def testProcessAttributeLine(self):
attribute_policy = SELinuxPolicy()
#test with 'normal input'
test_normal_string = 'attribute TEST_att;'
test_attribute = 'TEST_att'
attribute_policy.process_attribute_line(test_normal_string)
self.failUnless(test_attribute in attribute_policy.attributes)
def testProcessCommonLine(self):
common_policy = SELinuxPolicy()
common_offset = 279 # needs changing if file changes
self.test_file.seek(common_offset, 0)
line = self.test_file.readline()
common_policy.process_common_line(line, self.test_file)
self.failUnless('file' in common_policy.common_classes)
self.failUnless(
common_policy.common_classes['file'] == common_classes['file'])
def setUp(self):
self.test_policy = SELinuxPolicy()
self.test_file = open(policy_file_name, 'r')
self.test_policy.types = types
self.test_policy.attributes = attributes
self.test_policy.common_classes = common_classes
self.test_policy.classes = classes
self.test_policy.allow_rules = allow_rules
self.test_policy.neverallow_rules = neverallow_rules
return
def testProcessTypeLine(self):
type_policy = SELinuxPolicy()
test_normal_string = 'type TEST_type, TEST_att1, TEST_att2;'
test_type = 'TEST_type'
test_atts = ['TEST_att1', 'TEST_att2']
#test with 'normal input'
type_policy.process_type_line(test_normal_string)
self.failUnless(test_type in type_policy.types)
for a in test_atts:
self.failUnless(a in type_policy.attributes)
self.failUnless(test_type in type_policy.attributes[a])
def testFromFileName(self):
#using a special file, since the test_file has some lines which don't 'jive'
clean_policy_file = 'policy_clean_test.conf'
from_file_policy = SELinuxPolicy()
from_file_policy.from_file_name(clean_policy_file)
self.failUnless(from_file_policy.types == self.test_policy.types)
self.failUnless(
from_file_policy.attributes == self.test_policy.attributes)
self.failUnless(from_file_policy.classes == self.test_policy.classes)
self.failUnless(
from_file_policy.common_classes == self.test_policy.common_classes)
self.failUnless(
from_file_policy.allow_rules == self.test_policy.allow_rules)
self.failUnless(from_file_policy.neverallow_rules ==
self.test_policy.neverallow_rules)
def testProcessClassLine(self):
class_policy = SELinuxPolicy()
#offsets need changing if test file changes
common_offset = 279
class_initial_offset = 212
class_perm_offset = 437
self.test_file.seek(common_offset, 0)
line = self.test_file.readline()
class_policy.process_common_line(line, self.test_file)
self.test_file.seek(class_initial_offset, 0)
line = self.test_file.readline()
class_policy.process_class_line(line, self.test_file)
self.failUnless('file' in class_policy.classes)
self.test_file.seek(class_perm_offset, 0)
line = self.test_file.readline()
class_policy.process_class_line(line, self.test_file)
self.failUnless(class_policy.classes['file'] == classes['file'])
def testProcessTypeattributeLine(self):
typ_att_policy = SELinuxPolicy()
test_normal_string = 'typeattribute TEST_type TEST_att1, TEST_att2;'
test_type = 'TEST_type'
test_atts = ['TEST_att1', 'TEST_att2']
#test with 'normal input' (type should already be declared)
typ_att_policy.process_type_line('type ' + test_type + ';')
typ_att_policy.process_typeattribute_line(test_normal_string)
self.failUnless(test_type in typ_att_policy.types)
for a in test_atts:
self.failUnless(a in typ_att_policy.attributes)
self.failUnless(test_type in typ_att_policy.attributes[a])
def testProcessAvcRuleLine(self):
avc_policy = SELinuxPolicy()
allow_offset = 26091 # needs changing if file changes
neverallow_offset = 26311 # needs changing if file changes
self.test_file.seek(allow_offset, 0)
line = self.test_file.readline()
avc_policy.process_avc_rule_line(line, self.test_file)
self.failUnless(
avc_policy.allow_rules[0] == allow_rules[0]) # always '0'?
self.test_file.seek(neverallow_offset, 0)
line = self.test_file.readline()
avc_policy.process_avc_rule_line(line, self.test_file)
self.failUnless(avc_policy.neverallow_rules[0] ==
neverallow_rules[0]) # always '0'?
