systemd/test/units/TEST-06-SELINUX.sh

#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
set -eux
set -o pipefail

. /etc/os-release
if ! [[ "$ID" =~ centos|fedora ]]; then
    echo "Skipping because only CentOS and Fedora support SELinux tests" >>/skipped
    exit 77
fi

# Note: ATTOW the following checks should work with both Fedora and upstream reference policy
#       (with or without MCS/MLS)

sestatus

# We should end up in permissive mode
[[ "$(getenforce)" == "Permissive" ]]

# Check PID 1's context
PID1_CONTEXT="$(ps -h -o label 1)"
[[ "$PID1_CONTEXT" =~ ^system_u:system_r:init_t(:s0)?$ ]]
# The same label should be attached to all PID 1's journal messages
journalctl -q -b -p info -n 5 --grep . _SELINUX_CONTEXT="$PID1_CONTEXT"

# Check context on a couple of arbitrarily-selected files/directories
[[ "$(stat --printf %C /run/systemd/journal/)" =~ ^system_u:object_r:(syslogd_runtime_t|syslogd_var_run_t)(:s0)?$ ]]
[[ "$(stat --printf %C /run/systemd/notify)" =~ ^system_u:object_r:(init_runtime_t|init_var_run_t)(:s0)?$ ]]
[[ "$(stat --printf %C /run/systemd/sessions/)" =~ ^system_u:object_r:(systemd_sessions_runtime_t|systemd_logind_sessions_t)(:s0)?$ ]]

# Check if our SELinux-related functionality works
#
# Since the SELinux policies vary wildly, use a context from some existing file
# as our test context
CONTEXT="$(stat -c %C /proc/sys/kernel/core_pattern)"

[[ "$(systemd-run --wait --pipe -p SELinuxContext="$CONTEXT" cat /proc/self/attr/current | tr -d '\0')" == "$CONTEXT" ]]
(! systemd-run --wait --pipe -p SELinuxContext="foo:bar:baz" cat /proc/self/attr/current)
(! systemd-run --wait --pipe -p ConditionSecurity='selinux' false)
systemd-run --wait --pipe -p ConditionSecurity='!selinux' false

NSPAWN_ARGS=(systemd-nspawn -q --volatile=yes --directory=/ --bind-ro=/etc --inaccessible=/etc/machine-id)
[[ "$("${NSPAWN_ARGS[@]}" cat /proc/self/attr/current | tr -d '\0')" != "$CONTEXT" ]]
[[ "$("${NSPAWN_ARGS[@]}" --selinux-context="$CONTEXT" cat /proc/self/attr/current | tr -d '\0')" == "$CONTEXT" ]]
[[ "$("${NSPAWN_ARGS[@]}" stat --printf %C /run)" != "$CONTEXT" ]]
[[ "$("${NSPAWN_ARGS[@]}" --selinux-apifs-context="$CONTEXT" stat --printf %C /run)" == "$CONTEXT" ]]
[[ "$("${NSPAWN_ARGS[@]}" --selinux-apifs-context="$CONTEXT" --tmpfs=/tmp stat --printf %C /tmp)" == "$CONTEXT" ]]

touch /testok
treewide: more portable bash shebangs As in 2a5fcfae024ffc370bb780572279f45a1da3f946 and in 3e67e5c9928f8b1e1c5a63def88d53ed1fed12eb using /usr/bin/env allows bash to be looked up in PATH rather than being hard-coded. As with the previous changes the same arguments apply - distributions have scripts to rewrite shebangs on installation and they know what locations to rely on. - For tests/compilation we should rather rely on the user to have setup there PATH correctly. In particular this makes testing from git easier on NixOS where do not provide /bin/bash to improve compose-ability. 2020-03-04 09:35:06 +00:00			`#!/usr/bin/env bash`
tests: add spdx headers to scripts and Makefiles 2021-10-17 18:13:06 +02:00			`# SPDX-License-Identifier: LGPL-2.1-or-later`
test: use set -eux and set -o pipefail everywhere This should make the scripts more robust. 2021-04-09 19:39:41 +02:00			`set -eux`
tests: add test-selinux-checks 2016-01-31 09:01:43 +00:00			`set -o pipefail`

