Security-enhanced Linux (SELinux)
is an implementation of a mandatory access control mechanism. This
mechanism is in the Linux kernel, checking for allowed operations after
standard Linux discretionary access controls are checked.
RHEL4 U4 OpenPegasus 2.5.1 Test Plans
SELinux Test Scripts
- Test Script 1 - connectLocal Test.
- osinfo
- /usr/sbin/cimconfig -l -c
- /usr/sbin/cimconfig -l -p
- cimprovider -l -s
- Test Script 2 - connect Test over HTTPS to localhost.
- osinfo -h localhost -p 5989 -s
- Test Script 3 - Create a new namespace.
- cd /usr/share/Pegasus/mof/CIM29/
- cimmof -n root/test1 Core_Qualifiers.mof
Note: This operation will create a new namespace in the repository.
- Test Script 4 - Stop the cimserver daemon.
- /etc/init.d/tog-pegasus stop
- Test Script 5 - Test forceProviderProcesses options.
Test Setup
- Verify the OpenPegasus SELinux policies are enabled.
- Start the cimserver daemon.
Option 1 (Recommended): service tog-pegasus start
Option 2: /etc/init.d/tog-pegasus start
Option 3: cimserver
Tests
Test 1 (Basic Connectivity Tests)
Run the following tests as root and as a non-root user.
Note: If you are using the default OpenPegasus file permission settings, the
non-root user will need to be a member of the pegasus group.
- Test Setup
- Verify the non-root user is a member of the pegasus group.
- Run Tests
- The following tests should run successfully.
- Test Script 1 - connectLocal Test.
- Test Script 2 - connect Test over HTTPS to localhost.
Test 2
Run the following tests as "root".
- Run Tests
- The following tests should run successfully.
- Test Script 3 - Create a new namespace.
- Test Script 4 - Stop the cimserver daemon.
Run the following tests as a non-root user in the pegasus group.
- Run Tests
- The following tests should run successfully.
- Test Script 3 - Create a new namespace.
Potentially Incorrect Behavior:
This test succeeds. Need to determine if this is the desired behavior.
Inconsistent Behavior:
Permissions on the created directories and files are inconsistent with the
permissions on the packaged repository directories and files. Also,
directories created by non-root members of the pegasus group are not
accessible to them.
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#cimv2
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#PG_Internal
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#PG_InterOp
drwx------ 5 root root 4096 Jun 1 20:31 root#test1
- Test Script 4 - Stop the cimserver daemon.
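The inconsistency in the listing above can be checked mechanically. The following is an added example, not part of the original test plan: it reads `ls -l` output and reports every namespace directory whose mode, owner or group differs from the packaged baseline (drwxr-x--- root pegasus). The function names are hypothetical, and the sample input is the listing from this page.

```shell
#!/bin/sh
# Added example: audit namespace directories against the packaged baseline.
# Reads `ls -l` lines on stdin; prints "name: deviations" for each mismatch.
# Assumes directory names contain no spaces (namespace dirs use '#').
audit_namespace_listing() {
    want_mode=$1 want_owner=$2 want_group=$3
    awk -v m="$want_mode" -v o="$want_owner" -v g="$want_group" '
        # Only directory entries matter; skip "total N" and regular files.
        $1 !~ /^d/ { next }
        {
            mode = $1
            # Newer ls appends "." or "+" for SELinux contexts / ACLs.
            sub(/[.+]$/, "", mode)
            why = ""
            if (mode != m) why = why " mode=" mode
            if ($3 != o)   why = why " owner=" $3
            if ($4 != g)   why = why " group=" $4
            if (why != "") print $NF ":" why
        }'
}

# Sample input: the repository listing recorded in Test 2.
sample_listing() {
    cat <<'EOF'
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#cimv2
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#PG_Internal
drwxr-x--- 5 root pegasus 4096 Jun 1 20:30 root#PG_InterOp
drwx------ 5 root root 4096 Jun 1 20:31 root#test1
EOF
}

audit_sample() {
    sample_listing | audit_namespace_listing drwxr-x--- root pegasus
}

audit_sample
```

On a live system, pipe `ls -l` of the repository directory into `audit_namespace_listing` after running Test Script 3.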
Test 3 (Out-of-Process Provider)
- Test Setup
- /etc/init.d/tog-pegasus stop
- cimconfig -s forceProviderProcesses=true -p
- /etc/init.d/tog-pegasus start
- Run Tests
- The following tests should run successfully as both root and non-root. In
addition, the tests should run successfully with the OpenPegasus SELinux
policies enabled and disabled.
- Test Script 1 - connectLocal Test.
- Test Script 2 - connect Test over HTTPS to localhost.
Test 4 (Run As Requestor)
- Test Setup
- Run Tests
- The following tests should run successfully as both root and non-root. In
addition, the tests should run successfully with the OpenPegasus SELinux
policies enabled and disabled.
- osinfo
FAILURE: Test is failing when run by a non-root user.
[guest@katmai CIM29]$ osinfo
osinfo error: CIM_ERR_FAILED: A general error occurred that is not
covered by a more specific error code: "Failed to communicate with
cimprovagt "OperatingSystemModule"."
cimserver.trc Output
06/01/2006-20:55:17: OsAbstraction [3810:1115699552:SystemUnix.cpp:1139]: setgid failed: Operation not permitted
06/01/2006-20:55:17: DiscardedData [3810:1115699552]: System::changeUserContext() failed. userName = guest.
06/01/2006-20:55:17: OsAbstraction [3765:1115699552]: Failed to read buffer from pipe: connection closed
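The trace lines above can be correlated to show which requesting user the provider agent failed to switch to, and why. The following is an added example, not part of the original test plan: it assumes the first number inside the square brackets is the process id, and the function names are hypothetical. The sample input is the trace output recorded on this page.

```shell
#!/bin/sh
# Added example: triage Run-As-Requestor failures in cimserver.trc.
# For each failed changeUserContext(), report the process, the requested
# user, and the last OS-level failure logged by that same process.
triage_context_failures() {
    awk '
        # Field 3 looks like [pid:tid...]: keep only the leading pid
        # (assumption: the first number in the brackets is the pid).
        { pid = $3; sub(/^\[/, "", pid); sub(/:.*/, "", pid) }

        # Remember the most recent OS call failure per process.
        $2 == "OsAbstraction" && / failed: / {
            msg = $0
            sub(/^.*\]: /, "", msg)
            cause[pid] = msg
        }

        # A failed context switch names the requesting user at end of line.
        /changeUserContext[(][)] failed/ {
            user = $NF
            sub(/\.$/, "", user)
            c = (pid in cause) ? cause[pid] : "unknown"
            print "pid=" pid " user=" user " cause=" c
        }'
}

# Sample input: the cimserver.trc lines recorded in Test 4.
sample_trace() {
    cat <<'EOF'
06/01/2006-20:55:17: OsAbstraction [3810:1115699552:SystemUnix.cpp:1139]: setgid failed: Operation not permitted
06/01/2006-20:55:17: DiscardedData [3810:1115699552]: System::changeUserContext() failed. userName = guest.
06/01/2006-20:55:17: OsAbstraction [3765:1115699552]: Failed to read buffer from pipe: connection closed
EOF
}

triage_sample() {
    sample_trace | triage_context_failures
}

triage_sample
```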
Test 5 (cimserver start/stop tests)
- Test Setup
- Verify the OpenPegasus SELinux policies are disabled.
# getsebool pegasus_disable_trans
pegasus_disable_trans --> active
- Run Tests
- The following tests should run successfully as root with
the OpenPegasus SELinux policies enabled and disabled.
# getsebool pegasus_disable_trans
- Test 1
# /etc/init.d/tog-pegasus start
# ps -ef | grep cim
# /etc/init.d/tog-pegasus stop
# ps -ef | grep cim
- Test 2
# cimserver
# ps -ef | grep cim
# cimserver -s
# ps -ef | grep cim
- Test 3
# /etc/init.d/tog-pegasus start
# ps -ef | grep cimserver
# cimserver -s
# ps -ef | grep cim    (FAILURE with policies DISABLED)
- Test 6 (Enable/Disable Policy Tests)
- Run Tests
- The following tests should run successfully as root.
- Test 1
# chcon -u root -r object_r -t usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
# setsebool pegasus_disable_trans true
# cimserver
# osinfo    (FAILURE: OpenPegasus SELinux Policy testing is still enabled)
# cimserver -s
# chcon -u system_u -r object_r -t shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1
- Test 2
# chcon -u root -r object_r -t usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
# setsebool pegasus_disable_trans true
# /etc/init.d/tog-pegasus start
# osinfo
# /etc/init.d/tog-pegasus stop
# chcon -u system_u -r object_r -t shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1
- Test 7 (Run SDK Tests)
- Run Tests
- The following tests should run successfully as root. In
addition, the tests should run successfully with the OpenPegasus SELinux
policies enabled and disabled.
- Sample tests
# cd /usr/share/Pegasus/samples
# gmake
# gmake setupSDK
# gmake tests    (FAILURE: The test fails when OpenPegasus selinux policy is enabled.)
- Test 8 (Run-As-Requestor - Trace Test)
- Test Setup
- Configure OS Provider to Run-As-Requestor.
- Enable tracing.
# cimconfig -s traceLevel=4
# cimconfig -s traceComponents=ALL
- Run Tests
- The following tests should run successfully as both root and non-root. In
addition, the tests should run successfully with the OpenPegasus SELinux
policies enabled and disabled.
- osinfo
- Verify the appropriate trace files have been created in the directory
/var/lib/Pegasus/trace.
FAILURE: Failure attempting to create trace file when running as non-root.