From Fedora Project Wiki

 
Line 3: Line 3:
 
|setup=Ensure that {{package|policycoreutils}} package is installed.
 
|setup=Ensure that {{package|policycoreutils}} package is installed.
 
|actions=
 
|actions=
#Create file called audittmp.cil containing simple auditallow rule: '''{{command|#echo "(auditallow unconfined_t user_tmp_t (file (create)))" > audittmp.cil}}'''
+
<ol>
#Install new module '''{{command|#semodule -i audittmp.cil}}'''
+
<li>Create file called audittmp.cil containing simple auditallow rule: <pre>#echo "(auditallow unconfined_t user_tmp_t (file (create)))" > audittmp.cil</pre> </li>
#Check that the module is properly installed '''{{command|#semodule -l | grep audittmp}}'''<pre>audittmp</pre>
+
<li>Install new module: <pre>#semodule -i audittmp.cil</pre></li>
#Create new file in /tmp: '''{{command|#touch /tmp/new_file}}'''
+
<li>Check that the module is properly installed: <pre>
#Check that the file creation was logged:'''{{command|#ausearch -m avc -ts recent | grep new_file}}'''<pre>type=AVC msg=audit(1470058493.388:6693): avc:  granted  { create } for  pid=7410 comm="touch" name="new_file" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file</pre>
+
#semodule -l | grep audittmp
#Remove new module: '''{{command|#semodule -r audittmp}}'''
+
audittmp
#Check that the module is no longer listed as installed:'''{{command|#semodule -l | grep audittmp}}'''
+
</pre>
#Clean up: '''{{command|#rm -rf new_file audittmp.cil}}'''
+
</li>
 
+
<li>Create new file in /tmp: <pre>#touch /tmp/new_file</pre></li>
 +
<li>Check that the file creation was logged:<pre>#ausearch -m avc -ts recent | grep new_file
 +
type=AVC msg=audit(1470058493.388:6693): avc:  granted  { create } for  pid=7410 comm="touch" name="new_file" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file</pre></li>
 +
<li>Remove new module: <pre>#semodule -r audittmp</pre></li>
 +
<li>Check that the module is no longer listed as installed:<pre>#semodule -l | grep audittmp
 +
-</pre></li>
 +
<li>Clean up: <pre>#rm -rf new_file audittmp.cil</pre></li>
 +
</ol>
 
|results=
 
|results=
  

Latest revision as of 13:21, 4 August 2016

Description

This test case tests semodule basic functionalities (module installation/removal, listing).

Setup

Ensure that Package-x-generic-16.pngpolicycoreutils package is installed.

How to test

  1. Create file called audittmp.cil containing simple auditallow rule:
    #echo "(auditallow unconfined_t user_tmp_t (file (create)))" > audittmp.cil
  2. Install new module:
    #semodule -i audittmp.cil
  3. Check that the module is properly installed:
    #semodule -l | grep audittmp
    audittmp
    
  4. Create new file in /tmp:
    #touch /tmp/new_file
  5. Check that the file creation was logged:
    #ausearch -m avc -ts recent | grep new_file
    type=AVC msg=audit(1470058493.388:6693): avc:  granted  { create } for  pid=7410 comm="touch" name="new_file" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
  6. Remove new module:
    #semodule -r audittmp
  7. Check that the module is no longer listed as installed:
    #semodule -l | grep audittmp
    -
  8. Clean up:
    #rm -rf new_file audittmp.cil

Expected Results

  1. All commands are executed successfully
  2. AVC message simillar to the one shown above was logged