From 83441614b7bd5dd943ca2e60defe078173816bf3 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 4 Apr 2024 16:30:31 -0400 Subject: [PATCH 01/71] Move library tests to a new subdirectory. Signed-off-by: Chris PeBenito --- tests/{checker => library}/__init__.py | 0 tests/{ => library}/boolquery.conf | 0 tests/{ => library}/boundsquery.conf | 0 tests/{ => library}/categoryquery.conf | 0 .../checker}/__init__.py | 0 tests/{ => library}/checker/assertrbac.conf | 0 tests/{ => library}/checker/assertte.conf | 0 .../checker/checker-invalidoption.ini | 0 .../checker/checker-invalidtype.ini | 0 .../checker/checker-invalidvalue.ini | 0 .../checker/checker-missingtype.ini | 0 tests/{ => library}/checker/checker-valid.ini | 0 tests/{ => library}/checker/checker.conf | 0 tests/{ => library}/checker/emptyattr.conf | 0 tests/{ => library}/checker/roexec.conf | 0 .../{ => library}/checker/test_assertrbac.py | 2 +- tests/{ => library}/checker/test_assertte.py | 2 +- tests/{ => library}/checker/test_checker.py | 14 ++-- tests/{ => library}/checker/test_emptyattr.py | 2 +- tests/{ => library}/checker/test_roexec.py | 2 +- tests/{ => library}/checker/util.py | 0 tests/{ => library}/commonquery.conf | 0 tests/{ => library}/conditionalinfoflow.conf | 0 tests/{ => library}/constraintquery.conf | 0 tests/{ => library}/defaultquery.conf | 0 tests/{ => library}/devicetreeconquery.conf | 0 tests/{ => library}/diff_left.conf | 0 tests/{ => library}/diff_left_redundant.conf | 0 tests/{ => library}/diff_left_standard.conf | 0 tests/{ => library}/diff_right.conf | 0 tests/{ => library}/diff_right_rmisid.conf | 0 tests/{ => library}/dta.conf | 0 tests/{ => library}/fsusequery.conf | 0 tests/{ => library}/genfsconquery.conf | 0 tests/{ => library}/ibendportconquery.conf | 0 tests/{ => library}/ibpkeyconquery.conf | 0 tests/{ => library}/infoflow.conf | 0 tests/{ => library}/initsidquery.conf | 0 .../invalid_perm_maps/bad-class-keyword | 0 .../invalid_perm_maps/bad-perm-weight-high | 0 .../invalid_perm_maps/bad-perm-weight-low | 0 .../invalid_perm_maps/bad-permcount | 0 .../invalid_perm_maps/extra-class | 0 .../invalid_perm_maps/extra-perms | 0 .../invalid_perm_maps/invalid-flowdir | 0 .../invalid_perm_maps/invalid-perm-weight | 0 .../invalid_perm_maps/negative-classcount | 0 .../invalid_perm_maps/negative-permcount | 0 .../invalid_perm_maps/non-number-classcount | 0 tests/{ => library}/iomemconquery.conf | 0 tests/{ => library}/ioportconquery.conf | 0 tests/{ => library}/mixins.py | 0 tests/{ => library}/mlsrulequery.conf | 0 tests/{ => library}/netifconquery.conf | 0 tests/{ => library}/nodeconquery.conf | 0 tests/{ => library}/objclassquery.conf | 0 tests/{ => library}/pcideviceconquery.conf | 0 tests/{ => library}/perm_map | 0 tests/{ => library}/permmap.conf | 0 tests/{ => library}/pirqconquery.conf | 0 tests/{ => library}/polcapquery.conf | 0 tests/library/policyrep/__init__.py | 0 tests/{ => library}/policyrep/initsid.conf | 0 .../nodecon-invalid-range.conf | 0 .../user-level-not-in-range.conf | 0 tests/{ => library}/policyrep/mls.conf | 0 tests/{ => library}/policyrep/objclass.conf | 0 tests/{ => library}/policyrep/role.conf | 0 .../policyrep/selinuxpolicy.conf | 0 .../policyrep/terule_issue74.conf | 0 tests/{ => library}/policyrep/test_default.py | 0 tests/{ => library}/policyrep/test_initsid.py | 0 tests/{ => library}/policyrep/test_mls.py | 0 tests/{ => library}/policyrep/test_mlsrule.py | 0 .../{ => library}/policyrep/test_objclass.py | 0 tests/{ => library}/policyrep/test_polcap.py | 0 .../{ => library}/policyrep/test_rbacrule.py | 0 tests/{ => library}/policyrep/test_role.py | 0 .../policyrep/test_selinuxpolicy.py | 2 +- tests/{ => library}/policyrep/test_symbol.py | 0 tests/{ => library}/policyrep/test_terule.py | 2 +- .../{ => library}/policyrep/test_typeattr.py | 0 tests/{ => library}/policyrep/test_user.py | 0 tests/{ => library}/policyrep/typeattr.conf | 0 tests/{ => library}/policyrep/user.conf | 0 tests/{ => library}/policyrep/util.py | 0 tests/{ => library}/portconquery.conf | 0 tests/{ => library}/rbacrulequery.conf | 0 tests/{ => library}/rolequery.conf | 0 tests/{ => library}/sensitivityquery.conf | 0 tests/{ => library}/terulequery.conf | 0 tests/{ => library}/terulequery.py | 4 +- tests/{ => library}/terulequery2.conf | 0 tests/{ => library}/test_boolquery.py | 2 +- tests/{ => library}/test_boundsquery.py | 2 +- tests/{ => library}/test_categoryquery.py | 2 +- tests/{ => library}/test_commonquery.py | 2 +- .../{ => library}/test_conditionalinfoflow.py | 4 +- tests/{ => library}/test_constraintquery.py | 2 +- tests/{ => library}/test_defaultquery.py | 2 +- .../{ => library}/test_devicetreeconquery.py | 2 +- tests/{ => library}/test_diff.py | 20 ++--- tests/{ => library}/test_dta.py | 2 +- tests/{ => library}/test_fsusequery.py | 2 +- tests/{ => library}/test_genfsconquery.py | 2 +- tests/{ => library}/test_ibendportconquery.py | 2 +- tests/{ => library}/test_ibpkeyconquery.py | 2 +- tests/{ => library}/test_infoflow.py | 4 +- tests/{ => library}/test_initsidquery.py | 2 +- tests/{ => library}/test_iomemconquery.py | 2 +- tests/{ => library}/test_ioportconquery.py | 2 +- tests/{ => library}/test_mlsrulequery.py | 2 +- tests/{ => library}/test_netifconquery.py | 2 +- tests/{ => library}/test_nodeconquery.py | 2 +- tests/{ => library}/test_objclassquery.py | 2 +- tests/{ => library}/test_pcideviceconquery.py | 2 +- tests/{ => library}/test_permmap.py | 84 +++++++++---------- tests/{ => library}/test_pirqconquery.py | 2 +- tests/{ => library}/test_polcapquery.py | 2 +- tests/{ => library}/test_portconquery.py | 2 +- tests/{ => library}/test_rbacrulequery.py | 2 +- tests/{ => library}/test_rolequery.py | 2 +- tests/{ => library}/test_sensitivityquery.py | 2 +- tests/{ => library}/test_typeattrquery.py | 2 +- tests/{ => library}/test_typequery.py | 2 +- tests/{ => library}/test_userquery.py | 2 +- tests/{ => library}/typeattrquery.conf | 0 tests/{ => library}/typequery.conf | 0 tests/{ => library}/userquery.conf | 0 129 files changed, 100 insertions(+), 100 deletions(-) rename tests/{checker => library}/__init__.py (100%) rename tests/{ => library}/boolquery.conf (100%) rename tests/{ => library}/boundsquery.conf (100%) rename tests/{ => library}/categoryquery.conf (100%) rename tests/{policyrep => library/checker}/__init__.py (100%) rename tests/{ => library}/checker/assertrbac.conf (100%) rename tests/{ => library}/checker/assertte.conf (100%) rename tests/{ => library}/checker/checker-invalidoption.ini (100%) rename tests/{ => library}/checker/checker-invalidtype.ini (100%) rename tests/{ => library}/checker/checker-invalidvalue.ini (100%) rename tests/{ => library}/checker/checker-missingtype.ini (100%) rename tests/{ => library}/checker/checker-valid.ini (100%) rename tests/{ => library}/checker/checker.conf (100%) rename tests/{ => library}/checker/emptyattr.conf (100%) rename tests/{ => library}/checker/roexec.conf (100%) rename tests/{ => library}/checker/test_assertrbac.py (99%) rename tests/{ => library}/checker/test_assertte.py (99%) rename tests/{ => library}/checker/test_checker.py (84%) rename tests/{ => library}/checker/test_emptyattr.py (98%) rename tests/{ => library}/checker/test_roexec.py (98%) rename tests/{ => library}/checker/util.py (100%) rename tests/{ => library}/commonquery.conf (100%) rename tests/{ => library}/conditionalinfoflow.conf (100%) rename tests/{ => library}/constraintquery.conf (100%) rename tests/{ => library}/defaultquery.conf (100%) rename tests/{ => library}/devicetreeconquery.conf (100%) rename tests/{ => library}/diff_left.conf (100%) rename tests/{ => library}/diff_left_redundant.conf (100%) rename tests/{ => library}/diff_left_standard.conf (100%) rename tests/{ => library}/diff_right.conf (100%) rename tests/{ => library}/diff_right_rmisid.conf (100%) rename tests/{ => library}/dta.conf (100%) rename tests/{ => library}/fsusequery.conf (100%) rename tests/{ => library}/genfsconquery.conf (100%) rename tests/{ => library}/ibendportconquery.conf (100%) rename tests/{ => library}/ibpkeyconquery.conf (100%) rename tests/{ => library}/infoflow.conf (100%) rename tests/{ => library}/initsidquery.conf (100%) rename tests/{ => library}/invalid_perm_maps/bad-class-keyword (100%) rename tests/{ => library}/invalid_perm_maps/bad-perm-weight-high (100%) rename tests/{ => library}/invalid_perm_maps/bad-perm-weight-low (100%) rename tests/{ => library}/invalid_perm_maps/bad-permcount (100%) rename tests/{ => library}/invalid_perm_maps/extra-class (100%) rename tests/{ => library}/invalid_perm_maps/extra-perms (100%) rename tests/{ => library}/invalid_perm_maps/invalid-flowdir (100%) rename tests/{ => library}/invalid_perm_maps/invalid-perm-weight (100%) rename tests/{ => library}/invalid_perm_maps/negative-classcount (100%) rename tests/{ => library}/invalid_perm_maps/negative-permcount (100%) rename tests/{ => library}/invalid_perm_maps/non-number-classcount (100%) rename tests/{ => library}/iomemconquery.conf (100%) rename tests/{ => library}/ioportconquery.conf (100%) rename tests/{ => library}/mixins.py (100%) rename tests/{ => library}/mlsrulequery.conf (100%) rename tests/{ => library}/netifconquery.conf (100%) rename tests/{ => library}/nodeconquery.conf (100%) rename tests/{ => library}/objclassquery.conf (100%) rename tests/{ => library}/pcideviceconquery.conf (100%) rename tests/{ => library}/perm_map (100%) rename tests/{ => library}/permmap.conf (100%) rename tests/{ => library}/pirqconquery.conf (100%) rename tests/{ => library}/polcapquery.conf (100%) create mode 100644 tests/library/policyrep/__init__.py rename tests/{ => library}/policyrep/initsid.conf (100%) rename tests/{ => library}/policyrep/invalid_policies/nodecon-invalid-range.conf (100%) rename tests/{ => library}/policyrep/invalid_policies/user-level-not-in-range.conf (100%) rename tests/{ => library}/policyrep/mls.conf (100%) rename tests/{ => library}/policyrep/objclass.conf (100%) rename tests/{ => library}/policyrep/role.conf (100%) rename tests/{ => library}/policyrep/selinuxpolicy.conf (100%) rename tests/{ => library}/policyrep/terule_issue74.conf (100%) rename tests/{ => library}/policyrep/test_default.py (100%) rename tests/{ => library}/policyrep/test_initsid.py (100%) rename tests/{ => library}/policyrep/test_mls.py (100%) rename tests/{ => library}/policyrep/test_mlsrule.py (100%) rename tests/{ => library}/policyrep/test_objclass.py (100%) rename tests/{ => library}/policyrep/test_polcap.py (100%) rename tests/{ => library}/policyrep/test_rbacrule.py (100%) rename tests/{ => library}/policyrep/test_role.py (100%) rename tests/{ => library}/policyrep/test_selinuxpolicy.py (99%) rename tests/{ => library}/policyrep/test_symbol.py (100%) rename tests/{ => library}/policyrep/test_terule.py (99%) rename tests/{ => library}/policyrep/test_typeattr.py (100%) rename tests/{ => library}/policyrep/test_user.py (100%) rename tests/{ => library}/policyrep/typeattr.conf (100%) rename tests/{ => library}/policyrep/user.conf (100%) rename tests/{ => library}/policyrep/util.py (100%) rename tests/{ => library}/portconquery.conf (100%) rename tests/{ => library}/rbacrulequery.conf (100%) rename tests/{ => library}/rolequery.conf (100%) rename tests/{ => library}/sensitivityquery.conf (100%) rename tests/{ => library}/terulequery.conf (100%) rename tests/{ => library}/terulequery.py (99%) rename tests/{ => library}/terulequery2.conf (100%) rename tests/{ => library}/test_boolquery.py (95%) rename tests/{ => library}/test_boundsquery.py (97%) rename tests/{ => library}/test_categoryquery.py (96%) rename tests/{ => library}/test_commonquery.py (96%) rename tests/{ => library}/test_conditionalinfoflow.py (97%) rename tests/{ => library}/test_constraintquery.py (98%) rename tests/{ => library}/test_defaultquery.py (97%) rename tests/{ => library}/test_devicetreeconquery.py (99%) rename tests/{ => library}/test_diff.py (99%) rename tests/{ => library}/test_dta.py (99%) rename tests/{ => library}/test_fsusequery.py (99%) rename tests/{ => library}/test_genfsconquery.py (99%) rename tests/{ => library}/test_ibendportconquery.py (99%) rename tests/{ => library}/test_ibpkeyconquery.py (99%) rename tests/{ => library}/test_infoflow.py (99%) rename tests/{ => library}/test_initsidquery.py (99%) rename tests/{ => library}/test_iomemconquery.py (99%) rename tests/{ => library}/test_ioportconquery.py (99%) rename tests/{ => library}/test_mlsrulequery.py (99%) rename tests/{ => library}/test_netifconquery.py (99%) rename tests/{ => library}/test_nodeconquery.py (99%) rename tests/{ => library}/test_objclassquery.py (98%) rename tests/{ => library}/test_pcideviceconquery.py (99%) rename tests/{ => library}/test_permmap.py (84%) rename tests/{ => library}/test_pirqconquery.py (98%) rename tests/{ => library}/test_polcapquery.py (94%) rename tests/{ => library}/test_portconquery.py (99%) rename tests/{ => library}/test_rbacrulequery.py (98%) rename tests/{ => library}/test_rolequery.py (97%) rename tests/{ => library}/test_sensitivityquery.py (97%) rename tests/{ => library}/test_typeattrquery.py (96%) rename tests/{ => library}/test_typequery.py (98%) rename tests/{ => library}/test_userquery.py (99%) rename tests/{ => library}/typeattrquery.conf (100%) rename tests/{ => library}/typequery.conf (100%) rename tests/{ => library}/userquery.conf (100%) diff --git a/tests/checker/__init__.py b/tests/library/__init__.py similarity index 100% rename from tests/checker/__init__.py rename to tests/library/__init__.py diff --git a/tests/boolquery.conf b/tests/library/boolquery.conf similarity index 100% rename from tests/boolquery.conf rename to tests/library/boolquery.conf diff --git a/tests/boundsquery.conf b/tests/library/boundsquery.conf similarity index 100% rename from tests/boundsquery.conf rename to tests/library/boundsquery.conf diff --git a/tests/categoryquery.conf b/tests/library/categoryquery.conf similarity index 100% rename from tests/categoryquery.conf rename to tests/library/categoryquery.conf diff --git a/tests/policyrep/__init__.py b/tests/library/checker/__init__.py similarity index 100% rename from tests/policyrep/__init__.py rename to tests/library/checker/__init__.py diff --git a/tests/checker/assertrbac.conf b/tests/library/checker/assertrbac.conf similarity index 100% rename from tests/checker/assertrbac.conf rename to tests/library/checker/assertrbac.conf diff --git a/tests/checker/assertte.conf b/tests/library/checker/assertte.conf similarity index 100% rename from tests/checker/assertte.conf rename to tests/library/checker/assertte.conf diff --git a/tests/checker/checker-invalidoption.ini b/tests/library/checker/checker-invalidoption.ini similarity index 100% rename from tests/checker/checker-invalidoption.ini rename to tests/library/checker/checker-invalidoption.ini diff --git a/tests/checker/checker-invalidtype.ini b/tests/library/checker/checker-invalidtype.ini similarity index 100% rename from tests/checker/checker-invalidtype.ini rename to tests/library/checker/checker-invalidtype.ini diff --git a/tests/checker/checker-invalidvalue.ini b/tests/library/checker/checker-invalidvalue.ini similarity index 100% rename from tests/checker/checker-invalidvalue.ini rename to tests/library/checker/checker-invalidvalue.ini diff --git a/tests/checker/checker-missingtype.ini b/tests/library/checker/checker-missingtype.ini similarity index 100% rename from tests/checker/checker-missingtype.ini rename to tests/library/checker/checker-missingtype.ini diff --git a/tests/checker/checker-valid.ini b/tests/library/checker/checker-valid.ini similarity index 100% rename from tests/checker/checker-valid.ini rename to tests/library/checker/checker-valid.ini diff --git a/tests/checker/checker.conf b/tests/library/checker/checker.conf similarity index 100% rename from tests/checker/checker.conf rename to tests/library/checker/checker.conf diff --git a/tests/checker/emptyattr.conf b/tests/library/checker/emptyattr.conf similarity index 100% rename from tests/checker/emptyattr.conf rename to tests/library/checker/emptyattr.conf diff --git a/tests/checker/roexec.conf b/tests/library/checker/roexec.conf similarity index 100% rename from tests/checker/roexec.conf rename to tests/library/checker/roexec.conf diff --git a/tests/checker/test_assertrbac.py b/tests/library/checker/test_assertrbac.py similarity index 99% rename from tests/checker/test_assertrbac.py rename to tests/library/checker/test_assertrbac.py index 3b7ef7d9..90aaf071 100644 --- a/tests/checker/test_assertrbac.py +++ b/tests/library/checker/test_assertrbac.py @@ -32,7 +32,7 @@ class AssertRBACTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/checker/assertrbac.conf") + cls.p = compile_policy("tests/library/checker/assertrbac.conf") @classmethod def tearDownClass(cls): diff --git a/tests/checker/test_assertte.py b/tests/library/checker/test_assertte.py similarity index 99% rename from tests/checker/test_assertte.py rename to tests/library/checker/test_assertte.py index d9319c5c..4d97b7e6 100644 --- a/tests/checker/test_assertte.py +++ b/tests/library/checker/test_assertte.py @@ -34,7 +34,7 @@ class AssertTETest(mixins.ValidateRule, unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/checker/assertte.conf") + cls.p = compile_policy("tests/library/checker/assertte.conf") @classmethod def tearDownClass(cls): diff --git a/tests/checker/test_checker.py b/tests/library/checker/test_checker.py similarity index 84% rename from tests/checker/test_checker.py rename to tests/library/checker/test_checker.py index 3fe37eb4..19b81e84 100644 --- a/tests/checker/test_checker.py +++ b/tests/library/checker/test_checker.py @@ -32,7 +32,7 @@ class PolicyCheckerTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/checker/checker.conf") + cls.p = compile_policy("tests/library/checker/checker.conf") @classmethod def tearDownClass(cls): @@ -46,27 +46,27 @@ def test_config_empty(self): def test_config_check_missing_type(self): """Test check missing check type""" with self.assertRaises(InvalidCheckerModule): - PolicyChecker(self.p, "tests/checker/checker-missingtype.ini") + PolicyChecker(self.p, "tests/library/checker/checker-missingtype.ini") def test_config_check_invalid_type(self): """Test check invalid check type""" with self.assertRaises(InvalidCheckerModule): - PolicyChecker(self.p, "tests/checker/checker-invalidtype.ini") + PolicyChecker(self.p, "tests/library/checker/checker-invalidtype.ini") def test_config_check_invalid_option(self): """Test check invalid check option""" with self.assertRaises(InvalidCheckOption): - PolicyChecker(self.p, "tests/checker/checker-invalidoption.ini") + PolicyChecker(self.p, "tests/library/checker/checker-invalidoption.ini") def test_config_check_invalid_value(self): """Test check invalid check type""" with self.assertRaises(InvalidCheckValue): - PolicyChecker(self.p, "tests/checker/checker-invalidvalue.ini") + PolicyChecker(self.p, "tests/library/checker/checker-invalidvalue.ini") def test_run_pass(self): """Test run with passing config.""" with open(os.devnull, "w") as fd: - checker = PolicyChecker(self.p, "tests/checker/checker-valid.ini") + checker = PolicyChecker(self.p, "tests/library/checker/checker-valid.ini") # create additional disabled mock test newcheck = Mock() @@ -84,7 +84,7 @@ def test_run_pass(self): def test_run_fail(self): """Test run with failing config.""" with open(os.devnull, "w") as fd: - checker = PolicyChecker(self.p, "tests/checker/checker-valid.ini") + checker = PolicyChecker(self.p, "tests/library/checker/checker-valid.ini") # create additional failing mock test newcheck = Mock() diff --git a/tests/checker/test_emptyattr.py b/tests/library/checker/test_emptyattr.py similarity index 98% rename from tests/checker/test_emptyattr.py rename to tests/library/checker/test_emptyattr.py index 3d44ff43..320cba82 100644 --- a/tests/checker/test_emptyattr.py +++ b/tests/library/checker/test_emptyattr.py @@ -30,7 +30,7 @@ class EmptyTypeAttrTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/checker/emptyattr.conf") + cls.p = compile_policy("tests/library/checker/emptyattr.conf") @classmethod def tearDownClass(cls): diff --git a/tests/checker/test_roexec.py b/tests/library/checker/test_roexec.py similarity index 98% rename from tests/checker/test_roexec.py rename to tests/library/checker/test_roexec.py index 19b028c5..d948110b 100644 --- a/tests/checker/test_roexec.py +++ b/tests/library/checker/test_roexec.py @@ -30,7 +30,7 @@ class ReadOnlyExecutablesTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/checker/roexec.conf") + cls.p = compile_policy("tests/library/checker/roexec.conf") @classmethod def tearDownClass(cls): diff --git a/tests/checker/util.py b/tests/library/checker/util.py similarity index 100% rename from tests/checker/util.py rename to tests/library/checker/util.py diff --git a/tests/commonquery.conf b/tests/library/commonquery.conf similarity index 100% rename from tests/commonquery.conf rename to tests/library/commonquery.conf diff --git a/tests/conditionalinfoflow.conf b/tests/library/conditionalinfoflow.conf similarity index 100% rename from tests/conditionalinfoflow.conf rename to tests/library/conditionalinfoflow.conf diff --git a/tests/constraintquery.conf b/tests/library/constraintquery.conf similarity index 100% rename from tests/constraintquery.conf rename to tests/library/constraintquery.conf diff --git a/tests/defaultquery.conf b/tests/library/defaultquery.conf similarity index 100% rename from tests/defaultquery.conf rename to tests/library/defaultquery.conf diff --git a/tests/devicetreeconquery.conf b/tests/library/devicetreeconquery.conf similarity index 100% rename from tests/devicetreeconquery.conf rename to tests/library/devicetreeconquery.conf diff --git a/tests/diff_left.conf b/tests/library/diff_left.conf similarity index 100% rename from tests/diff_left.conf rename to tests/library/diff_left.conf diff --git a/tests/diff_left_redundant.conf b/tests/library/diff_left_redundant.conf similarity index 100% rename from tests/diff_left_redundant.conf rename to tests/library/diff_left_redundant.conf diff --git a/tests/diff_left_standard.conf b/tests/library/diff_left_standard.conf similarity index 100% rename from tests/diff_left_standard.conf rename to tests/library/diff_left_standard.conf diff --git a/tests/diff_right.conf b/tests/library/diff_right.conf similarity index 100% rename from tests/diff_right.conf rename to tests/library/diff_right.conf diff --git a/tests/diff_right_rmisid.conf b/tests/library/diff_right_rmisid.conf similarity index 100% rename from tests/diff_right_rmisid.conf rename to tests/library/diff_right_rmisid.conf diff --git a/tests/dta.conf b/tests/library/dta.conf similarity index 100% rename from tests/dta.conf rename to tests/library/dta.conf diff --git a/tests/fsusequery.conf b/tests/library/fsusequery.conf similarity index 100% rename from tests/fsusequery.conf rename to tests/library/fsusequery.conf diff --git a/tests/genfsconquery.conf b/tests/library/genfsconquery.conf similarity index 100% rename from tests/genfsconquery.conf rename to tests/library/genfsconquery.conf diff --git a/tests/ibendportconquery.conf b/tests/library/ibendportconquery.conf similarity index 100% rename from tests/ibendportconquery.conf rename to tests/library/ibendportconquery.conf diff --git a/tests/ibpkeyconquery.conf b/tests/library/ibpkeyconquery.conf similarity index 100% rename from tests/ibpkeyconquery.conf rename to tests/library/ibpkeyconquery.conf diff --git a/tests/infoflow.conf b/tests/library/infoflow.conf similarity index 100% rename from tests/infoflow.conf rename to tests/library/infoflow.conf diff --git a/tests/initsidquery.conf b/tests/library/initsidquery.conf similarity index 100% rename from tests/initsidquery.conf rename to tests/library/initsidquery.conf diff --git a/tests/invalid_perm_maps/bad-class-keyword b/tests/library/invalid_perm_maps/bad-class-keyword similarity index 100% rename from tests/invalid_perm_maps/bad-class-keyword rename to tests/library/invalid_perm_maps/bad-class-keyword diff --git a/tests/invalid_perm_maps/bad-perm-weight-high b/tests/library/invalid_perm_maps/bad-perm-weight-high similarity index 100% rename from tests/invalid_perm_maps/bad-perm-weight-high rename to tests/library/invalid_perm_maps/bad-perm-weight-high diff --git a/tests/invalid_perm_maps/bad-perm-weight-low b/tests/library/invalid_perm_maps/bad-perm-weight-low similarity index 100% rename from tests/invalid_perm_maps/bad-perm-weight-low rename to tests/library/invalid_perm_maps/bad-perm-weight-low diff --git a/tests/invalid_perm_maps/bad-permcount b/tests/library/invalid_perm_maps/bad-permcount similarity index 100% rename from tests/invalid_perm_maps/bad-permcount rename to tests/library/invalid_perm_maps/bad-permcount diff --git a/tests/invalid_perm_maps/extra-class b/tests/library/invalid_perm_maps/extra-class similarity index 100% rename from tests/invalid_perm_maps/extra-class rename to tests/library/invalid_perm_maps/extra-class diff --git a/tests/invalid_perm_maps/extra-perms b/tests/library/invalid_perm_maps/extra-perms similarity index 100% rename from tests/invalid_perm_maps/extra-perms rename to tests/library/invalid_perm_maps/extra-perms diff --git a/tests/invalid_perm_maps/invalid-flowdir b/tests/library/invalid_perm_maps/invalid-flowdir similarity index 100% rename from tests/invalid_perm_maps/invalid-flowdir rename to tests/library/invalid_perm_maps/invalid-flowdir diff --git a/tests/invalid_perm_maps/invalid-perm-weight b/tests/library/invalid_perm_maps/invalid-perm-weight similarity index 100% rename from tests/invalid_perm_maps/invalid-perm-weight rename to tests/library/invalid_perm_maps/invalid-perm-weight diff --git a/tests/invalid_perm_maps/negative-classcount b/tests/library/invalid_perm_maps/negative-classcount similarity index 100% rename from tests/invalid_perm_maps/negative-classcount rename to tests/library/invalid_perm_maps/negative-classcount diff --git a/tests/invalid_perm_maps/negative-permcount b/tests/library/invalid_perm_maps/negative-permcount similarity index 100% rename from tests/invalid_perm_maps/negative-permcount rename to tests/library/invalid_perm_maps/negative-permcount diff --git a/tests/invalid_perm_maps/non-number-classcount b/tests/library/invalid_perm_maps/non-number-classcount similarity index 100% rename from tests/invalid_perm_maps/non-number-classcount rename to tests/library/invalid_perm_maps/non-number-classcount diff --git a/tests/iomemconquery.conf b/tests/library/iomemconquery.conf similarity index 100% rename from tests/iomemconquery.conf rename to tests/library/iomemconquery.conf diff --git a/tests/ioportconquery.conf b/tests/library/ioportconquery.conf similarity index 100% rename from tests/ioportconquery.conf rename to tests/library/ioportconquery.conf diff --git a/tests/mixins.py b/tests/library/mixins.py similarity index 100% rename from tests/mixins.py rename to tests/library/mixins.py diff --git a/tests/mlsrulequery.conf b/tests/library/mlsrulequery.conf similarity index 100% rename from tests/mlsrulequery.conf rename to tests/library/mlsrulequery.conf diff --git a/tests/netifconquery.conf b/tests/library/netifconquery.conf similarity index 100% rename from tests/netifconquery.conf rename to tests/library/netifconquery.conf diff --git a/tests/nodeconquery.conf b/tests/library/nodeconquery.conf similarity index 100% rename from tests/nodeconquery.conf rename to tests/library/nodeconquery.conf diff --git a/tests/objclassquery.conf b/tests/library/objclassquery.conf similarity index 100% rename from tests/objclassquery.conf rename to tests/library/objclassquery.conf diff --git a/tests/pcideviceconquery.conf b/tests/library/pcideviceconquery.conf similarity index 100% rename from tests/pcideviceconquery.conf rename to tests/library/pcideviceconquery.conf diff --git a/tests/perm_map b/tests/library/perm_map similarity index 100% rename from tests/perm_map rename to tests/library/perm_map diff --git a/tests/permmap.conf b/tests/library/permmap.conf similarity index 100% rename from tests/permmap.conf rename to tests/library/permmap.conf diff --git a/tests/pirqconquery.conf b/tests/library/pirqconquery.conf similarity index 100% rename from tests/pirqconquery.conf rename to tests/library/pirqconquery.conf diff --git a/tests/polcapquery.conf b/tests/library/polcapquery.conf similarity index 100% rename from tests/polcapquery.conf rename to tests/library/polcapquery.conf diff --git a/tests/library/policyrep/__init__.py b/tests/library/policyrep/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/tests/policyrep/initsid.conf b/tests/library/policyrep/initsid.conf similarity index 100% rename from tests/policyrep/initsid.conf rename to tests/library/policyrep/initsid.conf diff --git a/tests/policyrep/invalid_policies/nodecon-invalid-range.conf b/tests/library/policyrep/invalid_policies/nodecon-invalid-range.conf similarity index 100% rename from tests/policyrep/invalid_policies/nodecon-invalid-range.conf rename to tests/library/policyrep/invalid_policies/nodecon-invalid-range.conf diff --git a/tests/policyrep/invalid_policies/user-level-not-in-range.conf b/tests/library/policyrep/invalid_policies/user-level-not-in-range.conf similarity index 100% rename from tests/policyrep/invalid_policies/user-level-not-in-range.conf rename to tests/library/policyrep/invalid_policies/user-level-not-in-range.conf diff --git a/tests/policyrep/mls.conf b/tests/library/policyrep/mls.conf similarity index 100% rename from tests/policyrep/mls.conf rename to tests/library/policyrep/mls.conf diff --git a/tests/policyrep/objclass.conf b/tests/library/policyrep/objclass.conf similarity index 100% rename from tests/policyrep/objclass.conf rename to tests/library/policyrep/objclass.conf diff --git a/tests/policyrep/role.conf b/tests/library/policyrep/role.conf similarity index 100% rename from tests/policyrep/role.conf rename to tests/library/policyrep/role.conf diff --git a/tests/policyrep/selinuxpolicy.conf b/tests/library/policyrep/selinuxpolicy.conf similarity index 100% rename from tests/policyrep/selinuxpolicy.conf rename to tests/library/policyrep/selinuxpolicy.conf diff --git a/tests/policyrep/terule_issue74.conf b/tests/library/policyrep/terule_issue74.conf similarity index 100% rename from tests/policyrep/terule_issue74.conf rename to tests/library/policyrep/terule_issue74.conf diff --git a/tests/policyrep/test_default.py b/tests/library/policyrep/test_default.py similarity index 100% rename from tests/policyrep/test_default.py rename to tests/library/policyrep/test_default.py diff --git a/tests/policyrep/test_initsid.py b/tests/library/policyrep/test_initsid.py similarity index 100% rename from tests/policyrep/test_initsid.py rename to tests/library/policyrep/test_initsid.py diff --git a/tests/policyrep/test_mls.py b/tests/library/policyrep/test_mls.py similarity index 100% rename from tests/policyrep/test_mls.py rename to tests/library/policyrep/test_mls.py diff --git a/tests/policyrep/test_mlsrule.py b/tests/library/policyrep/test_mlsrule.py similarity index 100% rename from tests/policyrep/test_mlsrule.py rename to tests/library/policyrep/test_mlsrule.py diff --git a/tests/policyrep/test_objclass.py b/tests/library/policyrep/test_objclass.py similarity index 100% rename from tests/policyrep/test_objclass.py rename to tests/library/policyrep/test_objclass.py diff --git a/tests/policyrep/test_polcap.py b/tests/library/policyrep/test_polcap.py similarity index 100% rename from tests/policyrep/test_polcap.py rename to tests/library/policyrep/test_polcap.py diff --git a/tests/policyrep/test_rbacrule.py b/tests/library/policyrep/test_rbacrule.py similarity index 100% rename from tests/policyrep/test_rbacrule.py rename to tests/library/policyrep/test_rbacrule.py diff --git a/tests/policyrep/test_role.py b/tests/library/policyrep/test_role.py similarity index 100% rename from tests/policyrep/test_role.py rename to tests/library/policyrep/test_role.py diff --git a/tests/policyrep/test_selinuxpolicy.py b/tests/library/policyrep/test_selinuxpolicy.py similarity index 99% rename from tests/policyrep/test_selinuxpolicy.py rename to tests/library/policyrep/test_selinuxpolicy.py index ddca49b9..648c6467 100644 --- a/tests/policyrep/test_selinuxpolicy.py +++ b/tests/library/policyrep/test_selinuxpolicy.py @@ -18,7 +18,7 @@ class SELinuxPolicyTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/policyrep/selinuxpolicy.conf") + cls.p = compile_policy("tests/library/policyrep/selinuxpolicy.conf") @classmethod def tearDownClass(cls): diff --git a/tests/policyrep/test_symbol.py b/tests/library/policyrep/test_symbol.py similarity index 100% rename from tests/policyrep/test_symbol.py rename to tests/library/policyrep/test_symbol.py diff --git a/tests/policyrep/test_terule.py b/tests/library/policyrep/test_terule.py similarity index 99% rename from tests/policyrep/test_terule.py rename to tests/library/policyrep/test_terule.py index 4603f330..39ecb5e0 100644 --- a/tests/policyrep/test_terule.py +++ b/tests/library/policyrep/test_terule.py @@ -260,7 +260,7 @@ class AVRuleXpermTestIssue74(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/policyrep/terule_issue74.conf") + cls.p = compile_policy("tests/library/policyrep/terule_issue74.conf") def test_issue74_regression(self): """Regression test for GitHub issue 74.""" diff --git a/tests/policyrep/test_typeattr.py b/tests/library/policyrep/test_typeattr.py similarity index 100% rename from tests/policyrep/test_typeattr.py rename to tests/library/policyrep/test_typeattr.py diff --git a/tests/policyrep/test_user.py b/tests/library/policyrep/test_user.py similarity index 100% rename from tests/policyrep/test_user.py rename to tests/library/policyrep/test_user.py diff --git a/tests/policyrep/typeattr.conf b/tests/library/policyrep/typeattr.conf similarity index 100% rename from tests/policyrep/typeattr.conf rename to tests/library/policyrep/typeattr.conf diff --git a/tests/policyrep/user.conf b/tests/library/policyrep/user.conf similarity index 100% rename from tests/policyrep/user.conf rename to tests/library/policyrep/user.conf diff --git a/tests/policyrep/util.py b/tests/library/policyrep/util.py similarity index 100% rename from tests/policyrep/util.py rename to tests/library/policyrep/util.py diff --git a/tests/portconquery.conf b/tests/library/portconquery.conf similarity index 100% rename from tests/portconquery.conf rename to tests/library/portconquery.conf diff --git a/tests/rbacrulequery.conf b/tests/library/rbacrulequery.conf similarity index 100% rename from tests/rbacrulequery.conf rename to tests/library/rbacrulequery.conf diff --git a/tests/rolequery.conf b/tests/library/rolequery.conf similarity index 100% rename from tests/rolequery.conf rename to tests/library/rolequery.conf diff --git a/tests/sensitivityquery.conf b/tests/library/sensitivityquery.conf similarity index 100% rename from tests/sensitivityquery.conf rename to tests/library/sensitivityquery.conf diff --git a/tests/terulequery.conf b/tests/library/terulequery.conf similarity index 100% rename from tests/terulequery.conf rename to tests/library/terulequery.conf diff --git a/tests/terulequery.py b/tests/library/terulequery.py similarity index 99% rename from tests/terulequery.py rename to tests/library/terulequery.py index 61b619b3..1d9b9d92 100644 --- a/tests/terulequery.py +++ b/tests/library/terulequery.py @@ -20,7 +20,7 @@ class TERuleQueryTest(mixins.ValidateRule, unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/terulequery.conf") + cls.p = compile_policy("tests/library/terulequery.conf") @classmethod def tearDownClass(cls): @@ -286,7 +286,7 @@ class TERuleQueryXperm(mixins.ValidateRule, unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/terulequery2.conf") + cls.p = compile_policy("tests/library/terulequery2.conf") @classmethod def tearDownClass(cls): diff --git a/tests/terulequery2.conf b/tests/library/terulequery2.conf similarity index 100% rename from tests/terulequery2.conf rename to tests/library/terulequery2.conf diff --git a/tests/test_boolquery.py b/tests/library/test_boolquery.py similarity index 95% rename from tests/test_boolquery.py rename to tests/library/test_boolquery.py index 5d083b90..ae70fd84 100644 --- a/tests/test_boolquery.py +++ b/tests/library/test_boolquery.py @@ -14,7 +14,7 @@ class BoolQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/boolquery.conf") + cls.p = compile_policy("tests/library/boolquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_boundsquery.py b/tests/library/test_boundsquery.py similarity index 97% rename from tests/test_boundsquery.py rename to tests/library/test_boundsquery.py index f1be083a..17a857f7 100644 --- a/tests/test_boundsquery.py +++ b/tests/library/test_boundsquery.py @@ -14,7 +14,7 @@ class BoundsQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/boundsquery.conf") + cls.p = compile_policy("tests/library/boundsquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_categoryquery.py b/tests/library/test_categoryquery.py similarity index 96% rename from tests/test_categoryquery.py rename to tests/library/test_categoryquery.py index ba9a7004..6de14193 100644 --- a/tests/test_categoryquery.py +++ b/tests/library/test_categoryquery.py @@ -14,7 +14,7 @@ class CategoryQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/categoryquery.conf") + cls.p = compile_policy("tests/library/categoryquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_commonquery.py b/tests/library/test_commonquery.py similarity index 96% rename from tests/test_commonquery.py rename to tests/library/test_commonquery.py index ae031850..1b3de495 100644 --- a/tests/test_commonquery.py +++ b/tests/library/test_commonquery.py @@ -14,7 +14,7 @@ class CommonQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/commonquery.conf") + cls.p = compile_policy("tests/library/commonquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_conditionalinfoflow.py b/tests/library/test_conditionalinfoflow.py similarity index 97% rename from tests/test_conditionalinfoflow.py rename to tests/library/test_conditionalinfoflow.py index 71bdf8f2..53e427d8 100644 --- a/tests/test_conditionalinfoflow.py +++ b/tests/library/test_conditionalinfoflow.py @@ -25,8 +25,8 @@ class ConditionalInfoFlowAnalysisTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/conditionalinfoflow.conf", mls=False) - cls.m = PermissionMap("tests/perm_map") + cls.p = compile_policy("tests/library/conditionalinfoflow.conf", mls=False) + cls.m = PermissionMap("tests/library/perm_map") cls.a = InfoFlowAnalysis(cls.p, cls.m) @classmethod diff --git a/tests/test_constraintquery.py b/tests/library/test_constraintquery.py similarity index 98% rename from tests/test_constraintquery.py rename to tests/library/test_constraintquery.py index 97055317..e30b1048 100644 --- a/tests/test_constraintquery.py +++ b/tests/library/test_constraintquery.py @@ -14,7 +14,7 @@ class ConstraintQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/constraintquery.conf") + cls.p = compile_policy("tests/library/constraintquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_defaultquery.py b/tests/library/test_defaultquery.py similarity index 97% rename from tests/test_defaultquery.py rename to tests/library/test_defaultquery.py index 9e673ebb..683e2a8e 100644 --- a/tests/test_defaultquery.py +++ b/tests/library/test_defaultquery.py @@ -15,7 +15,7 @@ class DefaultQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/defaultquery.conf") + cls.p = compile_policy("tests/library/defaultquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_devicetreeconquery.py b/tests/library/test_devicetreeconquery.py similarity index 99% rename from tests/test_devicetreeconquery.py rename to tests/library/test_devicetreeconquery.py index 470356cf..17eb730d 100644 --- a/tests/test_devicetreeconquery.py +++ b/tests/library/test_devicetreeconquery.py @@ -14,7 +14,7 @@ class DevicetreeconQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/devicetreeconquery.conf", xen=True) + cls.p = compile_policy("tests/library/devicetreeconquery.conf", xen=True) @classmethod def tearDownClass(cls): diff --git a/tests/test_diff.py b/tests/library/test_diff.py similarity index 99% rename from tests/test_diff.py rename to tests/library/test_diff.py index 986c8cc7..681cbc37 100644 --- a/tests/test_diff.py +++ b/tests/library/test_diff.py @@ -29,8 +29,8 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase): @classmethod def setUpClass(cls): - cls.p_left = compile_policy("tests/diff_left.conf") - cls.p_right = compile_policy("tests/diff_right.conf") + cls.p_left = compile_policy("tests/library/diff_left.conf") + cls.p_right = compile_policy("tests/library/diff_right.conf") cls.diff = PolicyDifference(cls.p_left, cls.p_right) @classmethod @@ -1951,8 +1951,8 @@ class PolicyDifferenceRmIsidTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p_left = compile_policy("tests/diff_left.conf") - cls.p_right = compile_policy("tests/diff_right_rmisid.conf") + cls.p_left = compile_policy("tests/library/diff_left.conf") + cls.p_right = compile_policy("tests/library/diff_right_rmisid.conf") cls.diff = PolicyDifference(cls.p_left, cls.p_right) @classmethod @@ -1971,8 +1971,8 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p_left = compile_policy("tests/diff_left.conf") - cls.p_right = compile_policy("tests/diff_left.conf") + cls.p_left = compile_policy("tests/library/diff_left.conf") + cls.p_right = compile_policy("tests/library/diff_left.conf") cls.diff = PolicyDifference(cls.p_left, cls.p_right) @classmethod @@ -2440,8 +2440,8 @@ class PolicyDifferenceTestMLStoStandard(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p_left = compile_policy("tests/diff_left.conf") - cls.p_right = compile_policy("tests/diff_left_standard.conf", mls=False) + cls.p_left = compile_policy("tests/library/diff_left.conf") + cls.p_right = compile_policy("tests/library/diff_left_standard.conf", mls=False) cls.diff = PolicyDifference(cls.p_left, cls.p_right) @classmethod @@ -2923,8 +2923,8 @@ class PolicyDifferenceTestRedundant(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p_left = compile_policy("tests/diff_left.conf") - cls.p_right = compile_policy("tests/diff_left_redundant.conf") + cls.p_left = compile_policy("tests/library/diff_left.conf") + cls.p_right = compile_policy("tests/library/diff_left_redundant.conf") cls.diff = PolicyDifference(cls.p_left, cls.p_right) @classmethod diff --git a/tests/test_dta.py b/tests/library/test_dta.py similarity index 99% rename from tests/test_dta.py rename to tests/library/test_dta.py index 2398b3f8..2c9e73e1 100644 --- a/tests/test_dta.py +++ b/tests/library/test_dta.py @@ -18,7 +18,7 @@ class DomainTransitionAnalysisTest(mixins.ValidateRule, unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/dta.conf") + cls.p = compile_policy("tests/library/dta.conf") cls.a = DomainTransitionAnalysis(cls.p) cls.a._build_graph() diff --git a/tests/test_fsusequery.py b/tests/library/test_fsusequery.py similarity index 99% rename from tests/test_fsusequery.py rename to tests/library/test_fsusequery.py index 4b5be832..5319308b 100644 --- a/tests/test_fsusequery.py +++ b/tests/library/test_fsusequery.py @@ -14,7 +14,7 @@ class FSUseQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/fsusequery.conf") + cls.p = compile_policy("tests/library/fsusequery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_genfsconquery.py b/tests/library/test_genfsconquery.py similarity index 99% rename from tests/test_genfsconquery.py rename to tests/library/test_genfsconquery.py index 472fcde0..2248c2c2 100644 --- a/tests/test_genfsconquery.py +++ b/tests/library/test_genfsconquery.py @@ -15,7 +15,7 @@ class GenfsconQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/genfsconquery.conf") + cls.p = compile_policy("tests/library/genfsconquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_ibendportconquery.py b/tests/library/test_ibendportconquery.py similarity index 99% rename from tests/test_ibendportconquery.py rename to tests/library/test_ibendportconquery.py index 14fd2480..0ec282dc 100644 --- a/tests/test_ibendportconquery.py +++ b/tests/library/test_ibendportconquery.py @@ -14,7 +14,7 @@ class IbendportconQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/ibendportconquery.conf") + cls.p = compile_policy("tests/library/ibendportconquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_ibpkeyconquery.py b/tests/library/test_ibpkeyconquery.py similarity index 99% rename from tests/test_ibpkeyconquery.py rename to tests/library/test_ibpkeyconquery.py index 6a1fa465..308e5168 100644 --- a/tests/test_ibpkeyconquery.py +++ b/tests/library/test_ibpkeyconquery.py @@ -14,7 +14,7 @@ class IbpkeyconQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/ibpkeyconquery.conf") + cls.p = compile_policy("tests/library/ibpkeyconquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_infoflow.py b/tests/library/test_infoflow.py similarity index 99% rename from tests/test_infoflow.py rename to tests/library/test_infoflow.py index ba2983f6..d6ed4539 100644 --- a/tests/test_infoflow.py +++ b/tests/library/test_infoflow.py @@ -25,8 +25,8 @@ class InfoFlowAnalysisTest(mixins.ValidateRule, unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/infoflow.conf") - cls.m = PermissionMap("tests/perm_map") + cls.p = compile_policy("tests/library/infoflow.conf") + cls.m = PermissionMap("tests/library/perm_map") cls.a = InfoFlowAnalysis(cls.p, cls.m) @classmethod diff --git a/tests/test_initsidquery.py b/tests/library/test_initsidquery.py similarity index 99% rename from tests/test_initsidquery.py rename to tests/library/test_initsidquery.py index cf79555d..6f05cec6 100644 --- a/tests/test_initsidquery.py +++ b/tests/library/test_initsidquery.py @@ -14,7 +14,7 @@ class InitialSIDQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/initsidquery.conf") + cls.p = compile_policy("tests/library/initsidquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_iomemconquery.py b/tests/library/test_iomemconquery.py similarity index 99% rename from tests/test_iomemconquery.py rename to tests/library/test_iomemconquery.py index 03b33f45..1e27597b 100644 --- a/tests/test_iomemconquery.py +++ b/tests/library/test_iomemconquery.py @@ -14,7 +14,7 @@ class IomemconQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/iomemconquery.conf", xen=True) + cls.p = compile_policy("tests/library/iomemconquery.conf", xen=True) @classmethod def tearDownClass(cls): diff --git a/tests/test_ioportconquery.py b/tests/library/test_ioportconquery.py similarity index 99% rename from tests/test_ioportconquery.py rename to tests/library/test_ioportconquery.py index d472c55a..f0ace2ee 100644 --- a/tests/test_ioportconquery.py +++ b/tests/library/test_ioportconquery.py @@ -14,7 +14,7 @@ class IoportconQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/ioportconquery.conf", xen=True) + cls.p = compile_policy("tests/library/ioportconquery.conf", xen=True) @classmethod def tearDownClass(cls): diff --git a/tests/test_mlsrulequery.py b/tests/library/test_mlsrulequery.py similarity index 99% rename from tests/test_mlsrulequery.py rename to tests/library/test_mlsrulequery.py index 4d9fb2ae..37265a34 100644 --- a/tests/test_mlsrulequery.py +++ b/tests/library/test_mlsrulequery.py @@ -22,7 +22,7 @@ class MLSRuleQueryTest(mixins.ValidateRule, unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/mlsrulequery.conf") + cls.p = compile_policy("tests/library/mlsrulequery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_netifconquery.py b/tests/library/test_netifconquery.py similarity index 99% rename from tests/test_netifconquery.py rename to tests/library/test_netifconquery.py index 4cdb9390..9a7214bf 100644 --- a/tests/test_netifconquery.py +++ b/tests/library/test_netifconquery.py @@ -14,7 +14,7 @@ class NetifconQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/netifconquery.conf") + cls.p = compile_policy("tests/library/netifconquery.conf") def test_000_unset(self): """Netifcon query with no criteria""" diff --git a/tests/test_nodeconquery.py b/tests/library/test_nodeconquery.py similarity index 99% rename from tests/test_nodeconquery.py rename to tests/library/test_nodeconquery.py index 7c0f40d6..0739fd33 100644 --- a/tests/test_nodeconquery.py +++ b/tests/library/test_nodeconquery.py @@ -17,7 +17,7 @@ class NodeconQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/nodeconquery.conf") + cls.p = compile_policy("tests/library/nodeconquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_objclassquery.py b/tests/library/test_objclassquery.py similarity index 98% rename from tests/test_objclassquery.py rename to tests/library/test_objclassquery.py index a0f7284b..ee1ea4dc 100644 --- a/tests/test_objclassquery.py +++ b/tests/library/test_objclassquery.py @@ -14,7 +14,7 @@ class ObjClassQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/objclassquery.conf") + cls.p = compile_policy("tests/library/objclassquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_pcideviceconquery.py b/tests/library/test_pcideviceconquery.py similarity index 99% rename from tests/test_pcideviceconquery.py rename to tests/library/test_pcideviceconquery.py index a8d4d7e0..c6bcfd46 100644 --- a/tests/test_pcideviceconquery.py +++ b/tests/library/test_pcideviceconquery.py @@ -14,7 +14,7 @@ class PcideviceconQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/pcideviceconquery.conf", xen=True) + cls.p = compile_policy("tests/library/pcideviceconquery.conf", xen=True) @classmethod def tearDownClass(cls): diff --git a/tests/test_permmap.py b/tests/library/test_permmap.py similarity index 84% rename from tests/test_permmap.py rename to tests/library/test_permmap.py index 6388d5f0..c112ace2 100644 --- a/tests/test_permmap.py +++ b/tests/library/test_permmap.py @@ -19,7 +19,7 @@ class PermissionMapTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/permmap.conf") + cls.p = compile_policy("tests/library/permmap.conf") @classmethod def tearDownClass(cls): @@ -42,7 +42,7 @@ def validate_permmap_entry(self, permmap, cls, perm, direction, weight, enabled) def test_001_load(self): """PermMap open from path.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") # validate permission map contents self.assertEqual(5, len(permmap._permmap)) @@ -92,70 +92,70 @@ def test_002_load_invalid(self): def test_002_load_negative_class_count(self): """PermMap load negative class count""" with self.assertRaises(PermissionMapParseError): - PermissionMap("tests/invalid_perm_maps/negative-classcount") + PermissionMap("tests/library/invalid_perm_maps/negative-classcount") def test_003_load_non_number_class_count(self): """PermMap load non-number class count""" with self.assertRaises(PermissionMapParseError): - PermissionMap("tests/invalid_perm_maps/non-number-classcount") + PermissionMap("tests/library/invalid_perm_maps/non-number-classcount") def test_004_load_extra_class(self): """PermMap load extra class""" with self.assertRaises(PermissionMapParseError): - PermissionMap("tests/invalid_perm_maps/extra-class") + PermissionMap("tests/library/invalid_perm_maps/extra-class") def test_005_load_bad_class_keyword(self): """PermMap load bad class keyword""" with self.assertRaises(PermissionMapParseError): - PermissionMap("tests/invalid_perm_maps/bad-class-keyword") + PermissionMap("tests/library/invalid_perm_maps/bad-class-keyword") # test 6: bad class name(?) def test_007_load_negative_perm_count(self): """PermMap load negative permission count""" with self.assertRaises(PermissionMapParseError): - PermissionMap("tests/invalid_perm_maps/negative-permcount") + PermissionMap("tests/library/invalid_perm_maps/negative-permcount") def test_008_load_bad_perm_count(self): """PermMap load bad permission count""" with self.assertRaises(PermissionMapParseError): - PermissionMap("tests/invalid_perm_maps/bad-permcount") + PermissionMap("tests/library/invalid_perm_maps/bad-permcount") # test 9: bad perm name(?) def test_010_load_extra_perms(self): """PermMap load negative permission count""" with self.assertRaises(PermissionMapParseError): - PermissionMap("tests/invalid_perm_maps/extra-perms") + PermissionMap("tests/library/invalid_perm_maps/extra-perms") def test_011_load_invalid_flow_direction(self): """PermMap load invalid flow direction""" with self.assertRaises(PermissionMapParseError): - PermissionMap("tests/invalid_perm_maps/invalid-flowdir") + PermissionMap("tests/library/invalid_perm_maps/invalid-flowdir") def test_012_load_bad_perm_weight(self): """PermMap load too high/low permission weight""" with self.assertRaises(PermissionMapParseError): - PermissionMap("tests/invalid_perm_maps/bad-perm-weight-high") + PermissionMap("tests/library/invalid_perm_maps/bad-perm-weight-high") with self.assertRaises(PermissionMapParseError): - PermissionMap("tests/invalid_perm_maps/bad-perm-weight-low") + PermissionMap("tests/library/invalid_perm_maps/bad-perm-weight-low") def test_013_load_invalid_weight(self): """PermMap load invalid permission weight""" with self.assertRaises(PermissionMapParseError): - PermissionMap("tests/invalid_perm_maps/invalid-perm-weight") + PermissionMap("tests/library/invalid_perm_maps/invalid-perm-weight") def test_100_set_weight(self): """PermMap set weight""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'low_w', 'w', 1, True) permmap.set_weight("infoflow2", "low_w", 10) self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'low_w', 'w', 10, True) def test_101_set_weight_low(self): """PermMap set weight low""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(ValueError): permmap.set_weight("infoflow2", "low_w", 0) @@ -164,7 +164,7 @@ def test_101_set_weight_low(self): def test_102_set_weight_low(self): """PermMap set weight high""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(ValueError): permmap.set_weight("infoflow2", "low_w", 11) @@ -173,62 +173,62 @@ def test_102_set_weight_low(self): def test_103_set_weight_unmapped_class(self): """PermMap set weight unmapped class""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(UnmappedClass): permmap.set_weight("UNMAPPED", "write", 10) def test_104_set_weight_unmapped_permission(self): """PermMap set weight unmapped class""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(UnmappedPermission): permmap.set_weight("infoflow2", "UNMAPPED", 10) def test_110_set_direction(self): """PermMap set direction""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'low_w', 'w', 1, True) permmap.set_direction("infoflow2", "low_w", "r") self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'low_w', 'r', 1, True) def test_111_set_direction_invalid(self): """PermMap set invalid direction""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(ValueError): permmap.set_direction("infoflow2", "low_w", "X") def test_112_set_direction_unmapped_class(self): """PermMap set direction unmapped class""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(UnmappedClass): permmap.set_direction("UNMAPPED", "write", "w") def test_113_set_direction_unmapped_permission(self): """PermMap set direction unmapped class""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(UnmappedPermission): permmap.set_direction("infoflow2", "UNMAPPED", "w") def test_120_exclude_perm(self): """PermMap exclude permission.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") permmap.exclude_permission("infoflow", "med_w") self.validate_permmap_entry(permmap._permmap, 'infoflow', 'med_w', 'w', 5, False) def test_121_exclude_perm_unmapped_class(self): """PermMap exclude permission unmapped class.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(UnmappedClass): permmap.exclude_permission("UNMAPPED", "med_w") def test_122_exclude_perm_unmapped_perm(self): """PermMap exclude permission unmapped permission.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(UnmappedPermission): permmap.exclude_permission("infoflow", "UNMAPPED") def test_123_include_perm(self): """PermMap include permission.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") permmap.exclude_permission("infoflow", "med_w") self.validate_permmap_entry(permmap._permmap, 'infoflow', 'med_w', 'w', 5, False) @@ -237,32 +237,32 @@ def test_123_include_perm(self): def test_124_include_perm_unmapped_class(self): """PermMap include permission unmapped class.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(UnmappedClass): permmap.include_permission("UNMAPPED", "med_w") def test_125_include_perm_unmapped_perm(self): """PermMap include permission unmapped permission.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(UnmappedPermission): permmap.include_permission("infoflow", "UNMAPPED") def test_130_exclude_class(self): """PermMap exclude class.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") permmap.exclude_class("file") self.validate_permmap_entry(permmap._permmap, 'file', 'execute', 'r', 10, False) self.validate_permmap_entry(permmap._permmap, 'file', 'entrypoint', 'r', 10, False) def test_131_exclude_class_unmapped_class(self): """PermMap exclude class unmapped class.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(UnmappedClass): permmap.exclude_class("UNMAPPED") def test_132_include_class(self): """PermMap exclude class.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") permmap.exclude_class("file") self.validate_permmap_entry(permmap._permmap, 'file', 'execute', 'r', 10, False) self.validate_permmap_entry(permmap._permmap, 'file', 'entrypoint', 'r', 10, False) @@ -273,7 +273,7 @@ def test_132_include_class(self): def test_133_include_class_unmapped_class(self): """PermMap include class unmapped class.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") with self.assertRaises(UnmappedClass): permmap.include_class("UNMAPPED") @@ -284,7 +284,7 @@ def test_140_weight_read_only(self): rule.tclass = "infoflow" rule.perms = set(["med_r", "hi_r"]) - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") weight = permmap.rule_weight(rule) self.assertEqual(weight.read, 10) self.assertEqual(weight.write, 0) @@ -296,7 +296,7 @@ def test_141_weight_write_only(self): rule.tclass = "infoflow" rule.perms = set(["low_w", "med_w"]) - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") weight = permmap.rule_weight(rule) self.assertEqual(weight.read, 0) self.assertEqual(weight.write, 5) @@ -308,7 +308,7 @@ def test_142_weight_both(self): rule.tclass = "infoflow" rule.perms = set(["low_r", "hi_w"]) - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") weight = permmap.rule_weight(rule) self.assertEqual(weight.read, 1) self.assertEqual(weight.write, 10) @@ -320,7 +320,7 @@ def test_143_weight_none(self): rule.tclass = "infoflow3" rule.perms = set(["null"]) - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") weight = permmap.rule_weight(rule) self.assertEqual(weight.read, 0) self.assertEqual(weight.write, 0) @@ -332,7 +332,7 @@ def test_144_weight_unmapped_class(self): rule.tclass = "unmapped" rule.perms = set(["null"]) - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") self.assertRaises(UnmappedClass, permmap.rule_weight, rule) def test_145_weight_unmapped_permission(self): @@ -342,7 +342,7 @@ def test_145_weight_unmapped_permission(self): rule.tclass = "infoflow" rule.perms = set(["low_r", "unmapped"]) - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") self.assertRaises(UnmappedPermission, permmap.rule_weight, rule) def test_146_weight_wrong_rule_type(self): @@ -351,7 +351,7 @@ def test_146_weight_wrong_rule_type(self): rule.ruletype = TERuletype.type_transition rule.tclass = "infoflow" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") self.assertRaises(RuleTypeError, permmap.rule_weight, rule) def test_147_weight_excluded_permission(self): @@ -361,7 +361,7 @@ def test_147_weight_excluded_permission(self): rule.tclass = "infoflow" rule.perms = set(["med_r", "hi_r"]) - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") permmap.exclude_permission("infoflow", "hi_r") weight = permmap.rule_weight(rule) self.assertEqual(weight.read, 5) @@ -374,7 +374,7 @@ def test_148_weight_excluded_class(self): rule.tclass = "infoflow" rule.perms = set(["low_r", "med_r", "hi_r", "low_w", "med_w", "hi_w"]) - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") permmap.exclude_class("infoflow") weight = permmap.rule_weight(rule) self.assertEqual(weight.read, 0) @@ -382,7 +382,7 @@ def test_148_weight_excluded_class(self): def test_150_map_policy(self): """PermMap create mappings for classes/perms in a policy.""" - permmap = PermissionMap("tests/perm_map") + permmap = PermissionMap("tests/library/perm_map") permmap.map_policy(self.p) self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'new_perm', 'u', 1, True) diff --git a/tests/test_pirqconquery.py b/tests/library/test_pirqconquery.py similarity index 98% rename from tests/test_pirqconquery.py rename to tests/library/test_pirqconquery.py index 21dce3db..7a1c3d89 100644 --- a/tests/test_pirqconquery.py +++ b/tests/library/test_pirqconquery.py @@ -14,7 +14,7 @@ class PirqconQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/pirqconquery.conf", xen=True) + cls.p = compile_policy("tests/library/pirqconquery.conf", xen=True) @classmethod def tearDownClass(cls): diff --git a/tests/test_polcapquery.py b/tests/library/test_polcapquery.py similarity index 94% rename from tests/test_polcapquery.py rename to tests/library/test_polcapquery.py index 577a8a68..3176b00c 100644 --- a/tests/test_polcapquery.py +++ b/tests/library/test_polcapquery.py @@ -14,7 +14,7 @@ class PolCapQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/polcapquery.conf") + cls.p = compile_policy("tests/library/polcapquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_portconquery.py b/tests/library/test_portconquery.py similarity index 99% rename from tests/test_portconquery.py rename to tests/library/test_portconquery.py index 4dd50d9c..e876901e 100644 --- a/tests/test_portconquery.py +++ b/tests/library/test_portconquery.py @@ -15,7 +15,7 @@ class PortconQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/portconquery.conf") + cls.p = compile_policy("tests/library/portconquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_rbacrulequery.py b/tests/library/test_rbacrulequery.py similarity index 98% rename from tests/test_rbacrulequery.py rename to tests/library/test_rbacrulequery.py index a0d0fcd4..220ffd90 100644 --- a/tests/test_rbacrulequery.py +++ b/tests/library/test_rbacrulequery.py @@ -21,7 +21,7 @@ class RBACRuleQueryTest(mixins.ValidateRule, unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/rbacrulequery.conf") + cls.p = compile_policy("tests/library/rbacrulequery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_rolequery.py b/tests/library/test_rolequery.py similarity index 97% rename from tests/test_rolequery.py rename to tests/library/test_rolequery.py index ba315112..74d3a986 100644 --- a/tests/test_rolequery.py +++ b/tests/library/test_rolequery.py @@ -14,7 +14,7 @@ class RoleQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/rolequery.conf") + cls.p = compile_policy("tests/library/rolequery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_sensitivityquery.py b/tests/library/test_sensitivityquery.py similarity index 97% rename from tests/test_sensitivityquery.py rename to tests/library/test_sensitivityquery.py index 4796539d..8ad4bd2a 100644 --- a/tests/test_sensitivityquery.py +++ b/tests/library/test_sensitivityquery.py @@ -14,7 +14,7 @@ class SensitivityQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/sensitivityquery.conf") + cls.p = compile_policy("tests/library/sensitivityquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_typeattrquery.py b/tests/library/test_typeattrquery.py similarity index 96% rename from tests/test_typeattrquery.py rename to tests/library/test_typeattrquery.py index 68f51f16..9f084f9a 100644 --- a/tests/test_typeattrquery.py +++ b/tests/library/test_typeattrquery.py @@ -14,7 +14,7 @@ class TypeAttributeQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/typeattrquery.conf") + cls.p = compile_policy("tests/library/typeattrquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_typequery.py b/tests/library/test_typequery.py similarity index 98% rename from tests/test_typequery.py rename to tests/library/test_typequery.py index d78dd61f..b2bf5d58 100644 --- a/tests/test_typequery.py +++ b/tests/library/test_typequery.py @@ -15,7 +15,7 @@ class TypeQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/typequery.conf") + cls.p = compile_policy("tests/library/typequery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/test_userquery.py b/tests/library/test_userquery.py similarity index 99% rename from tests/test_userquery.py rename to tests/library/test_userquery.py index ed51e94c..1b494790 100644 --- a/tests/test_userquery.py +++ b/tests/library/test_userquery.py @@ -14,7 +14,7 @@ class UserQueryTest(unittest.TestCase): @classmethod def setUpClass(cls): - cls.p = compile_policy("tests/userquery.conf") + cls.p = compile_policy("tests/library/userquery.conf") @classmethod def tearDownClass(cls): diff --git a/tests/typeattrquery.conf b/tests/library/typeattrquery.conf similarity index 100% rename from tests/typeattrquery.conf rename to tests/library/typeattrquery.conf diff --git a/tests/typequery.conf b/tests/library/typequery.conf similarity index 100% rename from tests/typequery.conf rename to tests/library/typequery.conf diff --git a/tests/userquery.conf b/tests/library/userquery.conf similarity index 100% rename from tests/userquery.conf rename to tests/library/userquery.conf From 88fe56031af35710f23ac4e66b090cb3b2d375fb Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 4 Apr 2024 16:35:51 -0400 Subject: [PATCH 02/71] Move GUI tests under new directory. Signed-off-by: Chris PeBenito --- pyproject.toml | 2 +- {tests-gui => tests}/conftest.py | 0 {tests-gui => tests/gui}/__init__.py | 0 {tests-gui => tests/gui}/widgets/__init__.py | 0 {tests-gui => tests/gui}/widgets/criteria/__init__.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_boolean.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_checkboxset.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_common.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_list.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_name.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_objclass.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_permission.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_rbacruletype.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_role.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_teruletype.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_type.py | 0 {tests-gui => tests/gui}/widgets/criteria/test_user.py | 0 {tests-gui => tests/gui}/widgets/test_boolquery.py | 0 {tests-gui => tests/gui}/widgets/test_boundsquery.py | 0 {tests-gui => tests/gui}/widgets/test_categoryquery.py | 0 {tests-gui => tests/gui}/widgets/test_commonquery.py | 0 {tests-gui => tests/gui}/widgets/test_constraintquery.py | 0 {tests-gui => tests/gui}/widgets/test_defaultquery.py | 0 {tests-gui => tests/gui}/widgets/test_fsusequery.py | 0 {tests-gui => tests/gui}/widgets/test_genfsconquery.py | 0 {tests-gui => tests/gui}/widgets/test_ibendportconquery.py | 0 {tests-gui => tests/gui}/widgets/test_ibpkeyconquery.py | 0 {tests-gui => tests/gui}/widgets/test_initialsidquery.py | 0 {tests-gui => tests/gui}/widgets/test_mlsrulequery.py | 0 {tests-gui => tests/gui}/widgets/test_netifconquery.py | 0 {tests-gui => tests/gui}/widgets/test_nodeconquery.py | 0 {tests-gui => tests/gui}/widgets/test_objclassquery.py | 0 {tests-gui => tests/gui}/widgets/test_portconquery.py | 0 {tests-gui => tests/gui}/widgets/test_rbacrulequery.py | 0 {tests-gui => tests/gui}/widgets/test_rolequery.py | 0 {tests-gui => tests/gui}/widgets/test_sensitivityquery.py | 0 {tests-gui => tests/gui}/widgets/test_tab.py | 0 {tests-gui => tests/gui}/widgets/test_terulequery.py | 0 {tests-gui => tests/gui}/widgets/test_typeattrquery.py | 0 {tests-gui => tests/gui}/widgets/test_typequery.py | 0 {tests-gui => tests/gui}/widgets/test_userquery.py | 0 41 files changed, 1 insertion(+), 1 deletion(-) rename {tests-gui => tests}/conftest.py (100%) rename {tests-gui => tests/gui}/__init__.py (100%) rename {tests-gui => tests/gui}/widgets/__init__.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/__init__.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_boolean.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_checkboxset.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_common.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_list.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_name.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_objclass.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_permission.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_rbacruletype.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_role.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_teruletype.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_type.py (100%) rename {tests-gui => tests/gui}/widgets/criteria/test_user.py (100%) rename {tests-gui => tests/gui}/widgets/test_boolquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_boundsquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_categoryquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_commonquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_constraintquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_defaultquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_fsusequery.py (100%) rename {tests-gui => tests/gui}/widgets/test_genfsconquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_ibendportconquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_ibpkeyconquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_initialsidquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_mlsrulequery.py (100%) rename {tests-gui => tests/gui}/widgets/test_netifconquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_nodeconquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_objclassquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_portconquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_rbacrulequery.py (100%) rename {tests-gui => tests/gui}/widgets/test_rolequery.py (100%) rename {tests-gui => tests/gui}/widgets/test_sensitivityquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_tab.py (100%) rename {tests-gui => tests/gui}/widgets/test_terulequery.py (100%) rename {tests-gui => tests/gui}/widgets/test_typeattrquery.py (100%) rename {tests-gui => tests/gui}/widgets/test_typequery.py (100%) rename {tests-gui => tests/gui}/widgets/test_userquery.py (100%) diff --git a/pyproject.toml b/pyproject.toml index a7a28828..08e61a33 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -49,7 +49,7 @@ module = ['networkx.*', ignore_missing_imports = true [[tool.mypy.overrides]] -module = ['tests-gui.*'] +module = ['tests.gui.