diff options
| -rw-r--r-- | src/core/dbus-unit.c | 18 | ||||
| -rw-r--r-- | src/core/job.c | 12 | ||||
| -rw-r--r-- | src/core/job.h | 2 | ||||
| -rw-r--r-- | test/TEST-06-SELINUX/Makefile | 10 | ||||
| -rw-r--r-- | test/TEST-06-SELINUX/systemd_test.if | 8 | ||||
| -rw-r--r-- | test/TEST-06-SELINUX/systemd_test.te | 50 | ||||
| -rwxr-xr-x | test/TEST-06-SELINUX/test-selinux-checks.sh | 13 | ||||
| -rwxr-xr-x | test/TEST-06-SELINUX/test.sh | 135 | 
8 files changed, 241 insertions, 7 deletions
| diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c index 386ea96d1b..dca9f77528 100644 --- a/src/core/dbus-unit.c +++ b/src/core/dbus-unit.c @@ -458,7 +458,10 @@ int bus_unit_method_start_generic(          assert(u);          assert(job_type >= 0 && job_type < _JOB_TYPE_MAX); -        r = mac_selinux_unit_access_check(u, message, job_type == JOB_STOP ? "stop" : "start", error); +        r = mac_selinux_unit_access_check( +                        u, message, +                        job_type_to_access_method(job_type), +                        error);          if (r < 0)                  return r; @@ -983,6 +986,13 @@ int bus_unit_queue_job(          assert(type >= 0 && type < _JOB_TYPE_MAX);          assert(mode >= 0 && mode < _JOB_MODE_MAX); +        r = mac_selinux_unit_access_check( +                        u, message, +                        job_type_to_access_method(type), +                        error); +        if (r < 0) +                return r; +          if (reload_if_possible && unit_can_reload(u)) {                  if (type == JOB_RESTART)                          type = JOB_RELOAD_OR_START; @@ -990,12 +1000,6 @@ int bus_unit_queue_job(                          type = JOB_TRY_RELOAD;          } -        r = mac_selinux_unit_access_check( -                        u, message, -                        (type == JOB_START || type == JOB_RESTART || type == JOB_TRY_RESTART) ? "start" : -                        type == JOB_STOP ? "stop" : "reload", error); -        if (r < 0) -                return r;          if (type == JOB_STOP &&              (u->load_state == UNIT_NOT_FOUND || u->load_state == UNIT_ERROR) && diff --git a/src/core/job.c b/src/core/job.c index 4e111ffb46..d8fdf1b53f 100644 --- a/src/core/job.c +++ b/src/core/job.c @@ -1240,3 +1240,15 @@ static const char* const job_result_table[_JOB_RESULT_MAX] = {  };  DEFINE_STRING_TABLE_LOOKUP(job_result, JobResult); + +const char* job_type_to_access_method(JobType t) { +        assert(t >= 0); +        assert(t < _JOB_TYPE_MAX); + +        if (IN_SET(t, JOB_START, JOB_RESTART, JOB_TRY_RESTART)) +                return "start"; +        else if (t == JOB_STOP) +                return "stop"; +        else +                return "reload"; +} diff --git a/src/core/job.h b/src/core/job.h index 52866fdc48..bbf5471e8b 100644 --- a/src/core/job.h +++ b/src/core/job.h @@ -240,3 +240,5 @@ const char* job_result_to_string(JobResult t) _const_;  JobResult job_result_from_string(const char *s) _pure_;  int job_get_timeout(Job *j, uint64_t *timeout) _pure_; + +const char* job_type_to_access_method(JobType t); diff --git a/test/TEST-06-SELINUX/Makefile b/test/TEST-06-SELINUX/Makefile new file mode 100644 index 0000000000..5e89a29eff --- /dev/null +++ b/test/TEST-06-SELINUX/Makefile @@ -0,0 +1,10 @@ +all: +	@make -s --no-print-directory -C ../.. all +	@basedir=../.. TEST_BASE_DIR=../ ./test.sh --all +setup: +	@make --no-print-directory -C ../.. all +	@basedir=../.. TEST_BASE_DIR=../ ./test.sh --setup +clean: +	@basedir=../.. TEST_BASE_DIR=../ ./test.sh --clean +run: +	@basedir=../.. TEST_BASE_DIR=../ ./test.sh --run diff --git a/test/TEST-06-SELINUX/systemd_test.if b/test/TEST-06-SELINUX/systemd_test.if new file mode 100644 index 0000000000..25c91adce9 --- /dev/null +++ b/test/TEST-06-SELINUX/systemd_test.if @@ -0,0 +1,8 @@ +template(`systemd_test_base_template', ` +	gen_require(` +		attribute systemd_test_domain_type; +	') + +	type $1_t, systemd_test_domain_type; +	domain_type($1_t) +') diff --git a/test/TEST-06-SELINUX/systemd_test.te b/test/TEST-06-SELINUX/systemd_test.te new file mode 100644 index 0000000000..ff01c09b5e --- /dev/null +++ b/test/TEST-06-SELINUX/systemd_test.te @@ -0,0 +1,50 @@ +policy_module(systemd_test, 0.0.1) + +# declarations +attribute systemd_test_domain_type; + +systemd_test_base_template(systemd_test) +systemd_test_base_template(systemd_test_status) +systemd_test_base_template(systemd_test_start) +systemd_test_base_template(systemd_test_stop) +systemd_test_base_template(systemd_test_reload) + +# systemd_test_domain_type + +require { +	role system_r; +	role unconfined_r; +	type bin_t; +	type initrc_t; +	type systemd_systemctl_exec_t; +	type unconfined_service_t; +} + +role system_r types systemd_test_domain_type; +role unconfined_r types systemd_test_domain_type; + +allow systemd_test_domain_type bin_t: file entrypoint; +allow systemd_test_domain_type systemd_systemctl_exec_t: file entrypoint; +allow initrc_t systemd_test_domain_type: process transition; +allow unconfined_service_t systemd_test_domain_type: process transition; +corecmd_exec_bin(systemd_test_domain_type) +init_signal_script(systemd_test_domain_type) +init_sigchld_script(systemd_test_domain_type) +systemd_exec_systemctl(systemd_test_domain_type) +userdom_use_user_ttys(systemd_test_domain_type) +userdom_use_user_ptys(systemd_test_domain_type) + +optional_policy(` +	dbus_system_bus_client(systemd_test_domain_type) +	init_dbus_chat(systemd_test_domain_type) +') + +# systemd_test_*_t +require { +	type systemd_unit_file_t; +} + +allow systemd_test_status_t systemd_unit_file_t: service { status }; +allow systemd_test_start_t systemd_unit_file_t: service { start }; +allow systemd_test_stop_t systemd_unit_file_t: service { stop }; +allow systemd_test_reload_t systemd_unit_file_t: service { reload }; diff --git a/test/TEST-06-SELINUX/test-selinux-checks.sh b/test/TEST-06-SELINUX/test-selinux-checks.sh new file mode 100755 index 0000000000..08d2ddf4f0 --- /dev/null +++ b/test/TEST-06-SELINUX/test-selinux-checks.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +set -x +set -e +set -o pipefail + +echo 1 >/sys/fs/selinux/enforce +runcon -t systemd_test_start_t systemctl start hola +runcon -t systemd_test_reload_t systemctl reload hola +runcon -t systemd_test_stop_t systemctl stop hola + +touch /testok +exit 0 diff --git a/test/TEST-06-SELINUX/test.sh b/test/TEST-06-SELINUX/test.sh new file mode 100755 index 0000000000..4f5895be66 --- /dev/null +++ b/test/TEST-06-SELINUX/test.sh @@ -0,0 +1,135 @@ +#!/bin/bash +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh +TEST_DESCRIPTION="SELinux tests" + +# Requirements: +# Fedora 23 +# selinux-policy-targeted +# selinux-policy-devel + +. $TEST_BASE_DIR/test-functions +SETUP_SELINUX=yes +KERNEL_APPEND="$KERNEL_APPEND selinux=1" + +check_result_qemu() { +    ret=1 +    mkdir -p $TESTDIR/root +    mount ${LOOPDEV}p1 $TESTDIR/root +    [[ -e $TESTDIR/root/testok ]] && ret=0 +    [[ -f $TESTDIR/root/failed ]] && cp -a $TESTDIR/root/failed $TESTDIR +    cp -a $TESTDIR/root/var/log/journal $TESTDIR +    umount $TESTDIR/root +    [[ -f $TESTDIR/failed ]] && cat $TESTDIR/failed +    ls -l $TESTDIR/journal/*/*.journal +    test -s $TESTDIR/failed && ret=$(($ret+1)) +    return $ret +} + +test_run() { +    if run_qemu; then +        check_result_qemu || return 1 +    else +        dwarn "can't run QEMU, skipping" +    fi +    return 0 +} + +test_setup() { +    create_empty_image +    mkdir -p $TESTDIR/root +    mount ${LOOPDEV}p1 $TESTDIR/root + +    # Create what will eventually be our root filesystem onto an overlay +    ( +        LOG_LEVEL=5 +        eval $(udevadm info --export --query=env --name=${LOOPDEV}p2) + +        setup_basic_environment + +        # setup the testsuite service +        cat <<EOF >$initdir/etc/systemd/system/testsuite.service +[Unit] +Description=Testsuite service +After=multi-user.target + +[Service] +ExecStart=/test-selinux-checks.sh +Type=oneshot +EOF + +        cat <<EOF >$initdir/etc/systemd/system/hola.service +[Service] +Type=oneshot +ExecStart=/bin/echo Start Hola +ExecReload=/bin/echo Reload Hola +ExecStop=/bin/echo Stop Hola +RemainAfterExit=yes +EOF + +        setup_testsuite + +        cat <<EOF >$initdir/etc/systemd/system/load-systemd-test-module.service +[Unit] +Description=Load systemd-test module +DefaultDependencies=no +Requires=local-fs.target +Conflicts=shutdown.target +After=local-fs.target +Before=sysinit.target shutdown.target autorelabel.service +ConditionSecurity=selinux +ConditionPathExists=|/.load-systemd-test-module + +[Service] +ExecStart=/bin/sh -x -c 'echo 0 >/sys/fs/selinux/enforce && cd /systemd-test-module && make -f /usr/share/selinux/devel/Makefile load  && rm /.load-systemd-test-module' +Type=oneshot +TimeoutSec=0 +RemainAfterExit=yes +EOF + +        touch $initdir/.load-systemd-test-module +        mkdir -p $initdir/etc/systemd/system/basic.target.wants +        ln -fs load-systemd-test-module.service $initdir/etc/systemd/system/basic.target.wants/load-systemd-test-module.service + +        local _modules_dir=/var/lib/selinux +        rm -rf $initdir/$_modules_dir +        if ! cp -ar $_modules_dir $initdir/$_modules_dir; then +            dfatal "Failed to copy $_modules_dir" +            exit 1 +        fi + +        local _policy_headers_dir=/usr/share/selinux/devel +        rm -rf $initdir/$_policy_headers_dir +        inst_dir /usr/share/selinux +        if ! cp -ar $_policy_headers_dir $initdir/$_policy_headers_dir; then +            dfatal "Failed to copy $_policy_headers_dir" +            exit 1 +        fi + +        mkdir $initdir/systemd-test-module +        cp systemd_test.te $initdir/systemd-test-module +        cp systemd_test.if $initdir/systemd-test-module +        cp test-selinux-checks.sh $initdir +        dracut_install -o sesearch +        dracut_install runcon +        dracut_install checkmodule semodule semodule_package m4 make /usr/libexec/selinux/hll/pp load_policy sefcontext_compile +    ) || return 1 + +    # mask some services that we do not want to run in these tests +    ln -s /dev/null $initdir/etc/systemd/system/systemd-hwdb-update.service +    ln -s /dev/null $initdir/etc/systemd/system/systemd-journal-catalog-update.service +    ln -s /dev/null $initdir/etc/systemd/system/systemd-networkd.service +    ln -s /dev/null $initdir/etc/systemd/system/systemd-networkd.socket +    ln -s /dev/null $initdir/etc/systemd/system/systemd-resolved.service + +    ddebug "umount $TESTDIR/root" +    umount $TESTDIR/root +} + +test_cleanup() { +    umount $TESTDIR/root 2>/dev/null +    [[ $LOOPDEV ]] && losetup -d $LOOPDEV +    return 0 +} + +do_test "$@" | 
