From Fedora Project Wiki

(Created page with "{{QA/Test_Case |description=This test case tests semodule basic functionalities (module installation/removal, listing). |setup=Ensure that {{package|policycoreutils}} package ...")
 
Line 3: Line 3:
 
|setup=Ensure that {{package|policycoreutils}} package is installed.
 
|setup=Ensure that {{package|policycoreutils}} package is installed.
 
|actions=
 
|actions=
#Create file called audittmp.cil containing simple auditallow rule:
+
#Create file called audittmp.cil containing simple auditallow rule: '''{{command|#echo "(auditallow unconfined_t user_tmp_t (file (create)))" > audittmp.cil}}'''
<pre>cd /tmp
+
#Install new module '''{{command|#semodule -i audittmp.cil}}'''
echo "(auditallow unconfined_t user_tmp_t (file (create)))" > audittmp.cil
+
#Check that the module is properly installed '''{{command|#semodule -l | grep audittmp}}'''<pre>audittmp</pre>
</pre>
+
#Create new file in /tmp: '''{{command|#touch /tmp/new_file}}'''
#Install new module {{command|semodule -i audittmp.cil}}
+
#Check that the file creation was logged:'''{{command|#ausearch -m avc -ts recent | grep new_file}}'''<pre>type=AVC msg=audit(1470058493.388:6693): avc:  granted  { create } for  pid=7410 comm="touch" name="new_file" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file</pre>
#Check that the module is properly installed
+
#Remove new module: '''{{command|#semodule -r audittmp}}'''
<pre>semodule -l | grep audittmp
+
#Check that the module is no longer listed as installed:'''{{command|#semodule -l | grep audittmp}}'''
audittmp
+
#Clean up: '''{{command|#rm -rf new_file audittmp.cil}}'''
</pre>
 
#Create new file in /tmp
 
{{command|touch /tmp/new_file}}
 
#Check that the file creation was logged
 
<pre>ausearch -m avc -ts recent | grep new_file
 
type=AVC msg=audit(1470058493.388:6693): avc:  granted  { create } for  pid=7410 comm="touch" name="new_file" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
 
</pre>
 
#Remove new module {{command|semodule -r audittmp}}
 
#Check that the module is no longer listed as installed {{command|semodule -l | grep audittmp}}
 
#Clean up {{command|rm -rf new_file audittmp.cil}}
 
  
 
|results=
 
|results=

Revision as of 15:03, 1 August 2016

Description

This test case tests semodule basic functionalities (module installation/removal, listing).

Setup

Ensure that Package-x-generic-16.pngpolicycoreutils package is installed.

How to test

  1. Create file called audittmp.cil containing simple auditallow rule: #echo "(auditallow unconfined_t user_tmp_t (file (create)))" > audittmp.cil
  2. Install new module #semodule -i audittmp.cil
  3. Check that the module is properly installed #semodule -l
    audittmp
  4. Create new file in /tmp: #touch /tmp/new_file
  5. Check that the file creation was logged:#ausearch -m avc -ts recent
    type=AVC msg=audit(1470058493.388:6693): avc:  granted  { create } for  pid=7410 comm="touch" name="new_file" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
  6. Remove new module: #semodule -r audittmp
  7. Check that the module is no longer listed as installed:#semodule -l
  8. Clean up: #rm -rf new_file audittmp.cil

Expected Results

  1. All commands are executed successfully
  2. AVC message simillar to the one shown above was logged