*'] # PyQt has many Optional[] returns since Qt doesn't throw exceptions. Fixing # this with type narrowing asserts in the code would add no value as the # test case would fail either way. diff --git a/tests-gui/conftest.py b/tests/conftest.py similarity index 100% rename from tests-gui/conftest.py rename to tests/conftest.py diff --git a/tests-gui/__init__.py b/tests/gui/__init__.py similarity index 100% rename from tests-gui/__init__.py rename to tests/gui/__init__.py diff --git a/tests-gui/widgets/__init__.py b/tests/gui/widgets/__init__.py similarity index 100% rename from tests-gui/widgets/__init__.py rename to tests/gui/widgets/__init__.py diff --git a/tests-gui/widgets/criteria/__init__.py b/tests/gui/widgets/criteria/__init__.py similarity index 100% rename from tests-gui/widgets/criteria/__init__.py rename to tests/gui/widgets/criteria/__init__.py diff --git a/tests-gui/widgets/criteria/test_boolean.py b/tests/gui/widgets/criteria/test_boolean.py similarity index 100% rename from tests-gui/widgets/criteria/test_boolean.py rename to tests/gui/widgets/criteria/test_boolean.py diff --git a/tests-gui/widgets/criteria/test_checkboxset.py b/tests/gui/widgets/criteria/test_checkboxset.py similarity index 100% rename from tests-gui/widgets/criteria/test_checkboxset.py rename to tests/gui/widgets/criteria/test_checkboxset.py diff --git a/tests-gui/widgets/criteria/test_common.py b/tests/gui/widgets/criteria/test_common.py similarity index 100% rename from tests-gui/widgets/criteria/test_common.py rename to tests/gui/widgets/criteria/test_common.py diff --git a/tests-gui/widgets/criteria/test_list.py b/tests/gui/widgets/criteria/test_list.py similarity index 100% rename from tests-gui/widgets/criteria/test_list.py rename to tests/gui/widgets/criteria/test_list.py diff --git a/tests-gui/widgets/criteria/test_name.py b/tests/gui/widgets/criteria/test_name.py similarity index 100% rename from tests-gui/widgets/criteria/test_name.py rename to tests/gui/widgets/criteria/test_name.py diff --git a/tests-gui/widgets/criteria/test_objclass.py b/tests/gui/widgets/criteria/test_objclass.py similarity index 100% rename from tests-gui/widgets/criteria/test_objclass.py rename to tests/gui/widgets/criteria/test_objclass.py diff --git a/tests-gui/widgets/criteria/test_permission.py b/tests/gui/widgets/criteria/test_permission.py similarity index 100% rename from tests-gui/widgets/criteria/test_permission.py rename to tests/gui/widgets/criteria/test_permission.py diff --git a/tests-gui/widgets/criteria/test_rbacruletype.py b/tests/gui/widgets/criteria/test_rbacruletype.py similarity index 100% rename from tests-gui/widgets/criteria/test_rbacruletype.py rename to tests/gui/widgets/criteria/test_rbacruletype.py diff --git a/tests-gui/widgets/criteria/test_role.py b/tests/gui/widgets/criteria/test_role.py similarity index 100% rename from tests-gui/widgets/criteria/test_role.py rename to tests/gui/widgets/criteria/test_role.py diff --git a/tests-gui/widgets/criteria/test_teruletype.py b/tests/gui/widgets/criteria/test_teruletype.py similarity index 100% rename from tests-gui/widgets/criteria/test_teruletype.py rename to tests/gui/widgets/criteria/test_teruletype.py diff --git a/tests-gui/widgets/criteria/test_type.py b/tests/gui/widgets/criteria/test_type.py similarity index 100% rename from tests-gui/widgets/criteria/test_type.py rename to tests/gui/widgets/criteria/test_type.py diff --git a/tests-gui/widgets/criteria/test_user.py b/tests/gui/widgets/criteria/test_user.py similarity index 100% rename from tests-gui/widgets/criteria/test_user.py rename to tests/gui/widgets/criteria/test_user.py diff --git a/tests-gui/widgets/test_boolquery.py b/tests/gui/widgets/test_boolquery.py similarity index 100% rename from tests-gui/widgets/test_boolquery.py rename to tests/gui/widgets/test_boolquery.py diff --git a/tests-gui/widgets/test_boundsquery.py b/tests/gui/widgets/test_boundsquery.py similarity index 100% rename from tests-gui/widgets/test_boundsquery.py rename to tests/gui/widgets/test_boundsquery.py diff --git a/tests-gui/widgets/test_categoryquery.py b/tests/gui/widgets/test_categoryquery.py similarity index 100% rename from tests-gui/widgets/test_categoryquery.py rename to tests/gui/widgets/test_categoryquery.py diff --git a/tests-gui/widgets/test_commonquery.py b/tests/gui/widgets/test_commonquery.py similarity index 100% rename from tests-gui/widgets/test_commonquery.py rename to tests/gui/widgets/test_commonquery.py diff --git a/tests-gui/widgets/test_constraintquery.py b/tests/gui/widgets/test_constraintquery.py similarity index 100% rename from tests-gui/widgets/test_constraintquery.py rename to tests/gui/widgets/test_constraintquery.py diff --git a/tests-gui/widgets/test_defaultquery.py b/tests/gui/widgets/test_defaultquery.py similarity index 100% rename from tests-gui/widgets/test_defaultquery.py rename to tests/gui/widgets/test_defaultquery.py diff --git a/tests-gui/widgets/test_fsusequery.py b/tests/gui/widgets/test_fsusequery.py similarity index 100% rename from tests-gui/widgets/test_fsusequery.py rename to tests/gui/widgets/test_fsusequery.py diff --git a/tests-gui/widgets/test_genfsconquery.py b/tests/gui/widgets/test_genfsconquery.py similarity index 100% rename from tests-gui/widgets/test_genfsconquery.py rename to tests/gui/widgets/test_genfsconquery.py diff --git a/tests-gui/widgets/test_ibendportconquery.py b/tests/gui/widgets/test_ibendportconquery.py similarity index 100% rename from tests-gui/widgets/test_ibendportconquery.py rename to tests/gui/widgets/test_ibendportconquery.py diff --git a/tests-gui/widgets/test_ibpkeyconquery.py b/tests/gui/widgets/test_ibpkeyconquery.py similarity index 100% rename from tests-gui/widgets/test_ibpkeyconquery.py rename to tests/gui/widgets/test_ibpkeyconquery.py diff --git a/tests-gui/widgets/test_initialsidquery.py b/tests/gui/widgets/test_initialsidquery.py similarity index 100% rename from tests-gui/widgets/test_initialsidquery.py rename to tests/gui/widgets/test_initialsidquery.py diff --git a/tests-gui/widgets/test_mlsrulequery.py b/tests/gui/widgets/test_mlsrulequery.py similarity index 100% rename from tests-gui/widgets/test_mlsrulequery.py rename to tests/gui/widgets/test_mlsrulequery.py diff --git a/tests-gui/widgets/test_netifconquery.py b/tests/gui/widgets/test_netifconquery.py similarity index 100% rename from tests-gui/widgets/test_netifconquery.py rename to tests/gui/widgets/test_netifconquery.py diff --git a/tests-gui/widgets/test_nodeconquery.py b/tests/gui/widgets/test_nodeconquery.py similarity index 100% rename from tests-gui/widgets/test_nodeconquery.py rename to tests/gui/widgets/test_nodeconquery.py diff --git a/tests-gui/widgets/test_objclassquery.py b/tests/gui/widgets/test_objclassquery.py similarity index 100% rename from tests-gui/widgets/test_objclassquery.py rename to tests/gui/widgets/test_objclassquery.py diff --git a/tests-gui/widgets/test_portconquery.py b/tests/gui/widgets/test_portconquery.py similarity index 100% rename from tests-gui/widgets/test_portconquery.py rename to tests/gui/widgets/test_portconquery.py diff --git a/tests-gui/widgets/test_rbacrulequery.py b/tests/gui/widgets/test_rbacrulequery.py similarity index 100% rename from tests-gui/widgets/test_rbacrulequery.py rename to tests/gui/widgets/test_rbacrulequery.py diff --git a/tests-gui/widgets/test_rolequery.py b/tests/gui/widgets/test_rolequery.py similarity index 100% rename from tests-gui/widgets/test_rolequery.py rename to tests/gui/widgets/test_rolequery.py diff --git a/tests-gui/widgets/test_sensitivityquery.py b/tests/gui/widgets/test_sensitivityquery.py similarity index 100% rename from tests-gui/widgets/test_sensitivityquery.py rename to tests/gui/widgets/test_sensitivityquery.py diff --git a/tests-gui/widgets/test_tab.py b/tests/gui/widgets/test_tab.py similarity index 100% rename from tests-gui/widgets/test_tab.py rename to tests/gui/widgets/test_tab.py diff --git a/tests-gui/widgets/test_terulequery.py b/tests/gui/widgets/test_terulequery.py similarity index 100% rename from tests-gui/widgets/test_terulequery.py rename to tests/gui/widgets/test_terulequery.py diff --git a/tests-gui/widgets/test_typeattrquery.py b/tests/gui/widgets/test_typeattrquery.py similarity index 100% rename from tests-gui/widgets/test_typeattrquery.py rename to tests/gui/widgets/test_typeattrquery.py diff --git a/tests-gui/widgets/test_typequery.py b/tests/gui/widgets/test_typequery.py similarity index 100% rename from tests-gui/widgets/test_typequery.py rename to tests/gui/widgets/test_typequery.py diff --git a/tests-gui/widgets/test_userquery.py b/tests/gui/widgets/test_userquery.py similarity index 100% rename from tests-gui/widgets/test_userquery.py rename to tests/gui/widgets/test_userquery.py From ab494214b9cb158082c4f09d25000272afa97110 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 4 Apr 2024 16:36:07 -0400 Subject: [PATCH 03/71] tox.ini: Update for test restructuring. Signed-off-by: Chris PeBenito --- tox.ini | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tox.ini b/tox.ini index 551ce15c..ff94e95c 100644 --- a/tox.ini +++ b/tox.ini @@ -9,7 +9,7 @@ max-line-length = 100 deps = {[testenv]deps} pycodestyle commands_pre = pycodestyle --version -commands = pycodestyle setools/ setoolsgui/ tests/ tests-gui/ seinfo seinfoflow sedta sesearch sediff sechecker apol --statistics +commands = pycodestyle setools/ setoolsgui/ tests/ seinfo seinfoflow sedta sesearch sediff sechecker apol --statistics [testenv:coverage] #setenv = SETOOLS_COVERAGE = 1 @@ -20,7 +20,7 @@ extras = toml commands_pre = coverage --version coverage erase {[testenv]commands_pre} -commands = coverage run --source=setools,setoolsgui -m pytest tests tests-gui +commands = coverage run --source=setools,setoolsgui -m pytest tests coverage report [testenv:lint] @@ -29,14 +29,14 @@ deps = {[testenv]deps} pylint>=2.8.0 commands_pre = pylint --version {[testenv]commands_pre} -commands = pylint -E setools setoolsgui tests tests-gui seinfo seinfoflow sedta sesearch sediff sechecker apol +commands = pylint -E setools setoolsgui tests seinfo seinfoflow sedta sesearch sediff sechecker apol [testenv:mypy] deps = {[testenv]deps} types-setuptools mypy>=1.6.0 commands_pre = mypy --version -commands = mypy -p setools -p setoolsgui -p tests -p tests-gui +commands = mypy -p setools -p setoolsgui -p tests mypy --scripts-are-modules seinfo seinfoflow sedta sesearch sediff sechecker apol [testenv:install] @@ -55,4 +55,4 @@ deps = networkx>=2.6 pytest-qt pytest-xvfb commands_pre = {envpython} setup.py build_ext -i -commands = {envpython} -m pytest tests tests-gui +commands = {envpython} -m pytest tests From 11f76f60cf8a6a9f96f0deb0b8d987eb57521be7 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 5 Apr 2024 09:27:21 -0400 Subject: [PATCH 04/71] mock_user, mock_role: Create new pytest fixture to generate mock users and roles. Signed-off-by: Chris PeBenito --- tests/conftest.py | 76 +++++++++++++++++++++++----- tests/library/policyrep/test_role.py | 8 --- tests/library/policyrep/test_user.py | 16 ------ 3 files changed, 62 insertions(+), 38 deletions(-) diff --git a/tests/conftest.py b/tests/conftest.py index 1b44eb30..0463e3be 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -1,6 +1,7 @@ # SPDX-License-Identifier: GPL-2.0-only # pylint: disable=attribute-defined-outside-init +from contextlib import suppress from unittest.mock import Mock import pytest @@ -19,7 +20,62 @@ def __repr__(self): @pytest.fixture -def mock_policy() -> Mock: +def mock_role(): + generated_roles: dict[str, setools.Role] = {} + + def _factory(name: str, /, *, types: frozenset[setools.Type] | None = None) -> setools.Role: + """Factory function for Role objects.""" + with suppress(KeyError): + return generated_roles[name] + + role = SortableMock(setools.Role) + role.name = name + + if types is not None: + role.types.return_value = types + + generated_roles[name] = role + return role + + return _factory + + +@pytest.fixture +def mock_user(mock_role): + generated_users: dict[str, setools.User] = {} + + def _factory(name: str, /, *, roles: frozenset[setools.Role] | None = None, + level: setools.Level | None = None, + range_: setools.Range | None = None) -> setools.User: + """Factory function for User objects.""" + with suppress(KeyError): + return generated_users[name] + + assert (level and range_) or (not level and not range_) + + user = SortableMock(setools.User) + user.name = name + + if roles is not None: + # inject object_r, like the compiler does + full_roles = {mock_role("object_r"), *roles} + user.roles.return_value = frozenset(full_roles) + + if level: + user._level = level + user._range = range_ + else: + user._level = None + user._range = None + + generated_users[name] = user + return user + + return _factory + + +@pytest.fixture +def mock_policy(mock_user, mock_role) -> setools.SELinuxPolicy: """Build a mock policy.""" foo_bool = SortableMock(setools.Boolean) foo_bool.name = "foo_bool" @@ -53,19 +109,11 @@ def mock_policy() -> Mock: bar_t.attributes.return_value = (barattr,) barattr.expand.return_value = (bar_t,) - foo_r = SortableMock(setools.Role) - foo_r.name = "foo_r" - foo_r.types.return_value = (foo_t,) - bar_r = SortableMock(setools.Role) - bar_r.name = "bar_r" - bar_r.types.return_value = (bar_t,) + foo_r = mock_role("foo_r", types=frozenset((foo_t,))) + bar_r = mock_role("bar_r", types=frozenset((bar_t,))) - foo_u = SortableMock(setools.User) - foo_u.name = "foo_u" - foo_u.roles.return_value = (foo_r,) - bar_u = SortableMock(setools.User) - bar_u.name = "bar_u" - bar_u.roles.return_value = (bar_r,) + foo_u = mock_user("foo_u", roles=frozenset((foo_r,))) + bar_u = mock_user("bar_u", roles=frozenset((bar_r,))) foo_cat = SortableMock(setools.Category) foo_cat.name = "foo_cat" @@ -96,7 +144,7 @@ def mock_policy() -> Mock: @pytest.fixture -def mock_query(mock_policy) -> Mock: +def mock_query(mock_policy) -> setools.PolicyQuery: """Build a mock query with mocked policy.""" query = Mock(setools.PolicyQuery) query.policy = mock_policy diff --git a/tests/library/policyrep/test_role.py b/tests/library/policyrep/test_role.py index 75863a44..9c125772 100644 --- a/tests/library/policyrep/test_role.py +++ b/tests/library/policyrep/test_role.py @@ -18,14 +18,6 @@ class RoleTest(unittest.TestCase): def setUpClass(cls): cls.p = SELinuxPolicy("tests/policyrep/role.conf") - def mock_role_factory(self, name, types): - """Factory function for Role objects, using a mock qpol object.""" - mock_role = Mock(qpol.qpol_role_t) - mock_role.name.return_value = name - mock_role.type_iter = lambda x: iter(types) - - return role_factory(self.p.policy, mock_role) - def test_001_lookup(self): """Role factory policy lookup.""" role = role_factory(self.p.policy, "role20_r") diff --git a/tests/library/policyrep/test_user.py b/tests/library/policyrep/test_user.py index 1ed7983b..492a91b1 100644 --- a/tests/library/policyrep/test_user.py +++ b/tests/library/policyrep/test_user.py @@ -18,22 +18,6 @@ class UserTest(unittest.TestCase): def setUpClass(cls): cls.p = SELinuxPolicy("tests/policyrep/user.conf") - def mock_user_factory(self, name, roles, level=None, range_=None): - """Factory function for User objects, using a mock qpol object.""" - assert (level and range_) or (not level and not range_) - - # inject object_r, like the compiler does - roles_with_objr = roles - roles_with_objr.append('object_r') - - mock_user = Mock(qpol.qpol_user_t) - mock_user.name.return_value = name - mock_user.role_iter = lambda x: iter(roles_with_objr) - mock_user.dfltlevel.return_value = level - mock_user.range.return_value = range_ - - return user_factory(self.p.policy, mock_user) - def test_001_lookup(self): """User factory policy lookup.""" user = user_factory(self.p.policy, "user10") From 6c5b8d247136891bf1607bd12443cbe411d828cc Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 5 Apr 2024 15:01:51 -0400 Subject: [PATCH 05/71] TestUser: Update User tests to pytest fixtures and for Cython User implementation. This was skipped since policyrep changed from SWIG to Cython. Signed-off-by: Chris PeBenito --- tests/conftest.py | 36 ++++- tests/library/policyrep/test_user.py | 139 +++++++----------- .../policyrep/{user.conf => user_mls.conf} | 6 +- tests/library/policyrep/user_standard.conf | 105 +++++++++++++ 4 files changed, 196 insertions(+), 90 deletions(-) rename tests/library/policyrep/{user.conf => user_mls.conf} (90%) create mode 100644 tests/library/policyrep/user_standard.conf diff --git a/tests/conftest.py b/tests/conftest.py index 0463e3be..65d448e8 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -1,7 +1,10 @@ # SPDX-License-Identifier: GPL-2.0-only # pylint: disable=attribute-defined-outside-init - +import os +from collections.abc import Iterable from contextlib import suppress +import subprocess +import tempfile from unittest.mock import Mock import pytest @@ -149,3 +152,34 @@ def mock_query(mock_policy) -> setools.PolicyQuery: query = Mock(setools.PolicyQuery) query.policy = mock_policy return query + + +@pytest.fixture(scope="class") +def compiled_policy(request: pytest.FixtureRequest) -> Iterable[setools.SELinuxPolicy]: + """Build a compiled policy.""" + marker = request.node.get_closest_marker("obj_args") + args = marker.args if marker else () + kwargs = marker.kwargs if marker else {} + + source_file = args[0] + + if "USERSPACE_SRC" in os.environ: + command = [os.environ['USERSPACE_SRC'] + "/checkpolicy/checkpolicy"] + elif "CHECKPOLICY" in os.environ: + command = [os.environ['CHECKPOLICY']] + else: + command = ["/usr/bin/checkpolicy"] + + if kwargs.get("mls", True): + command.append("-M") + + if kwargs.get("xen", False): + command.extend(["-t", "xen", "-c", "30"]) + + with tempfile.NamedTemporaryFile("w") as fd: + command.extend(["-o", fd.name, "-U", "reject", source_file]) + + with open(os.devnull, "w+b") as null: + subprocess.check_call(command, stdout=null, shell=False, close_fds=True) + + yield setools.SELinuxPolicy(fd.name) diff --git a/tests/library/policyrep/test_user.py b/tests/library/policyrep/test_user.py index 492a91b1..c6c4fb92 100644 --- a/tests/library/policyrep/test_user.py +++ b/tests/library/policyrep/test_user.py @@ -2,105 +2,74 @@ # # SPDX-License-Identifier: GPL-2.0-only # -# Until this is fixed for cython: -# pylint: disable=undefined-variable,no-member -import unittest -from unittest.mock import Mock, patch +import pytest +import setools -from setools import SELinuxPolicy -from setools.exception import MLSDisabled, InvalidUser +@pytest.mark.obj_args("tests/library/policyrep/user_mls.conf") +class TestUserMLS: -@unittest.skip("Needs to be reworked for cython") -class UserTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/user.conf") - - def test_001_lookup(self): - """User factory policy lookup.""" - user = user_factory(self.p.policy, "user10") - self.assertEqual("user10", user.qpol_symbol.name(self.p.policy)) - - def test_002_lookup_invalid(self): - """User factory policy invalid lookup.""" - with self.assertRaises(InvalidUser): - user_factory(self.p.policy, "INVALID") - - def test_003_lookup_object(self): - """User factory policy lookup of User object.""" - user1 = user_factory(self.p.policy, "user10") - user2 = user_factory(self.p.policy, user1) - self.assertIs(user2, user1) - - def test_010_string(self): + def test_string(self, compiled_policy: setools.SELinuxPolicy) -> None: """User basic string rendering.""" - user = self.mock_user_factory("username", ['role1']) - self.assertEqual("username", str(user)) + user = compiled_policy.lookup_user("system") + assert "system" == str(user), f"{user}" - def test_020_statement_role(self): - """User statement, one role.""" - with patch('setools.policyrep.mls.enabled', return_value=False): - user = self.mock_user_factory("username", ['role20_r']) - self.assertEqual("user username roles role20_r;", user.statement()) - - def test_021_statement_two_roles(self): - """User statement, two roles.""" - with patch('setools.policyrep.mls.enabled', return_value=False): - user = self.mock_user_factory("username", ['role20_r', 'role21a_r']) - # roles are stored in a set, so the role order may vary - self.assertRegex(user.statement(), "(" - "user username roles { role20_r role21a_r };" - "|" - "user username roles { role21a_r role20_r };" - ")") - - def test_022_statement_one_role_mls(self): + def test_statement_one_role_mls(self, compiled_policy: setools.SELinuxPolicy) -> None: """User statement, one role, MLS.""" - user = self.mock_user_factory("username", ['role20_r'], level="s0", range_="s0-s2") - self.assertEqual("user username roles role20_r level s0 range s0 - s2;", user.statement()) + user = compiled_policy.lookup_user("user10") + assert "user user10 roles system level s1:c2 range s1 - s2:c0.c4;" == \ + user.statement(), user.statement() - def test_023_statement_two_roles_mls(self): + def test_023_statement_two_roles_mls(self, compiled_policy: setools.SELinuxPolicy) -> None: """User statement, two roles, MLS.""" - user = self.mock_user_factory("username", ['role20_r', 'role21a_r'], - level="s0", range_="s0 - s2") + user = compiled_policy.lookup_user("user20") # roles are stored in a set, so the role order may vary - self.assertRegex( - user.statement(), "(" - "user username roles { role20_r role21a_r } level s0 range s0 - s2;" - "|" - "user username roles { role21a_r role20_r } level s0 range s0 - s2;" - ")") + assert user.statement() in ( + "user user20 roles { role20_r role21a_r } level s0 range s0 - s2:c0.c4;", + "user user20 roles { role21a_r role20_r } level s0 range s0 - s2:c0.c4;"), \ + user.statement() - def test_030_roles(self): + def test_roles(self, compiled_policy: setools.SELinuxPolicy) -> None: """User roles.""" - user = self.mock_user_factory("username", ['role20_r', 'role21a_r']) - self.assertSetEqual(user.roles, set(['role20_r', 'role21a_r'])) + user = compiled_policy.lookup_user("user20") + assert set(['role20_r', 'role21a_r']) == user.roles, user.roles - def test_040_level(self): + def test_level(self, compiled_policy: setools.SELinuxPolicy) -> None: """User level.""" - user = self.mock_user_factory("username", ['role20_r', 'role21a_r'], - level="s0", range_="s0-s2") - self.assertEqual("s0", user.mls_level) - - def test_041_level_non_mls(self): - """User level, MLS disabled.""" - user = self.mock_user_factory("username", ['role20_r', 'role21a_r']) - with patch('setools.policyrep.mls.enabled', return_value=False): - with self.assertRaises(MLSDisabled): - user.mls_level + user = compiled_policy.lookup_user("user10") + assert "s1:c2" == user.mls_level, user.mls_level - def test_050_range(self): + def test_range(self, compiled_policy: setools.SELinuxPolicy) -> None: """User level.""" - user = self.mock_user_factory("username", ['role20_r', 'role21a_r'], - level="s0", range_="s0-s2") - self.assertEqual("s0 - s2", user.mls_range) + user = compiled_policy.lookup_user("user20") + assert "s0 - s2:c0.c4" == user.mls_range, user.mls_range + + +@pytest.mark.obj_args("tests/library/policyrep/user_standard.conf", mls=False) +class TestUserStandard: + + def test_statement_role(self, compiled_policy: setools.SELinuxPolicy) -> None: + """User statement, one role.""" + user = compiled_policy.lookup_user("user10") + assert "user user10 roles system;" == user.statement(), user.statement() + + def test_statement_two_roles(self, compiled_policy: setools.SELinuxPolicy) -> None: + """User statement, two roles.""" + user = compiled_policy.lookup_user("user20") + # roles are stored in a set, so the role order may vary + assert user.statement() in ( + "user user20 roles { role20_r role21a_r };", + "user user20 roles { role21a_r role20_r };"), \ + user.statement() + + def test_level(self, compiled_policy: setools.SELinuxPolicy) -> None: + """User level, MLS disabled.""" + user = compiled_policy.lookup_user("user10") + with pytest.raises(setools.exception.MLSDisabled): + user.mls_level - def test_051_range_non_mls(self): + def test_range(self, compiled_policy: setools.SELinuxPolicy) -> None: """User level, MLS disabled.""" - user = self.mock_user_factory("username", ['role20_r', 'role21a_r'], - level="s0", range_="s0-s2") - with patch('setools.policyrep.mls.enabled', return_value=False): - with self.assertRaises(MLSDisabled): - user.mls_range + user = compiled_policy.lookup_user("user20") + with pytest.raises(setools.exception.MLSDisabled): + user.mls_range diff --git a/tests/library/policyrep/user.conf b/tests/library/policyrep/user_mls.conf similarity index 90% rename from tests/library/policyrep/user.conf rename to tests/library/policyrep/user_mls.conf index 1b2db897..18564850 100644 --- a/tests/library/policyrep/user.conf +++ b/tests/library/policyrep/user_mls.conf @@ -108,10 +108,8 @@ allow system self:infoflow hi_w; #users user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4; -user user10 roles system level s0 range s0 - s2:c0.c4; -user user11a roles system level s0 range s0 - s2:c0.c4; -user user11b roles system level s0 range s0 - s2:c0.c4; -user user11c roles system level s0 range s0 - s2:c0.c4; +user user10 roles system level s1:c2 range s1 - s2:c0.c4; +user user20 roles { role20_r role21a_r } level s0 range s0 - s2:c0.c4; #normal constraints constrain infoflow hi_w (u1 == u2); diff --git a/tests/library/policyrep/user_standard.conf b/tests/library/policyrep/user_standard.conf new file mode 100644 index 00000000..c4774044 --- /dev/null +++ b/tests/library/policyrep/user_standard.conf @@ -0,0 +1,105 @@ +class infoflow +class infoflow2 +class infoflow3 +class infoflow4 +class infoflow5 +class infoflow6 +class infoflow7 + +sid kernel +sid security + +common infoflow +{ + low_w + med_w + hi_w + low_r + med_r + hi_r +} + +class infoflow +inherits infoflow + +class infoflow2 +inherits infoflow +{ + super_w + super_r +} + +class infoflow3 +{ + null +} + +class infoflow4 +inherits infoflow + +class infoflow5 +inherits infoflow + +class infoflow6 +inherits infoflow + +class infoflow7 +inherits infoflow +{ + super_w + super_r + super_none + super_both + super_unmapped +} + +attribute mls_exempt; + +type system; +role system; +role system types system; + +role role20_r; +role role21a_r; +role role21b_r; +role role21c_r; + +role role20_r types system; +role role21a_r types system; +role role21b_r types system; +role role21c_r types system; + +type type30; +type type31a; +type type31b; +type type31c; +role system types { type30 type31a type31b type31c }; + +allow system self:infoflow hi_w; + +#users +user system roles { system role20_r role21a_r role21b_r role21c_r }; +user user10 roles system; +user user20 roles { role20_r role21a_r }; + +#normal constraints +constrain infoflow hi_w (u1 == u2); + +#isids +sid kernel system:system:system +sid security system:system:system + +#fs_use +fs_use_trans devpts system:object_r:system; +fs_use_xattr ext3 system:object_r:system; +fs_use_task pipefs system:object_r:system; + +#genfscon +genfscon proc / system:object_r:system +genfscon proc /sys system:object_r:system +genfscon selinuxfs / system:object_r:system +portcon tcp 1 system:system:system +netifcon eth0 system:object_r:system system:object_r:system +nodecon 127.0.0.1 255.255.255.255 system:object_r:system +nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system + From 4a87070170d49761cb9e79778d81eb734bd9e806 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 5 Apr 2024 16:11:40 -0400 Subject: [PATCH 06/71] TestRole: Update Role tests to pytest fixtures and for Cython Role implementation. This was skipped since policyrep changed from SWIG to Cython. Fix corner case issue in Role.statement() for roles with no types. Signed-off-by: Chris PeBenito --- setools/policyrep/role.pxi | 2 + tests/library/policyrep/role.conf | 5 ++ tests/library/policyrep/test_role.py | 72 ++++++++++------------------ 3 files changed, 31 insertions(+), 48 deletions(-) diff --git a/setools/policyrep/role.pxi b/setools/policyrep/role.pxi index e48241bf..2ad089f7 100644 --- a/setools/policyrep/role.pxi +++ b/setools/policyrep/role.pxi @@ -41,6 +41,8 @@ cdef class Role(PolicySymbol): types = list(str(t) for t in self._types) count = len(types) stmt = f"role {self.name}" + if count == 0: + return f"role {self.name};" if count == 1: return f"role {self.name} types {types[0]};" diff --git a/tests/library/policyrep/role.conf b/tests/library/policyrep/role.conf index 1b2db897..a3668a2e 100644 --- a/tests/library/policyrep/role.conf +++ b/tests/library/policyrep/role.conf @@ -92,6 +92,9 @@ role role20_r; role role21a_r; role role21b_r; role role21c_r; +role rolename21; +role rolename22; +role rolename23; role role20_r types system; role role21a_r types system; @@ -102,6 +105,8 @@ type type30; type type31a; type type31b; type type31c; +role rolename21 types { type31a type31b }; +role rolename23 types { type31b type31c }; role system types { type30 type31a type31b type31c }; allow system self:infoflow hi_w; diff --git a/tests/library/policyrep/test_role.py b/tests/library/policyrep/test_role.py index 9c125772..eb12a193 100644 --- a/tests/library/policyrep/test_role.py +++ b/tests/library/policyrep/test_role.py @@ -2,68 +2,44 @@ # # SPDX-License-Identifier: GPL-2.0-only # -# Until this is fixed for cython: -# pylint: disable=undefined-variable,no-member -import unittest -from unittest.mock import Mock +import pytest +import setools -from setools import SELinuxPolicy -from setools.exception import InvalidRole +@pytest.mark.obj_args("tests/library/policyrep/role.conf") +class TestRole: -@unittest.skip("Needs to be reworked for cython") -class RoleTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/role.conf") - - def test_001_lookup(self): - """Role factory policy lookup.""" - role = role_factory(self.p.policy, "role20_r") - self.assertEqual("role20_r", role.qpol_symbol.name(self.p.policy)) - - def test_002_lookup_invalid(self): - """Role factory policy invalid lookup.""" - with self.assertRaises(InvalidRole): - role_factory(self.p.policy, "INVALID") - - def test_003_lookup_object(self): - """Role factory policy lookup of Role object.""" - role1 = role_factory(self.p.policy, "role20_r") - role2 = role_factory(self.p.policy, role1) - self.assertIs(role2, role1) - - def test_010_string(self): + def test_string(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role basic string rendering.""" - role = self.mock_role_factory("rolename10", ['type1']) - self.assertEqual("rolename10", str(role)) + role = compiled_policy.lookup_role("role20_r") + assert "role20_r" == str(role), f"{role}" - def test_020_statement_type(self): + def test_statement_type(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role statement, one type.""" - role = self.mock_role_factory("rolename20", ['type30']) - self.assertEqual("role rolename20 types type30;", role.statement()) + role = compiled_policy.lookup_role("role20_r") + assert "role role20_r types system;" == role.statement(), role.statement() - def test_021_statement_two_types(self): + def test_statement_two_types(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role statement, two types.""" - role = self.mock_role_factory("rolename21", ['type31a', 'type31b']) - self.assertEqual("role rolename21 types { type31a type31b };", role.statement()) + role = compiled_policy.lookup_role("rolename21") + assert "role rolename21 types { type31a type31b };" == role.statement(), role.statement() - def test_022_statement_decl(self): + def test_statement_decl(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role statement, no types.""" # This is an unlikely corner case, where a role # has been declared but has no types. - role = self.mock_role_factory("rolename22", []) - self.assertEqual("role rolename22;", role.statement()) + role = compiled_policy.lookup_role("rolename22") + assert "role rolename22;" == role.statement(), role.statement() - def test_030_types(self): + def test_types(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role types generator.""" - role = self.mock_role_factory("rolename", ['type31b', 'type31c']) - self.assertEqual(['type31b', 'type31c'], sorted(role.types())) + role = compiled_policy.lookup_role("rolename23") + types = sorted(role.types()) + assert ["type31b", "type31c"] == types, types - def test_040_expand(self): + def test_expand(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role expansion""" - role = self.mock_role_factory("rolename", ['type31a', 'type31b', 'type31c']) + role = compiled_policy.lookup_role("system") expanded = list(role.expand()) - self.assertEqual(1, len(expanded)) - self.assertIs(role, expanded[0]) + assert 1 == len(expanded), expanded + assert role == expanded[0], expanded From 5bf7d32d4c8f9c93799591828a4a5c645ef40738 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 8 Apr 2024 10:27:17 -0400 Subject: [PATCH 07/71] TestType, TestTypeAttribute: Update tests to pytest fixtures and for Cython implementation. Also split into two modules. Signed-off-by: Chris PeBenito --- tests/conftest.py | 52 ++++- tests/library/policyrep/test_type.py | 86 ++++++++ tests/library/policyrep/test_typeattr.py | 259 +++-------------------- tests/library/policyrep/type.conf | 158 ++++++++++++++ tests/library/policyrep/typeattr.conf | 14 +- 5 files changed, 322 insertions(+), 247 deletions(-) create mode 100644 tests/library/policyrep/test_type.py create mode 100644 tests/library/policyrep/type.conf diff --git a/tests/conftest.py b/tests/conftest.py index 65d448e8..6441775f 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -43,6 +43,42 @@ def _factory(name: str, /, *, types: frozenset[setools.Type] | None = None) -> s return _factory +@pytest.fixture +def mock_type(): + generated_types: dict[str, setools.Type] = {} + + def _factory(name: str, attrs: Iterable[setools.TypeAttribute] | None = None, + alias: Iterable[str] | None = None, perm: bool = False) -> setools.Type: + """Factory function for Type objects.""" + with suppress(KeyError): + return generated_types[name] + + type_ = SortableMock(setools.Type) + type_.name = name + type_.ispermissive = perm + type_.attributes.return_value = attrs if attrs is not None else () + type_.aliases.return_value = alias if alias is not None else () + generated_types[name] = type_ + return type_ + + return _factory + + +@pytest.fixture +def mock_typeattr(): + generated_attrs: dict[str, setools.TypeAttribute] = {} + + def _factory(name: str, types: Iterable[setools.Type] | None = None) -> setools.TypeAttribute: + """Factory function for TypeAttribute objects, using a mock qpol object.""" + attr = SortableMock(setools.TypeAttribute) + attr.name = name + attr.expand.return_value = types if types is not None else () + generated_attrs[name] = attr + return attr + + return _factory + + @pytest.fixture def mock_user(mock_role): generated_users: dict[str, setools.User] = {} @@ -78,7 +114,7 @@ def _factory(name: str, /, *, roles: frozenset[setools.Role] | None = None, @pytest.fixture -def mock_policy(mock_user, mock_role) -> setools.SELinuxPolicy: +def mock_policy(mock_type, mock_typeattr, mock_user, mock_role) -> setools.SELinuxPolicy: """Build a mock policy.""" foo_bool = SortableMock(setools.Boolean) foo_bool.name = "foo_bool" @@ -98,18 +134,12 @@ def mock_policy(mock_user, mock_role) -> setools.SELinuxPolicy: bar_class.perms = frozenset(("bar_perm1", "bar_perm2")) bar_class.common = common - fooattr = SortableMock(setools.TypeAttribute) - fooattr.name = "foo_type" - barattr = SortableMock(setools.TypeAttribute) - barattr.name = "bar_type" + fooattr = mock_typeattr("foo_type") + barattr = mock_typeattr("bar_type") - foo_t = SortableMock(setools.Type) - foo_t.name = "foo_t" - foo_t.attributes.return_value = (fooattr,) + foo_t = mock_type("foo_t", attrs=(fooattr,)) fooattr.expand.return_value = (foo_t,) - bar_t = SortableMock(setools.Type) - bar_t.name = "bar_t" - bar_t.attributes.return_value = (barattr,) + bar_t = mock_type("bar_t", attrs=(barattr,)) barattr.expand.return_value = (bar_t,) foo_r = mock_role("foo_r", types=frozenset((foo_t,))) diff --git a/tests/library/policyrep/test_type.py b/tests/library/policyrep/test_type.py new file mode 100644 index 00000000..660d8032 --- /dev/null +++ b/tests/library/policyrep/test_type.py @@ -0,0 +1,86 @@ +# Copyright 2015, Tresys Technology, LLC +# +# SPDX-License-Identifier: GPL-2.0-only +# +import pytest +import setools + + +@pytest.mark.obj_args("tests/library/policyrep/type.conf") +class TestType: + + def test_string(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type basic string rendering.""" + type_ = compiled_policy.lookup_type("name10") + assert "name10" == str(type_), f"{type_}" + + def test_attrs(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type with type attributes""" + type_ = compiled_policy.lookup_type("name20") + assert ["attr1", "attr2", "attr3"] == sorted(type_.attributes()), type_.attributes() + + def test_aliases(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type aliases""" + type_ = compiled_policy.lookup_type("name30") + assert ["alias1", "alias2", "alias3"] == sorted(type_.aliases()), type_.aliases() + + def test_expand(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type expansion""" + type_ = compiled_policy.lookup_type("name40") + expanded = list(type_.expand()) + assert 1 == len(expanded), len(expanded) + assert expanded[0] is type_ + + def test_permissive(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type is permissive""" + type_ = compiled_policy.lookup_type("name50a") + permtype = compiled_policy.lookup_type("name50b") + assert not type_.ispermissive + assert permtype.ispermissive + + def test_statement(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type basic statement""" + type_ = compiled_policy.lookup_type("name60") + assert "type name60;" == type_.statement(), type_.statement() + + def test_statement_one_attr(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type statement, one attribute""" + type_ = compiled_policy.lookup_type("name61") + assert "type name61, attr1;" == type_.statement(), type_.statement() + + def test_statement_two_attr(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type statement, two attributes""" + type_ = compiled_policy.lookup_type("name62") + assert "type name62, attr1, attr2;" == type_.statement(), type_.statement() + + def test_statement_one_alias(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type statement, one alias""" + type_ = compiled_policy.lookup_type("name63") + assert "type name63 alias alias4;" == type_.statement(), type_.statement() + + def test_statement_two_alias(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type statement, two aliases""" + type_ = compiled_policy.lookup_type("name64") + assert "type name64 alias { alias5 alias6 };" == type_.statement(), type_.statement() + + def test_statement_one_attr_one_alias(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type statement, one attribute, one alias""" + type_ = compiled_policy.lookup_type("name65") + assert "type name65 alias alias7, attr1;" == type_.statement(), type_.statement() + + def test_statement_two_attr_one_alias(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type statement, two attributes, one alias""" + type_ = compiled_policy.lookup_type("name66") + assert "type name66 alias alias8, attr2, attr3;" == type_.statement(), type_.statement() + + def test_statement_one_attr_two_alias(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type statement, one attribute, two aliases""" + type_ = compiled_policy.lookup_type("name67") + assert "type name67 alias { alias10 alias11 }, attr3;" == type_.statement(), \ + type_.statement() + + def test_statement_two_attr_two_alias(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Type statement, two attributes, two aliases""" + type_ = compiled_policy.lookup_type("name68") + assert "type name68 alias { alias12 alias13 }, attr1, attr3;" == type_.statement(), \ + type_.statement() diff --git a/tests/library/policyrep/test_typeattr.py b/tests/library/policyrep/test_typeattr.py index b16bc979..eb844a26 100644 --- a/tests/library/policyrep/test_typeattr.py +++ b/tests/library/policyrep/test_typeattr.py @@ -2,254 +2,47 @@ # # SPDX-License-Identifier: GPL-2.0-only # -# Until this is fixed for cython: -# pylint: disable=undefined-variable,no-member -import unittest -from unittest.mock import Mock, patch +import pytest +import setools -from setools import SELinuxPolicy -from setools.exception import InvalidType, SymbolUseError +@pytest.mark.obj_args("tests/library/policyrep/typeattr.conf") +class TestTypeAttribute: -@unittest.skip("Needs to be reworked for cython") -class TypeTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/typeattr.conf") - - def mock_type_factory(self, name, attrs=[], alias=[], perm=False): - """Factory function for Type objects, using a mock qpol object.""" - mock_type = Mock(qpol.qpol_type_t) - mock_type.name.return_value = name - mock_type.type_iter.side_effect = AssertionError("Type iterator used") - mock_type.attr_iter = lambda x: iter(attrs) - mock_type.alias_iter = lambda x: iter(alias) - mock_type.ispermissive.return_value = perm - mock_type.isattr.return_value = False - mock_type.isalias.return_value = False - - return type_factory(self.p.policy, mock_type) - - def test_001_lookup(self): - """Type factory policy lookup.""" - type_ = type_factory(self.p.policy, "system") - self.assertEqual("system", type_.qpol_symbol.name(self.p.policy)) - - def test_002_lookup_invalid(self): - """Type factory policy invalid lookup.""" - with self.assertRaises(InvalidType): - type_factory(self.p.policy, "INVALID") - - def test_003_lookup_alias(self): - """Type factory policy lookup alias.""" - type_ = type_factory(self.p.policy, "sysalias", deref=True) - self.assertEqual("system", type_.qpol_symbol.name(self.p.policy)) - - def test_004_lookup_alias_no_deref(self): - """Type factory policy lookup alias (no dereference).""" - with self.assertRaises(TypeError): - type_ = type_factory(self.p.policy, "sysalias") - - def test_005_lookup_attr(self): - """Type factory policy lookup atribute.""" - with self.assertRaises(TypeError): - type_ = type_factory(self.p.policy, "attr1") - - def test_006_lookup2(self): - """Type factory policy lookup (type_or_attr_factory).""" - type_ = type_or_attr_factory(self.p.policy, "system") - self.assertEqual("system", type_.qpol_symbol.name(self.p.policy)) - - def test_007_lookup2_invalid(self): - """Type factory policy invalid lookup (type_or_attr_factory).""" - with self.assertRaises(InvalidType): - type_or_attr_factory(self.p.policy, "INVALID") - - def test_008_lookup2_alias(self): - """Type factory policy lookup alias (type_or_attr_factory).""" - type_ = type_or_attr_factory(self.p.policy, "sysalias", deref=True) - self.assertEqual("system", type_.qpol_symbol.name(self.p.policy)) - - def test_009_lookup2_alias_no_deref(self): - """Type factory policy lookup alias (no dereference, type_or_attr_factory).""" - with self.assertRaises(TypeError): - type_ = type_or_attr_factory(self.p.policy, "sysalias") - - def test_00a_lookup_object(self): - """Type factory policy lookup of Type object.""" - type1 = type_factory(self.p.policy, "system") - type2 = type_factory(self.p.policy, type1) - self.assertIs(type2, type1) - - def test_00b_lookup2_object(self): - """Type factory policy lookup of Type object (type_or_attr_factory).""" - type1 = type_or_attr_factory(self.p.policy, "system") - type2 = type_or_attr_factory(self.p.policy, type1) - self.assertIs(type2, type1) - - def test_010_string(self): - """Type basic string rendering.""" - type_ = self.mock_type_factory("name10") - self.assertEqual("name10", str(type_)) - - def test_020_attrs(self): - """Type attributes""" - type_ = self.mock_type_factory("name20", attrs=['attr1', 'attr2', 'attr3']) - self.assertEqual(['attr1', 'attr2', 'attr3'], sorted(type_.attributes())) - - def test_030_aliases(self): - """Type aliases""" - type_ = self.mock_type_factory("name30", alias=['alias1', 'alias2', 'alias3']) - self.assertEqual(['alias1', 'alias2', 'alias3'], sorted(type_.aliases())) - - def test_040_expand(self): - """Type expansion""" - type_ = self.mock_type_factory("name40") - expanded = list(type_.expand()) - self.assertEqual(1, len(expanded)) - self.assertIs(type_, expanded[0]) - - def test_050_permissive(self): - """Type is permissive""" - type_ = self.mock_type_factory("name50a") - permtype = self.mock_type_factory("name50b", perm=True) - self.assertFalse(type_.ispermissive) - self.assertTrue(permtype.ispermissive) - - def test_060_statement(self): - """Type basic statement""" - type_ = self.mock_type_factory("name60") - self.assertEqual("type name60;", type_.statement()) - - def test_061_statement_one_attr(self): - """Type statement, one attribute""" - type_ = self.mock_type_factory("name61", attrs=['attr1']) - self.assertEqual("type name61, attr1;", type_.statement()) - - def test_062_statement_two_attr(self): - """Type statement, two attributes""" - type_ = self.mock_type_factory("name62", attrs=['attr1', 'attr2']) - self.assertEqual("type name62, attr1, attr2;", type_.statement()) - - def test_063_statement_one_alias(self): - """Type statement, one alias""" - type_ = self.mock_type_factory("name63", alias=['alias1']) - self.assertEqual("type name63 alias alias1;", type_.statement()) - - def test_064_statement_two_alias(self): - """Type statement, two aliases""" - type_ = self.mock_type_factory("name64", alias=['alias1', 'alias2']) - self.assertEqual("type name64 alias { alias1 alias2 };", type_.statement()) - - def test_065_statement_one_attr_one_alias(self): - """Type statement, one attribute, one alias""" - type_ = self.mock_type_factory("name65", attrs=['attr1'], alias=['alias1']) - self.assertEqual("type name65 alias alias1, attr1;", type_.statement()) - - def test_066_statement_two_attr_one_alias(self): - """Type statement, two attributes, one alias""" - type_ = self.mock_type_factory("name66", attrs=['attr1', 'attr2'], alias=['alias1']) - self.assertEqual("type name66 alias alias1, attr1, attr2;", type_.statement()) - - def test_067_statement_one_attr_two_alias(self): - """Type statement, one attribute, two aliases""" - type_ = self.mock_type_factory("name67", attrs=['attr2'], alias=['alias3', 'alias4']) - self.assertEqual("type name67 alias { alias3 alias4 }, attr2;", type_.statement()) - - def test_068_statement_two_attr_two_alias(self): - """Type statement, two attributes, two aliases""" - type_ = self.mock_type_factory("name68", attrs=['attr2', 'attr3'], - alias=['alias2', 'alias4']) - self.assertEqual("type name68 alias { alias2 alias4 }, attr2, attr3;", type_.statement()) - - -@unittest.skip("Needs to be reworked for cython") -class TypeAttributeTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/typeattr.conf") - - def mock_attr_factory(self, name, types=[]): - """Factory function for TypeAttribute objects, using a mock qpol object.""" - mock_type = Mock(qpol.qpol_type_t) - mock_type.name.return_value = name - mock_type.type_iter = lambda x: iter(types) - mock_type.attr_iter.side_effect = AssertionError("Attr iter used") - mock_type.alias_iter.side_effect = AssertionError("Alias iter used") - mock_type.ispermissive.side_effect = AssertionError("Permissive used") - mock_type.isattr.return_value = True - mock_type.isalias.side_effect = AssertionError("Alias used") - - return attribute_factory(self.p.policy, mock_type) - - def test_001_lookup(self): - """TypeAttribute factory policy lookup.""" - attr = attribute_factory(self.p.policy, "attr1") - self.assertEqual("attr1", attr.qpol_symbol.name(self.p.policy)) - - def test_002_lookup_invalid(self): - """TypeAttribute factory policy invalid lookup.""" - with self.assertRaises(InvalidType): - attribute_factory(self.p.policy, "INVALID") - - def test_006_lookup2(self): - """TypeAttribute factory policy lookup (type_or_attr_factory).""" - attr = type_or_attr_factory(self.p.policy, "attr1") - self.assertEqual("attr1", attr.qpol_symbol.name(self.p.policy)) - - def test_007_lookup2_invalid(self): - """TypeAttribute factory policy invalid lookup (type_or_attr_factory).""" - with self.assertRaises(InvalidType): - type_or_attr_factory(self.p.policy, "INVALID") - - def test_008_lookup_object(self): - """TypeAttribute factory policy lookup of TypeAttribute object.""" - attr1 = attribute_factory(self.p.policy, "attr1") - attr2 = attribute_factory(self.p.policy, attr1) - self.assertIs(attr2, attr1) - - def test_009_lookup2_object(self): - """TypeAttribute factory policy lookup of TypeAttribute object (type_or_attr_factory).""" - attr1 = type_or_attr_factory(self.p.policy, "attr2") - attr2 = type_or_attr_factory(self.p.policy, attr1) - self.assertIs(attr2, attr1) - - def test_010_string(self): + def test_string(self, compiled_policy: setools.SELinuxPolicy) -> None: """TypeAttribute basic string rendering.""" - attr = self.mock_attr_factory("name10") - self.assertEqual("name10", str(attr)) + attr = compiled_policy.lookup_typeattr("name10") + assert "name10" == str(attr), f"{attr}" - def test_020_attrs(self): + def test_attrs(self, compiled_policy: setools.SELinuxPolicy) -> None: """TypeAttribute attributes""" - attr = self.mock_attr_factory("name20") - with self.assertRaises(SymbolUseError): + attr = compiled_policy.lookup_typeattr("name20") + with pytest.raises(setools.exception.SymbolUseError): attr.attributes() - def test_030_aliases(self): + def test_aliases(self, compiled_policy: setools.SELinuxPolicy) -> None: """TypeAttribute aliases""" - attr = self.mock_attr_factory("name30") - with self.assertRaises(SymbolUseError): + attr = compiled_policy.lookup_typeattr("name30") + with pytest.raises(setools.exception.SymbolUseError): attr.aliases() - def test_040_expand(self): + def test_expand(self, compiled_policy: setools.SELinuxPolicy) -> None: """TypeAttribute expansion""" - attr = self.mock_attr_factory("name40", types=['type31a', 'type31b', 'type31c']) - self.assertEqual(['type31a', 'type31b', 'type31c'], sorted(attr.expand())) + attr = compiled_policy.lookup_typeattr("name40") + assert ['type31a', 'type31b', 'type31c'] == sorted(attr.expand()), sorted(attr.expand()) - def test_050_permissive(self): - with self.assertRaises(SymbolUseError): - attr = self.mock_attr_factory("name20") + def test_permissive(self, compiled_policy: setools.SELinuxPolicy) -> None: + attr = compiled_policy.lookup_typeattr("name50") + with pytest.raises(setools.exception.SymbolUseError): attr.ispermissive - def test_060_statement(self): + def test_statement(self, compiled_policy: setools.SELinuxPolicy) -> None: """TypeAttribute basic statement""" - attr = self.mock_attr_factory("name60") - self.assertEqual("attribute name60;", attr.statement()) + attr = compiled_policy.lookup_typeattr("name60") + assert "attribute name60;" == attr.statement(), attr.statement() - def test_070_contains(self): + def test_contains(self, compiled_policy: setools.SELinuxPolicy) -> None: """TypeAttribute: contains""" - attr = self.mock_attr_factory("name70", types=['type31a', 'type31b', 'type31c']) - self.assertIn("type31b", attr) - self.assertNotIn("type30", attr) + attr = compiled_policy.lookup_typeattr("name70") + assert "type31b" in attr + assert "type30" not in attr diff --git a/tests/library/policyrep/type.conf b/tests/library/policyrep/type.conf new file mode 100644 index 00000000..85daea2e --- /dev/null +++ b/tests/library/policyrep/type.conf @@ -0,0 +1,158 @@ +class infoflow +class infoflow2 +class infoflow3 +class infoflow4 +class infoflow5 +class infoflow6 +class infoflow7 + +sid kernel +sid security + +common infoflow +{ + low_w + med_w + hi_w + low_r + med_r + hi_r +} + +class infoflow +inherits infoflow + +class infoflow2 +inherits infoflow +{ + super_w + super_r +} + +class infoflow3 +{ + null +} + +class infoflow4 +inherits infoflow + +class infoflow5 +inherits infoflow + +class infoflow6 +inherits infoflow + +class infoflow7 +inherits infoflow +{ + super_w + super_r + super_none + super_both + super_unmapped +} + +sensitivity s0; +sensitivity s1; +sensitivity s2; + +dominance { s0 s1 s2 } + +category c0; +category c1; +category c2; +category c3; +category c4; +category c5; +category c6; +category c7; +category c8; +category c9; +category c10; +category c11; +category c12; +category c13; + +#level decl +level s0:c0.c2; +level s1:c0.c13; +level s2:c0.c13; + +#some constraints +mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); + +attribute mls_exempt; +attribute attr1; +attribute attr2; +attribute attr3; + +type system alias sysalias; +role system; +role system types system; + +role role20_r; +role role21a_r; +role role21b_r; +role role21c_r; + +role role20_r types system; +role role21a_r types system; +role role21b_r types system; +role role21c_r types system; + +type name10; +type name20, attr1, attr2, attr3; +type name30 alias { alias1 alias2 alias3}; +type name40; +type name50a; +type name50b; +permissive name50b; +type name60; +type name61, attr1; +type name62, attr1, attr2; +type name63 alias alias4; +type name64 alias { alias5 alias6 }; +type name65 alias alias7, attr1; +type name66 alias alias8, attr2, attr3; +type name67 alias { alias10 alias11 }, attr3; +type name68 alias { alias12 alias13 }, attr1, attr3; + +type type30; +type type31a; +type type31b; +type type31c; +role system types { type30 type31a type31b type31c }; + +#type everything alias { alias1 alias2 }, attr1, attr2; + +allow system self:infoflow hi_w; + +#users +user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4; +user user10 roles system level s0 range s0 - s2:c0.c4; +user user11a roles system level s0 range s0 - s2:c0.c4; +user user11b roles system level s0 range s0 - s2:c0.c4; +user user11c roles system level s0 range s0 - s2:c0.c4; + +#normal constraints +constrain infoflow hi_w (u1 == u2); + +#isids +sid kernel system:system:system:s0 +sid security system:system:system:s0 + +#fs_use +fs_use_trans devpts system:object_r:system:s0; +fs_use_xattr ext3 system:object_r:system:s0; +fs_use_task pipefs system:object_r:system:s0; + +#genfscon +genfscon proc / system:object_r:system:s1 +genfscon proc /sys system:object_r:system:s0 +genfscon selinuxfs / system:object_r:system:s2:c0.c4 +portcon tcp 1 system:system:system:s0:c0.c1 +netifcon eth0 system:object_r:system:s0 system:object_r:system:s0 +nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0 +nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0 + diff --git a/tests/library/policyrep/typeattr.conf b/tests/library/policyrep/typeattr.conf index 94c1086c..0e330ee4 100644 --- a/tests/library/policyrep/typeattr.conf +++ b/tests/library/policyrep/typeattr.conf @@ -87,6 +87,14 @@ attribute attr1; attribute attr2; attribute attr3; +attribute name10; +attribute name20; +attribute name30; +attribute name40; +attribute name50; +attribute name60; +attribute name70; + type system alias sysalias; role system; role system types system; @@ -102,9 +110,9 @@ role role21b_r types system; role role21c_r types system; type type30; -type type31a; -type type31b; -type type31c; +type type31a, name40, name70; +type type31b, name40, name70; +type type31c, name40, name70; role system types { type30 type31a type31b type31c }; type everything alias { alias1 alias2 }, attr1, attr2; From 16153794a798b8512f0e7ca85bc1af91f72553af Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 8 Apr 2024 11:07:39 -0400 Subject: [PATCH 08/71] TestSELinuxPolicy: Update tests to pytest fixtures and for Cython implementation. Signed-off-by: Chris PeBenito --- tests/library/policyrep/test_selinuxpolicy.py | 228 ++++++++---------- 1 file changed, 95 insertions(+), 133 deletions(-) diff --git a/tests/library/policyrep/test_selinuxpolicy.py b/tests/library/policyrep/test_selinuxpolicy.py index 648c6467..b5a6cf95 100644 --- a/tests/library/policyrep/test_selinuxpolicy.py +++ b/tests/library/policyrep/test_selinuxpolicy.py @@ -4,228 +4,190 @@ # import copy -import os -import sys -import unittest -from setools import SELinuxPolicy, HandleUnknown -from setools.exception import InvalidPolicy +import pytest +import setools -from .util import compile_policy +@pytest.mark.obj_args("tests/library/policyrep/selinuxpolicy.conf") +class TestSELinuxPolicy: -class SELinuxPolicyTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/policyrep/selinuxpolicy.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - @unittest.skip("Retired for the SELinuxPolicyLoadError test suite.") - def test_001_open_policy_error(self): - """SELinuxPolicy: Invalid policy on open.""" - # source policies not supported - self.assertRaises(InvalidPolicy, SELinuxPolicy, "tests/policyrep/selinuxpolicy-bad.conf") - - def test_002_open_policy_non_existant(self): + def test_open_policy_non_existant(self) -> None: """SELinuxPolicy: Non existant policy on open.""" - self.assertRaises(OSError, SELinuxPolicy, "tests/policyrep/DOES_NOT_EXIST") + with pytest.raises(OSError): + setools.SELinuxPolicy("tests/policyrep/DOES_NOT_EXIST") - def test_003_deepcopy(self): + def test_deepcopy(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: Deep copy""" - p = copy.deepcopy(self.p) - self.assertIs(self.p, p) + p = copy.deepcopy(compiled_policy) + assert p is compiled_policy - def test_010_handle_unknown(self): + def test_handle_unknown(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: handle unknown setting.""" - self.assertEqual(self.p.handle_unknown, HandleUnknown.reject) + assert compiled_policy.handle_unknown == setools.HandleUnknown.reject - def test_011_mls(self): + def test_mls(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: MLS status.""" - self.assertTrue(self.p.mls) + assert compiled_policy.mls - def test_012_version(self): + def test_version(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: version.""" - self.assertTrue(self.p.version) + assert compiled_policy.version - def test_100_allow_count(self): + def test_allow_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: allow count""" - self.assertEqual(self.p.allow_count, 113) + assert compiled_policy.allow_count == 113 - def test_101_auditallow_count(self): + def test_auditallow_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: auditallow count""" - self.assertEqual(self.p.auditallow_count, 109) + assert compiled_policy.auditallow_count == 109 - def test_102_boolean_count(self): + def test_boolean_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: Boolean count.""" - self.assertEqual(self.p.boolean_count, 127) + assert compiled_policy.boolean_count == 127 - # def test_103_bounds_count(self): + # def test_bounds_count(self, compiled_policy: setools.SELinuxPolicy) -> None: - def test_104_category_count(self): + def test_category_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: category count""" - self.assertEqual(self.p.category_count, 17) + assert compiled_policy.category_count == 17 - def test_105_class_count(self): + def test_class_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: object class count""" - self.assertEqual(self.p.class_count, 7) + assert compiled_policy.class_count == 7 - def test_106_common_count(self): + def test_common_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: common permisison set count""" - self.assertEqual(self.p.common_count, 3) + assert compiled_policy.common_count == 3 - def test_107_conditional_count(self): + def test_conditional_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: conditional (expression) count""" - self.assertEqual(self.p.conditional_count, 67) + assert compiled_policy.conditional_count == 67 - def test_108_constraint_count(self): + def test_constraint_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: standard constraint count""" - self.assertEqual(self.p.constraint_count, 19) + assert compiled_policy.constraint_count == 19 - # def test_109_default_count(self): + # def test_default_count(self, compiled_policy: setools.SELinuxPolicy) -> None: - def test_110_dontaudit_count(self): + def test_dontaudit_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: dontaudit rule count""" - self.assertEqual(self.p.dontaudit_count, 107) + assert compiled_policy.dontaudit_count == 107 - def test_111_fs_use_count(self): + def test_fs_use_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: fs_use_* count""" - self.assertEqual(self.p.fs_use_count, 149) + assert compiled_policy.fs_use_count == 149 - def test_112_genfscon_count(self): + def test_genfscon_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: genfscon count""" - self.assertEqual(self.p.genfscon_count, 151) + assert compiled_policy.genfscon_count == 151 - def test_113_initial_sid_count(self): + def test_initial_sid_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: initial sid count""" - self.assertEqual(self.p.initialsids_count, 11) + assert compiled_policy.initialsids_count == 11 - def test_114_level_count(self): + def test_level_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: MLS level count""" - self.assertEqual(self.p.level_count, 13) + assert compiled_policy.level_count == 13 - def test_115_mls_constraint_count(self): + def test_mls_constraint_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: MLS constraint count""" - self.assertEqual(self.p.mlsconstraint_count, 23) + assert compiled_policy.mlsconstraint_count == 23 - def test_116_mls_validatetrans_count(self): + def test_mls_validatetrans_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: MLS validatetrans count""" - self.assertEqual(self.p.mlsvalidatetrans_count, 3) + assert compiled_policy.mlsvalidatetrans_count == 3 - def test_117_netifcon_count(self): + def test_netifcon_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: netifcon count""" - self.assertEqual(self.p.netifcon_count, 167) + assert compiled_policy.netifcon_count == 167 - def test_118_neverallow_count(self): + def test_neverallow_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: neverallow rule count""" # changed after dropping source policy support - # self.assertEqual(self.p.neverallow_count, 103) - self.assertEqual(self.p.neverallow_count, 0) + # assert compiled_policy.neverallow_count == 103) + assert compiled_policy.neverallow_count == 0 - def test_119_nodecon_count(self): + def test_nodecon_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: nodecon count""" - self.assertEqual(self.p.nodecon_count, 173) + assert compiled_policy.nodecon_count == 173 - def test_120_permission_count(self): + def test_permission_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: permission count""" - self.assertEqual(self.p.permission_count, 29) + assert compiled_policy.permission_count == 29 - def test_121_permissive_types_count(self): + def test_permissive_types_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: permissive types count""" - self.assertEqual(self.p.permissives_count, 73) + assert compiled_policy.permissives_count == 73 - def test_122_polcap_count(self): + def test_polcap_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: policy capability count""" - self.assertEqual(self.p.polcap_count, 2) + assert compiled_policy.polcap_count == 2 - def test_123_portcon_count(self): + def test_portcon_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: portcon count""" - self.assertEqual(self.p.portcon_count, 163) + assert compiled_policy.portcon_count == 163 - def test_124_range_transition_count(self): + def test_range_transition_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: range_transition count""" - self.assertEqual(self.p.range_transition_count, 71) + assert compiled_policy.range_transition_count == 71 - def test_125_role_count(self): + def test_role_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: role count""" - self.assertEqual(self.p.role_count, 131) + assert compiled_policy.role_count == 131 - # def test_126_role_attribute_count(self): + # def test_role_attribute_count(self, compiled_policy: setools.SELinuxPolicy) -> None: - def test_127_role_allow_count(self): + def test_role_allow_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: (role) allow count""" - self.assertEqual(self.p.role_allow_count, 83) + assert compiled_policy.role_allow_count == 83 - def test_128_role_transition_count(self): + def test_role_transition_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: role_transition count""" - self.assertEqual(self.p.role_transition_count, 79) + assert compiled_policy.role_transition_count == 79 - def test_129_type_count(self): + def test_type_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: type count""" - self.assertEqual(self.p.type_count, 137) + assert compiled_policy.type_count == 137 - def test_130_type_attribute_count(self): + def test_type_attribute_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: type attribute count""" - self.assertEqual(self.p.type_attribute_count, 157) + assert compiled_policy.type_attribute_count == 157 - def test_131_type_change_count(self): + def test_type_change_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: type_change rule count""" - self.assertEqual(self.p.type_change_count, 89) + assert compiled_policy.type_change_count == 89 - def test_132_type_member_count(self): + def test_type_member_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: type_member rule count""" - self.assertEqual(self.p.type_member_count, 61) + assert compiled_policy.type_member_count == 61 - def test_133_type_transition_count(self): + def test_type_transition_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: type_transition rule count""" - self.assertEqual(self.p.type_transition_count, 97) + assert compiled_policy.type_transition_count == 97 - def test_134_user_count(self): + def test_user_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: user count""" - self.assertEqual(self.p.user_count, 101) + assert compiled_policy.user_count == 101 - def test_135_validatetrans_count(self): + def test_validatetrans_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: validatetrans count""" - self.assertEqual(self.p.validatetrans_count, 5) + assert compiled_policy.validatetrans_count == 5 - def test_136_allowxperm_count(self): + def test_allowxperm_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: allowxperm rount""" - self.assertEqual(self.p.allowxperm_count, 179) + assert compiled_policy.allowxperm_count == 179 - def test_137_allowxperm_count(self): + def test_auditallowxperm_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: auditallowxperm rount""" - self.assertEqual(self.p.auditallowxperm_count, 181) + assert compiled_policy.auditallowxperm_count == 181 - def test_138_neverallowxperm_count(self): + def test_neverallowxperm_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: neverallowxperm rount""" # changed after dropping source policy support - # self.assertEqual(self.p.neverallowxperm_count, 191) - self.assertEqual(self.p.neverallowxperm_count, 0) + # assert compiled_policy.neverallowxperm_count == 191) + assert compiled_policy.neverallowxperm_count == 0 - def test_139_allowxperm_count(self): + def test_dontauditxperm_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: dontauditxperm rount""" - self.assertEqual(self.p.dontauditxperm_count, 193) - - -@unittest.skip("No longer necessary since source policy support was dropped.") -class SELinuxPolicyLoadError(unittest.TestCase): - - """Test attempted loading of non-compiling policies.""" - - def _load_policy(self, policy): - self.assertRaises(InvalidPolicy, SELinuxPolicy, - "tests/policyrep/invalid_policies/" + policy) - - def test_nodecon_invalid_range(self): - """SELinuxPolicy: invalid nodecon range (category not associated) error.""" - self._load_policy("nodecon-invalid-range.conf") - sys.stderr.write("The \"category can not be associated\" error above is expected.") - - # this is not fixed yet. See issue #72 - @unittest.expectedFailure - def test_user_level_not_in_range(self): - """SELinuxPolicy: error for user's default level isn't within the range.""" - self._load_policy("user-level-not-in-range.conf") + assert compiled_policy.dontauditxperm_count == 193 From ee67273225e5d0f21ea85660a1e3b3e9b506f457 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 8 Apr 2024 14:47:14 -0400 Subject: [PATCH 09/71] TestSELinuxPolicyLookup: Add generated test cases for SELinuxpolicy.lookup_* metods. Signed-off-by: Chris PeBenito --- tests/library/policyrep/test_selinuxpolicy.py | 89 +++++++++++++++++++ 1 file changed, 89 insertions(+) diff --git a/tests/library/policyrep/test_selinuxpolicy.py b/tests/library/policyrep/test_selinuxpolicy.py index b5a6cf95..9d8ebfde 100644 --- a/tests/library/policyrep/test_selinuxpolicy.py +++ b/tests/library/policyrep/test_selinuxpolicy.py @@ -4,6 +4,7 @@ # import copy +import dataclasses import pytest import setools @@ -191,3 +192,91 @@ def test_neverallowxperm_count(self, compiled_policy: setools.SELinuxPolicy) -> def test_dontauditxperm_count(self, compiled_policy: setools.SELinuxPolicy) -> None: """SELinuxPolicy: dontauditxperm rount""" assert compiled_policy.dontauditxperm_count == 193 + + +@dataclasses.dataclass +class LookupTestCase: + + method_name: str + obj_name: str + exc_type: type[Exception] + alias_name: str | None = None + + +lookup_test_data = [ + LookupTestCase("lookup_boolean", "bool13", setools.exception.InvalidBoolean), + LookupTestCase("lookup_category", "c15", setools.exception.InvalidCategory), + LookupTestCase("lookup_category", "c2", setools.exception.InvalidCategory, "cat_alias2"), + LookupTestCase("lookup_class", "infoflow6", setools.exception.InvalidClass), + LookupTestCase("lookup_common", "hi_c", setools.exception.InvalidCommon), + LookupTestCase("lookup_level", "s4:c5", setools.exception.InvalidLevel), + LookupTestCase("lookup_range", "s0 - s3", setools.exception.InvalidRange), + LookupTestCase("lookup_role", "role50", setools.exception.InvalidRole), + LookupTestCase("lookup_sensitivity", "s3", setools.exception.InvalidSensitivity), + LookupTestCase("lookup_sensitivity", "s0", setools.exception.InvalidSensitivity, + "sens_alias0"), + LookupTestCase("lookup_type", "type32", setools.exception.InvalidType), + LookupTestCase("lookup_type", "type1", setools.exception.InvalidType, "type_alias1"), + LookupTestCase("lookup_type_or_attr", "type97", setools.exception.InvalidType), + LookupTestCase("lookup_type_or_attr", "type2", setools.exception.InvalidType, "type_alias2"), + LookupTestCase("lookup_type_or_attr", "attr13", setools.exception.InvalidType), + LookupTestCase("lookup_typeattr", "attr17", setools.exception.InvalidType), + LookupTestCase("lookup_user", "user57", setools.exception.InvalidUser) +] + + +@pytest.mark.obj_args("tests/library/policyrep/selinuxpolicy.conf") +@pytest.mark.parametrize("testcase", lookup_test_data) +class TestSELinuxPolicyLookup: + + """Generated test cases for the SELinuxPolicy lookup methods.""" + + def test_lookup(self, testcase: LookupTestCase, + compiled_policy: setools.SELinuxPolicy) -> None: + """Test successful policy lookup.""" + method = getattr(compiled_policy, testcase.method_name) + if testcase.alias_name: + # look up by alias + obj = method(testcase.alias_name) + else: + obj = method(testcase.obj_name) + + assert testcase.obj_name == obj, f"{obj}" + + def test_lookup_invalid(self, testcase: LookupTestCase, + compiled_policy: setools.SELinuxPolicy) -> None: + """Test failed lookup.""" + method = getattr(compiled_policy, testcase.method_name) + with pytest.raises(testcase.exc_type): + obj = method("INVALID") + + def test_lookup_alias(self, testcase: LookupTestCase, + compiled_policy: setools.SELinuxPolicy) -> None: + """Test successful policy lookup by alias.""" + if not testcase.alias_name: + pytest.skip("Alias not configured for testcase.") + + method = getattr(compiled_policy, testcase.method_name) + # look up by alias + obj = method(testcase.alias_name, deref=True) + assert testcase.obj_name == obj, f"{obj}" + + def test_lookup_invalid_alias(self, testcase: LookupTestCase, + compiled_policy: setools.SELinuxPolicy) -> None: + """Test failed lookup due to invalid alias.""" + if not testcase.alias_name: + pytest.skip("Alias not configured for testcase.") + + method = getattr(compiled_policy, testcase.method_name) + with pytest.raises(testcase.exc_type): + obj = method("INVALID", deref=True) + + def test_lookup_no_deref_alias(self, testcase: LookupTestCase, + compiled_policy: setools.SELinuxPolicy) -> None: + """Test failed lookup due to disabled dereference.""" + if not testcase.alias_name: + pytest.skip("Alias not configured for testcase.") + + method = getattr(compiled_policy, testcase.method_name) + with pytest.raises(testcase.exc_type): + obj = method(testcase.alias_name, deref=False) From ec7bf76ff4de81f211925dd3acf8dd7f8307f723 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 8 Apr 2024 14:49:51 -0400 Subject: [PATCH 10/71] SELinuxPolicy.lookup_category(): Fix typo error in f-string. Signed-off-by: Chris PeBenito --- setools/policyrep/selinuxpolicy.pxi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setools/policyrep/selinuxpolicy.pxi b/setools/policyrep/selinuxpolicy.pxi index 14bbe73a..6eaa0b79 100644 --- a/setools/policyrep/selinuxpolicy.pxi +++ b/setools/policyrep/selinuxpolicy.pxi @@ -349,7 +349,7 @@ cdef class SELinuxPolicy: if c == name or (deref and name in list(c.aliases())): return c - raise InvalidCategory("f{name} is not a valid category") + raise InvalidCategory(f"{name} is not a valid category") def lookup_class(self, name): """Look up an object class.""" From 4ef22121972fc5c9a28287814a86de7de356afb7 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 8 Apr 2024 14:50:41 -0400 Subject: [PATCH 11/71] SELinuxPolicy: Drop lookup_initialSid method. This is not a component, but rather a labeling statement. Signed-off-by: Chris PeBenito --- setools/policyrep/selinuxpolicy.pxi | 8 -------- 1 file changed, 8 deletions(-) diff --git a/setools/policyrep/selinuxpolicy.pxi b/setools/policyrep/selinuxpolicy.pxi index 6eaa0b79..be8be3ec 100644 --- a/setools/policyrep/selinuxpolicy.pxi +++ b/setools/policyrep/selinuxpolicy.pxi @@ -367,14 +367,6 @@ cdef class SELinuxPolicy: raise InvalidCommon(f"{name} is not a valid common") - def lookup_initialsid(self, name): - """Look up an initial sid.""" - for sid in self.initialsids(): - if sid == name: - return sid - - raise InvalidInitialSid(f"{name} is not a valid initial SID") - def lookup_level(self, level): """Look up a MLS level.""" return Level.factory_from_string(self, level) From f706b8bf6f3c1cf4650768f58c81de749d373400 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 8 Apr 2024 15:33:24 -0400 Subject: [PATCH 12/71] TestPolicyCapability: Update tests to pytest fixtures and for Cython implementation. Signed-off-by: Chris PeBenito --- tests/library/policyrep/polcap.conf | 136 +++++++++++++++++++++++++ tests/library/policyrep/test_polcap.py | 52 ++-------- 2 files changed, 147 insertions(+), 41 deletions(-) create mode 100644 tests/library/policyrep/polcap.conf diff --git a/tests/library/policyrep/polcap.conf b/tests/library/policyrep/polcap.conf new file mode 100644 index 00000000..3da440d7 --- /dev/null +++ b/tests/library/policyrep/polcap.conf @@ -0,0 +1,136 @@ +class infoflow +class infoflow2 +class infoflow3 +class infoflow4 +class infoflow5 +class infoflow6 +class infoflow7 + +sid kernel +sid security + +common infoflow +{ + low_w + med_w + hi_w + low_r + med_r + hi_r +} + +class infoflow +inherits infoflow + +class infoflow2 +inherits infoflow +{ + super_w + super_r +} + +class infoflow3 +{ + null +} + +class infoflow4 +inherits infoflow + +class infoflow5 +inherits infoflow + +class infoflow6 +inherits infoflow + +class infoflow7 +inherits infoflow +{ + super_w + super_r + super_none + super_both + super_unmapped +} + +sensitivity s0; +sensitivity s1; +sensitivity s2; + +dominance { s0 s1 s2 } + +category c0; +category c1; +category c2; +category c3; +category c4; +category c5; +category c6; +category c7; +category c8; +category c9; +category c10; +category c11; +category c12; +category c13; + +#level decl +level s0:c0.c2; +level s1:c0.c13; +level s2:c0.c13; + +#some constraints +mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); + +policycap open_perms; + +attribute mls_exempt; + +type system; +role system; +role system types system; + +role role20_r; +role role21a_r; +role role21b_r; +role role21c_r; + +role role20_r types system; +role role21a_r types system; +role role21b_r types system; +role role21c_r types system; + +type type30; +type type31a; +type type31b; +type type31c; +role system types { type30 type31a type31b type31c }; + +allow system self:infoflow hi_w; + +#users +user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4; +user user10 roles system level s1:c2 range s1 - s2:c0.c4; +user user20 roles { role20_r role21a_r } level s0 range s0 - s2:c0.c4; + +#normal constraints +constrain infoflow hi_w (u1 == u2); + +#isids +sid kernel system:system:system:s0 +sid security system:system:system:s0 + +#fs_use +fs_use_trans devpts system:object_r:system:s0; +fs_use_xattr ext3 system:object_r:system:s0; +fs_use_task pipefs system:object_r:system:s0; + +#genfscon +genfscon proc / system:object_r:system:s1 +genfscon proc /sys system:object_r:system:s0 +genfscon selinuxfs / system:object_r:system:s2:c0.c4 +portcon tcp 1 system:system:system:s0:c0.c1 +netifcon eth0 system:object_r:system:s0 system:object_r:system:s0 +nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0 +nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0 + diff --git a/tests/library/policyrep/test_polcap.py b/tests/library/policyrep/test_polcap.py index c5ccc604..b71021ab 100644 --- a/tests/library/policyrep/test_polcap.py +++ b/tests/library/policyrep/test_polcap.py @@ -2,50 +2,20 @@ # # SPDX-License-Identifier: GPL-2.0-only # -# Until this is fixed for cython: -# pylint: disable=undefined-variable -import unittest -from unittest.mock import Mock +import pytest -@unittest.skip("Needs to be reworked for cython") -class PolCapTest(unittest.TestCase): +@pytest.mark.obj_args("tests/library/policyrep/polcap.conf") +class TestPolicyCapability: - @staticmethod - def mock_cap(name): - cap = Mock(qpol.qpol_polcap_t) - cap.name.return_value = name - return cap - - def setUp(self): - self.p = Mock(qpol.qpol_policy_t) - - def test_001_factory(self): - """PolCap: factory on qpol object.""" - q = self.mock_cap("test1") - cap = polcap_factory(self.p, q) - self.assertEqual("test1", cap.qpol_symbol.name(self.p)) - - def test_002_factory_object(self): - """PolCap: factory on PolCap object.""" - q = self.mock_cap("test2") - cap1 = polcap_factory(self.p, q) - cap2 = polcap_factory(self.p, cap1) - self.assertIs(cap2, cap1) - - def test_003_factory_lookup(self): - """PolCap: factory lookup.""" - with self.assertRaises(TypeError): - polcap_factory(self.p, "open_perms") - - def test_010_string(self): + def test_string(self, compiled_policy): """PolCap: basic string rendering.""" - q = self.mock_cap("test10") - cap = polcap_factory(self.p, q) - self.assertEqual("test10", str(cap)) + caps = list(compiled_policy.polcaps()) + assert len(caps) == 1 + assert "open_perms" == str(caps[0]) - def test_020_statement(self): + def test_statement(self, compiled_policy): """PolCap: statement.""" - q = self.mock_cap("test20") - cap = polcap_factory(self.p, q) - self.assertEqual("policycap test20;", cap.statement()) + caps = list(compiled_policy.polcaps()) + assert len(caps) == 1 + assert "policycap open_perms;" == caps[0].statement() From 3fb1fde56277a4f98ba83302e4607ee26b149021 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 8 Apr 2024 16:35:43 -0400 Subject: [PATCH 13/71] TestInitialSID: Update tests to pytest fixtures and for Cython implementation. Signed-off-by: Chris PeBenito --- tests/library/policyrep/initsid.conf | 2 - tests/library/policyrep/test_initsid.py | 72 ++++++------------------- 2 files changed, 16 insertions(+), 58 deletions(-) diff --git a/tests/library/policyrep/initsid.conf b/tests/library/policyrep/initsid.conf index 1b2db897..c0ff3347 100644 --- a/tests/library/policyrep/initsid.conf +++ b/tests/library/policyrep/initsid.conf @@ -7,7 +7,6 @@ class infoflow6 class infoflow7 sid kernel -sid security common infoflow { @@ -118,7 +117,6 @@ constrain infoflow hi_w (u1 == u2); #isids sid kernel system:system:system:s0 -sid security system:system:system:s0 #fs_use fs_use_trans devpts system:object_r:system:s0; diff --git a/tests/library/policyrep/test_initsid.py b/tests/library/policyrep/test_initsid.py index 14067528..d9edab7f 100644 --- a/tests/library/policyrep/test_initsid.py +++ b/tests/library/policyrep/test_initsid.py @@ -2,67 +2,27 @@ # # SPDX-License-Identifier: GPL-2.0-only # -# Until this is fixed for cython: -# pylint: disable=undefined-variable,no-member -import unittest -from unittest.mock import Mock, patch +import pytest +import setools -from setools import SELinuxPolicy -from setools.exception import InvalidInitialSid +@pytest.mark.obj_args("tests/library/policyrep/initsid.conf") +class TestInitialSID: -@unittest.skip("Needs to be reworked for cython") -@patch('setools.policyrep.context.context_factory', lambda x, y: y) -class InitialSIDTest(unittest.TestCase): - - @staticmethod - def mock_sid(name): - sid = Mock(qpol.qpol_isid_t) - sid.name.return_value = name - sid.context.return_value = name + "_context" - return sid - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/initsid.conf") - - def test_001_factory(self): - """InitialSID: factory on qpol object.""" - q = self.mock_sid("test1") - sid = initialsid_factory(self.p.policy, q) - self.assertEqual("test1", sid.qpol_symbol.name(self.p.policy)) - - def test_002_factory_object(self): - """InitialSID: factory on InitialSID object.""" - q = self.mock_sid("test2") - sid1 = initialsid_factory(self.p.policy, q) - sid2 = initialsid_factory(self.p.policy, sid1) - self.assertIs(sid2, sid1) - - def test_003_factory_lookup(self): - """InitialSID: factory lookup.""" - sid = initialsid_factory(self.p.policy, "kernel") - self.assertEqual("kernel", sid.qpol_symbol.name(self.p.policy)) - - def test_004_factory_lookup_invalid(self): - """InitialSID: factory lookup.""" - with self.assertRaises(InvalidInitialSid): - initialsid_factory(self.p.policy, "INVALID") - - def test_010_string(self): + def test_string(self, compiled_policy: setools.SELinuxPolicy) -> None: """InitialSID: basic string rendering.""" - q = self.mock_sid("test10") - sid = initialsid_factory(self.p.policy, q) - self.assertEqual("test10", str(sid)) + sids = list(compiled_policy.initialsids()) + assert len(sids) == 1 + assert "kernel" == str(sids[0]) - def test_020_statement(self): + def test_context(self, compiled_policy: setools.SELinuxPolicy) -> None: """InitialSID: context.""" - q = self.mock_sid("test20") - sid = initialsid_factory(self.p.policy, q) - self.assertEqual("test20_context", sid.context) + sids = list(compiled_policy.initialsids()) + assert len(sids) == 1 + assert "system:system:system:s0" == sids[0].context, sids[0].context - def test_030_statement(self): + def test_statement(self, compiled_policy: setools.SELinuxPolicy) -> None: """InitialSID: statement.""" - q = self.mock_sid("test30") - sid = initialsid_factory(self.p.policy, q) - self.assertEqual("sid test30 test30_context", sid.statement()) + sids = list(compiled_policy.initialsids()) + assert len(sids) == 1 + assert "sid kernel system:system:system:s0" == sids[0].statement(), sids[0].statement() From d421f471a2b8f9709ae3f6b271b518f671e7abd3 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 9 Apr 2024 10:26:45 -0400 Subject: [PATCH 14/71] SELinuxPolicy: Fix f-string in InvalidPolicy exception. Signed-off-by: Chris PeBenito --- setools/policyrep/selinuxpolicy.pxi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setools/policyrep/selinuxpolicy.pxi b/setools/policyrep/selinuxpolicy.pxi index be8be3ec..d7b59fdf 100644 --- a/setools/policyrep/selinuxpolicy.pxi +++ b/setools/policyrep/selinuxpolicy.pxi @@ -677,7 +677,7 @@ cdef class SELinuxPolicy: if sepol.sepol_policydb_read(self.handle, pfile) < 0: raise InvalidPolicy(f"Invalid policy: {filename}. A binary policy must be specified. " - "(use e.g. policy.{sepol.sepol_policy_kern_vers_max()} or " + f"(use e.g. policy.