authorDavid Howells <dhowells@redhat.com>2013-11-28 16:17:27 +0000
committerDavid Howells <dhowells@redhat.com>2013-11-28 16:17:27 +0000
commitd9a53cbab42c293962f2f78f7190253fc73bd32e (patch)
treec30996fcb9c02bd55b7816cb4025cb72e9fe6f4b
parent8b4ae963ed92523aea18dfbb8cab3f4979e13bd1 (diff)
TEST: Test for RHBZ 1031154
Test for the problem reported in: https://bugzilla.redhat.com/show_bug.cgi?id=1031154 whereby the kernel's attempts to access the shmem file used by a big_key type to store large data can be denied by the SELinux policy. Signed-off-by: David Howells <dhowells@redhat.com>
-rw-r--r--tests/bugzillas/bz1031154/runtest.sh87
-rw-r--r--tests/toolbox.inc.sh25
2 files changed, 112 insertions, 0 deletions
diff --git a/tests/bugzillas/bz1031154/runtest.sh b/tests/bugzillas/bz1031154/runtest.sh
new file mode 100644
index 0000000..e4d64d4
--- /dev/null
+++ b/tests/bugzillas/bz1031154/runtest.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+# Test for https://bugzilla.redhat.com/show_bug.cgi?id=1031154
+
+. ../../prepare.inc.sh
+. ../../toolbox.inc.sh
+
+
+# ---- do the actual testing ----
+
+result=PASS
+echo "++++ BEGINNING TEST" >$OUTPUTFILE
+
+# we need a reference time to scan the audit log from so as not to pick up old
+# results from this test.
+base_date=`date +"%x@%X"`
+base_time=${base_date#*@}
+base_date=${base_date%@*}
+sleep 1
+
+# reset the permissive audit log autocancel thing
+load_policy
+
+# we need to be in permissive mode
+marker "ENTER SELINUX PERMISSIVE MODE"
+
+mode=`getenforce`
+
+if [ "$mode" != "Permissive" ]
+then
+ echo setenforce Permissive >>$OUTPUTFILE
+ if ! setenforce Permissive
+ then
+ failed
+ fi
+fi
+
+# create a big key to probe
+marker "CREATE BIG KEY"
+pcreate_key_by_size 8192 big_key test-key @s
+expect_keyid id
+
+# check the big key is file backed and the right size
+marker "CHECK BIG KEY"
+xid=`printf %08x $id`
+
+pk=`cat /proc/keys | grep "^$xid.*test-key: 8192 \\[file\\]"`
+echo $pk >>$OUTPUTFILE
+if [ -z "$pk" ]
+then
+ echo "+++ Incorrectly created key" >>$OUTPUTFILE
+ cat /proc/keys | grep "^$xid" >>$OUTPUTFILE
+ failed
+fi
+
+# use a separate context to access the key
+marker "ACCESS INTERCONTEXT"
+
+echo runcon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $id >>$OUTPUTFILE
+if ! runcon system_u:system_r:httpd_t:s0-s0:c0.c1023 keyctl print $id >/dev/null 2>>$OUTPUTFILE
+then
+ failed
+fi
+
+# examine the audit logs
+marker "EXAMINE AUDIT LOGS"
+
+echo ausearch -m AVC -i --subject httpd_t -ts $base_date $base_time \| audit2allow \| grep '-P "allow httpd_t user_tmpfs_t:file [{] (open |read )+[}];"' >>$OUTPUTFILE
+if ausearch -m AVC -i --subject httpd_t -ts $base_date $base_time 2>>$OUTPUTFILE | audit2allow 2>>$OUTPUTFILE | grep -P "allow httpd_t user_tmpfs_t:file [{] (open |read )+[}];"
+then
+ failed
+fi
+
+marker "RESTORE SELINUX MODE"
+if [ "$mode" != "Permissive" ]
+then
+ echo setenforce $mode >>$OUTPUTFILE
+ if ! setenforce $mode
+ then
+ failed
+ fi
+fi
+
+echo "++++ FINISHED TEST: $result" >>$OUTPUTFILE
+
+# --- then report the results in the database ---
+toolbox_report_result $TEST $result
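Review bot: The enforcing mode saved in `mode=\`getenforce\`` is only put back in the "RESTORE SELINUX MODE" block at the end, so every `failed` call between `setenforce Permissive` and that block — key creation, the /proc/keys check, the runcon step — leaves the host in Permissive mode if `failed` terminates the script, which is how the helper reads from here but it is defined outside this hunk. Register the restore as an exit trap right after capturing the mode so it runs on every exit path: `trap '[ "$mode" != "Permissive" ] && setenforce "$mode"' EXIT`, which also covers a Ctrl-C or an unexpected error in one of the sourced helpers. The audit check is a negative test as well: if ausearch is not installed, auditd is not running, or the locale-dependent `%x`/`%X` timestamp is rejected by `-ts`, the pipeline matches nothing and the test passes vacuously, so run ausearch once into a temporary file and call `failed` when it exits non-zero before grepping the audit2allow output.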
diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh
index 3f6dcac..8cc5c04 100644
--- a/tests/toolbox.inc.sh
+++ b/tests/toolbox.inc.sh
@@ -360,6 +360,31 @@ function pcreate_key ()
###############################################################################
#
+# create a key and attach it to the new keyring, piping in the data
+#
+###############################################################################
+function pcreate_key_by_size ()
+{
+ my_exitval=0
+ if [ "x$1" = "x--fail" ]
+ then
+ my_exitval=1
+ shift
+ fi
+
+ data="$1"
+ shift
+
+ echo dd if=/dev/zero count=1 bs=$data \| keyctl padd "$@" >>$OUTPUTFILE
+ dd if=/dev/zero count=1 bs=$data 2>/dev/null | keyctl padd "$@" >>$OUTPUTFILE 2>&1
+ if [ $? != $my_exitval ]
+ then
+ failed
+ fi
+}
+
+###############################################################################
+#
# create a key and attach it to the new keyring
#
###############################################################################
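Review bot: The header comment for pcreate_key_by_size says the function pipes "in the data", but its first positional argument is a byte count, and the payload is that many zero bytes produced by `dd if=/dev/zero count=1 bs=$data`; the variable name `data` makes the same mistake. Rename it and state the contract in the comment, e.g. `# create a key of $1 bytes (zero-filled, piped in via dd) and attach it to the new keyring: pcreate_key_by_size [--fail] <size> <keyctl padd args...>`, with `size="$1"` and `bs="$size"`. Because dd's stderr is discarded and `$?` after the pipeline is keyctl's status under `/bin/sh`, a malformed size makes dd fail silently and keyctl then adds an empty payload, which under `--fail` would be counted as the expected failure for the wrong reason; guard the argument first with `case "$size" in ''|*[!0-9]*) failed ;; esac`.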