| |
@@ -0,0 +1,310 @@
|
| |
+ #!/bin/bash
|
| |
+ # vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
| |
+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| |
+ #
|
| |
+ # runtest.sh of /CoreOS/selinux-policy/Regression/NetworkManager-general
|
| |
+ # Description: general NetworkManager related policy checks
|
| |
+ # Author: Karel Srot <ksrot@redhat.com>
|
| |
+ #
|
| |
+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| |
+ #
|
| |
+ # Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
| |
+ #
|
| |
+ # This copyrighted material is made available to anyone wishing
|
| |
+ # to use, modify, copy, or redistribute it subject to the terms
|
| |
+ # and conditions of the GNU General Public License version 2.
|
| |
+ #
|
| |
+ # This program is distributed in the hope that it will be
|
| |
+ # useful, but WITHOUT ANY WARRANTY; without even the implied
|
| |
+ # warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
| |
+ # PURPOSE. See the GNU General Public License for more details.
|
| |
+ #
|
| |
+ # You should have received a copy of the GNU General Public
|
| |
+ # License along with this program; if not, write to the Free
|
| |
+ # Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
| |
+ # Boston, MA 02110-1301, USA.
|
| |
+ #
|
| |
+ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| |
+
|
| |
+ # Include rhts environment
|
| |
+ . /usr/bin/rhts-environment.sh
|
| |
+ . /usr/share/beakerlib/beakerlib.sh
|
| |
+
|
| |
+ PACKAGE="selinux-policy"
|
| |
+ ROOT_PASSWORD="redhat"
|
| |
+
|
| |
+ rlJournalStart
|
| |
+ rlPhaseStartSetup
|
| |
+ rlRun "rlImport 'selinux-policy/common'"
|
| |
+ rlSESatisfyRequires
|
| |
+ rlAssertRpm ${PACKAGE}
|
| |
+ rlAssertRpm ${PACKAGE}-targeted
|
| |
+ rlAssertRpm NetworkManager
|
| |
+
|
| |
+ rlFileBackup /etc/shadow
|
| |
+ rlRun "echo ${ROOT_PASSWORD} | passwd --stdin root"
|
| |
+
|
| |
+ rlSESetEnforce
|
| |
+ rlSEStatus
|
| |
+ rlSESetTimestamp
|
| |
+ sleep 1
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#474342"
|
| |
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
|
| |
+ rlSEMatchPathCon "/var/lib/dhclient" "dhcpc_state_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t dhcpc_state_t : dir { getattr open search }"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ if ! rlIsRHEL 5 ; then
|
| |
+ rlPhaseStartTest "bz#696161"
|
| |
+ # Meta-Fixed-in: selinux-policy-3.7.19-84.el6
|
| |
+ rlSESearchRule "dontaudit NetworkManager_t NetworkManager_t : capability { sys_module }"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#731760"
|
| |
+ # Meta-Fixed-in: selinux-policy-3.7.19-108.el6
|
| |
+ rlSESearchRule "allow NetworkManager_t NetworkManager_t : netlink_socket { create }"
|
| |
+ rlPhaseEnd
|
| |
+ fi
|
| |
+
|
| |
+ if ! rlIsRHEL 5 6 ; then
|
| |
+ rlPhaseStartTest "bz#1071480"
|
| |
+ rlSEMatchPathCon "/usr/libexec/nm-libreswan-service" "ipsec_mgmt_exec_t"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#920576"
|
| |
+ rlSEMatchPathCon "/etc/hostname" "hostname_etc_t"
|
| |
+ rlPhaseEnd
|
| |
+ fi
|
| |
+
|
| |
+ rlPhaseStartTest "bz#693149"
|
| |
+ # META-Fixed-in:
|
| |
+ if rlIsRHEL 5 ; then
|
| |
+ rlSESearchRule "allow NetworkManager_t tmp_t : sock_file { write }"
|
| |
+ else
|
| |
+ rlSESearchRule "allow NetworkManager_t user_tmp_t : sock_file { write }"
|
| |
+ fi
|
| |
+ rlSESearchRule "allow NetworkManager_t unconfined_t : unix_dgram_socket { sendto }"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ if ! rlIsRHEL 5 ; then
|
| |
+ rlPhaseStartTest "bz#1009661"
|
| |
