python/sepolgen/tests/test_policygen.py - platform/external/selinux - Git at Google

 # Authors: Karl MacMillan <[email protected]>
 #
 # Copyright (C) 2006 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License as
 # published by the Free Software Foundation; version 2 only
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #

 import unittest
 import sepolgen.policygen as policygen
 import sepolgen.access as access
 import sepolgen.refpolicy as refpolicy

 class TestPolicyGenerator(unittest.TestCase):
     def setUp(self):
         self.g = policygen.PolicyGenerator()

     def test_init(self):
         """ Test that extended permission AV rules are not generated by
             default. """
         self.assertFalse(self.g.xperms)

     def test_set_gen_xperms(self):
         """ Test turning on and off generating of extended permission
             AV rules. """
         self.g.set_gen_xperms(True)
         self.assertTrue(self.g.xperms)
         self.g.set_gen_xperms(False)
         self.assertFalse(self.g.xperms)

     def test_av_rules(self):
         """ Test generating of AV rules from access vectors. """
         av1 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
         av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "open"])
         av3 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "read"])

         avs = access.AccessVectorSet()
         avs.add_av(av1)
         avs.add_av(av2)
         avs.add_av(av3)

         self.g.add_access(avs)

         self.assertEqual(len(self.g.module.children), 1)
         r = self.g.module.children[0]
         self.assertIsInstance(r, refpolicy.AVRule)
         self.assertEqual(r.to_string(),
             "allow test_src_t test_tgt_t:file { ioctl open read };")

     def test_ext_av_rules(self):
         """ Test generating of extended permission AV rules from access
             vectors. """
         self.g.set_gen_xperms(True)

         av1 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
         av1.xperms['ioctl'] = refpolicy.XpermSet()
         av1.xperms['ioctl'].add(42)
         av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
         av2.xperms['ioctl'] = refpolicy.XpermSet()
         av2.xperms['ioctl'].add(1234)
         av3 = access.AccessVector(["test_src_t", "test_tgt_t", "dir", "ioctl"])
         av3.xperms['ioctl'] = refpolicy.XpermSet()
         av3.xperms['ioctl'].add(2345)

         avs = access.AccessVectorSet()
         avs.add_av(av1)
         avs.add_av(av2)
         avs.add_av(av3)

         self.g.add_access(avs)

         self.assertEqual(len(self.g.module.children), 4)

         # we cannot sort the rules, so find all rules manually
         av_rule1 = av_rule2 = av_ext_rule1 = av_ext_rule2 = None

         for r in self.g.module.children:
             if isinstance(r, refpolicy.AVRule):
                 if 'file' in r.obj_classes:
                     av_rule1 = r
                 else:
                     av_rule2 = r
             elif isinstance(r, refpolicy.AVExtRule):
                 if 'file' in r.obj_classes:
                     av_ext_rule1 = r
                 else:
                     av_ext_rule2 = r
             else:
                 self.fail("Unexpected rule type '%s'" % type(r))

         # check that all rules are present
         self.assertNotIn(None, (av_rule1, av_rule2, av_ext_rule1, av_ext_rule2))

         self.assertEqual(av_rule1.rule_type, av_rule1.ALLOW)
         self.assertEqual(av_rule1.src_types, {"test_src_t"})
         self.assertEqual(av_rule1.tgt_types, {"test_tgt_t"})
         self.assertEqual(av_rule1.obj_classes, {"file"})
         self.assertEqual(av_rule1.perms, {"ioctl"})

         self.assertEqual(av_ext_rule1.rule_type, av_ext_rule1.ALLOWXPERM)
         self.assertEqual(av_ext_rule1.src_types, {"test_src_t"})
         self.assertEqual(av_ext_rule1.tgt_types, {"test_tgt_t"})
         self.assertEqual(av_ext_rule1.obj_classes, {"file"})
         self.assertEqual(av_ext_rule1.operation, "ioctl")
         xp1 = refpolicy.XpermSet()
         xp1.add(42)
         xp1.add(1234)
         self.assertEqual(av_ext_rule1.xperms.ranges, xp1.ranges)

         self.assertEqual(av_rule2.rule_type, av_rule2.ALLOW)
         self.assertEqual(av_rule2.src_types, {"test_src_t"})
         self.assertEqual(av_rule2.tgt_types, {"test_tgt_t"})
         self.assertEqual(av_rule2.obj_classes, {"dir"})
         self.assertEqual(av_rule2.perms, {"ioctl"})

         self.assertEqual(av_ext_rule2.rule_type, av_ext_rule2.ALLOWXPERM)
         self.assertEqual(av_ext_rule2.src_types, {"test_src_t"})
         self.assertEqual(av_ext_rule2.tgt_types, {"test_tgt_t"})
         self.assertEqual(av_ext_rule2.obj_classes, {"dir"})
         self.assertEqual(av_ext_rule2.operation, "ioctl")
         xp2 = refpolicy.XpermSet()
         xp2.add(2345)
         self.assertEqual(av_ext_rule2.xperms.ranges, xp2.ranges)
	# Authors: Karl MacMillan <[email protected]>
	#
	# Copyright (C) 2006 Red Hat
	# see file 'COPYING' for use and warranty information
	#
	# This program is free software; you can redistribute it and/or
	# modify it under the terms of the GNU General Public License as
	# published by the Free Software Foundation; version 2 only
	#
	# This program is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU General Public License for more details.
	#
	# You should have received a copy of the GNU General Public License
	# along with this program; if not, write to the Free Software
	# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	#