test: Skip TEST-06-SELINUX early if not on fedora/centos Other distributions may be able to install selinux but they are not expected to use it. The distribution is tested rather than whether selinux is enabled because it is expected to work on CentOS and Fedora and we want it to fail noisily. 2024-04-30 18:02:51 +01:00			`. /etc/os-release`
			`if ! [[ "$ID" =~ centos\|fedora ]]; then`
			`echo "Skipping because only CentOS and Fedora support SELinux tests" >>/skipped`
			`exit 77`
			`fi`

test: make TEST-06-SELINUX work with the refpolicy and beef it up a bit Currently the test works only with policy shipped by Fedora, which makes it pretty much useless in most of our CIs. Let's drop the custom module and make the test more generic, so it works with the refpolicy as well, which should allow us to run it on Arch and probably even in Ubuntu CI. 2023-11-14 12:53:51 +01:00			`# Note: ATTOW the following checks should work with both Fedora and upstream reference policy`
			`# (with or without MCS/MLS)`

			`sestatus`

			`# We should end up in permissive mode`
			`[[ "$(getenforce)" == "Permissive" ]]`

			`# Check PID 1's context`
			`PID1_CONTEXT="$(ps -h -o label 1)"`
			`[[ "$PID1_CONTEXT" =~ ^system_u:system_r:init_t(:s0)?$ ]]`
			`# The same label should be attached to all PID 1's journal messages`
			`journalctl -q -b -p info -n 5 --grep . _SELINUX_CONTEXT="$PID1_CONTEXT"`

			`# Check context on a couple of arbitrarily-selected files/directories`
			`[[ "$(stat --printf %C /run/systemd/journal/)" =~ ^system_u:object_r:(syslogd_runtime_t\|syslogd_var_run_t)(:s0)?$ ]]`
			`[[ "$(stat --printf %C /run/systemd/notify)" =~ ^system_u:object_r:(init_runtime_t\|init_var_run_t)(:s0)?$ ]]`
			`[[ "$(stat --printf %C /run/systemd/sessions/)" =~ ^system_u:object_r:(systemd_sessions_runtime_t\|systemd_logind_sessions_t)(:s0)?$ ]]`

			`# Check if our SELinux-related functionality works`
			`#`
			`# Since the SELinux policies vary wildly, use a context from some existing file`
			`# as our test context`
			`CONTEXT="$(stat -c %C /proc/sys/kernel/core_pattern)"`

			`[[ "$(systemd-run --wait --pipe -p SELinuxContext="$CONTEXT" cat /proc/self/attr/current \| tr -d '\0')" == "$CONTEXT" ]]`
			`(! systemd-run --wait --pipe -p SELinuxContext="foo:bar:baz" cat /proc/self/attr/current)`
			`(! systemd-run --wait --pipe -p ConditionSecurity='selinux' false)`
			`systemd-run --wait --pipe -p ConditionSecurity='!selinux' false`

			`NSPAWN_ARGS=(systemd-nspawn -q --volatile=yes --directory=/ --bind-ro=/etc --inaccessible=/etc/machine-id)`
			`[[ "$("${NSPAWN_ARGS[@]}" cat /proc/self/attr/current \| tr -d '\0')" != "$CONTEXT" ]]`
			`[[ "$("${NSPAWN_ARGS[@]}" --selinux-context="$CONTEXT" cat /proc/self/attr/current \| tr -d '\0')" == "$CONTEXT" ]]`
			`[[ "$("${NSPAWN_ARGS[@]}" stat --printf %C /run)" != "$CONTEXT" ]]`
			`[[ "$("${NSPAWN_ARGS[@]}" --selinux-apifs-context="$CONTEXT" stat --printf %C /run)" == "$CONTEXT" ]]`
			`[[ "$("${NSPAWN_ARGS[@]}" --selinux-apifs-context="$CONTEXT" --tmpfs=/tmp stat --printf %C /tmp)" == "$CONTEXT" ]]`
tests: add test-selinux-checks 2016-01-31 09:01:43 +00:00
			`touch /testok`