{sepol.sepol_policy_kern_vers_max()} or " "sepolicy) Source policies are not supported.") fclose(infile) From b43c844f1afc3b0d2cac824868037dd2d86a3840 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 9 Apr 2024 14:18:29 -0400 Subject: [PATCH 15/71] TestObjClass, TestCommon: Update tests to pytest fixtures and for Cython implementation. Split object class tests and common tests into separate modules. Signed-off-by: Chris PeBenito --- tests/library/policyrep/common.conf | 113 +++++++++++++++ tests/library/policyrep/objclass.conf | 6 + tests/library/policyrep/test_common.py | 34 +++++ tests/library/policyrep/test_objclass.py | 174 +++++------------------ 4 files changed, 187 insertions(+), 140 deletions(-) create mode 100644 tests/library/policyrep/common.conf create mode 100644 tests/library/policyrep/test_common.py diff --git a/tests/library/policyrep/common.conf b/tests/library/policyrep/common.conf new file mode 100644 index 00000000..943c2109 --- /dev/null +++ b/tests/library/policyrep/common.conf @@ -0,0 +1,113 @@ +class infoflow +class infoflow2 +class infoflow3 +class infoflow4 +class infoflow7 +class infoflow8 +class infoflow10 + +sid kernel +sid security + +common infoflow +{ + low_w + low_r +} + +class infoflow +inherits infoflow + +class infoflow2 +inherits infoflow +{ + super_w + super_r +} + +class infoflow3 +{ + null +} + +class infoflow4 +inherits infoflow +{ + super_w + super_r + super_none + super_both + super_unmapped +} + +class infoflow7 +inherits infoflow +{ + unmapped +} + +class infoflow8 +{ + super_w + super_r +} + +class infoflow10 +{ + read + write +} + +sensitivity low_s; +sensitivity medium_s alias med; +sensitivity high_s; + +dominance { low_s med high_s } + +category here; +category there; +category elsewhere alias lost; + +#level decl +level low_s:here.there; +level med:here, elsewhere; +level high_s:here.lost; + +#some constraints +mlsconstrain infoflow low_r ((l1 dom l2) or (t1 == mls_exempt)); + +attribute mls_exempt; + +type system; +role system; +role system types system; + +allow system self:infoflow3 null; + +#users +user system roles system level med range low_s - high_s:here.lost; + +#normal constraints +constrain infoflow low_w (u1 == u2); + +#isids +sid kernel system:system:system:medium_s:here +sid security system:system:system:high_s:lost + +#fs_use +fs_use_trans devpts system:object_r:system:low_s; +fs_use_xattr ext3 system:object_r:system:low_s; +fs_use_task pipefs system:object_r:system:low_s; + +#genfscon +genfscon proc / system:object_r:system:med +genfscon proc /sys system:object_r:system:low_s +genfscon selinuxfs / system:object_r:system:high_s:here.there + +portcon tcp 80 system:object_r:system:low_s + +netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s + +nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here +nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here + diff --git a/tests/library/policyrep/objclass.conf b/tests/library/policyrep/objclass.conf index e19200b6..daeee4af 100644 --- a/tests/library/policyrep/objclass.conf +++ b/tests/library/policyrep/objclass.conf @@ -74,6 +74,10 @@ inherits com_a class infoflow6 inherits com_b +{ + perm1 + perm2 +} class infoflow7 inherits infoflow @@ -120,6 +124,8 @@ type system; role system; role system types system; +allow system self:infoflow3 null; + #users user system roles system level med range low_s - high_s:here.lost; diff --git a/tests/library/policyrep/test_common.py b/tests/library/policyrep/test_common.py new file mode 100644 index 00000000..81a78629 --- /dev/null +++ b/tests/library/policyrep/test_common.py @@ -0,0 +1,34 @@ +# Copyright 2015, Tresys Technology, LLC +# +# SPDX-License-Identifier: GPL-2.0-only +# +import pytest +import setools + + +@pytest.mark.obj_args("tests/library/policyrep/common.conf") +class TestCommon: + + def test_string(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Common: string representation""" + com = list(compiled_policy.commons()).pop() + assert "infoflow" == str(com), str(com) + + def test_perms(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Common: permissions""" + com = list(compiled_policy.commons()).pop() + assert set(["low_w", "low_r"]) == com.perms, com.perms + + def test_statment(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Common: statement.""" + com = list(compiled_policy.commons()).pop() + assert com.statement() in ( + "common infoflow\n{\n\tlow_w\n\tlow_r\n}", + "common infoflow\n{\n\tlow_r\n\tlow_w\n}"), \ + com.statement() + + def test_contains(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Common: contains""" + com = list(compiled_policy.commons()).pop() + assert "low_r" in com + assert "med_r" not in com diff --git a/tests/library/policyrep/test_objclass.py b/tests/library/policyrep/test_objclass.py index b8a7b54d..92df9114 100644 --- a/tests/library/policyrep/test_objclass.py +++ b/tests/library/policyrep/test_objclass.py @@ -2,159 +2,53 @@ # # SPDX-License-Identifier: GPL-2.0-only # -# Until this is fixed for cython: -# pylint: disable=undefined-variable,no-member -import unittest -from unittest.mock import Mock +import pytest +import setools -from setools import SELinuxPolicy -from setools.exception import InvalidCommon, InvalidClass +@pytest.mark.obj_args("tests/library/policyrep/objclass.conf") +class TestObjClass: -@unittest.skip("Needs to be reworked for cython") -class CommonTest(unittest.TestCase): - - @staticmethod - def mock_common(name, perms): - policy = Mock(qpol.qpol_policy_t) - com = Mock(qpol.qpol_common_t) - com.name.return_value = name - com.perm_iter = lambda x: iter(perms) - return common_factory(policy, com) - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/objclass.conf") - - def test_001_lookup(self): - """Common: factory policy lookup.""" - com = common_factory(self.p.policy, "com_a") - self.assertEqual("com_a", com.qpol_symbol.name(self.p.policy)) - - def test_002_lookup_invalid(self): - """Common: factory policy invalid lookup.""" - with self.assertRaises(InvalidCommon): - common_factory(self.p.policy, "INVALID") - - def test_003_lookup_object(self): - """Common: factory policy lookup of Common object.""" - com1 = common_factory(self.p.policy, "com_b") - com2 = common_factory(self.p.policy, com1) - self.assertIs(com2, com1) - - def test_010_string(self): - """Common: string representation""" - com = self.mock_common("test10", ["perm1", "perm2"]) - self.assertEqual("test10", str(com)) - - def test_020_perms(self): - """Common: permissions""" - com = self.mock_common("test20", ["perm1", "perm2"]) - self.assertEqual(set(["perm1", "perm2"]), com.perms) - - def test_030_statment(self): - """Common: statement.""" - com = self.mock_common("test30", ["perm1", "perm2"]) - self.assertRegex(com.statement(), "(" - "common test30\n{\n\tperm1\n\tperm2\n}" - "|" - "common test30\n{\n\tperm2\n\tperm1\n}" - ")") - - def test_040_contains(self): - """Common: contains""" - com = self.mock_common("test40", ["perm1", "perm2"]) - self.assertIn("perm1", com) - self.assertNotIn("perm3", com) - - -@unittest.skip("Needs to be reworked for cython") -class ObjClassTest(unittest.TestCase): - - @staticmethod - def mock_class(name, perms, com_perms=[]): - policy = Mock(qpol.qpol_policy_t) - - cls = Mock(qpol.qpol_class_t) - cls.name.return_value = name - cls.perm_iter = lambda x: iter(perms) - - if com_perms: - com = Mock(qpol.qpol_common_t) - com.name.return_value = name + "_common" - com.perm_iter = lambda x: iter(com_perms) - cls.common.return_value = com - else: - cls.common.side_effect = ValueError - - return class_factory(policy, cls) - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/objclass.conf") - - def test_001_lookup(self): - """ObjClass: factory policy lookup.""" - cls = class_factory(self.p.policy, "infoflow") - self.assertEqual("infoflow", cls.qpol_symbol.name(self.p.policy)) - - def test_002_lookup_invalid(self): - """ObjClass: factory policy invalid lookup.""" - with self.assertRaises(InvalidClass): - class_factory(self.p.policy, "INVALID") - - def test_003_lookup_object(self): - """ObjClass: factory policy lookup of ObjClass object.""" - cls1 = class_factory(self.p.policy, "infoflow4") - cls2 = class_factory(self.p.policy, cls1) - self.assertIs(cls2, cls1) - - def test_010_string(self): + def test_string(self, compiled_policy: setools.SELinuxPolicy) -> None: """ObjClass: string representation""" - cls = self.mock_class("test10", ["perm1", "perm2"]) - self.assertEqual("test10", str(cls)) + cls = compiled_policy.lookup_class("infoflow") + assert "infoflow" == str(cls), str(cls) - def test_020_perms(self): + def test_perms(self, compiled_policy: setools.SELinuxPolicy) -> None: """ObjClass: permissions""" - cls = self.mock_class("test20", ["perm1", "perm2"], com_perms=["perm3", "perm4"]) - self.assertEqual(set(["perm1", "perm2"]), cls.perms) + cls = compiled_policy.lookup_class("infoflow8") + assert frozenset(["super_w", "super_r"]) == cls.perms, f"{cls.perms}" - def test_030_statment(self): + def test_statment_wo_common_w_unique(self, compiled_policy: setools.SELinuxPolicy) -> None: """ObjClass: statement, no common.""" - cls = self.mock_class("test30", ["perm1", "perm2"]) - self.assertRegex(cls.statement(), "(" - "class test30\n{\n\tperm1\n\tperm2\n}" - "|" - "class test30\n{\n\tperm2\n\tperm1\n}" - ")") + cls = compiled_policy.lookup_class("infoflow8") + assert cls.statement() in ( + "class infoflow8\n{\n\tsuper_w\n\tsuper_r\n}", + "class infoflow8\n{\n\tsuper_r\n\tsuper_w\n}"), \ + cls.statement() - def test_031_statment(self): + def test_statment_w_common_w_unique(self, compiled_policy: setools.SELinuxPolicy) -> None: """ObjClass: statement, with common.""" - cls = self.mock_class("test31", ["perm1", "perm2"], com_perms=["perm3", "perm4"]) - self.assertRegex(cls.statement(), "(" - "class test31\ninherits test31_common\n{\n\tperm1\n\tperm2\n}" - "|" - "class test31\ninherits test31_common\n{\n\tperm2\n\tperm1\n}" - ")") + cls = compiled_policy.lookup_class("infoflow6") + assert cls.statement() in ( + "class infoflow6\ninherits com_b\n{\n\tperm1\n\tperm2\n}", + "class infoflow6\ninherits com_b\n{\n\tperm2\n\tperm1\n}"), \ + cls.statement() - def test_032_statment(self): + def test_statment_w_common_wo_unique(self, compiled_policy: setools.SELinuxPolicy) -> None: """ObjClass: statement, with common, no class perms.""" - cls = self.mock_class("test32", [], com_perms=["perm3", "perm4"]) - self.assertRegex(cls.statement(), "(" - "class test32\ninherits test32_common" - "|" - "class test32\ninherits test32_common" - ")") + cls = compiled_policy.lookup_class("infoflow5") + assert cls.statement() == "class infoflow5\ninherits com_a\n", cls.statement() - def test_040_contains(self): + def test_contains_wo_common(self, compiled_policy: setools.SELinuxPolicy) -> None: """ObjClass: contains""" - cls = self.mock_class("test40", ["perm1", "perm2"]) - self.assertIn("perm1", cls) - self.assertNotIn("perm3", cls) + cls = compiled_policy.lookup_class("infoflow10") + assert "read" in cls + assert "execute" not in cls - def test_041_contains_common(self): + def test_contains_w_common(self, compiled_policy: setools.SELinuxPolicy) -> None: """ObjClass: contains, with common""" - cls = self.mock_class("test41", ["perm1", "perm2"], com_perms=["perm3", "perm4"]) - self.assertIn("perm1", cls) - self.assertIn("perm3", cls) - self.assertNotIn("perm5", cls) + cls = compiled_policy.lookup_class("infoflow4") + assert "super_both" in cls + assert "hi_w" in cls + assert "unmapped" not in cls From 57566d9c721c44bc434a15c07c58cb2d8f5b534b Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 10 Apr 2024 08:11:48 -0400 Subject: [PATCH 16/71] tests: Skip GUI tests if key dependencies are missing. Ignore GUI tests if DISPLAY is not set or PyQt is not available. Signed-off-by: Chris PeBenito --- tests/gui/conftest.py | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 tests/gui/conftest.py diff --git a/tests/gui/conftest.py b/tests/gui/conftest.py new file mode 100644 index 00000000..03de29a8 --- /dev/null +++ b/tests/gui/conftest.py @@ -0,0 +1,31 @@ +# SPDX-License-Identifier: GPL-2.0-only + +import os +import pathlib +import pytest + +try: + import PyQt6 + have_pyqt6 = True +except ImportError: + have_pyqt6 = False + +try: + import pytestqt + have_pqtestqt = True +except ImportError: + have_pqtestqt = False + + +def pytest_ignore_collect(collection_path: pathlib.Path, path, + config: pytest.Config) -> bool | None: + + """Ignore GUI tests if DISPLAY is not set or PyQt is not available.""" + + xdisp = bool(os.getenv("DISPLAY")) + + # Return True to prevent considering this path for collection. + if all((xdisp, have_pyqt6, have_pqtestqt)): + return False + + return True From d610e1b0f737a65c6c88a8aee4aba0c4df005d33 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 10 Apr 2024 10:17:13 -0400 Subject: [PATCH 17/71] TestRules: Update tests to pytest fixtures and for Cython implementation. Use pytest parameterization to generate test cases for the three rule groups (RBAC, MLS, TE). Add default properties to PolicyObject to raise RuleUseError for consistency, as previously, in some cases, AttributeError was raised. Signed-off-by: Chris PeBenito --- setools/constraintquery.py | 2 +- setools/policyrep.pyi | 23 +- setools/policyrep/object.pxi | 9 + setools/policyrep/rbacrule.pxi | 10 - setools/policyrep/role.pxi | 4 - setools/policyrep/rule.pxi | 27 ++ setoolsgui/widgets/models/terule.py | 2 +- tests/library/policyrep/rules.conf | 155 +++++++++ tests/library/policyrep/test_mlsrule.py | 82 ----- tests/library/policyrep/test_rbacrule.py | 150 --------- tests/library/policyrep/test_rules.py | 217 ++++++++++++ tests/library/policyrep/test_terule.py | 405 ----------------------- 12 files changed, 420 insertions(+), 666 deletions(-) create mode 100644 tests/library/policyrep/rules.conf delete mode 100644 tests/library/policyrep/test_mlsrule.py delete mode 100644 tests/library/policyrep/test_rbacrule.py create mode 100644 tests/library/policyrep/test_rules.py delete mode 100644 tests/library/policyrep/test_terule.py diff --git a/setools/constraintquery.py b/setools/constraintquery.py index 1449c80c..21a7fda1 100644 --- a/setools/constraintquery.py +++ b/setools/constraintquery.py @@ -77,7 +77,7 @@ def _match_expr(self, expr: frozenset[policyrep.User] | frozenset[policyrep.Role if indirect: obj = set() for item in expr: - obj.update(item.expand()) # type: ignore[union-attr] + obj.update(item.expand()) else: obj = expr diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index 5ae40ab9..eb5bf303 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -46,22 +46,22 @@ class PolicyRule(PolicyObject): conditional_block: bool = ... extended: bool = ... origin: "PolicyRule" = ... - ruletype: Any = ... + ruletype: "PolicyEnum" = ... source: "PolicySymbol" = ... target: "PolicySymbol" = ... - __pyx_vtable__: Any = ... - def __init__(self, *args, **kwargs) -> None: ... + tclass: "ObjClass" = ... + xperm_type: str = ... + perms: frozenset[str] | "IoctlSet" = ... + default: PolicyObject = ... + filename: str = ... def enabled(self, **kwargs) -> bool: ... - def expand(self) -> Any: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... + def expand(self) -> Iterable["PolicyRule"]: ... class PolicySymbol(PolicyObject): name: str = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... + def __contains__(self, other) -> bool: ... + def expand(self) -> Iterable["PolicySymbol"]: ... class PolicyIterator: def __init__(self, *args, **kwargs) -> None: ... @@ -160,7 +160,7 @@ class OcontextIterator(PolicyIterator): # class AVRule(BaseTERule): default: NoReturn = ... - perms: set[str] = ... + perms: frozenset[str] = ... __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def derive_expanded(self, *args, **kwargs) -> "AVRule": ... @@ -267,7 +267,6 @@ class Common(PolicySymbol): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __contains__(self, other) -> bool: ... def __reduce__(self) -> Any: ... def __setstate__(self, state) -> Any: ... @@ -891,7 +890,6 @@ class ObjClass(PolicySymbol): def defaults(self, *args, **kwargs) -> Iterable[AnyDefault]: ... def statement(self) -> str: ... def validatetrans(self, *args, **kwargs) -> Iterable["Validatetrans"]: ... - def __contains__(self, other) -> bool: ... def __reduce__(self) -> Any: ... def __setstate__(self, state) -> Any: ... @@ -1304,7 +1302,6 @@ class TypeAttribute(BaseType): def attributes(self) -> Iterable["TypeAttribute"]: ... def expand(self) -> Iterable["Type"]: ... def statement(self) -> str: ... - def __contains__(self, other) -> bool: ... def __iter__(self) -> Iterable["TypeAttribute"]: ... def __len__(self) -> int: ... def __reduce__(self) -> Any: ... diff --git a/setools/policyrep/object.pxi b/setools/policyrep/object.pxi index dd87b32a..944359b2 100644 --- a/setools/policyrep/object.pxi +++ b/setools/policyrep/object.pxi @@ -72,9 +72,18 @@ cdef class PolicySymbol(PolicyObject): cdef readonly str name + def __contains__(self, other): + # Default is non-expandable. + return self is other + def __str__(self): return self.name + def expand(self): + """Expand the symbol into constitent symbols.""" + # Default is non-expandable. + yield self + cdef class Ocontext(PolicyObject): diff --git a/setools/policyrep/rbacrule.pxi b/setools/policyrep/rbacrule.pxi index 03949d73..818ed483 100644 --- a/setools/policyrep/rbacrule.pxi +++ b/setools/policyrep/rbacrule.pxi @@ -43,16 +43,6 @@ cdef class RoleAllow(PolicyRule): def __lt__(self, other): return str(self) < str(other) - @property - def tclass(self): - """The rule's object class.""" - raise RuleUseError("Role allow rules do not have an object class.") - - @property - def default(self): - """The rule's default role.""" - raise RuleUseError("Role allow rules do not have a default role.") - def expand(self): """Expand the rule into an equivalent set of rules without attributes.""" cdef RoleAllow r diff --git a/setools/policyrep/role.pxi b/setools/policyrep/role.pxi index 2ad089f7..a83d9de6 100644 --- a/setools/policyrep/role.pxi +++ b/setools/policyrep/role.pxi @@ -28,10 +28,6 @@ cdef class Role(PolicySymbol): #return set(RoleEbitmapIterator.factory(self.policy, &self.handle.dominates)) return frozenset() - def expand(self): - """Generator that expands this into its member roles.""" - yield self - def types(self): """Generator which yields the role's set of types.""" return iter(self._types) diff --git a/setools/policyrep/rule.pxi b/setools/policyrep/rule.pxi index 1d3edc0b..fd728de0 100644 --- a/setools/policyrep/rule.pxi +++ b/setools/policyrep/rule.pxi @@ -28,6 +28,33 @@ cdef class PolicyRule(PolicyObject): # Most rule types cannot be conditional. raise RuleNotConditional + @property + def default(self): + """The rule's default.""" + raise RuleUseError + + @property + def filename(self): + """The filename for this rule.""" + # Most rule types do not have filenames. + raise RuleUseError + + @property + def perms(self): + """The permissions for this rule.""" + raise RuleUseError + + @property + def tclass(self): + """The rule's object class.""" + raise RuleUseError + + @property + def xperm_type(self): + """The extended permission type for this rule.""" + # Most rule types are not extended. + raise RuleUseError + def enabled(self, **kwargs): """ Determine if the rule is enabled, given the stated boolean values. diff --git a/setoolsgui/widgets/models/terule.py b/setoolsgui/widgets/models/terule.py index bbfeb55a..d2456a3f 100644 --- a/setoolsgui/widgets/models/terule.py +++ b/setoolsgui/widgets/models/terule.py @@ -45,7 +45,7 @@ def data(self, index: QtCore.QModelIndex, role: int = ModelRoles.DisplayRole): case 4: try: if rule.extended: - return f"{rule.xperm_type}: {rule.perms:,}" # type: ignore + return f"{rule.xperm_type}: {rule.perms:,}" else: return ", ".join(sorted(rule.perms)) # type: ignore except RuleUseError: diff --git a/tests/library/policyrep/rules.conf b/tests/library/policyrep/rules.conf new file mode 100644 index 00000000..12329b71 --- /dev/null +++ b/tests/library/policyrep/rules.conf @@ -0,0 +1,155 @@ +class infoflow +class infoflow2 +class infoflow3 +class infoflow4 +class infoflow5 +class infoflow6 +class infoflow7 + +sid kernel +sid security + +common infoflow +{ + low_w + med_w + hi_w + low_r + med_r + hi_r + ioctl +} + +class infoflow +inherits infoflow + +class infoflow2 +inherits infoflow +{ + super_w + super_r +} + +class infoflow3 +{ + null +} + +class infoflow4 +inherits infoflow + +class infoflow5 +inherits infoflow + +class infoflow6 +inherits infoflow + +class infoflow7 +inherits infoflow +{ + super_w + super_r + super_none + super_both + super_unmapped +} + +sensitivity s0; +sensitivity s1; +sensitivity s2; + +dominance { s0 s1 s2 } + +category c0; +category c1; +category c2; +category c3; +category c4; +category c5; +category c6; +category c7; +category c8; +category c9; +category c10; +category c11; +category c12; +category c13; + +#level decl +level s0:c0.c2; +level s1:c0.c13; +level s2:c0.c13; + +#some constraints +mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); + +attribute mls_exempt; + +bool a_bool false; + +type system; +role system; +role system types system; + +role role20_r; +role role21a_r; +role role21b_r; +role role21c_r; + +role role20_r types system; +role role21a_r types system; +role role21b_r types system; +role role21c_r types system; + +type type30; +type type31a; +type type31b; +type type31c; +role system types { type30 type31a type31b type31c }; + +allow role21a_r role21b_r; +role_transition role21b_r type30:infoflow role20_r; + +allow system type30:infoflow3 null; +auditallow type31c type31a:infoflow6 { hi_r hi_w }; +if (a_bool) { + dontaudit type31c type31b:infoflow7 { super_w super_r }; +} else { + type_change type31c type31b:infoflow2 system; +} +type_transition type31b system:infoflow4 type30 "the_filename"; + +allowxperm type30 type31a:infoflow ioctl 0x00ff; +auditallowxperm type31a type31b:infoflow ioctl { 0x001-0x0003 }; + +allow system self:infoflow hi_w; +range_transition type30 system:infoflow7 s0:c1 - s2:c0.c4; + +#users +user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4; +user user10 roles system level s0 range s0 - s2:c0.c4; +user user11a roles system level s0 range s0 - s2:c0.c4; +user user11b roles system level s0 range s0 - s2:c0.c4; +user user11c roles system level s0 range s0 - s2:c0.c4; + +#normal constraints +constrain infoflow hi_w (u1 == u2); + +#isids +sid kernel system:system:system:s0 +sid security system:system:system:s0 + +#fs_use +fs_use_trans devpts system:object_r:system:s0; +fs_use_xattr ext3 system:object_r:system:s0; +fs_use_task pipefs system:object_r:system:s0; + +#genfscon +genfscon proc / system:object_r:system:s1 +genfscon proc /sys system:object_r:system:s0 +genfscon selinuxfs / system:object_r:system:s2:c0.c4 +portcon tcp 1 system:system:system:s0:c0.c1 +netifcon eth0 system:object_r:system:s0 system:object_r:system:s0 +nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0 +nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0 + diff --git a/tests/library/policyrep/test_mlsrule.py b/tests/library/policyrep/test_mlsrule.py deleted file mode 100644 index 7c8b1d3a..00000000 --- a/tests/library/policyrep/test_mlsrule.py +++ /dev/null @@ -1,82 +0,0 @@ -# Copyright 2015, Tresys Technology, LLC -# -# SPDX-License-Identifier: GPL-2.0-only -# -# Until this is fixed for cython: -# pylint: disable=undefined-variable -import unittest -from unittest.mock import Mock, patch - -from setools import MLSRuletype as MRT -from setools.exception import InvalidMLSRuleType, RuleNotConditional - - -@unittest.skip("Needs to be reworked for cython") -@patch('setools.policyrep.mls.range_factory', lambda x, y: y) -@patch('setools.policyrep.typeattr.type_or_attr_factory', lambda x, y: y) -@patch('setools.policyrep.objclass.class_factory', lambda x, y: y) -class MLSRuleTest(unittest.TestCase): - - def mock_rangetrans_factory(self, source, target, tclass, default): - mock_rule = Mock(qpol_range_trans_t) - mock_rule.rule_type.return_value = MRT.range_transition - mock_rule.source_type.return_value = source - mock_rule.target_type.return_value = target - mock_rule.object_class.return_value = tclass - mock_rule.range.return_value = default - - return mls_rule_factory(self.p, mock_rule) - - def setUp(self): - self.p = Mock(qpol_policy_t) - - def test_000_factory(self): - """RangeTransition factory lookup.""" - with self.assertRaises(TypeError): - mls_rule_factory(self.p, "INVALID") - - def test_001_validate_ruletype(self): - """RangeTransition valid rule types.""" - self.assertEqual(MRT.range_transition, validate_ruletype("range_transition")) - - @unittest.skip("MLS ruletype changed to an enumeration.") - def test_002_validate_ruletype_invalid(self): - """RangeTransition valid rule types.""" - with self.assertRaises(InvalidMLSRuleType): - self.assertTrue(validate_ruletype("type_transition")) - - def test_010_ruletype(self): - """RangeTransition rule type""" - rule = self.mock_rangetrans_factory("a", "b", "c", "d") - self.assertEqual(MRT.range_transition, rule.ruletype) - - def test_020_source_type(self): - """RangeTransition source type""" - rule = self.mock_rangetrans_factory("source20", "b", "c", "d") - self.assertEqual("source20", rule.source) - - def test_030_target_type(self): - """RangeTransition target type""" - rule = self.mock_rangetrans_factory("a", "target30", "c", "d") - self.assertEqual("target30", rule.target) - - def test_040_object_class(self): - """RangeTransition object class""" - rule = self.mock_rangetrans_factory("a", "b", "class40", "d") - self.assertEqual("class40", rule.tclass) - - def test_050_default(self): - """RangeTransition default range""" - rule = self.mock_rangetrans_factory("a", "b", "c", "default50") - self.assertEqual("default50", rule.default) - - def test_060_conditional(self): - """RangeTransition conditional expression""" - rule = self.mock_rangetrans_factory("a", "b", "c", "d") - with self.assertRaises(RuleNotConditional): - rule.conditional - - def test_100_statement(self): - """RangeTransition statement.""" - rule = self.mock_rangetrans_factory("a", "b", "c", "d") - self.assertEqual("range_transition a b:c d;", rule.statement()) diff --git a/tests/library/policyrep/test_rbacrule.py b/tests/library/policyrep/test_rbacrule.py deleted file mode 100644 index cf2b01cc..00000000 --- a/tests/library/policyrep/test_rbacrule.py +++ /dev/null @@ -1,150 +0,0 @@ -# Copyright 2015, Tresys Technology, LLC -# -# SPDX-License-Identifier: GPL-2.0-only -# -# Until this is fixed for cython: -# pylint: disable=undefined-variable -import unittest -from unittest.mock import Mock, patch - -from setools.exception import InvalidRBACRuleType, RuleNotConditional, RuleUseError - - -@unittest.skip("Needs to be reworked for cython") -@patch('setools.policyrep.role.role_factory', lambda x, y: y) -class RoleAllowTest(unittest.TestCase): - - def mock_avrule_factory(self, source, target): - mock_rule = Mock(qpol_role_allow_t) - mock_rule.rule_type.return_value = RBACRuletype.allow - mock_rule.source_role.return_value = source - mock_rule.target_role.return_value = target - - return rbac_rule_factory(self.p, mock_rule) - - def setUp(self): - self.p = Mock(qpol_policy_t) - - def test_000_factory(self): - """RoleAllow factory lookup.""" - with self.assertRaises(TypeError): - rbac_rule_factory(self.p, "INVALID") - - @unittest.skip("RBAC ruletype changed to an enumeration.") - def test_001_validate_ruletype(self): - """RoleAllow valid rule types.""" - # no return value means a return of None - self.assertEqual("allow", validate_ruletype("allow")) - - def test_002_validate_ruletype_invalid(self): - """RoleAllow valid rule types.""" - with self.assertRaises(InvalidRBACRuleType): - self.assertTrue(validate_ruletype("range_transition")) - - def test_010_ruletype(self): - """RoleAllow rule type""" - rule = self.mock_avrule_factory("a", "b") - self.assertEqual(RBACRuletype.allow, rule.ruletype) - - def test_020_source_role(self): - """RoleAllow source role""" - rule = self.mock_avrule_factory("source20", "b") - self.assertEqual("source20", rule.source) - - def test_030_target_role(self): - """RoleAllow target role""" - rule = self.mock_avrule_factory("a", "target30") - self.assertEqual("target30", rule.target) - - def test_040_object_class(self): - """RoleAllow object class""" - rule = self.mock_avrule_factory("a", "b") - with self.assertRaises(RuleUseError): - rule.tclass - - def test_060_conditional(self): - """RoleAllow conditional expression""" - rule = self.mock_avrule_factory("a", "b") - with self.assertRaises(RuleNotConditional): - rule.conditional - - def test_070_default(self): - """RoleAllow default role""" - rule = self.mock_avrule_factory("a", "b") - with self.assertRaises(RuleUseError): - rule.default - - def test_100_statement_one_perm(self): - """RoleAllow statement.""" - rule = self.mock_avrule_factory("a", "b") - self.assertEqual("allow a b;", rule.statement()) - - -@unittest.skip("Needs to be reworked for cython") -@patch('setools.policyrep.role.role_factory', lambda x, y: y) -@patch('setools.policyrep.typeattr.type_or_attr_factory', lambda x, y: y) -@patch('setools.policyrep.objclass.class_factory', lambda x, y: y) -class RoleTransitionTest(unittest.TestCase): - - def mock_roletrans_factory(self, source, target, tclass, default): - mock_rule = Mock(qpol_role_trans_t) - mock_rule.rule_type.return_value = RBACRuletype.role_transition - mock_rule.source_role.return_value = source - mock_rule.target_type.return_value = target - mock_rule.object_class.return_value = tclass - mock_rule.default_role.return_value = default - - return rbac_rule_factory(self.p, mock_rule) - - def setUp(self): - self.p = Mock(qpol_policy_t) - - def test_000_factory(self): - """RoleTransition factory lookup.""" - with self.assertRaises(TypeError): - rbac_rule_factory(self.p, "INVALID") - - def test_001_validate_ruletype(self): - """RoleTransition valid rule types.""" - self.assertEqual(RBACRuletype.role_transition, validate_ruletype("role_transition")) - - def test_002_validate_ruletype_invalid(self): - """RoleTransition valid rule types.""" - with self.assertRaises(InvalidRBACRuleType): - self.assertTrue(validate_ruletype("type_transition")) - - def test_010_ruletype(self): - """RoleTransition rule type""" - rule = self.mock_roletrans_factory("a", "b", "c", "d") - self.assertEqual(RBACRuletype.role_transition, rule.ruletype) - - def test_020_source_role(self): - """RoleTransition source role""" - rule = self.mock_roletrans_factory("source20", "b", "c", "d") - self.assertEqual("source20", rule.source) - - def test_030_target_type(self): - """RoleTransition target type""" - rule = self.mock_roletrans_factory("a", "target30", "c", "d") - self.assertEqual("target30", rule.target) - - def test_040_object_class(self): - """RoleTransition object class""" - rule = self.mock_roletrans_factory("a", "b", "class40", "d") - self.assertEqual("class40", rule.tclass) - - def test_050_default(self): - """RoleTransition default role""" - rule = self.mock_roletrans_factory("a", "b", "c", "default50") - self.assertEqual("default50", rule.default) - - def test_060_conditional(self): - """RoleTransition conditional expression""" - rule = self.mock_roletrans_factory("a", "b", "c", "d") - with self.assertRaises(RuleNotConditional): - rule.conditional - - def test_100_statement(self): - """RoleTransition statement.""" - rule = self.mock_roletrans_factory("a", "b", "c", "d") - self.assertEqual("role_transition a b:c d;", rule.statement()) diff --git a/tests/library/policyrep/test_rules.py b/tests/library/policyrep/test_rules.py new file mode 100644 index 00000000..6ff6a040 --- /dev/null +++ b/tests/library/policyrep/test_rules.py @@ -0,0 +1,217 @@ +# +# SPDX-License-Identifier: GPL-2.0-only +# +from contextlib import suppress +import dataclasses +import enum + +import pytest +import setools + + +@dataclasses.dataclass +class RuleTestCase: + + """ + Rule test case + + If the field is None, it is not supported by the rule type. + """ + + ruletype: enum.Enum + source: str + target: str + statement: str + type_: type # the rule's policyrep class + tclass: str | None = None + xperm: str | None = None + perms: set[str] | setools.IoctlSet | None = None + default: str | None = None + filename: str | None = None + conditional: str | None = None + + +rule_test_data = [ + RuleTestCase(setools.RBACRuletype.allow, "role21a_r", "role21b_r", + type_=setools.RoleAllow, statement="allow role21a_r role21b_r;"), + RuleTestCase(setools.RBACRuletype.role_transition, "role21b_r", "type30", + type_=setools.RoleTransition, default="role20_r", tclass="infoflow", + statement="role_transition role21b_r type30:infoflow role20_r;"), + RuleTestCase(setools.MLSRuletype.range_transition, "type30", "system", tclass="infoflow7", + default="s0:c1 - s2:c0.c4", type_=setools.MLSRule, + statement="range_transition type30 system:infoflow7 s0:c1 - s2:c0.c4;"), + RuleTestCase(setools.TERuletype.allow, "system", "type30", tclass="infoflow3", + perms=set(("null",)), type_=setools.AVRule, + statement="allow system type30:infoflow3 null;"), + RuleTestCase(setools.TERuletype.auditallow, "type31c", "type31a", tclass="infoflow6", + perms=set(("hi_r", "hi_w")), type_=setools.AVRule, + statement="auditallow type31c type31a:infoflow6 { hi_r hi_w };"), + RuleTestCase(setools.TERuletype.dontaudit, "type31c", "type31b", tclass="infoflow7", + perms=set(("super_w", "super_r")), type_=setools.AVRule, conditional="a_bool", + statement="dontaudit type31c type31b:infoflow7 " + "{ super_r super_w }; [ a_bool ]:True"), + RuleTestCase(setools.TERuletype.type_transition, "type31b", "system", tclass="infoflow4", + default="type30", type_=setools.FileNameTERule, filename="the_filename", + statement="type_transition type31b system:infoflow4 type30 the_filename;"), + RuleTestCase(setools.TERuletype.type_change, "type31c", "type31b", tclass="infoflow2", + default="system", type_=setools.TERule, conditional="a_bool", + statement="type_change type31c type31b:infoflow2 system; [ a_bool ]:False"), + RuleTestCase(setools.TERuletype.allowxperm, "type30", "type31a", tclass="infoflow", + xperm="ioctl", perms=setools.IoctlSet((0x00ff,)), type_=setools.AVRuleXperm, + statement="allowxperm type30 type31a:infoflow ioctl 0x00ff;"), + RuleTestCase(setools.TERuletype.auditallowxperm, "type31a", "type31b", tclass="infoflow", + xperm="ioctl", perms=setools.IoctlSet((1, 2, 3)), type_=setools.AVRuleXperm, + statement="auditallowxperm type31a type31b:infoflow ioctl 0x0001-0x0003;")] + + +@pytest.mark.obj_args("tests/library/policyrep/rules.conf") +@pytest.mark.parametrize("testcase", rule_test_data) +class TestRules: + + @pytest.fixture(autouse=True) + def _get_rules(self, compiled_policy: setools.SELinuxPolicy) -> None: + self.rules = dict[enum.Enum, setools.policyrep.PolicyRule]() + self.rules |= {r.ruletype: r for r in compiled_policy.terules()} + self.rules |= {r.ruletype: r for r in compiled_policy.rbacrules()} + self.rules |= {r.ruletype: r for r in compiled_policy.mlsrules()} + + def test_ruletype(self, testcase: RuleTestCase) -> None: + """Rule type""" + rule = self.rules[testcase.ruletype] + assert testcase.ruletype == rule.ruletype, f"{testcase.ruletype} != {rule.ruletype}" + assert isinstance(rule, testcase.type_), f"{type(rule)}, {rule=}" + + def test_source_type(self, testcase: RuleTestCase) -> None: + """Source object""" + rule = self.rules[testcase.ruletype] + assert testcase.source == rule.source, f"{testcase.source} != {rule.source}" + + def test_target_type(self, testcase: RuleTestCase) -> None: + """Target object""" + rule = self.rules[testcase.ruletype] + assert testcase.target == rule.target, f"{testcase.target} != {rule.target}" + + def test_object_class(self, testcase: RuleTestCase) -> None: + """Object class""" + rule = self.rules[testcase.ruletype] + if testcase.tclass is None: + with pytest.raises(setools.exception.RuleUseError): + rule.tclass + else: + assert testcase.tclass == rule.tclass, f"{testcase.tclass} != {rule.tclass}" + + def test_xperm_type(self, testcase: RuleTestCase) -> None: + """Extended permission type""" + rule = self.rules[testcase.ruletype] + if testcase.xperm is None: + assert rule.extended is False + with pytest.raises(setools.exception.RuleUseError): + rule.xperm_type + else: + assert rule.extended is True + assert testcase.xperm == rule.xperm_type, f"{testcase.xperm} != {rule.xperm_type}" + + def test_permissions_or_default(self, testcase: RuleTestCase) -> None: + """Test default/permissions""" + assert not (testcase.default is not None and testcase.perms is not None), \ + f"Test case setup error {testcase=}" + + rule = self.rules[testcase.ruletype] + if testcase.perms is not None: + assert testcase.perms == rule.perms, f"{testcase.perms} != {rule.perms}" + with pytest.raises(setools.exception.RuleUseError): + rule.default + elif testcase.default is not None: + assert testcase.default == rule.default, f"{testcase.default} != {rule.default}" + with pytest.raises(setools.exception.RuleUseError): + rule.perms + else: + with pytest.raises(setools.exception.RuleUseError): + rule.perms + + with pytest.raises(setools.exception.RuleUseError): + rule.default + + def test_conditional(self, testcase: RuleTestCase) -> None: + """Conditional expression""" + rule = self.rules[testcase.ruletype] + if testcase.conditional is None: + with pytest.raises(setools.exception.RuleNotConditional): + rule.conditional + + with pytest.raises(setools.exception.RuleNotConditional): + rule.conditional_block + else: + assert testcase.conditional == rule.conditional, f"{rule.conditional}" + assert isinstance(rule.conditional_block, bool), f"{rule.conditional_block}" + + def test_filename(self, testcase: RuleTestCase) -> None: + """Filename""" + rule = self.rules[testcase.ruletype] + if testcase.filename is None: + if rule.ruletype == setools.TERuletype.type_transition: + with pytest.raises(setools.exception.TERuleNoFilename): + rule.filename + else: + with pytest.raises(setools.exception.RuleUseError): + rule.filename + else: + assert testcase.filename == rule.filename, f"{testcase.filename} != {rule.filename}" + + def test_statement(self, testcase: RuleTestCase) -> None: + """Statement""" + rule = self.rules[testcase.ruletype] + assert testcase.statement == rule.statement(), \ + f"\"{testcase.statement}\" != \"{rule.statement()}\"" + + def test_expand(self, testcase: RuleTestCase) -> None: + """Expand""" + rule = self.rules[testcase.ruletype] + for expanded_rule in rule.expand(): + assert isinstance(expanded_rule, type(rule)) + if expanded_rule is rule: + # the rule can't be expanded + pass + else: + assert expanded_rule.origin == rule + assert expanded_rule.source in rule.source + assert expanded_rule.target in rule.target + + with suppress(setools.exception.RuleUseError): + assert expanded_rule.tclass == rule.tclass + + with suppress(setools.exception.RuleUseError): + assert expanded_rule.xperm_type == rule.xperm_type + + with suppress(setools.exception.RuleUseError): + assert expanded_rule.perms == rule.perms + + with suppress(setools.exception.RuleUseError): + assert expanded_rule.default == rule.default + + with suppress(setools.exception.RuleNotConditional): + assert expanded_rule.conditional == rule.conditional + assert expanded_rule.conditional_block == rule.conditional_block + + with suppress(setools.exception.RuleUseError): + assert expanded_rule.filename == rule.filename + + +@pytest.mark.obj_args("tests/library/policyrep/terule_issue74.conf") +class TestAVRuleXpermIssue74: + + """ + Regression test for xperm ranges starting with 0x00 not being loaded. + https://github.com/SELinuxProject/setools/issues/74 + """ + + def test_regression(self, compiled_policy: setools.SELinuxPolicy): + """Regression test for GitHub issue 74.""" + rules = sorted(compiled_policy.terules()) + assert 2 == len(rules) + + # expect 2 rules: + # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x8910 }; + # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x0-0xff }; + assert setools.IoctlSet(range(0x100)) == rules[0].perms, f"{rules[0].perms}" + assert setools.IoctlSet([0x8910]) == rules[1].perms, f"{rules[1].perms}" diff --git a/tests/library/policyrep/test_terule.py b/tests/library/policyrep/test_terule.py deleted file mode 100644 index 39ecb5e0..00000000 --- a/tests/library/policyrep/test_terule.py +++ /dev/null @@ -1,405 +0,0 @@ -# Copyright 2015, Tresys Technology, LLC -# -# SPDX-License-Identifier: GPL-2.0-only -# -# Until this is fixed for cython: -# pylint: disable=undefined-variable -import unittest -from unittest.mock import Mock, patch - -from setools import SELinuxPolicy -from setools.exception import InvalidTERuleType, RuleNotConditional, RuleUseError, \ - TERuleNoFilename - -from .util import compile_policy - - -@unittest.skip("Needs to be reworked for cython") -@patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y) -@patch('setools.policyrep.typeattr.type_or_attr_factory', lambda x, y: y) -@patch('setools.policyrep.objclass.class_factory', lambda x, y: y) -class AVRuleTest(unittest.TestCase): - - def mock_avrule_factory(self, ruletype, source, target, tclass, perms, cond=None): - mock_rule = Mock(qpol_avrule_t) - mock_rule.is_extended.return_value = False - mock_rule.rule_type.return_value = TERuletype.lookup(ruletype) - mock_rule.source_type.return_value = source - mock_rule.target_type.return_value = target - mock_rule.object_class.return_value = tclass - mock_rule.perm_iter = lambda x: iter(perms) - - if cond: - mock_rule.cond.return_value = cond - else: - # this actually comes out of condexpr_factory - # but it's simpler to have here - mock_rule.cond.side_effect = AttributeError - - return te_rule_factory(self.p, mock_rule) - - def setUp(self): - self.p = Mock(qpol_policy_t) - - def test_000_factory(self): - """AVRule factory lookup.""" - with self.assertRaises(TypeError): - te_rule_factory(self.p, "INVALID") - - @unittest.skip("TE ruletype changed to an enumeration.") - def test_001_validate_ruletype(self): - """AVRule valid rule types.""" - for r in ["allow", "neverallow", "auditallow", "dontaudit"]: - self.assertEqual(r, validate_ruletype(r)) - - def test_002_validate_ruletype_invalid(self): - """AVRule valid rule types.""" - with self.assertRaises(InvalidTERuleType): - self.assertTrue(validate_ruletype("role_transition")) - - def test_010_ruletype(self): - """AVRule rule type""" - rule = self.mock_avrule_factory("neverallow", "a", "b", "c", ['d']) - self.assertEqual(TERuletype.neverallow, rule.ruletype) - - def test_020_source_type(self): - """AVRule source type""" - rule = self.mock_avrule_factory("allow", "source20", "b", "c", ['d']) - self.assertEqual("source20", rule.source) - - def test_030_target_type(self): - """AVRule target type""" - rule = self.mock_avrule_factory("allow", "a", "target30", "c", ['d']) - self.assertEqual("target30", rule.target) - - def test_040_object_class(self): - """AVRule object class""" - rule = self.mock_avrule_factory("allow", "a", "b", "class40", ['d']) - self.assertEqual("class40", rule.tclass) - - def test_050_permissions(self): - """AVRule permissions""" - rule = self.mock_avrule_factory("allow", "a", "b", "c", ['perm50a', 'perm50b']) - self.assertSetEqual(set(['perm50a', 'perm50b']), rule.perms) - - def test_060_conditional(self): - """AVRule conditional expression""" - rule = self.mock_avrule_factory("allow", "a", "b", "c", ['d'], cond="cond60") - self.assertEqual("cond60", rule.conditional) - - def test_061_unconditional(self): - """AVRule conditional expression (none)""" - rule = self.mock_avrule_factory("allow", "a", "b", "c", ['d']) - with self.assertRaises(RuleNotConditional): - rule.conditional - - def test_070_default(self): - """AVRule default type""" - rule = self.mock_avrule_factory("allow", "a", "b", "c", ['d']) - with self.assertRaises(RuleUseError): - rule.default - - def test_080_filename(self): - """AVRule filename (none)""" - rule = self.mock_avrule_factory("allow", "a", "b", "c", ['d']) - with self.assertRaises(RuleUseError): - rule.filename - - def test_100_statement_one_perm(self): - """AVRule statement, one permission.""" - rule = self.mock_avrule_factory("allow", "a", "b", "c", ['d']) - self.assertEqual("allow a b:c d;", rule.statement()) - - def test_101_statement_two_perms(self): - """AVRule statement, two permissions.""" - rule = self.mock_avrule_factory("allow", "a", "b", "c", ['d1', 'd2']) - - # permissions are stored in a set, so the order may vary - self.assertRegex(rule.statement(), "(" - "allow a b:c { d1 d2 };" - "|" - "allow a b:c { d2 d1 };" - ")") - - def test_102_statement_one_perm_cond(self): - """AVRule statement, one permission, conditional.""" - rule = self.mock_avrule_factory("allow", "a", "b", "c", ['d'], cond="cond102") - self.assertEqual("allow a b:c d; [ cond102 ]:True", rule.statement()) - - def test_103_statement_two_perms_cond(self): - """AVRule statement, two permissions, conditional.""" - rule = self.mock_avrule_factory("allow", "a", "b", "c", ['d1', 'd2'], cond="cond103") - - # permissions are stored in a set, so the order may vary - self.assertRegex(rule.statement(), "(" - r"allow a b:c { d1 d2 }; \[ cond103 ]" # noqa - "|" - r"allow a b:c { d2 d1 }; \[ cond103 ]" - ")") - - -@unittest.skip("Needs to be reworked for cython") -@patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y) -@patch('setools.policyrep.typeattr.type_or_attr_factory', lambda x, y: y) -@patch('setools.policyrep.objclass.class_factory', lambda x, y: y) -class AVRuleXpermTest(unittest.TestCase): - - def mock_avrule_factory(self, ruletype, source, target, tclass, xperm, perms): - mock_rule = Mock(qpol_avrule_t) - mock_rule.is_extended.return_value = True - mock_rule.rule_type.return_value = TERuletype.lookup(ruletype) - mock_rule.source_type.return_value = source - mock_rule.target_type.return_value = target - mock_rule.object_class.return_value = tclass - mock_rule.xperm_type.return_value = xperm - mock_rule.xperm_iter = lambda x: iter(perms) - - # this actually comes out of condexpr_factory - # but it's simpler to have here - mock_rule.cond.side_effect = AttributeError - - return te_rule_factory(self.p, mock_rule) - - def setUp(self): - self.p = Mock(qpol_policy_t) - - def test_000_factory(self): - """AVRuleXperm factory lookup.""" - with self.assertRaises(TypeError): - te_rule_factory(self.p, "INVALID") - - @unittest.skip("TE ruletype changed to an enumeration.") - def test_001_validate_ruletype(self): - """AVRuleXperm valid rule types.""" - for r in ["allowxperm", "neverallowxperm", "auditallowxperm", "dontauditxperm"]: - self.assertEqual(r, validate_ruletype(r)) - - def test_010_ruletype(self): - """AVRuleXperm rule type""" - rule = self.mock_avrule_factory("neverallowxperm", "a", "b", "c", "d", [0x0001]) - self.assertEqual(TERuletype.neverallowxperm, rule.ruletype) - - def test_020_source_type(self): - """AVRuleXperm source type""" - rule = self.mock_avrule_factory("allowxperm", "source20", "b", "c", "d", [0x0001]) - self.assertEqual("source20", rule.source) - - def test_030_target_type(self): - """AVRuleXperm target type""" - rule = self.mock_avrule_factory("allowxperm", "a", "target30", "c", "d", [0x0001]) - self.assertEqual("target30", rule.target) - - def test_040_object_class(self): - """AVRuleXperm object class""" - rule = self.mock_avrule_factory("allowxperm", "a", "b", "class40", "d", [0x0001]) - self.assertEqual("class40", rule.tclass) - - def test_050_permissions(self): - """AVRuleXperm permissions""" - rule = self.mock_avrule_factory("allowxperm", "a", "b", "c", "d", [0x0001, 0x0002, 0x0003]) - self.assertSetEqual(set([0x0001, 0x0002, 0x0003]), rule.perms) - - def test_060_xperm_type(self): - """AVRuleXperm xperm type""" - rule = self.mock_avrule_factory("allowxperm", "a", "b", "c", "xperm60", [0x0001]) - self.assertEqual("xperm60", rule.xperm_type) - - def test_070_unconditional(self): - """AVRuleXperm conditional expression (none)""" - rule = self.mock_avrule_factory("allowxperm", "a", "b", "c", "d", [0x0001]) - with self.assertRaises(RuleNotConditional): - rule.conditional - - def test_080_default(self): - """AVRuleXperm default type""" - rule = self.mock_avrule_factory("allowxperm", "a", "b", "c", "d", [0x0001]) - with self.assertRaises(RuleUseError): - rule.default - - def test_090_filename(self): - """AVRuleXperm filename (none)""" - rule = self.mock_avrule_factory("allowxperm", "a", "b", "c", "d", [0x0001]) - with self.assertRaises(RuleUseError): - rule.filename - - def test_100_statement_one_perm(self): - """AVRuleXperm statement, one permission.""" - rule = self.mock_avrule_factory("allowxperm", "a", "b", "c", "d", [0x0001]) - self.assertEqual("allowxperm a b:c d 0x0001;", rule.statement()) - - def test_101_statement_two_perms(self): - """AVRuleXperm statement, two permissions.""" - rule = self.mock_avrule_factory("allowxperm", "a", "b", "c", "d", [0x0001, 0x0003]) - self.assertEqual(rule.statement(), "allowxperm a b:c d { 0x0001 0x0003 };") - - def test_102_statement_range_perms(self): - """AVRuleXperm statement, range of permissions.""" - rule = self.mock_avrule_factory("allowxperm", "a", "b", "c", "d", - list(range(0x0010, 0x0015))) - self.assertEqual(rule.statement(), "allowxperm a b:c d 0x0010-0x0014;") - - def test_103_statement_single_perm_range_perms(self): - """AVRuleXperm statement, single perm with range of permissions.""" - rule = self.mock_avrule_factory("allowxperm", "a", "b", "c", "d", - [0x0001, 0x0003, 0x0004, 0x0005]) - self.assertEqual(rule.statement(), "allowxperm a b:c d { 0x0001 0x0003-0x0005 };") - - def test_104_statement_two_range_perms(self): - """AVRuleXperm statement, two ranges of permissions.""" - rule = self.mock_avrule_factory("allowxperm", "a", "b", "c", "d", - [0x0003, 0x0004, 0x0005, 0x0007, 0x0008, 0x0009]) - self.assertEqual(rule.statement(), "allowxperm a b:c d { 0x0003-0x0005 0x0007-0x0009 };") - - -class AVRuleXpermTestIssue74(unittest.TestCase): - - """ - Regression test for xperm ranges starting with 0x00 not being loaded. - https://github.com/SELinuxProject/setools/issues/74 - """ - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/policyrep/terule_issue74.conf") - - def test_issue74_regression(self): - """Regression test for GitHub issue 74.""" - rules = sorted(self.p.terules()) - print(rules) - self.assertEqual(2, len(rules)) - - # expect 2 rules: - # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x8910 }; - # allowxperm init_type_t init_type_t : unix_dgram_socket ioctl { 0x0-0xff }; - self.assertSetEqual(set(range(0x100)), rules[0].perms) - self.assertSetEqual(set([0x8910]), rules[1].perms) - - -@unittest.skip("Needs to be reworked for cython") -@patch('setools.policyrep.boolcond.condexpr_factory', lambda x, y: y) -@patch('setools.policyrep.typeattr.type_factory', lambda x, y: y) -@patch('setools.policyrep.typeattr.type_or_attr_factory', lambda x, y: y) -@patch('setools.policyrep.objclass.class_factory', lambda x, y: y) -class TERuleTest(unittest.TestCase): - - def mock_terule_factory(self, ruletype, source, target, tclass, default, cond=None, - filename=None): - - if filename: - assert not cond - mock_rule = Mock(qpol_filename_trans_t) - mock_rule.filename.return_value = filename - - else: - mock_rule = Mock(qpol_terule_t) - - if cond: - mock_rule.cond.return_value = cond - else: - # this actually comes out of condexpr_factory - # but it's simpler to have here - mock_rule.cond.side_effect = AttributeError - - mock_rule.rule_type.return_value = TERuletype.lookup(ruletype) - mock_rule.source_type.return_value = source - mock_rule.target_type.return_value = target - mock_rule.object_class.return_value = tclass - mock_rule.default_type.return_value = default - - return te_rule_factory(self.p, mock_rule) - - def setUp(self): - self.p = Mock(qpol_policy_t) - - def test_000_factory(self): - """TERule factory lookup.""" - with self.assertRaises(TypeError): - te_rule_factory(self.p, "INVALID") - - @unittest.skip("TE ruletype changed to an enumeration.") - def test_001_validate_ruletype(self): - """TERule valid rule types.""" - for r in ["type_transition", "type_change", "type_member"]: - self.assertEqual(r, validate_ruletype(r)) - - @unittest.skip("TE ruletype changed to an enumeration.") - def test_002_validate_ruletype_invalid(self): - """TERule valid rule types.""" - with self.assertRaises(InvalidTERuleType): - self.assertTrue(validate_ruletype("role_transition")) - - def test_010_ruletype(self): - """TERule rule type""" - rule = self.mock_terule_factory("type_transition", "a", "b", "c", "d") - self.assertEqual(TERuletype.type_transition, rule.ruletype) - - def test_020_source_type(self): - """TERule source type""" - rule = self.mock_terule_factory("type_transition", "source20", "b", "c", "d") - self.assertEqual("source20", rule.source) - - def test_030_target_type(self): - """TERule target type""" - rule = self.mock_terule_factory("type_transition", "a", "target30", "c", "d") - self.assertEqual("target30", rule.target) - - def test_040_object_class(self): - """TERule object class""" - rule = self.mock_terule_factory("type_transition", "a", "b", "class40", "d") - self.assertEqual("class40", rule.tclass) - - def test_050_permissions(self): - """TERule permissions""" - rule = self.mock_terule_factory("type_transition", "a", "b", "c", "d") - with self.assertRaises(RuleUseError): - rule.perms - - def test_060_conditional(self): - """TERule conditional expression""" - rule = self.mock_terule_factory("type_transition", "a", "b", "c", "d", cond="cond60") - self.assertEqual("cond60", rule.conditional) - - def test_061_unconditional(self): - """TERule conditional expression (none)""" - rule = self.mock_terule_factory("type_transition", "a", "b", "c", "d") - with self.assertRaises(RuleNotConditional): - rule.conditional - - def test_070_default(self): - """TERule default type""" - rule = self.mock_terule_factory("type_transition", "a", "b", "c", "default70") - self.assertEqual("default70", rule.default) - - def test_080_filename(self): - """TERule filename""" - rule = self.mock_terule_factory("type_transition", "a", "b", "c", "d", filename="name80") - self.assertEqual("name80", rule.filename) - - def test_081_filename_none(self): - """TERule filename (none)""" - rule = self.mock_terule_factory("type_transition", "a", "b", "c", "d") - with self.assertRaises(TERuleNoFilename): - rule.filename - - def test_082_filename_wrong_ruletype(self): - """TERule filename on wrong ruletype""" - rule = self.mock_terule_factory("type_change", "a", "b", "c", "d") - with self.assertRaises(RuleUseError): - rule.filename - - def test_100_statement(self): - """TERule statement.""" - rule1 = self.mock_terule_factory("type_transition", "a", "b", "c", "d") - rule2 = self.mock_terule_factory("type_change", "a", "b", "c", "d") - self.assertEqual("type_transition a b:c d;", rule1.statement()) - self.assertEqual("type_change a b:c d;", rule2.statement()) - - def test_102_statement_cond(self): - """TERule statement, conditional.""" - rule = self.mock_terule_factory("type_transition", "a", "b", "c", "d", cond="cond102") - self.assertEqual("type_transition a b:c d; [ cond102 ]:True", rule.statement()) - - def test_103_statement_filename(self): - """TERule statement, two permissions, conditional.""" - rule = self.mock_terule_factory("type_transition", "a", "b", "c", "d", filename="name103") - self.assertEqual("type_transition a b:c d \"name103\";", rule.statement()) From 329710bc49d8f220b34e2d152940af97f4799fd1 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 12 Apr 2024 09:29:22 -0400 Subject: [PATCH 18/71] policyrep.pyi: Remove pickling methods. Pickling is not supported. Signed-off-by: Chris PeBenito --- setools/policyrep.pyi | 198 ------------------------------------------ 1 file changed, 198 deletions(-) diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index eb5bf303..4d49176e 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -38,8 +38,6 @@ class PolicyObject: def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class PolicyRule(PolicyObject): conditional: "Conditional" = ... @@ -69,8 +67,6 @@ class PolicyIterator: def __iter__(self) -> Any: ... def __len__(self) -> int: ... def __next__(self) -> Any: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class PolicyEnum(enum.Enum): @classmethod @@ -90,16 +86,12 @@ class BaseConstraint(PolicyObject): tclass: "ObjClass" = ... __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class BaseMLSLevel(PolicyObject): sensitivity: "Sensitivity" = ... __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def categories(self) -> Iterable[Category]: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class BaseTERule(PolicyRule): conditional: "Conditional" = ... @@ -112,8 +104,6 @@ class BaseTERule(PolicyRule): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def enabled(self, **kwargs) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class BaseType(PolicySymbol): __pyx_vtable__: Any = ... @@ -121,16 +111,12 @@ class BaseType(PolicySymbol): def aliases(self) -> Iterable[str]: ... def attributes(self) -> Iterable["BaseType"]: ... def expand(self) -> Iterable["BaseType"]: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class EbitmapIterator(PolicyIterator): def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "PolicyObject": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class HashtabIterator(PolicyIterator): __pyx_vtable__: Any = ... @@ -138,22 +124,16 @@ class HashtabIterator(PolicyIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> Any: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Ocontext(PolicyObject): context: "Context" = ... __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class OcontextIterator(PolicyIterator): def __init__(self, *args, **kwargs) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "Ocontext": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... # # Concrete classes, in alphabetical order @@ -173,8 +153,6 @@ class AVRule(BaseTERule): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class AVRuleXperm(BaseTERule): default: NoReturn = ... @@ -191,8 +169,6 @@ class AVRuleXperm(BaseTERule): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Boolean(PolicySymbol): @@ -200,15 +176,11 @@ class Boolean(PolicySymbol): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class BooleanHashtabIterator(HashtabIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Boolean: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Bounds(PolicyObject): child: "Type" = ... @@ -224,8 +196,6 @@ class Bounds(PolicyObject): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class BoundsRuletype(PolicyEnum): typebounds: int = ... @@ -243,15 +213,11 @@ class Category(PolicySymbol): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class CategoryEbitmapIterator(EbitmapIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Category: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class CategoryHashtabIterator(HashtabIterator): __pyx_vtable__: Any = ... @@ -259,23 +225,17 @@ class CategoryHashtabIterator(HashtabIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> Category: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Common(PolicySymbol): perms: frozenset[str] = ... __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class CommonHashtabIterator(HashtabIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Common: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Conditional(PolicyObject): booleans: frozenset[Boolean] = ... @@ -295,8 +255,6 @@ class Conditional(PolicyObject): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ConditionalExprIterator(PolicyIterator): __pyx_vtable__: Any = ... @@ -304,8 +262,6 @@ class ConditionalExprIterator(PolicyIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> ConditionalOperator | Boolean: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ConditionalIterator(PolicyIterator): __pyx_vtable__: Any = ... @@ -313,8 +269,6 @@ class ConditionalIterator(PolicyIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> Conditional: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ConditionalOperator(PolicyObject): _cond_expr_val_to_details: Any = ... @@ -324,8 +278,6 @@ class ConditionalOperator(PolicyObject): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self, *args, **kwargs) -> NoReturn: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ConditionalTERuleIterator(PolicyIterator): __pyx_vtable__: Any = ... @@ -334,16 +286,12 @@ class ConditionalTERuleIterator(PolicyIterator): def ruletype_count(self, *args, **kwargs) -> Any: ... def __len__(self) -> int: ... def __next__(self) -> AnyTERule: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Constraint(BaseConstraint): perms: frozenset[str] = ... __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ConstraintExprIterator(PolicyIterator): __pyx_vtable__: Any = ... @@ -351,8 +299,6 @@ class ConstraintExprIterator(PolicyIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "ConstraintExprNode": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ConstraintExprNode(PolicyObject): _expr_op_to_text: Any = ... @@ -370,8 +316,6 @@ class ConstraintExprNode(PolicyObject): def __getitem__(self, index) -> frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] | str: ... def __iter__(self) -> Iterable[frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] | str]: ... def __len__(self) -> int: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ConstraintExpression(PolicyObject): mls: bool = ... @@ -391,8 +335,6 @@ class ConstraintExpression(PolicyObject): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ConstraintIterator(PolicyIterator): __pyx_vtable__: Any = ... @@ -400,8 +342,6 @@ class ConstraintIterator(PolicyIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> Constraint: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ConstraintRuletype(PolicyEnum): constrain: int = ... @@ -419,8 +359,6 @@ class Context(PolicyObject): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Default(PolicyObject): default: "DefaultValue" = ... @@ -436,8 +374,6 @@ class Default(PolicyObject): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class DefaultRange(Default): default_range: "DefaultRangeValue" = ... @@ -451,8 +387,6 @@ class DefaultRange(Default): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class DefaultRangeValue(PolicyEnum): high: int = ... @@ -479,15 +413,11 @@ class Devicetreecon(Ocontext): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class DevicetreeconIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Devicetreecon: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class FSUse(Ocontext): fs: str = ... @@ -502,15 +432,11 @@ class FSUse(Ocontext): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class FSUseIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> FSUse: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class FSUseRuletype(PolicyEnum): fs_use_task: int = ... @@ -536,21 +462,15 @@ class FileNameTERule(BaseTERule): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class FileNameTERuleIterator(HashtabIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "FileNameTERule": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class GenfsFiletype(int): _filetype_to_text: Any = ... def __init__(self, *args, **kwargs) -> None: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Genfscon(Ocontext): _sclass_to_stat: Any = ... @@ -568,8 +488,6 @@ class Genfscon(Ocontext): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class GenfsconIterator: __pyx_vtable__: Any = ... @@ -577,15 +495,11 @@ class GenfsconIterator: def __iter__(self) -> Iterable["Genfscon"]: ... def __len__(self) -> int: ... def __next__(self) -> "Genfscon": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class GenfsconOcontextIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Ocontext": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class HandleUnknown(PolicyEnum): allow: int = ... @@ -605,15 +519,11 @@ class Ibendportcon(Ocontext): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class IbendportconIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Ibendportcon": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Ibpkeycon(Ocontext): pkeys: "IbpkeyconRange" = ... @@ -628,15 +538,11 @@ class Ibpkeycon(Ocontext): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class IbpkeyconIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Ibpkeycon": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... @dataclass class IbpkeyconRange: @@ -648,15 +554,11 @@ class InitialSID(Ocontext): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class InitialSIDIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "InitialSID": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class InvalidBoolean(setools.exception.InvalidSymbol): ... @@ -716,15 +618,11 @@ class Iomemcon(Ocontext): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class IomemconIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Iomemcon": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... @dataclass class IomemconRange: @@ -736,15 +634,11 @@ class Ioportcon(Ocontext): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class IoportconIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Ioportcon: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... @dataclass class IoportconRange: @@ -762,9 +656,7 @@ class Level(BaseMLSLevel): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... def __rxor__(self, other) -> bool: ... - def __setstate__(self, state) -> Any: ... def __xor__(self, other) -> bool: ... class LevelDecl(BaseMLSLevel): @@ -778,8 +670,6 @@ class LevelDecl(BaseMLSLevel): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class LevelDeclHashtabIterator(HashtabIterator): __pyx_vtable__: Any = ... @@ -787,8 +677,6 @@ class LevelDeclHashtabIterator(HashtabIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "LevelDecl": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class LowLevelPolicyError(ValueError, setools.exception.PolicyrepException): ... @@ -812,15 +700,11 @@ class MLSRule(PolicyRule): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class MLSRuleIterator(HashtabIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "MLSRuletype": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class MLSRuletype(PolicyEnum): range_transition: int = ... @@ -838,15 +722,11 @@ class Netifcon(Ocontext): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class NetifconIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Netifcon": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class NoCommon(AttributeError, setools.exception.PolicyrepException): ... @@ -867,8 +747,6 @@ class Nodecon(Ocontext): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class NodeconIPVersion(PolicyEnum): ipv4: int = ... @@ -878,8 +756,6 @@ class NodeconIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Nodecon": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ObjClass(PolicySymbol): common: "Common" = ... @@ -890,30 +766,22 @@ class ObjClass(PolicySymbol): def defaults(self, *args, **kwargs) -> Iterable[AnyDefault]: ... def statement(self) -> str: ... def validatetrans(self, *args, **kwargs) -> Iterable["Validatetrans"]: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ObjClassHashtabIterator(HashtabIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "ObjClass": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Pcidevicecon(Ocontext): device: str = ... __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class PcideviceconIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Pcidevicecon": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class PermissionVectorIterator(PolicyIterator): __pyx_vtable__: Any = ... @@ -921,23 +789,17 @@ class PermissionVectorIterator(PolicyIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Pirqcon(Ocontext): irq: int = ... __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class PirqconIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Pirqcon": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class PolicyCapability(PolicySymbol): __pyx_vtable__: Any = ... @@ -950,15 +812,11 @@ class PolicyCapability(PolicySymbol): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class PolicyCapabilityIterator(EbitmapIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "PolicyCapability": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class PolicyTarget(PolicyEnum): selinux: int = ... @@ -977,15 +835,11 @@ class Portcon(Ocontext): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class PortconIterator(OcontextIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Portcon: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class PortconProtocol(PolicyEnum): dccp: int = ... @@ -1016,8 +870,6 @@ class Range(PolicyObject): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Role(PolicySymbol): dominated_roles: frozenset["Role"] = ... @@ -1026,8 +878,6 @@ class Role(PolicySymbol): def expand(self) -> Iterable["Role"]: ... def statement(self) -> str: ... def types(self) -> Iterable["Type"]: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class RoleAllow(PolicyRule): default: NoReturn = ... @@ -1046,8 +896,6 @@ class RoleAllow(PolicyRule): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class RoleAllowIterator(PolicyIterator): __pyx_vtable__: Any = ... @@ -1055,22 +903,16 @@ class RoleAllowIterator(PolicyIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "RoleAllow": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class RoleEbitmapIterator(EbitmapIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Any: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class RoleHashtabIterator(HashtabIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Role": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class RoleTransition(PolicyRule): default: "Role" = ... @@ -1089,8 +931,6 @@ class RoleTransition(PolicyRule): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class RoleTransitionIterator(PolicyIterator): __pyx_vtable__: Any = ... @@ -1098,8 +938,6 @@ class RoleTransitionIterator(PolicyIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "RoleTransition": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class RuleNotConditional(AttributeError, setools.exception.PolicyrepException): ... @@ -1205,8 +1043,6 @@ class SELinuxPolicy: def users(self) -> Iterable["User"]: ... def __copy__(self) -> "SELinuxPolicy": ... def __deepcopy__(self, memo) -> "SELinuxPolicy": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Sensitivity(PolicySymbol): _value: int = ... @@ -1222,8 +1058,6 @@ class Sensitivity(PolicySymbol): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class SensitivityHashtabIterator(HashtabIterator): __pyx_vtable__: Any = ... @@ -1231,8 +1065,6 @@ class SensitivityHashtabIterator(HashtabIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "Sensitivity": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class SymbolUseError(AttributeError, setools.exception.PolicyrepException): ... @@ -1250,8 +1082,6 @@ class TERule(BaseTERule): def __le__(self, other) -> bool: ... def __lt__(self, other) -> bool: ... def __ne__(self, other) -> bool: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class TERuleIterator(PolicyIterator): __pyx_vtable__: Any = ... @@ -1260,8 +1090,6 @@ class TERuleIterator(PolicyIterator): def ruletype_count(self, *args, **kwargs) -> Any: ... def __len__(self) -> int: ... def __next__(self) -> "TERule": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class TERuleNoFilename(AttributeError, setools.exception.PolicyrepException): ... @@ -1291,8 +1119,6 @@ class Type(BaseType): def attributes(self) -> Iterable["TypeAttribute"]: ... def expand(self) -> Iterable["Type"]: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class TypeAttribute(BaseType): ispermissive: bool = ... @@ -1304,15 +1130,11 @@ class TypeAttribute(BaseType): def statement(self) -> str: ... def __iter__(self) -> Iterable["TypeAttribute"]: ... def __len__(self) -> int: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class TypeAttributeEbitmapIterator(EbitmapIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "TypeAttribute": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class TypeAttributeHashtabIterator(HashtabIterator): __pyx_vtable__: Any = ... @@ -1320,15 +1142,11 @@ class TypeAttributeHashtabIterator(HashtabIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "TypeAttribute": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class TypeEbitmapIterator(EbitmapIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Type": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class TypeHashtabIterator(HashtabIterator): __pyx_vtable__: Any = ... @@ -1336,15 +1154,11 @@ class TypeHashtabIterator(HashtabIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "Type": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class TypeOrAttributeEbitmapIterator(EbitmapIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> TypeOrAttr: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class TypeboundsIterator(HashtabIterator): __pyx_vtable__: Any = ... @@ -1352,8 +1166,6 @@ class TypeboundsIterator(HashtabIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "Bounds": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class User(PolicySymbol): mls_level: "Level" = ... @@ -1362,30 +1174,22 @@ class User(PolicySymbol): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class UserEbitmapIterator(EbitmapIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "User": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class UserHashtabIterator(HashtabIterator): __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "User": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class Validatetrans(BaseConstraint): perms: NoReturn = ... __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class ValidatetransIterator(PolicyIterator): __pyx_vtable__: Any = ... @@ -1393,8 +1197,6 @@ class ValidatetransIterator(PolicyIterator): def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "Validatetrans": ... - def __reduce__(self) -> Any: ... - def __setstate__(self, state) -> Any: ... class WeakKeyDefaultDict(weakref.WeakKeyDictionary): _abc_impl: Any = ... From 00d6acb38a64fa08f135a8e234c7083ae47b3dd9 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 12 Apr 2024 09:35:57 -0400 Subject: [PATCH 19/71] policyrep.pyi: Remove Cython internal details. Remove __pyx_vtable__. This is an internal detail of Cython and is not ueful in the Python stub. Signed-off-by: Chris PeBenito --- setools/policyrep.pyi | 95 ------------------------------------------- 1 file changed, 95 deletions(-) diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index 4d49176e..678c5e4a 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -26,7 +26,6 @@ def lookup_boolean_name_sub(name: str) -> str: ... class PolicyObject: policy: "SELinuxPolicy" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __copy__(self) -> "PolicyObject": ... @@ -84,12 +83,10 @@ class BaseConstraint(PolicyObject): perms: frozenset[str] = ... ruletype: "ConstraintRuletype" = ... tclass: "ObjClass" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... class BaseMLSLevel(PolicyObject): sensitivity: "Sensitivity" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def categories(self) -> Iterable[Category]: ... @@ -101,12 +98,10 @@ class BaseTERule(PolicyRule): source: TypeOrAttr = ... tclass: "ObjClass" = ... target: TypeOrAttr = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def enabled(self, **kwargs) -> bool: ... class BaseType(PolicySymbol): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def aliases(self) -> Iterable[str]: ... def attributes(self) -> Iterable["BaseType"]: ... @@ -119,7 +114,6 @@ class EbitmapIterator(PolicyIterator): def __next__(self) -> "PolicyObject": ... class HashtabIterator(PolicyIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... @@ -127,7 +121,6 @@ class HashtabIterator(PolicyIterator): class Ocontext(PolicyObject): context: "Context" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... class OcontextIterator(PolicyIterator): @@ -141,7 +134,6 @@ class OcontextIterator(PolicyIterator): class AVRule(BaseTERule): default: NoReturn = ... perms: frozenset[str] = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def derive_expanded(self, *args, **kwargs) -> "AVRule": ... def expand(self, *args, **kwargs) -> Iterable["AVRule"]: ... @@ -158,7 +150,6 @@ class AVRuleXperm(BaseTERule): default: NoReturn = ... perms: "IoctlSet" = ... xperm_type: str = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def expand(self, *args, **kwargs) -> Iterable["AVRuleXperm"]: ... def statement(self) -> str: ... @@ -173,12 +164,10 @@ class AVRuleXperm(BaseTERule): class Boolean(PolicySymbol): state: bool = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class BooleanHashtabIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Boolean: ... @@ -186,7 +175,6 @@ class Bounds(PolicyObject): child: "Type" = ... parent: "Type" = ... ruletype: "BoundsRuletype" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -202,7 +190,6 @@ class BoundsRuletype(PolicyEnum): class Category(PolicySymbol): _value: int = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def aliases(self, *args, **kwargs) -> Iterable[str]: ... def statement(self) -> str: ... @@ -215,12 +202,10 @@ class Category(PolicySymbol): def __ne__(self, other) -> bool: ... class CategoryEbitmapIterator(EbitmapIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Category: ... class CategoryHashtabIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... @@ -228,18 +213,15 @@ class CategoryHashtabIterator(HashtabIterator): class Common(PolicySymbol): perms: frozenset[str] = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class CommonHashtabIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Common: ... class Conditional(PolicyObject): booleans: frozenset[Boolean] = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def evaluate(self, **kwargs) -> bool: ... def expression(self) -> Iterable["ConditionalOperator" | str]: ... @@ -257,14 +239,12 @@ class Conditional(PolicyObject): def __ne__(self, other) -> bool: ... class ConditionalExprIterator(PolicyIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> ConditionalOperator | Boolean: ... class ConditionalIterator(PolicyIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... @@ -275,12 +255,10 @@ class ConditionalOperator(PolicyObject): evaluate: Callable = ... precedence: int = ... unary: bool = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self, *args, **kwargs) -> NoReturn: ... class ConditionalTERuleIterator(PolicyIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def ruletype_count(self, *args, **kwargs) -> Any: ... @@ -289,12 +267,10 @@ class ConditionalTERuleIterator(PolicyIterator): class Constraint(BaseConstraint): perms: frozenset[str] = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class ConstraintExprIterator(PolicyIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... @@ -309,7 +285,6 @@ class ConstraintExprNode(PolicyObject): _user_syms: Any = ... names: frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] = ... symbol_type: int = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> NoReturn: ... def __contains__(self, other) -> bool: ... @@ -323,7 +298,6 @@ class ConstraintExpression(PolicyObject): types: frozenset["Type"] = ... users: frozenset["User"] = ... __hash__: Any = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def infix(self, *args, **kwargs) -> frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] | str: ... def statement(self) -> NoReturn: ... @@ -337,7 +311,6 @@ class ConstraintExpression(PolicyObject): def __ne__(self, other) -> bool: ... class ConstraintIterator(PolicyIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... @@ -356,7 +329,6 @@ class Context(PolicyObject): role: "Role" = ... type_: "Type" = ... user: "User" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... @@ -364,7 +336,6 @@ class Default(PolicyObject): default: "DefaultValue" = ... ruletype: "DefaultRuletype" = ... tclass: "ObjClass" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -377,7 +348,6 @@ class Default(PolicyObject): class DefaultRange(Default): default_range: "DefaultRangeValue" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -410,19 +380,16 @@ class DefaultValue(PolicyEnum): class Devicetreecon(Ocontext): path: str = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class DevicetreeconIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Devicetreecon: ... class FSUse(Ocontext): fs: str = ... ruletype: "FSUseRuletype" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -434,7 +401,6 @@ class FSUse(Ocontext): def __ne__(self, other) -> bool: ... class FSUseIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> FSUse: ... @@ -451,7 +417,6 @@ class FileNameTERule(BaseTERule): source: TypeOrAttr = ... tclass: "ObjClass" = ... target: TypeOrAttr = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def expand(self, *args, **kwargs) -> Iterable["FileNameTERule"]: ... def statement(self) -> str: ... @@ -464,7 +429,6 @@ class FileNameTERule(BaseTERule): def __ne__(self, other) -> bool: ... class FileNameTERuleIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "FileNameTERule": ... @@ -478,7 +442,6 @@ class Genfscon(Ocontext): fs: str = ... path: str = ... tclass: "ObjClass" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -490,14 +453,12 @@ class Genfscon(Ocontext): def __ne__(self, other) -> bool: ... class GenfsconIterator: - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __iter__(self) -> Iterable["Genfscon"]: ... def __len__(self) -> int: ... def __next__(self) -> "Genfscon": ... class GenfsconOcontextIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Ocontext": ... @@ -509,7 +470,6 @@ class HandleUnknown(PolicyEnum): class Ibendportcon(Ocontext): name: str = ... port: int = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -521,14 +481,12 @@ class Ibendportcon(Ocontext): def __ne__(self, other) -> bool: ... class IbendportconIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Ibendportcon": ... class Ibpkeycon(Ocontext): pkeys: "IbpkeyconRange" = ... subnet_prefix: ipaddress.IPv6Address = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -540,7 +498,6 @@ class Ibpkeycon(Ocontext): def __ne__(self, other) -> bool: ... class IbpkeyconIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Ibpkeycon": ... @@ -551,12 +508,10 @@ class IbpkeyconRange: class InitialSID(Ocontext): name: str = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class InitialSIDIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "InitialSID": ... @@ -615,12 +570,10 @@ class IoctlSet(frozenset[int]): class Iomemcon(Ocontext): addr: "IomemconRange" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class IomemconIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Iomemcon": ... @@ -631,12 +584,10 @@ class IomemconRange: class Ioportcon(Ocontext): ports: "IoportconRange" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class IoportconIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Ioportcon: ... @@ -646,7 +597,6 @@ class IoportconRange: low: int = ... class Level(BaseMLSLevel): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> NoReturn: ... def __eq__(self, other) -> bool: ... @@ -660,7 +610,6 @@ class Level(BaseMLSLevel): def __xor__(self, other) -> bool: ... class LevelDecl(BaseMLSLevel): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -672,7 +621,6 @@ class LevelDecl(BaseMLSLevel): def __ne__(self, other) -> bool: ... class LevelDeclHashtabIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... @@ -689,7 +637,6 @@ class MLSRule(PolicyRule): source: TypeOrAttr = ... tclass: "ObjClass" = ... target: TypeOrAttr = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def expand(self) -> Iterable["MLSRule"]: ... def statement(self) -> str: ... @@ -702,7 +649,6 @@ class MLSRule(PolicyRule): def __ne__(self, other) -> bool: ... class MLSRuleIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "MLSRuletype": ... @@ -712,7 +658,6 @@ class MLSRuletype(PolicyEnum): class Netifcon(Ocontext): netif: str = ... packet: "Context" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -724,7 +669,6 @@ class Netifcon(Ocontext): def __ne__(self, other) -> bool: ... class NetifconIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Netifcon": ... @@ -737,7 +681,6 @@ class NoStatement(setools.exception.SymbolUseError): ... class Nodecon(Ocontext): ip_version: "NodeconIPVersion" = ... network: ipaddress.IPv4Network | ipaddress.IPv6Network = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -753,14 +696,12 @@ class NodeconIPVersion(PolicyEnum): ipv6: int = ... class NodeconIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Nodecon": ... class ObjClass(PolicySymbol): common: "Common" = ... perms: frozenset[str] = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def constraints(self, *args, **kwargs) -> Iterable["Constraint"]: ... def defaults(self, *args, **kwargs) -> Iterable[AnyDefault]: ... @@ -768,23 +709,19 @@ class ObjClass(PolicySymbol): def validatetrans(self, *args, **kwargs) -> Iterable["Validatetrans"]: ... class ObjClassHashtabIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "ObjClass": ... class Pcidevicecon(Ocontext): device: str = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class PcideviceconIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Pcidevicecon": ... class PermissionVectorIterator(PolicyIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... @@ -792,17 +729,14 @@ class PermissionVectorIterator(PolicyIterator): class Pirqcon(Ocontext): irq: int = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class PirqconIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Pirqcon": ... class PolicyCapability(PolicySymbol): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -814,7 +748,6 @@ class PolicyCapability(PolicySymbol): def __ne__(self, other) -> bool: ... class PolicyCapabilityIterator(EbitmapIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "PolicyCapability": ... @@ -825,7 +758,6 @@ class PolicyTarget(PolicyEnum): class Portcon(Ocontext): ports: "PortconRange" = ... protocol: "PortconProtocol" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -837,7 +769,6 @@ class Portcon(Ocontext): def __ne__(self, other) -> bool: ... class PortconIterator(OcontextIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Portcon: ... @@ -859,7 +790,6 @@ class RBACRuletype(PolicyEnum): class Range(PolicyObject): high: Level = ... low: Level = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __contains__(self, other) -> bool: ... @@ -873,7 +803,6 @@ class Range(PolicyObject): class Role(PolicySymbol): dominated_roles: frozenset["Role"] = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def expand(self) -> Iterable["Role"]: ... def statement(self) -> str: ... @@ -885,7 +814,6 @@ class RoleAllow(PolicyRule): source: "Role" = ... tclass: NoReturn = ... target: "Role" = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def expand(self) -> Iterable["RoleAllow"]: ... def statement(self) -> str: ... @@ -898,19 +826,16 @@ class RoleAllow(PolicyRule): def __ne__(self, other) -> bool: ... class RoleAllowIterator(PolicyIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "RoleAllow": ... class RoleEbitmapIterator(EbitmapIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Any: ... class RoleHashtabIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Role": ... @@ -920,7 +845,6 @@ class RoleTransition(PolicyRule): source: "Role" = ... tclass: "ObjClass" = ... target: TypeOrAttr = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def expand(self) -> Iterable["RoleTransition"]: ... def statement(self) -> str: ... @@ -933,7 +857,6 @@ class RoleTransition(PolicyRule): def __ne__(self, other) -> bool: ... class RoleTransitionIterator(PolicyIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... @@ -995,7 +918,6 @@ class SELinuxPolicy: user_count: int = ... validatetrans_count: int = ... version: int = ... - __pyx_vtable__: Any = ... def __init__(self, policyfile: str | None = None) -> None: ... def bools(self) -> Iterable["Boolean"]: ... def bounds(self) -> Iterable["Bounds"]: ... @@ -1046,7 +968,6 @@ class SELinuxPolicy: class Sensitivity(PolicySymbol): _value: int = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def aliases(self, *args, **kwargs) -> Any: ... def level_decl(self, *args, **kwargs) -> Any: ... @@ -1060,7 +981,6 @@ class Sensitivity(PolicySymbol): def __ne__(self, other) -> bool: ... class SensitivityHashtabIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... @@ -1071,7 +991,6 @@ class SymbolUseError(AttributeError, setools.exception.PolicyrepException): ... class TERule(BaseTERule): default: "Type" = ... perms: NoReturn = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def expand(self) -> Iterable["TERule"]: ... def statement(self) -> str: ... @@ -1084,7 +1003,6 @@ class TERule(BaseTERule): def __ne__(self, other) -> bool: ... class TERuleIterator(PolicyIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def ruletype_count(self, *args, **kwargs) -> Any: ... @@ -1113,7 +1031,6 @@ class TruthTableRow: class Type(BaseType): ispermissive: bool = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def aliases(self) -> Iterable[str]: ... def attributes(self) -> Iterable["TypeAttribute"]: ... @@ -1122,7 +1039,6 @@ class Type(BaseType): class TypeAttribute(BaseType): ispermissive: bool = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def aliases(self) -> Iterable[str]: ... def attributes(self) -> Iterable["TypeAttribute"]: ... @@ -1132,36 +1048,30 @@ class TypeAttribute(BaseType): def __len__(self) -> int: ... class TypeAttributeEbitmapIterator(EbitmapIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "TypeAttribute": ... class TypeAttributeHashtabIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "TypeAttribute": ... class TypeEbitmapIterator(EbitmapIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Type": ... class TypeHashtabIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "Type": ... class TypeOrAttributeEbitmapIterator(EbitmapIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> TypeOrAttr: ... class TypeboundsIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... @@ -1171,28 +1081,23 @@ class User(PolicySymbol): mls_level: "Level" = ... mls_range: "Range" = ... roles: frozenset["Role"] = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class UserEbitmapIterator(EbitmapIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "User": ... class UserHashtabIterator(HashtabIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "User": ... class Validatetrans(BaseConstraint): perms: NoReturn = ... - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class ValidatetransIterator(PolicyIterator): - __pyx_vtable__: Any = ... def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... From 68e90d70c8df2511855e03714b25cd1a3a8d9df9 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 12 Apr 2024 10:53:42 -0400 Subject: [PATCH 20/71] policyrep.pyi: Remove generic __init__() methds. In most cases, the objects cannot be created outside the policyrep code, since it requires low-level details from the policydb. Signed-off-by: Chris PeBenito --- setools/policyrep.pyi | 125 +----------------------------------------- 1 file changed, 3 insertions(+), 122 deletions(-) diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index 678c5e4a..12220434 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -3,7 +3,7 @@ from collections.abc import Callable, Iterable, Iterator from dataclasses import dataclass -from typing import Any, NamedTuple, NoReturn +from typing import Any, NoReturn import enum import ipaddress @@ -14,9 +14,7 @@ AnyConstraint = "Constraint" | "Validatetrans" AnyDefault = "Default" | "DefaultRange" AnyRBACRule = "RoleAllow" | "RoleTransition" AnyTERule = "AVRule" | "AVRuleXperm" | "TERule" | "FileNameTERule" -SELINUX_SIDNAMES: Any TypeOrAttr = "Type" | "TypeAttribute" -XEN_SIDNAMES: Any def lookup_boolean_name_sub(name: str) -> str: ... @@ -26,7 +24,6 @@ def lookup_boolean_name_sub(name: str) -> str: ... class PolicyObject: policy: "SELinuxPolicy" = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __copy__(self) -> "PolicyObject": ... def __deepcopy__(self, memo) -> "PolicyObject": ... @@ -56,12 +53,10 @@ class PolicyRule(PolicyObject): class PolicySymbol(PolicyObject): name: str = ... - def __init__(self, *args, **kwargs) -> None: ... def __contains__(self, other) -> bool: ... def expand(self) -> Iterable["PolicySymbol"]: ... class PolicyIterator: - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __iter__(self) -> Any: ... def __len__(self) -> int: ... @@ -83,11 +78,9 @@ class BaseConstraint(PolicyObject): perms: frozenset[str] = ... ruletype: "ConstraintRuletype" = ... tclass: "ObjClass" = ... - def __init__(self, *args, **kwargs) -> None: ... class BaseMLSLevel(PolicyObject): sensitivity: "Sensitivity" = ... - def __init__(self, *args, **kwargs) -> None: ... def categories(self) -> Iterable[Category]: ... class BaseTERule(PolicyRule): @@ -98,33 +91,27 @@ class BaseTERule(PolicyRule): source: TypeOrAttr = ... tclass: "ObjClass" = ... target: TypeOrAttr = ... - def __init__(self, *args, **kwargs) -> None: ... def enabled(self, **kwargs) -> bool: ... class BaseType(PolicySymbol): - def __init__(self, *args, **kwargs) -> None: ... def aliases(self) -> Iterable[str]: ... def attributes(self) -> Iterable["BaseType"]: ... def expand(self) -> Iterable["BaseType"]: ... class EbitmapIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "PolicyObject": ... class HashtabIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> Any: ... class Ocontext(PolicyObject): context: "Context" = ... - def __init__(self, *args, **kwargs) -> None: ... class OcontextIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "Ocontext": ... @@ -134,7 +121,6 @@ class OcontextIterator(PolicyIterator): class AVRule(BaseTERule): default: NoReturn = ... perms: frozenset[str] = ... - def __init__(self, *args, **kwargs) -> None: ... def derive_expanded(self, *args, **kwargs) -> "AVRule": ... def expand(self, *args, **kwargs) -> Iterable["AVRule"]: ... def statement(self) -> str: ... @@ -150,7 +136,6 @@ class AVRuleXperm(BaseTERule): default: NoReturn = ... perms: "IoctlSet" = ... xperm_type: str = ... - def __init__(self, *args, **kwargs) -> None: ... def expand(self, *args, **kwargs) -> Iterable["AVRuleXperm"]: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -164,18 +149,15 @@ class AVRuleXperm(BaseTERule): class Boolean(PolicySymbol): state: bool = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class BooleanHashtabIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Boolean: ... class Bounds(PolicyObject): child: "Type" = ... parent: "Type" = ... ruletype: "BoundsRuletype" = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -189,8 +171,6 @@ class BoundsRuletype(PolicyEnum): typebounds: int = ... class Category(PolicySymbol): - _value: int = ... - def __init__(self, *args, **kwargs) -> None: ... def aliases(self, *args, **kwargs) -> Iterable[str]: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -202,27 +182,22 @@ class Category(PolicySymbol): def __ne__(self, other) -> bool: ... class CategoryEbitmapIterator(EbitmapIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Category: ... class CategoryHashtabIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> Category: ... class Common(PolicySymbol): perms: frozenset[str] = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class CommonHashtabIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Common: ... class Conditional(PolicyObject): booleans: frozenset[Boolean] = ... - def __init__(self, *args, **kwargs) -> None: ... def evaluate(self, **kwargs) -> bool: ... def expression(self) -> Iterable["ConditionalOperator" | str]: ... def false_rules(self, *args, **kwargs) -> Iterable[AnyTERule]: ... @@ -239,27 +214,22 @@ class Conditional(PolicyObject): def __ne__(self, other) -> bool: ... class ConditionalExprIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> ConditionalOperator | Boolean: ... class ConditionalIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> Conditional: ... class ConditionalOperator(PolicyObject): - _cond_expr_val_to_details: Any = ... evaluate: Callable = ... precedence: int = ... unary: bool = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self, *args, **kwargs) -> NoReturn: ... class ConditionalTERuleIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def ruletype_count(self, *args, **kwargs) -> Any: ... def __len__(self) -> int: ... @@ -267,25 +237,16 @@ class ConditionalTERuleIterator(PolicyIterator): class Constraint(BaseConstraint): perms: frozenset[str] = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class ConstraintExprIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "ConstraintExprNode": ... class ConstraintExprNode(PolicyObject): - _expr_op_to_text: Any = ... - _expr_type_to_text: Any = ... - _role_syms: Any = ... - _sym_to_text: Any = ... - _type_syms: Any = ... - _user_syms: Any = ... names: frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] = ... symbol_type: int = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> NoReturn: ... def __contains__(self, other) -> bool: ... def __getitem__(self, index) -> frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] | str: ... @@ -297,8 +258,6 @@ class ConstraintExpression(PolicyObject): roles: frozenset["Role"] = ... types: frozenset["Type"] = ... users: frozenset["User"] = ... - __hash__: Any = ... - def __init__(self, *args, **kwargs) -> None: ... def infix(self, *args, **kwargs) -> frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] | str: ... def statement(self) -> NoReturn: ... def __eq__(self, other) -> bool: ... @@ -311,7 +270,6 @@ class ConstraintExpression(PolicyObject): def __ne__(self, other) -> bool: ... class ConstraintIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> Constraint: ... @@ -329,14 +287,12 @@ class Context(PolicyObject): role: "Role" = ... type_: "Type" = ... user: "User" = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class Default(PolicyObject): default: "DefaultValue" = ... ruletype: "DefaultRuletype" = ... tclass: "ObjClass" = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -348,7 +304,6 @@ class Default(PolicyObject): class DefaultRange(Default): default_range: "DefaultRangeValue" = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -380,17 +335,14 @@ class DefaultValue(PolicyEnum): class Devicetreecon(Ocontext): path: str = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class DevicetreeconIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Devicetreecon: ... class FSUse(Ocontext): fs: str = ... ruletype: "FSUseRuletype" = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -401,7 +353,6 @@ class FSUse(Ocontext): def __ne__(self, other) -> bool: ... class FSUseIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> FSUse: ... class FSUseRuletype(PolicyEnum): @@ -417,7 +368,6 @@ class FileNameTERule(BaseTERule): source: TypeOrAttr = ... tclass: "ObjClass" = ... target: TypeOrAttr = ... - def __init__(self, *args, **kwargs) -> None: ... def expand(self, *args, **kwargs) -> Iterable["FileNameTERule"]: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -429,20 +379,15 @@ class FileNameTERule(BaseTERule): def __ne__(self, other) -> bool: ... class FileNameTERuleIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "FileNameTERule": ... -class GenfsFiletype(int): - _filetype_to_text: Any = ... - def __init__(self, *args, **kwargs) -> None: ... +class GenfsFiletype(int): ... class Genfscon(Ocontext): - _sclass_to_stat: Any = ... filetype: "GenfsFiletype" = ... fs: str = ... path: str = ... tclass: "ObjClass" = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -453,13 +398,11 @@ class Genfscon(Ocontext): def __ne__(self, other) -> bool: ... class GenfsconIterator: - def __init__(self, *args, **kwargs) -> None: ... def __iter__(self) -> Iterable["Genfscon"]: ... def __len__(self) -> int: ... def __next__(self) -> "Genfscon": ... class GenfsconOcontextIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Ocontext": ... class HandleUnknown(PolicyEnum): @@ -470,7 +413,6 @@ class HandleUnknown(PolicyEnum): class Ibendportcon(Ocontext): name: str = ... port: int = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -481,13 +423,11 @@ class Ibendportcon(Ocontext): def __ne__(self, other) -> bool: ... class IbendportconIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Ibendportcon": ... class Ibpkeycon(Ocontext): pkeys: "IbpkeyconRange" = ... subnet_prefix: ipaddress.IPv6Address = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -498,7 +438,6 @@ class Ibpkeycon(Ocontext): def __ne__(self, other) -> bool: ... class IbpkeyconIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Ibpkeycon": ... @dataclass @@ -508,11 +447,9 @@ class IbpkeyconRange: class InitialSID(Ocontext): name: str = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class InitialSIDIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "InitialSID": ... class InvalidBoolean(setools.exception.InvalidSymbol): ... @@ -562,7 +499,6 @@ class InvalidType(setools.exception.InvalidSymbol): ... class InvalidUser(setools.exception.InvalidSymbol): ... class IoctlSet(frozenset[int]): - def __init__(self, *args, **kwargs) -> None: ... def ranges(self) -> int: ... def __format__(self, *args, **kwargs) -> str: ... def __reduce_cython__(self, *args, **kwargs) -> Any: ... @@ -570,11 +506,9 @@ class IoctlSet(frozenset[int]): class Iomemcon(Ocontext): addr: "IomemconRange" = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class IomemconIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Iomemcon": ... @dataclass @@ -584,11 +518,9 @@ class IomemconRange: class Ioportcon(Ocontext): ports: "IoportconRange" = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class IoportconIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Ioportcon: ... @dataclass @@ -597,7 +529,6 @@ class IoportconRange: low: int = ... class Level(BaseMLSLevel): - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> NoReturn: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -610,7 +541,6 @@ class Level(BaseMLSLevel): def __xor__(self, other) -> bool: ... class LevelDecl(BaseMLSLevel): - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -621,7 +551,6 @@ class LevelDecl(BaseMLSLevel): def __ne__(self, other) -> bool: ... class LevelDeclHashtabIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "LevelDecl": ... @@ -637,7 +566,6 @@ class MLSRule(PolicyRule): source: TypeOrAttr = ... tclass: "ObjClass" = ... target: TypeOrAttr = ... - def __init__(self, *args, **kwargs) -> None: ... def expand(self) -> Iterable["MLSRule"]: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -649,7 +577,6 @@ class MLSRule(PolicyRule): def __ne__(self, other) -> bool: ... class MLSRuleIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "MLSRuletype": ... class MLSRuletype(PolicyEnum): @@ -658,7 +585,6 @@ class MLSRuletype(PolicyEnum): class Netifcon(Ocontext): netif: str = ... packet: "Context" = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -669,7 +595,6 @@ class Netifcon(Ocontext): def __ne__(self, other) -> bool: ... class NetifconIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Netifcon": ... class NoCommon(AttributeError, setools.exception.PolicyrepException): ... @@ -681,7 +606,6 @@ class NoStatement(setools.exception.SymbolUseError): ... class Nodecon(Ocontext): ip_version: "NodeconIPVersion" = ... network: ipaddress.IPv4Network | ipaddress.IPv6Network = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -696,48 +620,39 @@ class NodeconIPVersion(PolicyEnum): ipv6: int = ... class NodeconIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Nodecon": ... class ObjClass(PolicySymbol): common: "Common" = ... perms: frozenset[str] = ... - def __init__(self, *args, **kwargs) -> None: ... def constraints(self, *args, **kwargs) -> Iterable["Constraint"]: ... def defaults(self, *args, **kwargs) -> Iterable[AnyDefault]: ... def statement(self) -> str: ... def validatetrans(self, *args, **kwargs) -> Iterable["Validatetrans"]: ... class ObjClassHashtabIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "ObjClass": ... class Pcidevicecon(Ocontext): device: str = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class PcideviceconIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Pcidevicecon": ... class PermissionVectorIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> str: ... class Pirqcon(Ocontext): irq: int = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class PirqconIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Pirqcon": ... class PolicyCapability(PolicySymbol): - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -748,7 +663,6 @@ class PolicyCapability(PolicySymbol): def __ne__(self, other) -> bool: ... class PolicyCapabilityIterator(EbitmapIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "PolicyCapability": ... class PolicyTarget(PolicyEnum): @@ -758,7 +672,6 @@ class PolicyTarget(PolicyEnum): class Portcon(Ocontext): ports: "PortconRange" = ... protocol: "PortconProtocol" = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... def __ge__(self, other) -> bool: ... @@ -769,7 +682,6 @@ class Portcon(Ocontext): def __ne__(self, other) -> bool: ... class PortconIterator(OcontextIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Portcon: ... class PortconProtocol(PolicyEnum): @@ -790,7 +702,6 @@ class RBACRuletype(PolicyEnum): class Range(PolicyObject): high: Level = ... low: Level = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... def __contains__(self, other) -> bool: ... def __eq__(self, other) -> bool: ... @@ -803,7 +714,6 @@ class Range(PolicyObject): class Role(PolicySymbol): dominated_roles: frozenset["Role"] = ... - def __init__(self, *args, **kwargs) -> None: ... def expand(self) -> Iterable["Role"]: ... def statement(self) -> str: ... def types(self) -> Iterable["Type"]: ... @@ -814,7 +724,6 @@ class RoleAllow(PolicyRule): source: "Role" = ... tclass: NoReturn = ... target: "Role" = ... - def __init__(self, *args, **kwargs) -> None: ... def expand(self) -> Iterable["RoleAllow"]: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -826,17 +735,14 @@ class RoleAllow(PolicyRule): def __ne__(self, other) -> bool: ... class RoleAllowIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "RoleAllow": ... class RoleEbitmapIterator(EbitmapIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> Any: ... class RoleHashtabIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Role": ... class RoleTransition(PolicyRule): @@ -845,7 +751,6 @@ class RoleTransition(PolicyRule): source: "Role" = ... tclass: "ObjClass" = ... target: TypeOrAttr = ... - def __init__(self, *args, **kwargs) -> None: ... def expand(self) -> Iterable["RoleTransition"]: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -857,7 +762,6 @@ class RoleTransition(PolicyRule): def __ne__(self, other) -> bool: ... class RoleTransitionIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "RoleTransition": ... @@ -967,8 +871,6 @@ class SELinuxPolicy: def __deepcopy__(self, memo) -> "SELinuxPolicy": ... class Sensitivity(PolicySymbol): - _value: int = ... - def __init__(self, *args, **kwargs) -> None: ... def aliases(self, *args, **kwargs) -> Any: ... def level_decl(self, *args, **kwargs) -> Any: ... def statement(self) -> str: ... @@ -981,7 +883,6 @@ class Sensitivity(PolicySymbol): def __ne__(self, other) -> bool: ... class SensitivityHashtabIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "Sensitivity": ... @@ -991,7 +892,6 @@ class SymbolUseError(AttributeError, setools.exception.PolicyrepException): ... class TERule(BaseTERule): default: "Type" = ... perms: NoReturn = ... - def __init__(self, *args, **kwargs) -> None: ... def expand(self) -> Iterable["TERule"]: ... def statement(self) -> str: ... def __eq__(self, other) -> bool: ... @@ -1003,7 +903,6 @@ class TERule(BaseTERule): def __ne__(self, other) -> bool: ... class TERuleIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def ruletype_count(self, *args, **kwargs) -> Any: ... def __len__(self) -> int: ... @@ -1031,7 +930,6 @@ class TruthTableRow: class Type(BaseType): ispermissive: bool = ... - def __init__(self, *args, **kwargs) -> None: ... def aliases(self) -> Iterable[str]: ... def attributes(self) -> Iterable["TypeAttribute"]: ... def expand(self) -> Iterable["Type"]: ... @@ -1039,7 +937,6 @@ class Type(BaseType): class TypeAttribute(BaseType): ispermissive: bool = ... - def __init__(self, *args, **kwargs) -> None: ... def aliases(self) -> Iterable[str]: ... def attributes(self) -> Iterable["TypeAttribute"]: ... def expand(self) -> Iterable["Type"]: ... @@ -1048,31 +945,25 @@ class TypeAttribute(BaseType): def __len__(self) -> int: ... class TypeAttributeEbitmapIterator(EbitmapIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "TypeAttribute": ... class TypeAttributeHashtabIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "TypeAttribute": ... class TypeEbitmapIterator(EbitmapIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "Type": ... class TypeHashtabIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "Type": ... class TypeOrAttributeEbitmapIterator(EbitmapIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> TypeOrAttr: ... class TypeboundsIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "Bounds": ... @@ -1081,31 +972,21 @@ class User(PolicySymbol): mls_level: "Level" = ... mls_range: "Range" = ... roles: frozenset["Role"] = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class UserEbitmapIterator(EbitmapIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "User": ... class UserHashtabIterator(HashtabIterator): - def __init__(self, *args, **kwargs) -> None: ... def __next__(self) -> "User": ... class Validatetrans(BaseConstraint): perms: NoReturn = ... - def __init__(self, *args, **kwargs) -> None: ... def statement(self) -> str: ... class ValidatetransIterator(PolicyIterator): - def __init__(self, *args, **kwargs) -> None: ... def reset(self) -> None: ... def __len__(self) -> int: ... def __next__(self) -> "Validatetrans": ... -class WeakKeyDefaultDict(weakref.WeakKeyDictionary): - _abc_impl: Any = ... - __abstractmethods__: Any = ... - def __init__(self, *args, **kwargs) -> None: ... - def __getitem__(self, index) -> Any: ... - def __missing__(self, *args, **kwargs) -> Any: ... +class WeakKeyDefaultDict(weakref.WeakKeyDictionary): ... From 1611d6ca7d57f263f7fc7b1d5b5948c3d9a41bbb Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 12 Apr 2024 11:33:12 -0400 Subject: [PATCH 21/71] policyrep.pyi: Remove redundant methods. Remove method stubs that are redundant due to inheritance. Signed-off-by: Chris PeBenito --- setools/policyrep.pyi | 281 ++---------------------------------------- 1 file changed, 8 insertions(+), 273 deletions(-) diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index 12220434..a8d32f0a 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -58,16 +58,12 @@ class PolicySymbol(PolicyObject): class PolicyIterator: def reset(self) -> None: ... - def __iter__(self) -> Any: ... def __len__(self) -> int: ... - def __next__(self) -> Any: ... + def __next__(self) -> "PolicyObject" | str: ... # str for perm vectors class PolicyEnum(enum.Enum): @classmethod def lookup(cls, value) -> Any: ... - def __eq__(self, other) -> bool: ... - def __format__(self, *args, **kwargs) -> Any: ... - def __hash__(self) -> int: ... # # Base classes, in alphabetical order @@ -98,21 +94,14 @@ class BaseType(PolicySymbol): def attributes(self) -> Iterable["BaseType"]: ... def expand(self) -> Iterable["BaseType"]: ... -class EbitmapIterator(PolicyIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... - def __next__(self) -> "PolicyObject": ... +class EbitmapIterator(PolicyIterator): ... -class HashtabIterator(PolicyIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... - def __next__(self) -> Any: ... +class HashtabIterator(PolicyIterator): ... class Ocontext(PolicyObject): context: "Context" = ... class OcontextIterator(PolicyIterator): - def __len__(self) -> int: ... def __next__(self) -> "Ocontext": ... # @@ -123,33 +112,15 @@ class AVRule(BaseTERule): perms: frozenset[str] = ... def derive_expanded(self, *args, **kwargs) -> "AVRule": ... def expand(self, *args, **kwargs) -> Iterable["AVRule"]: ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class AVRuleXperm(BaseTERule): default: NoReturn = ... perms: "IoctlSet" = ... xperm_type: str = ... def expand(self, *args, **kwargs) -> Iterable["AVRuleXperm"]: ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... - class Boolean(PolicySymbol): state: bool = ... - def statement(self) -> str: ... class BooleanHashtabIterator(HashtabIterator): def __next__(self) -> Boolean: ... @@ -158,40 +129,21 @@ class Bounds(PolicyObject): child: "Type" = ... parent: "Type" = ... ruletype: "BoundsRuletype" = ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class BoundsRuletype(PolicyEnum): typebounds: int = ... class Category(PolicySymbol): def aliases(self, *args, **kwargs) -> Iterable[str]: ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class CategoryEbitmapIterator(EbitmapIterator): def __next__(self) -> Category: ... class CategoryHashtabIterator(HashtabIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> Category: ... class Common(PolicySymbol): perms: frozenset[str] = ... - def statement(self) -> str: ... class CommonHashtabIterator(HashtabIterator): def __next__(self) -> Common: ... @@ -201,53 +153,34 @@ class Conditional(PolicyObject): def evaluate(self, **kwargs) -> bool: ... def expression(self) -> Iterable["ConditionalOperator" | str]: ... def false_rules(self, *args, **kwargs) -> Iterable[AnyTERule]: ... - def statement(self) -> str: ... def true_rules(self, *args, **kwargs) -> Iterable[AnyTERule]: ... def truth_table(self) -> list["TruthTableRow"]: ... def __contains__(self, other) -> bool: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class ConditionalExprIterator(PolicyIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> ConditionalOperator | Boolean: ... class ConditionalIterator(PolicyIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> Conditional: ... class ConditionalOperator(PolicyObject): evaluate: Callable = ... precedence: int = ... unary: bool = ... - def statement(self, *args, **kwargs) -> NoReturn: ... class ConditionalTERuleIterator(PolicyIterator): - def reset(self) -> None: ... def ruletype_count(self, *args, **kwargs) -> Any: ... - def __len__(self) -> int: ... def __next__(self) -> AnyTERule: ... class Constraint(BaseConstraint): perms: frozenset[str] = ... - def statement(self) -> str: ... class ConstraintExprIterator(PolicyIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> "ConstraintExprNode": ... class ConstraintExprNode(PolicyObject): names: frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] = ... symbol_type: int = ... - def statement(self) -> NoReturn: ... def __contains__(self, other) -> bool: ... def __getitem__(self, index) -> frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] | str: ... def __iter__(self) -> Iterable[frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] | str]: ... @@ -259,19 +192,10 @@ class ConstraintExpression(PolicyObject): types: frozenset["Type"] = ... users: frozenset["User"] = ... def infix(self, *args, **kwargs) -> frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] | str: ... - def statement(self) -> NoReturn: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... def __getitem__(self, index) -> frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] | str: ... - def __gt__(self, other) -> bool: ... def __iter__(self) -> Iterator[frozenset["Role"] | frozenset["Type"] | frozenset["User"] | str]: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class ConstraintIterator(PolicyIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> Constraint: ... class ConstraintRuletype(PolicyEnum): @@ -287,31 +211,14 @@ class Context(PolicyObject): role: "Role" = ... type_: "Type" = ... user: "User" = ... - def statement(self) -> str: ... class Default(PolicyObject): default: "DefaultValue" = ... ruletype: "DefaultRuletype" = ... tclass: "ObjClass" = ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class DefaultRange(Default): default_range: "DefaultRangeValue" = ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class DefaultRangeValue(PolicyEnum): high: int = ... @@ -331,11 +238,10 @@ class DefaultValue(PolicyEnum): source: int = ... target: int = ... @classmethod - def from_default_range(cls, *args, **kwargs) -> Any: ... + def from_default_range(cls, *args, **kwargs) -> "DefaultValue": ... class Devicetreecon(Ocontext): path: str = ... - def statement(self) -> str: ... class DevicetreeconIterator(OcontextIterator): def __next__(self) -> Devicetreecon: ... @@ -343,14 +249,6 @@ class DevicetreeconIterator(OcontextIterator): class FSUse(Ocontext): fs: str = ... ruletype: "FSUseRuletype" = ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class FSUseIterator(OcontextIterator): def __next__(self) -> FSUse: ... @@ -369,14 +267,6 @@ class FileNameTERule(BaseTERule): tclass: "ObjClass" = ... target: TypeOrAttr = ... def expand(self, *args, **kwargs) -> Iterable["FileNameTERule"]: ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class FileNameTERuleIterator(HashtabIterator): def __next__(self) -> "FileNameTERule": ... @@ -388,14 +278,6 @@ class Genfscon(Ocontext): fs: str = ... path: str = ... tclass: "ObjClass" = ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class GenfsconIterator: def __iter__(self) -> Iterable["Genfscon"]: ... @@ -413,14 +295,6 @@ class HandleUnknown(PolicyEnum): class Ibendportcon(Ocontext): name: str = ... port: int = ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class IbendportconIterator(OcontextIterator): def __next__(self) -> "Ibendportcon": ... @@ -428,14 +302,6 @@ class IbendportconIterator(OcontextIterator): class Ibpkeycon(Ocontext): pkeys: "IbpkeyconRange" = ... subnet_prefix: ipaddress.IPv6Address = ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class IbpkeyconIterator(OcontextIterator): def __next__(self) -> "Ibpkeycon": ... @@ -447,7 +313,6 @@ class IbpkeyconRange: class InitialSID(Ocontext): name: str = ... - def statement(self) -> str: ... class InitialSIDIterator(OcontextIterator): def __next__(self) -> "InitialSID": ... @@ -500,13 +365,9 @@ class InvalidUser(setools.exception.InvalidSymbol): ... class IoctlSet(frozenset[int]): def ranges(self) -> int: ... - def __format__(self, *args, **kwargs) -> str: ... - def __reduce_cython__(self, *args, **kwargs) -> Any: ... - def __setstate_cython__(self, *args, **kwargs) -> Any: ... class Iomemcon(Ocontext): addr: "IomemconRange" = ... - def statement(self) -> str: ... class IomemconIterator(OcontextIterator): def __next__(self) -> "Iomemcon": ... @@ -518,7 +379,6 @@ class IomemconRange: class Ioportcon(Ocontext): ports: "IoportconRange" = ... - def statement(self) -> str: ... class IoportconIterator(OcontextIterator): def __next__(self) -> Ioportcon: ... @@ -529,30 +389,12 @@ class IoportconRange: low: int = ... class Level(BaseMLSLevel): - def statement(self) -> NoReturn: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... def __rxor__(self, other) -> bool: ... def __xor__(self, other) -> bool: ... -class LevelDecl(BaseMLSLevel): - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... +class LevelDecl(BaseMLSLevel): ... class LevelDeclHashtabIterator(HashtabIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> "LevelDecl": ... class LowLevelPolicyError(ValueError, setools.exception.PolicyrepException): ... @@ -567,17 +409,9 @@ class MLSRule(PolicyRule): tclass: "ObjClass" = ... target: TypeOrAttr = ... def expand(self) -> Iterable["MLSRule"]: ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class MLSRuleIterator(HashtabIterator): - def __next__(self) -> "MLSRuletype": ... + def __next__(self) -> "MLSRule": ... class MLSRuletype(PolicyEnum): range_transition: int = ... @@ -585,14 +419,6 @@ class MLSRuletype(PolicyEnum): class Netifcon(Ocontext): netif: str = ... packet: "Context" = ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class NetifconIterator(OcontextIterator): def __next__(self) -> "Netifcon": ... @@ -606,14 +432,6 @@ class NoStatement(setools.exception.SymbolUseError): ... class Nodecon(Ocontext): ip_version: "NodeconIPVersion" = ... network: ipaddress.IPv4Network | ipaddress.IPv6Network = ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class NodeconIPVersion(PolicyEnum): ipv4: int = ... @@ -627,7 +445,6 @@ class ObjClass(PolicySymbol): perms: frozenset[str] = ... def constraints(self, *args, **kwargs) -> Iterable["Constraint"]: ... def defaults(self, *args, **kwargs) -> Iterable[AnyDefault]: ... - def statement(self) -> str: ... def validatetrans(self, *args, **kwargs) -> Iterable["Validatetrans"]: ... class ObjClassHashtabIterator(HashtabIterator): @@ -635,32 +452,20 @@ class ObjClassHashtabIterator(HashtabIterator): class Pcidevicecon(Ocontext): device: str = ... - def statement(self) -> str: ... class PcideviceconIterator(OcontextIterator): def __next__(self) -> "Pcidevicecon": ... class PermissionVectorIterator(PolicyIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> str: ... class Pirqcon(Ocontext): irq: int = ... - def statement(self) -> str: ... class PirqconIterator(OcontextIterator): def __next__(self) -> "Pirqcon": ... -class PolicyCapability(PolicySymbol): - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... +class PolicyCapability(PolicySymbol): ... class PolicyCapabilityIterator(EbitmapIterator): def __next__(self) -> "PolicyCapability": ... @@ -672,14 +477,6 @@ class PolicyTarget(PolicyEnum): class Portcon(Ocontext): ports: "PortconRange" = ... protocol: "PortconProtocol" = ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class PortconIterator(OcontextIterator): def __next__(self) -> Portcon: ... @@ -702,20 +499,11 @@ class RBACRuletype(PolicyEnum): class Range(PolicyObject): high: Level = ... low: Level = ... - def statement(self) -> str: ... def __contains__(self, other) -> bool: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class Role(PolicySymbol): dominated_roles: frozenset["Role"] = ... def expand(self) -> Iterable["Role"]: ... - def statement(self) -> str: ... def types(self) -> Iterable["Type"]: ... class RoleAllow(PolicyRule): @@ -725,22 +513,12 @@ class RoleAllow(PolicyRule): tclass: NoReturn = ... target: "Role" = ... def expand(self) -> Iterable["RoleAllow"]: ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class RoleAllowIterator(PolicyIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> "RoleAllow": ... class RoleEbitmapIterator(EbitmapIterator): - def __next__(self) -> Any: ... + def __next__(self) -> "Role": ... class RoleHashtabIterator(HashtabIterator): def __next__(self) -> "Role": ... @@ -752,18 +530,8 @@ class RoleTransition(PolicyRule): tclass: "ObjClass" = ... target: TypeOrAttr = ... def expand(self) -> Iterable["RoleTransition"]: ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class RoleTransitionIterator(PolicyIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> "RoleTransition": ... class RuleNotConditional(AttributeError, setools.exception.PolicyrepException): ... @@ -873,18 +641,8 @@ class SELinuxPolicy: class Sensitivity(PolicySymbol): def aliases(self, *args, **kwargs) -> Any: ... def level_decl(self, *args, **kwargs) -> Any: ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class SensitivityHashtabIterator(HashtabIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> "Sensitivity": ... class SymbolUseError(AttributeError, setools.exception.PolicyrepException): ... @@ -893,19 +651,8 @@ class TERule(BaseTERule): default: "Type" = ... perms: NoReturn = ... def expand(self) -> Iterable["TERule"]: ... - def statement(self) -> str: ... - def __eq__(self, other) -> bool: ... - def __ge__(self, other) -> bool: ... - def __gt__(self, other) -> bool: ... - def __hash__(self) -> int: ... - def __le__(self, other) -> bool: ... - def __lt__(self, other) -> bool: ... - def __ne__(self, other) -> bool: ... class TERuleIterator(PolicyIterator): - def reset(self) -> None: ... - def ruletype_count(self, *args, **kwargs) -> Any: ... - def __len__(self) -> int: ... def __next__(self) -> "TERule": ... class TERuleNoFilename(AttributeError, setools.exception.PolicyrepException): ... @@ -933,14 +680,12 @@ class Type(BaseType): def aliases(self) -> Iterable[str]: ... def attributes(self) -> Iterable["TypeAttribute"]: ... def expand(self) -> Iterable["Type"]: ... - def statement(self) -> str: ... class TypeAttribute(BaseType): ispermissive: bool = ... def aliases(self) -> Iterable[str]: ... def attributes(self) -> Iterable["TypeAttribute"]: ... def expand(self) -> Iterable["Type"]: ... - def statement(self) -> str: ... def __iter__(self) -> Iterable["TypeAttribute"]: ... def __len__(self) -> int: ... @@ -948,31 +693,24 @@ class TypeAttributeEbitmapIterator(EbitmapIterator): def __next__(self) -> "TypeAttribute": ... class TypeAttributeHashtabIterator(HashtabIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> "TypeAttribute": ... class TypeEbitmapIterator(EbitmapIterator): def __next__(self) -> "Type": ... class TypeHashtabIterator(HashtabIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> "Type": ... class TypeOrAttributeEbitmapIterator(EbitmapIterator): def __next__(self) -> TypeOrAttr: ... class TypeboundsIterator(HashtabIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> "Bounds": ... class User(PolicySymbol): mls_level: "Level" = ... mls_range: "Range" = ... roles: frozenset["Role"] = ... - def statement(self) -> str: ... class UserEbitmapIterator(EbitmapIterator): def __next__(self) -> "User": ... @@ -982,11 +720,8 @@ class UserHashtabIterator(HashtabIterator): class Validatetrans(BaseConstraint): perms: NoReturn = ... - def statement(self) -> str: ... class ValidatetransIterator(PolicyIterator): - def reset(self) -> None: ... - def __len__(self) -> int: ... def __next__(self) -> "Validatetrans": ... class WeakKeyDefaultDict(weakref.WeakKeyDictionary): ... From 76535989c3a3dd5143b2db4e7da0f8f22757138e Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 12 Apr 2024 11:41:50 -0400 Subject: [PATCH 22/71] policyrep.pxi: Remove iterator classes. These are abstracted by Iterable in the other stubs. Signed-off-by: Chris PeBenito --- setools/policyrep.pyi | 150 ------------------------------------------ 1 file changed, 150 deletions(-) diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index a8d32f0a..0412db99 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -8,7 +8,6 @@ from typing import Any, NoReturn import enum import ipaddress import setools.exception -import weakref AnyConstraint = "Constraint" | "Validatetrans" AnyDefault = "Default" | "DefaultRange" @@ -56,11 +55,6 @@ class PolicySymbol(PolicyObject): def __contains__(self, other) -> bool: ... def expand(self) -> Iterable["PolicySymbol"]: ... -class PolicyIterator: - def reset(self) -> None: ... - def __len__(self) -> int: ... - def __next__(self) -> "PolicyObject" | str: ... # str for perm vectors - class PolicyEnum(enum.Enum): @classmethod def lookup(cls, value) -> Any: ... @@ -94,16 +88,9 @@ class BaseType(PolicySymbol): def attributes(self) -> Iterable["BaseType"]: ... def expand(self) -> Iterable["BaseType"]: ... -class EbitmapIterator(PolicyIterator): ... - -class HashtabIterator(PolicyIterator): ... - class Ocontext(PolicyObject): context: "Context" = ... -class OcontextIterator(PolicyIterator): - def __next__(self) -> "Ocontext": ... - # # Concrete classes, in alphabetical order # @@ -122,9 +109,6 @@ class AVRuleXperm(BaseTERule): class Boolean(PolicySymbol): state: bool = ... -class BooleanHashtabIterator(HashtabIterator): - def __next__(self) -> Boolean: ... - class Bounds(PolicyObject): child: "Type" = ... parent: "Type" = ... @@ -136,18 +120,9 @@ class BoundsRuletype(PolicyEnum): class Category(PolicySymbol): def aliases(self, *args, **kwargs) -> Iterable[str]: ... -class CategoryEbitmapIterator(EbitmapIterator): - def __next__(self) -> Category: ... - -class CategoryHashtabIterator(HashtabIterator): - def __next__(self) -> Category: ... - class Common(PolicySymbol): perms: frozenset[str] = ... -class CommonHashtabIterator(HashtabIterator): - def __next__(self) -> Common: ... - class Conditional(PolicyObject): booleans: frozenset[Boolean] = ... def evaluate(self, **kwargs) -> bool: ... @@ -157,27 +132,14 @@ class Conditional(PolicyObject): def truth_table(self) -> list["TruthTableRow"]: ... def __contains__(self, other) -> bool: ... -class ConditionalExprIterator(PolicyIterator): - def __next__(self) -> ConditionalOperator | Boolean: ... - -class ConditionalIterator(PolicyIterator): - def __next__(self) -> Conditional: ... - class ConditionalOperator(PolicyObject): evaluate: Callable = ... precedence: int = ... unary: bool = ... -class ConditionalTERuleIterator(PolicyIterator): - def ruletype_count(self, *args, **kwargs) -> Any: ... - def __next__(self) -> AnyTERule: ... - class Constraint(BaseConstraint): perms: frozenset[str] = ... -class ConstraintExprIterator(PolicyIterator): - def __next__(self) -> "ConstraintExprNode": ... - class ConstraintExprNode(PolicyObject): names: frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] = ... symbol_type: int = ... @@ -195,9 +157,6 @@ class ConstraintExpression(PolicyObject): def __getitem__(self, index) -> frozenset[TypeOrAttr] | frozenset["Role"] | frozenset["User"] | str: ... def __iter__(self) -> Iterator[frozenset["Role"] | frozenset["Type"] | frozenset["User"] | str]: ... -class ConstraintIterator(PolicyIterator): - def __next__(self) -> Constraint: ... - class ConstraintRuletype(PolicyEnum): constrain: int = ... mlsconstrain: int = ... @@ -243,16 +202,10 @@ class DefaultValue(PolicyEnum): class Devicetreecon(Ocontext): path: str = ... -class DevicetreeconIterator(OcontextIterator): - def __next__(self) -> Devicetreecon: ... - class FSUse(Ocontext): fs: str = ... ruletype: "FSUseRuletype" = ... -class FSUseIterator(OcontextIterator): - def __next__(self) -> FSUse: ... - class FSUseRuletype(PolicyEnum): fs_use_task: int = ... fs_use_trans: int = ... @@ -268,9 +221,6 @@ class FileNameTERule(BaseTERule): target: TypeOrAttr = ... def expand(self, *args, **kwargs) -> Iterable["FileNameTERule"]: ... -class FileNameTERuleIterator(HashtabIterator): - def __next__(self) -> "FileNameTERule": ... - class GenfsFiletype(int): ... class Genfscon(Ocontext): @@ -279,14 +229,6 @@ class Genfscon(Ocontext): path: str = ... tclass: "ObjClass" = ... -class GenfsconIterator: - def __iter__(self) -> Iterable["Genfscon"]: ... - def __len__(self) -> int: ... - def __next__(self) -> "Genfscon": ... - -class GenfsconOcontextIterator(OcontextIterator): - def __next__(self) -> "Ocontext": ... - class HandleUnknown(PolicyEnum): allow: int = ... deny: int = ... @@ -296,16 +238,10 @@ class Ibendportcon(Ocontext): name: str = ... port: int = ... -class IbendportconIterator(OcontextIterator): - def __next__(self) -> "Ibendportcon": ... - class Ibpkeycon(Ocontext): pkeys: "IbpkeyconRange" = ... subnet_prefix: ipaddress.IPv6Address = ... -class IbpkeyconIterator(OcontextIterator): - def __next__(self) -> "Ibpkeycon": ... - @dataclass class IbpkeyconRange: high: int = ... @@ -314,9 +250,6 @@ class IbpkeyconRange: class InitialSID(Ocontext): name: str = ... -class InitialSIDIterator(OcontextIterator): - def __next__(self) -> "InitialSID": ... - class InvalidBoolean(setools.exception.InvalidSymbol): ... class InvalidBoundsType(setools.exception.InvalidSymbol): ... @@ -369,9 +302,6 @@ class IoctlSet(frozenset[int]): class Iomemcon(Ocontext): addr: "IomemconRange" = ... -class IomemconIterator(OcontextIterator): - def __next__(self) -> "Iomemcon": ... - @dataclass class IomemconRange: high: int = ... @@ -380,9 +310,6 @@ class IomemconRange: class Ioportcon(Ocontext): ports: "IoportconRange" = ... -class IoportconIterator(OcontextIterator): - def __next__(self) -> Ioportcon: ... - @dataclass class IoportconRange: high: int = ... @@ -394,9 +321,6 @@ class Level(BaseMLSLevel): class LevelDecl(BaseMLSLevel): ... -class LevelDeclHashtabIterator(HashtabIterator): - def __next__(self) -> "LevelDecl": ... - class LowLevelPolicyError(ValueError, setools.exception.PolicyrepException): ... class MLSDisabled(setools.exception.PolicyrepException): ... @@ -410,9 +334,6 @@ class MLSRule(PolicyRule): target: TypeOrAttr = ... def expand(self) -> Iterable["MLSRule"]: ... -class MLSRuleIterator(HashtabIterator): - def __next__(self) -> "MLSRule": ... - class MLSRuletype(PolicyEnum): range_transition: int = ... @@ -420,9 +341,6 @@ class Netifcon(Ocontext): netif: str = ... packet: "Context" = ... -class NetifconIterator(OcontextIterator): - def __next__(self) -> "Netifcon": ... - class NoCommon(AttributeError, setools.exception.PolicyrepException): ... class NoDefaults(setools.exception.InvalidSymbol): ... @@ -437,9 +355,6 @@ class NodeconIPVersion(PolicyEnum): ipv4: int = ... ipv6: int = ... -class NodeconIterator(OcontextIterator): - def __next__(self) -> "Nodecon": ... - class ObjClass(PolicySymbol): common: "Common" = ... perms: frozenset[str] = ... @@ -447,29 +362,14 @@ class ObjClass(PolicySymbol): def defaults(self, *args, **kwargs) -> Iterable[AnyDefault]: ... def validatetrans(self, *args, **kwargs) -> Iterable["Validatetrans"]: ... -class ObjClassHashtabIterator(HashtabIterator): - def __next__(self) -> "ObjClass": ... - class Pcidevicecon(Ocontext): device: str = ... -class PcideviceconIterator(OcontextIterator): - def __next__(self) -> "Pcidevicecon": ... - -class PermissionVectorIterator(PolicyIterator): - def __next__(self) -> str: ... - class Pirqcon(Ocontext): irq: int = ... -class PirqconIterator(OcontextIterator): - def __next__(self) -> "Pirqcon": ... - class PolicyCapability(PolicySymbol): ... -class PolicyCapabilityIterator(EbitmapIterator): - def __next__(self) -> "PolicyCapability": ... - class PolicyTarget(PolicyEnum): selinux: int = ... xen: int = ... @@ -478,9 +378,6 @@ class Portcon(Ocontext): ports: "PortconRange" = ... protocol: "PortconProtocol" = ... -class PortconIterator(OcontextIterator): - def __next__(self) -> Portcon: ... - class PortconProtocol(PolicyEnum): dccp: int = ... sctp: int = ... @@ -514,15 +411,6 @@ class RoleAllow(PolicyRule): target: "Role" = ... def expand(self) -> Iterable["RoleAllow"]: ... -class RoleAllowIterator(PolicyIterator): - def __next__(self) -> "RoleAllow": ... - -class RoleEbitmapIterator(EbitmapIterator): - def __next__(self) -> "Role": ... - -class RoleHashtabIterator(HashtabIterator): - def __next__(self) -> "Role": ... - class RoleTransition(PolicyRule): default: "Role" = ... ruletype: "RBACRuletype" = ... @@ -531,9 +419,6 @@ class RoleTransition(PolicyRule): target: TypeOrAttr = ... def expand(self) -> Iterable["RoleTransition"]: ... -class RoleTransitionIterator(PolicyIterator): - def __next__(self) -> "RoleTransition": ... - class RuleNotConditional(AttributeError, setools.exception.PolicyrepException): ... class RuleUseError(setools.exception.SymbolUseError): ... @@ -642,9 +527,6 @@ class Sensitivity(PolicySymbol): def aliases(self, *args, **kwargs) -> Any: ... def level_decl(self, *args, **kwargs) -> Any: ... -class SensitivityHashtabIterator(HashtabIterator): - def __next__(self) -> "Sensitivity": ... - class SymbolUseError(AttributeError, setools.exception.PolicyrepException): ... class TERule(BaseTERule): @@ -652,9 +534,6 @@ class TERule(BaseTERule): perms: NoReturn = ... def expand(self) -> Iterable["TERule"]: ... -class TERuleIterator(PolicyIterator): - def __next__(self) -> "TERule": ... - class TERuleNoFilename(AttributeError, setools.exception.PolicyrepException): ... class TERuletype(PolicyEnum): @@ -689,39 +568,10 @@ class TypeAttribute(BaseType): def __iter__(self) -> Iterable["TypeAttribute"]: ... def __len__(self) -> int: ... -class TypeAttributeEbitmapIterator(EbitmapIterator): - def __next__(self) -> "TypeAttribute": ... - -class TypeAttributeHashtabIterator(HashtabIterator): - def __next__(self) -> "TypeAttribute": ... - -class TypeEbitmapIterator(EbitmapIterator): - def __next__(self) -> "Type": ... - -class TypeHashtabIterator(HashtabIterator): - def __next__(self) -> "Type": ... - -class TypeOrAttributeEbitmapIterator(EbitmapIterator): - def __next__(self) -> TypeOrAttr: ... - -class TypeboundsIterator(HashtabIterator): - def __next__(self) -> "Bounds": ... - class User(PolicySymbol): mls_level: "Level" = ... mls_range: "Range" = ... roles: frozenset["Role"] = ... -class UserEbitmapIterator(EbitmapIterator): - def __next__(self) -> "User": ... - -class UserHashtabIterator(HashtabIterator): - def __next__(self) -> "User": ... - class Validatetrans(BaseConstraint): perms: NoReturn = ... - -class ValidatetransIterator(PolicyIterator): - def __next__(self) -> "Validatetrans": ... - -class WeakKeyDefaultDict(weakref.WeakKeyDictionary): ... From 4b59a807ce758bb875a0317229b32b4beea9b0c6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 12 Apr 2024 11:47:08 -0400 Subject: [PATCH 23/71] policyrep.pyi: Remove exceptions. These are duplicates of exceptions in setools.exception. Signed-off-by: Chris PeBenito --- setools/policyrep.pyi | 67 ------------------------------------------- 1 file changed, 67 deletions(-) diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index 0412db99..ef950308 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -7,7 +7,6 @@ from typing import Any, NoReturn import enum import ipaddress -import setools.exception AnyConstraint = "Constraint" | "Validatetrans" AnyDefault = "Default" | "DefaultRange" @@ -163,8 +162,6 @@ class ConstraintRuletype(PolicyEnum): mlsvalidatetrans: int = ... validatetrans: int = ... -class ConstraintUseError(setools.exception.SymbolUseError): ... - class Context(PolicyObject): range_: "Range" = ... role: "Role" = ... @@ -250,52 +247,6 @@ class IbpkeyconRange: class InitialSID(Ocontext): name: str = ... -class InvalidBoolean(setools.exception.InvalidSymbol): ... - -class InvalidBoundsType(setools.exception.InvalidSymbol): ... - -class InvalidCategory(setools.exception.InvalidSymbol): ... - -class InvalidClass(setools.exception.InvalidSymbol): ... - -class InvalidCommon(setools.exception.InvalidSymbol): ... - -class InvalidConstraintType(setools.exception.InvalidSymbol): ... - -class InvalidDefaultRange(setools.exception.InvalidSymbol): ... - -class InvalidDefaultType(setools.exception.InvalidRuleType): ... - -class InvalidDefaultValue(setools.exception.InvalidSymbol): ... - -class InvalidFSUseType(setools.exception.InvalidRuleType): ... - -class InvalidInitialSid(setools.exception.InvalidSymbol): ... - -class InvalidLevel(setools.exception.InvalidSymbol): ... - -class InvalidLevelDecl(setools.exception.InvalidSymbol): ... - -class InvalidMLSRuleType(setools.exception.InvalidRuleType): ... - -class InvalidPolicy(ValueError, setools.exception.PolicyrepException): ... - -class InvalidRBACRuleType(setools.exception.InvalidRuleType): ... - -class InvalidRange(setools.exception.InvalidSymbol): ... - -class InvalidRole(setools.exception.InvalidSymbol): ... - -class InvalidRuleType(setools.exception.InvalidSymbol): ... - -class InvalidSensitivity(setools.exception.InvalidSymbol): ... - -class InvalidTERuleType(setools.exception.InvalidRuleType): ... - -class InvalidType(setools.exception.InvalidSymbol): ... - -class InvalidUser(setools.exception.InvalidSymbol): ... - class IoctlSet(frozenset[int]): def ranges(self) -> int: ... @@ -321,10 +272,6 @@ class Level(BaseMLSLevel): class LevelDecl(BaseMLSLevel): ... -class LowLevelPolicyError(ValueError, setools.exception.PolicyrepException): ... - -class MLSDisabled(setools.exception.PolicyrepException): ... - class MLSRule(PolicyRule): default: "Range" = ... origin: "MLSRule" = ... @@ -341,12 +288,6 @@ class Netifcon(Ocontext): netif: str = ... packet: "Context" = ... -class NoCommon(AttributeError, setools.exception.PolicyrepException): ... - -class NoDefaults(setools.exception.InvalidSymbol): ... - -class NoStatement(setools.exception.SymbolUseError): ... - class Nodecon(Ocontext): ip_version: "NodeconIPVersion" = ... network: ipaddress.IPv4Network | ipaddress.IPv6Network = ... @@ -419,10 +360,6 @@ class RoleTransition(PolicyRule): target: TypeOrAttr = ... def expand(self) -> Iterable["RoleTransition"]: ... -class RuleNotConditional(AttributeError, setools.exception.PolicyrepException): ... - -class RuleUseError(setools.exception.SymbolUseError): ... - class SELinuxPolicy: allow_count: int = ... allowxperm_count: int = ... @@ -527,15 +464,11 @@ class Sensitivity(PolicySymbol): def aliases(self, *args, **kwargs) -> Any: ... def level_decl(self, *args, **kwargs) -> Any: ... -class SymbolUseError(AttributeError, setools.exception.PolicyrepException): ... - class TERule(BaseTERule): default: "Type" = ... perms: NoReturn = ... def expand(self) -> Iterable["TERule"]: ... -class TERuleNoFilename(AttributeError, setools.exception.PolicyrepException): ... - class TERuletype(PolicyEnum): allow: int = ... allowxperm: int = ... From 7f1eaf4f68e981405027adedd9c723e069a9fc43 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 12 Apr 2024 15:42:58 -0400 Subject: [PATCH 24/71] test_mls: Update tests to pytest fixtures and for Cython implementation. Signed-off-by: Chris PeBenito --- setools/policyrep/mls.pxi | 6 +- tests/library/policyrep/mls.conf | 51 +- tests/library/policyrep/test_mls.py | 849 ++++++++-------------------- 3 files changed, 276 insertions(+), 630 deletions(-) diff --git a/setools/policyrep/mls.pxi b/setools/policyrep/mls.pxi index 6083268f..908fd7ae 100644 --- a/setools/policyrep/mls.pxi +++ b/setools/policyrep/mls.pxi @@ -331,9 +331,11 @@ cdef class Level(BaseMLSLevel): # verify level is valid if not l <= l.sensitivity.level_decl(): + invalid_cats = l._categories - set(l.sensitivity.level_decl().categories()) raise InvalidLevel( - f"{name} is not a valid level (one or more categories are not associated with the " - "sensitivity)") + f"{name} is not a valid level " + f"(category {', '.join(str(c) for c in invalid_cats)} is not associated " + f"with sensitivity {l.sensitivity})") return l diff --git a/tests/library/policyrep/mls.conf b/tests/library/policyrep/mls.conf index 1b2db897..0be737e2 100644 --- a/tests/library/policyrep/mls.conf +++ b/tests/library/policyrep/mls.conf @@ -53,11 +53,31 @@ inherits infoflow super_unmapped } -sensitivity s0; -sensitivity s1; +sensitivity s0 alias sname1; +sensitivity s1 alias { sname2 sname3 }; sensitivity s2; - -dominance { s0 s1 s2 } +sensitivity s3; +sensitivity s4; +sensitivity s5; +sensitivity s6; +sensitivity s7; +sensitivity s8; +sensitivity s9; +sensitivity s10; +sensitivity s11; +sensitivity s12; +sensitivity s13; +sensitivity s14; +sensitivity s15; +sensitivity s16; +sensitivity s17; +sensitivity s18; +sensitivity s19; +sensitivity s20; +sensitivity s21; +sensitivity s22; +sensitivity s23; +dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 s16 s17 s18 s19 s20 s21 s22 s23 } category c0; category c1; @@ -75,9 +95,30 @@ category c12; category c13; #level decl -level s0:c0.c2; +level s0:c0.c13; level s1:c0.c13; level s2:c0.c13; +level s3:c0.c13; +level s4:c0.c13; +level s5:c0.c13; +level s6:c0.c13; +level s7:c0.c13; +level s8:c0.c13; +level s9:c0.c13; +level s10:c0.c13; +level s11:c0.c13; +level s12:c0.c13; +level s13:c0.c13; +level s14:c0.c13; +level s15:c0.c13; +level s16:c0.c13; +level s17:c0.c13; +level s18:c0.c13; +level s19:c0.c13; +level s20:c0.c13; +level s21:c0.c13; +level s22:c0.c13; +level s23:c0.c13; #some constraints mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt)); diff --git a/tests/library/policyrep/test_mls.py b/tests/library/policyrep/test_mls.py index d22377bf..5cedc8d9 100644 --- a/tests/library/policyrep/test_mls.py +++ b/tests/library/policyrep/test_mls.py @@ -2,771 +2,374 @@ # # SPDX-License-Identifier: GPL-2.0-only # -# Until this is fixed for cython: -# pylint: disable=undefined-variable,no-member -import unittest -from unittest.mock import Mock - -from setools import SELinuxPolicy -from setools.exception import MLSDisabled, InvalidLevel, InvalidLevelDecl, InvalidRange, \ - InvalidSensitivity, InvalidCategory, NoStatement - - -@unittest.skip("Needs to be reworked for cython") -class SensitivityTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/mls.conf") - - def mock_sens_factory(self, sens, aliases=[]): - """Factory function for Sensitivity objects, using a mock qpol object.""" - mock_sens = Mock(qpol.qpol_level_t) - mock_sens.name.return_value = sens - mock_sens.isalias.return_value = False - mock_sens.value.return_value = int(sens[1:]) - mock_sens.alias_iter = lambda x: iter(aliases) - - return sensitivity_factory(self.p.policy, mock_sens) - - def test_000_mls_disabled(self): - """Sensitivity factory on MLS-disabled policy.""" - mock_p = Mock(qpol.qpol_policy_t) - mock_p.capability.return_value = False - self.assertRaises(MLSDisabled, sensitivity_factory, mock_p, None) - - def test_001_lookup(self): - """Sensitivity factory policy lookup.""" - sens = sensitivity_factory(self.p.policy, "s1") - self.assertEqual("s1", sens.qpol_symbol.name(self.p.policy)) - - def test_002_lookup_invalid(self): - """Sensitivity factory policy invalid lookup.""" - with self.assertRaises(InvalidSensitivity): - sensitivity_factory(self.p.policy, "INVALID") - - def test_003_lookup_object(self): - """Sensitivity factory policy lookup of Sensitivity object.""" - sens1 = sensitivity_factory(self.p.policy, "s1") - sens2 = sensitivity_factory(self.p.policy, sens1) - self.assertIs(sens2, sens1) - - def test_010_string(self): +import pytest +import setools + + +@pytest.mark.obj_args("tests/library/policyrep/mls.conf") +class TestSensitivity: + + def test_string(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity basic string rendering.""" - sens = self.mock_sens_factory("s0") - self.assertEqual("s0", str(sens)) + sens = compiled_policy.lookup_sensitivity("s0") + assert "s0" == str(sens), f"{sens}" - def test_020_statement(self): + def test_statement(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity basic statement rendering.""" - sens = self.mock_sens_factory("s0") - self.assertEqual("sensitivity s0;", sens.statement()) + sens = compiled_policy.lookup_sensitivity("s2") + assert "sensitivity s2;" == sens.statement(), sens.statement() - def test_021_statement_alias(self): + def test_statement_alias(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity one alias statement rendering.""" - sens = self.mock_sens_factory("s0", ["name1"]) - self.assertEqual("sensitivity s0 alias name1;", sens.statement()) + sens = compiled_policy.lookup_sensitivity("s0") + assert "sensitivity s0 alias sname1;" == sens.statement() - def test_022_statement_alias(self): + def test_statement_alias2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity two alias statement rendering.""" - sens = self.mock_sens_factory("s0", ["name1", "name2"]) - self.assertEqual("sensitivity s0 alias { name1 name2 };", sens.statement()) - - def test_030_value(self): - """Sensitivity value.""" - sens = self.mock_sens_factory("s17") - self.assertEqual(17, sens._value) + sens = compiled_policy.lookup_sensitivity("s1") + assert sens.statement() in ("sensitivity s1 alias { sname2 sname3 };", + "sensitivity s1 alias { sname3 sname2 };"), sens.statement() - def test_031_equal(self): + def test_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity equal.""" - sens1 = self.mock_sens_factory("s0") - sens2 = self.mock_sens_factory("s0") - self.assertEqual(sens1, sens2) + sens1 = compiled_policy.lookup_sensitivity("s0") + sens2 = compiled_policy.lookup_sensitivity("s0") + assert sens1 == sens2 - def test_032_equal_str(self): + def test_equal_str(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity equal to string.""" - sens = self.mock_sens_factory("s17") - self.assertEqual("s17", sens) + sens = compiled_policy.lookup_sensitivity("s17") + assert "s17" == sens - def test_033_not_equal(self): + def test_not_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity not equal.""" - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s23") - self.assertNotEqual(sens1, sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s23") + assert sens1 != sens2 - def test_034_not_equal_str(self): + def test_not_equal_str(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity not equal to string.""" - sens = self.mock_sens_factory("s17") - self.assertNotEqual("s0", sens) + sens = compiled_policy.lookup_sensitivity("s17") + assert "s0" != sens - def test_035_lt(self): + def test_lt(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity less-than.""" # less - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s23") - self.assertTrue(sens1 < sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s23") + assert sens1 < sens2 # equal - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s17") - self.assertFalse(sens1 < sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s17") + assert not (sens1 < sens2) # greater - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s0") - self.assertFalse(sens1 < sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s0") + assert not (sens1 < sens2) - def test_036_le(self): + def test_le(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity less-than-or-equal.""" # less - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s23") - self.assertTrue(sens1 <= sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s23") + assert sens1 <= sens2 # equal - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s17") - self.assertTrue(sens1 <= sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s17") + assert sens1 <= sens2 # greater - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s0") - self.assertFalse(sens1 <= sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s0") + assert not (sens1 <= sens2) - def test_037_ge(self): + def test_ge(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity greater-than-or-equal.""" # less - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s23") - self.assertFalse(sens1 >= sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s23") + assert not (sens1 >= sens2) # equal - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s17") - self.assertTrue(sens1 >= sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s17") + assert sens1 >= sens2 # greater - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s0") - self.assertTrue(sens1 >= sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s0") + assert sens1 >= sens2 - def test_038_gt(self): + def test_gt(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity greater-than.""" # less - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s23") - self.assertFalse(sens1 > sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s23") + assert not (sens1 > sens2) # equal - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s17") - self.assertFalse(sens1 > sens2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s17") + assert not (sens1 > sens2) # greater - sens1 = self.mock_sens_factory("s17") - sens2 = self.mock_sens_factory("s0") - self.assertTrue(sens1 > sens2) - - -@unittest.skip("Needs to be reworked for cython") -class CategoryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/mls.conf") - - def mock_cat_factory(self, cat, aliases=[]): - """Factory function for Category objects, using a mock qpol object.""" - mock_cat = Mock(qpol.qpol_cat_t) - mock_cat.name.return_value = cat - mock_cat.isalias.return_value = False - mock_cat.value.return_value = int(cat[1:]) - mock_cat.alias_iter = lambda x: iter(aliases) - - return category_factory(self.p.policy, mock_cat) - - def test_000_mls_disabled(self): - """Category factory on MLS-disabled policy.""" - mock_p = Mock(qpol.qpol_policy_t) - mock_p.capability.return_value = False - self.assertRaises(MLSDisabled, category_factory, mock_p, None) - - def test_001_lookup(self): - """Category factory policy lookup.""" - cat = category_factory(self.p.policy, "c1") - self.assertEqual("c1", cat.qpol_symbol.name(self.p.policy)) - - def test_002_lookup_invalid(self): - """Category factory policy invalid lookup.""" - with self.assertRaises(InvalidCategory): - category_factory(self.p.policy, "INVALID") - - def test_003_lookup_object(self): - """Category factory policy lookup of Category object.""" - cat1 = category_factory(self.p.policy, "c1") - cat2 = category_factory(self.p.policy, cat1) - self.assertIs(cat2, cat1) - - def test_010_statement(self): - """Category basic string rendering.""" - cat = self.mock_cat_factory("c0") - self.assertEqual("c0", str(cat)) - - def test_020_statement(self): - """Category basic statement rendering.""" - cat = self.mock_cat_factory("c0") - self.assertEqual("category c0;", cat.statement()) - - def test_021_statement_alias(self): - """Category one alias statement rendering.""" - cat = self.mock_cat_factory("c0", ["name1"]) - self.assertEqual("category c0 alias name1;", cat.statement()) - - def test_022_statement_alias(self): - """Category two alias statement rendering.""" - cat = self.mock_cat_factory("c0", ["name1", "name2"]) - self.assertEqual("category c0 alias { name1 name2 };", cat.statement()) - - def test_030_value(self): - """Category value.""" - cat = self.mock_cat_factory("c17") - self.assertEqual(17, cat._value) - - -@unittest.skip("Needs to be reworked for cython") -class LevelDeclTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/mls.conf") - - def mock_decl_factory(self, sens, cats=[]): - """Factory function for LevelDecl objects, using a mock qpol object.""" - mock_decl = Mock(qpol.qpol_level_t) - mock_decl.name.return_value = sens - mock_decl.isalias.return_value = False - mock_decl.value.return_value = int(sens[1:]) - mock_decl.cat_iter = lambda x: iter(cats) - - return level_decl_factory(self.p.policy, mock_decl) - - def test_000_mls_disabled(self): - """Level declaration factory on MLS-disabled policy.""" - mock_p = Mock(qpol.qpol_policy_t) - mock_p.capability.return_value = False - self.assertRaises(MLSDisabled, level_decl_factory, mock_p, None) - - def test_001_lookup(self): - """Level declaration factory policy lookup.""" - decl = level_decl_factory(self.p.policy, "s1") - self.assertEqual("s1", decl.qpol_symbol.name(self.p.policy)) - - def test_002_lookup_invalid(self): - """Level declaration factory policy invalid lookup.""" - with self.assertRaises(InvalidLevelDecl): - level_decl_factory(self.p.policy, "INVALID") - - def test_003_lookup_object(self): - """Level declaration factory policy lookup of LevelDecl object.""" - level1 = level_decl_factory(self.p.policy, "s1") - level2 = level_decl_factory(self.p.policy, level1) - self.assertIs(level2, level1) - - def test_010_string(self): - """Level declaration basic string rendering.""" - decl = self.mock_decl_factory("s0") - self.assertEqual("s0", str(decl)) - - def test_011_string_single_cat(self): - """Level declaration string rendering with one category""" - decl = self.mock_decl_factory("s0", ["c0"]) - self.assertEqual("s0:c0", str(decl)) - - def test_012_string_multiple_cat(self): - """Level declaration string rendering with multiple categories""" - decl = self.mock_decl_factory("s0", ["c0", "c3"]) - self.assertEqual("s0:c0,c3", str(decl)) - - def test_013_string_cat_set(self): - """Level declaration string rendering with category set""" - decl = self.mock_decl_factory("s0", ["c0", "c1", "c2", "c3"]) - self.assertEqual("s0:c0.c3", str(decl)) - - def test_014_string_complex(self): - """Level declaration string rendering with complex category set""" - decl = self.mock_decl_factory("s0", ["c0", "c1", "c2", "c3", "c5", "c7", "c8", "c9"]) - self.assertEqual("s0:c0.c3,c5,c7.c9", str(decl)) - - def test_020_statement(self): - """Level declaration basic statement rendering.""" - decl = self.mock_decl_factory("s0") - self.assertEqual("level s0;", decl.statement()) - - def test_021_statement_single_cat(self): - """Level declaration statement rendering with one category""" - decl = self.mock_decl_factory("s0", ["c0"]) - self.assertEqual("level s0:c0;", decl.statement()) - - def test_022_statement_multiple_cat(self): - """Level declaration statement rendering with multiple categories""" - decl = self.mock_decl_factory("s0", ["c0", "c3"]) - self.assertEqual("level s0:c0,c3;", decl.statement()) - - def test_012_string_cat_set(self): - """Level declaration statement rendering with category set""" - decl = self.mock_decl_factory("s0", ["c0", "c1", "c2", "c3"]) - self.assertEqual("level s0:c0.c3;", decl.statement()) - - def test_013_statement_complex(self): - """Level declaration statement rendering with complex category set""" - decl = self.mock_decl_factory("s0", ["c0", "c1", "c2", "c3", "c5", "c7", "c8", "c9"]) - self.assertEqual("level s0:c0.c3,c5,c7.c9;", decl.statement()) - - def test_030_equal(self): - """Level declaration equal.""" - decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - decl2 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - self.assertEqual(decl1, decl2) - - def test_031_equal_str(self): - """Level declaration equal to string.""" - decl = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - self.assertEqual("s17:c0.c3", decl) - - def test_032_not_equal(self): - """Level declaration not equal.""" - decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - decl2 = self.mock_decl_factory("s23") - self.assertNotEqual(decl1, decl2) - - def test_033_not_equal_str(self): - """Level declaration not equal to string.""" - decl = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - self.assertNotEqual("s0:c0.c2", decl) - - def test_034_lt(self): - """Level declaration less-than.""" - # less - decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"]) - self.assertTrue(decl1 < decl2) - - # equal - decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - decl2 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - self.assertFalse(decl1 < decl2) - - # greater - decl1 = self.mock_decl_factory("s24") - decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"]) - self.assertFalse(decl1 < decl2) - - def test_035_le(self): - """Level declaration less-than-or-equal.""" - # less - decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"]) - self.assertTrue(decl1 <= decl2) + sens1 = compiled_policy.lookup_sensitivity("s17") + sens2 = compiled_policy.lookup_sensitivity("s0") + assert sens1 > sens2 - # equal - decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - decl2 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - self.assertTrue(decl1 <= decl2) - # greater - decl1 = self.mock_decl_factory("s24") - decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"]) - self.assertFalse(decl1 <= decl2) +@pytest.mark.obj_args("tests/library/policyrep/mls.conf") +class TestCategory: - def test_036_ge(self): - """Level declaration greater-than-or-equal.""" - # less - decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"]) - self.assertFalse(decl1 >= decl2) - - # equal - decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - decl2 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - self.assertTrue(decl1 >= decl2) + def test_string(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Category basic string rendering.""" + cat = compiled_policy.lookup_category("c0") + assert "c0" == str(cat), f"{cat}" - # greater - decl1 = self.mock_decl_factory("s24") - decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"]) - self.assertTrue(decl1 >= decl2) + def test_statement(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Category basic statement rendering.""" + cat = compiled_policy.lookup_category("c2") + assert "category c2;" == cat.statement(), cat.statement() - def test_037_gt(self): - """Level declaration greater-than.""" - # less - decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"]) - self.assertFalse(decl1 > decl2) - # equal - decl1 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - decl2 = self.mock_decl_factory("s17", ["c0", "c1", "c2", "c3"]) - self.assertFalse(decl1 > decl2) +@pytest.mark.obj_args("tests/library/policyrep/mls.conf") +class TestLevel: - # greater - decl1 = self.mock_decl_factory("s24") - decl2 = self.mock_decl_factory("s23", ["c7", "c8", "c9"]) - self.assertTrue(decl1 > decl2) - - -@unittest.skip("Needs to be reworked for cython") -class LevelTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/mls.conf") - - def mock_level_factory(self, sens, cats=[]): - """Factory function Level objects, using a mock qpol object.""" - mock_level = Mock(qpol.qpol_mls_level_t) - mock_level.sens_name.return_value = sens - mock_level.cat_iter = lambda x: iter(cats) - - return level_factory(self.p.policy, mock_level) - - def test_000_mls_disabled(self): - """Level factory on MLS-disabled policy.""" - mock_p = Mock(qpol.qpol_policy_t) - mock_p.capability.return_value = False - self.assertRaises(MLSDisabled, level_factory, mock_p, None) - - def test_001_lookup_no_cats(self): - """Level lookup with no categories.""" - levelobj = level_factory(self.p.policy, "s2") - self.assertEqual("s2", levelobj.qpol_symbol.sens_name(self.p.policy)) - self.assertEqual(str(levelobj), "s2") - - def test_002_lookup_cat_range(self): - """Level lookup with category range.""" - levelobj = level_factory(self.p.policy, "s1:c0.c13") - self.assertEqual(str(levelobj), "s1:c0.c13") - - def test_003_lookup_complex_cats(self): - """Level lookup with complex category set.""" - levelobj = level_factory(self.p.policy, "s2:c0.c5,c7,c9.c11,c13") - self.assertEqual(str(levelobj), "s2:c0.c5,c7,c9.c11,c13") - - def test_004_lookup_bad1(self): - """Level lookup with garbage.""" - self.assertRaises(InvalidLevel, level_factory, self.p.policy, "FAIL") - - def test_005_lookup_bad2(self): - """Level lookup with : in garbage.""" - self.assertRaises(InvalidLevel, level_factory, self.p.policy, "FAIL:BAD") - - def test_006_lookup_bad_cat(self): - """Level lookup with invalid category.""" - self.assertRaises(InvalidLevel, level_factory, self.p.policy, "s0:FAIL") - - def