#81 Add nagios related selinux-policy tests
Opened 3 years ago by plautrba. Modified 3 years ago
tests/ plautrba/selinux selinux-policy-nagios  into  master

@@ -0,0 +1,71 @@ 

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Makefile of /CoreOS/selinux-policy/Regression/bz1260306-nagios-cgi-scripts

+ #   Description: Login to nagios web interface and run sample scripts

+ #   Author: Jan Zarsky <jzarsky@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2016 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ export TEST=/CoreOS/selinux-policy/Regression/bz1260306-nagios-cgi-scripts

+ export TESTVERSION=1.0

+ 

+ BUILT_FILES=

+ 

+ FILES=$(METADATA) runtest.sh Makefile PURPOSE

+ 

+ .PHONY: all install download clean

+ 

+ run: $(FILES) build

+ 	./runtest.sh

+ 

+ build: $(BUILT_FILES)

+ 	test -x runtest.sh || chmod a+x runtest.sh

+ 	test -x runtest.sh || chcon -t bin_t runtest.sh

+ 

+ clean:

+ 	rm -f *~ $(BUILT_FILES)

+ 

+ include /usr/share/rhts/lib/rhts-make.include

+ 

+ $(METADATA): Makefile

+ 	@echo "Owner:           Jan Zarsky <jzarsky@redhat.com>" > $(METADATA)

+ 	@echo "Name:            $(TEST)" >> $(METADATA)

+ 	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)

+ 	@echo "Path:            $(TEST_DIR)" >> $(METADATA)

+ 	@echo "Description:     Login to nagios web interface and run sample scripts" >> $(METADATA)

+ 	@echo "Type:            Regression" >> $(METADATA)

+ 	@echo "TestTime:        10m" >> $(METADATA)

+ 	@echo "RunFor:          selinux-policy" >> $(METADATA)

+ 	@echo "Requires:        audit libselinux libselinux-utils selinux-policy nagios nagios-common nagios-plugins wget policycoreutils httpd setools-console" >> $(METADATA)

+ 	@echo "RhtsRequires:    library(selinux-policy/common)" >> $(METADATA)

+ 	@echo "Priority:        Normal" >> $(METADATA)

+ 	@echo "License:         GPLv2+" >> $(METADATA)

+ 	@echo "Confidential:    no" >> $(METADATA)

+ 	@echo "Destructive:     no" >> $(METADATA)

+ 	@echo "Releases:        -RHEL4 -RHEL5" >> $(METADATA)

+ 	@echo "Bug:             1260306" >> $(METADATA) # RHEL-7

+ 	@echo "Bug:             1426824" >> $(METADATA) # RHEL-7

+ 	@echo "Bug:             1427415" >> $(METADATA) # RHEL-7

+ 	@echo "Bug:             1620013" >> $(METADATA) # RHEL-7

+ 	@echo "Bug:             1760883" >> $(METADATA) # Fedora 30

+ 	@echo "Bug:             1815621" >> $(METADATA) # RHEL-8

+ 

+ 	rhts-lint $(METADATA)

+ 
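Review bot: The second line of the `build` recipe can never run `chcon`: once `test -x runtest.sh || chmod a+x runtest.sh` has succeeded the script is executable, so `test -x runtest.sh || chcon -t bin_t runtest.sh` always short-circuits. If the `bin_t` label is actually wanted on the script for an SELinux test run, apply it without the guard, e.g. `chcon -t bin_t runtest.sh`; otherwise drop the line so the recipe does not suggest a relabel that never happens. Separately, `run` and `build` are not listed in `.PHONY`, while `all install download` are declared there but not defined in this hunk (presumably they come from rhts-make.include), so `.PHONY: all install download clean run build` would match what the file defines.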

@@ -0,0 +1,5 @@ 

+ PURPOSE of /CoreOS/selinux-policy/Regression/bz1260306-nagios-cgi-scripts

+ Author: Jan Zarsky <jzarsky@redhat.com>

+ 

+ Log into nagios web interface and run sample scripts

+ 

@@ -0,0 +1,124 @@ 

+ #!/bin/bash

+ # vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   runtest.sh of /CoreOS/selinux-policy/Regression/bz1260306-nagios-cgi-scripts

+ #   Description: Login to nagios web interface and run sample scripts

+ #   Author: Jan Zarsky <jzarsky@redhat.com>

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ #

+ #   Copyright (c) 2016 Red Hat, Inc.

+ #

+ #   This program is free software: you can redistribute it and/or

+ #   modify it under the terms of the GNU General Public License as

+ #   published by the Free Software Foundation, either version 2 of

+ #   the License, or (at your option) any later version.

+ #

+ #   This program is distributed in the hope that it will be

+ #   useful, but WITHOUT ANY WARRANTY; without even the implied

+ #   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

+ #   PURPOSE.  See the GNU General Public License for more details.

+ #

+ #   You should have received a copy of the GNU General Public License

+ #   along with this program. If not, see http://www.gnu.org/licenses/.

+ #

+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ 

+ # Include Beaker environment

+ . /usr/bin/rhts-environment.sh || exit 1

+ . /usr/share/beakerlib/beakerlib.sh || exit 1

+ 

+ PACKAGE="selinux-policy"

+ 

+ rlJournalStart

+     rlPhaseStartSetup

+         rlRun "rlImport 'selinux-policy/common'"

+         rlSESatisfyRequires

+ 

+         rlAssertRpm ${PACKAGE}

+         rlAssertRpm "nagios"

+         rlAssertRpm "nagios-common"

+         rlAssertRpm "nagios-plugins"

+         rlAssertRpm "wget"

+ 

+         rlSESetEnforce

+         rlSEStatus

+         rlSESetTimestamp

+         sleep 2

+ 

+         rlRun "service httpd start"

+         rlRun "service nagios start"

+     rlPhaseEnd

+ 

+     if rlIsFedora || rlIsRHEL '>=7'; then

+         rlPhaseStartTest "bz1260306"

+             rlSEMatchPathCon "/usr/lib64/nagios/cgi-bin" "nagios_script_exec_t"

+             rlSESearchRule "allow httpd_t nagios_script_exec_t : file { getattr open read execute }"

+             rlSESearchRule "type_transition httpd_t nagios_script_exec_t : process nagios_script_t"

+             rlSESearchRule "allow httpd_t nagios_script_t : process { transition }"

+         rlPhaseEnd

+ 

+         rlPhaseStartTest "bz#1426824 + bz#1427415"

+             # needed for nagios >= 4.2.4

+             rlSEMatchPathCon "/usr/lib64/nagios/cgi-bin/archivejson.cgi" "nagios_script_exec_t"

+             rlSEMatchPathCon "/var/spool/nagios/objects.cache" "nagios_spool_t"

+             rlSESearchRule "allow nagios_script_t nagios_spool_t : file { getattr open read } [ ]"

+             rlSESearchRule "allow nagios_t nagios_t : unix_stream_socket { connectto } [ ]"

+         rlPhaseEnd

+     fi

+ 

+     rlPhaseStartTest "bz#1620013"

+         rlSEMatchPathCon "/etc/nagios/cgi.cfg" "nagios_etc_t"

+         rlSEMatchPathCon "/var/log/nagios/nagios.log" "nagios_log_t"

+         rlSEMatchPathCon "/var/spool/nagios/objects.cache" "nagios_spool_t"

+         rlSESearchRule "allow nagios_script_t nagios_etc_t : file { map } [ ]"

+         rlSESearchRule "allow nagios_script_t nagios_spool_t : file { map } [ ]"

+         rlSESearchRule "allow nagios_script_t nagios_log_t : file { map } [ ]"

+     rlPhaseEnd

+ 

+     if rlIsFedora ; then

+     rlPhaseStartTest "bz#1760883"

+         rlSEMatchPathCon "/sys/devices/system/cpu" "sysfs_t"

+         rlSESearchRule "allow nagios_script_t sysfs_t : dir { read } [ ]"

+     rlPhaseEnd

+     fi

+ 

+     if ! rlIsRHEL 5 6 7 ; then

+     rlPhaseStartTest "bz#1815621"

+         rlSEMatchPathCon "/usr/lib64/nagios/plugins/check_file_age" "nagios_admin_plugin_exec_t"

+         rlSEMatchPathCon "/usr/lib64/nagios/plugins/check_mailq" "nagios_mail_plugin_exec_t"

+         rlSEMatchPathCon "/usr/bin/perl" "bin_t"

+         rlSESearchRule "allow nagios_admin_plugin_t bin_t : file { getattr open read map execute } [ ]"

+         rlSESearchRule "allow nagios_mail_plugin_t bin_t : file { getattr open read map execute } [ ]"

+         rlRun "seinfo -anagios_plugin_domain -x"

+     rlPhaseEnd

+     fi

+ 

+     rlPhaseStartTest "real scenario"

+         rlRun "htpasswd -b /etc/nagios/passwd nagiosadmin krR3f669SGTtDwgH" \

+             0 "Set nagios webconf password"

+ 

+         rlRun "wget --user=nagiosadmin --password=krR3f669SGTtDwgH http://localhost/nagios --spider -S 2>&1 | grep -q '200 OK'" \

+             0 "Test http://localhost/nagios"

+         

+         rlRun "pushd /usr/lib64/nagios/cgi-bin"

+         

+         for f in *.cgi; do

+             rlRun "wget --user=nagiosadmin --password=krR3f669SGTtDwgH http://localhost/nagios/cgi-bin/$f --spider -S 2>&1 | grep -q '200 OK'" \

+                 0 "Test $f script"

+         done

+ 

+         rlRun "popd"

+     rlPhaseEnd

+ 

+     rlPhaseStartCleanup

+         rlRun "service nagios stop"

+         rlRun "service httpd stop"

+ 

+         sleep 2

+         rlSECheckAVC

+     rlPhaseEnd

+ rlJournalPrintText

+ rlJournalEnd

+ 
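Review bot: The "real scenario" phase rewrites the `nagiosadmin` entry in /etc/nagios/passwd with a fixed password that is committed to the repository, and the cleanup phase never restores the file, so a machine that ran this test keeps a web login with a publicly known credential even though the Makefile metadata declares `Destructive: no`. Save the file in the setup phase with `rlFileBackup /etc/nagios/passwd` and call `rlFileRestore` in cleanup; generating the password per run into a variable would also keep a reusable secret out of the repository. The password is passed on the `htpasswd -b` and `wget --password=` command lines, so it is visible in the process list while the test runs and, presumably, in the journal entry `rlRun` writes for each command. Cleanup also stops httpd and nagios unconditionally; `rlServiceStart` in setup with `rlServiceRestore` in cleanup would return both services to the state they were in before the test.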

no initial comment

rebased onto 7709b6818b70ee9077500d6e55a86aca621d2da1

3 years ago

The failure is caused by BZ#1815621, which is fixed in RHEL-8.3 but not fixed in Fedora 33.

rebased onto 668939a

3 years ago

rebased onto 12f191c

3 years ago