def testProcessAttributeLine(self): attribute_policy = SELinuxPolicy() #test with 'normal input' test_normal_string = 'attribute TEST_att;' test_attribute = 'TEST_att' attribute_policy.process_attribute_line(test_normal_string) self.failUnless(test_attribute in attribute_policy.attributes)
def testProcessCommonLine(self): common_policy = SELinuxPolicy() common_offset = 279 # needs changing if file changes self.test_file.seek(common_offset, 0) line = self.test_file.readline() common_policy.process_common_line(line, self.test_file) self.failUnless('file' in common_policy.common_classes) self.failUnless( common_policy.common_classes['file'] == common_classes['file'])
def setUp(self): self.test_policy = SELinuxPolicy() self.test_file = open(policy_file_name, 'r') self.test_policy.types = types self.test_policy.attributes = attributes self.test_policy.common_classes = common_classes self.test_policy.classes = classes self.test_policy.allow_rules = allow_rules self.test_policy.neverallow_rules = neverallow_rules return
def testProcessTypeLine(self): type_policy = SELinuxPolicy() test_normal_string = 'type TEST_type, TEST_att1, TEST_att2;' test_type = 'TEST_type' test_atts = ['TEST_att1', 'TEST_att2'] #test with 'normal input' type_policy.process_type_line(test_normal_string) self.failUnless(test_type in type_policy.types) for a in test_atts: self.failUnless(a in type_policy.attributes) self.failUnless(test_type in type_policy.attributes[a])
def testFromFileName(self): #using a special file, since the test_file has some lines which don't 'jive' clean_policy_file = 'policy_clean_test.conf' from_file_policy = SELinuxPolicy() from_file_policy.from_file_name(clean_policy_file) self.failUnless(from_file_policy.types == self.test_policy.types) self.failUnless( from_file_policy.attributes == self.test_policy.attributes) self.failUnless(from_file_policy.classes == self.test_policy.classes) self.failUnless( from_file_policy.common_classes == self.test_policy.common_classes) self.failUnless( from_file_policy.allow_rules == self.test_policy.allow_rules) self.failUnless(from_file_policy.neverallow_rules == self.test_policy.neverallow_rules)
def testProcessClassLine(self): class_policy = SELinuxPolicy() #offsets need changing if test file changes common_offset = 279 class_initial_offset = 212 class_perm_offset = 437 self.test_file.seek(common_offset, 0) line = self.test_file.readline() class_policy.process_common_line(line, self.test_file) self.test_file.seek(class_initial_offset, 0) line = self.test_file.readline() class_policy.process_class_line(line, self.test_file) self.failUnless('file' in class_policy.classes) self.test_file.seek(class_perm_offset, 0) line = self.test_file.readline() class_policy.process_class_line(line, self.test_file) self.failUnless(class_policy.classes['file'] == classes['file'])
def testProcessTypeattributeLine(self): typ_att_policy = SELinuxPolicy() test_normal_string = 'typeattribute TEST_type TEST_att1, TEST_att2;' test_type = 'TEST_type' test_atts = ['TEST_att1', 'TEST_att2'] #test with 'normal input' (type should already be declared) typ_att_policy.process_type_line('type ' + test_type + ';') typ_att_policy.process_typeattribute_line(test_normal_string) self.failUnless(test_type in typ_att_policy.types) for a in test_atts: self.failUnless(a in typ_att_policy.attributes) self.failUnless(test_type in typ_att_policy.attributes[a])
def testProcessAvcRuleLine(self): avc_policy = SELinuxPolicy() allow_offset = 26091 # needs changing if file changes neverallow_offset = 26311 # needs changing if file changes self.test_file.seek(allow_offset, 0) line = self.test_file.readline() avc_policy.process_avc_rule_line(line, self.test_file) self.failUnless( avc_policy.allow_rules[0] == allow_rules[0]) # always '0'? self.test_file.seek(neverallow_offset, 0) line = self.test_file.readline() avc_policy.process_avc_rule_line(line, self.test_file) self.failUnless(avc_policy.neverallow_rules[0] == neverallow_rules[0]) # always '0'?
