2008-09-25 15:17:08

Security-enhanced Linux (SELinux) is an implementation of a mandatory access control mechanism. This mechanism is in the Linux kernel, checking for allowed operations after standard Linux discretionary access controls are checked.

RHEL4 U4 OpenPegasus 2.5.1 Test Plans

SELinux Test Scripts

  • Test Script 1 - connectLocal Test.
    • osinfo
    • /usr/sbin/cimconfig -l -c
    • /usr/sbin/cimconfig -l -p
    • cimprovider -l -s
  • Test Script 2 - connect Test over HTTPS to localhost.
    • osinfo -h localhost -p 5989 -s
  • Test Script 3 - Create a new namespace.
    • cd /usr/share/Pegasus/mof/CIM29/
    • cimmof -n root/test1 Core_Qualifiers.mof
      Note: This operation will create a new namespace in the repository.
  • Test Script 4 - Stop the cimserver daemon.
    • /etc/init.d/tog-pegasus stop
  • Test Script 5 - Test forceProviderProcesses options.
    • osinfo

Test Setup

  • Verify the OpenPegasus SELinux policies are enabled.
  • Start the cimserver daemon.
      Option 1 (Recommended): service tog-pegasus start
      Option 2: /etc/init.d/tog-pegasus start
      Option 3: cimserver

Tests

  • Test 1 (Basic Connectivity Tests)

      Run the following tests as root and a non-root user. Note: If you are using the default OpenPegasus file permission settings, the non-root user will need to be a member of the pegasus group.

      • Test Setup
        • Verify the non-root user is a member of the pegasus group.
          • grep `whoami` /etc/group
      • Run Tests
        • The following tests should run successfully.
          • Test Script 1 - connectLocal Test.
          • Test Script 2 - connect Test over HTTPS to localhost.
  • Test 2

      Run the following tests as "root".

      • Run Tests
        • The following tests should run successfully.
          • Test Script 3 - Create a new namespace.
          • Test Script 4 - Stop the cimserver daemon.

      Run the following tests as a non-root user who is a member of the pegasus group.

      • Run Tests
        • The following tests should run successfully.
          • Test Script 3 - Create a new namespace.

              Potentially Incorrect Behavior:  This test succeeds. Need to determine if this is the desired behavior.

              Inconsistent Behavior:  Permissions on the created directories and files are inconsistent with the permissions on the packaged repository directories and files. Also, directories created by non-root members of the pegasus group are not accessible to them.

                drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root
                drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#cimv2
                drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#PG_Internal
                drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#PG_InterOp
                drwx------ 5 root root 4096 Jun 1 20:31 root#test1
          • Test Script 4 - Stop the cimserver daemon.

              This test should fail.
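
The permission inconsistency noted under Test 2 can be checked mechanically. The script below is an added example, not part of the original test plan: it compares each `ls -l` line against the mode, owner and group of the packaged namespace directories in the listing above. The function names `audit_repo_listing` and `sample_listing` are hypothetical, and the embedded sample is the listing quoted in the plan.

```shell
#!/bin/sh
# Added example (not from the original test plan).
# Reads `ls -l` lines on stdin and prints every entry whose mode, owner or
# group differs from the baseline. Defaults are the values shown for the
# packaged namespace directories in the test plan's listing.
audit_repo_listing() {
    want_mode=${1:-drwxr-x---}
    want_owner=${2:-root}
    want_group=${3:-pegasus}
    awk -v m="$want_mode" -v o="$want_owner" -v g="$want_group" '
        NF >= 9 {
            # ls -l fields: mode links owner group size month day time name
            mode = $1
            sub(/[.+]$/, "", mode)   # newer ls appends "." or "+" to the mode
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i
            why = ""
            if (mode != m) why = why " mode=" mode
            if ($3 != o)   why = why " owner=" $3
            if ($4 != g)   why = why " group=" $4
            if (why != "") { print name ":" why; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: the directory listing quoted under Test 2.
sample_listing() {
    cat <<'EOF'
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#cimv2
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#PG_Internal
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#PG_InterOp
drwx------ 5 root root 4096 Jun 1 20:31 root#test1
EOF
}

# Non-zero exit status means at least one entry deviates from the baseline.
sample_listing | audit_repo_listing || echo "repository permissions are inconsistent"
```

On a live system, pipe `ls -l` of the repository directory into `audit_repo_listing` after running Test Script 3 as each user.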

  • Test 3 (Out-of-Process Provider)
      • Test Setup
        • /etc/init.d/tog-pegasus stop
        • cimconfig -s forceProviderProcesses=true -p
        • /etc/init.d/tog-pegasus start
      • Run Tests
        • The following tests should run successfully as both root and non-root. In addition, the test should run successfully with the OpenPegasus SELinux policies enabled and disabled.
          • Test Script 1 - connectLocal Test.
          • Test Script 2 - connect Test over HTTPS to localhost.
  • Test 4 (Run As Requestor)
      • Test Setup
        • cimprovider -r -m OperatingSystemModule
        • Modify the PG_Provider Module instance definition in /usr/share/Pegasus/mof/Pegasus/PG_OperatingSystem20R.mof as follows:

          • Change the InterfaceVersion from "2.1.0" to "2.5.0".
          • Add the new property
              UserContext = 2;
        • cimmof -n root/PG_InterOp /usr/share/Pegasus/mof/Pegasus/PG_OperatingSystem20R.mof
      • Run Tests
        • The following tests should run successfully as both root and non-root. In addition, the test should run successfully with the OpenPegasus SELinux policies enabled and disabled.
          • osinfo

              FAILURE: Test is failing when run by a non-root user.

                [guest@katmai CIM29]$ osinfo
                osinfo error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "Failed to communicate with cimprovagt "OperatingSystemModule"."

                cimserver.trc Output

                06/01/2006-20:55:17: OsAbstraction [3810:1115699552:SystemUnix.cpp:1139]: setgid failed: Operation not permitted
                06/01/2006-20:55:17: DiscardedData [3810:1115699552]: System::changeUserContext() failed. userName = guest.
                06/01/2006-20:55:17: OsAbstraction [3765:1115699552]: Failed to read buffer from pipe: connection closed
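
The trace excerpt above interleaves lines from two different bracketed contexts. The script below is an added example, not part of the original test plan: it groups the failure lines in a cimserver.trc excerpt by the first bracketed field, which is assumed here to be the process id, and reports the first failure each process logged. The function names `trace_failures` and `sample_trace` are hypothetical, and the sample is the three lines quoted in the plan.

```shell
#!/bin/sh
# Added example (not from the original test plan).
# Summarises the failure lines of a cimserver.trc excerpt per process.
# Assumption: the first field inside [...] is the process id.
trace_failures() {
    awk '
        /[Ff]ailed/ {
            # Line layout: DATE-TIME: Component [pid:tid(:file:line)]: message
            if (!match($0, /\[[0-9]+:[0-9]+[^]]*\]: /)) next
            ctx = substr($0, RSTART + 1, RLENGTH - 4)   # text between [ and ]
            msg = substr($0, RSTART + RLENGTH)          # text after "]: "
            split(ctx, f, ":")
            pid = f[1]
            if (!(pid in first)) { order[++n] = pid; first[pid] = msg }
            count[pid]++
        }
        END {
            # Report processes in the order their first failure appeared.
            for (i = 1; i <= n; i++)
                printf "pid %s: %d failure line(s), first: %s\n",
                       order[i], count[order[i]], first[order[i]]
        }
    '
}

# Constructed sample: the cimserver.trc lines quoted under Test 4.
sample_trace() {
    cat <<'EOF'
06/01/2006-20:55:17: OsAbstraction [3810:1115699552:SystemUnix.cpp:1139]: setgid failed: Operation not permitted
06/01/2006-20:55:17: DiscardedData [3810:1115699552]: System::changeUserContext() failed. userName = guest.
06/01/2006-20:55:17: OsAbstraction [3765:1115699552]: Failed to read buffer from pipe: connection closed
EOF
}

sample_trace | trace_failures
```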

  • Test 5 (cimserver start/stop tests)
      • Test Setup
        • Verify the OpenPegasus SELinux policies are disabled.
            # getsebool pegasus_disable_trans
            pegasus_disable_trans --> active
      • Run Tests
        • The following tests should run successfully as root with the OpenPegasus SELinux policies enabled and disabled.
            # getsebool pegasus_disable_trans
          • Test 1
              # /etc/init.d/tog-pegasus start
              # ps -ef | grep cim
              # /etc/init.d/tog-pegasus stop
              # ps -ef | grep cim
          • Test 2
              # cimserver
              # ps -ef | grep cim
              # cimserver -s
              # ps -ef | grep cim
          • Test 3
              # /etc/init.d/tog-pegasus start
              # ps -ef | grep cimserver
              # cimserver -s
              # ps -ef | grep cim
              FAILURE with policies DISABLED
  • Test 6 (Enable/Disable Policy Tests)
      • Run Tests
        • The following tests should run successfully as root.
          • Test 1
              # chcon -u root -r object_r -t usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
              # setsebool pegasus_disable_trans true
              # cimserver
              # osinfo
              FAILURE: OpenPegasus SELinux Policy testing is still enabled
              # cimserver -s
              # chcon -u system_u -r object_r -t shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1
          • Test 2
              # chcon -u root -r object_r -t usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
              # setsebool pegasus_disable_trans true
              # /etc/init.d/tog-pegasus start
              # osinfo
              # /etc/init.d/tog-pegasus stop
              # chcon -u system_u -r object_r -t shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1
  • Test 7 (Run SDK Tests)
      • Run Tests
        • The following tests should run successfully as root. In addition, the test should run successfully with the OpenPegasus SELinux policies enabled and disabled.
          • Sample tests
              # cd /usr/share/Pegasus/samples
              # gmake
              # gmake setupSDK
              # gmake tests
              FAILURE: The test fails when OpenPegasus selinux policy is enabled.
  • Test 8 (Run-As-Requestor - Trace Test)
      • Test Setup
        • Configure OS Provider to Run-As-Requestor.
        • Enable tracing.
            # cimconfig -s traceLevel=4
            # cimconfig -s traceComponents=ALL
      • Run Tests
        • The following tests should run successfully as both root and non-root. In addition, the test should run successfully with the OpenPegasus SELinux policies enabled and disabled.
          • osinfo
          • Verify the appropriate trace files have been created in the directory /var/lib/Pegasus/trace.

              FAILURE: Failure attempting to create trace file when running as non-root.