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
|
| |
+ rlSEMatchPathCon "/dev/rfkill" "wireless_device_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t wireless_device_t : chr_file { read write }"
|
| |
+ rlPhaseEnd
|
| |
+ fi
|
| |
+
|
| |
+ if rlIsRHEL 5 6 ; then
|
| |
+ rlPhaseStartTest "bz#1042838"
|
| |
+ rlSEMatchPathCon "/usr/libexec/nm-dispatcher.action" "NetworkManager_initrc_exec_t"
|
| |
+ rlSESearchRule "allow system_dbusd_t NetworkManager_initrc_exec_t : file { getattr open read execute }"
|
| |
+ rlSESearchRule "allow system_dbusd_t initrc_t : process { transition }"
|
| |
+ rlSESearchRule "type_transition system_dbusd_t NetworkManager_initrc_exec_t : process initrc_t"
|
| |
+ rlPhaseEnd
|
| |
+ else # RHEL-7 and above
|
| |
+ rlPhaseStartTest "bz#1039879"
|
| |
+ rlSEMatchPathCon "/usr/libexec/nm-dispatcher.action" "NetworkManager_exec_t"
|
| |
+ rlSESearchRule "allow init_t NetworkManager_exec_t : file { getattr open read execute }"
|
| |
+ rlSESearchRule "allow init_t NetworkManager_t : process { transition }"
|
| |
+ rlSESearchRule "type_transition init_t NetworkManager_exec_t : process NetworkManager_t"
|
| |
+ rlPhaseEnd
|
| |
+ fi
|
| |
+
|
| |
+ if ! rlIsRHEL 5 ; then
|
| |
+ rlPhaseStartTest "real scenario -- bz#1039879 + bz#1042838"
|
| |
+ DESTINATION="org.freedesktop.nm_dispatcher"
|
| |
+ if rlIsRHEL 6 ; then
|
| |
+ PROCESS_NAME="nm-dispatcher.action"
|
| |
+ PROCESS_CONTEXT="initrc_t"
|
| |
+ else # RHEL-7 and above
|
| |
+ PROCESS_NAME="nm-dispatcher"
|
| |
+ PROCESS_CONTEXT="NetworkManager_t"
|
| |
+ fi
|
| |
+ rlRun "gdbus introspect --system --object-path / --dest ${DESTINATION} >& /dev/null"
|
| |
+ sleep 1
|
| |
+ rlRun "ps -efZ | grep -v grep | grep ${PROCESS_NAME}"
|
| |
+ rlRun "ps -efZ | grep -v grep | grep \"${PROCESS_CONTEXT}.*${PROCESS_NAME}\""
|
| |
+
|
| |
+ if ! rlIsRHEL 6 ; then
|
| |
+ rlSEService ${ROOT_PASSWORD} NetworkManager-dispatcher nm-dispatcher NetworkManager_t "start status restart status stop status" 1
|
| |
+ fi
|
| |
+ rlPhaseEnd
|
| |
+ fi
|
| |
+
|
| |
+ if ! rlIsRHEL 5 6 ; then
|
| |
+ rlPhaseStartTest "bz#1040631 + bz#1041105"
|
| |
+ rlSEMatchPathCon "/usr/libexec/nm-dispatcher.action" "NetworkManager_exec_t"
|
| |
+ rlSEMatchPathCon "/etc/NetworkManager/dispatcher.d" "NetworkManager_initrc_exec_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t NetworkManager_initrc_exec_t : dir { getattr open read }"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1044723"
|
| |
+ rlSEMatchPathCon "/usr/libexec/nm-dispatcher.action" "NetworkManager_exec_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t initrc_t : process { signull }"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1055734"
|
| |
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
|
| |
+ rlSEMatchPathCon "/usr/sbin/iscsiadm" "iscsid_exec_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t iscsid_exec_t : file { getattr open read execute }"
|
| |
+ rlSESearchRule "allow NetworkManager_t iscsid_t : process { transition }"
|
| |
+ rlSESearchRule "type_transition NetworkManager_t iscsid_exec_t : process iscsid_t"
|
| |
+ rlPhaseEnd
|
| |
+ fi
|
| |
+
|
| |
+ rlPhaseStartTest "real scenario -- bz#1040631 + bz#1041105 + bz#1069241 + bz#1070829"
|
| |
+ rlSEService ${ROOT_PASSWORD} NetworkManager NetworkManager NetworkManager_t "start status restart status" 1
|
| |
+ if ! rlIsRHEL 5 6 ; then
|
| |
+ # rlRun "ls -Z /run/systemd/resolve/resolv.conf | grep :net_conf_t"
|
| |
+ SAME_NAME=`cat /etc/hostname`
|
| |
+ rlRun "nmcli gen hostname ${SAME_NAME}"
|
| |