from xml.etree.ElementTree import Element, SubElement, tostring from xml.dom import minidom import SELinux_CTS from SELinux_CTS import SELinuxPolicy usage = "Usage: ./gen_SELinux_CTS.py input_policy_file output_xml_avc_rules_file" if __name__ == "__main__": # check usage if len(sys.argv) != 3: print usage exit() input_file = sys.argv[1] output_file = sys.argv[2] policy = SELinuxPolicy() policy.from_file_name(input_file) #load data from file # expand rules into 4-tuples for SELinux.h checkAccess() check xml_root = Element('SELinux_AVC_Rules') count = 1 for a in policy.allow_rules: expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, a, str(count), 'allow') if len(expanded_xml): xml_root.append(expanded_xml) count += 1 count = 1 for n in policy.neverallow_rules: expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, n, str(count), 'neverallow') if len(expanded_xml): xml_root.append(expanded_xml)
class SELinuxPolicyTests(unittest.TestCase): def setUp(self): self.test_policy = SELinuxPolicy() self.test_file = open(policy_file_name, 'r') self.test_policy.types = types self.test_policy.attributes = attributes self.test_policy.common_classes = common_classes self.test_policy.classes = classes self.test_policy.allow_rules = allow_rules self.test_policy.neverallow_rules = neverallow_rules return def testExpandAvcRule(self): #TODO: add more examples here to cover different cases expanded_allow_list = SELinux_CTS.expand_avc_rule( self.test_policy, self.test_policy.allow_rules[0]) for a in expected_final_allow_list[0]: self.failUnless(a in expanded_allow_list) expanded_neverallow_list = SELinux_CTS.expand_avc_rule( self.test_policy, self.test_policy.neverallow_rules[0]) for n in expected_final_neverallow_list[0]: self.failUnless(n in expanded_neverallow_list) def testExpandBrackets(self): #test position without bracket: self.test_file.seek(279) self.failIf(SELinux_CTS.expand_brackets(self.test_file)) #test position with bracket: self.test_file.seek(26123) self.failUnless( SELinux_CTS.expand_brackets(self.test_file) == " entrypoint read execute ") #test position with nested brackets: self.test_file.seek(26873) self.failUnless( SELinux_CTS.expand_brackets(self.test_file) == " dir chr_file blk_file file lnk_file sock_file fifo_file ") def testGetAvcRuleComponent(self): #test against normal ('allow healthd healthd_exec:file ...) self.test_file.seek(26096) normal_src = {'flags': {'complement': False}, 'set': set(['healthd'])} normal_tgt = { 'flags': { 'complement': False }, 'set': set(['healthd_exec']) } normal_class = {'flags': {'complement': False}, 'set': set(['file'])} normal_perm = { 'flags': { 'complement': False }, 'set': set(['entrypoint', 'read', 'execute']) } self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == normal_src) self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == normal_tgt) c = SELinux_CTS.advance_past_whitespace(self.test_file) if c == ':': self.test_file.read(1) self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == normal_class) self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == normal_perm) #test against 'hard' ('init {fs_type ...' ) self.test_file.seek(26838) hard_src = {'flags': {'complement': False}, 'set': set(['init'])} hard_tgt = { 'flags': { 'complement': False }, 'set': set(['fs_type', 'dev_type', 'file_type']) } hard_class = { 'flags': { 'complement': False }, 'set': set([ 'dir', 'chr_file', 'blk_file', 'file', 'lnk_file', 'sock_file', 'fifo_file' ]) } hard_perm = {'flags': {'complement': False}, 'set': set(['relabelto'])} self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == hard_src) self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == hard_tgt) #mimic ':' check: c = SELinux_CTS.advance_past_whitespace(self.test_file) if c == ':': self.test_file.read(1) self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == hard_class) self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == hard_perm) #test against 'multi-line' ('init {fs_type ...' ) self.test_file.seek(26967) multi_src = { 'flags': { 'complement': False }, 'set': set(['appdomain', '-unconfineddomain']) } multi_tgt = { 'flags': { 'complement': False }, 'set': set([ 'audio_device', 'camera_device', 'dm_device', 