From: Ramon de C. V. <rc...@li...> - 2011-06-07 16:33:54
On 06/07/2011 12:56 PM, Linda Knippers wrote:
> Ramon de Carvalho Valle wrote:
> On 06/06/2011 07:51 PM, Linda Knippers wrote:
>>>> rc...@li... wrote:
>>>>> From: Ramon de Carvalho Valle <rc...@br...>
>>>>>
>>>>> Signed-off-by: Ramon de Carvalho Valle <rc...@br...>
>>>>> ---
>>>>> audit/kvm/test_selinux_chcon_resource.bash | 68 ++++++++++++++++++++++++++++
>>>>> 1 files changed, 68 insertions(+), 0 deletions(-)
>>>>> create mode 100755 audit/kvm/test_selinux_chcon_resource.bash
>>>>>
>>>>> diff --git a/audit/kvm/test_selinux_chcon_resource.bash b/audit/kvm/test_selinux_chcon_resource.bash
>>>>> new file mode 100755
>>>>> index 0000000..395ec3f
>>>>> --- /dev/null
>>>>> +++ b/audit/kvm/test_selinux_chcon_resource.bash
>>>>> @@ -0,0 +1,68 @@
>>>>> +#!/usr/bin/env bash
>>>>> +#
>>>>> +# Copyright 2010, 2011 International Business Machines Corp.
>>>>> +# Copyright 2010, 2011 Ramon de Carvalho Valle
>>>>> +#
>>>>> +# This program is free software: you can redistribute it and/or modify
>>>>> +# it under the terms of the GNU General Public License as published by
>>>>> +# the Free Software Foundation, either version 2 of the License, or
>>>>> +# (at your option) any later version.
>>>>> +#
>>>>> +# This program is distributed in the hope that it will be useful,
>>>>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>>>>> +# GNU General Public License for more details.
>>>>> +#
>>>>> +# You should have received a copy of the GNU General Public License
>>>>> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
>>>>> +#
>>>>> +
>>>>> +# test_selinux_chcon_resource.bash
>>>>> +#
>>>>> +# Assert only superuser is allowed to change virtual machine resource
>>>>> +# category labels.
>>>>> +
>>>>> +
>>>>> +source testcase.bash || exit 2
>>>>> +
>>>>> +set -x
>>>>> +
>>>>> +userdel -fr testuser1
>>>>> +groupdel testuser1
>>>>> +useradd testuser1 -G libvirt
>>>> append_cleanup?
> No harm. Next revision.
>
>>>>> +
>>>>> +if [[ $? -ne 0 ]]; then
>>>>> + exit_error
>>>>> +fi
>>>>> +
>>>>> +userdel -fr testuser2
>>>>> +groupdel testuser2
>>>>> +useradd testuser2
>>>> Append_cleanup?
> No harm. Next revision.
>
>>>>> +
>>>>> +if [[ $? -ne 0 ]]; then
>>>>> + exit_error
>>>>> +fi
>>>>> +
>>>>> +for i in $(seq $first $last); do
>>>>> + eval "runcon -t svirt_t -- chcon -l s0:c1,c3 \$kvm_guest_${i}_resource"
>>>>> +
>>>>> + if [[ $? -eq 0 ]]; then
>>>>> + exit_fail
>>>>> + fi
>>>>> +
>>>>> + eval "/bin/su - testuser1 -c \"chcon -l s0:c1,c3 \$kvm_guest_${i}_resource\""
>>>> Would testuser1 be able to do it if you had the same 'runcon -t svirt_t' command?
>>>> Is it the DAC check that's preventing it from working or the type enforcement check?
> The svirt_t type is not supposed to be allowed to change the security
> attributes of the virtual machine resources.
>
>>>>> +
>>>>> + if [[ $? -eq 0 ]]; then
>>>>> + exit_fail
>>>>> + fi
>>>>> +
>>>>> + eval "/bin/su - testuser2 -c \"chcon -l s0:c1,c3 \$kvm_guest_${i}_resource\""
>>>>> +
>>>>> + if [[ $? -eq 0 ]]; then
>>>>> + exit_fail
>>>>> + fi
>>>> If only root should be able to perform the operation and you're testing as
>>>> root, testuser1, and testuser2, shouldn't the result be different in the root
>>>> case? It looks like you're checking for the same status or am I missing
>>>> something?
> Notice the runcon -t svirt_t in the superuser case.
>
>> Yeah, I saw that (notice I asked about it above). However, your test
>> assertion doesn't make any statements about svirt_t so I'm not sure why
>> it's here.

The svirt_t type is the type virtual machine environments execute with; it should not be allowed to change the security attributes of virtual machine resources even if it has superuser privileges.

>
>> I think what I'm struggling with here is that it's not obvious which
>> operations ought to succeed and which should fail. A few comments
>> would go a long way.
>
>
>>>> Do we care that any of this is audited?
>
>> I'll ask again. In general, access decisions are auditable events
>> so does Stephan care about any of this?

This is not an Audit test. Audit test cases should be in separate test cases with this specific purpose.

>
>
>>>>
>>>>> +done
>>>>> +
>>>>> +exit_pass
>>>>> +
>>>>> +# vim: set noet sw=8 ts=8 tw=0:
>

--
Ramon de Carvalho Valle
Security Engineer
IBM Linux Technology Center
rc...@li...
http://rcvalle.com/
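Review bot: the three checks in the loop (`if [[ $? -eq 0 ]]; then exit_fail`) only prove that chcon returned non-zero, so the test also reaches exit_pass when the access decision was never exercised: an empty range from `seq $first $last` (neither variable is set in this file, so it relies on testcase.bash), an unset `kvm_guest_${i}_resource`, or `/bin/su - testuser1` failing to start the login shell all look identical to a denied relabel. Record the resource's label before each attempt and assert afterwards that it is unchanged (or match the permission-denied message), and add the positive control the header comment implies, a plain root chcon that must succeed, so the test separates "denied" from "broken". A one-line comment above each case stating the expected mechanism (svirt_t type enforcement for the runcon case, DAC for testuser1 and testuser2) would also answer the readability point raised in review, and the testuser1/testuser2 accounts still need append_cleanup as already agreed.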