+ rlRun "ls -Z /etc/hostname | grep :hostname_etc_t"
|
| |
+ rlRun "restorecon -v /etc/hostname"
|
| |
+ fi
|
| |
+ rlSEService ${ROOT_PASSWORD} NetworkManager NetworkManager NetworkManager_t "stop status" 1
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ if ! rlIsRHEL 5 6 ; then
|
| |
+ rlPhaseStartTest "bz#1069241"
|
| |
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
|
| |
+ rlSEMatchPathCon "/etc/hostname" "hostname_etc_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t hostname_etc_t : file { unlink }"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1070829"
|
| |
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
|
| |
+ rlSEMatchPathCon "/etc" "etc_t"
|
| |
+ rlSEMatchPathCon "/etc/hostname" "hostname_etc_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t hostname_etc_t : file { create }"
|
| |
+ rlRun "sesearch -T -s NetworkManager_t -t etc_t -c file | grep \"hostname_etc_t.*hostname\""
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1234954"
|
| |
+ rlSESearchRule "allow NetworkManager_t systemd_hostnamed_t : dbus { send_msg }"
|
| |
+ rlSESearchRule "allow NetworkManager_t sysfs_t : dir { write }"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1192810"
|
| |
+ rlRun "sesearch -c file -T | grep 'nm-dhclient\.'" 1
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1212498"
|
| |
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
|
| |
+ rlSEMatchPathCon "/dev/rfcomm0" "tty_device_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t NetworkManager_initrc_exec_t : lnk_file { getattr read }"
|
| |
+ rlSESearchRule "allow NetworkManager_t sysfs_t : dir { write }"
|
| |
+ rlSESearchRule "allow NetworkManager_t tty_device_t : chr_file { getattr open read } [ ]"
|
| |
+ rlSESearchRule "allow NetworkManager_t etc_t : dir { read write getattr open search add_name remove_name } [ ]"
|
| |
+ rlRun "sesearch -s NetworkManager_t -t etc_t -c lnk_file -T | grep \"net_conf_t.*resolv.conf.NetworkManager\""
|
| |
+ rlSESearchRule "allow NetworkManager_t net_conf_t : lnk_file { create }"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1336722"
|
| |
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t dnsmasq_t : dbus { send_msg } [ ]"
|
| |
+ rlSESearchRule "allow dnsmasq_t NetworkManager_t : dbus { send_msg } [ ]"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1342401 + bz#1344505"
|
| |
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
|
| |
+ rlSEMatchPathCon "/etc/resolv.conf" "net_conf_t"
|
| |
+ rlSEMatchPathCon "/etc/resolv.conf.GWNQIY" "net_conf_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t net_conf_t : file { create rename }"
|
| |
+ rlRun "sesearch -s NetworkManager_t -t etc_t -c file -T | grep \"type_transition .* net_conf_t;\""
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1517247"
|
| |
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t openvswitch_t : unix_stream_socket { connectto } [ ]"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1517895"
|
| |
+ rlSESearchRule "allow NetworkManager_t unlabeled_t : infiniband_pkey { access }"
|
| |
+ rlSESearchRule "allow NetworkManager_t unlabeled_t : infiniband_endport { manage_subnet }"
|
| |
+ rlPhaseEnd
|
| |
+ fi
|
| |
+
|
| |
+ if ! rlIsRHEL 5 ; then
|
| |
+ rlPhaseStartTest "bz#1078900 + bz#1209854"
|
| |
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
|
| |
+ rlSEMatchPathCon "/sbin/arping" "netutils_exec_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t netutils_exec_t : file { getattr open read execute_no_trans }"
|
| |
+ rlSESearchRule "allow NetworkManager_t netutils_t : process { transition }" 1