from xml.etree.ElementTree import Element, SubElement, tostring
from xml.dom import minidom
import SELinux_CTS
from SELinux_CTS import SELinuxPolicy
usage = "Usage: ./gen_SELinux_CTS.py input_policy_file output_xml_avc_rules_file"
if __name__ == "__main__":
# check usage
if len(sys.argv) != 3:
print usage
exit()
input_file = sys.argv[1]
output_file = sys.argv[2]
policy = SELinuxPolicy()
policy.from_file_name(input_file) #load data from file
# expand rules into 4-tuples for SELinux.h checkAccess() check
xml_root = Element('SELinux_AVC_Rules')
count = 1
for a in policy.allow_rules:
expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, a, str(count), 'allow')
if len(expanded_xml):
xml_root.append(expanded_xml)
count += 1
count = 1
for n in policy.neverallow_rules:
expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(policy, n, str(count), 'neverallow')
if len(expanded_xml):
xml_root.append(expanded_xml)
class SELinuxPolicyTests(unittest.TestCase):
def setUp(self):
self.test_policy = SELinuxPolicy()
self.test_file = open(policy_file_name, 'r')
self.test_policy.types = types
self.test_policy.attributes = attributes
self.test_policy.common_classes = common_classes
self.test_policy.classes = classes
self.test_policy.allow_rules = allow_rules
self.test_policy.neverallow_rules = neverallow_rules
return
def testExpandAvcRule(self):
#TODO: add more examples here to cover different cases
expanded_allow_list = SELinux_CTS.expand_avc_rule(
self.test_policy, self.test_policy.allow_rules[0])
for a in expected_final_allow_list[0]:
self.failUnless(a in expanded_allow_list)
expanded_neverallow_list = SELinux_CTS.expand_avc_rule(
self.test_policy, self.test_policy.neverallow_rules[0])
for n in expected_final_neverallow_list[0]:
self.failUnless(n in expanded_neverallow_list)
def testExpandBrackets(self):
#test position without bracket:
self.test_file.seek(279)
self.failIf(SELinux_CTS.expand_brackets(self.test_file))
#test position with bracket:
self.test_file.seek(26123)
self.failUnless(
SELinux_CTS.expand_brackets(self.test_file) ==
" entrypoint read execute ")
#test position with nested brackets:
self.test_file.seek(26873)
self.failUnless(
SELinux_CTS.expand_brackets(self.test_file) ==
" dir chr_file blk_file file lnk_file sock_file fifo_file ")
def testGetAvcRuleComponent(self):
#test against normal ('allow healthd healthd_exec:file ...)
self.test_file.seek(26096)
normal_src = {'flags': {'complement': False}, 'set': set(['healthd'])}
normal_tgt = {
'flags': {
'complement': False
},
'set': set(['healthd_exec'])
}
normal_class = {'flags': {'complement': False}, 'set': set(['file'])}
normal_perm = {
'flags': {
'complement': False
},
'set': set(['entrypoint', 'read', 'execute'])
}
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == normal_src)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == normal_tgt)
c = SELinux_CTS.advance_past_whitespace(self.test_file)
if c == ':':
self.test_file.read(1)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == normal_class)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == normal_perm)
#test against 'hard' ('init {fs_type ...' )
self.test_file.seek(26838)
hard_src = {'flags': {'complement': False}, 'set': set(['init'])}
hard_tgt = {
'flags': {
'complement': False
},
'set': set(['fs_type', 'dev_type', 'file_type'])
}
hard_class = {
'flags': {
'complement': False
},
'set':
set([
'dir', 'chr_file', 'blk_file', 'file', 'lnk_file', 'sock_file',
'fifo_file'
])
}
hard_perm = {'flags': {'complement': False}, 'set': set(['relabelto'])}
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == hard_src)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == hard_tgt)
#mimic ':' check:
c = SELinux_CTS.advance_past_whitespace(self.test_file)
if c == ':':
self.test_file.read(1)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == hard_class)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == hard_perm)
#test against 'multi-line' ('init {fs_type ...' )
self.test_file.seek(26967)
multi_src = {
'flags': {
'complement': False
},
'set': set(['appdomain', '-unconfineddomain'])
}
multi_tgt = {
'flags': {
'complement': False
},
'set':
set([
'audio_device', 'camera_device', 'dm_device', 'radio_device',
