diff --git a/tests/extended_socket_class/test b/tests/extended_socket_class/test
index 6e334d1c..cc9354a5 100755
--- a/tests/extended_socket_class/test
+++ b/tests/extended_socket_class/test
@@ -1,7 +1,17 @@
 #!/usr/bin/perl
 use Test;
 
-BEGIN { plan tests => 16 }
+
+BEGIN {
+ if ( system("test -f /proc/net/if_inet6") eq 0 ) {
+ $test_ipv6 = 1;
+ plan tests => 16;
+ }
+ else {
+ $test_ipv6 = 0;
+ plan tests => 10;
+ }
+}
 
 $basedir = $0;
 $basedir =~ s|(.*)/[^/]*|$1|;
@@ -20,17 +30,20 @@ $result = system(
 );
 ok($result);
 
-# Verify that test_icmp_socket_t can create an ICMPv6 socket.
-$result = system(
+if ($test_ipv6) {
+
+ # Verify that test_icmp_socket_t can create an ICMPv6 socket.
+ $result = system(
 "runcon -t test_icmp_socket_t -- $basedir/sockcreate inet6 dgram icmpv6 2>&1"
-);
-ok( $result, 0 );
+ );
+ ok( $result, 0 );
 
-# Verify that test_no_icmp_socket_t cannot create an ICMPv6 socket.
-$result = system(
+ # Verify that test_no_icmp_socket_t cannot create an ICMPv6 socket.
+ $result = system(
 "runcon -t test_no_icmp_socket_t -- $basedir/sockcreate inet6 dgram icmpv6 2>&1"
-);
-ok($result);
+ );
+ ok($result);
+}
 
 # Restore to the kernel defaults - no one allowed to create ICMP sockets.
 system("echo 1 0 > /proc/sys/net/ipv4/ping_group_range");
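Review bot: The IPv6 probe in the new BEGIN block, `if ( system("test -f /proc/net/if_inet6") eq 0 )`, forks a shell for a check that Perl's file-test operator does natively, and compares the numeric exit status with the string operator `eq`. `if ( -f "/proc/net/if_inet6" )` expresses the same test without the subprocess and without the string/number mix. The same construct is added to the BEGIN block of tests/inet_socket/test later in this commit (the `@@ -23,10 +25,17 @@` hunk), so both should change together. A one-line comment above the probe, e.g. `# /proc/net/if_inet6 is only present when the kernel has IPv6 support.`, would record what the file's presence is taken to mean.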
@@ -59,29 +72,32 @@ $result = system(
 );
 ok($result);
 
-# Verify that test_sctp_socket_t can create an IPv6 stream SCTP socket.
-$result = system(
- "runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1"
-);
-ok( $result, 0 );
+if ($test_ipv6) {
 
-# Verify that test_no_sctp_socket_t cannot create an IPv6 stream SCTP socket.
-$result = system(
+ # Verify that test_sctp_socket_t can create an IPv6 stream SCTP socket.
+ $result = system(
+"runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1"
+ );
+ ok( $result, 0 );
+
+ # Verify that test_no_sctp_socket_t cannot create an IPv6 stream SCTP socket.
+ $result = system(
 "runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1"
-);
-ok($result);
+ );
+ ok($result);
 
-# Verify that test_sctp_socket_t can create an IPv6 seqpacket SCTP socket.
-$result = system(
+ # Verify that test_sctp_socket_t can create an IPv6 seqpacket SCTP socket.
+ $result = system(
 "runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 seqpacket sctp 2>&1"
-);
-ok( $result, 0 );
+ );
+ ok( $result, 0 );
 
 # Verify that test_no_sctp_socket_t cannot create an IPv6 seqpacket SCTP socket.
-$result = system(
+ $result = system(
 "runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet6 seqpacket sctp 2>&1"
-);
-ok($result);
+ );
+ ok($result);
+}
 
 # Verify that test_bluetooth_socket_t can create a Bluetooth socket.
 $result = system(
diff --git a/tests/inet_socket/ipsec-load b/tests/inet_socket/ipsec-load
index 21e2dfee..190f382e 100644
--- a/tests/inet_socket/ipsec-load
+++ b/tests/inet_socket/ipsec-load
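Review bot: The comment `# Verify that test_no_sctp_socket_t cannot create an IPv6 seqpacket SCTP socket.` near the end of the hunk appears as an unchanged context line, so it stays at column 0 inside the new `if ($test_ipv6) {` block while the `$result`/`ok` lines around it and the three sibling comments above it were re-indented. Indent it to match, or wrap it onto two lines the way the over-long comments in tests/inet_socket/test were wrapped in this commit, so the block reads uniformly. Nothing else in the hunk changes behaviour beyond gating the four IPv6 SCTP cases on `$test_ipv6`, which matches the reduced plan count in the BEGIN block.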
@@ -11,7 +11,9 @@ ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto tcp dir out ctx "system_u:o
 ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
 
 # IPv6 loopback
-ip xfrm state add src ::1 dst ::1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345
-ip xfrm state add src ::1 dst ::1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345
-ip xfrm policy add src ::1 dst ::1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
-ip xfrm policy add src ::1 dst ::1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+if test -f /proc/net/if_inet6; then
+ ip xfrm state add src ::1 dst ::1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345
+ ip xfrm state add src ::1 dst ::1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345
+ ip xfrm policy add src ::1 dst ::1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+ ip xfrm policy add src ::1 dst ::1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+fi
diff --git a/tests/inet_socket/server.c b/tests/inet_socket/server.c
index 234c2d66..7cd8f622 100644
--- a/tests/inet_socket/server.c
+++ b/tests/inet_socket/server.c
@@ -39,12 +39,16 @@ int main(int argc, char **argv)
 socklen_t sinlen;
 struct sockaddr_storage sin;
 struct addrinfo hints, *res;
+ sa_family_t family = AF_INET;
 char byte;
 bool nopeer = false;
 char *flag_file = NULL;
 
- while ((opt = getopt(argc, argv, "f:n")) != -1) {
+ while ((opt = getopt(argc, argv, "6f:n")) != -1) {
 switch (opt) {
+ case '6':
+ family = AF_INET6;
+ break;
 case 'f':
 flag_file = optarg;
 break;
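Review bot: The new `if test -f /proc/net/if_inet6; then` guard keys on the same file as the Perl side, which keeps the two in step, but that file only shows that the kernel's IPv6 stack is present, not that `::1` is configured on loopback (it can be absent when IPv6 is disabled per interface via sysctl); in that case the `::1` states and policies are still loaded and the `::1` tests in tests/inet_socket/test still run and fail. If that configuration matters, a probe for the address itself (for example `ip -6 addr show dev lo`) is a closer match for what the tests need, and the same probe should then be used in both files. A short comment on the guard, e.g. `# Skip the IPv6 SAs/policies when the kernel has no IPv6 support.`, would also help the next reader.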
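Review bot: The new `-6` option is handled in the `case '6':` branch but the hunk adds no documentation for it, and the usage text of server.c is outside this hunk, so confirm that it lists `-6` next to `-f` and `-n`. `family` is declared `sa_family_t`, yet its only consumer in this commit is `hints.ai_family`, which is an `int`; `int family = AF_INET;` would match the field it feeds, and a comment such as `/* address family to listen on: -6 selects IPv6, default IPv4 */` beside the declaration would explain the change of default from the previously hard-coded AF_INET6. main() starts before and continues after this hunk.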
@@ -61,7 +65,7 @@ int main(int argc, char **argv)
 
 memset(&hints, 0, sizeof(struct addrinfo));
 hints.ai_flags = AI_PASSIVE;
- hints.ai_family = AF_INET6;
+ hints.ai_family = family;
 
 if (!strcmp(argv[optind], "stream")) {
 hints.ai_socktype = SOCK_STREAM;
diff --git a/tests/inet_socket/test b/tests/inet_socket/test
index 47ce1060..491db718 100755
--- a/tests/inet_socket/test
+++ b/tests/inet_socket/test
@@ -5,11 +5,13 @@ BEGIN {
 $basedir = $0;
 $basedir =~ s|(.*)/[^/]*|$1|;
 
- $test_count = 38;
+ $test_count_ipv4 = 34;
+ $test_count_ipv6 = 4;
 
 $test_ipsec = 0;
 if ( system("ip xfrm policy help 2>&1 | grep -q ctx") eq 0 ) {
- $test_count += 8;
+ $test_count_ipv4 += 4;
+ $test_count_ipv6 += 4;
 $test_ipsec = 1;
 }
 
@@ -23,10 +25,17 @@ BEGIN {
 
 $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
 if ( $netlabelctl gt "021" and $rc > 0 ) {
- $test_count += 3;
+ $test_count_ipv6 += 3;
 $test_calipso_stream = 1;
 }
 
+ $test_count = $test_count_ipv4;
+ $test_ipv6 = 0;
+ if ( system("test -f /proc/net/if_inet6") eq 0 ) {
+ $test_count += $test_count_ipv6;
+ $test_ipv6 = 1;
+ }
+
 plan tests => $test_count;
 }
 
@@ -298,16 +307,6 @@ if ($test_ipsec) {
 "runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1";
 ok( $result >> 8 eq 5 );
 
- # Verify that authorized client can communicate with the server.
- $result =
- system "runcon -t test_inet_client_t $basedir/client stream ::1 65535";
- ok( $result eq 0 );
-
- # Verify that unauthorized client cannot communicate with the server.
- $result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1";
- ok( $result >> 8 eq 5 );
-
 # Kill the server.
 server_end($pid);
 
@@ -325,24 +324,50 @@ if ($test_ipsec) {
 "runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1";
 ok( $result >> 8 eq 8 );
 
- # Verify that unauthorized client cannot communicate with the server.
- $result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1";
- ok( $result >> 8 eq 8 );
-
 # Kill the server.
 server_end($pid);
 
-# Start the dgram server for IPSEC test using IPv6 but do not request peer context.
- $pid = server_start( "-t test_inet_server_t", "-n dgram 65535" );
+ if ($test_ipv6) {
 
- # This test now passes.
- $result = system
- "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
- ok( $result eq 0 );
+ # Start the IPv6 stream server.
+ $pid = server_start( "-t test_inet_server_t", "-6 stream 65535" );
 
- # Kill the server.
- server_end($pid);
+ # Verify that authorized client can communicate with the server.
+ $result = system
+ "runcon -t test_inet_client_t $basedir/client stream ::1 65535";
+ ok( $result eq 0 );
+
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
+"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1";
+ ok( $result >> 8 eq 5 );
+
+ # Kill the server.
+ server_end($pid);
+
+ # Start the IPv6 dgram server.
+ $pid = server_start( "-t test_inet_server_t", "-6 dgram 65535" );
+
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
+"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1";
+ ok( $result >> 8 eq 8 );
+
+ # Kill the server.
+ server_end($pid);
+
+ # Start the dgram server for IPSEC test using IPv6 but do not request
+ # peer context.
+ $pid = server_start( "-t test_inet_server_t", "-6n dgram 65535" );
+
+ # This test now passes.
+ $result = system
+"runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
+ ok( $result eq 0 );
+
+ # Kill the server.
+ server_end($pid);
+ }
 
 # Flush IPSEC configuration.
 system "/bin/sh $basedir/ipsec-flush";
@@ -364,16 +389,6 @@ $result = system
 "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535 2>&1";
 ok( $result >> 8 eq 5 );
 
-# Verify that authorized client can communicate with the server.
-$result = system
- "runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535";
-ok( $result eq 0 );
-
-# Verify that unauthorized client cannot communicate with the server.
-$result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1";
-ok( $result >> 8 eq 5 );
-
 # Kill the server.
 server_end($pid);
 
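Review bot: The IPv6 dgram server block added under `if ($test_ipv6)` runs only the unauthorized-client case (`ok( $result >> 8 eq 8 )`), whereas the IPv6 stream block just above it checks both the authorized and the unauthorized client; the removed lines show the old code had the same gap, but now that a dedicated `-6 dgram 65535` server is started, an authorized `::1` dgram check would cost one `ok()` plus one in `$test_count_ipv6`, or the asymmetry deserves a comment. `# This test now passes.` above the last `$result = system` still does not say why; `# The server was started with -n, so a client expecting no peer context succeeds.` records the intent (this reading of -n and `-e nopeer` comes from the removed comment and server.c, not from this hunk alone). The enclosing `if ($test_ipsec)` block starts before the hunk.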
@@ -390,41 +405,69 @@ $result = system
 "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram 127.0.0.1 65535 2>&1";
 ok( $result >> 8 eq 8 );
 
-# Verify that authorized client can communicate with the server.
-$result = system
- "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
-ok( $result eq 0 );
+# Kill the server.
+server_end($pid);
 
-# Verify that unauthorized client cannot communicate with the server.
-$result = system
+if ($test_ipv6) {
+
+ # Start the IPv6 stream server.
+ $pid = server_start( "-t test_inet_server_t", "-6n stream 65535" );
+
+ # Verify that authorized client can communicate with the server.
+ $result = system
+"runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535";
+ ok( $result eq 0 );
+
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
+"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1";
+ ok( $result >> 8 eq 5 );
+
+ # Kill the server.
+ server_end($pid);
+
+ # Start the IPv6 dgram server.
+ $pid = server_start( "-t test_inet_server_t", "-6n dgram 65535" );
+
+ # Verify that authorized client can communicate with the server.
+ $result = system
+ "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
+ ok( $result eq 0 );
+
+ # Verify that unauthorized client cannot communicate with the server.
+ $result = system
 "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram ::1 65535 2>&1";
-ok( $result >> 8 eq 8 );
+ ok( $result >> 8 eq 8 );
 
-# Kill the server.
-server_end($pid);
+ # Kill the server.
+ server_end($pid);
+}
 
 # Flush iptables configuration.
 system "/bin/sh $basedir/iptables-flush";
 
-if ($test_calipso_stream) {
+if ( $test_ipv6 and $test_calipso_stream ) {
 
 # Load NetLabel configuration for CALIPSO/IPv6 labeling over loopback.
 system "/bin/sh $basedir/calipso-load";
 
 # Start the stream server.
- $pid = server_start( "-t test_inet_server_t -l s0:c0.c10", "stream 65535" );
+ $pid =
+ server_start( "-t test_inet_server_t -l s0:c0.c10", "-6 stream 65535" );
 
 # Verify that authorized client can communicate with the server.
 $result = system
 "runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream ::1 65535";
 ok( $result eq 0 );
 
-# Verify that authorized client can communicate with the server using different valid level.
+ # Verify that authorized client can communicate with the server using
+ # different valid level.
 $result = system
 "runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c8.c10 stream ::1 65535";
 ok( $result eq 0 );
 
-# Verify that authorized client cannot communicate with the server using invalid level.
+ # Verify that authorized client cannot communicate with the server using
+ # invalid level.
 $result = system
 "runcon -t test_inet_client_t -l s0:c8.c12 -- $basedir/client stream ::1 65535 2>&1";
 ok( $result >> 8 eq 5 );
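Review bot: The comment `# Start the IPv6 stream server.` above `server_start( "-t test_inet_server_t", "-6n stream 65535" )` does not mention that `-n` is passed, unlike the IPsec section of this file, which spells out "do not request peer context" for the same flag; the `-6n dgram 65535` start further down has the same gap. `# Start the IPv6 stream server without requesting peer context (-n).` keeps the two sections consistent. The widened gate `if ( $test_ipv6 and $test_calipso_stream )` is needed because the BEGIN block only adds the three CALIPSO tests to `$test_count_ipv6`; a one-line comment saying so would spare the reader the cross-reference.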