From: Ramon de C. V. <rc...@li...> - 2011-06-07 17:12:06
On 06/07/2011 02:03 PM, Linda Knippers wrote:
> Ramon de Carvalho Valle wrote:
> On 06/07/2011 01:02 PM, Linda Knippers wrote:
>>>> Ramon de Carvalho Valle wrote:
>>>> On 06/06/2011 07:57 PM, Linda Knippers wrote:
>>>>>>> rc...@li... wrote:
>>>>>>>> From: Ramon de Carvalho Valle <rc...@br...>
>>>>>>>>
>>>>>>>> Signed-off-by: Ramon de Carvalho Valle <rc...@br...>
>>>>>>>> ---
>>>>>>>> audit/kvm/test_selinux_trans_from_qemu.bash | 48 +++++++++++++++++++++++++++
>>>>>>>> 1 files changed, 48 insertions(+), 0 deletions(-)
>>>>>>>> create mode 100755 audit/kvm/test_selinux_trans_from_qemu.bash
>>>>>>>>
>>>>>>>> diff --git a/audit/kvm/test_selinux_trans_from_qemu.bash b/audit/kvm/test_selinux_trans_from_qemu.bash
>>>>>>>> new file mode 100755
>>>>>>>> index 0000000..fc2ba75
>>>>>>>> --- /dev/null
>>>>>>>> +++ b/audit/kvm/test_selinux_trans_from_qemu.bash
>>>>>>>> @@ -0,0 +1,48 @@
>>>>>>>> +#!/usr/bin/env bash
>>>>>>>> +#
>>>>>>>> +# Copyright 2010, 2011 International Business Machines Corp.
>>>>>>>> +# Copyright 2010, 2011 Ramon de Carvalho Valle
>>>>>>>> +#
>>>>>>>> +# This program is free software: you can redistribute it and/or modify
>>>>>>>> +# it under the terms of the GNU General Public License as published by
>>>>>>>> +# the Free Software Foundation, either version 2 of the License, or
>>>>>>>> +# (at your option) any later version.
>>>>>>>> +#
>>>>>>>> +# This program is distributed in the hope that it will be useful,
>>>>>>>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
>>>>>>>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>>>>>>>> +# GNU General Public License for more details.
>>>>>>>> +#
>>>>>>>> +# You should have received a copy of the GNU General Public License
>>>>>>>> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
>>>>>>>> +#
>>>>>>>> +
>>>>>>>> +# test_selinux_trans_from_qemu.bash
>>>>>>>> +#
>>>>>>>> +# Assert processes executing with qemu_t SELinux type are allowed to
>>>>>>>> +# transition to smbd_t, ptchown_t, and abrt_helper_t only.
>>>>>>> This seems like an unmaintainable test since next week there could be some
>>>>>>> other good reason to allow qemu_t to be able to transition to some other
>>>>>>> domain. What's special about these 3? What is this test really trying to
>>>>>>> accomplish? Even as a policy test, it's only testing that the policy says
>>>>>>> something shouldn't be allowed. It's not actually testing that the policy
>>>>>>> is enforced correctly.
>>>> This also already was extensively discussed in the Common Criteria
>>>> mailing list.
>>>>
>>>>> That doesn't help the poor slob trying to run this test case on RHEL6.4
>>>>> or RHEL7. This test case will break as soon as there's a 4th type that
>>>>> someone decides qemu_t needs to transition to. And what's special about
>>>>> these 3 types? Why are these ok?
> I think there is a misunderstanding from both parts. All test cases
> being discussed since then (the KVM Audit Test) were written to certify
> the KVM hypervisor on both Red Hat Enterprise Linux 5 and Red Hat
> Enterprise Linux 6 under Common Criteria at Evaluation Assurance Level
> (EAL) 4+ and only.
>
>> I believe that the expectation is that these test cases will be reused
>> in the future. Parts of this test suite go back to RHEL3 and were written
>> by IBM. We have used them on RHEL3, RHEL4, RHEL5 and now RHEL6. They've
>> been used by multiple vendors, including SGI and Dell, for subsequent
>> evaluations.

For the last couple of weeks, haven't you been making a lot of changes to the Audit Test Project just to make it work on RHEL 6?

>
>> Unless Red Hat stops producing new releases or the vendors stop caring about
>> common criteria certifications, I'm quite certain that someone will want
>> to run these tests in a future release. In the past, HP has run these
>> tests as regression tests on each update. If I were Red Hat, I'd want to
>> do the same.
>
>> The tests need to be maintainable, not disposable.

Do you have any suggestions of how to make this test case maintainable?

>
>>>> Furthermore, this is a policy test, not a policy
>>>> enforcement test. Policy enforcement tests can be done in separate test
>>>> cases if needed or in regular SELinux tests.
>>>>
>>>>> Your test assertion makes it sound like an enforcement test case.
>>>>> We have some general policy enforcement tests so maybe those are
>>>>> sufficient, but I think your assertion is unclear.
> I don't agree.
>
>> If a reasonably competent person can't read what you wrote and understand what
>> you meant, that is unclear by definition. Of course it's clear to you,
>> since you wrote it!
>
>> Your test assertion doesn't have the word "policy" in it so how is one to understand
>> that it is a policy test, not a policy enforcement test?
If he can't figure out what it does just by reading the assertion and looking at those few lines of code, he shouldn't be executing it at all.

>
>> -- ljk
>
>
>>>>
>>>>>>> -- ljk
>>>>>>>
>>>>>>>> +
>>>>>>>> +
>>>>>>>> +source testcase.bash || exit 2
>>>>>>>> +
>>>>>>>> +set -x
>>>>>>>> +
>>>>>>>> +allowed=$(sesearch -s qemu_t -c process -p transition --allow)
>>>>>>>> +allowed=$(echo "$allowed" | grep -E "^.*allow")
>>>>>>>> +allowed=$(echo "$allowed" | awk '{ print $3 }')
>>>>>>>> +allowed=$(echo "$allowed" | sed "/lspp_harness_t/d")
>>>>>>>> +allowed_count=$(echo "$allowed" | wc -l)
>>>>>>>> +
>>>>>>>> +if [[ $allowed_count -eq 0 ]]; then
>>>>>>>> + exit_fail
>>>>>>>> +fi
>>>>>>>> +
>>>>>>>> +for type in $allowed; do
>>>>>>>> + if [[ ! "$type" =~ smbd_t|ptchown_t|abrt_helper_t ]]; then
>>>>>>>> + exit_fail
>>>>>>>> + fi
>>>>>>>> +done
>>>>>>>> +
>>>>>>>> +exit_pass
>>>>>>>> +
>>>>>>>> +# vim: set noet sw=8 ts=8 tw=0:
>
>>

-- 
Ramon de Carvalho Valle
Security Engineer
IBM Linux Technology Center
rc...@li...
http://rcvalle.com/
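Review bot: the empty-result guard in this hunk can never fire: `echo "$allowed" | wc -l` prints 1 even when `$allowed` is empty, so `[[ $allowed_count -eq 0 ]]` is always false, and a run where `sesearch` returns nothing (tool not installed, or a policy that grants qemu_t no process transitions at all) skips the loop and reaches `exit_pass`. Test the string itself, e.g. `if [[ -z "$allowed" ]]; then exit_fail; fi`, and drop `allowed_count`. Two smaller points in the same hunk: the pattern in `[[ ! "$type" =~ smbd_t|ptchown_t|abrt_helper_t ]]` is unanchored, so any target type whose name merely contains one of those strings passes the check; anchor it as `^(smbd_t|ptchown_t|abrt_helper_t)$`. And, given the maintainability concern raised in the thread, keeping the three expected types in one variable at the top of the file, beside the assertion comment, means the list and the comment get updated together when the policy changes; the `awk '{ print $3 }'` field selection also deserves a comment stating the `sesearch` output format it assumes, since that is the line that breaks first when the tool's output changes between releases.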