'gps_device', 'rpmsg_device'
])
}
multi_class = {
'flags': {
'complement': False
},
'set': set(['chr_file'])
}
multi_perm = {
'flags': {
'complement': False
},
'set': set(['read', 'write'])
}
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == multi_src)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == multi_tgt)
c = SELinux_CTS.advance_past_whitespace(self.test_file)
if c == ':':
self.test_file.read(1)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == multi_class)
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == multi_perm)
#test against 'complement'
self.test_file.seek(26806)
complement = {
'flags': {
'complement': True
},
'set': set(['entrypoint', 'relabelto'])
}
self.failUnless(
SELinux_CTS.get_avc_rule_component(self.test_file) == complement)
def testGetLineType(self):
self.failUnless(
SELinux_CTS.get_line_type('type bluetooth, domain;') ==
SELinux_CTS.TYPE)
self.failUnless(
SELinux_CTS.get_line_type('attribute unconfineddomain;') ==
SELinux_CTS.ATTRIBUTE)
self.failUnless(
SELinux_CTS.get_line_type('typeattribute bluetooth appdomain;') ==
SELinux_CTS.TYPEATTRIBUTE)
self.failUnless(
SELinux_CTS.get_line_type('class file') == SELinux_CTS.CLASS)
self.failUnless(
SELinux_CTS.get_line_type('common file') == SELinux_CTS.COMMON)
self.failUnless(
SELinux_CTS.get_line_type(
'allow healthd healthd_exec:file { entrypoint read execute };')
== SELinux_CTS.ALLOW_RULE)
self.failUnless(
SELinux_CTS.get_line_type(
'neverallow { appdomain -unconfineddomain -bluetooth } self:capability *;'
) == SELinux_CTS.NEVERALLOW_RULE)
self.failUnless(
SELinux_CTS.get_line_type('# FLASK') == SELinux_CTS.OTHER)
def testIsMultiLine(self):
self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPE))
self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.ATTRIBUTE))
self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.TYPEATTRIBUTE))
self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.CLASS))
self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.COMMON))
self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.ALLOW_RULE))
self.failUnless(SELinux_CTS.is_multi_line(SELinux_CTS.NEVERALLOW_RULE))
self.failIf(SELinux_CTS.is_multi_line(SELinux_CTS.OTHER))
def testProcessInheritsSegment(self):
inherit_offset = 448 # needs changing if file changes
self.test_file.seek(inherit_offset, 0)
inherit_result = SELinux_CTS.process_inherits_segment(self.test_file)
self.failUnless(inherit_result == 'file')
return
def testFromFileName(self):
#using a special file, since the test_file has some lines which don't 'jive'
clean_policy_file = 'policy_clean_test.conf'
from_file_policy = SELinuxPolicy()
from_file_policy.from_file_name(clean_policy_file)
self.failUnless(from_file_policy.types == self.test_policy.types)
self.failUnless(
from_file_policy.attributes == self.test_policy.attributes)
self.failUnless(from_file_policy.classes == self.test_policy.classes)
self.failUnless(
from_file_policy.common_classes == self.test_policy.common_classes)
self.failUnless(
from_file_policy.allow_rules == self.test_policy.allow_rules)
self.failUnless(from_file_policy.neverallow_rules ==
self.test_policy.neverallow_rules)
def testExpandPermissions(self):
#test general case
test_class_obj = 'file'
general_set = set(['read', 'write', 'execute'])
expanded_general_set = general_set
self.failUnless(
self.test_policy.expand_permissions(test_class_obj, general_set) ==
general_set)
star_set = set(['*'])
expanded_star_set = self.test_policy.classes[
'file'] #everything in the class
self.failUnless(
self.test_policy.expand_permissions(test_class_obj, star_set) ==
expanded_star_set)
complement_set = set(['*', '-open'])
expanded_complement_set = self.test_policy.classes['file'] - set(
['open'])
self.failUnless(
self.test_policy.expand_permissions(test_class_obj, complement_set)
== expanded_complement_set)
def testExpandTypes(self):
#test general case and '-' handling
test_source_set = set(['domain', '-bluetooth'])
expanded_test_source_set = set(['healthd', 'testTYPE'])
self.failUnless(
self.test_policy.expand_types(test_source_set) ==
expanded_test_source_set)
#test '*' handling
test_source_set = set(['*'])
expanded_test_source_set = set(['bluetooth', 'healthd', 'testTYPE'])