test_007_lookup_bad_cat_range(self): - """Level lookup with backwards category range.""" - self.assertRaises(InvalidLevel, level_factory, self.p.policy, "s0:c4.c0") - - def test_008_lookup_cat_range_error(self): - """Level lookup with category range parse error.""" - self.assertRaises(InvalidLevel, level_factory, self.p.policy, "s0:c0.c2.c4") - - def test_009_lookup_cat_not_assoc(self): - """Level lookup with category not associated with sensitivity.""" - # c4 is not associated with s0. - self.assertRaises(InvalidLevel, level_factory, self.p.policy, "s0:c0,c4") - - def test_00a_lookup_object(self): - """Level factory policy lookup of Level object.""" - level1 = level_factory(self.p.policy, "s0") - level2 = level_factory(self.p.policy, level1) - self.assertIs(level2, level1) - - def test_010_equal(self): + def test_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Level equal.""" - level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"]) - self.assertEqual(level1, level2) + level1 = compiled_policy.lookup_level("s0:c0.c3") + level2 = compiled_policy.lookup_level("s0:c0.c3") + assert level1 == level2 - def test_011_equal_str(self): + def test_equal_str(self, compiled_policy: setools.SELinuxPolicy) -> None: """Level equal to string.""" - level = self.mock_level_factory("s2", ["c0", "c1", "c2", "c3"]) - self.assertEqual("s2:c0.c3", level) + level = compiled_policy.lookup_level("s2:c0.c3") + assert "s2:c0.c3" == level, f"{level}" - def test_012_not_equal(self): + def test_not_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Level not equal.""" - level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s0") - self.assertNotEqual(level1, level2) + level1 = compiled_policy.lookup_level("s0:c0.c3") + level2 = compiled_policy.lookup_level("s0") + assert level1 != level2, f"{level1} ||| {level2}" - def test_013_not_equal_str(self): + def test_not_equal_str(self, compiled_policy: setools.SELinuxPolicy) -> None: """Level not equal to string.""" - level = self.mock_level_factory("s0", ["c0", "c2"]) - self.assertNotEqual("s0:c0.c2", level) + level = compiled_policy.lookup_level("s0:c0.c3") + assert "s0:c0.c2" != level, f"{level}" - def test_014_dom(self): + def test_dom(self, compiled_policy: setools.SELinuxPolicy) -> None: """Level dominate (ge).""" # equal - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertTrue(level1 >= level2) + level1 = compiled_policy.lookup_level("s1:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert level1 >= level2 # sens dominate - level1 = self.mock_level_factory("s2", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertTrue(level1 >= level2) + level1 = compiled_policy.lookup_level("s2:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert level1 >= level2 # cat set dominate - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3", "c4"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertTrue(level1 >= level2) + level1 = compiled_policy.lookup_level("s1:c0.c4") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert level1 >= level2 # sens domby - level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 >= level2) + level1 = compiled_policy.lookup_level("s0:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 >= level2) # cat set domby - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 >= level2) + level1 = compiled_policy.lookup_level("s1:c0.c2") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 >= level2) # incomp - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"]) - level2 = self.mock_level_factory("s1", ["c7", "c8", "c9"]) - self.assertFalse(level1 >= level2) + level1 = compiled_policy.lookup_level("s1:c0.c3") + level2 = compiled_policy.lookup_level("s1:c4.c7") + assert not (level1 >= level2) - def test_015_domby(self): + def test_domby(self, compiled_policy: setools.SELinuxPolicy) -> None: """Level dominate-by (le).""" # equal - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertTrue(level1 <= level2) + level1 = compiled_policy.lookup_level("s1:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert level1 <= level2 # sens dominate - level1 = self.mock_level_factory("s2", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 <= level2) + level1 = compiled_policy.lookup_level("s2:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 <= level2) # cat set dominate - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3", "c4"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 <= level2) + level1 = compiled_policy.lookup_level("s1:c0.c4") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 <= level2) # sens domby - level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertTrue(level1 <= level2) + level1 = compiled_policy.lookup_level("s0:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert level1 <= level2 # cat set domby - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertTrue(level1 <= level2) + level1 = compiled_policy.lookup_level("s1:c0.c2") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert level1 <= level2 # incomp - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"]) - level2 = self.mock_level_factory("s1", ["c7", "c8", "c9"]) - self.assertFalse(level1 <= level2) + level1 = compiled_policy.lookup_level("s1:c0.c2") + level2 = compiled_policy.lookup_level("s1:c7.c9") + assert not (level1 <= level2) - def test_016_proper_dom(self): + def test_proper_dom(self, compiled_policy: setools.SELinuxPolicy) -> None: """Level proper dominate (gt).""" # equal - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 > level2) + level1 = compiled_policy.lookup_level("s1:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 > level2) # sens dominate - level1 = self.mock_level_factory("s2", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertTrue(level1 > level2) + level1 = compiled_policy.lookup_level("s2:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert level1 > level2 # cat set dominate - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3", "c4"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertTrue(level1 > level2) + level1 = compiled_policy.lookup_level("s1:c0.c4") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert level1 > level2 # sens domby - level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 > level2) + level1 = compiled_policy.lookup_level("s0:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 > level2) # cat set domby - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 > level2) + level1 = compiled_policy.lookup_level("s1:c0.c2") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 > level2) # incomp - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"]) - level2 = self.mock_level_factory("s1", ["c7", "c8", "c9"]) - self.assertFalse(level1 > level2) + level1 = compiled_policy.lookup_level("s1:c0.c2") + level2 = compiled_policy.lookup_level("s1:c7.c9") + assert not (level1 > level2) - def test_017_proper_domby(self): + def test_proper_domby(self, compiled_policy: setools.SELinuxPolicy) -> None: """Level proper dominate-by (lt).""" # equal - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 < level2) + level1 = compiled_policy.lookup_level("s1:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 < level2) # sens dominate - level1 = self.mock_level_factory("s2", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 < level2) + level1 = compiled_policy.lookup_level("s2:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 < level2) # cat set dominate - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3", "c4"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 < level2) + level1 = compiled_policy.lookup_level("s1:c0.c4") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 < level2) # sens domby - level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertTrue(level1 < level2) + level1 = compiled_policy.lookup_level("s0:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert level1 < level2 # cat set domby - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertTrue(level1 < level2) + level1 = compiled_policy.lookup_level("s1:c0.c2") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert level1 < level2 # incomp - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"]) - level2 = self.mock_level_factory("s1", ["c7", "c8", "c9"]) - self.assertFalse(level1 < level2) + level1 = compiled_policy.lookup_level("s1:c0.c2") + level2 = compiled_policy.lookup_level("s1:c7.c9") + assert not (level1 < level2) - def test_018_incomp(self): + def test_incomp(self, compiled_policy: setools.SELinuxPolicy) -> None: """Level incomparable (xor).""" # equal - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 ^ level2) + level1 = compiled_policy.lookup_level("s1:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 ^ level2) # sens dominate - level1 = self.mock_level_factory("s2", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 ^ level2) + level1 = compiled_policy.lookup_level("s2:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 ^ level2) # cat set dominate - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3", "c4"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 ^ level2) + level1 = compiled_policy.lookup_level("s1:c0.c4") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 ^ level2) # sens domby - level1 = self.mock_level_factory("s0", ["c0", "c1", "c2", "c3"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 ^ level2) + level1 = compiled_policy.lookup_level("s0:c0.c3") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 ^ level2) # cat set domby - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"]) - level2 = self.mock_level_factory("s1", ["c0", "c1", "c2", "c3"]) - self.assertFalse(level1 ^ level2) + level1 = compiled_policy.lookup_level("s1:c0.c2") + level2 = compiled_policy.lookup_level("s1:c0.c3") + assert not (level1 ^ level2) # incomp - level1 = self.mock_level_factory("s1", ["c0", "c1", "c2"]) - level2 = self.mock_level_factory("s1", ["c7", "c8", "c9"]) - self.assertTrue(level1 ^ level2) + level1 = compiled_policy.lookup_level("s1:c0.c2") + level2 = compiled_policy.lookup_level("s1:c7.c9") + assert level1 ^ level2 - def test_020_level_statement(self): + def test_level_statement(self, compiled_policy: setools.SELinuxPolicy) -> None: """Level has no statement.""" - level = self.mock_level_factory("s1") - with self.assertRaises(NoStatement): + level = compiled_policy.lookup_level("s1") + with pytest.raises(setools.exception.NoStatement): level.statement() -@unittest.skip("Needs to be reworked for cython") -class RangeTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = SELinuxPolicy("tests/policyrep/mls.conf") - - def test_000_mls_disabled(self): - """Range factory on MLS-disabled policy.""" - mock_p = Mock(qpol.qpol_policy_t) - mock_p.capability.return_value = False - self.assertRaises(MLSDisabled, range_factory, mock_p, None) - - def test_001_range_lookup_single_level(self): - """Range lookup with single-level range.""" - rangeobj = range_factory(self.p.policy, "s0") - self.assertEqual(str(rangeobj), "s0") - - def test_002_range_lookup_single_level_redundant(self): - """Range lookup with single-level range (same range listed twice).""" - rangeobj = range_factory(self.p.policy, "s1-s1") - self.assertEqual(str(rangeobj), "s1") - - def test_003_range_lookup_simple(self): - """Range lookup with simple range.""" - rangeobj = range_factory(self.p.policy, "s0-s1:c0.c10") - self.assertEqual(str(rangeobj), "s0 - s1:c0.c10") - - def test_004_range_lookup_no_cats(self): - """Range lookup with no categories.""" - rangeobj = range_factory(self.p.policy, "s0-s1") - self.assertEqual(str(rangeobj), "s0 - s1") - - def test_005_range_lookup_complex(self): - """Range lookup with complex category set.""" - rangeobj = range_factory(self.p.policy, "s0:c0.c2-s2:c0.c5,c7,c9.c11,c13") - self.assertEqual(str(rangeobj), "s0:c0.c2 - s2:c0.c5,c7,c9.c11,c13") - - def test_006_range_lookup_non_dom(self): - """Range lookup with non-dominating high level.""" - self.assertRaises(InvalidRange, range_factory, self.p.policy, "s1-s0") - - def test_007_range_lookup_invalid_range_low(self): - """Range lookup with an invalid range (low).""" - # c13 is not associated with s0. - self.assertRaises(InvalidRange, range_factory, self.p.policy, "s0:c13-s2:c13") - - def test_008_range_lookup_invalid_range_high(self): - """Range lookup with an invalid range (high).""" - # c13 is not associated with s0. - self.assertRaises(InvalidRange, range_factory, self.p.policy, "s0-s0:c13") - - def test_009_lookup_object(self): - """Range factory policy lookup of Range object.""" - range1 = range_factory(self.p.policy, "s0") - range2 = range_factory(self.p.policy, range1) - self.assertIs(range2, range1) - - def test_020_equal(self): +@pytest.mark.obj_args("tests/library/policyrep/mls.conf") +class TestRange: + + def test_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Range equality.""" - rangeobj1 = range_factory(self.p.policy, "s0:c0.c2-s2:c0.c5,c7,c9.c11,c13") - rangeobj2 = range_factory(self.p.policy, "s0:c0.c2-s2:c0.c5,c7,c9.c11,c13") - self.assertEqual(rangeobj1, rangeobj2) + rangeobj1 = compiled_policy.lookup_range("s0:c0.c2-s2:c0.c5,c7,c9.c11,c13") + rangeobj2 = compiled_policy.lookup_range("s0:c0.c2-s2:c0.c5,c7,c9.c11,c13") + assert rangeobj1 == rangeobj2 - def test_021_equal(self): + def test_equal_string(self, compiled_policy: setools.SELinuxPolicy) -> None: """Range equal to string.""" - rangeobj = range_factory(self.p.policy, "s0:c0.c2-s2:c0.c5,c7,c9.c11,c13") - self.assertEqual("s0:c0.c2-s2:c0.c5,c7,c9.c11,c13", rangeobj) - self.assertEqual("s0:c0.c2- s2:c0.c5,c7,c9.c11,c13", rangeobj) - self.assertEqual("s0:c0.c2 -s2:c0.c5,c7,c9.c11,c13", rangeobj) - self.assertEqual("s0:c0.c2 - s2:c0.c5,c7,c9.c11,c13", rangeobj) + rangeobj = compiled_policy.lookup_range("s0:c0.c2-s2:c0.c5,c7,c9.c11,c13") + assert "s0:c0.c2-s2:c0.c5,c7,c9.c11,c13" == rangeobj + assert "s0:c0.c2- s2:c0.c5,c7,c9.c11,c13" == rangeobj + assert "s0:c0.c2 -s2:c0.c5,c7,c9.c11,c13" == rangeobj + assert "s0:c0.c2 - s2:c0.c5,c7,c9.c11,c13" == rangeobj - def test_022_contains(self): + def test_contains(self, compiled_policy: setools.SELinuxPolicy) -> None: """Range contains a level.""" - rangeobj = range_factory(self.p.policy, "s0:c1-s2:c0.c10") + rangeobj = compiled_policy.lookup_range("s0:c1-s2:c0.c10") # too low - level1 = level_factory(self.p.policy, "s0") - self.assertNotIn(level1, rangeobj) + level1 = compiled_policy.lookup_level("s0") + assert not (level1 in rangeobj) # low level - level2 = level_factory(self.p.policy, "s0:c1") - self.assertIn(level2, rangeobj) + level2 = compiled_policy.lookup_level("s0:c1") + assert level2 in rangeobj # mid - level3 = level_factory(self.p.policy, "s1:c1,c5") - self.assertIn(level3, rangeobj) + level3 = compiled_policy.lookup_level("s1:c1,c5") + assert level3 in rangeobj # high level - level4 = level_factory(self.p.policy, "s2:c0.c10") - self.assertIn(level4, rangeobj) + level4 = compiled_policy.lookup_level("s2:c0.c10") + assert level4 in rangeobj # too high - level5 = level_factory(self.p.policy, "s2:c0.c11") - self.assertNotIn(level5, rangeobj) + level5 = compiled_policy.lookup_level("s2:c0.c11") + assert not (level5 in rangeobj) - def test_030_range_statement(self): + def test_range_statement(self, compiled_policy: setools.SELinuxPolicy) -> None: """Range has no statement.""" - rangeobj = range_factory(self.p.policy, "s0") - with self.assertRaises(NoStatement): + rangeobj = compiled_policy.lookup_range("s0") + with pytest.raises(setools.exception.NoStatement): rangeobj.statement() From 67e979ce4f77edc9ed3657762242d8c5b2c7ced9 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mon, 15 Apr 2024 16:26:39 -0400 Subject: [PATCH 25/71] seinfo: Fix incorrect target platform check. Incorrectly checks if policy is Xen. Signed-off-by: Chris PeBenito --- seinfo | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/seinfo b/seinfo index 31a78a09..80d308ce 100755 --- a/seinfo +++ b/seinfo @@ -308,7 +308,7 @@ try: components.append(("Validatetrans", vtq, lambda x: x.statement())) - if p.target_platform == "xen": + if p.target_platform == setools.PolicyTarget.xen: if args.ioportconquery or args.all: xiopq = setools.IoportconQuery(p) components.append(("Ioportcon", xiopq, lambda x: x.statement())) From 5f5a4cf24ae4986b542ed85e7efc998dccd1d6fc Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 16 Apr 2024 09:26:04 -0400 Subject: [PATCH 26/71] Drop PolicySymbolTest. Signed-off-by: Chris PeBenito --- tests/library/policyrep/test_symbol.py | 79 -------------------------- 1 file changed, 79 deletions(-) delete mode 100644 tests/library/policyrep/test_symbol.py diff --git a/tests/library/policyrep/test_symbol.py b/tests/library/policyrep/test_symbol.py deleted file mode 100644 index 86c765b0..00000000 --- a/tests/library/policyrep/test_symbol.py +++ /dev/null @@ -1,79 +0,0 @@ -# Copyright 2015, Tresys Technology, LLC -# -# SPDX-License-Identifier: GPL-2.0-only -# -# Until this is fixed for cython: -# pylint: disable=undefined-variable -import copy -import unittest -from unittest.mock import Mock, patch - -from setools import SELinuxPolicy - - -@unittest.skip("Needs to be reworked for cython") -class PolicySymbolTest(unittest.TestCase): - - """Tests for base symbol class methods.""" - - def mock_symbol_factory(self, name): - """Factory function for Role objects, using a mock qpol object.""" - mock_role = Mock(qpol.qpol_role_t) - mock_role.name.return_value = name - mock_role.this = name - - mock_policy = Mock(qpol.qpol_policy_t) - return PolicySymbol(mock_policy, mock_role) - - def test_001_string(self): - """Symbol: string representation""" - sym = self.mock_symbol_factory("test1") - self.assertEqual("test1", str(sym)) - - def test_010_hash(self): - """Symbol: hash""" - sym = self.mock_symbol_factory("test10") - self.assertEqual(hash("test10"), hash(sym)) - - def test_020_eq(self): - """Symbol: equality""" - sym1 = self.mock_symbol_factory("test20") - sym2 = self.mock_symbol_factory("test20") - self.assertEqual(sym1, sym2) - - def test_021_eq(self): - """Symbol: equality with string""" - sym = self.mock_symbol_factory("test21") - self.assertEqual("test21", sym) - - def test_030_ne(self): - """Symbol: inequality""" - sym1 = self.mock_symbol_factory("test30a") - sym2 = self.mock_symbol_factory("test30b") - self.assertNotEqual(sym1, sym2) - - def test_031_ne(self): - """Symbol: inequality with string""" - sym = self.mock_symbol_factory("test31a") - self.assertNotEqual("test31b", sym) - - def test_040_lt(self): - """Symbol: less-than""" - sym1 = self.mock_symbol_factory("test40a") - sym2 = self.mock_symbol_factory("test40b") - self.assertTrue(sym1 < sym2) - - sym1 = self.mock_symbol_factory("test40") - sym2 = self.mock_symbol_factory("test40") - self.assertFalse(sym1 < sym2) - - sym1 = self.mock_symbol_factory("test40b") - sym2 = self.mock_symbol_factory("test40a") - self.assertFalse(sym1 < sym2) - - def test_050_deepcopy(self): - """Symbol: deep copy""" - sym1 = self.mock_symbol_factory("test50") - sym2 = copy.deepcopy(sym1) - self.assertIs(sym1.policy, sym2.policy) - self.assertIs(sym1.qpol_symbol, sym2.qpol_symbol) From 97bd259e4d10d5bb7528ff04f1fc4767446c7385 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 16 Apr 2024 11:37:28 -0400 Subject: [PATCH 27/71] TestDefault: Update tests to pytest fixtures and Cython implementation. Signed-off-by: Chris PeBenito --- tests/library/policyrep/default.conf | 126 ++++++++++++++ tests/library/policyrep/test_default.py | 215 +++++------------------- 2 files changed, 169 insertions(+), 172 deletions(-) create mode 100644 tests/library/policyrep/default.conf diff --git a/tests/library/policyrep/default.conf b/tests/library/policyrep/default.conf new file mode 100644 index 00000000..a9dee03e --- /dev/null +++ b/tests/library/policyrep/default.conf @@ -0,0 +1,126 @@ +class infoflow +class infoflow2 +class infoflow3 +class infoflow4 +class infoflow7 +class infoflow8 +class infoflow10 + +sid kernel +sid security + +common infoflow +{ + low_w + low_r +} + +class infoflow +inherits infoflow + +class infoflow2 +inherits infoflow +{ + super_w + super_r +} + +class infoflow3 +{ + null +} + +class infoflow4 +inherits infoflow +{ + super_w + super_r + super_none + super_both + super_unmapped +} + +class infoflow7 +inherits infoflow +{ + unmapped +} + +class infoflow8 +{ + super_w + super_r +} + +class infoflow10 +{ + read + write +} + +default_user infoflow target; + +default_role infoflow2 source; + +default_type infoflow3 target; + +default_range infoflow4 source high; + +default_user infoflow10 source; +default_role infoflow10 source; +default_type infoflow10 source; +default_range infoflow10 source low; + +sensitivity low_s; +sensitivity medium_s alias med; +sensitivity high_s; + +dominance { low_s med high_s } + +category here; +category there; +category elsewhere alias lost; + +#level decl +level low_s:here.there; +level med:here, elsewhere; +level high_s:here.lost; + +#some constraints +mlsconstrain infoflow low_r ((l1 dom l2) or (t1 == mls_exempt)); + +attribute mls_exempt; + +type system; +role system; +role system types system; + +allow system self:infoflow3 null; + +#users +user system roles system level med range low_s - high_s:here.lost; + +#normal constraints +constrain infoflow low_w (u1 == u2); + +#isids +sid kernel system:system:system:medium_s:here +sid security system:system:system:high_s:lost + +#fs_use +fs_use_trans devpts system:object_r:system:low_s; +fs_use_xattr ext3 system:object_r:system:low_s; +fs_use_task pipefs system:object_r:system:low_s; + +#genfscon +genfscon proc / system:object_r:system:med +genfscon proc /sys system:object_r:system:low_s +genfscon selinuxfs / system:object_r:system:high_s:here.there + +portcon tcp 80 system:object_r:system:low_s + +netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s + +nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here +nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here + diff --git a/tests/library/policyrep/test_default.py b/tests/library/policyrep/test_default.py index cc67e870..f74113aa 100644 --- a/tests/library/policyrep/test_default.py +++ b/tests/library/policyrep/test_default.py @@ -2,184 +2,55 @@ # # SPDX-License-Identifier: GPL-2.0-only # -# Until this is fixed for cython: -# pylint: disable=undefined-variable -import unittest -from unittest.mock import Mock, patch +from collections import defaultdict -from setools.exception import InvalidDefaultType, InvalidDefaultValue, \ - InvalidDefaultRange, NoDefaults +import pytest +import setools -@unittest.skip("Needs to be reworked for cython") -@patch('setools.policyrep.objclass.class_factory', lambda x, y: y) -class DefaultTest(unittest.TestCase): +@pytest.mark.obj_args("tests/library/policyrep/default.conf") +class TestDefault: - @staticmethod - def mock_default(objclass=None, user=None, role=None, type_=None, range_=None): - d = Mock(qpol_default_object_t) - d.object_class.return_value = objclass - d.user_default.return_value = user - d.role_default.return_value = role - d.type_default.return_value = type_ - d.range_default.return_value = range_ - return d + @pytest.fixture(autouse=True) + def _load_defaults(self, compiled_policy: setools.SELinuxPolicy) -> None: + self.defaults = defaultdict[str, list[setools.Default]](list) + for d in compiled_policy.defaults(): + self.defaults[d.tclass.name].append(d) - def setUp(self): - self.p = Mock(qpol_policy_t) - - def test_001_factory_user(self): - """Default: factory on qpol object with user default.""" - q = self.mock_default("test1", "source") - defaults = list(default_factory(self.p, q)) - self.assertEqual(1, len(defaults)) - - d = defaults[0] - self.assertEqual(DefaultRuletype.default_user, d.ruletype) - self.assertEqual("test1", d.tclass) - self.assertEqual(DefaultValue.source, d.default) - - def test_002_factory_role(self): - """Default: factory on qpol object with role default.""" - q = self.mock_default("test2", role="target") - defaults = list(default_factory(self.p, q)) - self.assertEqual(1, len(defaults)) - - d = defaults[0] - self.assertEqual(DefaultRuletype.default_role, d.ruletype) - self.assertEqual("test2", d.tclass) - self.assertEqual(DefaultValue.target, d.default) - - def test_003_factory_type(self): - """Default: factory on qpol object with type default.""" - q = self.mock_default("test3", type_="source") - defaults = list(default_factory(self.p, q)) - self.assertEqual(1, len(defaults)) - - d = defaults[0] - self.assertEqual(DefaultRuletype.default_type, d.ruletype) - self.assertEqual("test3", d.tclass) - self.assertEqual(DefaultValue.source, d.default) - - def test_004_factory_range(self): - """Default: factory on qpol object with range default.""" - q = self.mock_default("test4", range_="target low_high") - defaults = list(default_factory(self.p, q)) - self.assertEqual(1, len(defaults)) - - d = defaults[0] - self.assertEqual(DefaultRuletype.default_range, d.ruletype) - self.assertEqual("test4", d.tclass) - self.assertEqual(DefaultValue.target, d.default) - self.assertEqual(DefaultRangeValue.low_high, d.default_range) - - def test_005_factory_multiple(self): - """Default: factory on qpol object with mulitple defaults.""" - q = self.mock_default("test5", "source", "target", "source", "target low") - defaults = sorted(default_factory(self.p, q)) - self.assertEqual(4, len(defaults)) - - d = defaults[0] - self.assertEqual(DefaultRuletype.default_range, d.ruletype) - self.assertEqual("test5", d.tclass) - - d = defaults[1] - self.assertEqual(DefaultRuletype.default_role, d.ruletype) - self.assertEqual("test5", d.tclass) - - d = defaults[2] - self.assertEqual(DefaultRuletype.default_type, d.ruletype) - self.assertEqual("test5", d.tclass) - - d = defaults[3] - self.assertEqual(DefaultRuletype.default_user, d.ruletype) - self.assertEqual("test5", d.tclass) - - def test_010_user(self): + def test_user(self) -> None: """Default: default_user methods/attributes.""" - q = self.mock_default("test10", "target") - defaults = list(default_factory(self.p, q)) - self.assertEqual(1, len(defaults)) - - d = defaults[0] - self.assertEqual(DefaultRuletype.default_user, d.ruletype) - self.assertEqual("test10", d.tclass) - self.assertEqual(DefaultValue.target, d.default) - self.assertEqual("default_user test10 target;", str(d)) - self.assertEqual(str(d), d.statement()) - - def test_011_role(self): + d = self.defaults["infoflow"].pop() + assert setools.DefaultRuletype.default_user == d.ruletype + assert "infoflow" == d.tclass + assert setools.DefaultValue.target == d.default + assert "default_user infoflow target;" == str(d) + assert str(d) == d.statement() + + def test_role(self) -> None: """Default: default_role methods/attributes.""" - q = self.mock_default("test11", role="source") - defaults = list(default_factory(self.p, q)) - self.assertEqual(1, len(defaults)) - - d = defaults[0] - self.assertEqual(DefaultRuletype.default_role, d.ruletype) - self.assertEqual("test11", d.tclass) - self.assertEqual(DefaultValue.source, d.default) - self.assertEqual("default_role test11 source;", str(d)) - self.assertEqual(str(d), d.statement()) - - def test_012_type(self): + d = self.defaults["infoflow2"].pop() + assert setools.DefaultRuletype.default_role, d.ruletype + assert "infoflow2" == d.tclass + assert setools.DefaultValue.source, d.default + assert "default_role infoflow2 source;" == str(d) + assert str(d) == d.statement() + + def test_type(self) -> None: """Default: default_type methods/attributes.""" - q = self.mock_default("test12", type_="target") - defaults = list(default_factory(self.p, q)) - self.assertEqual(1, len(defaults)) - - d = defaults[0] - self.assertEqual(DefaultRuletype.default_type, d.ruletype) - self.assertEqual("test12", d.tclass) - self.assertEqual(DefaultValue.target, d.default) - self.assertEqual("default_type test12 target;", str(d)) - self.assertEqual(str(d), d.statement()) - - def test_013_range(self): + d = self.defaults["infoflow3"].pop() + assert setools.DefaultRuletype.default_type, d.ruletype + assert "infoflow3" == d.tclass + assert setools.DefaultValue.target, d.default + assert "default_type infoflow3 target;" == str(d) + assert str(d) == d.statement() + + def test_range(self) -> None: """Default: default_range methods/attributes.""" - q = self.mock_default("test13", range_="source high") - defaults = list(default_factory(self.p, q)) - self.assertEqual(1, len(defaults)) - - d = defaults[0] - self.assertEqual(DefaultRuletype.default_range, d.ruletype) - self.assertEqual("test13", d.tclass) - self.assertEqual(DefaultValue.source, d.default) - self.assertEqual(DefaultRangeValue.high, d.default_range) - self.assertEqual("default_range test13 source high;", str(d)) - self.assertEqual(str(d), d.statement()) - - @unittest.skip("Default ruletype changed to an enumeration.") - def test_020_validate_ruletype(self): - """Default: validate rule type.""" - for r in ["default_user", "default_role", "default_type", "default_range"]: - self.assertEqual(r, validate_ruletype(r)) - - @unittest.skip("Default ruletype changed to an enumeration.") - def test_021_validate_ruletype_invalid(self): - """Default: invalid ruletype""" - with self.assertRaises(InvalidDefaultType): - validate_ruletype("INVALID") - - @unittest.skip("Default value changed to an enumeration.") - def test_030_validate_default(self): - """Default: validate default value.""" - for d in ["source", "target"]: - self.assertEqual(d, validate_default_value(d)) - - @unittest.skip("Default value changed to an enumeration.") - def test_031_validate_default_invalid(self): - """Default query: invalid default value""" - with self.assertRaises(InvalidDefaultValue): - validate_default_value("INVALID") - - @unittest.skip("Default range value changed to an enumeration.") - def test_040_validate_default_range(self): - """Default: validate default range.""" - for r in ["low", "high", "low_high"]: - self.assertEqual(r, validate_default_range(r)) - - @unittest.skip("Default range value changed to an enumeration.") - def test_041_validate_default_range_invalid(self): - """Default query: invalid default range""" - with self.assertRaises(InvalidDefaultRange): - validate_default_range("INVALID") + d = self.defaults["infoflow4"].pop() + assert isinstance(d, setools.DefaultRange) + assert setools.DefaultRuletype.default_range, d.ruletype + assert "infoflow4" == d.tclass + assert setools.DefaultValue.source, d.default + assert setools.DefaultRangeValue.high == d.default_range + assert "default_range infoflow4 source high;" == str(d) + assert str(d) == d.statement() From 957411650924b1749e8c06933e2a3a8f9d7cd03c Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 16 Apr 2024 16:18:21 -0400 Subject: [PATCH 28/71] TestAssertRBAC: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/checker/test_assertrbac.py | 353 +++++++++++------------ 1 file changed, 172 insertions(+), 181 deletions(-) diff --git a/tests/library/checker/test_assertrbac.py b/tests/library/checker/test_assertrbac.py index 90aaf071..53540d19 100644 --- a/tests/library/checker/test_assertrbac.py +++ b/tests/library/checker/test_assertrbac.py @@ -1,250 +1,241 @@ # Copyright 2020, Microsoft Corporation # Copyright 2020, Chris PeBenito # -# This file is part of SETools. +# SPDX-License-Identifier: GPL-2.0-only # -# SETools is free software: you can redistribute it and/or modify -# it under the terms of the GNU Lesser General Public License as -# published by the Free Software Foundation, either version 2.1 of -# the License, or (at your option) any later version. -# -# SETools is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with SETools. If not, see -# . -# - import os -import unittest - -from ..policyrep.util import compile_policy -from setools import RBACRuletype -from setools.checker.assertrbac import AssertRBAC -from setools.exception import InvalidCheckValue, InvalidCheckOption +import pytest +import setools -class AssertRBACTest(unittest.TestCase): +@pytest.mark.obj_args("tests/library/checker/assertrbac.conf") +class TestAssertRBAC: - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/checker/assertrbac.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_unconfigured(self): + def test_unconfigured(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test unconfigured.""" - with self.assertRaises(InvalidCheckValue): - config = {} - check = AssertRBAC(self.p, "test_unconfigured", config) + with pytest.raises(setools.exception.InvalidCheckValue): + config: dict[str, str] = {} + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_unconfigured", config) - def test_invalid_option(self): + def test_invalid_option(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test invalid option""" - with self.assertRaises(InvalidCheckOption): + with pytest.raises(setools.exception.InvalidCheckOption): config = {"INVALID": "option"} - check = AssertRBAC(self.p, "test_invalid_option", config) + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_invalid_option", config) - def test_source(self): + def test_source(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test source setting.""" - - with self.subTest("Success"): - config = {"source": "src"} - check = AssertRBAC(self.p, "test_source", config) - - expected = self.p.lookup_role("src") - self.assertEqual(expected, check.source) - - with self.subTest("Failure"): - with self.assertRaises(InvalidCheckValue): - config = {"source": "FAIL"} - check = AssertRBAC(self.p, "test_source_fail", config) - - def test_target(self): + config = {"source": "src"} + check = setools.checker.assertrbac.AssertRBAC(compiled_policy, "test_source", config) + expected = compiled_policy.lookup_role("src") + assert expected == check.source + + def test_source_error(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Test source bad setting.""" + with pytest.raises(setools.exception.InvalidCheckValue): + config = {"source": "FAIL"} + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_source_fail", config) + + def test_target(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test target setting.""" - - with self.subTest("Success"): - config = {"target": "tgt"} - check = AssertRBAC(self.p, "test_target", config) - - expected = self.p.lookup_role("tgt") - self.assertEqual(expected, check.target) - - with self.subTest("Failure"): - with self.assertRaises(InvalidCheckValue): - config = {"target": "FAIL2"} - check = AssertRBAC(self.p, "test_target_fail", config) - - def test_exempt_source(self): + config = {"target": "tgt"} + check = setools.checker.assertrbac.AssertRBAC(compiled_policy, "test_target", config) + expected = compiled_policy.lookup_role("tgt") + assert expected == check.target + + def test_target_error(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Test target bad setting.""" + with pytest.raises(setools.exception.InvalidCheckValue): + config = {"target": "FAIL2"} + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_target_fail", config) + + def test_exempt_source(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test exempt_source setting.""" - with self.subTest("Success"): - config = {"source": "system", - "exempt_source": " exempt_src1 exempt_src2 "} - check = AssertRBAC(self.p, "test_exempt_source", config) - - # exempt_src2 is an attr - expected = set((self.p.lookup_role("exempt_src1"), - self.p.lookup_role("exempt_src2"))) - self.assertIsInstance(check.exempt_source, frozenset) - self.assertSetEqual(expected, check.exempt_source) - - with self.subTest("Success, missing role ignored"): - """Test exempt_source missing role is ignroed.""" - config = {"source": "system", - "exempt_source": "FAIL exempt_src2"} - check = AssertRBAC(self.p, "test_source_missing_ignored", config) - - # exempt_src2 is an attr - expected = set((self.p.lookup_role("exempt_src2"),)) - self.assertIsInstance(check.exempt_source, frozenset) - self.assertSetEqual(expected, check.exempt_source) - - def test_exempt_target(self): + config = {"source": "system", + "exempt_source": " exempt_src1 exempt_src2 "} + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_exempt_source", config) + + # exempt_src2 is an attr + expected = set((compiled_policy.lookup_role("exempt_src1"), + compiled_policy.lookup_role("exempt_src2"))) + assert expected == check.exempt_source + + def test_exempt_source_missing(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Test exempt_source missing role is ignroed.""" + config = {"source": "system", + "exempt_source": "FAIL exempt_src2"} + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_source_missing_ignored", config) + + # exempt_src2 is an attr + expected = set((compiled_policy.lookup_role("exempt_src2"),)) + assert expected == check.exempt_source + + def test_exempt_target(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test exempt_target setting.""" - with self.subTest("Success"): - config = {"target": "system", - "exempt_target": " exempt_tgt1 exempt_tgt2 "} - check = AssertRBAC(self.p, "test_exempt_target", config) - - # exempt_tgt2 is an attr - expected = set((self.p.lookup_role("exempt_tgt1"), - self.p.lookup_role("exempt_tgt2"))) - self.assertIsInstance(check.exempt_target, frozenset) - self.assertSetEqual(expected, check.exempt_target) - - with self.subTest("Success, missing role ignored"): - config = {"target": "system", - "exempt_target": "FAIL exempt_tgt2"} - check = AssertRBAC(self.p, "test_target_missing_ignored", config) - - # exempt_tgt2 is an attr - expected = set((self.p.lookup_role("exempt_tgt2"),)) - self.assertIsInstance(check.exempt_target, frozenset) - self.assertSetEqual(expected, check.exempt_target) - - def test_expect_source(self): + config = {"target": "system", + "exempt_target": " exempt_tgt1 exempt_tgt2 "} + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_exempt_target", config) + + # exempt_tgt2 is an attr + expected = set((compiled_policy.lookup_role("exempt_tgt1"), + compiled_policy.lookup_role("exempt_tgt2"))) + assert expected == check.exempt_target + + def test_exempt_target_missing(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Success, missing role ignored""" + config = {"target": "system", + "exempt_target": "FAIL exempt_tgt2"} + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_target_missing_ignored", config) + + # exempt_tgt2 is an attr + expected = set((compiled_policy.lookup_role("exempt_tgt2"),)) + assert expected == check.exempt_target + + def test_expect_source(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test expect_source setting.""" - with self.subTest("Success"): + config = {"target": "tgt", + "expect_source": " exempt_src1 exempt_src2 "} + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_expect_source", config) + + # exempt_src2 is an attr + expected = set((compiled_policy.lookup_role("exempt_src1"), + compiled_policy.lookup_role("exempt_src2"))) + assert expected == check.expect_source + + def test_expect_source_error(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Test bad expect_source setting.""" + with pytest.raises(setools.exception.InvalidCheckValue): config = {"target": "tgt", - "expect_source": " exempt_src1 exempt_src2 "} - check = AssertRBAC(self.p, "test_expect_source", config) - - # exempt_src2 is an attr - expected = set((self.p.lookup_role("exempt_src1"), - self.p.lookup_role("exempt_src2"))) - self.assertIsInstance(check.expect_source, frozenset) - self.assertSetEqual(expected, check.expect_source) - - with self.subTest("Failure"): - with self.assertRaises(InvalidCheckValue): - config = {"target": "tgt", - "expect_source": " source1 INVALID "} - check = AssertRBAC(self.p, "test_expect_source_fail", config) - - def test_expect_target(self): + "expect_source": " source1 INVALID "} + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_expect_source_fail", config) + + def test_expect_target(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test expect_target setting.""" - with self.subTest("Success"): + config = {"source": "src", + "expect_target": " exempt_tgt1 exempt_tgt2 "} + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_expect_target", config) + + # exempt_tgt2 is an attr + expected = set((compiled_policy.lookup_role("exempt_tgt1"), + compiled_policy.lookup_role("exempt_tgt2"))) + assert expected == check.expect_target + + def test_expect_target_error(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Test bad expect_target setting.""" + with pytest.raises(setools.exception.InvalidCheckValue): config = {"source": "src", - "expect_target": " exempt_tgt1 exempt_tgt2 "} - check = AssertRBAC(self.p, "test_expect_target", config) - - # exempt_tgt2 is an attr - expected = set((self.p.lookup_role("exempt_tgt1"), - self.p.lookup_role("exempt_tgt2"))) - self.assertIsInstance(check.expect_target, frozenset) - self.assertSetEqual(expected, check.expect_target) - - with self.subTest("Failure"): - with self.assertRaises(InvalidCheckValue): - config = {"source": "src", - "expect_target": " target1 INVALID "} - check = AssertRBAC(self.p, "test_expect_target_fail", config) - - def test_check_passes(self): + "expect_target": " target1 INVALID "} + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_expect_target_fail", config) + + def test_check_passes(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, no matches""" config = {"source": "src", "target": "tgt"} - check = AssertRBAC(self.p, "test_check_passes", config) - self.assertFalse(check.run()) + check = setools.checker.assertrbac.AssertRBAC(compiled_policy, "test_check_passes", config) + assert not check.run() - def test_check_passes_exempt_source_role(self): + def test_check_passes_exempt_source_role(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, exempt_source_role""" config = {"target": "target1", "exempt_source": "source1"} - check = AssertRBAC(self.p, "test_check_passes_exempt_source_role", config) - self.assertFalse(check.run()) + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_check_passes_exempt_source_role", config) + assert not check.run() - def test_check_passes_exempt_target_role(self): + def test_check_passes_exempt_target_role(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, exempt_target_role""" config = {"target": "target2", "exempt_source": "source2"} - check = AssertRBAC(self.p, "test_check_passes_exempt_target_role", config) - self.assertFalse(check.run()) + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_check_passes_exempt_target_role", config) + assert not check.run() - def test_check_passes_expect_source(self): + def test_check_passes_expect_source(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, expect_source""" config = {"target": "target3", "expect_source": "source3a source3b"} - check = AssertRBAC(self.p, "test_check_passes_expect_source", config) - self.assertFalse(check.run()) + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_check_passes_expect_source", config) + assert not check.run() - def test_check_passes_expect_target(self): + def test_check_passes_expect_target(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, expect_target""" config = {"source": "source4", "expect_target": "target4a target4b"} - check = AssertRBAC(self.p, "test_check_passes_expect_target", config) - self.assertFalse(check.run()) + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_check_passes_expect_target", config) + assert not check.run() - def test_check_passes_expect_exempt_source(self): + def test_check_passes_expect_exempt_source(self, + compiled_policy: setools.SELinuxPolicy) -> None: """"Test the check passes with both expected and exempted sources.""" config = {"target": "target5", "expect_source": "source5a", "exempt_source": "source5b"} - check = AssertRBAC(self.p, "test_check_passes_expect_exempt_source", config) - self.assertFalse(check.run()) + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_check_passes_expect_exempt_source", config) + assert not check.run() - def test_check_passes_expect_exempt_target(self): + def test_check_passes_expect_exempt_target(self, + compiled_policy: setools.SELinuxPolicy) -> None: """"Test the check passes with both expected and exempted targets.""" config = {"source": "source6", "expect_target": "target6a", "exempt_target": "target6b"} - check = AssertRBAC(self.p, "test_check_passes_expect_exempt_target", config) - self.assertFalse(check.run()) + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_check_passes_expect_exempt_target", config) + assert not check.run() - def test_check_fails(self): + def test_check_fails(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check fails""" - with open("/dev/null", "w") as fd: + with open(os.devnull, "w", encoding="utf-8") as fd: config = {"source": "source7", "expect_target": "target7a", "exempt_target": "target7b"} - check = AssertRBAC(self.p, "test_check_passes_exempt_target_attr", config) + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_check_passes_exempt_target_attr", config) check.output = fd result = check.run() - self.assertEqual(1, len(result), msg=result) + assert 1 == len(result) rule = result[0] - self.assertEqual(RBACRuletype.allow, rule.ruletype) - self.assertEqual("source7", rule.source) - self.assertEqual("target7c", rule.target) + assert isinstance(rule, setools.RoleAllow) + assert setools.RBACRuletype.allow == rule.ruletype + assert "source7" == rule.source + assert "target7c" == rule.target - def test_check_fails_expect_source(self): + def test_check_fails_expect_source(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check fails, expect_source""" config = {"target": "target8", "expect_source": "source8"} - check = AssertRBAC(self.p, "test_check_fails_expect_source", config) + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_check_fails_expect_source", config) result = check.run() - self.assertEqual(1, len(result), msg=result) - self.assertIn("source8", result[0]) + assert 1 == len(result) + msg = result.pop() + assert isinstance(msg, str) + assert "source8" in msg - def test_check_fails_expect_target(self): + def test_check_fails_expect_target(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check fails, expect_target""" config = {"source": "source9", "expect_target": "target9"} - check = AssertRBAC(self.p, "test_check_fails_expect_target", config) + check = setools.checker.assertrbac.AssertRBAC( + compiled_policy, "test_check_fails_expect_target", config) result = check.run() - self.assertEqual(1, len(result), msg=result) - self.assertIn("target9", result[0]) + assert 1 == len(result) + msg = result.pop() + assert isinstance(msg, str) + assert "target9" in msg From 82b1a71de98fec0027339004866f8b19e705e8db Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 16 Apr 2024 16:18:39 -0400 Subject: [PATCH 29/71] TestAssertTE: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/checker/test_assertte.py | 351 ++++++++++++------------- 1 file changed, 174 insertions(+), 177 deletions(-) diff --git a/tests/library/checker/test_assertte.py b/tests/library/checker/test_assertte.py index 4d97b7e6..bd23a8e1 100644 --- a/tests/library/checker/test_assertte.py +++ b/tests/library/checker/test_assertte.py @@ -1,330 +1,327 @@ # Copyright 2020, Microsoft Corporation # Copyright 2020, Chris PeBenito # -# This file is part of SETools. -# -# SETools is free software: you can redistribute it and/or modify -# it under the terms of the GNU Lesser General Public License as -# published by the Free Software Foundation, either version 2.1 of -# the License, or (at your option) any later version. -# -# SETools is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with SETools. If not, see -# . +# SPDX-License-Identifier: GPL-2.0-only # import os -import logging -import unittest - -from .. import mixins -from ..policyrep.util import compile_policy -from setools import TERuletype -from setools.checker.assertte import AssertTE -from setools.exception import InvalidCheckValue, InvalidCheckOption +import pytest +import setools -class AssertTETest(mixins.ValidateRule, unittest.TestCase): +@pytest.mark.obj_args("tests/library/checker/assertte.conf") +class TestAssertTE: - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/checker/assertte.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_unconfigured(self): + def test_unconfigured(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test unconfigured.""" - with self.assertRaises(InvalidCheckValue): - config = {} - check = AssertTE(self.p, "test_unconfigured", config) + with pytest.raises(setools.exception.InvalidCheckValue): + config = dict[str, str]() + check = setools.checker.assertte.AssertTE(compiled_policy, "test_unconfigured", config) - def test_invalid_option(self): + def test_invalid_option(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test invalid option""" - with self.assertRaises(InvalidCheckOption): + with pytest.raises(setools.exception.InvalidCheckOption): config = {"INVALID": "option"} - check = AssertTE(self.p, "test_invalid_option", config) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_invalid_option", config) - def test_source(self): + def test_source(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test source setting.""" config = {"source": "src"} - check = AssertTE(self.p, "test_source", config) + check = setools.checker.assertte.AssertTE(compiled_policy, "test_source", config) - expected = self.p.lookup_type("src") - self.assertEqual(expected, check.source) + expected = compiled_policy.lookup_type("src") + assert expected == check.source - def test_source_fail(self): + def test_source_fail(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test source setting failure.""" - with self.assertRaises(InvalidCheckValue): + with pytest.raises(setools.exception.InvalidCheckValue): config = {"source": "FAIL"} - check = AssertTE(self.p, "test_source_fail", config) + check = setools.checker.assertte.AssertTE(compiled_policy, "test_source_fail", config) - def test_target(self): + def test_target(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test target setting.""" config = {"target": "tgt"} - check = AssertTE(self.p, "test_target", config) + check = setools.checker.assertte.AssertTE(compiled_policy, "test_target", config) - expected = self.p.lookup_type("tgt") - self.assertEqual(expected, check.target) + expected = compiled_policy.lookup_type("tgt") + assert expected == check.target - def test_target_fail(self): + def test_target_fail(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test target setting failure.""" - with self.assertRaises(InvalidCheckValue): + with pytest.raises(setools.exception.InvalidCheckValue): config = {"target": "FAIL2"} - check = AssertTE(self.p, "test_target_fail", config) + check = setools.checker.assertte.AssertTE(compiled_policy, "test_target_fail", config) - def test_exempt_source(self): + def test_exempt_source(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test exempt_source setting.""" config = {"source": "system", "exempt_source": " exempt_src1 exempt_src2 "} - check = AssertTE(self.p, "test_exempt_source", config) + check = setools.checker.assertte.AssertTE(compiled_policy, "test_exempt_source", config) # exempt_src2 is an attr - expected = set((self.p.lookup_type("exempt_src1"), - self.p.lookup_type("exempt_source_type"))) - self.assertIsInstance(check.exempt_source, frozenset) - self.assertSetEqual(expected, check.exempt_source) + expected = set((compiled_policy.lookup_type("exempt_src1"), + compiled_policy.lookup_type("exempt_source_type"))) + assert expected == check.exempt_source - def test_source_missing_ignored(self): + def test_source_missing_ignored(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test exempt_source missing type is ignroed.""" config = {"source": "system", "exempt_source": "FAIL exempt_src2"} - check = AssertTE(self.p, "test_source_missing_ignored", config) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_source_missing_ignored", config) # exempt_src2 is an attr - expected = set((self.p.lookup_type("exempt_source_type"),)) - self.assertIsInstance(check.exempt_source, frozenset) - self.assertSetEqual(expected, check.exempt_source) + expected = set((compiled_policy.lookup_type("exempt_source_type"),)) + assert expected == check.exempt_source - def test_exempt_target(self): + def test_exempt_target(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test exempt_target setting.""" config = {"target": "system", "exempt_target": " exempt_tgt1 exempt_tgt2 "} - check = AssertTE(self.p, "test_exempt_target", config) + check = setools.checker.assertte.AssertTE(compiled_policy, "test_exempt_target", config) # exempt_tgt2 is an attr - expected = set((self.p.lookup_type("exempt_tgt1"), - self.p.lookup_type("exempt_target_type"))) - self.assertIsInstance(check.exempt_target, frozenset) - self.assertSetEqual(expected, check.exempt_target) + expected = set((compiled_policy.lookup_type("exempt_tgt1"), + compiled_policy.lookup_type("exempt_target_type"))) + assert expected == check.exempt_target - def test_target_missing_ignored(self): + def test_target_missing_ignored(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test exempt_target missing type is ignroed.""" config = {"target": "system", "exempt_target": "FAIL exempt_tgt2"} - check = AssertTE(self.p, "test_target_missing_ignored", config) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_target_missing_ignored", config) # exempt_tgt2 is an attr - expected = set((self.p.lookup_type("exempt_target_type"),)) - self.assertIsInstance(check.exempt_target, frozenset) - self.assertSetEqual(expected, check.exempt_target) + expected = set((compiled_policy.lookup_type("exempt_target_type"),)) + assert expected == check.exempt_target - def test_expect_source(self): + def test_expect_source(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test expect_source setting.""" - with self.subTest("Success"): + config = {"tclass": "infoflow3", + "expect_source": " exempt_src1 exempt_src2 "} + check = setools.checker.assertte.AssertTE(compiled_policy, "test_expect_source", config) + + # exempt_src2 is an attr + expected = set((compiled_policy.lookup_type("exempt_src1"), + compiled_policy.lookup_type("exempt_source_type"))) + assert expected == check.expect_source + + def test_expect_source_error(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Test bad expect_source setting.""" + with pytest.raises(setools.exception.InvalidCheckValue): config = {"tclass": "infoflow3", - "expect_source": " exempt_src1 exempt_src2 "} - check = AssertTE(self.p, "test_expect_source", config) - - # exempt_src2 is an attr - expected = set((self.p.lookup_type("exempt_src1"), - self.p.lookup_type("exempt_source_type"))) - self.assertIsInstance(check.expect_source, frozenset) - self.assertSetEqual(expected, check.expect_source) - - with self.subTest("Failure"): - with self.assertRaises(InvalidCheckValue): - config = {"tclass": "infoflow3", - "expect_source": " source1 INVALID "} - check = AssertTE(self.p, "test_expect_source_fail", config) - - def test_expect_target(self): + "expect_source": " source1 INVALID "} + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_expect_source_fail", config) + + def test_expect_target(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test expect_target setting.""" - with self.subTest("Success"): + config = {"tclass": "infoflow3", + "expect_target": " exempt_tgt1 exempt_tgt2 "} + check = setools.checker.assertte.AssertTE(compiled_policy, "test_expect_target", config) + + # exempt_tgt2 is an attr + expected = set((compiled_policy.lookup_type("exempt_tgt1"), + compiled_policy.lookup_type("exempt_target_type"))) + assert expected == check.expect_target + + def test_expect_target_error(self, compiled_policy: setools.SELinuxPolicy) -> None: + """Test bad expect_target setting.""" + with pytest.raises(setools.exception.InvalidCheckValue): config = {"tclass": "infoflow3", - "expect_target": " exempt_tgt1 exempt_tgt2 "} - check = AssertTE(self.p, "test_expect_target", config) - - # exempt_tgt2 is an attr - expected = set((self.p.lookup_type("exempt_tgt1"), - self.p.lookup_type("exempt_target_type"))) - self.assertIsInstance(check.expect_target, frozenset) - self.assertSetEqual(expected, check.expect_target) - - with self.subTest("Failure"): - with self.assertRaises(InvalidCheckValue): - config = {"tclass": "infoflow3", - "expect_target": " target1 INVALID "} - check = AssertTE(self.p, "test_expect_target_fail", config) - - def test_tclass(self): + "expect_target": " target1 INVALID "} + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_expect_target_fail", config) + + def test_tclass(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test tclass setting.""" config = {"tclass": "infoflow3 infoflow2"} - check = AssertTE(self.p, "test_tclass", config) + check = setools.checker.assertte.AssertTE(compiled_policy, "test_tclass", config) - expected = set((self.p.lookup_class("infoflow3"), - self.p.lookup_class("infoflow2"))) - self.assertEqual(expected, check.tclass) + expected = set((compiled_policy.lookup_class("infoflow3"), + compiled_policy.lookup_class("infoflow2"))) + assert expected == check.tclass - def test_tclass_fail(self): + def test_tclass_fail(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test tclass setting failure.""" - with self.assertRaises(InvalidCheckValue): + with pytest.raises(setools.exception.InvalidCheckValue): config = {"tclass": "FAIL_class"} - check = AssertTE(self.p, "test_tclass_fail", config) + check = setools.checker.assertte.AssertTE(compiled_policy, "test_tclass_fail", config) - def test_perms(self): + def test_perms(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test perms setting.""" config = {"perms": " hi_w super_r "} - check = AssertTE(self.p, "test_perms", config) + check = setools.checker.assertte.AssertTE(compiled_policy, "test_perms", config) expected = set(("hi_w", "super_r")) - self.assertEqual(expected, check.perms) + assert expected == check.perms - def test_perms_fail(self): + def test_perms_fail(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test perms setting failure.""" - with self.assertRaises(InvalidCheckValue): + with pytest.raises(setools.exception.InvalidCheckValue): config = {"perms": "FAIL_perms"} - check = AssertTE(self.p, "test_perms_fail", config) + check = setools.checker.assertte.AssertTE(compiled_policy, "test_perms_fail", config) - def test_check_passes(self): + def test_check_passes(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, no matches""" config = {"perms": "null"} - check = AssertTE(self.p, "test_check_passes", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE(compiled_policy, "test_check_passes", config) + assert not check.run() - def test_check_passes_empty_source(self): + def test_check_passes_empty_source(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, empty source attribute""" config = {"tclass": "infoflow7", "perms": "super_w"} - check = AssertTE(self.p, "test_check_passes_empty_source", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_empty_source", config) + assert not check.run() - def test_check_passes_empty_target(self): + def test_check_passes_empty_target(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, empty target attribute""" config = {"tclass": "infoflow7", "perms": "super_r"} - check = AssertTE(self.p, "test_check_passes_empty_target", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_empty_target", config) + assert not check.run() - def test_check_passes_exempt_source_type(self): + def test_check_passes_exempt_source_type(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, exempt_source_type""" config = {"tclass": "infoflow6", "perms": "hi_w", "exempt_source": "source1"} - check = AssertTE(self.p, "test_check_passes_exempt_source_type", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_exempt_source_type", config) + assert not check.run() - def test_check_passes_exempt_source_attr(self): + def test_check_passes_exempt_source_attr(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, exempt_source_attr""" config = {"tclass": "infoflow6", "perms": "hi_r", "exempt_source": "all_sources"} - check = AssertTE(self.p, "test_check_passes_exempt_source_attr", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_exempt_source_attr", config) + assert not check.run() - def test_check_passes_exempt_target_type(self): + def test_check_passes_exempt_target_type(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, exempt_target_type""" config = {"tclass": "infoflow5", "perms": "low_w", "exempt_source": "source1"} - check = AssertTE(self.p, "test_check_passes_exempt_target_type", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_exempt_target_type", config) + assert not check.run() - def test_check_passes_exempt_target_attr(self): + def test_check_passes_exempt_target_attr(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, exempt_target_attr""" config = {"tclass": "infoflow5", "perms": "low_r", "exempt_target": "all_targets"} - check = AssertTE(self.p, "test_check_passes_exempt_target_attr", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_exempt_target_attr", config) + assert not check.run() - def test_check_passes_expect_source(self): + def test_check_passes_expect_source(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, expect_source""" config = {"tclass": "infoflow6", "perms": "hi_r", "expect_source": "source1 source2"} - check = AssertTE(self.p, "test_check_passes_expect_source", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_expect_source", config) + assert not check.run() - def test_check_passes_expect_source_attr(self): + def test_check_passes_expect_source_attr(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, expect_source with attribute""" config = {"tclass": "infoflow4", "perms": "med_w", "expect_source": "all_sources"} - check = AssertTE(self.p, "test_check_passes_expect_source_attr", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_expect_source_attr", config) + assert not check.run() - def test_check_passes_expect_target(self): + def test_check_passes_expect_target(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, expect_target""" config = {"tclass": "infoflow6", "perms": "hi_r", "expect_target": "target1 target2"} - check = AssertTE(self.p, "test_check_passes_expect_target", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_expect_target", config) + assert not check.run() - def test_check_passes_expect_target_attr(self): + def test_check_passes_expect_target_attr(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check passes, expect_target with attribute""" config = {"tclass": "infoflow4", "perms": "med_w", "expect_target": "all_targets"} - check = AssertTE(self.p, "test_check_passes_expect_target_attr", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_expect_target_attr", config) + assert not check.run() - def test_check_passes_expect_exempt_source(self): + def test_check_passes_expect_exempt_source(self, + compiled_policy: setools.SELinuxPolicy) -> None: """"Test the check passes with both expected and exempted sources.""" config = {"tclass": "infoflow5", "perms": "low_r", "expect_source": "source1", "exempt_source": "source2"} - check = AssertTE(self.p, "test_check_passes_expect_exempt_source", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_expect_exempt_source", config) + assert not check.run() - def test_check_passes_expect_exempt_target(self): + def test_check_passes_expect_exempt_target(self, + compiled_policy: setools.SELinuxPolicy) -> None: """"Test the check passes with both expected and exempted targets.""" config = {"tclass": "infoflow5", "perms": "low_r", "expect_source": "source1", "exempt_source": "source2"} - check = AssertTE(self.p, "test_check_passes_expect_exempt_target", config) - self.assertFalse(check.run()) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_expect_exempt_target", config) + assert not check.run() - def test_check_fails(self): + def test_check_fails(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check fails""" - with open("/dev/null", "w") as fd: + with open(os.devnull, "w", encoding="utf-8") as fd: config = {"tclass": "infoflow4", "perms": "med_w", "exempt_source": "source1", "exempt_target": "target2"} - check = AssertTE(self.p, "test_check_passes_exempt_target_attr", config) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_passes_exempt_target_attr", config) check.output = fd result = check.run() - self.assertEqual(1, len(result), msg=result) - self.validate_rule(result[0], TERuletype.allow, "source3", "target3", "infoflow4", - set(["med_w"])) - - def test_check_fails_expect_source(self): + assert 1 == len(result) + rule = result.pop() + assert isinstance(rule, setools.AVRule) + assert rule.ruletype == setools.TERuletype.allow + assert rule.source == "source3" + assert rule.target == "target3" + assert rule.tclass == "infoflow4" + assert rule.perms == set(["med_w"]) + + def test_check_fails_expect_source(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check fails, expect_source""" config = {"tclass": "infoflow7", "perms": "super_w", "expect_source": "source1"} - check = AssertTE(self.p, "test_check_fails_expect_source", config) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_fails_expect_source", config) result = check.run() - self.assertEqual(1, len(result), msg=result) - self.assertIn("source1", result[0]) + assert 1 == len(result) + msg = result.pop() + assert isinstance(msg, str) + assert "source1" in msg - def test_check_fails_expect_target(self): + def test_check_fails_expect_target(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test the check fails, expect_target""" config = {"tclass": "infoflow7", "perms": "super_r", "expect_target": "target2"} - check = AssertTE(self.p, "test_check_fails_expect_target", config) + check = setools.checker.assertte.AssertTE( + compiled_policy, "test_check_fails_expect_target", config) result = check.run() - self.assertEqual(1, len(result), msg=result) - self.assertIn("target2", result[0]) + msg = result.pop() + assert isinstance(msg, str) + assert "target2" in msg From 382dcecb4d39de0db7116f02e3f814b9156cf6b8 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 16 Apr 2024 16:18:51 -0400 Subject: [PATCH 30/71] TestPolicyChecker: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/checker/test_checker.py | 92 +++++++++++---------------- 1 file changed, 36 insertions(+), 56 deletions(-) diff --git a/tests/library/checker/test_checker.py b/tests/library/checker/test_checker.py index 19b81e84..5aa6bb2e 100644 --- a/tests/library/checker/test_checker.py +++ b/tests/library/checker/test_checker.py @@ -1,72 +1,51 @@ # Copyright 2020, Microsoft Corporation # -# This file is part of SETools. +# SPDX-License-Identifier: GPL-2.0-only # -# SETools is free software: you can redistribute it and/or modify -# it under the terms of the GNU Lesser General Public License as -# published by the Free Software Foundation, either version 2.1 of -# the License, or (at your option) any later version. -# -# SETools is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with SETools. If not, see -# . -# - import os -import unittest from unittest.mock import Mock -from ..policyrep.util import compile_policy - -from setools.checker import PolicyChecker -from setools.exception import InvalidCheckerConfig, InvalidCheckerModule, InvalidCheckOption, \ - InvalidCheckValue - - -class PolicyCheckerTest(unittest.TestCase): +import pytest +import setools - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/checker/checker.conf") - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) +@pytest.mark.obj_args("tests/library/checker/checker.conf") +class TestPolicyChecker: - def test_config_empty(self): + def test_config_empty(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test empty config file""" - with self.assertRaises(InvalidCheckerConfig): - PolicyChecker(self.p, "/dev/null") + with pytest.raises(setools.exception.InvalidCheckerConfig): + setools.checker.PolicyChecker(compiled_policy, os.devnull) - def test_config_check_missing_type(self): + def test_config_check_missing_type(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test check missing check type""" - with self.assertRaises(InvalidCheckerModule): - PolicyChecker(self.p, "tests/library/checker/checker-missingtype.ini") + with pytest.raises(setools.exception.InvalidCheckerModule): + setools.checker.PolicyChecker(compiled_policy, + "tests/library/checker/checker-missingtype.ini") - def test_config_check_invalid_type(self): + def test_config_check_invalid_type(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test check invalid check type""" - with self.assertRaises(InvalidCheckerModule): - PolicyChecker(self.p, "tests/library/checker/checker-invalidtype.ini") + with pytest.raises(setools.exception.InvalidCheckerModule): + setools.checker.PolicyChecker(compiled_policy, + "tests/library/checker/checker-invalidtype.ini") - def test_config_check_invalid_option(self): + def test_config_check_invalid_option(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test check invalid check option""" - with self.assertRaises(InvalidCheckOption): - PolicyChecker(self.p, "tests/library/checker/checker-invalidoption.ini") + with pytest.raises(setools.exception.InvalidCheckOption): + setools.checker.PolicyChecker(compiled_policy, + "tests/library/checker/checker-invalidoption.ini") - def test_config_check_invalid_value(self): + def test_config_check_invalid_value(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test check invalid check type""" - with self.assertRaises(InvalidCheckValue): - PolicyChecker(self.p, "tests/library/checker/checker-invalidvalue.ini") + with pytest.raises(setools.exception.InvalidCheckValue): + setools.checker.PolicyChecker(compiled_policy, + "tests/library/checker/checker-invalidvalue.ini") - def test_run_pass(self): + def test_run_pass(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test run with passing config.""" - with open(os.devnull, "w") as fd: - checker = PolicyChecker(self.p, "tests/library/checker/checker-valid.ini") + with open(os.devnull, "w", encoding="utf-8") as fd: + checker = setools.checker.PolicyChecker(compiled_policy, + "tests/library/checker/checker-valid.ini") # create additional disabled mock test newcheck = Mock() @@ -76,15 +55,16 @@ def test_run_pass(self): newcheck.run.return_value = [] checker.checks.append(newcheck) - self.assertEqual(4, len(checker.checks)) + assert 4 == len(checker.checks) result = checker.run(output=fd) - self.assertEqual(0, result) + assert 0 == result newcheck.run.assert_not_called() - def test_run_fail(self): + def test_run_fail(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test run with failing config.""" - with open(os.devnull, "w") as fd: - checker = PolicyChecker(self.p, "tests/library/checker/checker-valid.ini") + with open(os.devnull, "w", encoding="utf-8") as fd: + checker = setools.checker.PolicyChecker(compiled_policy, + "tests/library/checker/checker-valid.ini") # create additional failing mock test newcheck = Mock() @@ -94,8 +74,8 @@ def test_run_fail(self): newcheck.run.return_value = list(range(13)) checker.checks.append(newcheck) - self.assertEqual(4, len(checker.checks)) + assert 4 == len(checker.checks) result = checker.run(output=fd) newcheck.run.assert_called() - self.assertEqual(13, result) + assert 13 == result From 393fe43af514f3ab420cc4ec59a8058cd67bc20c Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 16 Apr 2024 16:19:11 -0400 Subject: [PATCH 31/71] TestEmptyTypeAttr: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/checker/test_emptyattr.py | 118 ++++++++++-------------- 1 file changed, 51 insertions(+), 67 deletions(-) diff --git a/tests/library/checker/test_emptyattr.py b/tests/library/checker/test_emptyattr.py index 320cba82..ed081d17 100644 --- a/tests/library/checker/test_emptyattr.py +++ b/tests/library/checker/test_emptyattr.py @@ -1,118 +1,102 @@ # Copyright 2020, Microsoft Corporation # -# This file is part of SETools. +# SPDX-License-Identifier: GPL-2.0-only # -# SETools is free software: you can redistribute it and/or modify -# it under the terms of the GNU Lesser General Public License as -# published by the Free Software Foundation, either version 2.1 of -# the License, or (at your option) any later version. -# -# SETools is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with SETools. If not, see -# . -# - import os -import unittest - -from ..policyrep.util import compile_policy - -from setools.checker.emptyattr import EmptyTypeAttr -from setools.exception import InvalidCheckOption, InvalidCheckValue - -class EmptyTypeAttrTest(unittest.TestCase): +import pytest +import setools - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/checker/emptyattr.conf") - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) +@pytest.mark.obj_args("tests/library/checker/emptyattr.conf") +class TestEmptyTypeAttr: - def test_invalid_option(self): + def test_invalid_option(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test invalid option""" - with self.assertRaises(InvalidCheckOption): + with pytest.raises(setools.exception.InvalidCheckOption): config = {"INVALID": "option"} - check = EmptyTypeAttr(self.p, "test_invalid_option", config) + check = setools.checker.emptyattr.EmptyTypeAttr( + compiled_policy, "test_invalid_option", config) - def test_attr_setting(self): + def test_attr_setting(self, compiled_policy: setools.SELinuxPolicy) -> None: """EmptyTypeAttr test attr setting.""" config = {"attr": "test1"} - check = EmptyTypeAttr(self.p, "test_attr_setting", config) + check = setools.checker.emptyattr.EmptyTypeAttr( + compiled_policy, "test_attr_setting", config) - expected = self.p.lookup_typeattr("test1") - self.assertEqual(expected, check.attr) + expected = compiled_policy.lookup_typeattr("test1") + assert expected == check.attr - def test_attr_setting_fail(self): + def test_attr_setting_fail(self, compiled_policy: setools.SELinuxPolicy) -> None: """EmptyTypeAttr test attr setting with invalid attr.""" - with self.assertRaises(InvalidCheckValue): + with pytest.raises(setools.exception.InvalidCheckValue): config = {"attr": "FAILATTR"} - check = EmptyTypeAttr(self.p, "test_attr_setting_fail", config) + check = setools.checker.emptyattr.EmptyTypeAttr( + compiled_policy, "test_attr_setting_fail", config) - def test_attr_setting_missing(self): + def test_attr_setting_missing(self, compiled_policy: setools.SELinuxPolicy) -> None: """EmptyTypeAttr test attr setting missing.""" - with self.assertRaises(InvalidCheckValue): - config = {} - check = EmptyTypeAttr(self.p, "test_attr_setting_missing", config) + with pytest.raises(setools.exception.InvalidCheckValue): + config = dict[str, str]() + check = setools.checker.emptyattr.EmptyTypeAttr( + compiled_policy, "test_attr_setting_missing", config) - def test_missingok_setting(self): + def test_missingok_setting(self, compiled_policy: setools.SELinuxPolicy) -> None: """EmptyTypeAttr test missing_ok setting.""" config = {"attr": "test1", "missing_ok": "true"} - check = EmptyTypeAttr(self.p, "test_missingok_setting", config) - self.assertTrue(check.missing_ok) + check = setools.checker.emptyattr.EmptyTypeAttr( + compiled_policy, "test_missingok_setting", config) + assert check.missing_ok config = {"attr": "test1", "missing_ok": " YeS "} - check = EmptyTypeAttr(self.p, "test_missingok_setting", config) - self.assertTrue(check.missing_ok) + check = setools.checker.emptyattr.EmptyTypeAttr( + compiled_policy, "test_missingok_setting", config) + assert check.missing_ok config = {"attr": "test1", "missing_ok": " 1 "} - check = EmptyTypeAttr(self.p, "test_missingok_setting", config) - self.assertTrue(check.missing_ok) + check = setools.checker.emptyattr.EmptyTypeAttr( + compiled_policy, "test_missingok_setting", config) + assert check.missing_ok config = {"attr": "test1", "missing_ok": " No "} - check = EmptyTypeAttr(self.p, "test_missingok_setting", config) - self.assertFalse(check.missing_ok) + check = setools.checker.emptyattr.EmptyTypeAttr( + compiled_policy, "test_missingok_setting", config) + assert not check.missing_ok - def test_pass(self): + def test_pass(self, compiled_policy: setools.SELinuxPolicy) -> None: """EmptyTypeAttr test pass.""" - with open("/dev/null", "w") as fd: + with open(os.devnull, "w", encoding="utf-8") as fd: config = {"attr": "test1"} - check = EmptyTypeAttr(self.p, "test_pass", config) + check = setools.checker.emptyattr.EmptyTypeAttr(compiled_policy, "test_pass", config) check.output = fd result = check.run() - self.assertEqual(0, len(result)) + assert 0 == len(result) - def test_pass_missingok(self): + def test_pass_missingok(self, compiled_policy: setools.SELinuxPolicy) -> None: """EmptyTypeAttr test pass by missing.""" - with open("/dev/null", "w") as fd: + with open(os.devnull, "w", encoding="utf-8") as fd: config = {"attr": "test2", "missing_ok": "true"} - check = EmptyTypeAttr(self.p, "test_pass_missingok", config) + check = setools.checker.emptyattr.EmptyTypeAttr( + compiled_policy, "test_pass_missingok", config) check.output = fd result = check.run() - self.assertEqual(0, len(result)) + assert 0 == len(result) - def test_fail(self): + def test_fail(self, compiled_policy: setools.SELinuxPolicy) -> None: """EmptyTypeAttr test fail.""" - with open("/dev/null", "w") as fd: + with open(os.devnull, "w", encoding="utf-8") as fd: # also verify missing_ok doesn't induce a pass # when the attr exists config = {"attr": "test3", "missing_ok": "true"} - check = EmptyTypeAttr(self.p, "test_fail", config) + check = setools.checker.emptyattr.EmptyTypeAttr(compiled_policy, "test_fail", config) check.output = fd result = check.run() - expected = [self.p.lookup_type("test3_hit1"), - self.p.lookup_type("test3_hit2")] - self.assertListEqual(expected, result) + expected = [compiled_policy.lookup_type("test3_hit1"), + compiled_policy.lookup_type("test3_hit2")] + assert expected == result From 7b94ed8637958fada9ff7883acbbc7035e4bd964 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 16 Apr 2024 16:19:29 -0400 Subject: [PATCH 32/71] TestReadOnlyExecutables: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/checker/test_roexec.py | 103 +++++++++++---------------- 1 file changed, 43 insertions(+), 60 deletions(-) diff --git a/tests/library/checker/test_roexec.py b/tests/library/checker/test_roexec.py index d948110b..6a44f47a 100644 --- a/tests/library/checker/test_roexec.py +++ b/tests/library/checker/test_roexec.py @@ -1,116 +1,99 @@ # Copyright 2020, Microsoft Corporation # -# This file is part of SETools. +# SPDX-License-Identifier: GPL-2.0-only # -# SETools is free software: you can redistribute it and/or modify -# it under the terms of the GNU Lesser General Public License as -# published by the Free Software Foundation, either version 2.1 of -# the License, or (at your option) any later version. -# -# SETools is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with SETools. If not, see -# . -# - import os -import unittest - -from ..policyrep.util import compile_policy - -from setools.checker.roexec import ReadOnlyExecutables -from setools.exception import InvalidCheckOption, InvalidCheckValue - -class ReadOnlyExecutablesTest(unittest.TestCase): +import pytest +import setools - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/checker/roexec.conf") - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) +@pytest.mark.obj_args("tests/library/checker/roexec.conf") +class