'radio_device', 'gps_device', 'rpmsg_device' ]) } multi_class = { 'flags': { 'complement': False }, 'set': set(['chr_file']) } multi_perm = { 'flags': { 'complement': False }, 'set': set(['read', 'write']) } self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == multi_src) self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == multi_tgt) c = SELinux_CTS.advance_past_whitespace(self.test_file) if c == ':': self.test_file.read(1) self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == multi_class) self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == multi_perm) #test against 'complement' self.test_file.seek(26806) complement = { 'flags': { 'complement': True }, 'set': set(['entrypoint', 'relabelto']) } self.failUnless( SELinux_CTS.get_avc_rule_component(self.test_file) == complement) def testGetLineType(self): self.failUnless( SELinux_CTS.get_line_type('type bluetooth, domain;') == SELinux_CTS.TYPE) self.failUnless( SELinux_CTS.get_line_type('attribute unconfineddomain;') == SELinux_CTS.ATTRIBUTE) self.failUnless( SELinux_CTS.get_line_type('typeattribute bluetooth appdomain;') == SELinux_CTS.TYPEATTRIBUTE) self.failUnless( SELinux_CTS.get_line_type('class file') == SELinux_CTS.CLASS) self.failUnless( SELinux_CTS.get_line_type('common file') == SELinux_CTS.COMMON) self.failUnless( SELinux_CTS.get_line_type( 'allow healthd healthd_exec:file { entrypoint read execute };') == SELinux_CTS.ALLOW_RULE) self.failUnless( SELinux_CTS.get_line_type( 'neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;' ) == SELinux_CTS.NEVERALLOW_RULE) self.failUnless( SELinux_CTS.get_line_type('# FLASK') == SELinux_CTS.OTHER) def testIsMultiLine(self): self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPE)) self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.ATTRIBUTE)) self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPEATTRIBUTE)) self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.CLASS)) self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.COMMON)) self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.ALLOW_RULE)) self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.NEVERALLOW_RULE)) self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.OTHER)) def testProcessInheritsSegment(self): inherit_offset = 448 # needs changing if file changes self.test_file.seek(inherit_offset, 0) inherit_result = SELinux_CTS.process_inherits_segment(self.test_file) self.failUnless(inherit_result == 'file') return def testFromFileName(self): #using a special file, since the test_file has some lines which don't 'jive' clean_policy_file = 'policy_clean_test.conf' from_file_policy = SELinuxPolicy() from_file_policy.from_file_name(clean_policy_file) self.failUnless(from_file_policy.types == self.test_policy.types) self.failUnless( from_file_policy.attributes == self.test_policy.attributes) self.failUnless(from_file_policy.classes == self.test_policy.classes) self.failUnless( from_file_policy.common_classes == self.test_policy.common_classes) self.failUnless( from_file_policy.allow_rules == self.test_policy.allow_rules) self.failUnless(from_file_policy.neverallow_rules == self.test_policy.neverallow_rules) def testExpandPermissions(self): #test general case test_class_obj = 'file' general_set = set(['read', 'write', 'execute']) expanded_general_set = general_set self.failUnless( self.test_policy.expand_permissions(test_class_obj, general_set) == general_set) star_set = set(['*']) expanded_star_set = self.test_policy.classes[ 'file'] #everything in the class self.failUnless( self.test_policy.expand_permissions(test_class_obj, star_set) == expanded_star_set) complement_set = set(['*', '-open']) expanded_complement_set = self.test_policy.classes['file'] - set( ['open']) self.failUnless( self.test_policy.expand_permissions(test_class_obj, complement_set) == expanded_complement_set) def testExpandTypes(self): #test general case and '-' handling test_source_set = set(['domain', '-bluetooth']) expanded_test_source_set = set(['healthd', 'testTYPE']) self.failUnless( self.test_policy.expand_types(test_source_set) == expanded_test_source_set) #test '*' handling test_source_set = set(['*']) expanded_test_source_set = set(['bluetooth', 