Diffstat (limited to '')
l---------test/TEST-06-SELINUX/Makefile1
-rw-r--r--test/TEST-06-SELINUX/systemd_test.fc2
-rw-r--r--test/TEST-06-SELINUX/systemd_test.if9
-rw-r--r--test/TEST-06-SELINUX/systemd_test.te51
-rwxr-xr-xtest/TEST-06-SELINUX/test.sh58
5 files changed, 121 insertions, 0 deletions
diff --git a/test/TEST-06-SELINUX/Makefile b/test/TEST-06-SELINUX/Makefile
new file mode 120000
index 0000000..e9f93b1
--- /dev/null
+++ b/test/TEST-06-SELINUX/Makefile
@@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile \ No newline at end of file
diff --git a/test/TEST-06-SELINUX/systemd_test.fc b/test/TEST-06-SELINUX/systemd_test.fc
new file mode 100644
index 0000000..2aa442c
--- /dev/null
+++ b/test/TEST-06-SELINUX/systemd_test.fc
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+/usr/lib/systemd/tests/testdata/testsuite-06\.units(/.*)? system_u:object_r:systemd_unit_file_t:s0
diff --git a/test/TEST-06-SELINUX/systemd_test.if b/test/TEST-06-SELINUX/systemd_test.if
new file mode 100644
index 0000000..1e74e1d
--- /dev/null
+++ b/test/TEST-06-SELINUX/systemd_test.if
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+template(`systemd_test_base_template', `
+ gen_require(`
+ attribute systemd_test_domain_type;
+ ')
+
+ type $1_t, systemd_test_domain_type;
+ domain_type($1_t)
+')
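Review bot: The template carries none of the refpolicy interface documentation (`## <summary>` / `## <param>` blocks) that `.if` files conventionally have, so neither readers nor the policy doc tools get a description of what `systemd_test_base_template` produces. Above the `template(` line I would add `## <summary>Create a test domain $1_t and add it to systemd_test_domain_type.</summary>` plus a `## <param name="prefix">` block describing `$1` as the domain prefix. The comment should also say that the template only creates the type and marks it a domain; the caller's `.te` is expected to grant the domain its own `service` permissions, as this commit's `systemd_test.te` does.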
diff --git a/test/TEST-06-SELINUX/systemd_test.te b/test/TEST-06-SELINUX/systemd_test.te
new file mode 100644
index 0000000..43dbf3e
--- /dev/null
+++ b/test/TEST-06-SELINUX/systemd_test.te
@@ -0,0 +1,51 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+policy_module(systemd_test, 0.0.1)
+
+# declarations
+attribute systemd_test_domain_type;
+
+systemd_test_base_template(systemd_test)
+systemd_test_base_template(systemd_test_status)
+systemd_test_base_template(systemd_test_start)
+systemd_test_base_template(systemd_test_stop)
+systemd_test_base_template(systemd_test_reload)
+
+# systemd_test_domain_type
+
+require {
+ role system_r;
+ role unconfined_r;
+ type bin_t;
+ type initrc_t;
+ type systemd_systemctl_exec_t;
+ type unconfined_service_t;
+}
+
+role system_r types systemd_test_domain_type;
+role unconfined_r types systemd_test_domain_type;
+
+allow systemd_test_domain_type bin_t: file entrypoint;
+allow systemd_test_domain_type systemd_systemctl_exec_t: file entrypoint;
+allow initrc_t systemd_test_domain_type: process transition;
+allow unconfined_service_t systemd_test_domain_type: process transition;
+corecmd_exec_bin(systemd_test_domain_type)
+init_signal_script(systemd_test_domain_type)
+init_sigchld_script(systemd_test_domain_type)
+systemd_exec_systemctl(systemd_test_domain_type)
+userdom_use_user_ttys(systemd_test_domain_type)
+userdom_use_user_ptys(systemd_test_domain_type)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_test_domain_type)
+ init_dbus_chat(systemd_test_domain_type)
+')
+
+# systemd_test_*_t
+require {
+ type systemd_unit_file_t;
+}
+
+allow systemd_test_status_t systemd_unit_file_t: service { status };
+allow systemd_test_start_t systemd_unit_file_t: service { start };
+allow systemd_test_stop_t systemd_unit_file_t: service { stop };
+allow systemd_test_reload_t systemd_unit_file_t: service { reload };
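Review bot: Every test domain is given `file entrypoint` on `bin_t` and is reachable via `process transition` from both `initrc_t` and `unconfined_service_t` (lines 76–79), and nothing in the module says that this breadth is deliberate for a test fixture, so someone reusing the file as a template for a real domain has no warning. I would add a header comment under `policy_module`, e.g. `# Test-only module: the systemd_test_*_t domains are intentionally easy to enter (any bin_t binary, transitions from initrc_t/unconfined_service_t) so test.sh can runcon into them. Never install this module outside the test image.`, and one comment above the four `allow ... service` rules stating that each domain receives exactly one service permission, so the remaining permissions are expected to be denied. The `require` of `unconfined_r` and `unconfined_service_t` additionally ties the module to a policy that ships the unconfined module; if the test image's policy might lack it, those references would belong in an `optional_policy` block — which policy the image uses is not visible from this hunk.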
diff --git a/test/TEST-06-SELINUX/test.sh b/test/TEST-06-SELINUX/test.sh
new file mode 100755
index 0000000..a867dea
--- /dev/null
+++ b/test/TEST-06-SELINUX/test.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+TEST_DESCRIPTION="SELinux tests"
+IMAGE_NAME="selinux"
+TEST_NO_NSPAWN=1
+
+# Requirements:
+# Fedora 23
+# selinux-policy-targeted
+# selinux-policy-devel
+
+# Check if selinux-policy-devel is installed, and if it isn't bail out early instead of failing
+test -f /usr/share/selinux/devel/include/system/systemd.if || exit 0
+
+# shellcheck source=test/test-functions
+. "${TEST_BASE_DIR:?}/test-functions"
+
+SETUP_SELINUX=yes
+KERNEL_APPEND="${KERNEL_APPEND:=} selinux=1 security=selinux"
+
+test_append_files() {
+ (
+ local workspace="${1:?}"
+ local policy_headers_dir=/usr/share/selinux/devel
+ local modules_dir=/var/lib/selinux
+
+ setup_selinux
+ # Make sure we never expand this to "/..."
+ rm -rf "${workspace:?}/$modules_dir"
+
+ if ! cp -ar "$modules_dir" "$workspace/$modules_dir"; then
+ dfatal "Failed to copy $modules_dir"
+ exit 1
+ fi
+
+ rm -rf "${workspace:?}/$policy_headers_dir"
+ inst_dir /usr/share/selinux
+
+ if ! cp -ar "$policy_headers_dir" "$workspace/$policy_headers_dir"; then
+ dfatal "Failed to copy $policy_headers_dir"
+ exit 1
+ fi
+
+ mkdir "$workspace/systemd-test-module"
+ cp systemd_test.te "$workspace/systemd-test-module"
+ cp systemd_test.if "$workspace/systemd-test-module"
+ cp systemd_test.fc "$workspace/systemd-test-module"
+ image_install -o sesearch
+ image_install runcon
+ image_install checkmodule semodule semodule_package m4 make load_policy sefcontext_compile
+ image_install -o /usr/libexec/selinux/hll/pp # Fedora/RHEL/...
+ image_install -o /usr/lib/selinux/hll/pp # Debian/Ubuntu/...
+ )
+}
+
+do_test "$@"
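Review bot: The guard `test -f /usr/share/selinux/devel/include/system/systemd.if || exit 0` on line 121 skips the entire SELinux test silently, so a host without selinux-policy-devel reports a passing run although none of the policy checks executed; at minimum log the skip, e.g. `{ echo "selinux-policy-devel not installed, skipping SELinux tests" >&2; exit 0; }` in place of the bare `exit 0`. The `exit 1` calls on lines 141 and 149 run inside the `( … )` subshell and therefore only end the subshell, leaving `test_append_files` returning non-zero rather than aborting the script; whether that stops the run depends on how test-functions invokes the hook, which is not visible here. The `cp systemd_test.te …` lines 153–155 use paths relative to the current directory, so the function assumes the test directory is the cwd — worth a comment or an explicit `cd` next to them.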