Add tests covering confined user policy generation

Signed-off-by: Vit Mojzis <[email protected]>

tests/test_confined_abcdgilmns.cil

@@ -0,0 +1,24 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_ssh_agent_t)
+(type my_container_sudo_t)
+(type my_container_sudo_tmp_t)
+(type my_container_t)
+(type my_container_userhelper_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_admin_commands_macro (my_container_t my_container_r my_container_sudo_t))
+(call confinedom_graphical_login_macro (my_container_t my_container_r my_container_dbus_t))
+(call confinedom_mozilla_usage_macro (my_container_t my_container_r))
+(call confinedom_networking_macro (my_container_t my_container_r))
+(call confinedom_security_advanced_macro (my_container_t my_container_r my_container_sudo_t my_container_userhelper_t))
+(call confinedom_security_basic_macro (my_container_t my_container_r))
+(call confinedom_sudo_macro (my_container_t my_container_r my_container_sudo_t my_container_sudo_tmp_t))
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+(call confined_ssh_connect_macro (my_container_t my_container_r my_container_ssh_agent_t))
+(call confined_use_basic_commands_macro (my_container_t my_container_r))

tests/test_confined_cla.cil

@@ -0,0 +1,15 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_ssh_agent_t)
+(type my_container_sudo_t)
+(type my_container_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_admin_commands_macro (my_container_t my_container_r my_container_sudo_t))
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+(call confined_ssh_connect_macro (my_container_t my_container_r my_container_ssh_agent_t))

tests/test_confined_lb.cil

@@ -0,0 +1,12 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))
+(call confined_use_basic_commands_macro (my_container_t my_container_r))

tests/test_confined_lsid.cil

@@ -0,0 +1,17 @@
+(boolean my_container_exec_content true)
+(role my_container_r)
+(type my_container_dbus_t)
+(type my_container_gkeyringd_t)
+(type my_container_sudo_t)
+(type my_container_sudo_tmp_t)
+(type my_container_t)
+(type my_container_userhelper_t)
+(user my_container_u)
+(userrole my_container_u my_container_r)
+(userlevel my_container_u (s0))
+(userrange my_container_u ((s0 ) (s0 (c0))))
+
+(call confinedom_security_advanced_macro (my_container_t my_container_r my_container_sudo_t my_container_userhelper_t))
+(call confinedom_security_basic_macro (my_container_t my_container_r))
+(call confinedom_sudo_macro (my_container_t my_container_r my_container_sudo_t my_container_sudo_tmp_t))
+(call confinedom_user_login_macro (my_container_t my_container_r my_container_gkeyringd_t my_container_dbus_t my_container_exec_content))

tests/test_main.py

@@ -369,7 +369,26 @@ def test_device_access_podman(self):
         self.assert_templates(output, ["base_container"])
         self.assert_policy(test_file("test_devices.podman.cil"))
 
-    def run_udica(self, args):
+    # Confined user tests
+    def test_confined_user(self):
+        """udica confined_user <args> --level s0 --range s0:c0 my_container"""
+        for arg in ["cla", "lb", "lsid", "abcdgilmns"]:
+            output = self.run_udica(
+                [
+                    "udica",
+                    "confined_user",
+                    "-{}".format(arg),
+                    "--level",
+                    "s0",
+                    "--range",
+                    "s0:c0",
+                    "my_container",
+                ],
+                True,
+            )
+            self.assert_policy(test_file("test_confined_{}.cil".format(arg)))
+
+    def run_udica(self, args, confined=False):
         with patch("sys.argv", args):
             with patch("sys.stderr.write") as mock_err, patch(
                 "sys.stdout.write"
@@ -383,10 +402,16 @@ def store_output(output):
                 udica.__main__.main()
                 mock_err.assert_not_called()
 
-        self.assertRegex(mock_out.output, "Policy my_container created")
-        self.assertRegex(
-            mock_out.output, "--security-opt label=type:my_container.process"
-        )
+        if confined:
+            self.assertRegex(mock_out.output, "semodule -i my_container.cil")
+            self.assertRegex(
+                mock_out.output, "semanage login -a -s my_container_u my_container"
+            )
+        else:
+            self.assertRegex(mock_out.output, "Policy my_container created")
+            self.assertRegex(
+                mock_out.output, "--security-opt label=type:my_container.process"
+            )
 
         return mock_out.output