	import unittest
	import sepolgen.policygen as policygen
	import sepolgen.access as access
	import sepolgen.refpolicy as refpolicy

	class TestPolicyGenerator(unittest.TestCase):
	def setUp(self):
	self.g = policygen.PolicyGenerator()

	def test_init(self):
	""" Test that extended permission AV rules are not generated by
	default. """
	self.assertFalse(self.g.xperms)

	def test_set_gen_xperms(self):
	""" Test turning on and off generating of extended permission
	AV rules. """
	self.g.set_gen_xperms(True)
	self.assertTrue(self.g.xperms)
	self.g.set_gen_xperms(False)
	self.assertFalse(self.g.xperms)

	def test_av_rules(self):
	""" Test generating of AV rules from access vectors. """
	av1 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
	av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "open"])
	av3 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "read"])

	avs = access.AccessVectorSet()
	avs.add_av(av1)
	avs.add_av(av2)
	avs.add_av(av3)

	self.g.add_access(avs)

	self.assertEqual(len(self.g.module.children), 1)
	r = self.g.module.children[0]
	self.assertIsInstance(r, refpolicy.AVRule)
	self.assertEqual(r.to_string(),
	"allow test_src_t test_tgt_t:file { ioctl open read };")

	def test_ext_av_rules(self):
	""" Test generating of extended permission AV rules from access
	vectors. """
	self.g.set_gen_xperms(True)

	av1 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
	av1.xperms['ioctl'] = refpolicy.XpermSet()
	av1.xperms['ioctl'].add(42)
	av2 = access.AccessVector(["test_src_t", "test_tgt_t", "file", "ioctl"])
	av2.xperms['ioctl'] = refpolicy.XpermSet()
	av2.xperms['ioctl'].add(1234)
	av3 = access.AccessVector(["test_src_t", "test_tgt_t", "dir", "ioctl"])
	av3.xperms['ioctl'] = refpolicy.XpermSet()
	av3.xperms['ioctl'].add(2345)

	avs = access.AccessVectorSet()
	avs.add_av(av1)
	avs.add_av(av2)
	avs.add_av(av3)

	self.g.add_access(avs)

	self.assertEqual(len(self.g.module.children), 4)

	# we cannot sort the rules, so find all rules manually
	av_rule1 = av_rule2 = av_ext_rule1 = av_ext_rule2 = None

	for r in self.g.module.children:
	if isinstance(r, refpolicy.AVRule):
	if 'file' in r.obj_classes:
	av_rule1 = r
	else:
	av_rule2 = r
	elif isinstance(r, refpolicy.AVExtRule):
	if 'file' in r.obj_classes:
	av_ext_rule1 = r
	else:
	av_ext_rule2 = r
	else:
	self.fail("Unexpected rule type '%s'" % type(r))

	# check that all rules are present
	self.assertNotIn(None, (av_rule1, av_rule2, av_ext_rule1, av_ext_rule2))

	self.assertEqual(av_rule1.rule_type, av_rule1.ALLOW)
	self.assertEqual(av_rule1.src_types, {"test_src_t"})
	self.assertEqual(av_rule1.tgt_types, {"test_tgt_t"})
	self.assertEqual(av_rule1.obj_classes, {"file"})
	self.assertEqual(av_rule1.perms, {"ioctl"})

	self.assertEqual(av_ext_rule1.rule_type, av_ext_rule1.ALLOWXPERM)
	self.assertEqual(av_ext_rule1.src_types, {"test_src_t"})
	self.assertEqual(av_ext_rule1.tgt_types, {"test_tgt_t"})
	self.assertEqual(av_ext_rule1.obj_classes, {"file"})
	self.assertEqual(av_ext_rule1.operation, "ioctl")
	xp1 = refpolicy.XpermSet()
	xp1.add(42)
	xp1.add(1234)
	self.assertEqual(av_ext_rule1.xperms.ranges, xp1.ranges)

	self.assertEqual(av_rule2.rule_type, av_rule2.ALLOW)
	self.assertEqual(av_rule2.src_types, {"test_src_t"})
	self.assertEqual(av_rule2.tgt_types, {"test_tgt_t"})
	self.assertEqual(av_rule2.obj_classes, {"dir"})
	self.assertEqual(av_rule2.perms, {"ioctl"})

	self.assertEqual(av_ext_rule2.rule_type, av_ext_rule2.ALLOWXPERM)
	self.assertEqual(av_ext_rule2.src_types, {"test_src_t"})
	self.assertEqual(av_ext_rule2.tgt_types, {"test_tgt_t"})
	self.assertEqual(av_ext_rule2.obj_classes, {"dir"})
	self.assertEqual(av_ext_rule2.operation, "ioctl")
	xp2 = refpolicy.XpermSet()
	xp2.add(2345)
	self.assertEqual(av_ext_rule2.xperms.ranges, xp2.ranges)