TestReadOnlyExecutables: - def test_invalid_option(self): + def test_invalid_option(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test invalid option""" - with self.assertRaises(InvalidCheckOption): + with pytest.raises(setools.exception.InvalidCheckOption): config = {"INVALID": "option"} - check = ReadOnlyExecutables(self.p, "test_invalid_option", config) + check = setools.checker.roexec.ReadOnlyExecutables( + compiled_policy, "test_invalid_option", config) - def test_all_exec(self): + def test_all_exec(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test all executables are returned for no-option test..""" - config = {} - check = ReadOnlyExecutables(self.p, "test_all_exec", config) + config = dict[str, str]() + check = setools.checker.roexec.ReadOnlyExecutables( + compiled_policy, "test_all_exec", config) result = check._collect_executables() # becasue of unconfined, nonexec is executable expected = set(("roexec", "execfile1", "execfile2", "nonexec", "exempt_file")) - self.assertSetEqual(expected, set(result.keys())) + assert expected == set(result.keys()) - def test_exempt_exec_domain(self): + def test_exempt_exec_domain(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test for exempting an exec domain.""" config = {"exempt_exec_domain": "unconfined"} - check = ReadOnlyExecutables(self.p, "test_exempt_exec_domain", config) + check = setools.checker.roexec.ReadOnlyExecutables( + compiled_policy, "test_exempt_exec_domain", config) result = check._collect_executables() expected = set(("execfile1", "execfile2", "roexec")) - self.assertSetEqual(expected, set(result.keys())) + assert expected == set(result.keys()) - def test_exempt_file(self): + def test_exempt_file(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test for exempting a file.""" config = {"exempt_file": "exempt_file"} - check = ReadOnlyExecutables(self.p, "test_exempt_file", config) + check = setools.checker.roexec.ReadOnlyExecutables( + compiled_policy, "test_exempt_file", config) result = check._collect_executables() expected = set(("roexec", "execfile1", "execfile2", "nonexec")) - self.assertSetEqual(expected, set(result.keys())) + assert expected == result.keys() - def test_exempt_file_attr(self): + def test_exempt_file_attr(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test for exempting a file by attribute.""" config = {"exempt_file": "exempt_files_attr"} - check = ReadOnlyExecutables(self.p, "test_exempt_file_attr", config) + check = setools.checker.roexec.ReadOnlyExecutables( + compiled_policy, "test_exempt_file_attr", config) result = check._collect_executables() expected = set(("roexec", "nonexec", "exempt_file")) - self.assertSetEqual(expected, set(result.keys())) + assert expected == result.keys() - def test_fail(self): + def test_fail(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test for failing.""" - with open("/dev/null", "w") as fd: + with open(os.devnull, "w", encoding="utf-8") as fd: config = {"exempt_exec_domain": "unconfined", "exempt_write_domain": "unconfined"} - check = ReadOnlyExecutables(self.p, "test_fail", config) + check = setools.checker.roexec.ReadOnlyExecutables( + compiled_policy, "test_fail", config) check.output = fd result = check.run() - expected = [self.p.lookup_type("execfile1"), - self.p.lookup_type("execfile2")] - self.assertListEqual(expected, result) + expected = [compiled_policy.lookup_type("execfile1"), + compiled_policy.lookup_type("execfile2")] + assert expected == result - def test_pass(self): + def test_pass(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test for passing.""" - with open("/dev/null", "w") as fd: + with open(os.devnull, "w", encoding="utf-8") as fd: config = {"exempt_exec_domain": "unconfined", "exempt_write_domain": "domain1 domain2 unconfined"} - check = ReadOnlyExecutables(self.p, "test_pass", config) + check = setools.checker.roexec.ReadOnlyExecutables( + compiled_policy, "test_pass", config) check.output = fd result = check.run() - self.assertFalse(result) + assert not result - def test_pass2(self): + def test_pass2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Test for passing with alternate exemptions.""" - with open("/dev/null", "w") as fd: + with open(os.devnull, "w", encoding="utf-8") as fd: config = {"exempt_exec_domain": "unconfined", "exempt_file": "execfile2", "exempt_write_domain": "domain1 unconfined"} - check = ReadOnlyExecutables(self.p, "test_pass2", config) + check = setools.checker.roexec.ReadOnlyExecutables( + compiled_policy, "test_pass2", config) check.output = fd result = check.run() - self.assertFalse(result) + assert not result From 2f6d5b7406c48d89d113fe69d3129ce015ffd885 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Tue, 16 Apr 2024 16:19:45 -0400 Subject: [PATCH 33/71] TestCheckerUtil: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/checker/util.py | 42 +++++++++-------------------------- 1 file changed, 11 insertions(+), 31 deletions(-) diff --git a/tests/library/checker/util.py b/tests/library/checker/util.py index a4d4e97e..c2318b3e 100644 --- a/tests/library/checker/util.py +++ b/tests/library/checker/util.py @@ -1,41 +1,21 @@ # Copyright 2020, Microsoft Corporation # -# This file is part of SETools. +# SPDX-License-Identifier: GPL-2.0-only # -# SETools is free software: you can redistribute it and/or modify -# it under the terms of the GNU Lesser General Public License as -# published by the Free Software Foundation, either version 2.1 of -# the License, or (at your option) any later version. -# -# SETools is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with SETools. If not, see -# . -# - -import os -import logging -import unittest - - from setools.checker import util -class CheckerUtilTest(unittest.TestCase): +class TestCheckerUtil: def test_config_bool_value(self): """Test config_bool_value""" - self.assertTrue(util.config_bool_value(" TrUe ")) - self.assertTrue((util.config_bool_value(" 1 "))) - self.assertTrue((util.config_bool_value(" YeS "))) - self.assertFalse((util.config_bool_value(" FalsE "))) - self.assertFalse((util.config_bool_value(" 0 "))) - self.assertFalse((util.config_bool_value(" No "))) + assert util.config_bool_value(" TrUe ") + assert (util.config_bool_value(" 1 ")) + assert (util.config_bool_value(" YeS ")) + assert not util.config_bool_value(" FalsE ") + assert not util.config_bool_value(" 0 ") + assert not util.config_bool_value(" No ") - self.assertTrue(util.config_bool_value(True)) - self.assertFalse((util.config_bool_value(None))) - self.assertFalse((util.config_bool_value(False))) + assert util.config_bool_value(True) + assert not util.config_bool_value(None) + assert not util.config_bool_value(False) From b5ddfb6a2cef1fde704f4c667da44719d2ac0968 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 14:52:59 -0400 Subject: [PATCH 34/71] TERuleQueryTest: Rename file for pytest. This was missed when the unit tests were changed to pytest. Signed-off-by: Chris PeBenito --- tests/library/{terulequery.py => test_terulequery.py} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tests/library/{terulequery.py => test_terulequery.py} (100%) diff --git a/tests/library/terulequery.py b/tests/library/test_terulequery.py similarity index 100% rename from tests/library/terulequery.py rename to tests/library/test_terulequery.py From f0592c589f00f5749f88079cdc45130637e471a3 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:18:49 -0400 Subject: [PATCH 35/71] TestBoolQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_boolquery.py | 45 +++++++++++++-------------------- 1 file changed, 17 insertions(+), 28 deletions(-) diff --git a/tests/library/test_boolquery.py b/tests/library/test_boolquery.py index ae70fd84..2be3761b 100644 --- a/tests/library/test_boolquery.py +++ b/tests/library/test_boolquery.py @@ -2,51 +2,40 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import BoolQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/boolquery.conf") +class TestBoolQuery: - -class BoolQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/boolquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Boolean query with no criteria.""" # query with no parameters gets all Booleans. - allbools = sorted(str(b) for b in self.p.bools()) + allbools = sorted(str(b) for b in compiled_policy.bools()) - q = BoolQuery(self.p) + q = setools.BoolQuery(compiled_policy) qbools = sorted(str(b) for b in q.results()) - self.assertListEqual(allbools, qbools) + assert allbools == qbools - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Boolean query with exact match""" - q = BoolQuery(self.p, name="test1") + q = setools.BoolQuery(compiled_policy, name="test1") bools = sorted(str(b) for b in q.results()) - self.assertListEqual(["test1"], bools) + assert ["test1"] == bools - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Boolean query with regex match.""" - q = BoolQuery(self.p, name="test2(a|b)", name_regex=True) + q = setools.BoolQuery(compiled_policy, name="test2(a|b)", name_regex=True) bools = sorted(str(b) for b in q.results()) - self.assertListEqual(["test2a", "test2b"], bools) + assert ["test2a", "test2b"] == bools - def test_010_default(self): + def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: """Boolean query with default state match.""" - q = BoolQuery(self.p, default=False) + q = setools.BoolQuery(compiled_policy, default=False) bools = sorted(str(b) for b in q.results()) - self.assertListEqual(["test10a", "test10b"], bools) + assert ["test10a", "test10b"] == bools From 3e71d3663fc54c9f258879d65ce74bddfbb58e8b Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:19:14 -0400 Subject: [PATCH 36/71] TestBoundsQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_boundsquery.py | 87 ++++++++++++++----------------- 1 file changed, 38 insertions(+), 49 deletions(-) diff --git a/tests/library/test_boundsquery.py b/tests/library/test_boundsquery.py index 17a857f7..3dc951d7 100644 --- a/tests/library/test_boundsquery.py +++ b/tests/library/test_boundsquery.py @@ -2,84 +2,73 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import BoundsQuery, BoundsRuletype -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/boundsquery.conf") +class TestBoundsQuery: - -class BoundsQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/boundsquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Bounds query with no criteria.""" # query with no parameters gets all bounds. - allbounds = sorted(self.p.bounds()) + allbounds = sorted(compiled_policy.bounds()) - q = BoundsQuery(self.p) + q = setools.BoundsQuery(compiled_policy) qbounds = sorted(q.results()) - self.assertListEqual(allbounds, qbounds) + assert allbounds == qbounds - def test_001_parent_exact(self): + def test_parent_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Bounds query with exact parent match.""" - q = BoundsQuery(self.p, parent="test1_parent", parent_regex=False) + q = setools.BoundsQuery(compiled_policy, parent="test1_parent", parent_regex=False) qbounds = sorted(q.results()) - self.assertEqual(1, len(qbounds)) + assert 1 == len(qbounds) b = qbounds[0] - self.assertEqual(BoundsRuletype.typebounds, b.ruletype) - self.assertEqual("test1_parent", b.parent) - self.assertEqual("test1_child", b.child) + assert setools.BoundsRuletype.typebounds == b.ruletype + assert "test1_parent" == b.parent + assert "test1_child" == b.child - def test_002_parent_regex(self): + def test_parent_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Bounds query with regex parent match.""" - q = BoundsQuery(self.p, parent="test2_parent?", parent_regex=True) + q = setools.BoundsQuery(compiled_policy, parent="test2_parent?", parent_regex=True) qbounds = sorted(q.results()) - self.assertEqual(2, len(qbounds)) + assert 2 == len(qbounds) b = qbounds[0] - self.assertEqual(BoundsRuletype.typebounds, b.ruletype) - self.assertEqual("test2_parent1", b.parent) - self.assertEqual("test2_child2", b.child) + assert setools.BoundsRuletype.typebounds == b.ruletype + assert "test2_parent1" == b.parent + assert "test2_child2" == b.child b = qbounds[1] - self.assertEqual(BoundsRuletype.typebounds, b.ruletype) - self.assertEqual("test2_parent2", b.parent) - self.assertEqual("test2_child1", b.child) + assert setools.BoundsRuletype.typebounds == b.ruletype + assert "test2_parent2" == b.parent + assert "test2_child1" == b.child - def test_010_child_exact(self): + def test_child_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Bounds query with exact child match.""" - q = BoundsQuery(self.p, child="test10_child", child_regex=False) + q = setools.BoundsQuery(compiled_policy, child="test10_child", child_regex=False) qbounds = sorted(q.results()) - self.assertEqual(1, len(qbounds)) + assert 1 == len(qbounds) b = qbounds[0] - self.assertEqual(BoundsRuletype.typebounds, b.ruletype) - self.assertEqual("test10_parent", b.parent) - self.assertEqual("test10_child", b.child) + assert setools.BoundsRuletype.typebounds == b.ruletype + assert "test10_parent" == b.parent + assert "test10_child" == b.child - def test_011_child_regex(self): + def test_child_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Bounds query with regex child match.""" - q = BoundsQuery(self.p, child="test11_child?", child_regex=True) + q = setools.BoundsQuery(compiled_policy, child="test11_child?", child_regex=True) qbounds = sorted(q.results()) - self.assertEqual(2, len(qbounds)) + assert 2 == len(qbounds) b = qbounds[0] - self.assertEqual(BoundsRuletype.typebounds, b.ruletype) - self.assertEqual("test11_parent1", b.parent) - self.assertEqual("test11_child2", b.child) + assert setools.BoundsRuletype.typebounds == b.ruletype + assert "test11_parent1" == b.parent + assert "test11_child2" == b.child b = qbounds[1] - self.assertEqual(BoundsRuletype.typebounds, b.ruletype) - self.assertEqual("test11_parent2", b.parent) - self.assertEqual("test11_child1", b.child) + assert setools.BoundsRuletype.typebounds == b.ruletype + assert "test11_parent2" == b.parent + assert "test11_child1" == b.child From 88bf8face5a26e0f44b22e5ab09f7d6582693d3c Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:19:40 -0400 Subject: [PATCH 37/71] TestCategoryQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_categoryquery.py | 52 +++++++++++------------------ 1 file changed, 20 insertions(+), 32 deletions(-) diff --git a/tests/library/test_categoryquery.py b/tests/library/test_categoryquery.py index 6de14193..296100fa 100644 --- a/tests/library/test_categoryquery.py +++ b/tests/library/test_categoryquery.py @@ -2,58 +2,46 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import CategoryQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/categoryquery.conf") +class TestCategoryQuery: - -class CategoryQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/categoryquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS category query with no criteria.""" # query with no parameters gets all categories. - allcats = sorted(str(c) for c in self.p.categories()) + allcats = sorted(str(c) for c in compiled_policy.categories()) - q = CategoryQuery(self.p) + q = setools.CategoryQuery(compiled_policy) qcats = sorted(str(c) for c in q.results()) + assert allcats == qcats - self.assertListEqual(allcats, qcats) - - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS category query with exact name match.""" - q = CategoryQuery(self.p, name="test1") + q = setools.CategoryQuery(compiled_policy, name="test1") cats = sorted(str(c) for c in q.results()) - self.assertListEqual(["test1"], cats) + assert ["test1"] == cats - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS category query with regex name match.""" - q = CategoryQuery(self.p, name="test2(a|b)", name_regex=True) + q = setools.CategoryQuery(compiled_policy, name="test2(a|b)", name_regex=True) cats = sorted(str(c) for c in q.results()) - self.assertListEqual(["test2a", "test2b"], cats) + assert ["test2a", "test2b"] == cats - def test_010_alias_exact(self): + def test_alias_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS category query with exact alias match.""" - q = CategoryQuery(self.p, alias="test10a") + q = setools.CategoryQuery(compiled_policy, alias="test10a") cats = sorted(str(t) for t in q.results()) - self.assertListEqual(["test10c1"], cats) + assert ["test10c1"] == cats - def test_011_alias_regex(self): + def test_alias_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS category query with regex alias match.""" - q = CategoryQuery(self.p, alias="test11(a|b)", alias_regex=True) + q = setools.CategoryQuery(compiled_policy, alias="test11(a|b)", alias_regex=True) cats = sorted(str(t) for t in q.results()) - self.assertListEqual(["test11c1", "test11c2"], cats) + assert ["test11c1", "test11c2"] == cats From 14ce6c0e8569c5c3f0c5482d0b2f34db833063d1 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:20:07 -0400 Subject: [PATCH 38/71] TestCommonQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_commonquery.py | 57 +++++++++++++------------------ 1 file changed, 23 insertions(+), 34 deletions(-) diff --git a/tests/library/test_commonquery.py b/tests/library/test_commonquery.py index 1b3de495..5018ec41 100644 --- a/tests/library/test_commonquery.py +++ b/tests/library/test_commonquery.py @@ -2,65 +2,54 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import CommonQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/commonquery.conf") +class TestCommonQuery: - -class CommonQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/commonquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Common query with no criteria.""" # query with no parameters gets all types. - commons = sorted(self.p.commons()) + commons = sorted(compiled_policy.commons()) - q = CommonQuery(self.p) + q = setools.CommonQuery(compiled_policy) q_commons = sorted(q.results()) - self.assertListEqual(commons, q_commons) + assert commons == q_commons - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Common query with exact name match.""" - q = CommonQuery(self.p, name="test1") + q = setools.CommonQuery(compiled_policy, name="test1") commons = sorted(str(c) for c in q.results()) - self.assertListEqual(["test1"], commons) + assert ["test1"] == commons - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Common query with regex name match.""" - q = CommonQuery(self.p, name="test2(a|b)", name_regex=True) + q = setools.CommonQuery(compiled_policy, name="test2(a|b)", name_regex=True) commons = sorted(str(c) for c in q.results()) - self.assertListEqual(["test2a", "test2b"], commons) + assert ["test2a", "test2b"] == commons - def test_010_perm_indirect_intersect(self): + def test_perm_indirect_intersect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Common query with intersect permission name patch.""" - q = CommonQuery(self.p, perms=set(["null"]), perms_equal=False) + q = setools.CommonQuery(compiled_policy, perms=set(["null"]), perms_equal=False) commons = sorted(str(c) for c in q.results()) - self.assertListEqual(["test10a", "test10b"], commons) + assert ["test10a", "test10b"] == commons - def test_011_perm_indirect_equal(self): + def test_perm_indirect_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Common query with equal permission name patch.""" - q = CommonQuery(self.p, perms=set(["read", "write"]), perms_equal=True) + q = setools.CommonQuery(compiled_policy, perms=set(["read", "write"]), perms_equal=True) commons = sorted(str(c) for c in q.results()) - self.assertListEqual(["test11a"], commons) + assert ["test11a"] == commons - def test_012_perm_indirect_regex(self): + def test_perm_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Common query with regex permission name patch.""" - q = CommonQuery(self.p, perms="sig.+", perms_regex=True) + q = setools.CommonQuery(compiled_policy, perms="sig.+", perms_regex=True) commons = sorted(str(c) for c in q.results()) - self.assertListEqual(["test12a", "test12b"], commons) + assert ["test12a", "test12b"] == commons From f41297b28e1beac41d3423b308d13f6d18d0258a Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:20:41 -0400 Subject: [PATCH 39/71] TestConditionalInfoFlowAnalysis: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_conditionalinfoflow.py | 213 ++++++++++------------ 1 file changed, 101 insertions(+), 112 deletions(-) diff --git a/tests/library/test_conditionalinfoflow.py b/tests/library/test_conditionalinfoflow.py index 53e427d8..dedd0e90 100644 --- a/tests/library/test_conditionalinfoflow.py +++ b/tests/library/test_conditionalinfoflow.py @@ -2,18 +2,8 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest - -from setools import InfoFlowAnalysis -from setools import TERuletype as TERT -from setools.exception import InvalidType -from setools.permmap import PermissionMap -from setools.policyrep import Type - -from . import mixins -from .policyrep.util import compile_policy - +import pytest +import setools # Note: the testing for having correct rules on every edge is only # performed once on the full graph, since it is assumed that NetworkX's @@ -21,111 +11,110 @@ # the subgraph. -class ConditionalInfoFlowAnalysisTest(unittest.TestCase): +@pytest.fixture +def analysis(compiled_policy: setools.SELinuxPolicy) -> setools.InfoFlowAnalysis: + perm_map = setools.PermissionMap("tests/library/perm_map") + ret = setools.InfoFlowAnalysis(compiled_policy, perm_map) + ret._build_graph() + return ret - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/conditionalinfoflow.conf", mls=False) - cls.m = PermissionMap("tests/library/perm_map") - cls.a = InfoFlowAnalysis(cls.p, cls.m) - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) +@pytest.mark.obj_args("tests/library/conditionalinfoflow.conf", mls=False) +class TestConditionalInfoFlowAnalysis: - def test_001_keep_conditional_rules(self): + def test_keep_conditional_rules(self, analysis: setools.InfoFlowAnalysis) -> None: """Keep all conditional rules.""" - self.a.booleans = None - self.a._rebuildgraph = True - self.a._build_subgraph() - - source = self.p.lookup_type("src") - target = self.p.lookup_type("tgt") - flow_true = self.p.lookup_type("flow_true") - flow_false = self.p.lookup_type("flow_false") - - r = self.a.G.edges[source, flow_true]["rules"] - self.assertEqual(len(r), 1) - r = self.a.G.edges[flow_true, target]["rules"] - self.assertEqual(len(r), 1) - r = self.a.G.edges[source, flow_false]["rules"] - self.assertEqual(len(r), 1) - r = self.a.G.edges[flow_false, target]["rules"] - self.assertEqual(len(r), 1) - - def test_002_default_conditional_rules(self): + analysis.booleans = None + analysis.rebuildgraph = True + analysis._build_subgraph() + + source = analysis.policy.lookup_type("src") + target = analysis.policy.lookup_type("tgt") + flow_true = analysis.policy.lookup_type("flow_true") + flow_false = analysis.policy.lookup_type("flow_false") + + r = analysis.G.edges[source, flow_true]["rules"] + assert len(r) == 1 + r = analysis.G.edges[flow_true, target]["rules"] + assert len(r) == 1 + r = analysis.G.edges[source, flow_false]["rules"] + assert len(r) == 1 + r = analysis.G.edges[flow_false, target]["rules"] + assert len(r) == 1 + + def test_default_conditional_rules(self, analysis: setools.InfoFlowAnalysis) -> None: """Keep only default conditional rules.""" - self.a.booleans = {} - self.a._rebuildgraph = True - self.a._build_subgraph() - - source = self.p.lookup_type("src") - target = self.p.lookup_type("tgt") - flow_true = self.p.lookup_type("flow_true") - flow_false = self.p.lookup_type("flow_false") - - r = self.a.G.edges[source, flow_true]["rules"] - self.assertEqual(len(r), 0) - r = self.a.G.edges[flow_true, target]["rules"] - self.assertEqual(len(r), 0) - r = self.a.G.edges[source, flow_false]["rules"] - self.assertEqual(len(r), 1) - r = self.a.G.edges[flow_false, target]["rules"] - self.assertEqual(len(r), 1) - - def test_003_user_conditional_true(self): + analysis.booleans = {} + analysis.rebuildgraph = True + analysis._build_subgraph() + + source = analysis.policy.lookup_type("src") + target = analysis.policy.lookup_type("tgt") + flow_true = analysis.policy.lookup_type("flow_true") + flow_false = analysis.policy.lookup_type("flow_false") + + r = analysis.G.edges[source, flow_true]["rules"] + assert len(r) == 0 + r = analysis.G.edges[flow_true, target]["rules"] + assert len(r) == 0 + r = analysis.G.edges[source, flow_false]["rules"] + assert len(r) == 1 + r = analysis.G.edges[flow_false, target]["rules"] + assert len(r) == 1 + + def test_user_conditional_true(self, analysis: setools.InfoFlowAnalysis) -> None: """Keep only conditional rules selected by user specified booleans (True Case.)""" - self.a.booleans = {"condition": True} - self.a.rebuildgraph = True - self.a._build_subgraph() - - source = self.p.lookup_type("src") - target = self.p.lookup_type("tgt") - flow_true = self.p.lookup_type("flow_true") - flow_false = self.p.lookup_type("flow_false") - - r = self.a.G.edges[source, flow_true]["rules"] - self.assertEqual(len(r), 1) - r = self.a.G.edges[flow_true, target]["rules"] - self.assertEqual(len(r), 1) - r = self.a.G.edges[source, flow_false]["rules"] - self.assertEqual(len(r), 0) - r = self.a.G.edges[flow_false, target]["rules"] - self.assertEqual(len(r), 0) - - def test_004_user_conditional_false(self): + analysis.booleans = {"condition": True} + analysis.rebuildgraph = True + analysis._build_subgraph() + + source = analysis.policy.lookup_type("src") + target = analysis.policy.lookup_type("tgt") + flow_true = analysis.policy.lookup_type("flow_true") + flow_false = analysis.policy.lookup_type("flow_false") + + r = analysis.G.edges[source, flow_true]["rules"] + assert len(r) == 1 + r = analysis.G.edges[flow_true, target]["rules"] + assert len(r) == 1 + r = analysis.G.edges[source, flow_false]["rules"] + assert len(r) == 0 + r = analysis.G.edges[flow_false, target]["rules"] + assert len(r) == 0 + + def test_user_conditional_false(self, analysis: setools.InfoFlowAnalysis) -> None: """Keep only conditional rules selected by user specified booleans (False Case.)""" - self.a.booleans = {"condition": False} - self.a.rebuildgraph = True - self.a._build_subgraph() - - source = self.p.lookup_type("src") - target = self.p.lookup_type("tgt") - flow_true = self.p.lookup_type("flow_true") - flow_false = self.p.lookup_type("flow_false") - - r = self.a.G.edges[source, flow_true]["rules"] - self.assertEqual(len(r), 0) - r = self.a.G.edges[flow_true, target]["rules"] - self.assertEqual(len(r), 0) - r = self.a.G.edges[source, flow_false]["rules"] - self.assertEqual(len(r), 1) - r = self.a.G.edges[flow_false, target]["rules"] - self.assertEqual(len(r), 1) - - def test_005_remaining_edges(self): + analysis.booleans = {"condition": False} + analysis.rebuildgraph = True + analysis._build_subgraph() + + source = analysis.policy.lookup_type("src") + target = analysis.policy.lookup_type("tgt") + flow_true = analysis.policy.lookup_type("flow_true") + flow_false = analysis.policy.lookup_type("flow_false") + + r = analysis.G.edges[source, flow_true]["rules"] + assert len(r) == 0 + r = analysis.G.edges[flow_true, target]["rules"] + assert len(r) == 0 + r = analysis.G.edges[source, flow_false]["rules"] + assert len(r) == 1 + r = analysis.G.edges[flow_false, target]["rules"] + assert len(r) == 1 + + def test_remaining_edges(self, analysis: setools.InfoFlowAnalysis) -> None: """Keep edges when rules are deleted, but there are still remaining rules on the edge.""" - self.a.booleans = {} - self.a.rebuildgraph = True - self.a._build_subgraph() - - source = self.p.lookup_type("src_remain") - target = self.p.lookup_type("tgt_remain") - flow = self.p.lookup_type("flow_remain") - - r = self.a.G.edges[source, flow]["rules"] - self.assertEqual(len(r), 1) - self.assertEqual(str(r[0]), 'allow src_remain flow_remain:infoflow hi_w;') - r = self.a.G.edges[flow, target]["rules"] - self.assertEqual(len(r), 1) - self.assertEqual(str(r[0]), 'allow tgt_remain flow_remain:infoflow hi_r;') + analysis.booleans = {} + analysis.rebuildgraph = True + analysis._build_subgraph() + + source = analysis.policy.lookup_type("src_remain") + target = analysis.policy.lookup_type("tgt_remain") + flow = analysis.policy.lookup_type("flow_remain") + + r = analysis.G.edges[source, flow]["rules"] + assert len(r) == 1 + assert str(r[0]) == 'allow src_remain flow_remain:infoflow hi_w;' + r = analysis.G.edges[flow, target]["rules"] + assert len(r) == 1 + assert str(r[0]) == 'allow tgt_remain flow_remain:infoflow hi_r;' From 7be05f013ab329ceca46b3fce5fa8c8ba7eb0dad Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:21:06 -0400 Subject: [PATCH 40/71] TestConstraintQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_constraintquery.py | 103 +++++++++++--------------- 1 file changed, 42 insertions(+), 61 deletions(-) diff --git a/tests/library/test_constraintquery.py b/tests/library/test_constraintquery.py index e30b1048..4462d7c4 100644 --- a/tests/library/test_constraintquery.py +++ b/tests/library/test_constraintquery.py @@ -2,114 +2,95 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import ConstraintQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/constraintquery.conf") +class TestConstraintQuery: - -class ConstraintQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/constraintquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with no criteria.""" - allconstraint = sorted(c.tclass for c in self.p.constraints()) + allconstraint = sorted(c.tclass for c in compiled_policy.constraints()) - q = ConstraintQuery(self.p) + q = setools.ConstraintQuery(compiled_policy) qconstraint = sorted(c.tclass for c in q.results()) + assert allconstraint == qconstraint - self.assertListEqual(allconstraint, qconstraint) - - def test_001_ruletype(self): + def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with rule type match.""" - q = ConstraintQuery(self.p, ruletype=["mlsconstrain"]) - - constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test1"], constraint) - - @unittest.skip("Setting tclass to a string is no longer supported.") - def test_010_class_exact(self): - """Constraint query with exact object class match.""" - q = ConstraintQuery(self.p, tclass="test10") + q = setools.ConstraintQuery(compiled_policy, ruletype=["mlsconstrain"]) constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test10"], constraint) + assert ["test1"] == constraint - def test_011_class_list(self): + def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with object class list match.""" - q = ConstraintQuery(self.p, tclass=["test11a", "test11b"]) + q = setools.ConstraintQuery(compiled_policy, tclass=["test11a", "test11b"]) constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test11a", "test11b"], constraint) + assert ["test11a", "test11b"] == constraint - def test_012_class_regex(self): + def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with object class regex match.""" - q = ConstraintQuery(self.p, tclass="test12(a|c)", tclass_regex=True) + q = setools.ConstraintQuery(compiled_policy, tclass="test12(a|c)", tclass_regex=True) constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test12a", "test12c"], constraint) + assert ["test12a", "test12c"] == constraint - def test_020_perms_any(self): + def test_perms_any(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with permission set intersection match.""" - q = ConstraintQuery(self.p, perms=["test20ap", "test20bp"]) + q = setools.ConstraintQuery(compiled_policy, perms=["test20ap", "test20bp"]) constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test20a", "test20b"], constraint) + assert ["test20a", "test20b"] == constraint - def test_021_perms_equal(self): + def test_perms_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with permission set equality match.""" - q = ConstraintQuery(self.p, perms=["test21ap", "test21bp"], perms_equal=True) + q = setools.ConstraintQuery(compiled_policy, perms=["test21ap", "test21bp"], + perms_equal=True) constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test21c"], constraint) + assert ["test21c"] == constraint - def test_030_role_match_single(self): + def test_role_match_single(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with role match.""" - q = ConstraintQuery(self.p, role="test30r") + q = setools.ConstraintQuery(compiled_policy, role="test30r") constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test30"], constraint) + assert ["test30"] == constraint - def test_031_role_match_regex(self): + def test_role_match_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with regex role match.""" - q = ConstraintQuery(self.p, role="test31r.", role_regex=True) + q = setools.ConstraintQuery(compiled_policy, role="test31r.", role_regex=True) constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test31a", "test31b"], constraint) + assert ["test31a", "test31b"] == constraint - def test_040_type_match_single(self): + def test_type_match_single(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with type match.""" - q = ConstraintQuery(self.p, type_="test40t") + q = setools.ConstraintQuery(compiled_policy, type_="test40t") constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test40"], constraint) + assert ["test40"] == constraint - def test_041_type_match_regex(self): + def test_type_match_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with regex type match.""" - q = ConstraintQuery(self.p, type_="test41t.", type_regex=True) + q = setools.ConstraintQuery(compiled_policy, type_="test41t.", type_regex=True) constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test41a", "test41b"], constraint) + assert ["test41a", "test41b"] == constraint - def test_050_user_match_single(self): + def test_user_match_single(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with user match.""" - q = ConstraintQuery(self.p, user="test50u") + q = setools.ConstraintQuery(compiled_policy, user="test50u") constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test50"], constraint) + assert ["test50"] == constraint - def test_051_user_match_regex(self): + def test_user_match_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Constraint query with regex user match.""" - q = ConstraintQuery(self.p, user="test51u.", user_regex=True) + q = setools.ConstraintQuery(compiled_policy, user="test51u.", user_regex=True) constraint = sorted(c.tclass for c in q.results()) - self.assertListEqual(["test51a", "test51b"], constraint) + assert ["test51a", "test51b"] == constraint From a25f9f2d4b5cf1dce368b0c02f8f998dcd2bbe61 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:22:44 -0400 Subject: [PATCH 41/71] TestDefaultQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_defaultquery.py | 88 +++++++++++++----------------- 1 file changed, 38 insertions(+), 50 deletions(-) diff --git a/tests/library/test_defaultquery.py b/tests/library/test_defaultquery.py index 683e2a8e..55a9ec75 100644 --- a/tests/library/test_defaultquery.py +++ b/tests/library/test_defaultquery.py @@ -2,90 +2,78 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import DefaultQuery, DefaultRuletype, DefaultValue -from setools.exception import InvalidClass -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/defaultquery.conf") +class TestDefaultQuery: - -class DefaultQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/defaultquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Default query: no criteria.""" # query with no parameters gets all defaults - alldefaults = sorted(self.p.defaults()) + alldefaults = sorted(compiled_policy.defaults()) - q = DefaultQuery(self.p) + q = setools.DefaultQuery(compiled_policy) qdefaults = sorted(q.results()) - self.assertListEqual(alldefaults, qdefaults) + assert alldefaults == qdefaults - def test_001_ruletype(self): + def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """Default query: ruletype criterion.""" - q = DefaultQuery(self.p, ruletype=["default_user"]) + q = setools.DefaultQuery(compiled_policy, ruletype=["default_user"]) defaults = list(q.results()) - self.assertEqual(1, len(defaults)) + assert 1 == len(defaults) d = defaults[0] - self.assertEqual(DefaultRuletype.default_user, d.ruletype) - self.assertEqual("infoflow", d.tclass) - self.assertEqual(DefaultValue.target, d.default) + assert setools.DefaultRuletype.default_user == d.ruletype + assert "infoflow" == d.tclass + assert setools.DefaultValue.target == d.default - def test_010_class_list(self): + def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """Default query: object class list match.""" - q = DefaultQuery(self.p, tclass=["infoflow3", "infoflow4"]) + q = setools.DefaultQuery(compiled_policy, tclass=["infoflow3", "infoflow4"]) defaults = sorted(d.tclass for d in q.results()) - self.assertListEqual(["infoflow3", "infoflow4"], defaults) + assert ["infoflow3", "infoflow4"] == defaults - def test_011_class_regex(self): + def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Default query: object class regex match.""" - q = DefaultQuery(self.p, tclass="infoflow(3|5)", tclass_regex=True) + q = setools.DefaultQuery(compiled_policy, tclass="infoflow(3|5)", tclass_regex=True) defaults = sorted(c.tclass for c in q.results()) - self.assertListEqual(["infoflow3", "infoflow5"], defaults) + assert ["infoflow3", "infoflow5"] == defaults - def test_020_default(self): + def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: """Default query: default setting.""" - q = DefaultQuery(self.p, default="source") + q = setools.DefaultQuery(compiled_policy, default="source") defaults = sorted(c.tclass for c in q.results()) - self.assertListEqual(["infoflow", "infoflow3"], defaults) + assert ["infoflow", "infoflow3"] == defaults - def test_030_default_range(self): + def test_default_range(self, compiled_policy: setools.SELinuxPolicy) -> None: """Default query: default_range setting.""" - q = DefaultQuery(self.p, default_range="high") + q = setools.DefaultQuery(compiled_policy, default_range="high") defaults = sorted(c.tclass for c in q.results()) - self.assertListEqual(["infoflow7"], defaults) + assert ["infoflow7"] == defaults - def test_900_invalid_ruletype(self): + def test_invalid_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """Default query: invalid ruletype""" - with self.assertRaises(KeyError): - q = DefaultQuery(self.p, ruletype=["INVALID"]) + with pytest.raises(KeyError): + q = setools.DefaultQuery(compiled_policy, ruletype=["INVALID"]) - def test_901_invalid_class(self): + def test_invalid_class(self, compiled_policy: setools.SELinuxPolicy) -> None: """Default query: invalid object class""" - with self.assertRaises(InvalidClass): - q = DefaultQuery(self.p, tclass=["INVALID"]) + with pytest.raises(setools.exception.InvalidClass): + q = setools.DefaultQuery(compiled_policy, tclass=["INVALID"]) - def test_902_invalid_default_value(self): + def test_invalid_default_value(self, compiled_policy: setools.SELinuxPolicy) -> None: """Default query: invalid default value""" - with self.assertRaises(KeyError): - q = DefaultQuery(self.p, default="INVALID") + with pytest.raises(KeyError): + q = setools.DefaultQuery(compiled_policy, default="INVALID") - def test_903_invalid_default_range(self): + def test_invalid_default_range(self, compiled_policy: setools.SELinuxPolicy) -> None: """Default query: invalid default range""" - with self.assertRaises(KeyError): - q = DefaultQuery(self.p, default_range="INVALID") + with pytest.raises(KeyError): + q = setools.DefaultQuery(compiled_policy, default_range="INVALID") From d81d7ae9c18af2da641570cd34795b795d7e7ef3 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:23:26 -0400 Subject: [PATCH 42/71] TestDevicetreeconQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_devicetreeconquery.py | 193 +++++++++++------------ 1 file changed, 95 insertions(+), 98 deletions(-) diff --git a/tests/library/test_devicetreeconquery.py b/tests/library/test_devicetreeconquery.py index 17eb730d..6c0623c4 100644 --- a/tests/library/test_devicetreeconquery.py +++ b/tests/library/test_devicetreeconquery.py @@ -2,205 +2,202 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import DevicetreeconQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/devicetreeconquery.conf", xen=True) +class TestDevicetreeconQuery: - -class DevicetreeconQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/devicetreeconquery.conf", xen=True) - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with no criteria""" # query with no parameters gets all PCI paths. - rules = sorted(self.p.devicetreecons()) + rules = sorted(compiled_policy.devicetreecons()) - q = DevicetreeconQuery(self.p) + q = setools.DevicetreeconQuery(compiled_policy) q_rules = sorted(q.results()) - self.assertListEqual(rules, q_rules) + assert rules == q_rules - def test_010_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context user exact match""" - q = DevicetreeconQuery(self.p, user="user10", user_regex=False) + q = setools.DevicetreeconQuery(compiled_policy, user="user10", user_regex=False) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree10")], path) + assert [("/dev/tree10")] == path - def test_011_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context user regex match""" - q = DevicetreeconQuery(self.p, user="user11(a|b)", user_regex=True) + q = setools.DevicetreeconQuery(compiled_policy, user="user11(a|b)", user_regex=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree11"), ("/dev/tree11000")], path) + assert [("/dev/tree11"), ("/dev/tree11000")] == path - def test_020_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context role exact match""" - q = DevicetreeconQuery(self.p, role="role20_r", role_regex=False) + q = setools.DevicetreeconQuery(compiled_policy, role="role20_r", role_regex=False) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree20")], path) + assert [("/dev/tree20")] == path - def test_021_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context role regex match""" - q = DevicetreeconQuery(self.p, role="role21(a|c)_r", role_regex=True) + q = setools.DevicetreeconQuery(compiled_policy, role="role21(a|c)_r", role_regex=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree21"), ("/dev/tree21001")], path) + assert [("/dev/tree21"), ("/dev/tree21001")] == path - def test_030_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context type exact match""" - q = DevicetreeconQuery(self.p, type_="type30", type_regex=False) + q = setools.DevicetreeconQuery(compiled_policy, type_="type30", type_regex=False) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree30")], path) + assert [("/dev/tree30")] == path - def test_031_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context type regex match""" - q = DevicetreeconQuery(self.p, type_="type31(b|c)", type_regex=True) + q = setools.DevicetreeconQuery(compiled_policy, type_="type31(b|c)", type_regex=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree31000"), ("/dev/tree31001")], path) + assert [("/dev/tree31000"), ("/dev/tree31001")] == path - def test_040_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range exact match""" - q = DevicetreeconQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.DevicetreeconQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree40")], path) + assert [("/dev/tree40")] == path - def test_041_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range overlap match (equal)""" - q = DevicetreeconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", + range_overlap=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree41")], path) + assert [("/dev/tree41")] == path - def test_041_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range overlap match (subset)""" - q = DevicetreeconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", + range_overlap=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree41")], path) + assert [("/dev/tree41")] == path - def test_041_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range overlap match (superset)""" - q = DevicetreeconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree41")], path) + assert [("/dev/tree41")] == path - def test_041_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range overlap match (overlap low level)""" - q = DevicetreeconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree41")], path) + assert [("/dev/tree41")] == path - def test_041_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range overlap match (overlap high level)""" - q = DevicetreeconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", + range_overlap=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree41")], path) + assert [("/dev/tree41")] == path - def test_042_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range subset match""" - q = DevicetreeconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", + range_overlap=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree42")], path) + assert [("/dev/tree42")] == path - def test_042_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range subset match (equal)""" - q = DevicetreeconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", + range_overlap=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree42")], path) + assert [("/dev/tree42")] == path - def test_043_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range superset match""" - q = DevicetreeconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s3 - s3:c0.c4", + range_superset=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree43")], path) + assert [("/dev/tree43")] == path - def test_043_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range superset match (equal)""" - q = DevicetreeconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", + range_superset=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree43")], path) + assert [("/dev/tree43")] == path - def test_044_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range proper subset match""" - q = DevicetreeconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree44")], path) + assert [("/dev/tree44")] == path - def test_044_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range proper subset match (equal)""" - q = DevicetreeconQuery(self.p, - range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", + range_subset=True, range_proper=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([], path) + assert [] == path - def test_044_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range proper subset match (equal low only)""" - q = DevicetreeconQuery(self.p, - range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", + range_subset=True, range_proper=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree44")], path) + assert [("/dev/tree44")] == path - def test_044_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range proper subset match (equal high only)""" - q = DevicetreeconQuery(self.p, - range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", + range_subset=True, range_proper=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree44")], path) + assert [("/dev/tree44")] == path - def test_045_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range proper superset match""" - q = DevicetreeconQuery(self.p, - range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s5 - s5:c0.c4", + range_superset=True, range_proper=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree45")], path) + assert [("/dev/tree45")] == path - def test_045_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range proper superset match (equal)""" - q = DevicetreeconQuery(self.p, - range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", + range_superset=True, range_proper=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([], path) + assert [] == path - def test_045_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range proper superset match (equal low)""" - q = DevicetreeconQuery(self.p, - range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", + range_superset=True, range_proper=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree45")], path) + assert [("/dev/tree45")] == path - def test_045_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Devicetreecon query with context range proper superset match (equal high)""" - q = DevicetreeconQuery(self.p, - range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.DevicetreeconQuery(compiled_policy, range_="s5 - s5:c1.c3", + range_superset=True, range_proper=True) path = sorted(p.path for p in q.results()) - self.assertListEqual([("/dev/tree45")], path) + assert [("/dev/tree45")] == path From 3284589cc030c9d55d7066774bf744f538bfda04 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:25:34 -0400 Subject: [PATCH 43/71] TestPolicyDifference: Update tests to pytest fixtures. Add a new fixture that provides two compiled policies. Update validate rule mixin for pytest fixtures. Signed-off-by: Chris PeBenito --- tests/conftest.py | 73 +- tests/library/mixins.py | 50 +- tests/library/test_diff.py | 2862 ++++++++++++++++++------------------ 3 files changed, 1477 insertions(+), 1508 deletions(-) diff --git a/tests/conftest.py b/tests/conftest.py index 6441775f..ce123dc9 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -184,6 +184,40 @@ def mock_query(mock_policy) -> setools.PolicyQuery: return query +def _do_compile(source_file: str, output_file: str, /, *, mls: bool = True, + xen: bool = False) -> setools.SELinuxPolicy: + """ + Compile the specified source policy. Checkpolicy is + assumed to be /usr/bin/checkpolicy. Otherwise the path + must be specified in the CHECKPOLICY environment variable. + + Return: + A SELinuxPolicy object. + """ + user_src = os.getenv("USERSPACE_SRC") + checkpol = os.getenv("CHECKPOLICY") + + if user_src: + command = [user_src + "/checkpolicy/checkpolicy"] + elif checkpol: + command = [checkpol] + else: + command = ["/usr/bin/checkpolicy"] + + if mls: + command.append("-M") + + if xen: + command.extend(["-t", "xen", "-c", "30"]) + + command.extend(["-o", output_file, "-U", "reject", source_file]) + + with open(os.devnull, "w") as null: + subprocess.check_call(command, stdout=null, shell=False, close_fds=True) + + return setools.SELinuxPolicy(output_file) + + @pytest.fixture(scope="class") def compiled_policy(request: pytest.FixtureRequest) -> Iterable[setools.SELinuxPolicy]: """Build a compiled policy.""" @@ -193,23 +227,28 @@ def compiled_policy(request: pytest.FixtureRequest) -> Iterable[setools.SELinuxP source_file = args[0] - if "USERSPACE_SRC" in os.environ: - command = [os.environ['USERSPACE_SRC'] + "/checkpolicy/checkpolicy"] - elif "CHECKPOLICY" in os.environ: - command = [os.environ['CHECKPOLICY']] - else: - command = ["/usr/bin/checkpolicy"] - - if kwargs.get("mls", True): - command.append("-M") - - if kwargs.get("xen", False): - command.extend(["-t", "xen", "-c", "30"]) - with tempfile.NamedTemporaryFile("w") as fd: - command.extend(["-o", fd.name, "-U", "reject", source_file]) + yield _do_compile(source_file, fd.name, mls=kwargs.get("mls", True), + xen=kwargs.get("xen", False)) - with open(os.devnull, "w+b") as null: - subprocess.check_call(command, stdout=null, shell=False, close_fds=True) - yield setools.SELinuxPolicy(fd.name) +@pytest.fixture(scope="class") +def policy_pair(request: pytest.FixtureRequest) -> \ + Iterable[tuple[setools.SELinuxPolicy, setools.SELinuxPolicy]]: + """Build a compiled policy.""" + marker = request.node.get_closest_marker("obj_args") + args = marker.args if marker else () + kwargs = marker.kwargs if marker else {} + + source_file_left = args[0] + source_file_right = args[1] + + with tempfile.NamedTemporaryFile("w") as fd_left: + with tempfile.NamedTemporaryFile("w") as fd_right: + left = _do_compile(source_file_left, fd_left.name, + mls=kwargs.get("mls_left", True), + xen=kwargs.get("xen_left", False)) + right = _do_compile(source_file_right, fd_right.name, + mls=kwargs.get("mls_right", True), + xen=kwargs.get("xen_right", False)) + yield left, right diff --git a/tests/library/mixins.py b/tests/library/mixins.py index 4b2a690d..205927d5 100644 --- a/tests/library/mixins.py +++ b/tests/library/mixins.py @@ -4,40 +4,50 @@ # SPDX-License-Identifier: GPL-2.0-only # # pylint: disable=too-few-public-methods -import unittest +import pytest +import setools -from setools.exception import RuleNotConditional, RuleUseError - -class ValidateRule(unittest.TestCase): +class ValidateRule: """Mixin for validating policy rules.""" - def validate_rule(self, rule, ruletype, source, target, tclass, last_item, cond=None, - cond_block=None, xperm=None): + def validate_rule(self, + rule: setools.policyrep.PolicyRule, + ruletype: setools.policyrep.PolicyEnum | str, + source: setools.policyrep.PolicySymbol | str, + target: setools.policyrep.PolicySymbol | str, + tclass: setools.ObjClass | str, + last_item: set[str] | setools.IoctlSet | setools.policyrep.PolicySymbol | str, + cond: str | None = None, + cond_block: bool | None = None, + xperm: str | None = None) -> None: + """Validate a rule.""" - self.assertEqual(ruletype, rule.ruletype) - self.assertEqual(source, rule.source) - self.assertEqual(target, rule.target) - self.assertEqual(tclass, rule.tclass) + assert ruletype == rule.ruletype + assert source == rule.source + assert target == rule.target + assert tclass == rule.tclass try: # This is the common case. - self.assertSetEqual(last_item, rule.perms) - except (AttributeError, RuleUseError): - self.assertEqual(last_item, rule.default) + assert last_item == rule.perms + except (AttributeError, setools.exception.RuleUseError): + assert last_item == rule.default if cond: - self.assertEqual(cond, rule.conditional) + assert cond == rule.conditional else: - self.assertRaises(RuleNotConditional, getattr, rule, "conditional") + with pytest.raises(setools.exception.RuleNotConditional): + rule.conditional if cond_block is not None: - self.assertEqual(cond_block, rule.conditional_block) + assert cond_block == rule.conditional_block if xperm: - self.assertEqual(xperm, rule.xperm_type) - self.assertTrue(rule.extended) + assert xperm == rule.xperm_type + assert rule.extended else: - self.assertRaises(AttributeError, getattr, rule, "xperm_type") - self.assertFalse(rule.extended) + with pytest.raises(AttributeError): + rule.xperm_type + assert not rule.extended diff --git a/tests/library/test_diff.py b/tests/library/test_diff.py index 681cbc37..644c9cd1 100644 --- a/tests/library/test_diff.py +++ b/tests/library/test_diff.py @@ -3,11 +3,11 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest from dataclasses import astuple from ipaddress import IPv6Address, IPv4Network, IPv6Network +import pytest +import setools from setools import PolicyDifference, PortconProtocol, PortconRange from setools import BoundsRuletype as BRT from setools import ConstraintRuletype as CRT @@ -20,232 +20,218 @@ from setools import TERuletype as TRT from .mixins import ValidateRule -from .policyrep.util import compile_policy -class PolicyDifferenceTest(ValidateRule, unittest.TestCase): +@pytest.fixture(scope="class") +def analysis(policy_pair: tuple[setools.SELinuxPolicy, setools.SELinuxPolicy]) -> PolicyDifference: + return PolicyDifference(*policy_pair) - """Policy difference tests.""" - @classmethod - def setUpClass(cls): - cls.p_left = compile_policy("tests/library/diff_left.conf") - cls.p_right = compile_policy("tests/library/diff_right.conf") - cls.diff = PolicyDifference(cls.p_left, cls.p_right) +@pytest.mark.obj_args("tests/library/diff_left.conf", "tests/library/diff_right.conf") +class TestPolicyDifference(ValidateRule): - @classmethod - def tearDownClass(cls): - os.unlink(cls.p_left.path) - os.unlink(cls.p_right.path) + """Policy difference tests.""" # # Types # - def test_added_types(self): + def test_added_types(self, analysis: setools.PolicyDifference) -> None: """Diff: added type""" - self.assertSetEqual(set(["added_type"]), self.diff.added_types) + assert set(["added_type"]) == analysis.added_types - def test_removed_types(self): + def test_removed_types(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type""" - self.assertSetEqual(set(["removed_type"]), self.diff.removed_types) + assert set(["removed_type"]) == analysis.removed_types - def test_modified_types_count(self): + def test_modified_types_count(self, analysis: setools.PolicyDifference) -> None: """Diff: total modified types""" - self.assertEqual(6, len(self.diff.modified_types)) + assert 6 == len(analysis.modified_types) - def test_modified_types_remove_attr(self): + def test_modified_types_remove_attr(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type with removed attribute.""" # modified_remove_attr - self.diff.modified_types.sort() - type_ = self.diff.modified_types[4] - self.assertSetEqual(set(["an_attr"]), type_.removed_attributes) - self.assertFalse(type_.added_attributes) - self.assertFalse(type_.matched_attributes) - self.assertFalse(type_.modified_permissive) - self.assertFalse(type_.permissive) - self.assertFalse(type_.added_aliases) - self.assertFalse(type_.removed_aliases) - self.assertFalse(type_.matched_aliases) - - def test_modified_types_remove_alias(self): + analysis.modified_types.sort() + type_ = analysis.modified_types[4] + assert set(["an_attr"]) == type_.removed_attributes + assert not type_.added_attributes + assert not type_.matched_attributes + assert not type_.modified_permissive + assert not type_.permissive + assert not type_.added_aliases + assert not type_.removed_aliases + assert not type_.matched_aliases + + def test_modified_types_remove_alias(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type with removed alias.""" # modified_remove_alias - self.diff.modified_types.sort() - type_ = self.diff.modified_types[3] - self.assertSetEqual(set(["an_alias"]), type_.removed_aliases) - self.assertFalse(type_.added_attributes) - self.assertFalse(type_.removed_attributes) - self.assertFalse(type_.matched_attributes) - self.assertFalse(type_.modified_permissive) - self.assertFalse(type_.permissive) - self.assertFalse(type_.added_aliases) - self.assertFalse(type_.matched_aliases) - - def test_modified_types_remove_permissive(self): + analysis.modified_types.sort() + type_ = analysis.modified_types[3] + assert set(["an_alias"]) == type_.removed_aliases + assert not type_.added_attributes + assert not type_.removed_attributes + assert not type_.matched_attributes + assert not type_.modified_permissive + assert not type_.permissive + assert not type_.added_aliases + assert not type_.matched_aliases + + def test_modified_types_remove_permissive(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type with removed permissve.""" # modified_remove_permissive - self.diff.modified_types.sort() - type_ = self.diff.modified_types[5] - self.assertFalse(type_.added_attributes) - self.assertFalse(type_.removed_attributes) - self.assertFalse(type_.matched_attributes) - self.assertTrue(type_.modified_permissive) - self.assertTrue(type_.permissive) - self.assertFalse(type_.added_aliases) - self.assertFalse(type_.removed_aliases) - self.assertFalse(type_.matched_aliases) - - def test_modified_types_add_attr(self): + analysis.modified_types.sort() + type_ = analysis.modified_types[5] + assert not type_.added_attributes + assert not type_.removed_attributes + assert not type_.matched_attributes + assert type_.modified_permissive + assert type_.permissive + assert not type_.added_aliases + assert not type_.removed_aliases + assert not type_.matched_aliases + + def test_modified_types_add_attr(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type with added attribute.""" # modified_add_attr - self.diff.modified_types.sort() - type_ = self.diff.modified_types[1] - self.assertSetEqual(set(["an_attr"]), type_.added_attributes) - self.assertFalse(type_.removed_attributes) - self.assertFalse(type_.matched_attributes) - self.assertFalse(type_.modified_permissive) - self.assertFalse(type_.permissive) - self.assertFalse(type_.added_aliases) - self.assertFalse(type_.removed_aliases) - self.assertFalse(type_.matched_aliases) - - def test_modified_types_add_alias(self): + analysis.modified_types.sort() + type_ = analysis.modified_types[1] + assert set(["an_attr"]) == type_.added_attributes + assert not type_.removed_attributes + assert not type_.matched_attributes + assert not type_.modified_permissive + assert not type_.permissive + assert not type_.added_aliases + assert not type_.removed_aliases + assert not type_.matched_aliases + + def test_modified_types_add_alias(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type with added alias.""" # modified_add_alias - self.diff.modified_types.sort() - type_ = self.diff.modified_types[0] - self.assertSetEqual(set(["an_alias"]), type_.added_aliases) - self.assertFalse(type_.added_attributes) - self.assertFalse(type_.removed_attributes) - self.assertFalse(type_.matched_attributes) - self.assertFalse(type_.modified_permissive) - self.assertFalse(type_.permissive) - self.assertFalse(type_.removed_aliases) - self.assertFalse(type_.matched_aliases) - - def test_modified_types_add_permissive(self): + analysis.modified_types.sort() + type_ = analysis.modified_types[0] + assert set(["an_alias"]) == type_.added_aliases + assert not type_.added_attributes + assert not type_.removed_attributes + assert not type_.matched_attributes + assert not type_.modified_permissive + assert not type_.permissive + assert not type_.removed_aliases + assert not type_.matched_aliases + + def test_modified_types_add_permissive(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type with added permissive.""" # modified_add_permissive - self.diff.modified_types.sort() - type_ = self.diff.modified_types[2] - self.assertFalse(type_.added_attributes) - self.assertFalse(type_.removed_attributes) - self.assertFalse(type_.matched_attributes) - self.assertTrue(type_.modified_permissive) - self.assertFalse(type_.permissive) - self.assertFalse(type_.added_aliases) - self.assertFalse(type_.removed_aliases) - self.assertFalse(type_.matched_aliases) + analysis.modified_types.sort() + type_ = analysis.modified_types[2] + assert not type_.added_attributes + assert not type_.removed_attributes + assert not type_.matched_attributes + assert type_.modified_permissive + assert not type_.permissive + assert not type_.added_aliases + assert not type_.removed_aliases + assert not type_.matched_aliases # # Roles # - def test_added_role(self): + def test_added_role(self, analysis: setools.PolicyDifference) -> None: """Diff: added role.""" - self.assertSetEqual(set(["added_role"]), self.diff.added_roles) + assert set(["added_role"]) == analysis.added_roles - def test_removed_role(self): + def test_removed_role(self, analysis: setools.PolicyDifference) -> None: """Diff: removed role.""" - self.assertSetEqual(set(["removed_role"]), self.diff.removed_roles) + assert set(["removed_role"]) == analysis.removed_roles - def test_modified_role_count(self): + def test_modified_role_count(self, analysis: setools.PolicyDifference) -> None: """Diff: modified role.""" - self.assertEqual(2, len(self.diff.modified_roles)) + assert 2 == len(analysis.modified_roles) - def test_modified_role_add_type(self): + def test_modified_role_add_type(self, analysis: setools.PolicyDifference) -> None: """Diff: modified role with added type.""" # modified_add_type - self.diff.modified_roles.sort() - self.assertSetEqual(set(["system"]), - self.diff.modified_roles[0].added_types) - self.assertFalse(self.diff.modified_roles[0].removed_types) + analysis.modified_roles.sort() + assert set(["system"]) == analysis.modified_roles[0].added_types + assert not analysis.modified_roles[0].removed_types - def test_modified_role_remove_type(self): + def test_modified_role_remove_type(self, analysis: setools.PolicyDifference) -> None: """Diff: modified role with removed type.""" # modified_remove_type - self.diff.modified_roles.sort() - self.assertSetEqual(set(["system"]), - self.diff.modified_roles[1].removed_types) - self.assertFalse(self.diff.modified_roles[1].added_types) + analysis.modified_roles.sort() + assert set(["system"]) == analysis.modified_roles[1].removed_types + assert not analysis.modified_roles[1].added_types # # Commons # - def test_added_common(self): + def test_added_common(self, analysis: setools.PolicyDifference) -> None: """Diff: added common.""" - self.assertSetEqual(set(["added_common"]), self.diff.added_commons) + assert set(["added_common"]) == analysis.added_commons - def test_removed_common(self): + def test_removed_common(self, analysis: setools.PolicyDifference) -> None: """Diff: removed common.""" - self.assertSetEqual(set(["removed_common"]), self.diff.removed_commons) + assert set(["removed_common"]) == analysis.removed_commons - def test_modified_common_count(self): + def test_modified_common_count(self, analysis: setools.PolicyDifference) -> None: """Diff: modified common count.""" - self.assertEqual(2, len(self.diff.modified_commons)) + assert 2 == len(analysis.modified_commons) - def test_modified_common_add_perm(self): + def test_modified_common_add_perm(self, analysis: setools.PolicyDifference) -> None: """Diff: modified common with added perm.""" # modified_add_perm - self.diff.modified_commons.sort() - self.assertSetEqual(set(["added_perm"]), - self.diff.modified_commons[0].added_perms) - self.assertFalse(self.diff.modified_commons[0].removed_perms) + analysis.modified_commons.sort() + assert set(["added_perm"]) == analysis.modified_commons[0].added_perms + assert not analysis.modified_commons[0].removed_perms - def test_modified_common_remove_perm(self): + def test_modified_common_remove_perm(self, analysis: setools.PolicyDifference) -> None: """Diff: modified common with removed perm.""" # modified_remove_perm - self.diff.modified_commons.sort() - self.assertSetEqual(set(["removed_perm"]), - self.diff.modified_commons[1].removed_perms) - self.assertFalse(self.diff.modified_commons[1].added_perms) + analysis.modified_commons.sort() + assert set(["removed_perm"]) == analysis.modified_commons[1].removed_perms + assert not analysis.modified_commons[1].added_perms # # Classes # - def test_added_class(self): + def test_added_class(self, analysis: setools.PolicyDifference) -> None: """Diff: added class.""" - self.assertSetEqual(set(["added_class"]), self.diff.added_classes) + assert set(["added_class"]) == analysis.added_classes - def test_removed_class(self): + def test_removed_class(self, analysis: setools.PolicyDifference) -> None: """Diff: removed class.""" - self.assertSetEqual(set(["removed_class"]), self.diff.removed_classes) + assert set(["removed_class"]) == analysis.removed_classes - def test_modified_class_count(self): + def test_modified_class_count(self, analysis: setools.PolicyDifference) -> None: """Diff: modified class count.""" - self.assertEqual(3, len(self.diff.modified_classes)) + assert 3 == len(analysis.modified_classes) - def test_modified_class_add_perm(self): + def test_modified_class_add_perm(self, analysis: setools.PolicyDifference) -> None: """Diff: modified class with added perm.""" # modified_add_perm - self.diff.modified_classes.sort() - self.assertSetEqual(set(["added_perm"]), - self.diff.modified_classes[0].added_perms) - self.assertFalse(self.diff.modified_classes[0].removed_perms) + analysis.modified_classes.sort() + assert set(["added_perm"]) == analysis.modified_classes[0].added_perms + assert not analysis.modified_classes[0].removed_perms - def test_modified_class_remove_perm(self): + def test_modified_class_remove_perm(self, analysis: setools.PolicyDifference) -> None: """Diff: modified class with removed perm.""" # modified_remove_perm - self.diff.modified_classes.sort() - self.assertSetEqual(set(["removed_perm"]), - self.diff.modified_classes[2].removed_perms) - self.assertFalse(self.diff.modified_classes[2].added_perms) + analysis.modified_classes.sort() + assert set(["removed_perm"]) == analysis.modified_classes[2].removed_perms + assert not analysis.modified_classes[2].added_perms - def test_modified_class_change_common(self): + def test_modified_class_change_common(self, analysis: setools.PolicyDifference) -> None: """Diff: modified class due to modified common.""" # modified_change_common - self.diff.modified_classes.sort() - self.assertSetEqual(set(["old_com"]), - self.diff.modified_classes[1].removed_perms) - self.assertSetEqual(set(["new_com"]), - self.diff.modified_classes[1].added_perms) + analysis.modified_classes.sort() + assert set(["old_com"]) == analysis.modified_classes[1].removed_perms + assert set(["new_com"]) == analysis.modified_classes[1].added_perms # # Allow rules # - def test_added_allow_rules(self): + def test_added_allow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added allow rules.""" - rules = sorted(self.diff.added_allows) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.added_allows) + assert 5 == len(rules) # added rule with existing types self.validate_rule(rules[0], TRT.allow, "added_rule_source", "added_rule_target", @@ -267,10 +253,10 @@ def test_added_allow_rules(self): self.validate_rule(rules[4], TRT.allow, "system", "switch_block", "infoflow6", set(["hi_r"]), cond="switch_block_b", cond_block=False) - def test_removed_allow_rules(self): + def test_removed_allow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed allow rules.""" - rules = sorted(self.diff.removed_allows) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.removed_allows) + assert 5 == len(rules) # rule moved out of a conditional self.validate_rule(rules[0], TRT.allow, "move_from_bool", "move_from_bool", "infoflow4", @@ -292,52 +278,52 @@ def test_removed_allow_rules(self): self.validate_rule(rules[4], TRT.allow, "system", "switch_block", "infoflow6", set(["hi_r"]), cond="switch_block_b", cond_block=True) - def test_modified_allow_rules(self): + def test_modified_allow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified allow rules.""" - lst = sorted(self.diff.modified_allows, key=lambda x: x.rule) - self.assertEqual(3, len(lst)) + lst = sorted(analysis.modified_allows, key=lambda x: x.rule) + assert 3 == len(lst) # add permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[0]) - self.assertEqual(TRT.allow, rule.ruletype) - self.assertEqual("modified_rule_add_perms", rule.source) - self.assertEqual("modified_rule_add_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertSetEqual(set(["hi_w"]), added_perms) - self.assertFalse(removed_perms) - self.assertSetEqual(set(["hi_r"]), matched_perms) + assert TRT.allow == rule.ruletype + assert "modified_rule_add_perms" == rule.source + assert "modified_rule_add_perms" == rule.target + assert "infoflow" == rule.tclass + assert set(["hi_w"]) == added_perms + assert not removed_perms + assert set(["hi_r"]) == matched_perms # add and remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[1]) - self.assertEqual(TRT.allow, rule.ruletype) - self.assertEqual("modified_rule_add_remove_perms", rule.source) - self.assertEqual("modified_rule_add_remove_perms", rule.target) - self.assertEqual("infoflow2", rule.tclass) - self.assertSetEqual(set(["super_r"]), added_perms) - self.assertSetEqual(set(["super_w"]), removed_perms) - self.assertSetEqual(set(["low_w"]), matched_perms) + assert TRT.allow == rule.ruletype + assert "modified_rule_add_remove_perms" == rule.source + assert "modified_rule_add_remove_perms" == rule.target + assert "infoflow2" == rule.tclass + assert set(["super_r"]) == added_perms + assert set(["super_w"]) == removed_perms + assert set(["low_w"]) == matched_perms # remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[2]) - self.assertEqual(TRT.allow, rule.ruletype) - self.assertEqual("modified_rule_remove_perms", rule.source) - self.assertEqual("modified_rule_remove_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertFalse(added_perms) - self.assertSetEqual(set(["low_r"]), removed_perms) - self.assertSetEqual(set(["low_w"]), matched_perms) + assert TRT.allow == rule.ruletype + assert "modified_rule_remove_perms" == rule.source + assert "modified_rule_remove_perms" == rule.target + assert "infoflow" == rule.tclass + assert not added_perms + assert set(["low_r"]) == removed_perms + assert set(["low_w"]) == matched_perms # # Auditallow rules # - def test_added_auditallow_rules(self): + def test_added_auditallow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added auditallow rules.""" - rules = sorted(self.diff.added_auditallows) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.added_auditallows) + assert 5 == len(rules) # added rule with existing types - self.validate_rule(rules[0], TRT.auditallow, "aa_added_rule_source", "aa_added_rule_target", - "infoflow", set(["med_w"])) + self.validate_rule(rules[0], TRT.auditallow, "aa_added_rule_source", + "aa_added_rule_target", "infoflow", set(["med_w"])) # rule moved out of a conditional self.validate_rule(rules[1], TRT.auditallow, "aa_move_from_bool", "aa_move_from_bool", @@ -355,10 +341,10 @@ def test_added_auditallow_rules(self): self.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block", "infoflow6", set(["hi_r"]), cond="aa_switch_block_b", cond_block=False) - def test_removed_auditallow_rules(self): + def test_removed_auditallow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed auditallow rules.""" - rules = sorted(self.diff.removed_auditallows) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.removed_auditallows) + assert 5 == len(rules) # rule moved out of a conditional self.validate_rule(rules[0], TRT.auditallow, "aa_move_from_bool", "aa_move_from_bool", @@ -380,48 +366,48 @@ def test_removed_auditallow_rules(self): self.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block", "infoflow6", set(["hi_r"]), cond="aa_switch_block_b", cond_block=True) - def test_modified_auditallow_rules(self): + def test_modified_auditallow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified auditallow rules.""" - lst = sorted(self.diff.modified_auditallows, key=lambda x: x.rule) - self.assertEqual(3, len(lst)) + lst = sorted(analysis.modified_auditallows, key=lambda x: x.rule) + assert 3 == len(lst) # add permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[0]) - self.assertEqual(TRT.auditallow, rule.ruletype) - self.assertEqual("aa_modified_rule_add_perms", rule.source) - self.assertEqual("aa_modified_rule_add_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertSetEqual(set(["hi_w"]), added_perms) - self.assertFalse(removed_perms) - self.assertSetEqual(set(["hi_r"]), matched_perms) + assert TRT.auditallow == rule.ruletype + assert "aa_modified_rule_add_perms" == rule.source + assert "aa_modified_rule_add_perms" == rule.target + assert "infoflow" == rule.tclass + assert set(["hi_w"]) == added_perms + assert not removed_perms + assert set(["hi_r"]) == matched_perms # add and remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[1]) - self.assertEqual(TRT.auditallow, rule.ruletype) - self.assertEqual("aa_modified_rule_add_remove_perms", rule.source) - self.assertEqual("aa_modified_rule_add_remove_perms", rule.target) - self.assertEqual("infoflow2", rule.tclass) - self.assertSetEqual(set(["super_r"]), added_perms) - self.assertSetEqual(set(["super_w"]), removed_perms) - self.assertSetEqual(set(["low_w"]), matched_perms) + assert TRT.auditallow == rule.ruletype + assert "aa_modified_rule_add_remove_perms" == rule.source + assert "aa_modified_rule_add_remove_perms" == rule.target + assert "infoflow2" == rule.tclass + assert set(["super_r"]) == added_perms + assert set(["super_w"]) == removed_perms + assert set(["low_w"]) == matched_perms # remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[2]) - self.assertEqual(TRT.auditallow, rule.ruletype) - self.assertEqual("aa_modified_rule_remove_perms", rule.source) - self.assertEqual("aa_modified_rule_remove_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertFalse(added_perms) - self.assertSetEqual(set(["low_r"]), removed_perms) - self.assertSetEqual(set(["low_w"]), matched_perms) + assert TRT.auditallow == rule.ruletype + assert "aa_modified_rule_remove_perms" == rule.source + assert "aa_modified_rule_remove_perms" == rule.target + assert "infoflow" == rule.tclass + assert not added_perms + assert set(["low_r"]) == removed_perms + assert set(["low_w"]) == matched_perms # # Dontaudit rules # - def test_added_dontaudit_rules(self): + def test_added_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added dontaudit rules.""" - rules = sorted(self.diff.added_dontaudits) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.added_dontaudits) + assert 5 == len(rules) # added rule with new type self.validate_rule(rules[0], TRT.dontaudit, "added_type", "added_type", "infoflow7", @@ -443,10 +429,10 @@ def test_added_dontaudit_rules(self): self.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block", "infoflow6", set(["hi_r"]), cond="da_switch_block_b", cond_block=False) - def test_removed_dontaudit_rules(self): + def test_removed_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed dontaudit rules.""" - rules = sorted(self.diff.removed_dontaudits) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.removed_dontaudits) + assert 5 == len(rules) # rule moved out of a conditional self.validate_rule(rules[0], TRT.dontaudit, "da_move_from_bool", "da_move_from_bool", @@ -468,51 +454,51 @@ def test_removed_dontaudit_rules(self): self.