[DO NOT MERGE] Add test for attribute assignment to attributes

policy/Makefile

@@ -29,7 +29,8 @@ TARGETS = \
 	test_task_getsid.te test_task_setpgid.te test_task_setsched.te \
 	test_transition.te test_unix_socket.te \
 	test_mmap.te test_overlayfs.te test_mqueue.te \
-	test_ibpkey.te test_atsecure.te test_cgroupfs.te
+	test_ibpkey.te test_atsecure.te test_cgroupfs.te \
+	test_attribute_assignment.te
 
 ifeq (x$(DISTRO),$(filter x$(DISTRO),xRHEL4 xRHEL5 xRHEL6))
 SUPPORTS_CIL = n

policy/test_attribute_assignment.te

@@ -0,0 +1,67 @@
+##########################################
+#
+# Policy for testing attribute assignment to attributes
+#
+
+# 4 attributtes linked in a typeattribute sequence d->c->b->a
+attribute test_attribute_a;
+attribute test_attribute_b;
+attribute test_attribute_c;
+attribute test_attribute_d;
+
+typeattribute test_attribute_b test_attribute_a;
+typeattribute test_attribute_c test_attribute_b;
+typeattribute test_attribute_d test_attribute_c;
+
+# 2 types assigned to attributes b and d
+type test_attribute_setpgid_yes_t;
+type test_attribute_setpgid_no_t;
+
+typeattribute test_attribute_setpgid_no_t test_attribute_b;
+typeattribute test_attribute_setpgid_yes_t test_attribute_d;
+
+# Attribute "a" is made into a minimal domain type
+testsuite_domain_type_minimal(test_attribute_a)
+# Attribute "c" and types assigned to it can change its pgid
+testsuite_domain_type(test_attribute_c)
+
+# Allow each attribute some access so that they don't get optimized out
+allow test_attribute_a test_attribute_a:dir getattr;
+allow test_attribute_b test_attribute_b:dir getattr;
+allow test_attribute_c test_attribute_c:dir getattr;
+allow test_attribute_d test_attribute_d:dir getattr;
+
+##########################################
+#
+# repeats entrypoint test, only with attributes as proxies for every type
+#
+
+# Type that the test domain can be entered through
+attribute test_attribute_entrypoint;
+files_type(test_attribute_entrypoint)
+
+# Type that the test domain can NOT be entered through
+attribute test_attribute_entrypoint_deny;
+files_type(test_attribute_entrypoint_deny)
+
+# Test domain that can only be entered via test_attribute_entrypoint
+attribute test_attribute_domain;
+testsuite_domain_type(test_attribute_domain)
+
+# Allow test_attribute_domain to be entered via test_attribute_entrypoint.
+domain_entry_file(test_attribute_domain, test_attribute_entrypoint)
+
+# Allow test_attribute_domain to execute test_attribute_entrypoint_deny, but not
+# to enter through it
+can_exec(test_attribute_domain, test_entrypoint_deny_t)
+
+# assign corresponding types
+type test_attribute_entrypoint_t;
+typeattribute test_attribute_entrypoint_t test_attribute_entrypoint;
+
+type test_attribute_entrypoint_deny_t;
+typeattribute test_attribute_entrypoint_deny_t test_attribute_entrypoint_deny;
+
+type test_attribute_domain_t;
+typeattribute test_attribute_domain_t test_attribute_domain;
+

tests/Makefile

@@ -28,7 +28,8 @@ SUBDIRS:= domain_trans entrypoint execshare exectrace execute_no_trans \
 	task_getpgid task_setpgid file ioctl capable_file capable_net \
 	capable_sys dyntrans dyntrace bounds nnp_nosuid mmap unix_socket \
 	inet_socket/tcp inet_socket/udp overlay checkreqprot mqueue \
-	mac_admin atsecure infiniband_endport infiniband_pkey
+	mac_admin atsecure infiniband_endport infiniband_pkey \
+	attribute_assignment
 
 ifeq ($(shell grep -q cap_userns $(POLDEV)/include/support/all_perms.spt && echo true),true)
 ifneq ($(shell ./kvercmp $$(uname -r) 4.7),-1)

tests/attribute_assignment/.gitignore

@@ -0,0 +1 @@
+source

tests/attribute_assignment/Makefile

@@ -0,0 +1,5 @@
+TARGETS=source
+
+all: $(TARGETS)
+clean:
+	rm -f $(TARGETS)

tests/attribute_assignment/source.c

@@ -0,0 +1,30 @@
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+#include <stdio.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+int main(void)
+{
+	pid_t pid, group_id;
+
+	pid = getpid();
+	if ((group_id = getpgid(pid)) < 0) {
+		perror("getpgid");
+		exit(-1);
+	}
+	printf("Group ID = %d\n", group_id);
+	if (setpgid(pid, pid) < 0) {
+		perror("setpgid");
+		exit(1);
+	}
+	if ((group_id = getpgid(pid)) < 0) {
+		perror("getpgid");
+		exit(-1);
+	}
+	printf("Group ID = %d\n", group_id);
+	printf("pid = %d\n", pid);
+	exit(0);
+}

tests/attribute_assignment/test

@@ -0,0 +1,42 @@
+#!/usr/bin/perl
+
+use Test;
+BEGIN { plan tests => 4 }
+
+# task_getpgid, but all permissions are assigned using attributes (two step transition)
+
+$basedir = $0;
+$basedir =~ s|(.*)/[^/]*|$1|;
+
+# Verify that test_setpgid_yes_t can setpgid.
+$result =
+  system("runcon -t test_attribute_setpgid_yes_t -- $basedir/source 2>&1");
+ok( $result, 0 );
+
+# Verify that test_setpgid_no_t cannot setpgid.
+$result =
+  system("runcon -t test_attribute_setpgid_no_t -- $basedir/source 2>&1");
+ok($result);
+
+# entrypoint test, but all permissions are passed using attributes
+
+$basedir = $0;
+$basedir =~ s|(.*)/[^/]*|$1|;
+
+system("cp /bin/true $basedir/true");
+
+# Verify that test_attribute_domain_t cannot be entered via test_attribute_entrypoint_deny_t.
+system("chcon -t test_attribute_entrypoint_deny_t $basedir/true");
+$result = system("runcon -t test_attribute_domain_t $basedir/true 2>&1");
+ok($result);    #this should fail
+
+# Verify that test_attribute_domain_t can be entered via test_attribute_entrypoint_t.
+system("chcon -t test_attribute_entrypoint_t $basedir/true");
+$result = system("runcon -t test_attribute_domain_t $basedir/true");
+ok( $result, 0 );    #this should pass
+
+# Cleanup.
+system("rm -f $basedir/true");
+
+exit;
+

tmt/tests.fmf

@@ -24,7 +24,11 @@
         exit 1
         ;;
       esac
-
+      dnf copr enable -y vmojzis/userspace_test
+      dnf install -y checkpolicy
+      dnf list --showduplicates checkpolicy
+      dnf update -y checkpolicy
+      rpm -qa checkpolicy
       case "$STS_KERNEL" in
       default|'')
         dnf install -y kernel-modules-$(uname -r) kernel-devel-$(uname -r)