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1214747"
|
| |
+ rlSEMatchPathCon "/usr/libexec/nm-vpnc-service" "bin_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t kernel_t : process { signull }"
|
| |
+ rlPhaseEnd
|
| |
+ fi
|
| |
+
|
| |
+ if ! rlIsRHEL 5 6 7 ; then
|
| |
+ rlPhaseStartTest "bz#1530297"
|
| |
+ rlSEMatchPathCon "/run/systemd/resolve" "systemd_resolved_var_run_t"
|
| |
+ rlSEMatchPathCon "/run/systemd/resolve/resolv.conf" "net_conf_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t net_conf_t : file { getattr } [ ]"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1747768"
|
| |
+ rlSEMatchPathCon "/usr/sbin/NetworkManager" "NetworkManager_exec_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t NetworkManager_t : bluetooth_socket { create } [ deny_bluetooth ]"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1777506"
|
| |
+ rlSEMatchPathCon "/usr/libexec/nm-dispatcher" "NetworkManager_exec_t"
|
| |
+ rlSEMatchPathCon "/usr/lib/NetworkManager/dispatcher.d" "NetworkManager_initrc_exec_t"
|
| |
+ rlSEMatchPathCon "/usr/lib/NetworkManager/dispatcher.d/30-winbind" "NetworkManager_initrc_exec_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t NetworkManager_initrc_exec_t : file { getattr open read execute map } [ ]"
|
| |
+ rlSESearchRule "type_transition NetworkManager_t NetworkManager_initrc_exec_t : process initrc_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t initrc_t : process { transition } [ ]"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1781806"
|
| |
+ rlSEMatchPathCon "/usr/lib/systemd/system/winbind.service" "samba_unit_file_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t samba_unit_file_t : service { status } [ ]"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1806894"
|
| |
+ rlSEMatchPathCon "/usr/lib/systemd/system/nm-cloud-setup.service" "NetworkManager_unit_file_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t NetworkManager_unit_file_t : file { getattr } [ ]"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1831630"
|
| |
+ rlSEMatchPathCon "/usr/sbin/rfkill" "bin_t"
|
| |
+ rlSEMatchPathCon "/dev/rfkill" "wireless_device_t"
|
| |
+ for USER_TYPE in staff_t user_t sysadm_t xguest_t unconfined_t ; do
|
| |
+ rlSESearchRule "allow ${USER_TYPE} wireless_device_t : chr_file { read write } [ ]"
|
| |
+ done
|
| |
+ rlPhaseEnd
|
| |
+ fi
|
| |
+
|
| |
+ # TODO: add real scenario where confined users run rfkill {,list,event}
|
| |
+
|
| |
+ if ! rlIsRHEL 5 6 ; then
|
| |
+ rlPhaseStartTest "bz#1597729"
|
| |
+ rlSEMatchPathCon "/usr/sbin/openvpn" "openvpn_exec_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t openvpn_exec_t : file { map }"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1598506"
|
| |
+ rlSEMatchPathCon "/usr/sbin/dnsmasq" "dnsmasq_exec_t"
|
| |
+ rlSESearchRule "allow NetworkManager_t dnsmasq_exec_t : file { map }"
|
| |
+ rlPhaseEnd
|
| |
+
|
| |
+ rlPhaseStartTest "bz#1723877"
|
| |
+ rlSESearchRule "allow NetworkManager_t systemd_resolved_t : dbus { send_msg } [ ]"
|
| |
+ rlSESearchRule "allow systemd_resolved_t NetworkManager_t : dbus { send_msg } [ ]"
|
| |
+ rlPhaseEnd
|
| |
+ fi
|
| |
+
|
| |
+ rlPhaseStartCleanup
|
| |
+ sleep 2
|
| |
+ rlSECheckAVC
|
| |
+
|
| |
+ rlFileRestore
|
| |
+ rlPhaseEnd
|
| |
+ rlJournalPrintText
|
| |
+ rlJournalEnd
|
| |
+
|
| |
plautrba
commented 3 years ago
SELinux interferes with NetworkManager, nm-dispatcher and related programs.
NetworkManager can interact with arping, systemd-hostnamed, iscsiadm, dnsmasq,
openvswitch.