Re: [Audit-test-developer] [PATCH 07/14] misc/tar: add support for ACL testing

[Linda K. <lin...@hp...>]

Jiri Jaburek wrote:
> Also make tar use explicit --selinux and --acls.
> 
> The --xattrs is a custom RHEL feature on RHEL5/RHEL6 that backs up
> and extracts all xattrs, incl. all namespaces (security, system,
> trusted, user).
> On RHEL7, the --xattrs comes from upstream version of tar, which
> backs up only the user namespace by default. 

This is just a side question - is this change going to be obvious
to RHEL customers who upgrade from RHEL6 to RHEL7?  If they're using
--xattrs, they're not getting what they used to get.

> This can be changed
> to RHEL5/RHEL6 behavior using --xattrs-include='*', but this would
> not be backwards compatible and - furthermore - is not very correct.
> 
> The fact is that test_tar checks for SELinux contexts using ls -Z,
> not *any* generic file contexts. Therefore we want tar to back up
> and restore SELinux file contexts, regardless of how they're implemented
> internally (ie. using xattrs). It thus makes sense to use explicit
> --selinux switch (available on RHEL5/RHEL6/RHEL7).

Is --selinux RHEL-specific or also upstream?

If someone wants to test ACLs on a non-SELinux distro, they will
need to separate this test into 2 tests, one for ACLs and one for
file contexts.  I only mention this because of Stephan's comment
on a previous patch about RPMs.

-- ljk
> 
> Signed-off-by: Jiri Jaburek <jja...@re...>
> ---
>  audit-test/misc/tests/test_tar.bash | 21 +++++++++++++++------
>  1 file changed, 15 insertions(+), 6 deletions(-)
> 
> diff --git a/audit-test/misc/tests/test_tar.bash b/audit-test/misc/tests/test_tar.bash
> index 8ea8da9..f83b45f 100755
> --- a/audit-test/misc/tests/test_tar.bash
> +++ b/audit-test/misc/tests/test_tar.bash
> @@ -20,13 +20,14 @@
>  #  FILE   : test_tar.bash
>  #
>  #  TEST DESCRIPTION: Verify that the tar program preserves file security
> -#		     contexts. Pack up files with various contexts using tar,
> -#		     unpack them in another directory, and compare the file
> -#		     contexts using ls -Z.  The file contexts should all
> -# 		     be preserved.
> +#		     (SELinux) contexts and ACLs. Pack up files with various
> +#		     attributes using tar, unpack them in another directory
> +#		     and compare the file contexts and ACLs. Both the file
> +#		     contexts and ACLs should all be preserved.
>  #
>  #  HISTORY:  05/2007  created by Lisa Smith <lis...@hp...>
>  #            08/2011  ported to audit-test by Tony Ernst <te...@sg...>
> +#            10/2013  added ACL testing by Jiri Jaburek <jja...@re...>
>  #
>  #############################################################################
>  source misc_functions.bash || exit 2
> @@ -55,8 +56,12 @@ chcon -t tmp_t -l SystemLow $FILE_DIR/fileLow || exit_fail
>  chmod 744 $FILE_DIR/fileSecret || exit_fail
>  chcon -t bin_t -l Secret $FILE_DIR/fileSecret || exit_fail
>  
> +# Add some ACL entries to one of the files
> +setfacl -n -m u:1234:rwx $FILE_DIR/fileSecret
> +setfacl -n -m g:4321:--x $FILE_DIR/fileSecret
> +
>  # Pack up the files in the test_files directory
> -tar cf $TAR_FILE --xattrs -H posix -C $FILE_DIR .
> +tar cf $TAR_FILE --selinux --acls -H posix -C $FILE_DIR .
>  
>  # Verify the files were successfully packed
>  if [ $? != 0 ]; then
> @@ -64,7 +69,7 @@ if [ $? != 0 ]; then
>  fi
>  
>  # Unpack the files
> -tar xvf $TAR_FILE --xattrs -C $EXTRACT_DIR
> +tar xvf $TAR_FILE --selinux --acls -C $EXTRACT_DIR
>  if [ $? != 0 ]; then
>  	exit_error "Error unpacking tar archive"
>  fi
> @@ -77,4 +82,8 @@ if [ $? != 0 ]; then
>          exit_fail "tar did not preserve correct files and/or security contexts"
>  fi
>  
> +# Check ACLs
> +getfacl $EXTRACT_DIR/fileSecret | grep user:1234:rwx || exit_fail
> +getfacl $EXTRACT_DIR/fileSecret | grep group:4321:--x || exit_fail
> +
>  exit_pass