[PATCH 0/4] Fix the selinux-testsuite for RHEL5,6,7 and Rawhide

[PATCH 0/4] Fix the selinux-testsuite for RHEL5,6,7 and Rawhide

[Paul Moore]

This patchset allows the SELinux testsuite to run on current versions
of RHEL5, RHEL6, RHEL7, and Fedora Rawhide.  RHEL4 should also work,
but I don't have a RHEL4 system handy to test.

Patches for other SELinux distributions are welcome.

---

Paul Moore (3):
      selinux-testsuite: add improved OS detection
      selinux-testsuite: allow the file test to work with all coreutils versions
      selinux-testsuite: enable task_setscheduler to work with cgroups

Stephen Smalley (1):
      selinux-testsuite: allow unconfined_t entrypoint to test_nnp_bounded_exec_t

[PATCH 1/4] selinux-testsuite: add improved OS detection

[Paul Moore]

Add a script which will handle OS/distribution detection.  The initial
version of the script is very basic, handling only different RHEL
versions, but it is easily expanded as needed.

Signed-off-by: Paul Moore <pmoore@redhat.com>
---
 0 files changed

diff --git a/tests/Makefile b/tests/Makefile
index 7c27787..e9d4646 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -1,19 +1,18 @@
-RHEL_VER=$(shell cat /etc/redhat-release)
-RHEL_VER_PREFIX=Red Hat Enterprise Linux Server release 
+DISTRO=$(shell ./os_detect)
 
 SUBDIRS_COMMON:=domain_trans entrypoint execshare exectrace execute_no_trans fdreceive inherit link mkdir msg open ptrace readlink relabel rename rxdir sem setattr setnice shm sigkill stat sysctl task_create task_setnice task_setscheduler task_getscheduler task_getsid task_getpgid task_setpgid wait file ioctl capable_file capable_net capable_sys
 
 SUBDIRS:= $(SUBDIRS_COMMON) dyntrans dyntrace bounds nnp
 
-ifeq ($(RHEL_VER_PREFIX)4, $(findstring $(RHEL_VER_PREFIX)4, $(RHEL_VER)))
+ifeq ($(DISTRO),RHEL4)
     SUBDIRS:=$(SUBDIRS_COMMON)
 endif
 
-ifeq ($(RHEL_VER_PREFIX)5, $(findstring $(RHEL_VER_PREFIX)5, $(RHEL_VER)))
+ifeq ($(DISTRO),RHEL5)
     SUBDIRS:=$(SUBDIRS_COMMON) dyntrace dyntrans
 endif
 
-ifeq ($(RHEL_VER_PREFIX)6, $(findstring $(RHEL_VER_PREFIX)6, $(RHEL_VER)))
+ifeq ($(DISTRO),RHEL6)
     SUBDIRS:=$(SUBDIRS_COMMON) dyntrace dyntrans bounds
 endif
 
diff --git a/tests/os_detect b/tests/os_detect
new file mode 100755
index 0000000..cddcb85
--- /dev/null
+++ b/tests/os_detect
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [[ -r /etc/redhat-release ]]; then
+	ver=$(cat /etc/redhat-release | sed -ne '/^Red Hat Enterprise Linux/p')
+	if [[ -n $ver ]]; then
+		echo "$ver" | \
+			sed -e 's/Red Hat Enterprise Linux[ \ta-zA-Z]*\([0-9]\+\).*/RHEL\1/'
+	fi
+fi

[PATCH 2/4] selinux-testsuite: allow the file test to work with all coreutils versions

[Paul Moore]

Prior to coreutils v8.23 the 'ls -Z' output looked like the following:

  # /bin/ls -Z test
  -rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 test

However, with the coreutils v8.23 release the output changed to:

  # /bin/ls -Z test
  system_u:object_r:test_file_t:s0 test

This patch attempts to detect the version of /bin/ls in use and adjusts
accordingly.

Signed-off-by: Paul Moore <pmoore@redhat.com>
---
 0 files changed

diff --git a/tests/file/test b/tests/file/test
index e6ed44d..e52744f 100755
--- a/tests/file/test
+++ b/tests/file/test
@@ -47,7 +47,11 @@ system "chcon -t fileop_exec_t $basedir/wait_io 2>&1 > /dev/null";
 #
 $output = `ls -Z $basedir/temp_file`;
 @arr = split(' ', $output);
-$good_file_sid = $arr[3];
+if (index($arr[0], ":") != -1) {
+	$good_file_sid = $arr[0]
+} else {
+	$good_file_sid = $arr[3]
+}
 
 #
 # Attempt to access a restricted file as the 'good' domain.  The first test

[PATCH 3/4] selinux-testsuite: enable task_setscheduler to work with cgroups

[Paul Moore]

On recent systemd based distributions, systemd manages cgroups
automatically and we may be running in a cgroup by default.
Unfortunately, this can cause problems when trying to set the
scheduler policy so we need to move the target process to the root
cgroup (no scheduler policy restrictions in the root cgroup) before
we attempt to change the scheduler settings.

Signed-off-by: Paul Moore <pmoore@redhat.com>
---
 0 files changed

diff --git a/tests/task_setscheduler/test b/tests/task_setscheduler/test
index f1b71eb..f63db07 100755
--- a/tests/task_setscheduler/test
+++ b/tests/task_setscheduler/test
@@ -12,6 +12,15 @@ if ( ($pid = fork()) == 0 ) {
 
 sleep 1; # Give it a second to start
 
+$cgroup_cpu = "/sys/fs/cgroup/cpu/tasks";
+if ( -w $cgroup_cpu ) {
+	# We can only set the scheduler policy fo SCHED_{RR,FIFO} in the root
+	# cgroup so move our target process to the root cgroup.
+	open(my $fd, ">>", $cgroup_cpu);
+	print $fd $pid;
+	close $fd;
+}
+
 # Verify that test_setsched_yes_t can change the scheduling.
 # SCHED_OTHER	0	priority must == 0
 # SCHED_FIFO	1	priority 1..99

[PATCH 4/4] selinux-testsuite: allow unconfined_t entrypoint to test_nnp_bounded_exec_t

[Paul Moore]

From: Stephen Smalley <sds@tycho.nsa.gov>

A necessary fix for recent systems running the NNP tests from the
unconfined_t domain.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: tweaked the subject line and added a brief description]
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
 0 files changed

diff --git a/policy/test_nnp.te b/policy/test_nnp.te
index 69cd714..54ebfd3 100644
--- a/policy/test_nnp.te
+++ b/policy/test_nnp.te
@@ -13,6 +13,7 @@ typebounds unconfined_t test_nnp_bounded_t;
 type test_nnp_bounded_exec_t;
 files_type(test_nnp_bounded_exec_t)
 domain_entry_file(test_nnp_bounded_t, test_nnp_bounded_exec_t)
+domain_entry_file(unconfined_t, test_nnp_bounded_exec_t)
 
 # Run it!  This should succeed on v3.18 or later, fail on older kernels.
 unconfined_runs_test(test_nnp_bounded_t)