self.failUnless(
self.test_policy.expand_types(test_source_set) == types)
#test - handling
test_source_set = set(['*', '-bluetooth'])
expanded_test_source_set = set(['healthd', 'healthd_exec', 'testTYPE'])
self.failUnless(
self.test_policy.expand_types(test_source_set) ==
expanded_test_source_set)
def testProcessAttributeLine(self):
attribute_policy = SELinuxPolicy()
#test with 'normal input'
test_normal_string = 'attribute TEST_att;'
test_attribute = 'TEST_att'
attribute_policy.process_attribute_line(test_normal_string)
self.failUnless(test_attribute in attribute_policy.attributes)
#TODO: test on bogus inputs
def testProcessClassLine(self):
class_policy = SELinuxPolicy()
#offsets need changing if test file changes
common_offset = 279
class_initial_offset = 212
class_perm_offset = 437
self.test_file.seek(common_offset, 0)
line = self.test_file.readline()
class_policy.process_common_line(line, self.test_file)
self.test_file.seek(class_initial_offset, 0)
line = self.test_file.readline()
class_policy.process_class_line(line, self.test_file)
self.failUnless('file' in class_policy.classes)
self.test_file.seek(class_perm_offset, 0)
line = self.test_file.readline()
class_policy.process_class_line(line, self.test_file)
self.failUnless(class_policy.classes['file'] == classes['file'])
def testProcessCommonLine(self):
common_policy = SELinuxPolicy()
common_offset = 279 # needs changing if file changes
self.test_file.seek(common_offset, 0)
line = self.test_file.readline()
common_policy.process_common_line(line, self.test_file)
self.failUnless('file' in common_policy.common_classes)
self.failUnless(
common_policy.common_classes['file'] == common_classes['file'])
def testProcessAvcRuleLine(self):
avc_policy = SELinuxPolicy()
allow_offset = 26091 # needs changing if file changes
neverallow_offset = 26311 # needs changing if file changes
self.test_file.seek(allow_offset, 0)
line = self.test_file.readline()
avc_policy.process_avc_rule_line(line, self.test_file)
self.failUnless(
avc_policy.allow_rules[0] == allow_rules[0]) # always '0'?
self.test_file.seek(neverallow_offset, 0)
line = self.test_file.readline()
avc_policy.process_avc_rule_line(line, self.test_file)
self.failUnless(avc_policy.neverallow_rules[0] ==
neverallow_rules[0]) # always '0'?
def testProcessTypeLine(self):
type_policy = SELinuxPolicy()
test_normal_string = 'type TEST_type, TEST_att1, TEST_att2;'
test_type = 'TEST_type'
test_atts = ['TEST_att1', 'TEST_att2']
#test with 'normal input'
type_policy.process_type_line(test_normal_string)
self.failUnless(test_type in type_policy.types)
for a in test_atts:
self.failUnless(a in type_policy.attributes)
self.failUnless(test_type in type_policy.attributes[a])
#TODO: test with domain only, no attributes
# and test on bogus inputs
def testProcessTypeattributeLine(self):
typ_att_policy = SELinuxPolicy()
test_normal_string = 'typeattribute TEST_type TEST_att1, TEST_att2;'
test_type = 'TEST_type'
test_atts = ['TEST_att1', 'TEST_att2']
#test with 'normal input' (type should already be declared)
typ_att_policy.process_type_line('type ' + test_type + ';')
typ_att_policy.process_typeattribute_line(test_normal_string)
self.failUnless(test_type in typ_att_policy.types)
for a in test_atts:
self.failUnless(a in typ_att_policy.attributes)
self.failUnless(test_type in typ_att_policy.attributes[a])
from xml.etree.ElementTree import Element, SubElement, tostring
from xml.dom import minidom
import SELinux_CTS
from SELinux_CTS import SELinuxPolicy
usage = "Usage: ./gen_SELinux_CTS.py input_policy_file output_xml_avc_rules_file"
if __name__ == "__main__":
# check usage
if len(sys.argv) != 3:
print usage
exit()
input_file = sys.argv[1]
output_file = sys.argv[2]
policy = SELinuxPolicy()
policy.from_file_name(input_file) #load data from file
# expand rules into 4-tuples for SELinux.h checkAccess() check
xml_root = Element('SELinux_AVC_Rules')
count = 1
for a in policy.allow_rules:
expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(
policy, a, str(count), 'allow')
if len(expanded_xml):
xml_root.append(expanded_xml)
count += 1
count = 1
for n in policy.neverallow_rules:
expanded_xml = SELinux_CTS.expand_avc_rule_to_xml(
policy, n, str(count), 'neverallow')
