all necessary suite" + echo "requires / dependencies specified at the top of README.run." + return 1 + else + check_rpm_deps=1 + fi +} + + ### USER SESSION check_user_session() { local CHECK_FAILED @@ -396,6 +426,7 @@ check_kvm() { # checks to be run, ordering is important CHECKS=" check_variables +check_rpm_deps check_user_session check_suite check_networking_if -- 1.8.3.1 |
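Review bot: the success branch sets `check_rpm_deps=1`, which is the function's own name rather than the `_ok` suffix the other checks use (`check_suite_ok=1`), so anything gating on `$check_rpm_deps_ok` later will never see it set. Minor points in the same hunk: `which rpm` could be `command -v rpm` to avoid depending on the `which` package, and the stray semicolon in `done;` can go.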
From: Stephan M. <ste...@at...> - 2013-12-04 14:57:22
Am Mittwoch, 4. Dezember 2013, 15:28:44 schrieb Jiri Jaburek: Hi Jiri, >Signed-off-by: Jiri Jaburek <jja...@re...> >--- > audit-test/utils/envcheck | 31 +++++++++++++++++++++++++++++++ > 1 file changed, 31 insertions(+) > >diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck >index 2e28754..d43958f 100755 >--- a/audit-test/utils/envcheck >+++ b/audit-test/utils/envcheck >@@ -143,6 +143,36 @@ check_variables() { > } > > >+### RPM DEPENDENCIES >+check_rpm_deps() { >+ local CHECK_FAILED >+ >+ # requires for this check >+ which rpm &>/dev/null || { >+ echo "rpm binary not available, skipping rpm dependency >checks" + return 2 >+ } >+ >+ # from README.run >+ local rpms="audit-libs-devel expect libselinux-devel perl-devel \ >+ perl-Expect perl-IO-Tty" Question: is it wise to hard code the RPM names? Note, other distros may use different names. >+ >+ for rpm in $rpms; do >+ check "rpm -q \"$rpm\"" 0 "rpm package $rpm is installed" >+ done; >+ >+ if [ "$CHECK_FAILED" ]; then >+ echo >+ echo "RPM dependency checking failed." >+ echo "Please make sure you have installed all necessary suite" >+ echo "requires / dependencies specified at the top of >README.run." + return 1 >+ else >+ check_rpm_deps=1 >+ fi >+} >+ >+ > ### USER SESSION > check_user_session() { > local CHECK_FAILED >@@ -396,6 +426,7 @@ check_kvm() { > # checks to be run, ordering is important > CHECKS=" > check_variables >+check_rpm_deps > check_user_session > check_suite > check_networking_if Ciao Stephan |
From: Jiri J. <jja...@re...> - 2013-12-04 15:10:29
On 12/04/2013 03:41 PM, Stephan Mueller wrote: > Am Mittwoch, 4. Dezember 2013, 15:28:44 schrieb Jiri Jaburek: > > Hi Jiri, > Hi Stephan, >> Signed-off-by: Jiri Jaburek <jja...@re...> >> --- >> audit-test/utils/envcheck | 31 +++++++++++++++++++++++++++++++ >> 1 file changed, 31 insertions(+) >> >> diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck >> index 2e28754..d43958f 100755 >> --- a/audit-test/utils/envcheck >> +++ b/audit-test/utils/envcheck 
>> @@ -143,6 +143,36 @@ check_variables() { >> } >> >> >> +### RPM DEPENDENCIES >> +check_rpm_deps() { >> + local CHECK_FAILED >> + >> + # requires for this check >> + which rpm &>/dev/null || { >> + echo "rpm binary not available, skipping rpm dependency >> checks" + return 2 >> + } >> + >> + # from README.run >> + local rpms="audit-libs-devel expect libselinux-devel perl-devel \ >> + perl-Expect perl-IO-Tty" > > Question: is it wise to hard code the RPM names? Note, other distros may > use different names. The following was mentioned in a commit which introduced envcheck: The idea is to catch various configuration or setup errors and give useful hints, so that the user doesn't have to debug the system/suite to find out what could possibly go wrong. This script is not supposed to replace or duplicate functionality provided by the suite itself, it should be only used for basic sanity verification of the environment. It doesn't claim to reveal all configuration errors, but it can still be useful. Because of the reasons mentioned above, running this script is purely optional. The idea being that it's not the ultimate checking thing, which must pass in all checks. The RPM list is taken from README.run and is thus hardcoded there as well. I've tried to limit this new rpm deps check to RPM-specific distros by checking the `rpm' command availability (which itself is a rather lame check, better ideas welcome), but I'm not against more complex verification methods. I didn't want to limit the package names to RHEL, since there may be other RPM-based distros with the same package names (ie. CentOS). If the check starts failing on RHEL-unrelated RPM-based distros, it at least makes the person double-check the required dependencies and (hopefully) report the problem on this list, so we can come up with a better solution (using case/esac, for example). Overall, a much better check would be file-based. 
That would, however, require some serious suite digging for truly required files, which is kind of out of the scope of the envcheck script. > >> + >> + for rpm in $rpms; do >> + check "rpm -q \"$rpm\"" 0 "rpm package $rpm is installed" >> + done; >> + >> + if [ "$CHECK_FAILED" ]; then >> + echo >> + echo "RPM dependency checking failed." >> + echo "Please make sure you have installed all necessary suite" >> + echo "requires / dependencies specified at the top of >> README.run." + return 1 >> + else >> + check_rpm_deps=1 >> + fi >> +} >> + >> + >> ### USER SESSION >> check_user_session() { >> local CHECK_FAILED >> @@ -396,6 +426,7 @@ check_kvm() { >> # checks to be run, ordering is important >> CHECKS=" >> check_variables >> +check_rpm_deps >> check_user_session >> check_suite >> check_networking_if > > > Ciao > Stephan > |
From: Stephan M. <ste...@at...> - 2013-12-04 15:15:49
Am Mittwoch, 4. Dezember 2013, 16:10:15 schrieb Jiri Jaburek: Hi Jiri, >> >> Question: is it wise to hard code the RPM names? Note, other distros >> may use different names. > >The following was mentioned in a commit which introduced envcheck: Ok, I have not linked that explanation with your patch :-) Disregard my comment. Ciao Stephan |
From: Linda K. <lin...@hp...> - 2013-12-05 16:13:24
Jiri Jaburek wrote: > On 12/04/2013 03:41 PM, Stephan Mueller wrote: >> Am Mittwoch, 4. Dezember 2013, 15:28:44 schrieb Jiri Jaburek: >> >> Hi Jiri, >> > > Hi Stephan, > >>> Signed-off-by: Jiri Jaburek <jja...@re...> >>> --- >>> audit-test/utils/envcheck | 31 +++++++++++++++++++++++++++++++ >>> 1 file changed, 31 insertions(+) >>> >>> diff --git a/audit-test/utils/envcheck b/audit-test/utils/envcheck >>> index 2e28754..d43958f 100755 >>> --- a/audit-test/utils/envcheck >>> +++ b/audit-test/utils/envcheck 
>>> @@ -143,6 +143,36 @@ check_variables() { >>> } >>> >>> >>> +### RPM DEPENDENCIES >>> +check_rpm_deps() { >>> + local CHECK_FAILED >>> + >>> + # requires for this check >>> + which rpm &>/dev/null || { >>> + echo "rpm binary not available, skipping rpm dependency >>> checks" + return 2 >>> + } >>> + >>> + # from README.run >>> + local rpms="audit-libs-devel expect libselinux-devel perl-devel \ >>> + perl-Expect perl-IO-Tty" >> Question: is it wise to hard code the RPM names? Note, other distros may >> use different names. > > The following was mentioned in a commit which introduced envcheck: > > The idea is to catch various configuration or setup errors > and give useful hints, so that the user doesn't have to debug > the system/suite to find out what could possibly go wrong. > > This script is not supposed to replace or duplicate functionality > provided by the suite itself, it should be only used for basic sanity > verification of the environment. It doesn't claim to reveal all > configuration errors, but it can still be useful. > > Because of the reasons mentioned above, running this script > is purely optional. > > The idea being that it's not the ultimate checking thing, which must > pass in all checks. > > The RPM list is taken from README.run and is thus hardcoded there as > well. I've tried to limit this new rpm deps check to RPM-specific > distros by checking the `rpm' command availability (which itself is > a rather lame check, better ideas welcome), but I'm not against more > complex verification methods. > I didn't want to limit the package names to RHEL, since there may be > other RPM-based distros with the same package names (ie. CentOS). > If the check starts failing on RHEL-unrelated RPM-based distros, > it at least makes the person double-check the required dependencies > and (hopefully) report the problem on this list, so we can come up with > a better solution (using case/esac, for example). 
> > Overall, a much better check would be file-based. That would, however, > require some serious suite digging for truly required files, which is > kind of out of the scope of the envcheck script. There is code in rules.mk that tries to identify the distro (at least SLES, Fedora and RHEL) so if necessary, would conditionalize these kind of checks if a distro cares to add the code to do that. We export a DISTRO variable that can be used. I know of no one who has tried this on a debian-based distro but patches welcome. :-) -- ljk > >>> + >>> + for rpm in $rpms; do >>> + check "rpm -q \"$rpm\"" 0 "rpm package $rpm is installed" >>> + done; >>> + >>> + if [ "$CHECK_FAILED" ]; then >>> + echo >>> + echo "RPM dependency checking failed." >>> + echo "Please make sure you have installed all necessary suite" >>> + echo "requires / dependencies specified at the top of >>> README.run." + return 1 >>> + else >>> + check_rpm_deps=1 >>> + fi >>> +} >>> + >>> + >>> ### USER SESSION >>> check_user_session() { >>> local CHECK_FAILED >>> @@ -396,6 +426,7 @@ check_kvm() { >>> # checks to be run, ordering is important >>> CHECKS=" >>> check_variables >>> +check_rpm_deps >>> check_user_session >>> check_suite >>> check_networking_if >> >> Ciao >> Stephan >> > > > ------------------------------------------------------------------------------ > Sponsored by Intel(R) XDK > Develop, test and display web and hybrid apps with a single code base. > Download it for free now! > http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk > _______________________________________________ > Audit-test-developer mailing list > Aud...@li... > https://lists.sourceforge.net/lists/listinfo/audit-test-developer |
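As an added example (not code from the audit-test suite), here is how the DISTRO mapping Linda mentions and the file-based check Jiri describes can be combined in an envcheck-style dependency check; the RHEL package names are the ones from the patch, while the Fedora entry, the file and command lists, and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the audit-test suite. Exit status convention
# follows envcheck's checks as seen in the patch: 0 = ok, 1 = failed,
# 2 = check skipped because it does not apply here.

# Map a DISTRO value (as exported by rules.mk) to the RPM names README.run
# lists. Only the RHEL list comes from the patch; Fedora sharing the same
# names is an assumption. Unknown distros are skipped, not failed.
deps_for_distro() {
    case "$1" in
        RHEL|Fedora)
            echo "audit-libs-devel expect libselinux-devel perl-devel perl-Expect perl-IO-Tty" ;;
        *)
            return 2 ;;
    esac
}

# Distro-independent part: what the suite actually needs on disk. These
# lists are assumptions standing in for the "serious suite digging" the
# thread says a real file-based check would require.
REQUIRED_FILES="/usr/include/libaudit.h /usr/include/selinux/selinux.h"
REQUIRED_CMDS="expect perl"
REQUIRED_PERL_MODULES="Expect IO::Tty"

# check_cmds CMD...: 0 if every command is on PATH, 1 otherwise.
check_cmds() {
    rc=0
    for c in "$@"; do
        command -v "$c" >/dev/null 2>&1 || { echo "missing command: $c"; rc=1; }
    done
    return $rc
}

# check_files PATH...: 0 if every path exists, 1 otherwise.
check_files() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || { echo "missing file: $f"; rc=1; }
    done
    return $rc
}

# check_perl_modules MODULE...: 0 if perl can load each module, 1 otherwise.
check_perl_modules() {
    rc=0
    for m in "$@"; do
        perl -M"$m" -e 1 >/dev/null 2>&1 || { echo "missing perl module: $m"; rc=1; }
    done
    return $rc
}

# check_rpm_deps DISTRO: package-based check when the distro is known and
# rpm is present; returns 2 (skip) otherwise so the caller can fall back
# to the file-based checks below.
check_rpm_deps() {
    pkgs=$(deps_for_distro "$1") || return 2
    command -v rpm >/dev/null 2>&1 || return 2
    rc=0
    for p in $pkgs; do
        rpm -q "$p" >/dev/null 2>&1 || { echo "rpm package $p is not installed"; rc=1; }
    done
    return $rc
}

# run_dep_checks DISTRO: prefer the package check; when it is skipped, use
# the file-based checks so non-RPM distros still get a useful answer.
run_dep_checks() {
    check_rpm_deps "$1"
    case $? in
        0) return 0 ;;
        1) return 1 ;;
    esac
    echo "package check skipped for DISTRO='$1', using file-based checks"
    check_files $REQUIRED_FILES && check_cmds $REQUIRED_CMDS \
        && check_perl_modules $REQUIRED_PERL_MODULES
}
```

Call `run_dep_checks "$DISTRO"` from the CHECKS list to get the same 0/1/2 semantics as the other envcheck checks.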
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:56
This feature was useful back when the suite was hard-locked to using only the first NIC as lblnet. This limitation has been lifted and the interface is now selectable by the user (using LOCAL_* variables), which means that "getaddress" can no longer automatically guess what interface or addresses are going to be used (by design). The current behavior is to just echo what the user provided in LOCAL_IPV* variables. Furthermore, the Makefile target depends on install_check, which makes the user set LBLNET_SVR_IPV* as well. In conclusion, the getaddress is now simply useless as it prints out already known information, entered by the user. Its usage, as recommended by README.run, is also invalid as it fails on LBLNET_SVR_IPV4 being unset at that time. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/README.run | 4 ---- audit-test/network/system/Makefile | 7 +------ 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/audit-test/README.run b/audit-test/README.run index fe4e607..e8f1493 100644 --- a/audit-test/README.run +++ b/audit-test/README.run @@ -163,10 +163,6 @@ Confirm that the the network test server contains both the IPv4 and IPv6 addresses of the test machine. -NOTE: If you need to determine the test machine's IP addresses to add to the -client_list.txt file, run the following commands on the test machine: -# make -C network/system getaddress - Configure the KVM tests ----------------------- diff --git a/audit-test/network/system/Makefile b/audit-test/network/system/Makefile index 7ce3f63..8fa0627 100644 --- a/audit-test/network/system/Makefile +++ b/audit-test/network/system/Makefile @@ -20,7 +20,7 @@ include $(TOPDIR)/rules.mk # XXX - all this stuff for the config files is a kludge and needs cleanup -.PHONY: install getaddress \ +.PHONY: install \ install_client install_server \ install_check install_setrans install_netlabel \ install_ipsec_client install_ipsec_server 
@@ -28,11 +28,6 @@ include $(TOPDIR)/rules.mk # perform the client install by default install: install_client -# helper target to get local addresses -getaddress: install_check - @echo "Local IPv4 address -> %LOCAL_IPV4%" | ./addr_filter.bash - @echo "Local IPv6 address -> %LOCAL_IPV6%" | ./addr_filter.bash - install_client: install_setrans install_ipsec_client install_netlabel cat rc.local.client | ./addr_filter.bash > rc.local install -o root -g root -m 755 rc.local /etc/rc.d -- 1.8.3.1 |
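Review bot: with the NOTE removed, the README section that asks the reader to confirm the network test server contains both addresses of the test machine no longer says where those addresses come from; add one sentence pointing at the LOCAL_IPV4/LOCAL_IPV6 variables the commit message says now hold them. The Makefile hunk is consistent on its own: addr_filter.bash is still used by install_client, so only the getaddress target goes.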
From: Jiri J. <jja...@re...> - 2013-12-04 14:28:59
Also make tar use explicit --selinux and --acls. The --xattrs is a custom RHEL feature on RHEL5/RHEL6 that backs up and extracts all xattrs, incl. all namespaces (security, system, trusted, user). On RHEL7, the --xattrs comes from upstream version of tar, which backs up only the user namespace by default. This can be changed to RHEL5/RHEL6 behavior using --xattrs-include='*', but this would not be backwards compatible and - furthermore - is not very correct. The fact is that test_tar checks for SELinux contexts using ls -Z, not *any* generic file contexts. Therefore we want tar to back up and restore SELinux file contexts, regardless of how they're implemented internally (ie. using xattrs). It thus makes sense to use explicit --selinux switch (available on RHEL5/RHEL6/RHEL7). Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/misc/tests/test_tar.bash | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/audit-test/misc/tests/test_tar.bash b/audit-test/misc/tests/test_tar.bash index 8ea8da9..f83b45f 100755 --- a/audit-test/misc/tests/test_tar.bash +++ b/audit-test/misc/tests/test_tar.bash @@ -20,13 +20,14 @@ # FILE : test_tar.bash # # TEST DESCRIPTION: Verify that the tar program preserves file security -# contexts. Pack up files with various contexts using tar, -# unpack them in another directory, and compare the file -# contexts using ls -Z. The file contexts should all -# be preserved. +# (SELinux) contexts and ACLs. Pack up files with various +# attributes using tar, unpack them in another directory +# and compare the file contexts and ACLs. Both the file +# contexts and ACLs should all be preserved. # # HISTORY: 05/2007 created by Lisa Smith <lis...@hp...> # 08/2011 ported to audit-test by Tony Ernst <te...@sg...> +# 10/2013 added ACL testing by Jiri Jaburek <jja...@re...> # ############################################################################# source misc_functions.bash || exit 2 
@@ -55,8 +56,12 @@ chcon -t tmp_t -l SystemLow $FILE_DIR/fileLow || exit_fail chmod 744 $FILE_DIR/fileSecret || exit_fail chcon -t bin_t -l Secret $FILE_DIR/fileSecret || exit_fail +# Add some ACL entries to one of the files +setfacl -n -m u:1234:rwx $FILE_DIR/fileSecret +setfacl -n -m g:4321:--x $FILE_DIR/fileSecret + # Pack up the files in the test_files directory -tar cf $TAR_FILE --xattrs -H posix -C $FILE_DIR . +tar cf $TAR_FILE --selinux --acls -H posix -C $FILE_DIR . # Verify the files were successfully packed if [ $? != 0 ]; then @@ -64,7 +69,7 @@ if [ $? != 0 ]; then fi # Unpack the files -tar xvf $TAR_FILE --xattrs -C $EXTRACT_DIR +tar xvf $TAR_FILE --selinux --acls -C $EXTRACT_DIR if [ $? != 0 ]; then exit_error "Error unpacking tar archive" fi @@ -77,4 +82,8 @@ if [ $? != 0 ]; then exit_fail "tar did not preserve correct files and/or security contexts" fi +# Check ACLs +getfacl $EXTRACT_DIR/fileSecret | grep user:1234:rwx || exit_fail +getfacl $EXTRACT_DIR/fileSecret | grep group:4321:--x || exit_fail + exit_pass -- 1.8.3.1 |
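Review bot: the two new `setfacl` calls are the only setup steps in the hunk without `|| exit_error` (the `chcon` lines just above them have it), so a failed setfacl, e.g. on a filesystem mounted without ACL support, only surfaces later as a misleading `exit_fail` from the getfacl grep. Also, `getfacl` prints the account name instead of the number when uid 1234 or gid 4321 exists on the test machine, which would break `grep user:1234:rwx`; use `getfacl -n` so the output stays numeric, and add `-q` to the greps so the ACL dump does not land in the test log.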
From: Linda K. <lin...@hp...> - 2013-12-05 16:48:10
Jiri Jaburek wrote: > Also make tar use explicit --selinux and --acls. > > The --xattrs is a custom RHEL feature on RHEL5/RHEL6 that backs up > and extracts all xattrs, incl. all namespaces (security, system, > trusted, user). > On RHEL7, the --xattrs comes from upstream version of tar, which > backs up only the user namespace by default. This is just a side question - is this change going to be obvious to RHEL customers who upgrade from RHEL6 to RHEL7? If they're using --xattrs, they're not getting what they used to get. > This can be changed > to RHEL5/RHEL6 behavior using --xattrs-include='*', but this would > not be backwards compatible and - furthermore - is not very correct. > > The fact is that test_tar checks for SELinux contexts using ls -Z, > not *any* generic file contexts. Therefore we want tar to back up > and restore SELinux file contexts, regardless of how they're implemented > internally (ie. using xattrs). It thus makes sense to use explicit > --selinux switch (available on RHEL5/RHEL6/RHEL7). Is --selinux RHEL-specific or also upstream? If someone wants to test ACLs on a non-SELinux distro, they will need to separate this test into 2 tests, one for ACLs and one for file contexts. I only mention this because of Stephan's comment on a previous patch about RPMs. -- ljk > > Signed-off-by: Jiri Jaburek <jja...@re...> > --- > audit-test/misc/tests/test_tar.bash | 21 +++++++++++++++------ > 1 file changed, 15 insertions(+), 6 deletions(-) > > diff --git a/audit-test/misc/tests/test_tar.bash b/audit-test/misc/tests/test_tar.bash > index 8ea8da9..f83b45f 100755 > --- a/audit-test/misc/tests/test_tar.bash > +++ b/audit-test/misc/tests/test_tar.bash 
> @@ -20,13 +20,14 @@ > # FILE : test_tar.bash > # > # TEST DESCRIPTION: Verify that the tar program preserves file security > -# contexts. Pack up files with various contexts using tar, > -# unpack them in another directory, and compare the file > -# contexts using ls -Z. The file contexts should all > -# be preserved. > +# (SELinux) contexts and ACLs. Pack up files with various > +# attributes using tar, unpack them in another directory > +# and compare the file contexts and ACLs. Both the file > +# contexts and ACLs should all be preserved. > # > # HISTORY: 05/2007 created by Lisa Smith <lis...@hp...> > # 08/2011 ported to audit-test by Tony Ernst <te...@sg...> > +# 10/2013 added ACL testing by Jiri Jaburek <jja...@re...> > # > ############################################################################# > source misc_functions.bash || exit 2 > @@ -55,8 +56,12 @@ chcon -t tmp_t -l SystemLow $FILE_DIR/fileLow || exit_fail > chmod 744 $FILE_DIR/fileSecret || exit_fail > chcon -t bin_t -l Secret $FILE_DIR/fileSecret || exit_fail > > +# Add some ACL entries to one of the files > +setfacl -n -m u:1234:rwx $FILE_DIR/fileSecret > +setfacl -n -m g:4321:--x $FILE_DIR/fileSecret > + > # Pack up the files in the test_files directory > -tar cf $TAR_FILE --xattrs -H posix -C $FILE_DIR . > +tar cf $TAR_FILE --selinux --acls -H posix -C $FILE_DIR . > > # Verify the files were successfully packed > if [ $? != 0 ]; then > @@ -64,7 +69,7 @@ if [ $? != 0 ]; then > fi > > # Unpack the files > -tar xvf $TAR_FILE --xattrs -C $EXTRACT_DIR > +tar xvf $TAR_FILE --selinux --acls -C $EXTRACT_DIR > if [ $? != 0 ]; then > exit_error "Error unpacking tar archive" > fi > @@ -77,4 +82,8 @@ if [ $? != 0 ]; then > exit_fail "tar did not preserve correct files and/or security contexts" > fi > > +# Check ACLs > +getfacl $EXTRACT_DIR/fileSecret | grep user:1234:rwx || exit_fail > +getfacl $EXTRACT_DIR/fileSecret | grep group:4321:--x || exit_fail > + > exit_pass |
From: Linda K. <lin...@hp...> - 2013-12-06 15:01:15
Jiri Jaburek wrote: > Hi Linda, > > On 12/05/2013 05:29 PM, Linda Knippers wrote: >> Jiri Jaburek wrote: >>> Also make tar use explicit --selinux and --acls. >>> >>> The --xattrs is a custom RHEL feature on RHEL5/RHEL6 that backs up >>> and extracts all xattrs, incl. all namespaces (security, system, >>> trusted, user). >>> On RHEL7, the --xattrs comes from upstream version of tar, which >>> backs up only the user namespace by default. >> This is just a side question - is this change going to be obvious >> to RHEL customers who upgrade from RHEL6 to RHEL7? If they're using >> --xattrs, they're not getting what they used to get. > > Indeed, we're aware of this. In fact, I was the one who created a bug > regarding this. All I can say for sure is that it's been taken care of > and is not really relevant to this case (since we're not doing usability > testing here). > >>> This can be changed >>> to RHEL5/RHEL6 behavior using --xattrs-include='*', but this would >>> not be backwards compatible and - furthermore - is not very correct. >>> >>> The fact is that test_tar checks for SELinux contexts using ls -Z, >>> not *any* generic file contexts. Therefore we want tar to back up >>> and restore SELinux file contexts, regardless of how they're implemented >>> internally (ie. using xattrs). It thus makes sense to use explicit >>> --selinux switch (available on RHEL5/RHEL6/RHEL7). >> Is --selinux RHEL-specific or also upstream? > > All of --xattrs, --xattrs-*, --selinux and --acls are upstream. See ie. > http://repo.or.cz/w/tar.git/commit/696338043e52f440853e11 > http://repo.or.cz/w/tar.git/commit/d36f5a3cc3280d6c4a5836 > http://repo.or.cz/w/tar.git/commit/085cace1805308589c6211 > as proof. Thanks! >> If someone wants to test ACLs on a non-SELinux distro, they will >> need to separate this test into 2 tests, one for ACLs and one for >> file contexts. I only mention this because of Stephan's comment >> on a previous patch about RPMs. > > Well, they might not need to. 
Tar with --selinux will work fine in all > cases, just the `ls -Z' check will fail, which is indifferent from the > previous "version" of the test. > That is - unless the distro builds GNU tar --without-selinux. > > Non-selinux-enabled distros will have bigger problems anyway as > PPROFILE=lspp kind of needs selinux for more than just one tar test. > (yes, this tar test is lspp-only) Right. I assume that a non-SELinux would only run in CAPP mode, although even in CAPP mode SELinux is optional. In some cases we've used the DISTRO variable to skip them. The misc tests actually run in CAPP and LSPP mode, don't they? > If anything, this patch is moving from rhel-specific tar flags to > distro-independent flags, which is a good thing if one wants to run the > suite on other distros. :) Yes, all a good thing. If another distro wants to pick apart the tests, they can post the patches. :-) Thanks, -- ljk > > Thanks, > Jiri > |
From: Jiri J. <jja...@re...> - 2013-12-09 10:06:55
On 12/06/2013 04:01 PM, Linda Knippers wrote: >> Well, they might not need to. Tar with --selinux will work fine in all >> cases, just the `ls -Z' check will fail, which is indifferent from the >> previous "version" of the test. >> That is - unless the distro builds GNU tar --without-selinux. >> >> Non-selinux-enabled distros will have bigger problems anyway as >> PPROFILE=lspp kind of needs selinux for more than just one tar test. >> (yes, this tar test is lspp-only) > > Right. I assume that a non-SELinux would only run in CAPP mode, > although even in CAPP mode SELinux is optional. In some cases > we've used the DISTRO variable to skip them. > > The misc tests actually run in CAPP and LSPP mode, don't they? > At the bottom of misc/run.conf: if [[ $PPROFILE == lspp ]]; then + tar fi So I believe my implicit assumption of SELinux being available should be fine. If a distro provides SELinux as an optional feature, that distro probably builds tar --with-selinux anyway. Jiri |
From: Linda K. <lin...@hp...> - 2013-12-09 15:38:13
Jiri Jaburek wrote: > On 12/06/2013 04:01 PM, Linda Knippers wrote: >>> Well, they might not need to. Tar with --selinux will work fine in all >>> cases, just the `ls -Z' check will fail, which is indifferent from the >>> previous "version" of the test. >>> That is - unless the distro builds GNU tar --without-selinux. >>> >>> Non-selinux-enabled distros will have bigger problems anyway as >>> PPROFILE=lspp kind of needs selinux for more than just one tar test. >>> (yes, this tar test is lspp-only) >> Right. I assume that a non-SELinux would only run in CAPP mode, >> although even in CAPP mode SELinux is optional. In some cases >> we've used the DISTRO variable to skip them. >> >> The misc tests actually run in CAPP and LSPP mode, don't they? >> > > At the bottom of misc/run.conf: > > if [[ $PPROFILE == lspp ]]; then > + tar > fi Oops, missed that. > So I believe my implicit assumption of SELinux being available > should be fine. If a distro provides SELinux as an optional feature, > that distro probably builds tar --with-selinux anyway. True. Thanks, -- ljk > > Jiri > |
From: Jiri J. <jja...@re...> - 2013-12-06 09:15:24
Hi Linda,

On 12/05/2013 05:29 PM, Linda Knippers wrote:
> Jiri Jaburek wrote:
>> Also make tar use explicit --selinux and --acls.
>>
>> The --xattrs is a custom RHEL feature on RHEL5/RHEL6 that backs up
>> and extracts all xattrs, incl. all namespaces (security, system,
>> trusted, user).
>> On RHEL7, the --xattrs comes from upstream version of tar, which
>> backs up only the user namespace by default.
>
> This is just a side question - is this change going to be obvious
> to RHEL customers who upgrade from RHEL6 to RHEL7? If they're using
> --xattrs, they're not getting what they used to get.

Indeed, we're aware of this. In fact, I was the one who created a bug
regarding this. All I can say for sure is that it's been taken care of
and is not really relevant to this case (since we're not doing usability
testing here).

>
>> This can be changed
>> to RHEL5/RHEL6 behavior using --xattrs-include='*', but this would
>> not be backwards compatible and - furthermore - is not very correct.
>>
>> The fact is that test_tar checks for SELinux contexts using ls -Z,
>> not *any* generic file contexts. Therefore we want tar to back up
>> and restore SELinux file contexts, regardless of how they're implemented
>> internally (ie. using xattrs). It thus makes sense to use explicit
>> --selinux switch (available on RHEL5/RHEL6/RHEL7).
>
> Is --selinux RHEL-specific or also upstream?

All of --xattrs, --xattrs-*, --selinux and --acls are upstream.
See ie.

http://repo.or.cz/w/tar.git/commit/696338043e52f440853e11
http://repo.or.cz/w/tar.git/commit/d36f5a3cc3280d6c4a5836
http://repo.or.cz/w/tar.git/commit/085cace1805308589c6211

as proof.

>
> If someone wants to test ACLs on a non-SELinux distro, they will
> need to separate this test into 2 tests, one for ACLs and one for
> file contexts. I only mention this because of Stephan's comment
> on a previous patch about RPMs.

Well, they might not need to.
Tar with --selinux will work fine in all cases, just the `ls -Z' check
will fail, which is indifferent from the previous "version" of the test.
That is - unless the distro builds GNU tar --without-selinux.

Non-selinux-enabled distros will have bigger problems anyway as
PPROFILE=lspp kind of needs selinux for more than just one tar test.
(yes, this tar test is lspp-only)

If anything, this patch is moving from rhel-specific tar flags to
distro-independent flags, which is a good thing if one wants to run
the suite on other distros. :)

Thanks,
Jiri
|
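The argument in the exchange above rests on tar actually recording the SELinux context inside the archive; test_tar verifies that indirectly with `ls -Z` after extraction, which only works on a host with SELinux labels. A complementary check that works anywhere is to look at the archive itself for the pax extended-header records GNU tar writes for --selinux, --acls and --xattrs. The Python below is an added example, not code from the thread or from the audit-test suite. It assumes the pax key names taken from GNU tar's extended-header table (RHT.security.selinux for --selinux, SCHILY.acl.access and SCHILY.acl.default for --acls, SCHILY.xattr.<name> for --xattrs) match the tar that produced the archive, and the archive it inspects by default is constructed in memory rather than taken from a real system.

```python
"""Inspect a tar archive for the pax records GNU tar writes under
--selinux / --acls / --xattrs.

Added example, not part of the audit-test suite or the mailing-list thread.
Assumptions: the key names below are the ones in GNU tar's extended-header
table; the default input is a constructed in-memory archive, not a real one.
"""
import io
import tarfile

SELINUX_KEY = "RHT.security.selinux"   # written by `tar --selinux`
ACL_PREFIX = "SCHILY.acl."             # SCHILY.acl.access / .default, `tar --acls`
XATTR_PREFIX = "SCHILY.xattr."         # SCHILY.xattr.<namespace>.<name>, `tar --xattrs`


def inspect_member(info):
    """Summarise the security metadata recorded for one archive member."""
    ph = info.pax_headers
    return {
        "name": info.name,
        "selinux": ph.get(SELINUX_KEY),
        "acls": {k[len(ACL_PREFIX):]: v for k, v in ph.items() if k.startswith(ACL_PREFIX)},
        "xattrs": {k[len(XATTR_PREFIX):]: v for k, v in ph.items() if k.startswith(XATTR_PREFIX)},
    }


def inspect_archive(fileobj):
    """Return one summary per archive member, in archive order.

    Python's tarfile folds each pax extended header into the member that
    follows it, so custom keys show up in TarInfo.pax_headers.
    """
    with tarfile.open(fileobj=fileobj, mode="r:*") as tf:
        return [inspect_member(m) for m in tf.getmembers()]


def members_without_context(report):
    """Names of members with no SELinux context recorded; for these the
    `ls -Z` comparison after extraction would fail however tar was built."""
    return [r["name"] for r in report if not r["selinux"]]


def build_sample_archive():
    """Constructed sample: one member carrying a context, an ACL and a user
    xattr, and one bare member, written in PAX format like GNU tar does."""
    buf = io.BytesIO()
    data = b"constructed sample\n"
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        full = tarfile.TarInfo("etc/testfile")
        full.size = len(data)
        full.pax_headers = {
            SELINUX_KEY: "system_u:object_r:etc_t:s0",
            ACL_PREFIX + "access": "user::rw-,user:1001:r--,group::r--,mask::r--,other::r--",
            XATTR_PREFIX + "user.comment": "constructed",
        }
        tf.addfile(full, io.BytesIO(data))
        bare = tarfile.TarInfo("etc/plain")
        bare.size = len(data)
        tf.addfile(bare, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    # Pass a real archive path to inspect it; otherwise use the constructed sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample_archive()
    report = inspect_archive(src)
    for r in report:
        print(f"{r['name']}: selinux={r['selinux']} "
              f"acls={sorted(r['acls'])} xattrs={sorted(r['xattrs'])}")
    missing = members_without_context(report)
    if missing:
        print("no SELinux context recorded for:", ", ".join(missing))
```

Against an archive produced with `tar --selinux --acls --xattrs -cf`, any member listed by `members_without_context` is one the `ls -Z` check in test_tar could never pass, which separates "tar was built --without-selinux" from "extraction lost the label".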
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:02
|
From: Miroslav Vadkerti <mva...@re...> On some machines using run_init in capp profile can cause the sshd service startup failure. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/utils/tp_ssh_functions.bash | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/audit-test/utils/tp_ssh_functions.bash b/audit-test/utils/tp_ssh_functions.bash index bcbc885..4b8280d 100644 --- a/audit-test/utils/tp_ssh_functions.bash +++ b/audit-test/utils/tp_ssh_functions.bash @@ -33,13 +33,17 @@ TIMEOUT=600 # Restart ssh daemon function ssh_restart_daemon { - expect -c " + if [ $PPROFILE = lspp ]; then + expect -c " set timeout $TIMEOUT spawn run_init service sshd restart expect { -nocase {password:} {send \"$PASSWD\r\"; exp_continue} eof }" + else + service sshd restart + fi } # Remove SSH_USE_STRONG_RNG from environment -- 1.8.3.1 |
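Review bot: `if [ $PPROFILE = lspp ]` in ssh_restart_daemon leaves $PPROFILE unquoted, so when the variable is unset the test becomes `[ = lspp ]`, which `[` rejects with a "unary operator expected" error and the function falls into the else branch by accident rather than by decision. The rest of the suite uses `[[ $PPROFILE == lspp ]]` (misc/run.conf, quoted earlier in this thread); the same form here, or `"$PPROFILE"`, avoids it. Also worth a look: the new `service sshd restart` branch discards the restart's exit status just as the expect branch always has, so a caller that assumes sshd is listening again after this function has no way to notice a failed restart; a `|| return $?` there costs nothing.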
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:06
|
From: Miroslav Vadkerti <mva...@re...> This patch enhances the semanage_chglvl and semanage_role_remove tests to detect the default roles for a SELinux user from the system. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/trustedprograms/tests/test_semanage_chglvl.bash | 7 ++++++- .../trustedprograms/tests/test_semanage_role_remove.bash | 10 +++++++--- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/audit-test/trustedprograms/tests/test_semanage_chglvl.bash b/audit-test/trustedprograms/tests/test_semanage_chglvl.bash index dc36b1c..2c1a10b 100755 --- a/audit-test/trustedprograms/tests/test_semanage_chglvl.bash +++ b/audit-test/trustedprograms/tests/test_semanage_chglvl.bash @@ -37,7 +37,12 @@ if [ $? -ne 0 ]; then exit_error "semange returned an error" fi -msg_1="op=login-range acct=\"$user\" old-seuser=$seuser old-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r old-range=s0-s15:c0.c1023 new-seuser=$seuser new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$range exe=/usr/sbin/semanage.*res=success.*" +# find out the default roles for $seuser role +role=$(semanage user -l | awk "/$seuser/ {for(i=5; i<NF; i++) { printf \"%s,\", \$i } printf \"%s\", \$NF}") +[ -z "$role" ] && exit_error "Cannot determine $seuser role(s)" + +# check for correct ROLE_ASSIGN audit record +msg_1="op=login-range acct=\"$user\" old-seuser=$seuser old-role=$role old-range=s0-s15:c0.c1023 new-seuser=$seuser new-role=$role new-range=$range exe=/usr/sbin/semanage.*res=success.*" augrok -q type=ROLE_ASSIGN auid=$auid msg_1=~"$msg_1" \ || exit_fail "ROLE_ASSIGN event missing: \"$msg_1\"" diff --git a/audit-test/trustedprograms/tests/test_semanage_role_remove.bash b/audit-test/trustedprograms/tests/test_semanage_role_remove.bash index 19817a1..030bfd1 100755 --- a/audit-test/trustedprograms/tests/test_semanage_role_remove.bash +++ b/audit-test/trustedprograms/tests/test_semanage_role_remove.bash 
@@ -49,14 +49,18 @@ if [ $? -eq 0 ]; then exit_fail "semange login -l still shows SELinux login record" fi -# check for ROLE_ASSIGN audit record -msg_1="op=login-sename,role,range acct=\"$user\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range exe=/usr/sbin/semanage.*res=success.*" +# find out the default roles for $seuser role +role=$(semanage user -l | awk "/$seuser/ {for(i=5; i<NF; i++) { printf \"%s,\", \$i } printf \"%s\", \$NF}") +[ -z "$role" ] && exit_error "Cannot determine $seuser roles" + +# check for correct ROLE_ASSIGN audit record +msg_1="op=login-sename,role,range acct=\"$user\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=$role new-range=$def_range exe=/usr/sbin/semanage.*res=success.*" augrok -q type=ROLE_ASSIGN auid=$auid msg_1=~"$msg_1" \ || exit_fail "ROLE_ASSIGN event missing: \"$msg_1\"" # check for ROLE_REMOVE audit record -msg_1="op=login acct=\"$user\" old-seuser=$seuser old-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r old-range=$def_range new-seuser=user_u new-role=user_r new-range=s0 exe=/usr/sbin/semanage.*res=success.*" +msg_1="op=login acct=\"$user\" old-seuser=$seuser old-role=$role old-range=$def_range new-seuser=user_u new-role=user_r new-range=s0 exe=/usr/sbin/semanage.*res=success.*" augrok -q type=ROLE_REMOVE auid=$auid msg_1=~"$msg_1" \ || exit_fail "ROLE_REMOVE event missing: \"$msg_1\"" -- 1.8.3.1 |
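Review bot: in the test_semanage_chglvl.bash hunk the awk filter `/$seuser/` is an unanchored substring match over the whole `semanage user -l` line, so a value such as `user_u` also matches any other record whose SELinux user name or roles column happens to contain it, and when more than one line matches the roles of every matching record are concatenated into $role with no error. Match on the first field instead, e.g. `$1 == "$seuser"`, and the `-z "$role"` guard then covers the only remaining failure (no such user). The start column `i=5` also bakes in the RHEL6 `semanage user -l` layout (SELinux User, Prefix, MLS/MCS Level, MLS/MCS Range, then roles); a one-line comment naming that layout will help whoever first runs this on a distro whose output differs.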
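Review bot: the role-detection awk line in test_semanage_role_remove.bash is duplicated verbatim from test_semanage_chglvl.bash; please pull it into a helper in utils/functions.bash (a hypothetical `get_seuser_roles`) so both tests, and the next one that needs it, share one definition and one fix. Within this hunk the ROLE_ASSIGN expectation also mixes the discovered `$role` with a hardcoded `new-seuser=staff_u`, while the ROLE_REMOVE expectation just below uses `old-seuser=$seuser`; if $seuser is ever anything other than staff_u the first pattern silently diverges from the second, so use `$seuser` in both.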
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:08
|
Use restorecon directly instead of wrapping it with fixfiles. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/utils/selinux-policy/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audit-test/utils/selinux-policy/Makefile b/audit-test/utils/selinux-policy/Makefile index d966c46..c6969eb 100644 --- a/audit-test/utils/selinux-policy/Makefile +++ b/audit-test/utils/selinux-policy/Makefile @@ -78,7 +78,7 @@ verify: echo "not installed"; \ fi; @echo -n " Number of LSPP test files labeled incorrectly: "; \ - fixfiles -l /dev/stdout check $(TEST_BASEDIR) | wc -l; + restorecon -rvn $(TEST_BASEDIR) | wc -l; # During this install a role is added to an SELinux user which we use # as a positive test of semanage. If this did not work correctly the -- 1.8.3.1 |
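Review bot: `restorecon -rvn $(TEST_BASEDIR) | wc -l` reports the exit status of wc, so if restorecon is missing, refuses to run (no policy loaded) or cannot read TEST_BASEDIR, the verify target prints "0" incorrectly labeled files and carries on as if the check passed; the fixfiles pipeline it replaces had the same weakness. Since this is the `verify` target, consider `set -o pipefail;` at the start of the recipe if SHELL is bash, or capture restorecon's output into a variable and test its status before counting. The count also relies on `-v` printing exactly one line per file that would change, so a comment saying that is what is being counted would keep a future `-p` from silently breaking it.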
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:12
|
Signed-off-by: Jiri Jaburek <jja...@re...> --- ltp/Makefile | 59 ++++++++++++++++++++++++++++++++++------------------------- 1 file changed, 34 insertions(+), 25 deletions(-) diff --git a/ltp/Makefile b/ltp/Makefile index 278be2b..d4fda67 100644 --- a/ltp/Makefile +++ b/ltp/Makefile @@ -30,17 +30,11 @@ TOPDIR = . include $(TOPDIR)/rules.mk -RUN_LOG = run.log -ROLLUP_LOG = rollup.log - LTP_BASE = ltp-full LTP_BASE_PATH = $(CURDIR)/$(LTP_BASE) PATCH_DIR = $(CURDIR)/patch MDIR = $(CURDIR) -LTP_ROLLUP_LOG = .rollup.log -LTP_RUN_LOG = .run.log - LTP_FULL = ltp-full.tar.bz2 LTP_SOURCE = http://sourceforge.net/projects/ltp/files/LTP%20Source/ltp-20110915/ltp-full-20110915.bz2/download @@ -89,11 +83,15 @@ clean:: echo "Makefile: clean" # remove installed ltp rm -rf /opt/ltp - # remove all logs, downloaded and created files/dirs - rm -f cc_ospp$(LTP_ROLLUP_LOG) cc_ospp$(LTP_RUN_LOG) - rm -f syscalls$(LTP_ROLLUP_LOG) syscalls$(LTP_RUN_LOG) - rm -f mnt_syscalls$(LTP_ROLLUP_LOG) mnt_syscalls$(LTP_RUN_LOG) - rm -f $(LTP_FULL) $(RUN_LOG) $(ROLLUP_LOG) + # remove logs + for logtype in rollup run; do \ + for testset in syscalls cc_ospp mnt_syscalls; do \ + rm -f "$$testset.$$logtype.log"; \ + done; \ + done; \ + rm -f ltp.rollup.log ltp.run.log + # remove downloaded and created files/dirs + rm -f $(LTP_FULL) rm -rf $(LTP_BASE) download:: 
@@ -113,28 +111,39 @@ runtests:: sysctl kernel.msgmni=700 # run tests echo "Running syscalls tests" - /opt/ltp/testscripts/syscalls.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/syscalls$(LTP_ROLLUP_LOG) 2>&1 | tee syscalls$(LTP_RUN_LOG) + /opt/ltp/testscripts/syscalls.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/syscalls.rollup.log 2>&1 | tee syscalls.run.log echo "Running cc_ospp tests" - /opt/ltp/testscripts/cc_ospp.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/cc_ospp$(LTP_ROLLUP_LOG) 2>&1 | tee cc_ospp$(LTP_RUN_LOG) + /opt/ltp/testscripts/cc_ospp.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/cc_ospp.rollup.log 2>&1 | tee cc_ospp.run.log echo "Running mnt_syscalls tests" - /opt/ltp/testscripts/mnt_syscalls.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/mnt_syscalls$(LTP_ROLLUP_LOG) 2>&1 | tee mnt_syscalls$(LTP_RUN_LOG) + /opt/ltp/testscripts/mnt_syscalls.sh -p -d ${LTP_TMPDIR} -l $(MDIR)/mnt_syscalls.rollup.log 2>&1 | tee mnt_syscalls.run.log # cleanup setsebool allow_execmem=$(ORIG_BOOL) sysctl kernel.msgmni=$(ORIG_KPARAM) report:: echo "Makefile: report" - # create rollup.log - echo "TESTS PASSED = "$$(grep PASS cc_ospp$(LTP_ROLLUP_LOG) syscalls$(LTP_ROLLUP_LOG) mnt_syscalls$(LTP_ROLLUP_LOG) 2>&1 | wc -l) > $(ROLLUP_LOG) - echo " FAILED =" $$(grep FAIL cc_ospp$(LTP_ROLLUP_LOG) syscalls$(LTP_ROLLUP_LOG) mnt_syscalls$(LTP_ROLLUP_LOG) 2>&1 | wc -l) >> $(ROLLUP_LOG) - echo >> $(ROLLUP_LOG) - if [ "x$$(grep FAIL cc_ospp$(LTP_ROLLUP_LOG) syscalls$(LTP_ROLLUP_LOG) mnt_syscalls$(LTP_ROLLUP_LOG) 2>&1 | wc -l)" != "x0" ]; then \ - echo "Failed tests:" >> $(ROLLUP_LOG); \ - echo "-------------" >> $(ROLLUP_LOG); \ - grep -H "\WFAIL\W" cc_ospp$(LTP_ROLLUP_LOG) syscalls$(LTP_ROLLUP_LOG) mnt_syscalls$(LTP_ROLLUP_LOG) >> $(ROLLUP_LOG); \ - fi - # create run.log - cat cc_ospp$(LTP_RUN_LOG) syscalls$(LTP_RUN_LOG) mnt_syscalls$(LTP_RUN_LOG) > $(RUN_LOG) + @for logtype in rollup run; do \ + for testset in syscalls cc_ospp mnt_syscalls; do \ + echo "::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"; \ + printf "::: %-52s 
:::\n" "$$testset"; \ + echo "::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"; \ + echo; \ + if [ -f "$$testset.$$logtype.log" ]; then cat "$$testset.$$logtype.log"; fi; \ + echo; \ + done &> ltp.$$logtype.log; \ + done; \ + { \ + echo "Summary:"; \ + echo "--------"; \ + echo; \ + echo "TESTS PASSED = $$(sort -u < ltp.rollup.log | grep -c ' PASS ')"; \ + echo " FAILED = $$(sort -u < ltp.rollup.log | grep -c ' FAIL ')"; \ + echo; \ + echo "Failed tests:"; \ + echo "-------------"; \ + cat ltp.rollup.log | grep ' FAIL '; \ + } 2>&1 >> ltp.rollup.log; \ + exit 0 dist: rev=$$(git log | head -n 1| awk '/^commit/{print $$2}' | cut -b 1-6 ) && \ -- 1.8.3.1 |
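Review bot: in the `report` recipe the summary block ends with `} 2>&1 >> ltp.rollup.log`; redirections apply left to right, so this sends stderr to the recipe's original stdout and only stdout into the log. If the intent is to capture sort/grep errors alongside the summary it has to be `>> ltp.rollup.log 2>&1`; if the intent is to keep errors on the terminal, a comment saying so would stop the next reader from "fixing" it. Two smaller points in the same block: `sort -u` before `grep -c` collapses byte-identical result lines, so two test cases that produce the same PASS or FAIL line count as one, and the trailing `exit 0` masks every failure in the loop, so a missing per-testset log still reports a clean run. The `&> ltp.$$logtype.log` on the inner `done` is a bashism and is only safe if rules.mk sets SHELL to bash.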
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:16
|
This piece of code never actually worked as the "for" loop after it always rewrites the file(s). After recent changes, which incorporate the header into rollup logs of every bucket, this line shouldn't be needed at all. Signed-off-by: Jiri Jaburek <jja...@re...> --- audit-test/Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/audit-test/Makefile b/audit-test/Makefile index c13b504..e596cc1 100644 --- a/audit-test/Makefile +++ b/audit-test/Makefile @@ -94,7 +94,6 @@ report: @# tty output has color, generated logs don't, so collect them @# instead of redirecting output of the above loop. @for l in run rollup; do \ - ( utils/run.bash --header; echo ) &> audit.$$l.log; \ for x in $(RUN_DIRS); do \ echo; \ echo "::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::"; \ -- 1.8.3.1 |
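Review bot: with the `( utils/run.bash --header; echo ) &> audit.$$l.log;` line removed, nothing visible in this hunk truncates audit.$$l.log before the `for x in $(RUN_DIRS)` loop fills it. The commit message says the loop "always rewrites the file(s)", which implies its own redirection is `>` rather than `>>`; please confirm that, since otherwise a second `make report` appends to the previous run's log, and consider a short comment at the loop's redirection so the truncation point is obvious now that the old line is gone.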
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:20
|
From: Miroslav Vadkerti <mva...@re...> Replace hardcoded audit.log location with already defined audit_log variable. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/utils/functions.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audit-test/utils/functions.bash b/audit-test/utils/functions.bash index fece1a6..9ee8ebd 100644 --- a/audit-test/utils/functions.bash +++ b/audit-test/utils/functions.bash @@ -270,7 +270,7 @@ function restart_auditd { function rotate_audit_logs { declare tmp num_logs - if [[ -f /var/log/audit/audit.log ]]; then + if [[ -f "$audit_log" ]]; then pushd /var/log/audit >/dev/null tmp=$(mktemp $PWD/rotating.XXXXXX) || return 2 ln -f audit.log "$tmp" || return 2 -- 1.8.3.1 |
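Review bot: only the existence test moved to `$audit_log`; the lines right below it still `pushd /var/log/audit` and `ln -f audit.log "$tmp"`, so when audit_log points anywhere other than /var/log/audit/audit.log the function checks one file and rotates another. Derive both from the variable, e.g. `pushd "$(dirname "$audit_log")"` and `ln -f "$(basename "$audit_log")" "$tmp"`, or keep the hardcoded path everywhere and add a comment that rotation assumes the default location.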
From: Jiri J. <jja...@re...> - 2013-12-04 14:29:23
|
From: Miroslav Vadkerti <mva...@re...> According to Red Hat SELinux developers a new domain unconfined_execmem_t is allowed to transition to svirt_t domain. Signed-off-by: Miroslav Vadkerti <mva...@re...> --- audit-test/kvm/test_selinux_trans_to_svirt.bash | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/audit-test/kvm/test_selinux_trans_to_svirt.bash b/audit-test/kvm/test_selinux_trans_to_svirt.bash index 45c9805..646797a 100755 --- a/audit-test/kvm/test_selinux_trans_to_svirt.bash +++ b/audit-test/kvm/test_selinux_trans_to_svirt.bash @@ -38,8 +38,8 @@ if [[ $allowed_count -eq 0 ]]; then fi for type in $allowed; do - if [[ ! "$type" =~ unconfined_t|virtd_t ]]; then - exit_fail + if [[ ! "$type" =~ unconfined_t|unconfined_execmem_t|virtd_t ]]; then + exit_fail "$type is not allowed to transition to svirt_t" fi done -- 1.8.3.1 |
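Review bot: `[[ ! "$type" =~ unconfined_t|unconfined_execmem_t|virtd_t ]]` is an unanchored regex, so any domain whose name merely contains one of those strings (a hypothetical `foo_virtd_t`, say) is accepted, which weakens an allowlist whose whole purpose is to fail on unexpected domains. Anchor it as `^(unconfined_t|unconfined_execmem_t|virtd_t)$` so only the three exact names pass. Since the commit message cites Red Hat SELinux developers as the source for the new domain, a comment above the list saying where the expected set comes from will help when the next one is added. The new failure message with the offending type is a clear improvement over the bare `exit_fail`.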
From: Linda K. <lin...@hp...> - 2013-12-05 16:32:55
|
Jiri Jaburek wrote:
> Hi,
> no big breakthroughs this time, just misc fixes all around the place:
>
> 2.4% audit-test/kvm/
> 12.6% audit-test/misc/tests/
> 3.0% audit-test/network/system/
> 19.7% audit-test/trustedprograms/tests/
> 1.2% audit-test/utils/selinux-policy/
> 22.4% audit-test/utils/
> 6.6% audit-test/
> 31.7% ltp/
>
> There are some run.bash related fixes for the log merging functionality
> (which was included recently), envcheck improvements, (hopefully) final
> solution to the tar --xattrs problem discussed in one of earlier patch
> series, audit-like ltp.run.log / ltp.rollup.log LTP logs, ...
>
> All in all, a peaceful patch series, just in time for December.
>
> The changes are RHEL6 compatible, tested on various RHEL6.y releases
> and streams by Miroslav Vadkerti.

Thanks very much. I had a few comments but the patches look good to me.
Miroslav, please push them.

Thanks to you both,
-- ljk

> Please see commit messages of respective patches for more information,
> the patches are attached via In-Reply-To/References to this mail.
>
> Thanks,
> Jiri
>
> _______________________________________________
> Audit-test-developer mailing list
> Aud...@li...
> https://lists.sourceforge.net/lists/listinfo/audit-test-developer
|