'healthd', 'testTYPE']) self.failUnless( self.test_policy.expand_types(test_source_set) == types) #test - handling test_source_set = set(['*', '-bluetooth']) expanded_test_source_set = set(['healthd', 'healthd_exec', 'testTYPE']) self.failUnless( self.test_policy.expand_types(test_source_set) == expanded_test_source_set) def testProcessAttributeLine(self): attribute_policy = SELinuxPolicy() #test with 'normal input' test_normal_string = 'attribute TEST_att;' test_attribute = 'TEST_att' attribute_policy.process_attribute_line(test_normal_string) self.failUnless(test_attribute in attribute_policy.attributes) #TODO: test on bogus inputs def testProcessClassLine(self): class_policy = SELinuxPolicy() #offsets need changing if test file changes common_offset = 279 class_initial_offset = 212 class_perm_offset = 437 self.test_file.seek(common_offset, 0) line = self.test_file.readline() class_policy.process_common_line(line, self.test_file) self.test_file.seek(class_initial_offset, 0) line = self.test_file.readline() class_policy.process_class_line(line, self.test_file) self.failUnless('file' in class_policy.classes) self.test_file.seek(class_perm_offset, 0) line = self.test_file.readline() class_policy.process_class_line(line, self.test_file) self.failUnless(class_policy.classes['file'] == classes['file']) def testProcessCommonLine(self): common_policy = SELinuxPolicy() common_offset = 279 # needs changing if file changes self.test_file.seek(common_offset, 0) line = self.test_file.readline() common_policy.process_common_line(line, self.test_file) self.failUnless('file' in common_policy.common_classes) self.failUnless( common_policy.common_classes['file'] == common_classes['file']) def testProcessAvcRuleLine(self): avc_policy = SELinuxPolicy() allow_offset = 26091 # needs changing if file changes neverallow_offset = 26311 # needs changing if file changes self.test_file.seek(allow_offset, 0) line = self.test_file.readline() avc_policy.process_avc_rule_line(line, self.test_file) self.failUnless( avc_policy.allow_rules[0] == allow_rules[0]) # always '0'? self.test_file.seek(neverallow_offset, 0) line = self.test_file.readline() avc_policy.process_avc_rule_line(line, self.test_file) self.failUnless(avc_policy.neverallow_rules[0] == neverallow_rules[0]) # always '0'? def testProcessTypeLine(self): type_policy = SELinuxPolicy() test_normal_string = 'type TEST_type, TEST_att1, TEST_att2;' test_type = 'TEST_type' test_atts = ['TEST_att1', 'TEST_att2'] #test with 'normal input' type_policy.process_type_line(test_normal_string) self.failUnless(test_type in type_policy.types) for a in test_atts: self.failUnless(a in type_policy.attributes) self.failUnless(test_type in type_policy.attributes[a]) #TODO: test with domain only, no attributes # and test on bogus inputs def testProcessTypeattributeLine(self): typ_att_policy = SELinuxPolicy() test_normal_string = 'typeattribute TEST_type TEST_att1, TEST_att2;' test_type = 'TEST_type' test_atts = ['TEST_att1', 'TEST_att2'] #test with 'normal input' (type should already be declared) typ_att_policy.process_type_line('type ' + test_type + ';') typ_att_policy.process_typeattribute_line(test_normal_string) self.failUnless(test_type in typ_att_policy.types) for a in test_atts: self.failUnless(a in typ_att_policy.attributes) self.failUnless(test_type in typ_att_policy.attributes[a])
from xml.etree.ElementTree import Element, SubElement, tostring from xml.dom import minidom import SELinux_CTS from SELinux_CTS import SELinuxPolicy usage = "Usage: ./gen_SELinux_CTS.py input_policy_file output_xml_avc_rules_file" if __name__ == "__main__": # check usage if len(sys.argv) != 3: print usage exit() input_file = sys.argv[1] output_file = sys.argv[2] policy = SELinuxPolicy() policy.from_file_name(input_file) #load data from file # expand rules into 4-tuples for SELinux.h checkAccess() check xml_root = Element('SELinux_AVC_Rules') count = 1 for a in policy.allow_rules: expanded_xml = SELinux_CTS.expand_avc_rule_to_xml( policy, a, str(count), 'allow') if len(expanded_xml): xml_root.append(expanded_xml) count += 1 count = 1 for n in policy.neverallow_rules: expanded_xml = SELinux_CTS.expand_avc_rule_to_xml( policy, n, str(count), 'neverallow')