From: Jiri J. <jja...@re...> - 2013-12-04 14:29:06
From: Miroslav Vadkerti <mva...@re...>
This patch enhances the semanage_chglvl and semanage_role_remove
tests to detect the default roles for a SELinux user from the system.
Signed-off-by: Miroslav Vadkerti <mva...@re...>
---
audit-test/trustedprograms/tests/test_semanage_chglvl.bash | 7 ++++++-
.../trustedprograms/tests/test_semanage_role_remove.bash | 10 +++++++---
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/audit-test/trustedprograms/tests/test_semanage_chglvl.bash b/audit-test/trustedprograms/tests/test_semanage_chglvl.bash
index dc36b1c..2c1a10b 100755
--- a/audit-test/trustedprograms/tests/test_semanage_chglvl.bash
+++ b/audit-test/trustedprograms/tests/test_semanage_chglvl.bash
@@ -37,7 +37,12 @@ if [ $? -ne 0 ]; then
exit_error "semange returned an error"
fi
-msg_1="op=login-range acct=\"$user\" old-seuser=$seuser old-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r old-range=s0-s15:c0.c1023 new-seuser=$seuser new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$range exe=/usr/sbin/semanage.*res=success.*"
+# find out the default roles for $seuser role
+role=$(semanage user -l | awk "/$seuser/ {for(i=5; i<NF; i++) { printf \"%s,\", \$i } printf \"%s\", \$NF}")
+[ -z "$role" ] && exit_error "Cannot determine $seuser role(s)"
+
+# check for correct ROLE_ASSIGN audit record
+msg_1="op=login-range acct=\"$user\" old-seuser=$seuser old-role=$role old-range=s0-s15:c0.c1023 new-seuser=$seuser new-role=$role new-range=$range exe=/usr/sbin/semanage.*res=success.*"
augrok -q type=ROLE_ASSIGN auid=$auid msg_1=~"$msg_1" \
|| exit_fail "ROLE_ASSIGN event missing: \"$msg_1\""
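Review bot: The awk pattern `/$seuser/` on the new `role=` line is an unanchored substring match applied to every row of `semanage user -l`, so any other row whose name or fields contain the value of `$seuser` is appended into `$role` with no separator, and the expected record built on the `msg_1=` line then never matches. Comparing the first field exactly and passing the name in as an awk variable avoids both the false match and the interpolation of `$seuser` into the awk program text: `role=$(semanage user -l | awk -v u="$seuser" '$1 == u { for (i = 5; i < NF; i++) printf "%s,", $i; print $NF }')`. The identical lookup is repeated in the test_semanage_role_remove.bash hunk and should change there too. Whether the roles always begin at field 5 depends on the semanage output layout on the test system, so a comment such as `# semanage user -l columns: name prefix level range roles...` above the line would record that assumption for the next maintainer.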
diff --git a/audit-test/trustedprograms/tests/test_semanage_role_remove.bash b/audit-test/trustedprograms/tests/test_semanage_role_remove.bash
index 19817a1..030bfd1 100755
--- a/audit-test/trustedprograms/tests/test_semanage_role_remove.bash
+++ b/audit-test/trustedprograms/tests/test_semanage_role_remove.bash
@@ -49,14 +49,18 @@ if [ $? -eq 0 ]; then
exit_fail "semange login -l still shows SELinux login record"
fi
-# check for ROLE_ASSIGN audit record
-msg_1="op=login-sename,role,range acct=\"$user\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r new-range=$def_range exe=/usr/sbin/semanage.*res=success.*"
+# find out the default roles for $seuser role
+role=$(semanage user -l | awk "/$seuser/ {for(i=5; i<NF; i++) { printf \"%s,\", \$i } printf \"%s\", \$NF}")
+[ -z "$role" ] && exit_error "Cannot determine $seuser roles"
+
+# check for correct ROLE_ASSIGN audit record
+msg_1="op=login-sename,role,range acct=\"$user\" old-seuser=user_u old-role=user_r old-range=s0 new-seuser=staff_u new-role=$role new-range=$def_range exe=/usr/sbin/semanage.*res=success.*"
augrok -q type=ROLE_ASSIGN auid=$auid msg_1=~"$msg_1" \
|| exit_fail "ROLE_ASSIGN event missing: \"$msg_1\""
# check for ROLE_REMOVE audit record
-msg_1="op=login acct=\"$user\" old-seuser=$seuser old-role=auditadm_r,staff_r,lspp_test_r,secadm_r,sysadm_r old-range=$def_range new-seuser=user_u new-role=user_r new-range=s0 exe=/usr/sbin/semanage.*res=success.*"
+msg_1="op=login acct=\"$user\" old-seuser=$seuser old-role=$role old-range=$def_range new-seuser=user_u new-role=user_r new-range=s0 exe=/usr/sbin/semanage.*res=success.*"
augrok -q type=ROLE_REMOVE auid=$auid msg_1=~"$msg_1" \
|| exit_fail "ROLE_REMOVE event missing: \"$msg_1\""
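Review bot: The role lookup keys on `$seuser`, but the expected ROLE_ASSIGN record on the `msg_1="op=login-sename,...` line hard-codes `new-seuser=staff_u` next to `new-role=$role`, so the two only agree when `$seuser` happens to be staff_u; if the test is ever run with another SELinux user the expected message is assembled from mismatched values and the check fails for the wrong reason. Using the variable in the expected string, `new-seuser=$seuser new-role=$role`, keeps the lookup and the record consistent (or, if staff_u is intentional, the lookup should name `staff_u` literally). The empty-result messages also differ between the two files (`role(s)` in test_semanage_chglvl.bash, `roles` here); aligning the wording makes log searches easier.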
--
1.8.3.1