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block", "infoflow6", set(["hi_r"]), cond="da_switch_block_b", cond_block=True) - def test_modified_dontaudit_rules(self): + def test_modified_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified dontaudit rules.""" - lst = sorted(self.diff.modified_dontaudits, key=lambda x: x.rule) - self.assertEqual(3, len(lst)) + lst = sorted(analysis.modified_dontaudits, key=lambda x: x.rule) + assert 3 == len(lst) # add permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[0]) - self.assertEqual(TRT.dontaudit, rule.ruletype) - self.assertEqual("da_modified_rule_add_perms", rule.source) - self.assertEqual("da_modified_rule_add_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertSetEqual(set(["hi_w"]), added_perms) - self.assertFalse(removed_perms) - self.assertSetEqual(set(["hi_r"]), matched_perms) + assert TRT.dontaudit == rule.ruletype + assert "da_modified_rule_add_perms" == rule.source + assert "da_modified_rule_add_perms" == rule.target + assert "infoflow" == rule.tclass + assert set(["hi_w"]) == added_perms + assert not removed_perms + assert set(["hi_r"]) == matched_perms # add and remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[1]) - self.assertEqual(TRT.dontaudit, rule.ruletype) - self.assertEqual("da_modified_rule_add_remove_perms", rule.source) - self.assertEqual("da_modified_rule_add_remove_perms", rule.target) - self.assertEqual("infoflow2", rule.tclass) - self.assertSetEqual(set(["super_r"]), added_perms) - self.assertSetEqual(set(["super_w"]), removed_perms) - self.assertSetEqual(set(["low_w"]), matched_perms) + assert TRT.dontaudit == rule.ruletype + assert "da_modified_rule_add_remove_perms" == rule.source + assert "da_modified_rule_add_remove_perms" == rule.target + assert "infoflow2" == rule.tclass + assert set(["super_r"]) == added_perms + assert set(["super_w"]) == removed_perms + assert set(["low_w"]) == matched_perms # remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[2]) - self.assertEqual(TRT.dontaudit, rule.ruletype) - self.assertEqual("da_modified_rule_remove_perms", rule.source) - self.assertEqual("da_modified_rule_remove_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertFalse(added_perms) - self.assertSetEqual(set(["low_r"]), removed_perms) - self.assertSetEqual(set(["low_w"]), matched_perms) + assert TRT.dontaudit == rule.ruletype + assert "da_modified_rule_remove_perms" == rule.source + assert "da_modified_rule_remove_perms" == rule.target + assert "infoflow" == rule.tclass + assert not added_perms + assert set(["low_r"]) == removed_perms + assert set(["low_w"]) == matched_perms # # Neverallow rules # - def test_added_neverallow_rules(self): + def test_added_neverallow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added neverallow rules.""" - self.assertFalse(self.diff.added_neverallows) + assert not analysis.added_neverallows # changed after dropping source policy support - # rules = sorted(self.diff.added_neverallows) - # self.assertEqual(2, len(rules)) + # rules = sorted(analysis.added_neverallows) + # assert 2 == len(rules) # added rule with new type # self.validate_rule(rules[0], TRT.neverallow, "added_type", "added_type", "added_class", @@ -522,12 +508,12 @@ def test_added_neverallow_rules(self): # self.validate_rule(rules[1], TRT.neverallow, "na_added_rule_source", # "na_added_rule_target", "infoflow", set(["med_w"])) - def test_removed_neverallow_rules(self): + def test_removed_neverallow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed neverallow rules.""" - self.assertFalse(self.diff.removed_neverallows) + assert not analysis.removed_neverallows # changed after dropping source policy support - # rules = sorted(self.diff.removed_neverallows) - # self.assertEqual(2, len(rules)) + # rules = sorted(analysis.removed_neverallows) + # assert 2 == len(rules) # removed rule with existing types # self.validate_rule(rules[0], TRT.neverallow, "na_removed_rule_source", @@ -537,50 +523,50 @@ def test_removed_neverallow_rules(self): # self.validate_rule(rules[1], TRT.neverallow, "removed_type", "removed_type", # "removed_class", set(["null_perm"])) - def test_modified_neverallow_rules(self): + def test_modified_neverallow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified neverallow rules.""" # changed after dropping source policy support - self.assertFalse(self.diff.modified_neverallows) - # l = sorted(self.diff.modified_neverallows, key=lambda x: x.rule) - # self.assertEqual(3, len(l)) + assert not analysis.modified_neverallows + # l = sorted(analysis.modified_neverallows, key=lambda x: x.rule) + # assert 3 == len(l) # # # add permissions # rule, added_perms, removed_perms, matched_perms = l[0] - # self.assertEqual(TRT.neverallow, rule.ruletype) - # self.assertEqual("na_modified_rule_add_perms", rule.source) - # self.assertEqual("na_modified_rule_add_perms", rule.target) - # self.assertEqual("infoflow", rule.tclass) - # self.assertSetEqual(set(["hi_w"]), added_perms) - # self.assertFalse(removed_perms) - # self.assertSetEqual(set(["hi_r"]), matched_perms) + # assert TRT.neverallow == rule.ruletype + # assert "na_modified_rule_add_perms" == rule.source + # assert "na_modified_rule_add_perms" == rule.target + # assert "infoflow" == rule.tclass + # assert set(["hi_w"]) == added_perms + # assert not removed_perms + # assert set(["hi_r"]) == matched_perms # # # add and remove permissions # rule, added_perms, removed_perms, matched_perms = l[1] - # self.assertEqual(TRT.neverallow, rule.ruletype) - # self.assertEqual("na_modified_rule_add_remove_perms", rule.source) - # self.assertEqual("na_modified_rule_add_remove_perms", rule.target) - # self.assertEqual("infoflow2", rule.tclass) - # self.assertSetEqual(set(["super_r"]), added_perms) - # self.assertSetEqual(set(["super_w"]), removed_perms) - # self.assertSetEqual(set(["low_w"]), matched_perms) + # assert TRT.neverallow == rule.ruletype + # assert "na_modified_rule_add_remove_perms" == rule.source + # assert "na_modified_rule_add_remove_perms" == rule.target + # assert "infoflow2" == rule.tclass + # assert set(["super_r"]) == added_perms + # assert set(["super_w"]) == removed_perms + # assert set(["low_w"]) == matched_perms # # # remove permissions # rule, added_perms, removed_perms, matched_perms = l[2] - # self.assertEqual(TRT.neverallow, rule.ruletype) - # self.assertEqual("na_modified_rule_remove_perms", rule.source) - # self.assertEqual("na_modified_rule_remove_perms", rule.target) - # self.assertEqual("infoflow", rule.tclass) - # self.assertFalse(added_perms) - # self.assertSetEqual(set(["low_r"]), removed_perms) - # self.assertSetEqual(set(["low_w"]), matched_perms) + # assert TRT.neverallow == rule.ruletype + # assert "na_modified_rule_remove_perms" == rule.source + # assert "na_modified_rule_remove_perms" == rule.target + # assert "infoflow" == rule.tclass + # assert not added_perms + # assert set(["low_r"]) == removed_perms + # assert set(["low_w"]) == matched_perms # # Type_transition rules # - def test_added_type_transition_rules(self): + def test_added_type_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added type_transition rules.""" - rules = sorted(self.diff.added_type_transitions) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.added_type_transitions) + assert 5 == len(rules) # added rule with new type self.validate_rule(rules[0], TRT.type_transition, "added_type", "system", "infoflow4", @@ -602,10 +588,10 @@ def test_added_type_transition_rules(self): self.validate_rule(rules[4], TRT.type_transition, "tt_move_to_bool", "system", "infoflow3", "system", cond="tt_move_to_bool_b", cond_block=True) - def test_removed_type_transition_rules(self): + def test_removed_type_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed type_transition rules.""" - rules = sorted(self.diff.removed_type_transitions) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.removed_type_transitions) + assert 5 == len(rules) # removed rule with new type self.validate_rule(rules[0], TRT.type_transition, "removed_type", "system", "infoflow4", @@ -627,26 +613,26 @@ def test_removed_type_transition_rules(self): self.validate_rule(rules[4], TRT.type_transition, "tt_removed_rule_source", "tt_removed_rule_target", "infoflow", "system") - def test_modified_type_transition_rules(self): + def test_modified_type_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type_transition rules.""" - lst = sorted(self.diff.modified_type_transitions, key=lambda x: x.rule) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.modified_type_transitions, key=lambda x: x.rule) + assert 1 == len(lst) rule, added_default, removed_default = astuple(lst[0]) - self.assertEqual(TRT.type_transition, rule.ruletype) - self.assertEqual("tt_matched_source", rule.source) - self.assertEqual("system", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertEqual("tt_new_type", added_default) - self.assertEqual("tt_old_type", removed_default) + assert TRT.type_transition == rule.ruletype + assert "tt_matched_source" == rule.source + assert "system" == rule.target + assert "infoflow" == rule.tclass + assert "tt_new_type" == added_default + assert "tt_old_type" == removed_default # # Type_change rules # - def test_added_type_change_rules(self): + def test_added_type_change_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added type_change rules.""" - rules = sorted(self.diff.added_type_changes) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.added_type_changes) + assert 5 == len(rules) # added rule with new type self.validate_rule(rules[0], TRT.type_change, "added_type", "system", "infoflow4", @@ -668,10 +654,10 @@ def test_added_type_change_rules(self): self.validate_rule(rules[4], TRT.type_change, "tc_move_to_bool", "system", "infoflow3", "system", cond="tc_move_to_bool_b", cond_block=True) - def test_removed_type_change_rules(self): + def test_removed_type_change_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed type_change rules.""" - rules = sorted(self.diff.removed_type_changes) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.removed_type_changes) + assert 5 == len(rules) # removed rule with new type self.validate_rule(rules[0], TRT.type_change, "removed_type", "system", "infoflow4", @@ -693,26 +679,26 @@ def test_removed_type_change_rules(self): self.validate_rule(rules[4], TRT.type_change, "tc_removed_rule_source", "tc_removed_rule_target", "infoflow", "system") - def test_modified_type_change_rules(self): + def test_modified_type_change_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type_change rules.""" - lst = sorted(self.diff.modified_type_changes, key=lambda x: x.rule) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.modified_type_changes, key=lambda x: x.rule) + assert 1 == len(lst) rule, added_default, removed_default = astuple(lst[0]) - self.assertEqual(TRT.type_change, rule.ruletype) - self.assertEqual("tc_matched_source", rule.source) - self.assertEqual("system", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertEqual("tc_new_type", added_default) - self.assertEqual("tc_old_type", removed_default) + assert TRT.type_change == rule.ruletype + assert "tc_matched_source" == rule.source + assert "system" == rule.target + assert "infoflow" == rule.tclass + assert "tc_new_type" == added_default + assert "tc_old_type" == removed_default # # Type_member rules # - def test_added_type_member_rules(self): + def test_added_type_member_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added type_member rules.""" - rules = sorted(self.diff.added_type_members) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.added_type_members) + assert 5 == len(rules) # added rule with new type self.validate_rule(rules[0], TRT.type_member, "added_type", "system", "infoflow4", @@ -734,10 +720,10 @@ def test_added_type_member_rules(self): self.validate_rule(rules[4], TRT.type_member, "tm_move_to_bool", "system", "infoflow3", "system", cond="tm_move_to_bool_b", cond_block=True) - def test_removed_type_member_rules(self): + def test_removed_type_member_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed type_member rules.""" - rules = sorted(self.diff.removed_type_members) - self.assertEqual(5, len(rules)) + rules = sorted(analysis.removed_type_members) + assert 5 == len(rules) # removed rule with new type self.validate_rule(rules[0], TRT.type_member, "removed_type", "system", "infoflow4", @@ -759,26 +745,26 @@ def test_removed_type_member_rules(self): self.validate_rule(rules[4], TRT.type_member, "tm_removed_rule_source", "tm_removed_rule_target", "infoflow", "system") - def test_modified_type_member_rules(self): + def test_modified_type_member_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type_member rules.""" - lst = sorted(self.diff.modified_type_members, key=lambda x: x.rule) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.modified_type_members, key=lambda x: x.rule) + assert 1 == len(lst) rule, added_default, removed_default = astuple(lst[0]) - self.assertEqual(TRT.type_member, rule.ruletype) - self.assertEqual("tm_matched_source", rule.source) - self.assertEqual("system", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertEqual("tm_new_type", added_default) - self.assertEqual("tm_old_type", removed_default) + assert TRT.type_member == rule.ruletype + assert "tm_matched_source" == rule.source + assert "system" == rule.target + assert "infoflow" == rule.tclass + assert "tm_new_type" == added_default + assert "tm_old_type" == removed_default # # Range_transition rules # - def test_added_range_transition_rules(self): + def test_added_range_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added range_transition rules.""" - rules = sorted(self.diff.added_range_transitions) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.added_range_transitions) + assert 2 == len(rules) # added rule with new type self.validate_rule(rules[0], MRT.range_transition, "added_type", "system", "infoflow4", @@ -788,10 +774,10 @@ def test_added_range_transition_rules(self): self.validate_rule(rules[1], MRT.range_transition, "rt_added_rule_source", "rt_added_rule_target", "infoflow", "s3") - def test_removed_range_transition_rules(self): + def test_removed_range_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed range_transition rules.""" - rules = sorted(self.diff.removed_range_transitions) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.removed_range_transitions) + assert 2 == len(rules) # removed rule with new type self.validate_rule(rules[0], MRT.range_transition, "removed_type", "system", "infoflow4", @@ -801,59 +787,59 @@ def test_removed_range_transition_rules(self): self.validate_rule(rules[1], MRT.range_transition, "rt_removed_rule_source", "rt_removed_rule_target", "infoflow", "s1") - def test_modified_range_transition_rules(self): + def test_modified_range_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified range_transition rules.""" - lst = sorted(self.diff.modified_range_transitions, key=lambda x: x.rule) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.modified_range_transitions, key=lambda x: x.rule) + assert 1 == len(lst) rule, added_default, removed_default = astuple(lst[0]) - self.assertEqual(MRT.range_transition, rule.ruletype) - self.assertEqual("rt_matched_source", rule.source) - self.assertEqual("system", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertEqual("s0:c0,c4 - s1:c0.c2,c4", added_default) - self.assertEqual("s2:c0 - s3:c0.c2", removed_default) + assert MRT.range_transition == rule.ruletype + assert "rt_matched_source" == rule.source + assert "system" == rule.target + assert "infoflow" == rule.tclass + assert "s0:c0,c4 - s1:c0.c2,c4" == added_default + assert "s2:c0 - s3:c0.c2" == removed_default # # Role allow rules # - def test_added_role_allow_rules(self): + def test_added_role_allow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added role_allow rules.""" - rules = sorted(self.diff.added_role_allows) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.added_role_allows) + assert 2 == len(rules) # added rule with existing roles - self.assertEqual(RRT.allow, rules[0].ruletype) - self.assertEqual("added_role", rules[0].source) - self.assertEqual("system", rules[0].target) + assert RRT.allow == rules[0].ruletype + assert "added_role" == rules[0].source + assert "system" == rules[0].target # added rule with new roles - self.assertEqual(RRT.allow, rules[1].ruletype) - self.assertEqual("added_rule_source_r", rules[1].source) - self.assertEqual("added_rule_target_r", rules[1].target) + assert RRT.allow == rules[1].ruletype + assert "added_rule_source_r" == rules[1].source + assert "added_rule_target_r" == rules[1].target - def test_removed_role_allow_rules(self): + def test_removed_role_allow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed role_allow rules.""" - rules = sorted(self.diff.removed_role_allows) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.removed_role_allows) + assert 2 == len(rules) # removed rule with removed role - self.assertEqual(RRT.allow, rules[0].ruletype) - self.assertEqual("removed_role", rules[0].source) - self.assertEqual("system", rules[0].target) + assert RRT.allow == rules[0].ruletype + assert "removed_role" == rules[0].source + assert "system" == rules[0].target # removed rule with existing roles - self.assertEqual(RRT.allow, rules[1].ruletype) - self.assertEqual("removed_rule_source_r", rules[1].source) - self.assertEqual("removed_rule_target_r", rules[1].target) + assert RRT.allow == rules[1].ruletype + assert "removed_rule_source_r" == rules[1].source + assert "removed_rule_target_r" == rules[1].target # # Role_transition rules # - def test_added_role_transition_rules(self): + def test_added_role_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added role_transition rules.""" - rules = sorted(self.diff.added_role_transitions) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.added_role_transitions) + assert 2 == len(rules) # added rule with new role self.validate_rule(rules[0], RRT.role_transition, "added_role", "system", "infoflow4", @@ -863,10 +849,10 @@ def test_added_role_transition_rules(self): self.validate_rule(rules[1], RRT.role_transition, "role_tr_added_rule_source", "role_tr_added_rule_target", "infoflow6", "system") - def test_removed_role_transition_rules(self): + def test_removed_role_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed role_transition rules.""" - rules = sorted(self.diff.removed_role_transitions) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.removed_role_transitions) + assert 2 == len(rules) # removed rule with new role self.validate_rule(rules[0], RRT.role_transition, "removed_role", "system", "infoflow4", @@ -876,1071 +862,1051 @@ def test_removed_role_transition_rules(self): self.validate_rule(rules[1], RRT.role_transition, "role_tr_removed_rule_source", "role_tr_removed_rule_target", "infoflow5", "system") - def test_modified_role_transition_rules(self): + def test_modified_role_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified role_transition rules.""" - lst = sorted(self.diff.modified_role_transitions, key=lambda x: x.rule) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.modified_role_transitions, key=lambda x: x.rule) + assert 1 == len(lst) rule, added_default, removed_default = astuple(lst[0]) - self.assertEqual(RRT.role_transition, rule.ruletype) - self.assertEqual("role_tr_matched_source", rule.source) - self.assertEqual("role_tr_matched_target", rule.target) - self.assertEqual("infoflow3", rule.tclass) - self.assertEqual("role_tr_new_role", added_default) - self.assertEqual("role_tr_old_role", removed_default) + assert RRT.role_transition == rule.ruletype + assert "role_tr_matched_source" == rule.source + assert "role_tr_matched_target" == rule.target + assert "infoflow3" == rule.tclass + assert "role_tr_new_role" == added_default + assert "role_tr_old_role" == removed_default # # Users # - def test_added_user(self): + def test_added_user(self, analysis: setools.PolicyDifference) -> None: """Diff: added user.""" - self.assertSetEqual(set(["added_user"]), self.diff.added_users) + assert set(["added_user"]) == analysis.added_users - def test_removed_user(self): + def test_removed_user(self, analysis: setools.PolicyDifference) -> None: """Diff: removed user.""" - self.assertSetEqual(set(["removed_user"]), self.diff.removed_users) + assert set(["removed_user"]) == analysis.removed_users - def test_modified_user_count(self): + def test_modified_user_count(self, analysis: setools.PolicyDifference) -> None: """Diff: modified user count.""" - self.assertEqual(4, len(self.diff.modified_users)) + assert 4 == len(analysis.modified_users) - def test_modified_user_add_role(self): + def test_modified_user_add_role(self, analysis: setools.PolicyDifference) -> None: """Diff: modified user with added role.""" # modified_add_role - self.diff.modified_users.sort() - self.assertSetEqual(set(["added_role"]), - self.diff.modified_users[0].added_roles) - self.assertFalse(self.diff.modified_users[0].removed_roles) + analysis.modified_users.sort() + assert set(["added_role"]) == analysis.modified_users[0].added_roles + assert not analysis.modified_users[0].removed_roles - def test_modified_user_remove_role(self): + def test_modified_user_remove_role(self, analysis: setools.PolicyDifference) -> None: """Diff: modified user with removed role.""" # modified_remove_role - self.diff.modified_users.sort() - self.assertSetEqual(set(["removed_role"]), - self.diff.modified_users[3].removed_roles) - self.assertFalse(self.diff.modified_users[3].added_roles) + analysis.modified_users.sort() + assert set(["removed_role"]) == analysis.modified_users[3].removed_roles + assert not analysis.modified_users[3].added_roles - def test_modified_user_change_level(self): + def test_modified_user_change_level(self, analysis: setools.PolicyDifference) -> None: """Diff: modified user due to modified default level.""" # modified_change_level - self.diff.modified_users.sort() - self.assertEqual("s2:c0", self.diff.modified_users[1].removed_level) - self.assertEqual("s2:c1", self.diff.modified_users[1].added_level) + analysis.modified_users.sort() + assert "s2:c0" == analysis.modified_users[1].removed_level + assert "s2:c1" == analysis.modified_users[1].added_level - def test_modified_user_change_range(self): + def test_modified_user_change_range(self, analysis: setools.PolicyDifference) -> None: """Diff: modified user due to modified range.""" # modified_change_range - self.diff.modified_users.sort() - self.assertEqual("s3:c1 - s3:c1.c3", - self.diff.modified_users[2].removed_range) - self.assertEqual("s3:c1 - s3:c1.c4", - self.diff.modified_users[2].added_range) + analysis.modified_users.sort() + assert "s3:c1 - s3:c1.c3" == analysis.modified_users[2].removed_range + assert "s3:c1 - s3:c1.c4" == analysis.modified_users[2].added_range # # Type attributes # - def test_added_type_attribute(self): + def test_added_type_attribute(self, analysis: setools.PolicyDifference) -> None: """Diff: added type attribute.""" - self.assertSetEqual(set(["added_attr"]), self.diff.added_type_attributes) + assert set(["added_attr"]) == analysis.added_type_attributes - def test_removed_type_attribute(self): + def test_removed_type_attribute(self, analysis: setools.PolicyDifference) -> None: """Diff: removed type attribute.""" - self.assertSetEqual(set(["removed_attr"]), self.diff.removed_type_attributes) + assert set(["removed_attr"]) == analysis.removed_type_attributes - def test_modified_type_attribute(self): + def test_modified_type_attribute(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type attribute.""" - self.assertEqual(1, len(self.diff.modified_type_attributes)) - self.assertSetEqual(set(["modified_add_attr"]), - self.diff.modified_type_attributes[0].added_types) - self.assertSetEqual(set(["modified_remove_attr"]), - self.diff.modified_type_attributes[0].removed_types) + assert 1 == len(analysis.modified_type_attributes) + assert set(["modified_add_attr"]) == analysis.modified_type_attributes[0].added_types + assert set(["modified_remove_attr"]) == analysis.modified_type_attributes[0].removed_types # # Booleans # - def test_added_boolean(self): + def test_added_boolean(self, analysis: setools.PolicyDifference) -> None: """Diff: added boolean.""" - self.assertSetEqual(set(["added_bool"]), self.diff.added_booleans) + assert set(["added_bool"]) == analysis.added_booleans - def test_removed_boolean(self): + def test_removed_boolean(self, analysis: setools.PolicyDifference) -> None: """Diff: removed boolean.""" - self.assertSetEqual(set(["removed_bool"]), self.diff.removed_booleans) + assert set(["removed_bool"]) == analysis.removed_booleans - def test_modified_boolean(self): + def test_modified_boolean(self, analysis: setools.PolicyDifference) -> None: """Diff: modified boolean.""" - self.assertEqual(1, len(self.diff.modified_booleans)) - self.assertTrue(self.diff.modified_booleans[0].added_state) - self.assertFalse(self.diff.modified_booleans[0].removed_state) + assert 1 == len(analysis.modified_booleans) + assert analysis.modified_booleans[0].added_state + assert not analysis.modified_booleans[0].removed_state # # Categories # - def test_added_category(self): + def test_added_category(self, analysis: setools.PolicyDifference) -> None: """Diff: added category.""" - self.assertSetEqual(set(["c6"]), self.diff.added_categories) + assert set(["c6"]) == analysis.added_categories - def test_removed_category(self): + def test_removed_category(self, analysis: setools.PolicyDifference) -> None: """Diff: removed category.""" - self.assertSetEqual(set(["c5"]), self.diff.removed_categories) + assert set(["c5"]) == analysis.removed_categories - def test_modified_category(self): + def test_modified_category(self, analysis: setools.PolicyDifference) -> None: """Diff: modified categories.""" - self.assertEqual(2, len(self.diff.modified_categories)) - self.diff.modified_categories.sort() + assert 2 == len(analysis.modified_categories) + analysis.modified_categories.sort() # add alias on c1 - self.assertEqual(set(["foo"]), self.diff.modified_categories[1].added_aliases) - self.assertFalse(self.diff.modified_categories[1].removed_aliases) + assert set(["foo"]) == analysis.modified_categories[1].added_aliases + assert not analysis.modified_categories[1].removed_aliases # remove alias on c0 - self.assertFalse(self.diff.modified_categories[0].added_aliases) - self.assertEqual(set(["eggs"]), self.diff.modified_categories[0].removed_aliases) + assert not analysis.modified_categories[0].added_aliases + assert set(["eggs"]) == analysis.modified_categories[0].removed_aliases # # Sensitivity # - def test_added_sensitivities(self): + def test_added_sensitivities(self, analysis: setools.PolicyDifference) -> None: """Diff: added sensitivities.""" - self.assertSetEqual(set(["s46"]), self.diff.added_sensitivities) + assert set(["s46"]) == analysis.added_sensitivities - def test_removed_sensitivities(self): + def test_removed_sensitivities(self, analysis: setools.PolicyDifference) -> None: """Diff: removed sensitivities.""" - self.assertSetEqual(set(["s47"]), self.diff.removed_sensitivities) + assert set(["s47"]) == analysis.removed_sensitivities - def test_modified_sensitivities(self): + def test_modified_sensitivities(self, analysis: setools.PolicyDifference) -> None: """Diff: modified sensitivities.""" - self.assertEqual(2, len(self.diff.modified_sensitivities)) - self.diff.modified_sensitivities.sort() + assert 2 == len(analysis.modified_sensitivities) + analysis.modified_sensitivities.sort() # add alias to s1 - self.assertSetEqual(set(["al4"]), self.diff.modified_sensitivities[1].added_aliases) - self.assertFalse(self.diff.modified_sensitivities[1].removed_aliases) + assert set(["al4"]) == analysis.modified_sensitivities[1].added_aliases + assert not analysis.modified_sensitivities[1].removed_aliases # remove alias from s0 - self.assertFalse(self.diff.modified_sensitivities[0].added_aliases) - self.assertSetEqual(set(["al2"]), self.diff.modified_sensitivities[0].removed_aliases) + assert not analysis.modified_sensitivities[0].added_aliases + assert set(["al2"]) == analysis.modified_sensitivities[0].removed_aliases # # Initial SIDs # - def test_added_initialsids(self): + def test_added_initialsids(self, analysis: setools.PolicyDifference) -> None: """Diff: added initialsids.""" - self.assertSetEqual(set(["file_labels"]), self.diff.added_initialsids) + assert set(["file_labels"]) == analysis.added_initialsids - @unittest.skip("Moved to PolicyDifferenceRmIsidTest.") - def test_removed_initialsids(self): + @pytest.mark.skip("Moved to PolicyDifferenceRmIsidTest.") + def test_removed_initialsids(self, analysis: setools.PolicyDifference) -> None: """Diff: removed initialsids.""" - self.assertSetEqual(set(["removed_sid"]), self.diff.removed_initialsids) + assert set(["removed_sid"]) == analysis.removed_initialsids - def test_modified_initialsids(self): + def test_modified_initialsids(self, analysis: setools.PolicyDifference) -> None: """Diff: modified initialsids.""" - self.assertEqual(1, len(self.diff.modified_initialsids)) - self.assertEqual("system:system:system:s0", - self.diff.modified_initialsids[0].added_context) - self.assertEqual("removed_user:system:system:s0", - self.diff.modified_initialsids[0].removed_context) + assert 1 == len(analysis.modified_initialsids) + assert "system:system:system:s0" == analysis.modified_initialsids[0].added_context + assert "removed_user:system:system:s0" == analysis.modified_initialsids[0].removed_context # # fs_use_* # - def test_added_fs_uses(self): + def test_added_fs_uses(self, analysis: setools.PolicyDifference) -> None: """Diff: added fs_uses.""" - lst = sorted(self.diff.added_fs_uses) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.added_fs_uses) + assert 1 == len(lst) rule = lst[0] - self.assertEqual(FSURT.fs_use_xattr, rule.ruletype) - self.assertEqual("added_fsuse", rule.fs) - self.assertEqual("system:object_r:system:s0", rule.context) + assert FSURT.fs_use_xattr == rule.ruletype + assert "added_fsuse" == rule.fs + assert "system:object_r:system:s0" == rule.context - def test_removed_fs_uses(self): + def test_removed_fs_uses(self, analysis: setools.PolicyDifference) -> None: """Diff: removed fs_uses.""" - lst = sorted(self.diff.removed_fs_uses) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.removed_fs_uses) + assert 1 == len(lst) rule = lst[0] - self.assertEqual(FSURT.fs_use_task, rule.ruletype) - self.assertEqual("removed_fsuse", rule.fs) - self.assertEqual("system:object_r:system:s0", rule.context) + assert FSURT.fs_use_task == rule.ruletype + assert "removed_fsuse" == rule.fs + assert "system:object_r:system:s0" == rule.context - def test_modified_fs_uses(self): + def test_modified_fs_uses(self, analysis: setools.PolicyDifference) -> None: """Diff: modified fs_uses.""" - lst = sorted(self.diff.modified_fs_uses, key=lambda x: x.rule) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.modified_fs_uses, key=lambda x: x.rule) + assert 1 == len(lst) rule, added_context, removed_context = astuple(lst[0]) - self.assertEqual(FSURT.fs_use_trans, rule.ruletype) - self.assertEqual("modified_fsuse", rule.fs) - self.assertEqual("added_user:object_r:system:s1", added_context) - self.assertEqual("removed_user:object_r:system:s0", removed_context) + assert FSURT.fs_use_trans == rule.ruletype + assert "modified_fsuse" == rule.fs + assert "added_user:object_r:system:s1" == added_context + assert "removed_user:object_r:system:s0" == removed_context # # genfscon # - def test_added_genfscons(self): + def test_added_genfscons(self, analysis: setools.PolicyDifference) -> None: """Diff: added genfscons.""" - lst = sorted(self.diff.added_genfscons) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.added_genfscons) + assert 2 == len(lst) rule = lst[0] - self.assertEqual("added_genfs", rule.fs) - self.assertEqual("/", rule.path) - self.assertEqual("added_user:object_r:system:s0", rule.context) + assert "added_genfs" == rule.fs + assert "/" == rule.path + assert "added_user:object_r:system:s0" == rule.context rule = lst[1] - self.assertEqual("change_path", rule.fs) - self.assertEqual("/new", rule.path) - self.assertEqual("system:object_r:system:s0", rule.context) + assert "change_path" == rule.fs + assert "/new" == rule.path + assert "system:object_r:system:s0" == rule.context - def test_removed_genfscons(self): + def test_removed_genfscons(self, analysis: setools.PolicyDifference) -> None: """Diff: removed genfscons.""" - lst = sorted(self.diff.removed_genfscons) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.removed_genfscons) + assert 2 == len(lst) rule = lst[0] - self.assertEqual("change_path", rule.fs) - self.assertEqual("/old", rule.path) - self.assertEqual("system:object_r:system:s0", rule.context) + assert "change_path" == rule.fs + assert "/old" == rule.path + assert "system:object_r:system:s0" == rule.context rule = lst[1] - self.assertEqual("removed_genfs", rule.fs) - self.assertEqual("/", rule.path) - self.assertEqual("system:object_r:system:s0", rule.context) + assert "removed_genfs" == rule.fs + assert "/" == rule.path + assert "system:object_r:system:s0" == rule.context - def test_modified_genfscons(self): + def test_modified_genfscons(self, analysis: setools.PolicyDifference) -> None: """Diff: modified genfscons.""" - lst = sorted(self.diff.modified_genfscons, key=lambda x: x.rule) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.modified_genfscons, key=lambda x: x.rule) + assert 1 == len(lst) rule, added_context, removed_context = astuple(lst[0]) - self.assertEqual("modified_genfs", rule.fs) - self.assertEqual("/", rule.path) - self.assertEqual("added_user:object_r:system:s0", added_context) - self.assertEqual("removed_user:object_r:system:s0", removed_context) + assert "modified_genfs" == rule.fs + assert "/" == rule.path + assert "added_user:object_r:system:s0" == added_context + assert "removed_user:object_r:system:s0" == removed_context # # level decl # - def test_added_levels(self): + def test_added_levels(self, analysis: setools.PolicyDifference) -> None: """Diff: added levels.""" - lst = sorted(self.diff.added_levels) - self.assertEqual(1, len(lst)) - self.assertEqual("s46:c0.c4", lst[0]) + lst = sorted(analysis.added_levels) + assert 1 == len(lst) + assert "s46:c0.c4" == lst[0] - def test_removed_levels(self): + def test_removed_levels(self, analysis: setools.PolicyDifference) -> None: """Diff: removed levels.""" - lst = sorted(self.diff.removed_levels) - self.assertEqual(1, len(lst)) - self.assertEqual("s47:c0.c4", lst[0]) + lst = sorted(analysis.removed_levels) + assert 1 == len(lst) + assert "s47:c0.c4" == lst[0] - def test_modified_levels(self): + def test_modified_levels(self, analysis: setools.PolicyDifference) -> None: """Diff: modified levels.""" - lst = sorted(self.diff.modified_levels) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.modified_levels) + assert 2 == len(lst) level = lst[0] - self.assertEqual("s40", level.level.sensitivity) - self.assertSetEqual(set(["c3"]), level.added_categories) - self.assertFalse(level.removed_categories) + assert "s40" == level.level.sensitivity + assert set(["c3"]) == level.added_categories + assert not level.removed_categories level = lst[1] - self.assertEqual("s41", level.level.sensitivity) - self.assertFalse(level.added_categories) - self.assertSetEqual(set(["c4"]), level.removed_categories) + assert "s41" == level.level.sensitivity + assert not level.added_categories + assert set(["c4"]) == level.removed_categories # # netifcon # - def test_added_netifcons(self): + def test_added_netifcons(self, analysis: setools.PolicyDifference) -> None: """Diff: added netifcons.""" - lst = sorted(self.diff.added_netifcons) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.added_netifcons) + assert 1 == len(lst) rule = lst[0] - self.assertEqual("added_netif", rule.netif) - self.assertEqual("system:object_r:system:s0", rule.context) - self.assertEqual("system:object_r:system:s0", rule.packet) + assert "added_netif" == rule.netif + assert "system:object_r:system:s0" == rule.context + assert "system:object_r:system:s0" == rule.packet - def test_removed_netifcons(self): + def test_removed_netifcons(self, analysis: setools.PolicyDifference) -> None: """Diff: removed netifcons.""" - lst = sorted(self.diff.removed_netifcons) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.removed_netifcons) + assert 1 == len(lst) rule = lst[0] - self.assertEqual("removed_netif", rule.netif) - self.assertEqual("system:object_r:system:s0", rule.context) - self.assertEqual("system:object_r:system:s0", rule.packet) + assert "removed_netif" == rule.netif + assert "system:object_r:system:s0" == rule.context + assert "system:object_r:system:s0" == rule.packet - def test_modified_netifcons(self): + def test_modified_netifcons(self, analysis: setools.PolicyDifference) -> None: """Diff: modified netifcons.""" - lst = sorted(self.diff.modified_netifcons, key=lambda x: x.rule) - self.assertEqual(3, len(lst)) + lst = sorted(analysis.modified_netifcons, key=lambda x: x.rule) + assert 3 == len(lst) # modified both contexts rule, added_context, removed_context, added_packet, removed_packet = astuple(lst[0]) - self.assertEqual("mod_both_netif", rule.netif) - self.assertEqual("added_user:object_r:system:s0", added_context) - self.assertEqual("removed_user:object_r:system:s0", removed_context) - self.assertEqual("added_user:object_r:system:s0", added_packet) - self.assertEqual("removed_user:object_r:system:s0", removed_packet) + assert "mod_both_netif" == rule.netif + assert "added_user:object_r:system:s0" == added_context + assert "removed_user:object_r:system:s0" == removed_context + assert "added_user:object_r:system:s0" == added_packet + assert "removed_user:object_r:system:s0" == removed_packet # modified context rule, added_context, removed_context, added_packet, removed_packet = astuple(lst[1]) - self.assertEqual("mod_ctx_netif", rule.netif) - self.assertEqual("added_user:object_r:system:s0", added_context) - self.assertEqual("removed_user:object_r:system:s0", removed_context) - self.assertIsNone(added_packet) - self.assertIsNone(removed_packet) + assert "mod_ctx_netif" == rule.netif + assert "added_user:object_r:system:s0" == added_context + assert "removed_user:object_r:system:s0" == removed_context + assert added_packet is None + assert removed_packet is None # modified packet context rule, added_context, removed_context, added_packet, removed_packet = astuple(lst[2]) - self.assertEqual("mod_pkt_netif", rule.netif) - self.assertIsNone(added_context) - self.assertIsNone(removed_context) - self.assertEqual("added_user:object_r:system:s0", added_packet) - self.assertEqual("removed_user:object_r:system:s0", removed_packet) + assert "mod_pkt_netif" == rule.netif + assert added_context is None + assert removed_context is None + assert "added_user:object_r:system:s0" == added_packet + assert "removed_user:object_r:system:s0" == removed_packet # # nodecons # - def test_added_nodecons(self): + def test_added_nodecons(self, analysis: setools.PolicyDifference) -> None: """Diff: added nodecons.""" - lst = sorted(self.diff.added_nodecons) - self.assertEqual(4, len(lst)) + lst = sorted(analysis.added_nodecons) + assert 4 == len(lst) # new IPv4 nodecon = lst[0] - self.assertEqual(IPv4Network("124.0.0.0/8"), nodecon.network) + assert IPv4Network("124.0.0.0/8") == nodecon.network # changed IPv4 netmask nodecon = lst[1] - self.assertEqual(IPv4Network("125.0.0.0/16"), nodecon.network) + assert IPv4Network("125.0.0.0/16") == nodecon.network # new IPv6 nodecon = lst[2] - self.assertEqual(IPv6Network("ff04::/62"), nodecon.network) + assert IPv6Network("ff04::/62") == nodecon.network # changed IPv6 netmask nodecon = lst[3] - self.assertEqual(IPv6Network("ff05::/60"), nodecon.network) + assert IPv6Network("ff05::/60") == nodecon.network - def test_removed_nodecons(self): + def test_removed_nodecons(self, analysis: setools.PolicyDifference) -> None: """Diff: removed nodecons.""" - lst = sorted(self.diff.removed_nodecons) - self.assertEqual(4, len(lst)) + lst = sorted(analysis.removed_nodecons) + assert 4 == len(lst) # new IPv4 nodecon = lst[0] - self.assertEqual(IPv4Network("122.0.0.0/8"), nodecon.network) + assert IPv4Network("122.0.0.0/8") == nodecon.network # changed IPv4 netmask nodecon = lst[1] - self.assertEqual(IPv4Network("125.0.0.0/8"), nodecon.network) + assert IPv4Network("125.0.0.0/8") == nodecon.network # new IPv6 nodecon = lst[2] - self.assertEqual(IPv6Network("ff02::/62"), nodecon.network) + assert IPv6Network("ff02::/62") == nodecon.network # changed IPv6 netmask nodecon = lst[3] - self.assertEqual(IPv6Network("ff05::/62"), nodecon.network) + assert IPv6Network("ff05::/62") == nodecon.network - def test_modified_nodecons(self): + def test_modified_nodecons(self, analysis: setools.PolicyDifference) -> None: """Diff: modified nodecons.""" - lst = sorted(self.diff.modified_nodecons, key=lambda x: x.rule) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.modified_nodecons, key=lambda x: x.rule) + assert 2 == len(lst) # changed IPv4 nodecon, added_context, removed_context = astuple(lst[0]) - self.assertEqual(IPv4Network("123.0.0.0/8"), nodecon.network) - self.assertEqual("modified_change_level:object_r:system:s2:c0", added_context) - self.assertEqual("modified_change_level:object_r:system:s2:c1", removed_context) + assert IPv4Network("123.0.0.0/8") == nodecon.network + assert "modified_change_level:object_r:system:s2:c0" == added_context + assert "modified_change_level:object_r:system:s2:c1" == removed_context # changed IPv6 nodecon, added_context, removed_context = astuple(lst[1]) - self.assertEqual(IPv6Network("ff03::/62"), nodecon.network) - self.assertEqual("modified_change_level:object_r:system:s2:c1", added_context) - self.assertEqual("modified_change_level:object_r:system:s2:c0.c1", removed_context) + assert IPv6Network("ff03::/62") == nodecon.network + assert "modified_change_level:object_r:system:s2:c1" == added_context + assert "modified_change_level:object_r:system:s2:c0.c1" == removed_context # # Policy capabilities # - def test_added_polcaps(self): + def test_added_polcaps(self, analysis: setools.PolicyDifference) -> None: """Diff: added polcaps.""" - self.assertSetEqual(set(["always_check_network"]), self.diff.added_polcaps) + assert set(["always_check_network"]) == analysis.added_polcaps - def test_removed_polcaps(self): + def test_removed_polcaps(self, analysis: setools.PolicyDifference) -> None: """Diff: removed polcaps.""" - self.assertSetEqual(set(["network_peer_controls"]), self.diff.removed_polcaps) + assert set(["network_peer_controls"]) == analysis.removed_polcaps # # portcons # - def test_added_portcons(self): + def test_added_portcons(self, analysis: setools.PolicyDifference) -> None: """Diff: added portcons.""" - lst = sorted(self.diff.added_portcons) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.added_portcons) + assert 2 == len(lst) portcon = lst[0] - self.assertEqual(PortconProtocol.tcp, portcon.protocol) - self.assertEqual(PortconRange(2024, 2026), portcon.ports) + assert PortconProtocol.tcp == portcon.protocol + assert PortconRange(2024, 2026) == portcon.ports portcon = lst[1] - self.assertEqual(PortconProtocol.udp, portcon.protocol) - self.assertEqual(PortconRange(2024, 2024), portcon.ports) + assert PortconProtocol.udp == portcon.protocol + assert PortconRange(2024, 2024) == portcon.ports - def test_removed_portcons(self): + def test_removed_portcons(self, analysis: setools.PolicyDifference) -> None: """Diff: removed portcons.""" - lst = sorted(self.diff.removed_portcons) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.removed_portcons) + assert 2 == len(lst) portcon = lst[0] - self.assertEqual(PortconProtocol.tcp, portcon.protocol) - self.assertEqual(PortconRange(1024, 1026), portcon.ports) + assert PortconProtocol.tcp == portcon.protocol + assert PortconRange(1024, 1026) == portcon.ports portcon = lst[1] - self.assertEqual(PortconProtocol.udp, portcon.protocol) - self.assertEqual(PortconRange(1024, 1024), portcon.ports) + assert PortconProtocol.udp == portcon.protocol + assert PortconRange(1024, 1024) == portcon.ports - def test_modified_portcons(self): + def test_modified_portcons(self, analysis: setools.PolicyDifference) -> None: """Diff: modified portcons.""" - lst = sorted(self.diff.modified_portcons, key=lambda x: x.rule) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.modified_portcons, key=lambda x: x.rule) + assert 2 == len(lst) portcon, added_context, removed_context = astuple(lst[0]) - self.assertEqual(PortconProtocol.tcp, portcon.protocol) - self.assertEqual(PortconRange(3024, 3026), portcon.ports) - self.assertEqual("added_user:object_r:system:s1", added_context) - self.assertEqual("removed_user:object_r:system:s0", removed_context) + assert PortconProtocol.tcp == portcon.protocol + assert PortconRange(3024, 3026) == portcon.ports + assert "added_user:object_r:system:s1" == added_context + assert "removed_user:object_r:system:s0" == removed_context portcon, added_context, removed_context = astuple(lst[1]) - self.assertEqual(PortconProtocol.udp, portcon.protocol) - self.assertEqual(PortconRange(3024, 3024), portcon.ports) - self.assertEqual("added_user:object_r:system:s1", added_context) - self.assertEqual("removed_user:object_r:system:s0", removed_context) + assert PortconProtocol.udp == portcon.protocol + assert PortconRange(3024, 3024) == portcon.ports + assert "added_user:object_r:system:s1" == added_context + assert "removed_user:object_r:system:s0" == removed_context # # defaults # - def test_added_defaults(self): + def test_added_defaults(self, analysis: setools.PolicyDifference) -> None: """Diff: added defaults.""" - lst = sorted(self.diff.added_defaults) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.added_defaults) + assert 2 == len(lst) default = lst[0] - self.assertEqual(DRT.default_range, default.ruletype) - self.assertEqual("infoflow2", default.tclass) + assert DRT.default_range == default.ruletype + assert "infoflow2" == default.tclass default = lst[1] - self.assertEqual(DRT.default_user, default.ruletype) - self.assertEqual("infoflow2", default.tclass) + assert DRT.default_user == default.ruletype + assert "infoflow2" == default.tclass - def test_removed_defaults(self): + def test_removed_defaults(self, analysis: setools.PolicyDifference) -> None: """Diff: removed defaults.""" - lst = sorted(self.diff.removed_defaults) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.removed_defaults) + assert 2 == len(lst) default = lst[0] - self.assertEqual(DRT.default_range, default.ruletype) - self.assertEqual("infoflow3", default.tclass) + assert DRT.default_range == default.ruletype + assert "infoflow3" == default.tclass default = lst[1] - self.assertEqual(DRT.default_role, default.ruletype) - self.assertEqual("infoflow3", default.tclass) + assert DRT.default_role == default.ruletype + assert "infoflow3" == default.tclass - def test_modified_defaults(self): + def test_modified_defaults(self, analysis: setools.PolicyDifference) -> None: """Diff: modified defaults.""" - lst = sorted(self.diff.modified_defaults, key=lambda x: x.rule) - self.assertEqual(4, len(lst)) + lst = sorted(analysis.modified_defaults, key=lambda x: x.rule) + assert 4 == len(lst) default, added_default, removed_default, added_range, removed_range = astuple(lst[0]) - self.assertEqual(DRT.default_range, default.ruletype) - self.assertEqual("infoflow4", default.tclass) - self.assertEqual(DV.target, added_default) - self.assertEqual(DV.source, removed_default) - self.assertIsNone(added_range) - self.assertIsNone(removed_range) + assert DRT.default_range == default.ruletype + assert "infoflow4" == default.tclass + assert DV.target == added_default + assert DV.source == removed_default + assert added_range is None + assert removed_range is None default, added_default, removed_default, added_range, removed_range = astuple(lst[1]) - self.assertEqual(DRT.default_range, default.ruletype) - self.assertEqual("infoflow5", default.tclass) - self.assertIsNone(added_default) - self.assertIsNone(removed_default) - self.assertEqual(DRV.high, added_range) - self.assertEqual(DRV.low, removed_range) + assert DRT.default_range == default.ruletype + assert "infoflow5" == default.tclass + assert added_default is None + assert removed_default is None + assert DRV.high == added_range + assert DRV.low == removed_range default, added_default, removed_default, added_range, removed_range = astuple(lst[2]) - self.assertEqual(DRT.default_range, default.ruletype) - self.assertEqual("infoflow6", default.tclass) - self.assertEqual(DV.target, added_default) - self.assertEqual(DV.source, removed_default) - self.assertEqual(DRV.low, added_range) - self.assertEqual(DRV.high, removed_range) + assert DRT.default_range == default.ruletype + assert "infoflow6" == default.tclass + assert DV.target == added_default + assert DV.source == removed_default + assert DRV.low == added_range + assert DRV.high == removed_range default, added_default, removed_default, added_range, removed_range = astuple(lst[3]) - self.assertEqual(DRT.default_type, default.ruletype) - self.assertEqual("infoflow4", default.tclass) - self.assertEqual(DV.target, added_default) - self.assertEqual(DV.source, removed_default) - self.assertIsNone(added_range) - self.assertIsNone(removed_range) + assert DRT.default_type == default.ruletype + assert "infoflow4" == default.tclass + assert DV.target == added_default + assert DV.source == removed_default + assert added_range is None + assert removed_range is None # # constrains # - def test_added_constrains(self): + def test_added_constrains(self, analysis: setools.PolicyDifference) -> None: """Diff: added constrains.""" - lst = sorted(self.diff.added_constrains) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.added_constrains) + assert 2 == len(lst) constrain = lst[0] - self.assertEqual(CRT.constrain, constrain.ruletype) - self.assertEqual("infoflow3", constrain.tclass) - self.assertSetEqual(set(["null"]), constrain.perms) - self.assertEqual(["u1", "u2", "!="], constrain.expression) + assert CRT.constrain == constrain.ruletype + assert "infoflow3" == constrain.tclass + assert set(["null"]) == constrain.perms + assert ["u1", "u2", "!="] == constrain.expression constrain = lst[1] - self.assertEqual(CRT.constrain, constrain.ruletype) - self.assertEqual("infoflow5", constrain.tclass) - self.assertSetEqual(set(["hi_r"]), constrain.perms) - self.assertEqual( - ['u1', 'u2', '==', 'r1', 'r2', '==', 'and', 't1', set(["system"]), '!=', 'or'], - constrain.expression) - - def test_removed_constrains(self): + assert CRT.constrain == constrain.ruletype + assert "infoflow5" == constrain.tclass + assert set(["hi_r"]) == constrain.perms + assert ['u1', 'u2', '==', 'r1', 'r2', '==', 'and', 't1', set(["system"]), '!=', 'or'] \ + == constrain.expression + + def test_removed_constrains(self, analysis: setools.PolicyDifference) -> None: """Diff: removed constrains.""" - lst = sorted(self.diff.removed_constrains) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.removed_constrains) + assert 2 == len(lst) constrain = lst[0] - self.assertEqual(CRT.constrain, constrain.ruletype) - self.assertEqual("infoflow4", constrain.tclass) - self.assertSetEqual(set(["hi_w"]), constrain.perms) - self.assertEqual(["u1", "u2", "!="], constrain.expression) + assert CRT.constrain == constrain.ruletype + assert "infoflow4" == constrain.tclass + assert set(["hi_w"]) == constrain.perms + assert ["u1", "u2", "!="] == constrain.expression constrain = lst[1] - self.assertEqual(CRT.constrain, constrain.ruletype) - self.assertEqual("infoflow5", constrain.tclass) - self.assertSetEqual(set(["hi_r"]), constrain.perms) - self.assertEqual( - ['u1', 'u2', '==', 'r1', 'r2', '==', 'and', 't1', set(["system"]), '==', 'or'], - constrain.expression) + assert CRT.constrain == constrain.ruletype + assert "infoflow5" == constrain.tclass + assert set(["hi_r"]) == constrain.perms + assert ['u1', 'u2', '==', 'r1', 'r2', '==', 'and', 't1', set(["system"]), '==', 'or'] == \ + constrain.expression # # mlsconstrains # - def test_added_mlsconstrains(self): + def test_added_mlsconstrains(self, analysis: setools.PolicyDifference) -> None: """Diff: added mlsconstrains.""" - lst = sorted(self.diff.added_mlsconstrains) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.added_mlsconstrains) + assert 2 == len(lst) mlsconstrain = lst[0] - self.assertEqual(CRT.mlsconstrain, mlsconstrain.ruletype) - self.assertEqual("infoflow3", mlsconstrain.tclass) - self.assertSetEqual(set(["null"]), mlsconstrain.perms) - self.assertEqual( - ['l1', 'l2', 'domby', 'h1', 'h2', 'domby', 'and', - 't1', set(["mls_exempt"]), '!=', 'or'], - mlsconstrain.expression) + assert CRT.mlsconstrain == mlsconstrain.ruletype + assert "infoflow3" == mlsconstrain.tclass + assert set(["null"]) == mlsconstrain.perms + assert ['l1', 'l2', 'domby', 'h1', 'h2', 'domby', 'and', + 't1', set(["mls_exempt"]), '!=', 'or'] == mlsconstrain.expression mlsconstrain = lst[1] - self.assertEqual(CRT.mlsconstrain, mlsconstrain.ruletype) - self.assertEqual("infoflow5", mlsconstrain.tclass) - self.assertSetEqual(set(["hi_r"]), mlsconstrain.perms) - self.assertEqual( - ['l1', 'l2', 'domby', 'h1', 'h2', 'incomp', - 'and', 't1', set(["mls_exempt"]), '==', 'or'], - mlsconstrain.expression) - - def test_removed_mlsconstrains(self): + assert CRT.mlsconstrain == mlsconstrain.ruletype + assert "infoflow5" == mlsconstrain.tclass + assert set(["hi_r"]) == mlsconstrain.perms + assert ['l1', 'l2', 'domby', 'h1', 'h2', 'incomp', + 'and', 't1', set(["mls_exempt"]), '==', 'or'] == mlsconstrain.expression + + def test_removed_mlsconstrains(self, analysis: setools.PolicyDifference) -> None: """Diff: removed mlsconstrains.""" - lst = sorted(self.diff.removed_mlsconstrains) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.removed_mlsconstrains) + assert 2 == len(lst) mlsconstrain = lst[0] - self.assertEqual(CRT.mlsconstrain, mlsconstrain.ruletype) - self.assertEqual("infoflow4", mlsconstrain.tclass) - self.assertSetEqual(set(["hi_w"]), mlsconstrain.perms) - self.assertEqual( - ['l1', 'l2', 'domby', 'h1', 'h2', 'domby', 'and', - 't1', set(["mls_exempt"]), '==', 'or'], - mlsconstrain.expression) + assert CRT.mlsconstrain == mlsconstrain.ruletype + assert "infoflow4" == mlsconstrain.tclass + assert set(["hi_w"]) == mlsconstrain.perms + assert ['l1', 'l2', 'domby', 'h1', 'h2', 'domby', 'and', + 't1', set(["mls_exempt"]), '==', 'or'] == mlsconstrain.expression mlsconstrain = lst[1] - self.assertEqual(CRT.mlsconstrain, mlsconstrain.ruletype) - self.assertEqual("infoflow5", mlsconstrain.tclass) - self.assertSetEqual(set(["hi_r"]), mlsconstrain.perms) - self.assertEqual( - ['l1', 'l2', 'domby', 'h1', 'h2', 'dom', 'and', 't1', set(["mls_exempt"]), '==', 'or'], - mlsconstrain.expression) + assert CRT.mlsconstrain == mlsconstrain.ruletype + assert "infoflow5" == mlsconstrain.tclass + assert set(["hi_r"]) == mlsconstrain.perms + assert ['l1', 'l2', 'domby', 'h1', 'h2', 'dom', 'and', 't1', set(["mls_exempt"]), '==', + 'or'] == mlsconstrain.expression # # validatetrans # - def test_added_validatetrans(self): + def test_added_validatetrans(self, analysis: setools.PolicyDifference) -> None: """Diff: added validatetrans.""" - lst = sorted(self.diff.added_validatetrans) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.added_validatetrans) + assert 2 == len(lst) validatetrans = lst[0] - self.assertEqual(CRT.validatetrans, validatetrans.ruletype) - self.assertEqual("infoflow3", validatetrans.tclass) - self.assertEqual( - ['t1', 't2', '==', 't3', set(["system"]), '==', 'or'], - validatetrans.expression) + assert CRT.validatetrans == validatetrans.ruletype + assert "infoflow3" == validatetrans.tclass + assert ['t1', 't2', '==', 't3', set(["system"]), '==', 'or'] == validatetrans.expression validatetrans = lst[1] - self.assertEqual(CRT.validatetrans, validatetrans.ruletype) - self.assertEqual("infoflow5", validatetrans.tclass) - self.assertEqual( - ['u1', 'u2', '!=', 'r1', 'r2', '==', 'and', 't3', set(["system"]), '==', 'or'], - validatetrans.expression) + assert CRT.validatetrans == validatetrans.ruletype + assert "infoflow5" == validatetrans.tclass + assert ['u1', 'u2', '!=', 'r1', 'r2', '==', 'and', 't3', set(["system"]), '==', 'or'] \ + == validatetrans.expression - def test_removed_validatetrans(self): + def test_removed_validatetrans(self, analysis: setools.PolicyDifference) -> None: """Diff: removed validatetrans.""" - lst = sorted(self.diff.removed_validatetrans) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.removed_validatetrans) + assert 2 == len(lst) validatetrans = lst[0] - self.assertEqual(CRT.validatetrans, validatetrans.ruletype) - self.assertEqual("infoflow4", validatetrans.tclass) - self.assertEqual( - ['u1', 'u2', '==', 't3', set(["system"]), '==', 'or'], - validatetrans.expression) + assert CRT.validatetrans == validatetrans.ruletype + assert "infoflow4" == validatetrans.tclass + assert ['u1', 'u2', '==', 't3', set(["system"]), '==', 'or'] == validatetrans.expression validatetrans = lst[1] - self.assertEqual(CRT.validatetrans, validatetrans.ruletype) - self.assertEqual("infoflow5", validatetrans.tclass) - self.assertEqual( - ['u1', 'u2', '==', 'r1', 'r2', '!=', 'and', 't3', set(["system"]), '==', 'or'], - validatetrans.expression) + assert CRT.validatetrans == validatetrans.ruletype + assert "infoflow5" == validatetrans.tclass + assert ['u1', 'u2', '==', 'r1', 'r2', '!=', 'and', 't3', set(["system"]), '==', 'or'] \ + == validatetrans.expression # # mlsvalidatetrans # - def test_added_mlsvalidatetrans(self): + def test_added_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None: """Diff: added mlsvalidatetrans.""" - lst = sorted(self.diff.added_mlsvalidatetrans) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.added_mlsvalidatetrans) + assert 2 == len(lst) mlsvalidatetrans = lst[0] - self.assertEqual(CRT.mlsvalidatetrans, mlsvalidatetrans.ruletype) - self.assertEqual("infoflow3", mlsvalidatetrans.tclass) - self.assertEqual( - ['l1', 'l2', '==', 'h1', 'h2', '==', 'and', 't3', set(["mls_exempt"]), '==', 'or'], - mlsvalidatetrans.expression) + assert CRT.mlsvalidatetrans == mlsvalidatetrans.ruletype + assert "infoflow3" == mlsvalidatetrans.tclass + assert ['l1', 'l2', '==', 'h1', 'h2', '==', 'and', 't3', set(["mls_exempt"]), '==', + 'or'] == mlsvalidatetrans.expression mlsvalidatetrans = lst[1] - self.assertEqual(CRT.mlsvalidatetrans, mlsvalidatetrans.ruletype) - self.assertEqual("infoflow5", mlsvalidatetrans.tclass) - self.assertEqual( - ['l1', 'l2', 'incomp', 'h1', 'h2', 'domby', - 'and', 't3', set(["mls_exempt"]), '==', 'or'], - mlsvalidatetrans.expression) - - def test_removed_mlsvalidatetrans(self): + assert CRT.mlsvalidatetrans == mlsvalidatetrans.ruletype + assert "infoflow5" == mlsvalidatetrans.tclass + assert ['l1', 'l2', 'incomp', 'h1', 'h2', 'domby', 'and', 't3', set(["mls_exempt"]), '==', + 'or'] == mlsvalidatetrans.expression + + def test_removed_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None: """Diff: removed mlsvalidatetrans.""" - lst = sorted(self.diff.removed_mlsvalidatetrans) - self.assertEqual(2, len(lst)) + lst = sorted(analysis.removed_mlsvalidatetrans) + assert 2 == len(lst) mlsvalidatetrans = lst[0] - self.assertEqual(CRT.mlsvalidatetrans, mlsvalidatetrans.ruletype) - self.assertEqual("infoflow4", mlsvalidatetrans.tclass) - self.assertEqual( - ['l1', 'l2', '==', 'h1', 'h2', '==', 'and', 't3', set(["mls_exempt"]), '==', 'or'], - mlsvalidatetrans.expression) + assert CRT.mlsvalidatetrans == mlsvalidatetrans.ruletype + assert "infoflow4" == mlsvalidatetrans.tclass + assert ['l1', 'l2', '==', 'h1', 'h2', '==', 'and', 't3', set(["mls_exempt"]), '==', + 'or'] == mlsvalidatetrans.expression mlsvalidatetrans = lst[1] - self.assertEqual(CRT.mlsvalidatetrans, mlsvalidatetrans.ruletype) - self.assertEqual("infoflow5", mlsvalidatetrans.tclass) - self.assertEqual( - ['l1', 'l2', 'dom', 'h1', 'h2', 'dom', 'and', 't3', set(["mls_exempt"]), '==', 'or'], - mlsvalidatetrans.expression) + assert CRT.mlsvalidatetrans == mlsvalidatetrans.ruletype + assert "infoflow5" == mlsvalidatetrans.tclass + assert ['l1', 'l2', 'dom', 'h1', 'h2', 'dom', 'and', 't3', set(["mls_exempt"]), '==', + 'or'] == mlsvalidatetrans.expression # # typebounds # - def test_added_typebounds(self): + def test_added_typebounds(self, analysis: setools.PolicyDifference) -> None: """Diff: added typebounds.""" - lst = sorted(self.diff.added_typebounds) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.added_typebounds) + assert 1 == len(lst) bounds = lst[0] - self.assertEqual(BRT.typebounds, bounds.ruletype) - self.assertEqual("added_parent", bounds.parent) - self.assertEqual("added_child", bounds.child) + assert BRT.typebounds == bounds.ruletype + assert "added_parent" == bounds.parent + assert "added_child" == bounds.child - def test_removed_typebounds(self): + def test_removed_typebounds(self, analysis: setools.PolicyDifference) -> None: """Diff: removed typebounds.""" - lst = sorted(self.diff.removed_typebounds) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.removed_typebounds) + assert 1 == len(lst) bounds = lst[0] - self.assertEqual(BRT.typebounds, bounds.ruletype) - self.assertEqual("removed_parent", bounds.parent) - self.assertEqual("removed_child", bounds.child) + assert BRT.typebounds == bounds.ruletype + assert "removed_parent" == bounds.parent + assert "removed_child" == bounds.child - def test_modified_typebounds(self): + def test_modified_typebounds(self, analysis: setools.PolicyDifference) -> None: """Diff: modified typebounds.""" - lst = sorted(self.diff.modified_typebounds, key=lambda x: x.rule) - self.assertEqual(1, len(lst)) + lst = sorted(analysis.modified_typebounds, key=lambda x: x.rule) + assert 1 == len(lst) bounds, added_bound, removed_bound = astuple(lst[0]) - self.assertEqual(BRT.typebounds, bounds.ruletype) - self.assertEqual("mod_child", bounds.child) - self.assertEqual("mod_parent_added", added_bound) - self.assertEqual("mod_parent_removed", removed_bound) + assert BRT.typebounds == bounds.ruletype + assert "mod_child" == bounds.child + assert "mod_parent_added" == added_bound + assert "mod_parent_removed" == removed_bound # # Allowxperm rules # - def test_added_allowxperm_rules(self): + def test_added_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added allowxperm rules.""" - rules = sorted(self.diff.added_allowxperms) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.added_allowxperms) + assert 2 == len(rules) # added rule with new type self.validate_rule(rules[0], TRT.allowxperm, "added_type", "added_type", "infoflow7", - set([0x0009]), xperm="ioctl") + setools.IoctlSet([0x0009]), xperm="ioctl") # added rule with existing types self.validate_rule(rules[1], TRT.allowxperm, "ax_added_rule_source", "ax_added_rule_target", - "infoflow", set([0x0002]), xperm="ioctl") + "infoflow", setools.IoctlSet([0x0002]), xperm="ioctl") - def test_removed_allowxperm_rules(self): + def test_removed_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed allowxperm rules.""" - rules = sorted(self.diff.removed_allowxperms) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.removed_allowxperms) + assert 2 == len(rules) # removed rule with existing types self.validate_rule(rules[0], TRT.allowxperm, "ax_removed_rule_source", - "ax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + "ax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), + xperm="ioctl") # removed rule with new type self.validate_rule(rules[1], TRT.allowxperm, "removed_type", "removed_type", "infoflow7", - set([0x0009]), xperm="ioctl") + setools.IoctlSet([0x0009]), xperm="ioctl") - def test_modified_allowxperm_rules(self): + def test_modified_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified allowxperm rules.""" - lst = sorted(self.diff.modified_allowxperms, key=lambda x: x.rule) - self.assertEqual(3, len(lst)) + lst = sorted(analysis.modified_allowxperms, key=lambda x: x.rule) + assert 3 == len(lst) # add permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[0]) - self.assertEqual(TRT.allowxperm, rule.ruletype) - self.assertEqual("ax_modified_rule_add_perms", rule.source) - self.assertEqual("ax_modified_rule_add_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertSetEqual(set([0x000f]), added_perms) - self.assertFalse(removed_perms) - self.assertSetEqual(set([0x0004]), matched_perms) + assert TRT.allowxperm == rule.ruletype + assert "ax_modified_rule_add_perms" == rule.source + assert "ax_modified_rule_add_perms" == rule.target + assert "infoflow" == rule.tclass + assert setools.IoctlSet([0x000f]) == added_perms + assert not removed_perms + assert setools.IoctlSet([0x0004]) == matched_perms # add and remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[1]) - self.assertEqual(TRT.allowxperm, rule.ruletype) - self.assertEqual("ax_modified_rule_add_remove_perms", rule.source) - self.assertEqual("ax_modified_rule_add_remove_perms", rule.target) - self.assertEqual("infoflow2", rule.tclass) - self.assertSetEqual(set([0x0006]), added_perms) - self.assertSetEqual(set([0x0007]), removed_perms) - self.assertSetEqual(set([0x0008]), matched_perms) + assert TRT.allowxperm == rule.ruletype + assert "ax_modified_rule_add_remove_perms" == rule.source + assert "ax_modified_rule_add_remove_perms" == rule.target + assert "infoflow2" == rule.tclass + assert setools.IoctlSet([0x0006]) == added_perms + assert setools.IoctlSet([0x0007]) == removed_perms + assert setools.IoctlSet([0x0008]) == matched_perms # remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[2]) - self.assertEqual(TRT.allowxperm, rule.ruletype) - self.assertEqual("ax_modified_rule_remove_perms", rule.source) - self.assertEqual("ax_modified_rule_remove_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertFalse(added_perms) - self.assertSetEqual(set([0x0006]), removed_perms) - self.assertSetEqual(set([0x0005]), matched_perms) + assert TRT.allowxperm == rule.ruletype + assert "ax_modified_rule_remove_perms" == rule.source + assert "ax_modified_rule_remove_perms" == rule.target + assert "infoflow" == rule.tclass + assert not added_perms + assert setools.IoctlSet([0x0006]) == removed_perms + assert setools.IoctlSet([0x0005]) == matched_perms # # Auditallowxperm rules # - def test_added_auditallowxperm_rules(self): + def test_added_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added auditallowxperm rules.""" - rules = sorted(self.diff.added_auditallowxperms) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.added_auditallowxperms) + assert 2 == len(rules) # added rule with existing types self.validate_rule(rules[0], TRT.auditallowxperm, "aax_added_rule_source", - "aax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + "aax_added_rule_target", "infoflow", setools.IoctlSet([0x0002]), + xperm="ioctl") # added rule with new type self.validate_rule(rules[1], TRT.auditallowxperm, "added_type", "added_type", "infoflow7", - set([0x0009]), xperm="ioctl") + setools.IoctlSet([0x0009]), xperm="ioctl") - def test_removed_auditallowxperm_rules(self): + def test_removed_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed auditallowxperm rules.""" - rules = sorted(self.diff.removed_auditallowxperms) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.removed_auditallowxperms) + assert 2 == len(rules) # removed rule with existing types self.validate_rule(rules[0], TRT.auditallowxperm, "aax_removed_rule_source", - "aax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + "aax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), + xperm="ioctl") # removed rule with new type self.validate_rule(rules[1], TRT.auditallowxperm, "removed_type", "removed_type", - "infoflow7", set([0x0009]), xperm="ioctl") + "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") - def test_modified_auditallowxperm_rules(self): + def test_modified_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified auditallowxperm rules.""" - lst = sorted(self.diff.modified_auditallowxperms, key=lambda x: x.rule) - self.assertEqual(3, len(lst)) + lst = sorted(analysis.modified_auditallowxperms, key=lambda x: x.rule) + assert 3 == len(lst) # add permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[0]) - self.assertEqual(TRT.auditallowxperm, rule.ruletype) - self.assertEqual("aax_modified_rule_add_perms", rule.source) - self.assertEqual("aax_modified_rule_add_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertSetEqual(set([0x000f]), added_perms) - self.assertFalse(removed_perms) - self.assertSetEqual(set([0x0004]), matched_perms) + assert TRT.auditallowxperm == rule.ruletype + assert "aax_modified_rule_add_perms" == rule.source + assert "aax_modified_rule_add_perms" == rule.target + assert "infoflow" == rule.tclass + assert setools.IoctlSet([0x000f]) == added_perms + assert not removed_perms + assert setools.IoctlSet([0x0004]) == matched_perms # add and remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[1]) - self.assertEqual(TRT.auditallowxperm, rule.ruletype) - self.assertEqual("aax_modified_rule_add_remove_perms", rule.source) - self.assertEqual("aax_modified_rule_add_remove_perms", rule.target) - self.assertEqual("infoflow2", rule.tclass) - self.assertSetEqual(set([0x0006]), added_perms) - self.assertSetEqual(set([0x0007]), removed_perms) - self.assertSetEqual(set([0x0008]), matched_perms) + assert TRT.auditallowxperm == rule.ruletype + assert "aax_modified_rule_add_remove_perms" == rule.source + assert "aax_modified_rule_add_remove_perms" == rule.target + assert "infoflow2" == rule.tclass + assert setools.IoctlSet([0x0006]) == added_perms + assert setools.IoctlSet([0x0007]) == removed_perms + assert setools.IoctlSet([0x0008]) == matched_perms # remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[2]) - self.assertEqual(TRT.auditallowxperm, rule.ruletype) - self.assertEqual("aax_modified_rule_remove_perms", rule.source) - self.assertEqual("aax_modified_rule_remove_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertFalse(added_perms) - self.assertSetEqual(set([0x0006]), removed_perms) - self.assertSetEqual(set([0x0005]), matched_perms) + assert TRT.auditallowxperm == rule.ruletype + assert "aax_modified_rule_remove_perms" == rule.source + assert "aax_modified_rule_remove_perms" == rule.target + assert "infoflow" == rule.tclass + assert not added_perms + assert setools.IoctlSet([0x0006]) == removed_perms + assert setools.IoctlSet([0x0005]) == matched_perms # # Neverallowxperm rules # - def test_added_neverallowxperm_rules(self): + def test_added_neverallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added neverallowxperm rules.""" - self.assertFalse(self.diff.added_neverallowxperms) + assert not analysis.added_neverallowxperms # changed after dropping source policy support - # rules = sorted(self.diff.added_neverallowxperms) - # self.assertEqual(2, len(rules)) + # rules = sorted(analysis.added_neverallowxperms) + # assert 2 == len(rules) # # # added rule with new type - # self.validate_rule(rules[0], TRT.neverallowxperm, "added_type", "added_type", "infoflow7", - # set([0x0009]), xperm="ioctl") + # self.validate_rule(rules[0], TRT.neverallowxperm, "added_type", "added_type", + # "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") # # # added rule with existing types # self.validate_rule(rules[1], TRT.neverallowxperm, "nax_added_rule_source", - # "nax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + # "nax_added_rule_target", "infoflow", setools.IoctlSet([0x0002]), + # xperm="ioctl") - def test_removed_neverallowxperm_rules(self): + def test_removed_neverallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed neverallowxperm rules.""" - self.assertFalse(self.diff.removed_neverallowxperms) + assert not analysis.removed_neverallowxperms # changed after dropping source policy support - # rules = sorted(self.diff.removed_neverallowxperms) - # self.assertEqual(2, len(rules)) + # rules = sorted(analysis.removed_neverallowxperms) + # assert 2 == len(rules) # # # removed rule with existing types # self.validate_rule(rules[0], TRT.neverallowxperm, "nax_removed_rule_source", - # "nax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + # "nax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), + # xperm="ioctl") # # # removed rule with new type # self.validate_rule(rules[1], TRT.neverallowxperm, "removed_type", "removed_type", - # "infoflow7", set([0x0009]), xperm="ioctl") + # "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") - def test_modified_neverallowxperm_rules(self): + def test_modified_neverallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified neverallowxperm rules.""" - self.assertFalse(self.diff.modified_neverallowxperms) + assert not analysis.modified_neverallowxperms # changed after dropping source policy support - # l = sorted(self.diff.modified_neverallowxperms, key=lambda x: x.rule) - # self.assertEqual(3, len(l)) + # l = sorted(analysis.modified_neverallowxperms, key=lambda x: x.rule) + # assert 3 == len(l) # # # add permissions # rule, added_perms, removed_perms, matched_perms = l[0] - # self.assertEqual(TRT.neverallowxperm, rule.ruletype) - # self.assertEqual("nax_modified_rule_add_perms", rule.source) - # self.assertEqual("nax_modified_rule_add_perms", rule.target) - # self.assertEqual("infoflow", rule.tclass) - # self.assertSetEqual(set([0x000f]), added_perms) - # self.assertFalse(removed_perms) - # self.assertSetEqual(set([0x0004]), matched_perms) + # assert TRT.neverallowxperm == rule.ruletype + # assert "nax_modified_rule_add_perms" == rule.source + # assert "nax_modified_rule_add_perms" == rule.target + # assert "infoflow" == rule.tclass + # assert setools.IoctlSet([0x000f]) == added_perms + # assert not removed_perms + # assert setools.IoctlSet([0x0004]) == matched_perms # # # add and remove permissions # rule, added_perms, removed_perms, matched_perms = l[1] - # self.assertEqual(TRT.neverallowxperm, rule.ruletype) - # self.assertEqual("nax_modified_rule_add_remove_perms", rule.source) - # self.assertEqual("nax_modified_rule_add_remove_perms", rule.target) - # self.assertEqual("infoflow2", rule.tclass) - # self.assertSetEqual(set([0x0006]), added_perms) - # self.assertSetEqual(set([0x0007]), removed_perms) - # self.assertSetEqual(set([0x0008]), matched_perms) + # assert TRT.neverallowxperm == rule.ruletype + # assert "nax_modified_rule_add_remove_perms" == rule.source + # assert "nax_modified_rule_add_remove_perms" == rule.target + # assert "infoflow2" == rule.tclass + # assert setools.IoctlSet([0x0006]) == added_perms + # assert setools.IoctlSet([0x0007]) == removed_perms + # assert setools.IoctlSet([0x0008]) == matched_perms # # # remove permissions # rule, added_perms, removed_perms, matched_perms = l[2] - # self.assertEqual(TRT.neverallowxperm, rule.ruletype) - # self.assertEqual("nax_modified_rule_remove_perms", rule.source) - # self.assertEqual("nax_modified_rule_remove_perms", rule.target) - # self.assertEqual("infoflow", rule.tclass) - # self.assertFalse(added_perms) - # self.assertSetEqual(set([0x0006]), removed_perms) - # self.assertSetEqual(set([0x0005]), matched_perms) + # assert TRT.neverallowxperm == rule.ruletype + # assert "nax_modified_rule_remove_perms" == rule.source + # assert "nax_modified_rule_remove_perms" == rule.target + # assert "infoflow" == rule.tclass + # assert not added_perms + # assert setools.IoctlSet([0x0006]) == removed_perms + # assert setools.IoctlSet([0x0005]) == matched_perms # # Dontauditxperm rules # - def test_added_dontauditxperm_rules(self): + def test_added_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: added dontauditxperm rules.""" - rules = sorted(self.diff.added_dontauditxperms) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.added_dontauditxperms) + assert 2 == len(rules) # added rule with new type self.validate_rule(rules[0], TRT.dontauditxperm, "added_type", "added_type", "infoflow7", - set([0x0009]), xperm="ioctl") + setools.IoctlSet([0x0009]), xperm="ioctl") # added rule with existing types self.validate_rule(rules[1], TRT.dontauditxperm, "dax_added_rule_source", - "dax_added_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + "dax_added_rule_target", "infoflow", setools.IoctlSet([0x0002]), + xperm="ioctl") - def test_removed_dontauditxperm_rules(self): + def test_removed_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed dontauditxperm rules.""" - rules = sorted(self.diff.removed_dontauditxperms) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.removed_dontauditxperms) + assert 2 == len(rules) # removed rule with existing types self.validate_rule(rules[0], TRT.dontauditxperm, "dax_removed_rule_source", - "dax_removed_rule_target", "infoflow", set([0x0002]), xperm="ioctl") + "dax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), + xperm="ioctl") # removed rule with new type self.validate_rule(rules[1], TRT.dontauditxperm, "removed_type", "removed_type", - "infoflow7", set([0x0009]), xperm="ioctl") + "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") - def test_modified_dontauditxperm_rules(self): + def test_modified_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified dontauditxperm rules.""" - lst = sorted(self.diff.modified_dontauditxperms, key=lambda x: x.rule) - self.assertEqual(3, len(lst)) + lst = sorted(analysis.modified_dontauditxperms, key=lambda x: x.rule) + assert 3 == len(lst) # add permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[0]) - self.assertEqual(TRT.dontauditxperm, rule.ruletype) - self.assertEqual("dax_modified_rule_add_perms", rule.source) - self.assertEqual("dax_modified_rule_add_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertSetEqual(set([0x000f]), added_perms) - self.assertFalse(removed_perms) - self.assertSetEqual(set([0x0004]), matched_perms) + assert TRT.dontauditxperm == rule.ruletype + assert "dax_modified_rule_add_perms" == rule.source + assert "dax_modified_rule_add_perms" == rule.target + assert "infoflow" == rule.tclass + assert setools.IoctlSet([0x000f]) == added_perms + assert not removed_perms + assert setools.IoctlSet([0x0004]) == matched_perms # add and remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[1]) - self.assertEqual(TRT.dontauditxperm, rule.ruletype) - self.assertEqual("dax_modified_rule_add_remove_perms", rule.source) - self.assertEqual("dax_modified_rule_add_remove_perms", rule.target) - self.assertEqual("infoflow2", rule.tclass) - self.assertSetEqual(set([0x0006]), added_perms) - self.assertSetEqual(set([0x0007]), removed_perms) - self.assertSetEqual(set([0x0008]), matched_perms) + assert TRT.dontauditxperm == rule.ruletype + assert "dax_modified_rule_add_remove_perms" == rule.source + assert "dax_modified_rule_add_remove_perms" == rule.target + assert "infoflow2" == rule.tclass + assert setools.IoctlSet([0x0006]) == added_perms + assert setools.IoctlSet([0x0007]) == removed_perms + assert setools.IoctlSet([0x0008]) == matched_perms # remove permissions rule, added_perms, removed_perms, matched_perms = astuple(lst[2]) - self.assertEqual(TRT.dontauditxperm, rule.ruletype) - self.assertEqual("dax_modified_rule_remove_perms", rule.source) - self.assertEqual("dax_modified_rule_remove_perms", rule.target) - self.assertEqual("infoflow", rule.tclass) - self.assertFalse(added_perms) - self.assertSetEqual(set([0x0006]), removed_perms) - self.assertSetEqual(set([0x0005]), matched_perms) + assert TRT.dontauditxperm == rule.ruletype + assert "dax_modified_rule_remove_perms" == rule.source + assert "dax_modified_rule_remove_perms" == rule.target + assert "infoflow" == rule.tclass + assert not added_perms + assert setools.IoctlSet([0x0006]) == removed_perms + assert setools.IoctlSet([0x0005]) == matched_perms # # Ibendportcon statements # - def test_added_ibendportcons(self): + def test_added_ibendportcons(self, analysis: setools.PolicyDifference) -> None: """Diff: added ibendportcon statements.""" - rules = sorted(self.diff.added_ibendportcons) - self.assertEqual(1, len(rules)) - self.assertEqual("add", rules[0].name) - self.assertEqual(23, rules[0].port) - self.assertEqual("system:system:system:s0", rules[0].context) + rules = sorted(analysis.added_ibendportcons) + assert 1 == len(rules) + assert "add" == rules[0].name + assert 23 == rules[0].port + assert "system:system:system:s0" == rules[0].context - def test_removed_ibendportcons(self): + def test_removed_ibendportcons(self, analysis: setools.PolicyDifference) -> None: """Diff: removed ibendportcon statements.""" - rules = sorted(self.diff.removed_ibendportcons) - self.assertEqual(1, len(rules)) - self.assertEqual("removed", rules[0].name) - self.assertEqual(7, rules[0].port) - self.assertEqual("system:system:system:s0", rules[0].context) + rules = sorted(analysis.removed_ibendportcons) + assert 1 == len(rules) + assert "removed" == rules[0].name + assert 7 == rules[0].port + assert "system:system:system:s0" == rules[0].context - def test_modified_ibendportcons(self): + def test_modified_ibendportcons(self, analysis: setools.PolicyDifference) -> None: """Diff: modified ibendportcon statements""" - rules = sorted(self.diff.modified_ibendportcons) - self.assertEqual(1, len(rules)) + rules = sorted(analysis.modified_ibendportcons) + assert 1 == len(rules) rule, added, removed = astuple(rules[0]) - self.assertEqual("modified", rule.name) - self.assertEqual(13, rule.port) - self.assertEqual("modified_change_level:object_r:system:s2", added) - self.assertEqual("modified_change_level:object_r:system:s2:c0.c1", removed) + assert "modified" == rule.name + assert 13 == rule.port + assert "modified_change_level:object_r:system:s2" == added + assert "modified_change_level:object_r:system:s2:c0.c1" == removed # # Ibpkeycon statements # - def test_added_ibpkeycons(self): + def test_added_ibpkeycons(self, analysis: setools.PolicyDifference) -> None: """Diff: added ibpkeycon statements.""" - rules = sorted(self.diff.added_ibpkeycons) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.added_ibpkeycons) + assert 2 == len(rules) rule = rules[0] - self.assertEqual(IPv6Address("beef::"), rule.subnet_prefix) - self.assertEqual(0xe, rule.pkeys.low) - self.assertEqual(0xe, rule.pkeys.high) - self.assertEqual("system:system:system:s0", rule.context) + assert IPv6Address("beef::") == rule.subnet_prefix + assert 0xe == rule.pkeys.low + assert 0xe == rule.pkeys.high + assert "system:system:system:s0" == rule.context rule = rules[1] - self.assertEqual(IPv6Address("dead::"), rule.subnet_prefix) - self.assertEqual(0xbeef, rule.pkeys.low) - self.assertEqual(0xdead, rule.pkeys.high) - self.assertEqual("system:system:system:s0", rule.context) + assert IPv6Address("dead::") == rule.subnet_prefix + assert 0xbeef == rule.pkeys.low + assert 0xdead == rule.pkeys.high + assert "system:system:system:s0" == rule.context - def test_removed_ibpkeycons(self): + def test_removed_ibpkeycons(self, analysis: setools.PolicyDifference) -> None: """Diff: removed ibpkeycon statements.""" - rules = sorted(self.diff.removed_ibpkeycons) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.removed_ibpkeycons) + assert 2 == len(rules) rule = rules[0] - self.assertEqual(IPv6Address("dccc::"), rule.subnet_prefix) - self.assertEqual(0xc, rule.pkeys.low) - self.assertEqual(0xc, rule.pkeys.high) - self.assertEqual("system:system:system:s0", rule.context) + assert IPv6Address("dccc::") == rule.subnet_prefix + assert 0xc == rule.pkeys.low + assert 0xc == rule.pkeys.high + assert "system:system:system:s0" == rule.context rule = rules[1] - self.assertEqual(IPv6Address("feee::"), rule.subnet_prefix) - self.assertEqual(0xaaaa, rule.pkeys.low) - self.assertEqual(0xbbbb, rule.pkeys.high) - self.assertEqual("system:system:system:s0", rule.context) + assert IPv6Address("feee::") == rule.subnet_prefix + assert 0xaaaa == rule.pkeys.low + assert 0xbbbb == rule.pkeys.high + assert "system:system:system:s0" == rule.context - def test_modified_ibpkeycons(self): + def test_modified_ibpkeycons(self, analysis: setools.PolicyDifference) -> None: """Diff: modified ibpkeycon statements""" - rules = sorted(self.diff.modified_ibpkeycons) - self.assertEqual(2, len(rules)) + rules = sorted(analysis.modified_ibpkeycons) + assert 2 == len(rules) rule, added, removed = astuple(rules[0]) - self.assertEqual(IPv6Address("aaaa::"), rule.subnet_prefix) - self.assertEqual(0xcccc, rule.pkeys.low) - self.assertEqual(0xdddd, rule.pkeys.high) - self.assertEqual("modified_change_level:object_r:system:s2:c0", added) - self.assertEqual("modified_change_level:object_r:system:s2:c1", removed) + assert IPv6Address("aaaa::") == rule.subnet_prefix + assert 0xcccc == rule.pkeys.low + assert 0xdddd == rule.pkeys.high + assert "modified_change_level:object_r:system:s2:c0" == added + assert "modified_change_level:object_r:system:s2:c1" == removed rule, added, removed = astuple(rules[1]) - self.assertEqual(IPv6Address("bbbb::"), rule.subnet_prefix) - self.assertEqual(0xf, rule.pkeys.low) - self.assertEqual(0xf, rule.pkeys.high) - self.assertEqual("modified_change_level:object_r:system:s2:c1", added) - self.assertEqual("modified_change_level:object_r:system:s2:c0.c1", removed) + assert IPv6Address("bbbb::") == rule.subnet_prefix + assert 0xf == rule.pkeys.low + assert 0xf == rule.pkeys.high + assert "modified_change_level:object_r:system:s2:c1" == added + assert "modified_change_level:object_r:system:s2:c0.c1" == removed -class PolicyDifferenceRmIsidTest(unittest.TestCase): +@pytest.mark.obj_args("tests/library/diff_left.conf", "tests/library/diff_right_rmisid.conf") +class TestPolicyDifferenceRmIsid: """ Policy difference test for removed initial SID. @@ -1949,487 +1915,468 @@ class PolicyDifferenceRmIsidTest(unittest.TestCase): this cannot be in the above test suite. """ - @classmethod - def setUpClass(cls): - cls.p_left = compile_policy("tests/library/diff_left.conf") - cls.p_right = compile_policy("tests/library/diff_right_rmisid.conf") - cls.diff = PolicyDifference(cls.p_left, cls.p_right) - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p_left.path) - os.unlink(cls.p_right.path) - - def test_removed_initialsids(self): + def test_removed_initialsids(self, analysis: setools.PolicyDifference) -> None: """Diff: removed initialsids.""" - self.assertSetEqual(set(["file"]), self.diff.removed_initialsids) + assert set(["file"]) == analysis.removed_initialsids -class PolicyDifferenceTestNoDiff(unittest.TestCase): +@pytest.mark.obj_args("tests/library/diff_left.conf", "tests/library/diff_left.conf") +class TestPolicyDifferenceTestNoDiff: """Policy difference test with no policy differences.""" - @classmethod - def setUpClass(cls): - cls.p_left = compile_policy("tests/library/diff_left.conf") - cls.p_right = compile_policy("tests/library/diff_left.conf") - cls.diff = PolicyDifference(cls.p_left, cls.p_right) - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p_left.path) - os.unlink(cls.p_right.path) - - def test_added_types(self): + def test_added_types(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added types""" - self.assertFalse(self.diff.added_types) + assert not analysis.added_types - def test_removed_types(self): + def test_removed_types(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed types""" - self.assertFalse(self.diff.removed_types) + assert not analysis.removed_types - def test_modified_types(self): + def test_modified_types(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified types""" - self.assertFalse(self.diff.modified_types) + assert not analysis.modified_types - def test_added_roles(self): + def test_added_roles(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added roles.""" - self.assertFalse(self.diff.added_roles) + assert not analysis.added_roles - def test_removed_roles(self): + def test_removed_roles(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed roles.""" - self.assertFalse(self.diff.removed_roles) + assert not analysis.removed_roles - def test_modified_roles(self): + def test_modified_roles(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified roles.""" - self.assertFalse(self.diff.modified_roles) + assert not analysis.modified_roles - def test_added_commons(self): + def test_added_commons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added commons.""" - self.assertFalse(self.diff.added_commons) + assert not analysis.added_commons - def test_removed_commons(self): + def test_removed_commons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed commons.""" - self.assertFalse(self.diff.removed_commons) + assert not analysis.removed_commons - def test_modified_commons(self): + def test_modified_commons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified commons.""" - self.assertFalse(self.diff.modified_commons) + assert not analysis.modified_commons - def test_added_classes(self): + def test_added_classes(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added classes.""" - self.assertFalse(self.diff.added_classes) + assert not analysis.added_classes - def test_removed_classes(self): + def test_removed_classes(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed classes.""" - self.assertFalse(self.diff.removed_classes) + assert not analysis.removed_classes - def test_modified_classes(self): + def test_modified_classes(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified classes.""" - self.assertFalse(self.diff.modified_classes) + assert not analysis.modified_classes - def test_added_allows(self): + def test_added_allows(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added allow rules.""" - self.assertFalse(self.diff.added_allows) + assert not analysis.added_allows - def test_removed_allows(self): + def test_removed_allows(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed allow rules.""" - self.assertFalse(self.diff.removed_allows) + assert not analysis.removed_allows - def test_modified_allows(self): + def test_modified_allows(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified allow rules.""" - self.assertFalse(self.diff.modified_allows) + assert not analysis.modified_allows - def test_added_auditallows(self): + def test_added_auditallows(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added auditallow rules.""" - self.assertFalse(self.diff.added_auditallows) + assert not analysis.added_auditallows - def test_removed_auditallows(self): + def test_removed_auditallows(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed auditallow rules.""" - self.assertFalse(self.diff.removed_auditallows) + assert not analysis.removed_auditallows - def test_modified_auditallows(self): + def test_modified_auditallows(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified auditallow rules.""" - self.assertFalse(self.diff.modified_auditallows) + assert not analysis.modified_auditallows - def test_added_neverallows(self): + def test_added_neverallows(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added neverallow rules.""" - self.assertFalse(self.diff.added_neverallows) + assert not analysis.added_neverallows - def test_removed_neverallows(self): + def test_removed_neverallows(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed neverallow rules.""" - self.assertFalse(self.diff.removed_neverallows) + assert not analysis.removed_neverallows - def test_modified_neverallows(self): + def test_modified_neverallows(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified neverallow rules.""" - self.assertFalse(self.diff.modified_neverallows) + assert not analysis.modified_neverallows - def test_added_dontaudits(self): + def test_added_dontaudits(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added dontaudit rules.""" - self.assertFalse(self.diff.added_dontaudits) + assert not analysis.added_dontaudits - def test_removed_dontaudits(self): + def test_removed_dontaudits(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed dontaudit rules.""" - self.assertFalse(self.diff.removed_dontaudits) + assert not analysis.removed_dontaudits - def test_modified_dontaudits(self): + def test_modified_dontaudits(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified dontaudit rules.""" - self.assertFalse(self.diff.modified_dontaudits) + assert not analysis.modified_dontaudits - def test_added_type_transitions(self): + def test_added_type_transitions(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added type_transition rules.""" - self.assertFalse(self.diff.added_type_transitions) + assert not analysis.added_type_transitions - def test_removed_type_transitions(self): + def test_removed_type_transitions(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed type_transition rules.""" - self.assertFalse(self.diff.removed_type_transitions) + assert not analysis.removed_type_transitions - def test_modified_type_transitions(self): + def test_modified_type_transitions(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified type_transition rules.""" - self.assertFalse(self.diff.modified_type_transitions) + assert not analysis.modified_type_transitions - def test_added_type_changes(self): + def test_added_type_changes(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added type_change rules.""" - self.assertFalse(self.diff.added_type_changes) + assert not analysis.added_type_changes - def test_removed_type_changes(self): + def test_removed_type_changes(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed type_change rules.""" - self.assertFalse(self.diff.removed_type_changes) + assert not analysis.removed_type_changes - def test_modified_type_changes(self): + def test_modified_type_changes(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified type_change rules.""" - self.assertFalse(self.diff.modified_type_changes) + assert not analysis.modified_type_changes - def test_added_type_members(self): + def test_added_type_members(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added type_member rules.""" - self.assertFalse(self.diff.added_type_members) + assert not analysis.added_type_members - def test_removed_type_members(self): + def test_removed_type_members(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed type_member rules.""" - self.assertFalse(self.diff.removed_type_members) + assert not analysis.removed_type_members - def test_modified_type_members(self): + def test_modified_type_members(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified type_member rules.""" - self.assertFalse(self.diff.modified_type_members) + assert not analysis.modified_type_members - def test_added_range_transitions(self): + def test_added_range_transitions(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added range_transition rules.""" - self.assertFalse(self.diff.added_range_transitions) + assert not analysis.added_range_transitions - def test_removed_range_transitions(self): + def test_removed_range_transitions(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed range_transition rules.""" - self.assertFalse(self.diff.removed_range_transitions) + assert not analysis.removed_range_transitions - def test_modified_range_transitions(self): + def test_modified_range_transitions(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified range_transition rules.""" - self.assertFalse(self.diff.modified_range_transitions) + assert not analysis.modified_range_transitions - def test_added_role_allows(self): + def test_added_role_allows(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added role_allow rules.""" - self.assertFalse(self.diff.added_role_allows) + assert not analysis.added_role_allows - def test_removed_role_allows(self): + def test_removed_role_allows(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed role_allow rules.""" - self.assertFalse(self.diff.removed_role_allows) + assert not analysis.removed_role_allows - def test_added_role_transitions(self): + def test_added_role_transitions(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added role_transition rules.""" - self.assertFalse(self.diff.added_role_transitions) + assert not analysis.added_role_transitions - def test_removed_role_transitions(self): + def test_removed_role_transitions(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed role_transition rules.""" - self.assertFalse(self.diff.removed_role_transitions) + assert not analysis.removed_role_transitions - def test_modified_role_transitions(self): + def test_modified_role_transitions(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified role_transition rules.""" - self.assertFalse(self.diff.modified_role_transitions) + assert not analysis.modified_role_transitions - def test_added_users(self): + def test_added_users(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added users.""" - self.assertFalse(self.diff.added_users) + assert not analysis.added_users - def test_removed_users(self): + def test_removed_users(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed users.""" - self.assertFalse(self.diff.removed_users) + assert not analysis.removed_users - def test_modified_users(self): + def test_modified_users(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified user rules.""" - self.assertFalse(self.diff.modified_users) + assert not analysis.modified_users - def test_added_type_attributes(self): + def test_added_type_attributes(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added type attribute.""" - self.assertFalse(self.diff.added_type_attributes) + assert not analysis.added_type_attributes - def test_removed_type_attributes(self): + def test_removed_type_attributes(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed type attributes.""" - self.assertFalse(self.diff.removed_type_attributes) + assert not analysis.removed_type_attributes - def test_modified_type_attributes(self): + def test_modified_type_attributes(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified type attributes.""" - self.assertFalse(self.diff.modified_type_attributes) + assert not analysis.modified_type_attributes - def test_added_booleans(self): + def test_added_booleans(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added booleans.""" - self.assertFalse(self.diff.added_booleans) + assert not analysis.added_booleans - def test_removed_booleans(self): + def test_removed_booleans(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed booleans.""" - self.assertFalse(self.diff.removed_booleans) + assert not analysis.removed_booleans - def test_modified_booleans(self): + def test_modified_booleans(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified booleans.""" - self.assertFalse(self.diff.modified_booleans) + assert not analysis.modified_booleans - def test_added_categories(self): + def test_added_categories(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added categories.""" - self.assertFalse(self.diff.added_categories) + assert not analysis.added_categories - def test_removed_categories(self): + def test_removed_categories(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed categories.""" - self.assertFalse(self.diff.removed_categories) + assert not analysis.removed_categories - def test_modified_categories(self): + def test_modified_categories(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified categories.""" - self.assertFalse(self.diff.modified_categories) + assert not analysis.modified_categories - def test_added_sensitivities(self): + def test_added_sensitivities(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added sensitivities.""" - self.assertFalse(self.diff.added_sensitivities) + assert not analysis.added_sensitivities - def test_removed_sensitivities(self): + def test_removed_sensitivities(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed sensitivities.""" - self.assertFalse(self.diff.removed_sensitivities) + assert not analysis.removed_sensitivities - def test_modified_sensitivities(self): + def test_modified_sensitivities(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified sensitivities.""" - self.assertFalse(self.diff.modified_sensitivities) + assert not analysis.modified_sensitivities - def test_added_initialsids(self): + def test_added_initialsids(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added initialsids.""" - self.assertFalse(self.diff.added_initialsids) + assert not analysis.added_initialsids - def test_removed_initialsids(self): + def test_removed_initialsids(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed initialsids.""" - self.assertFalse(self.diff.removed_initialsids) + assert not analysis.removed_initialsids - def test_modified_initialsids(self): + def test_modified_initialsids(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified initialsids.""" - self.assertFalse(self.diff.modified_initialsids) + assert not analysis.modified_initialsids - def test_added_fs_uses(self): + def test_added_fs_uses(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added fs_uses.""" - self.assertFalse(self.diff.added_fs_uses) + assert not analysis.added_fs_uses - def test_removed_fs_uses(self): + def test_removed_fs_uses(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed fs_uses.""" - self.assertFalse(self.diff.removed_fs_uses) + assert not analysis.removed_fs_uses - def test_modified_fs_uses(self): + def test_modified_fs_uses(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified fs_uses.""" - self.assertFalse(self.diff.modified_fs_uses) + assert not analysis.modified_fs_uses - def test_added_genfscons(self): + def test_added_genfscons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added genfscons.""" - self.assertFalse(self.diff.added_genfscons) + assert not analysis.added_genfscons - def test_removed_genfscons(self): + def test_removed_genfscons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed genfscons.""" - self.assertFalse(self.diff.removed_genfscons) + assert not analysis.removed_genfscons - def test_modified_genfscons(self): + def test_modified_genfscons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified genfscons.""" - self.assertFalse(self.diff.modified_genfscons) + assert not analysis.modified_genfscons - def test_added_levels(self): + def test_added_levels(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added levels.""" - self.assertFalse(self.diff.added_levels) + assert not analysis.added_levels - def test_removed_levels(self): + def test_removed_levels(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed levels.""" - self.assertFalse(self.diff.removed_levels) + assert not analysis.removed_levels - def test_modified_levels(self): + def test_modified_levels(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified levels.""" - self.assertFalse(self.diff.modified_levels) + assert not analysis.modified_levels - def test_added_netifcons(self): + def test_added_netifcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added netifcons.""" - self.assertFalse(self.diff.added_netifcons) + assert not analysis.added_netifcons - def test_removed_netifcons(self): + def test_removed_netifcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed netifcons.""" - self.assertFalse(self.diff.removed_netifcons) + assert not analysis.removed_netifcons - def test_modified_netifcons(self): + def test_modified_netifcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified netifcons.""" - self.assertFalse(self.diff.modified_netifcons) + assert not analysis.modified_netifcons - def test_added_nodecons(self): + def test_added_nodecons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added nodecons.""" - self.assertFalse(self.diff.added_nodecons) + assert not analysis.added_nodecons - def test_removed_nodecons(self): + def test_removed_nodecons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed nodecons.""" - self.assertFalse(self.diff.removed_nodecons) + assert not analysis.removed_nodecons - def test_modified_nodecons(self): + def test_modified_nodecons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified nodecons.""" - self.assertFalse(self.diff.modified_nodecons) + assert not analysis.modified_nodecons - def test_added_polcaps(self): + def test_added_polcaps(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added polcaps.""" - self.assertFalse(self.diff.added_polcaps) + assert not analysis.added_polcaps - def test_removed_polcaps(self): + def test_removed_polcaps(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed polcaps.""" - self.assertFalse(self.diff.removed_polcaps) + assert not analysis.removed_polcaps - def test_added_portcons(self): + def test_added_portcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added portcons.""" - self.assertFalse(self.diff.added_portcons) + assert not analysis.added_portcons - def test_removed_portcons(self): + def test_removed_portcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed portcons.""" - self.assertFalse(self.diff.removed_portcons) + assert not analysis.removed_portcons - def test_modified_portcons(self): + def test_modified_portcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified portcons.""" - self.assertFalse(self.diff.modified_portcons) + assert not analysis.modified_portcons - def test_modified_properties(self): + def test_modified_properties(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified properties.""" - self.assertFalse(self.diff.modified_properties) + assert not analysis.modified_properties - def test_added_defaults(self): + def test_added_defaults(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added defaults.""" - self.assertFalse(self.diff.added_defaults) + assert not analysis.added_defaults - def test_removed_defaults(self): + def test_removed_defaults(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed defaults.""" - self.assertFalse(self.diff.removed_defaults) + assert not analysis.removed_defaults - def test_modified_defaults(self): + def test_modified_defaults(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified defaults.""" - self.assertFalse(self.diff.modified_defaults) + assert not analysis.modified_defaults - def test_added_constrains(self): + def test_added_constrains(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added constrains.""" - self.assertFalse(self.diff.added_constrains) + assert not analysis.added_constrains - def test_removed_constrains(self): + def test_removed_constrains(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed constrains.""" - self.assertFalse(self.diff.removed_constrains) + assert not analysis.removed_constrains - def test_added_mlsconstrains(self): + def test_added_mlsconstrains(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added mlsconstrains.""" - self.assertFalse(self.diff.added_mlsconstrains) + assert not analysis.added_mlsconstrains - def test_removed_mlsconstrains(self): + def test_removed_mlsconstrains(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed mlsconstrains.""" - self.assertFalse(self.diff.removed_mlsconstrains) + assert not analysis.removed_mlsconstrains - def test_added_validatetrans(self): + def test_added_validatetrans(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added validatetrans.""" - self.assertFalse(self.diff.added_validatetrans) + assert not analysis.added_validatetrans - def test_removed_validatetrans(self): + def test_removed_validatetrans(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed validatetrans.""" - self.assertFalse(self.diff.removed_validatetrans) + assert not analysis.removed_validatetrans - def test_added_mlsvalidatetrans(self): + def test_added_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added mlsvalidatetrans.""" - self.assertFalse(self.diff.added_mlsvalidatetrans) + assert not analysis.added_mlsvalidatetrans - def test_removed_mlsvalidatetrans(self): + def test_removed_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed mlsvalidatetrans.""" - self.assertFalse(self.diff.removed_mlsvalidatetrans) + assert not analysis.removed_mlsvalidatetrans - def test_added_typebounds(self): + def test_added_typebounds(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added typebounds.""" - self.assertFalse(self.diff.added_typebounds) + assert not analysis.added_typebounds - def test_removed_typebounds(self): + def test_removed_typebounds(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed typebounds.""" - self.assertFalse(self.diff.removed_typebounds) + assert not analysis.removed_typebounds - def test_modified_typebounds(self): + def test_modified_typebounds(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified typebounds.""" - self.assertFalse(self.diff.modified_typebounds) + assert not analysis.modified_typebounds - def test_added_allowxperms(self): + def test_added_allowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added allowxperm rules.""" - self.assertFalse(self.diff.added_allowxperms) + assert not analysis.added_allowxperms - def test_removed_allowxperms(self): + def test_removed_allowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed allowxperm rules.""" - self.assertFalse(self.diff.removed_allowxperms) + assert not analysis.removed_allowxperms - def test_modified_allowxperms(self): + def test_modified_allowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified allowxperm rules.""" - self.assertFalse(self.diff.modified_allowxperms) + assert not analysis.modified_allowxperms - def test_added_auditallowxperms(self): + def test_added_auditallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added auditallowxperm rules.""" - self.assertFalse(self.diff.added_auditallowxperms) + assert not analysis.added_auditallowxperms - def test_removed_auditallowxperms(self): + def test_removed_auditallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed auditallowxperm rules.""" - self.assertFalse(self.diff.removed_auditallowxperms) + assert not analysis.removed_auditallowxperms - def test_modified_auditallowxperms(self): + def test_modified_auditallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified auditallowxperm rules.""" - self.assertFalse(self.diff.modified_auditallowxperms) + assert not analysis.modified_auditallowxperms - def test_added_neverallowxperms(self): + def test_added_neverallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added neverallowxperm rules.""" - self.assertFalse(self.diff.added_neverallowxperms) + assert not analysis.added_neverallowxperms - def test_removed_neverallowxperms(self): + def test_removed_neverallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed neverallowxperm rules.""" - self.assertFalse(self.diff.removed_neverallowxperms) + assert not analysis.removed_neverallowxperms - def test_modified_neverallowxperms(self): + def test_modified_neverallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified neverallowxperm rules.""" - self.assertFalse(self.diff.modified_neverallowxperms) + assert not analysis.modified_neverallowxperms - def test_added_dontauditxperms(self): + def test_added_dontauditxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added dontauditxperm rules.""" - self.assertFalse(self.diff.added_dontauditxperms) + assert not analysis.added_dontauditxperms - def test_removed_dontauditxperms(self): + def test_removed_dontauditxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed dontauditxperm rules.""" - self.assertFalse(self.diff.removed_dontauditxperms) + assert not analysis.removed_dontauditxperms - def test_modified_dontauditxperms(self): + def test_modified_dontauditxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified dontauditxperm rules.""" - self.assertFalse(self.diff.modified_dontauditxperms) + assert not analysis.modified_dontauditxperms - def test_added_ibendportcons(self): + def test_added_ibendportcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added ibendportcon rules.""" - self.assertFalse(self.diff.added_ibendportcons) + assert not analysis.added_ibendportcons - def test_removed_ibendportcons(self): + def test_removed_ibendportcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed ibendportcon rules.""" - self.assertFalse(self.diff.removed_ibendportcons) + assert not analysis.removed_ibendportcons - def test_modified_ibendportcons(self): + def test_modified_ibendportcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified ibendportcon rules.""" - self.assertFalse(self.diff.modified_ibendportcons) + assert not analysis.modified_ibendportcons - def test_added_ibpkeycons(self): + def test_added_ibpkeycons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added ibpkeycon rules.""" - self.assertFalse(self.diff.added_ibpkeycons) + assert not analysis.added_ibpkeycons - def test_removed_ibpkeycons(self): + def test_removed_ibpkeycons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed ibpkeycon rules.""" - self.assertFalse(self.diff.removed_ibpkeycons) + assert not analysis.removed_ibpkeycons - def test_modified_ibpkeycons(self): + def test_modified_ibpkeycons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified ibpkeycon rules.""" - self.assertFalse(self.diff.modified_ibpkeycons) + assert not analysis.modified_ibpkeycons -class PolicyDifferenceTestMLStoStandard(unittest.TestCase): +@pytest.mark.obj_args("tests/library/diff_left.conf", "tests/library/diff_left_standard.conf", + mls_right=False) +class TestPolicyDifferenceTestMLStoStandard: """ Policy difference test between MLS and standard (non-MLS) policy. @@ -2438,508 +2385,481 @@ class PolicyDifferenceTestMLStoStandard(unittest.TestCase): left policy, except with MLS disabled. """ - @classmethod - def setUpClass(cls): - cls.p_left = compile_policy("tests/library/diff_left.conf") - cls.p_right = compile_policy("tests/library/diff_left_standard.conf", mls=False) - cls.diff = PolicyDifference(cls.p_left, cls.p_right) - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p_left.path) - os.unlink(cls.p_right.path) - - def test_added_types(self): + def test_added_types(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added types""" - self.assertFalse(self.diff.added_types) + assert not analysis.added_types - def test_removed_types(self): + def test_removed_types(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed types""" - self.assertFalse(self.diff.removed_types) + assert not analysis.removed_types - def test_modified_types(self): + def test_modified_types(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified types""" - self.assertFalse(self.diff.modified_types) + assert not analysis.modified_types - def test_added_roles(self): + def test_added_roles(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added roles.""" - self.assertFalse(self.diff.added_roles) + assert not analysis.added_roles - def test_removed_roles(self): + def test_removed_roles(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed roles.""" - self.assertFalse(self.diff.removed_roles) + assert not analysis.removed_roles - def test_modified_roles(self): + def test_modified_roles(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified roles.""" - self.assertFalse(self.diff.modified_roles) + assert not analysis.modified_roles - def test_added_commons(self): + def test_added_commons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added commons.""" - self.assertFalse(self.diff.added_commons) + assert not analysis.added_commons - def test_removed_commons(self): + def test_removed_commons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed commons.""" - self.assertFalse(self.diff.removed_commons) + assert not analysis.removed_commons - def test_modified_commons(self): + def test_modified_commons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified commons.""" - self.assertFalse(self.diff.modified_commons) + assert not analysis.modified_commons - def test_added_classes(self): + def test_added_classes(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added classes.""" - self.assertFalse(self.diff.added_classes) + assert not analysis.added_classes - def test_removed_classes(self): + def test_removed_classes(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed classes.""" - self.assertFalse(self.diff.removed_classes) + assert not analysis.removed_classes - def test_modified_classes(self): + def test_modified_classes(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified classes.""" - self.assertFalse(self.diff.modified_classes) + assert not analysis.modified_classes - def test_added_allows(self): + def test_added_allows(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added allow rules.""" - self.assertFalse(self.diff.added_allows) + assert not analysis.added_allows - def test_removed_allows(self): + def test_removed_allows(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed allow rules.""" - self.assertFalse(self.diff.removed_allows) + assert not analysis.removed_allows - def test_modified_allows(self): + def test_modified_allows(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified allow rules.""" - self.assertFalse(self.diff.modified_allows) + assert not analysis.modified_allows - def test_added_auditallows(self): + def test_added_auditallows(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added auditallow rules.""" - self.assertFalse(self.diff.added_auditallows) + assert not analysis.added_auditallows - def test_removed_auditallows(self): + def test_removed_auditallows(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed auditallow rules.""" - self.assertFalse(self.diff.removed_auditallows) + assert not analysis.removed_auditallows - def test_modified_auditallows(self): + def test_modified_auditallows(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified auditallow rules.""" - self.assertFalse(self.diff.modified_auditallows) + assert not analysis.modified_auditallows - def test_added_neverallows(self): + def test_added_neverallows(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added neverallow rules.""" - self.assertFalse(self.diff.added_neverallows) + assert not analysis.added_neverallows - def test_removed_neverallows(self): + def test_removed_neverallows(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed neverallow rules.""" - self.assertFalse(self.diff.removed_neverallows) + assert not analysis.removed_neverallows - def test_modified_neverallows(self): + def test_modified_neverallows(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified neverallow rules.""" - self.assertFalse(self.diff.modified_neverallows) + assert not analysis.modified_neverallows - def test_added_dontaudits(self): + def test_added_dontaudits(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added dontaudit rules.""" - self.assertFalse(self.diff.added_dontaudits) + assert not analysis.added_dontaudits - def test_removed_dontaudits(self): + def test_removed_dontaudits(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed dontaudit rules.""" - self.assertFalse(self.diff.removed_dontaudits) + assert not analysis.removed_dontaudits - def test_modified_dontaudits(self): + def test_modified_dontaudits(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified dontaudit rules.""" - self.assertFalse(self.diff.modified_dontaudits) + assert not analysis.modified_dontaudits - def test_added_type_transitions(self): + def test_added_type_transitions(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added type_transition rules.""" - self.assertFalse(self.diff.added_type_transitions) + assert not analysis.added_type_transitions - def test_removed_type_transitions(self): + def test_removed_type_transitions(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed type_transition rules.""" - self.assertFalse(self.diff.removed_type_transitions) + assert not analysis.removed_type_transitions - def test_modified_type_transitions(self): + def test_modified_type_transitions(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified type_transition rules.""" - self.assertFalse(self.diff.modified_type_transitions) + assert not analysis.modified_type_transitions - def test_added_type_changes(self): + def test_added_type_changes(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added type_change rules.""" - self.assertFalse(self.diff.added_type_changes) + assert not analysis.added_type_changes - def test_removed_type_changes(self): + def test_removed_type_changes(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed type_change rules.""" - self.assertFalse(self.diff.removed_type_changes) + assert not analysis.removed_type_changes - def test_modified_type_changes(self): + def test_modified_type_changes(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified type_change rules.""" - self.assertFalse(self.diff.modified_type_changes) + assert not analysis.modified_type_changes - def test_added_type_members(self): + def test_added_type_members(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added type_member rules.""" - self.assertFalse(self.diff.added_type_members) + assert not analysis.added_type_members - def test_removed_type_members(self): + def test_removed_type_members(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed type_member rules.""" - self.assertFalse(self.diff.removed_type_members) + assert not analysis.removed_type_members - def test_modified_type_members(self): + def test_modified_type_members(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified type_member rules.""" - self.assertFalse(self.diff.modified_type_members) + assert not analysis.modified_type_members - def test_added_range_transitions(self): + def test_added_range_transitions(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added range_transition rules.""" - self.assertFalse(self.diff.added_range_transitions) + assert not analysis.added_range_transitions - def test_removed_range_transitions(self): + def test_removed_range_transitions(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all range_transition rules removed.""" - self.assertEqual(self.diff.left_policy.range_transition_count, - len(self.diff.removed_range_transitions)) + assert analysis.left_policy.range_transition_count == \ + len(analysis.removed_range_transitions) - def test_modified_range_transitions(self): + def test_modified_range_transitions(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified range_transition rules.""" - self.assertFalse(self.diff.modified_range_transitions) + assert not analysis.modified_range_transitions - def test_added_role_allows(self): + def test_added_role_allows(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added role_allow rules.""" - self.assertFalse(self.diff.added_role_allows) + assert not analysis.added_role_allows - def test_removed_role_allows(self): + def test_removed_role_allows(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed role_allow rules.""" - self.assertFalse(self.diff.removed_role_allows) + assert not analysis.removed_role_allows - def test_added_role_transitions(self): + def test_added_role_transitions(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added role_transition rules.""" - self.assertFalse(self.diff.added_role_transitions) + assert not analysis.added_role_transitions - def test_removed_role_transitions(self): + def test_removed_role_transitions(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed role_transition rules.""" - self.assertFalse(self.diff.removed_role_transitions) + assert not analysis.removed_role_transitions - def test_modified_role_transitions(self): + def test_modified_role_transitions(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified role_transition rules.""" - self.assertFalse(self.diff.modified_role_transitions) + assert not analysis.modified_role_transitions - def test_added_users(self): + def test_added_users(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added users.""" - self.assertFalse(self.diff.added_users) + assert not analysis.added_users - def test_removed_users(self): + def test_removed_users(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed users.""" - self.assertFalse(self.diff.removed_users) + assert not analysis.removed_users - def test_modified_users(self): + def test_modified_users(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all users modified.""" - self.assertEqual(self.diff.left_policy.user_count, len(self.diff.modified_users)) + assert analysis.left_policy.user_count == len(analysis.modified_users) - def test_added_type_attributes(self): + def test_added_type_attributes(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added type attribute.""" - self.assertFalse(self.diff.added_type_attributes) + assert not analysis.added_type_attributes - def test_removed_type_attributes(self): + def test_removed_type_attributes(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed type attributes.""" - self.assertFalse(self.diff.removed_type_attributes) + assert not analysis.removed_type_attributes - def test_modified_type_attributes(self): + def test_modified_type_attributes(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified type attributes.""" - self.assertFalse(self.diff.modified_type_attributes) + assert not analysis.modified_type_attributes - def test_added_booleans(self): + def test_added_booleans(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added booleans.""" - self.assertFalse(self.diff.added_booleans) + assert not analysis.added_booleans - def test_removed_booleans(self): + def test_removed_booleans(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed booleans.""" - self.assertFalse(self.diff.removed_booleans) + assert not analysis.removed_booleans - def test_modified_booleans(self): + def test_modified_booleans(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified booleans.""" - self.assertFalse(self.diff.modified_booleans) + assert not analysis.modified_booleans - def test_added_categories(self): + def test_added_categories(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added categories.""" - self.assertFalse(self.diff.added_categories) + assert not analysis.added_categories - def test_removed_categories(self): + def test_removed_categories(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all categories removed.""" - self.assertEqual(self.diff.left_policy.category_count, len(self.diff.removed_categories)) + assert analysis.left_policy.category_count == len(analysis.removed_categories) - def test_modified_categories(self): + def test_modified_categories(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified categories.""" - self.assertFalse(self.diff.modified_categories) + assert not analysis.modified_categories - def test_added_sensitivities(self): + def test_added_sensitivities(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added sensitivities.""" - self.assertFalse(self.diff.added_sensitivities) + assert not analysis.added_sensitivities - def test_removed_sensitivities(self): + def test_removed_sensitivities(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all sensitivities removed.""" - self.assertEqual(self.diff.left_policy.level_count, len(self.diff.removed_sensitivities)) + assert analysis.left_policy.level_count == len(analysis.removed_sensitivities) - def test_modified_sensitivities(self): + def test_modified_sensitivities(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified sensitivities.""" - self.assertFalse(self.diff.modified_sensitivities) + assert not analysis.modified_sensitivities - def test_added_initialsids(self): + def test_added_initialsids(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added initialsids.""" - self.assertFalse(self.diff.added_initialsids) + assert not analysis.added_initialsids - def test_removed_initialsids(self): + def test_removed_initialsids(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed initialsids.""" - self.assertFalse(self.diff.removed_initialsids) + assert not analysis.removed_initialsids - def test_modified_initialsids(self): + def test_modified_initialsids(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all initialsids modified.""" - self.assertEqual(self.diff.left_policy.initialsids_count, - len(self.diff.modified_initialsids)) + assert analysis.left_policy.initialsids_count == len(analysis.modified_initialsids) - def test_added_fs_uses(self): + def test_added_fs_uses(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added fs_uses.""" - self.assertFalse(self.diff.added_fs_uses) + assert not analysis.added_fs_uses - def test_removed_fs_uses(self): + def test_removed_fs_uses(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed fs_uses.""" - self.assertFalse(self.diff.removed_fs_uses) + assert not analysis.removed_fs_uses - def test_modified_fs_uses(self): + def test_modified_fs_uses(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all fs_uses modified.""" - self.assertEqual(self.diff.left_policy.fs_use_count, len(self.diff.modified_fs_uses)) + assert analysis.left_policy.fs_use_count == len(analysis.modified_fs_uses) - def test_added_genfscons(self): + def test_added_genfscons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added genfscons.""" - self.assertFalse(self.diff.added_genfscons) + assert not analysis.added_genfscons - def test_removed_genfscons(self): + def test_removed_genfscons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed genfscons.""" - self.assertFalse(self.diff.removed_genfscons) + assert not analysis.removed_genfscons - def test_modified_genfscons(self): + def test_modified_genfscons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all genfscons modified.""" - self.assertEqual(self.diff.left_policy.genfscon_count, len(self.diff.modified_genfscons)) + assert analysis.left_policy.genfscon_count == len(analysis.modified_genfscons) - def test_added_levels(self): + def test_added_levels(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added levels.""" - self.assertFalse(self.diff.added_levels) + assert not analysis.added_levels - def test_removed_levels(self): + def test_removed_levels(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all levels removed.""" - self.assertEqual(self.diff.left_policy.level_count, len(self.diff.removed_levels)) + assert analysis.left_policy.level_count == len(analysis.removed_levels) - def test_modified_levels(self): + def test_modified_levels(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified levels.""" - self.assertFalse(self.diff.modified_levels) + assert not analysis.modified_levels - def test_added_netifcons(self): + def test_added_netifcons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added netifcons.""" - self.assertFalse(self.diff.added_netifcons) + assert not analysis.added_netifcons - def test_removed_netifcons(self): + def test_removed_netifcons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed netifcons.""" - self.assertFalse(self.diff.removed_netifcons) + assert not analysis.removed_netifcons - def test_modified_netifcons(self): + def test_modified_netifcons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all netifcons modified.""" - self.assertEqual(self.diff.left_policy.netifcon_count, len(self.diff.modified_netifcons)) + assert analysis.left_policy.netifcon_count == len(analysis.modified_netifcons) - def test_added_nodecons(self): + def test_added_nodecons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added nodecons.""" - self.assertFalse(self.diff.added_nodecons) + assert not analysis.added_nodecons - def test_removed_nodecons(self): + def test_removed_nodecons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed nodecons.""" - self.assertFalse(self.diff.removed_nodecons) + assert not analysis.removed_nodecons - def test_modified_nodecons(self): + def test_modified_nodecons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all nodecons modified.""" - self.assertEqual(self.diff.left_policy.nodecon_count, len(self.diff.modified_nodecons)) + assert analysis.left_policy.nodecon_count == len(analysis.modified_nodecons) - def test_added_polcaps(self): + def test_added_polcaps(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added polcaps.""" - self.assertFalse(self.diff.added_polcaps) + assert not analysis.added_polcaps - def test_removed_polcaps(self): + def test_removed_polcaps(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed polcaps.""" - self.assertFalse(self.diff.removed_polcaps) + assert not analysis.removed_polcaps - def test_added_portcons(self): + def test_added_portcons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added portcons.""" - self.assertFalse(self.diff.added_portcons) + assert not analysis.added_portcons - def test_removed_portcons(self): + def test_removed_portcons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed portcons.""" - self.assertFalse(self.diff.removed_portcons) + assert not analysis.removed_portcons - def test_modified_portcons(self): + def test_modified_portcons(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all portcons modified.""" - self.assertEqual(self.diff.left_policy.portcon_count, len(self.diff.modified_portcons)) + assert analysis.left_policy.portcon_count == len(analysis.modified_portcons) - def test_modified_properties(self): + def test_modified_properties(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: MLS property modified only.""" - self.assertEqual(1, len(self.diff.modified_properties)) + assert 1 == len(analysis.modified_properties) - name, added, removed = astuple(self.diff.modified_properties[0]) - self.assertEqual("MLS", name) - self.assertIs(False, added) - self.assertIs(True, removed) + name, added, removed = astuple(analysis.modified_properties[0]) + assert "MLS" == name + assert added is False + assert removed is True - def test_added_defaults(self): + def test_added_defaults(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added defaults.""" - self.assertFalse(self.diff.added_defaults) + assert not analysis.added_defaults - def test_removed_defaults(self): + def test_removed_defaults(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all default_range removed.""" - self.assertEqual( - sum(1 for d in self.diff.left_policy.defaults() if d.ruletype == DRT.default_range), - len(self.diff.removed_defaults)) + assert sum(1 for d in analysis.left_policy.defaults() if d.ruletype == DRT.default_range) \ + == len(analysis.removed_defaults) - def test_modified_defaults(self): + def test_modified_defaults(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no defaults modified.""" - self.assertFalse(self.diff.modified_defaults) + assert not analysis.modified_defaults - def test_added_constraints(self): + def test_added_constraints(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added constraints.""" - self.assertFalse(self.diff.added_constrains) + assert not analysis.added_constrains - def test_removed_constraints(self): + def test_removed_constraints(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed constraints.""" - self.assertFalse(self.diff.removed_constrains) + assert not analysis.removed_constrains - def test_added_validatetrans(self): + def test_added_validatetrans(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added validatetrans.""" - self.assertFalse(self.diff.added_validatetrans) + assert not analysis.added_validatetrans - def test_removed_validatetrans(self): + def test_removed_validatetrans(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed validatetrans.""" - self.assertFalse(self.diff.removed_validatetrans) + assert not analysis.removed_validatetrans - def test_added_mlsconstraints(self): + def test_added_mlsconstraints(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added mlsconstraints.""" - self.assertFalse(self.diff.added_mlsconstrains) + assert not analysis.added_mlsconstrains - def test_removed_mlsconstraints(self): + def test_removed_mlsconstraints(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all mlsconstraints removed.""" - self.assertEqual( - sum(1 for m in self.diff.left_policy.constraints() if m.ruletype == CRT.mlsconstrain), - len(self.diff.removed_mlsconstrains)) + assert sum(1 for m in analysis.left_policy.constraints() if + m.ruletype == CRT.mlsconstrain) == len(analysis.removed_mlsconstrains) - def test_added_mlsvalidatetrans(self): + def test_added_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added mlsvalidatetrans.""" - self.assertFalse(self.diff.added_mlsvalidatetrans) + assert not analysis.added_mlsvalidatetrans - def test_removed_mlsvalidatetrans(self): + def test_removed_mlsvalidatetrans(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: all mlsvalidatetrans removed.""" - self.assertEqual( - sum(1 for m in self.diff.left_policy.constraints() - if m.ruletype == CRT.mlsvalidatetrans), - len(self.diff.removed_mlsvalidatetrans)) + assert sum(1 for m in analysis.left_policy.constraints() + if m.ruletype == CRT.mlsvalidatetrans) == \ + len(analysis.removed_mlsvalidatetrans) - def test_added_typebounds(self): + def test_added_typebounds(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no added typebounds.""" - self.assertFalse(self.diff.added_typebounds) + assert not analysis.added_typebounds - def test_removed_typebounds(self): + def test_removed_typebounds(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no removed typebounds.""" - self.assertFalse(self.diff.removed_typebounds) + assert not analysis.removed_typebounds - def test_modified_typebounds(self): + def test_modified_typebounds(self, analysis: setools.PolicyDifference) -> None: """MLSvsStandardDiff: no modified typebounds.""" - self.assertFalse(self.diff.modified_typebounds) + assert not analysis.modified_typebounds - def test_added_allowxperms(self): + def test_added_allowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added allowxperm rules.""" - self.assertFalse(self.diff.added_allowxperms) + assert not analysis.added_allowxperms - def test_removed_allowxperms(self): + def test_removed_allowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed allowxperm rules.""" - self.assertFalse(self.diff.removed_allowxperms) + assert not analysis.removed_allowxperms - def test_modified_allowxperms(self): + def test_modified_allowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified allowxperm rules.""" - self.assertFalse(self.diff.modified_allowxperms) + assert not analysis.modified_allowxperms - def test_added_auditallowxperms(self): + def test_added_auditallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added auditallowxperm rules.""" - self.assertFalse(self.diff.added_auditallowxperms) + assert not analysis.added_auditallowxperms - def test_removed_auditallowxperms(self): + def test_removed_auditallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed auditallowxperm rules.""" - self.assertFalse(self.diff.removed_auditallowxperms) + assert not analysis.removed_auditallowxperms - def test_modified_auditallowxperms(self): + def test_modified_auditallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified auditallowxperm rules.""" - self.assertFalse(self.diff.modified_auditallowxperms) + assert not analysis.modified_auditallowxperms - def test_added_neverallowxperms(self): + def test_added_neverallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added neverallowxperm rules.""" - self.assertFalse(self.diff.added_neverallowxperms) + assert not analysis.added_neverallowxperms - def test_removed_neverallowxperms(self): + def test_removed_neverallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed neverallowxperm rules.""" - self.assertFalse(self.diff.removed_neverallowxperms) + assert not analysis.removed_neverallowxperms - def test_modified_neverallowxperms(self): + def test_modified_neverallowxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified neverallowxperm rules.""" - self.assertFalse(self.diff.modified_neverallowxperms) + assert not analysis.modified_neverallowxperms - def test_added_dontauditxperms(self): + def test_added_dontauditxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added dontauditxperm rules.""" - self.assertFalse(self.diff.added_dontauditxperms) + assert not analysis.added_dontauditxperms - def test_removed_dontauditxperms(self): + def test_removed_dontauditxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed dontauditxperm rules.""" - self.assertFalse(self.diff.removed_dontauditxperms) + assert not analysis.removed_dontauditxperms - def test_modified_dontauditxperms(self): + def test_modified_dontauditxperms(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified dontauditxperm rules.""" - self.assertFalse(self.diff.modified_dontauditxperms) + assert not analysis.modified_dontauditxperms - def test_added_ibpkeycons(self): + def test_added_ibpkeycons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added ibpkeycon rules.""" - self.assertFalse(self.diff.added_ibpkeycons) + assert not analysis.added_ibpkeycons - def test_removed_ibpkeycons(self): + def test_removed_ibpkeycons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed ibpkeycon rules.""" - self.assertFalse(self.diff.removed_ibpkeycons) + assert not analysis.removed_ibpkeycons - def test_modified_ibpkeycons(self): + def test_modified_ibpkeycons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified ibpkeycon rules.""" - self.assertEqual(self.diff.left_policy.ibpkeycon_count, - len(self.diff.modified_ibpkeycons)) + assert analysis.left_policy.ibpkeycon_count == len(analysis.modified_ibpkeycons) - def test_added_ibendportcons(self): + def test_added_ibendportcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no added ibendportcon rules.""" - self.assertFalse(self.diff.added_ibendportcons) + assert not analysis.added_ibendportcons - def test_removed_ibendportcons(self): + def test_removed_ibendportcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no removed ibendportcon rules.""" - self.assertFalse(self.diff.removed_ibendportcons) + assert not analysis.removed_ibendportcons - def test_modified_ibendportcons(self): + def test_modified_ibendportcons(self, analysis: setools.PolicyDifference) -> None: """NoDiff: no modified ibendportcon rules.""" - self.assertEqual(self.diff.left_policy.ibendportcon_count, - len(self.diff.modified_ibendportcons)) + assert analysis.left_policy.ibendportcon_count == len(analysis.modified_ibendportcons) -class PolicyDifferenceTestRedundant(unittest.TestCase): +@pytest.mark.obj_args("tests/library/diff_left.conf", "tests/library/diff_left_redundant.conf") +class TestPolicyDifferenceTestRedundant: """ Policy difference test with redundant rules. There should be no policy differences. """ - @classmethod - def setUpClass(cls): - cls.p_left = compile_policy("tests/library/diff_left.conf") - cls.p_right = compile_policy("tests/library/diff_left_redundant.conf") - cls.diff = PolicyDifference(cls.p_left, cls.p_right) - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p_left.path) - os.unlink(cls.p_right.path) - - def test_added_allows(self): + def test_added_allows(self, analysis: setools.PolicyDifference) -> None: """Redundant: no added allow rules.""" - self.assertFalse(self.diff.added_allows) + assert not analysis.added_allows - def test_removed_allows(self): + def test_removed_allows(self, analysis: setools.PolicyDifference) -> None: """Redundant: no removed allow rules.""" - self.assertFalse(self.diff.removed_allows) + assert not analysis.removed_allows - def test_modified_allows(self): + def test_modified_allows(self, analysis: setools.PolicyDifference) -> None: """Redundant: no modified allow rules.""" - self.assertFalse(self.diff.modified_allows) + assert not analysis.modified_allows From 8142b856b392585a2634a00a61d4e554577609a8 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:26:49 -0400 Subject: [PATCH 44/71] TestDomainTransitionAnalysis: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_dta.py | 1077 +++++++++++++++++++------------------ 1 file changed, 543 insertions(+), 534 deletions(-) diff --git a/tests/library/test_dta.py b/tests/library/test_dta.py index 2c9e73e1..a7e43478 100644 --- a/tests/library/test_dta.py +++ b/tests/library/test_dta.py @@ -2,337 +2,333 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import typing -from setools import DomainTransitionAnalysis +import pytest +import setools from setools import TERuletype as TERT -from setools.exception import InvalidType -from setools.policyrep import Type from . import mixins -from .policyrep.util import compile_policy -class DomainTransitionAnalysisTest(mixins.ValidateRule, unittest.TestCase): +@pytest.fixture +def analysis(compiled_policy: setools.SELinuxPolicy) -> setools.DomainTransitionAnalysis: + ret = setools.DomainTransitionAnalysis(compiled_policy) + ret._build_graph() + return ret - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/dta.conf") - cls.a = DomainTransitionAnalysis(cls.p) - cls.a._build_graph() - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) +@pytest.mark.obj_args("tests/library/dta.conf") +class TestDomainTransitionAnalysis(mixins.ValidateRule): - def test_000_graph_structure(self): + def test_graph_structure(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: verify graph structure.""" # don't check node list since the disconnected nodes are not # removed after removing invalid domain transitions - start = self.p.lookup_type("start") - trans1 = self.p.lookup_type("trans1") - trans2 = self.p.lookup_type("trans2") - trans3 = self.p.lookup_type("trans3") - trans5 = self.p.lookup_type("trans5") - dyntrans100 = self.p.lookup_type("dyntrans100") - bothtrans200 = self.p.lookup_type("bothtrans200") - - edges = set(self.a.G.out_edges()) - self.assertSetEqual(set([(dyntrans100, bothtrans200), - (start, dyntrans100), - (start, trans1), - (trans1, trans2), - (trans2, trans3), - (trans3, trans5)]), edges) - - def test_001_bothtrans(self): + start = analysis.policy.lookup_type("start") + trans1 = analysis.policy.lookup_type("trans1") + trans2 = analysis.policy.lookup_type("trans2") + trans3 = analysis.policy.lookup_type("trans3") + trans5 = analysis.policy.lookup_type("trans5") + dyntrans100 = analysis.policy.lookup_type("dyntrans100") + bothtrans200 = analysis.policy.lookup_type("bothtrans200") + + edges = set(analysis.G.out_edges()) + assert set([(dyntrans100, bothtrans200), + (start, dyntrans100), + (start, trans1), + (trans1, trans2), + (trans2, trans3), + (trans3, trans5)]) == edges + + def test_bothtrans(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: type_transition, setexeccon(), and setcon() transitions.""" - s = self.p.lookup_type("dyntrans100") - t = self.p.lookup_type("bothtrans200") - e = self.p.lookup_type("bothtrans200_exec") + s = analysis.policy.lookup_type("dyntrans100") + t = analysis.policy.lookup_type("bothtrans200") + e = analysis.policy.lookup_type("bothtrans200_exec") # regular transition - r = self.a.G.edges[s, t]["transition"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["transition"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition", "dyntransition"])) # setexec perms - r = self.a.G.edges[s, t]["setexec"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["setexec"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec", "setcurrent"])) # exec perms - k = sorted(self.a.G.edges[s, t]["execute"].keys()) - self.assertEqual(k, [e]) + k = sorted(analysis.G.edges[s, t]["execute"].keys()) + assert k == [e] - r = self.a.G.edges[s, t]["execute"][e] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["execute"][e] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) # entrypoint perms - k = sorted(self.a.G.edges[s, t]["entrypoint"].keys()) - self.assertEqual(k, [e]) + k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) + assert k == [e] - r = self.a.G.edges[s, t]["entrypoint"][e] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["entrypoint"][e] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) # type_transition - k = sorted(self.a.G.edges[s, t]["type_transition"].keys()) - self.assertEqual(k, [e]) + k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) + assert k == [e] - r = self.a.G.edges[s, t]["type_transition"][e] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["type_transition"][e] + assert len(r) == 1 self.validate_rule(r[0], TERT.type_transition, s, e, "process", t) # dynamic transition - r = self.a.G.edges[s, t]["dyntransition"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["dyntransition"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition", "dyntransition"])) # setcurrent - r = self.a.G.edges[s, t]["setcurrent"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["setcurrent"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec", "setcurrent"])) - def test_010_dyntrans(self): + def test_dyntrans(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: setcon() transition.""" - s = self.p.lookup_type("start") - t = self.p.lookup_type("dyntrans100") + s = analysis.policy.lookup_type("start") + t = analysis.policy.lookup_type("dyntrans100") # regular transition - r = self.a.G.edges[s, t]["transition"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["transition"] + assert len(r) == 0 # setexec perms - r = self.a.G.edges[s, t]["setexec"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["setexec"] + assert len(r) == 0 # exec perms - k = sorted(self.a.G.edges[s, t]["execute"].keys()) - self.assertEqual(len(k), 0) + k = sorted(analysis.G.edges[s, t]["execute"].keys()) + assert len(k) == 0 # entrypoint perms - k = sorted(self.a.G.edges[s, t]["entrypoint"].keys()) - self.assertEqual(len(k), 0) + k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) + assert len(k) == 0 # type_transition - k = sorted(self.a.G.edges[s, t]["type_transition"].keys()) - self.assertEqual(len(k), 0) + k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) + assert len(k) == 0 # dynamic transition - r = self.a.G.edges[s, t]["dyntransition"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["dyntransition"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, t, "process", set(["dyntransition"])) # setcurrent - r = self.a.G.edges[s, t]["setcurrent"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["setcurrent"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, s, "process", set(["setcurrent"])) - def test_020_trans(self): + def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: type_transition transition.""" - s = self.p.lookup_type("start") - t = self.p.lookup_type("trans1") - e = self.p.lookup_type("trans1_exec") + s = analysis.policy.lookup_type("start") + t = analysis.policy.lookup_type("trans1") + e = analysis.policy.lookup_type("trans1_exec") # regular transition - r = self.a.G.edges[s, t]["transition"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["transition"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) # setexec perms - r = self.a.G.edges[s, t]["setexec"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["setexec"] + assert len(r) == 0 # exec perms - k = sorted(self.a.G.edges[s, t]["execute"].keys()) - self.assertEqual(k, [e]) + k = sorted(analysis.G.edges[s, t]["execute"].keys()) + assert k == [e] - r = self.a.G.edges[s, t]["execute"][e] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["execute"][e] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) # entrypoint perms - k = sorted(self.a.G.edges[s, t]["entrypoint"].keys()) - self.assertEqual(k, [e]) + k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) + assert k == [e] - r = self.a.G.edges[s, t]["entrypoint"][e] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["entrypoint"][e] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) # type_transition - k = sorted(self.a.G.edges[s, t]["type_transition"].keys()) - self.assertEqual(k, [e]) + k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) + assert k == [e] - r = self.a.G.edges[s, t]["type_transition"][e] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["type_transition"][e] + assert len(r) == 1 self.validate_rule(r[0], TERT.type_transition, s, e, "process", t) # dynamic transition - r = self.a.G.edges[s, t]["dyntransition"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["dyntransition"] + assert len(r) == 0 # setcurrent - r = self.a.G.edges[s, t]["setcurrent"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["setcurrent"] + assert len(r) == 0 - def test_030_setexec(self): + def test_setexec(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: setexec() transition.""" - s = self.p.lookup_type("trans1") - t = self.p.lookup_type("trans2") - e = self.p.lookup_type("trans2_exec") + s = analysis.policy.lookup_type("trans1") + t = analysis.policy.lookup_type("trans2") + e = analysis.policy.lookup_type("trans2_exec") # regular transition - r = self.a.G.edges[s, t]["transition"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["transition"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) # setexec perms - r = self.a.G.edges[s, t]["setexec"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["setexec"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec"])) # exec perms - k = sorted(self.a.G.edges[s, t]["execute"].keys()) - self.assertEqual(k, [e]) + k = sorted(analysis.G.edges[s, t]["execute"].keys()) + assert k == [e] - r = self.a.G.edges[s, t]["execute"][e] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["execute"][e] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) # entrypoint perms - k = sorted(self.a.G.edges[s, t]["entrypoint"].keys()) - self.assertEqual(k, [e]) + k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) + assert k == [e] - r = self.a.G.edges[s, t]["entrypoint"][e] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["entrypoint"][e] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) # type_transition - k = sorted(self.a.G.edges[s, t]["type_transition"].keys()) - self.assertEqual(len(k), 0) + k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) + assert len(k) == 0 # dynamic transition - r = self.a.G.edges[s, t]["dyntransition"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["dyntransition"] + assert len(r) == 0 # setcurrent - r = self.a.G.edges[s, t]["setcurrent"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["setcurrent"] + assert len(r) == 0 - def test_040_two_entrypoint(self): + def test_two_entrypoint(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: 2 entrypoints, only one by type_transition.""" - s = self.p.lookup_type("trans2") - t = self.p.lookup_type("trans3") - e = [self.p.lookup_type("trans3_exec1"), self.p.lookup_type("trans3_exec2")] + s = analysis.policy.lookup_type("trans2") + t = analysis.policy.lookup_type("trans3") + e = [analysis.policy.lookup_type("trans3_exec1"), + analysis.policy.lookup_type("trans3_exec2")] # regular transition - r = self.a.G.edges[s, t]["transition"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["transition"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) # setexec perms - r = self.a.G.edges[s, t]["setexec"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["setexec"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec"])) # exec perms - k = sorted(self.a.G.edges[s, t]["execute"].keys()) - self.assertEqual(k, e) + k = sorted(analysis.G.edges[s, t]["execute"].keys()) + assert k == e - r = self.a.G.edges[s, t]["execute"][e[0]] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["execute"][e[0]] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, e[0], "file", set(["execute"])) - r = self.a.G.edges[s, t]["execute"][e[1]] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["execute"][e[1]] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, e[1], "file", set(["execute"])) # entrypoint perms - k = sorted(self.a.G.edges[s, t]["entrypoint"].keys()) - self.assertEqual(k, e) + k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) + assert k == e - r = self.a.G.edges[s, t]["entrypoint"][e[0]] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["entrypoint"][e[0]] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, t, e[0], "file", set(["entrypoint"])) - r = self.a.G.edges[s, t]["entrypoint"][e[1]] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["entrypoint"][e[1]] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, t, e[1], "file", set(["entrypoint"])) # type_transition - k = sorted(self.a.G.edges[s, t]["type_transition"].keys()) - self.assertEqual(k, [e[0]]) + k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) + assert k == [e[0]] - r = self.a.G.edges[s, t]["type_transition"][e[0]] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["type_transition"][e[0]] + assert len(r) == 1 self.validate_rule(r[0], TERT.type_transition, s, e[0], "process", t) # dynamic transition - r = self.a.G.edges[s, t]["dyntransition"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["dyntransition"] + assert len(r) == 0 # setcurrent - r = self.a.G.edges[s, t]["setcurrent"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["setcurrent"] + assert len(r) == 0 - def test_050_cond_type_trans(self): + def test_cond_type_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: conditional type_transition.""" - s = self.p.lookup_type("trans3") - t = self.p.lookup_type("trans5") - e = self.p.lookup_type("trans5_exec") + s = analysis.policy.lookup_type("trans3") + t = analysis.policy.lookup_type("trans5") + e = analysis.policy.lookup_type("trans5_exec") # regular transition - r = self.a.G.edges[s, t]["transition"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["transition"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) # setexec perms - r = self.a.G.edges[s, t]["setexec"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["setexec"] + assert len(r) == 0 # exec perms - k = sorted(self.a.G.edges[s, t]["execute"].keys()) - self.assertEqual(k, [e]) + k = sorted(analysis.G.edges[s, t]["execute"].keys()) + assert k == [e] - r = self.a.G.edges[s, t]["execute"][e] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["execute"][e] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) # entrypoint perms - k = sorted(self.a.G.edges[s, t]["entrypoint"].keys()) - self.assertEqual(k, [e]) + k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) + assert k == [e] - r = self.a.G.edges[s, t]["entrypoint"][e] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["entrypoint"][e] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) # type_transition - k = sorted(self.a.G.edges[s, t]["type_transition"].keys()) - self.assertEqual(k, [e]) + k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) + assert k == [e] - r = self.a.G.edges[s, t]["type_transition"][e] - self.assertEqual(len(r), 1) + r = analysis.G.edges[s, t]["type_transition"][e] + assert len(r) == 1 self.validate_rule(r[0], TERT.type_transition, s, e, "process", t, cond="trans5") # dynamic transition - r = self.a.G.edges[s, t]["dyntransition"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["dyntransition"] + assert len(r) == 0 # setcurrent - r = self.a.G.edges[s, t]["setcurrent"] - self.assertEqual(len(r), 0) + r = analysis.G.edges[s, t]["setcurrent"] + assert len(r) == 0 - def test_100_forward_subgraph_structure(self): + def test_forward_subgraph_structure(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: verify forward subgraph structure.""" # The purpose is to ensure the subgraph is reversed # only when the reverse option is set, not that @@ -341,26 +337,26 @@ def test_100_forward_subgraph_structure(self): # Don't check node list since the disconnected nodes are not # removed after removing invalid domain transitions - self.a.reverse = False - self.a._build_subgraph() - - start = self.p.lookup_type("start") - trans1 = self.p.lookup_type("trans1") - trans2 = self.p.lookup_type("trans2") - trans3 = self.p.lookup_type("trans3") - trans5 = self.p.lookup_type("trans5") - dyntrans100 = self.p.lookup_type("dyntrans100") - bothtrans200 = self.p.lookup_type("bothtrans200") - - edges = set(self.a.subG.out_edges()) - self.assertSetEqual(set([(dyntrans100, bothtrans200), - (start, dyntrans100), - (start, trans1), - (trans1, trans2), - (trans2, trans3), - (trans3, trans5)]), edges) - - def test_101_reverse_subgraph_structure(self): + analysis.reverse = False + analysis._build_subgraph() + + start = analysis.policy.lookup_type("start") + trans1 = analysis.policy.lookup_type("trans1") + trans2 = analysis.policy.lookup_type("trans2") + trans3 = analysis.policy.lookup_type("trans3") + trans5 = analysis.policy.lookup_type("trans5") + dyntrans100 = analysis.policy.lookup_type("dyntrans100") + bothtrans200 = analysis.policy.lookup_type("bothtrans200") + + edges = set(analysis.subG.out_edges()) + assert set([(dyntrans100, bothtrans200), + (start, dyntrans100), + (start, trans1), + (trans1, trans2), + (trans2, trans3), + (trans3, trans5)]) == edges + + def test_reverse_subgraph_structure(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: verify reverse subgraph structure.""" # The purpose is to ensure the subgraph is reversed # only when the reverse option is set, not that @@ -369,514 +365,527 @@ def test_101_reverse_subgraph_structure(self): # Don't check node list since the disconnected nodes are not # removed after removing invalid domain transitions - self.a.reverse = True - self.a._build_subgraph() - - start = self.p.lookup_type("start") - trans1 = self.p.lookup_type("trans1") - trans2 = self.p.lookup_type("trans2") - trans3 = self.p.lookup_type("trans3") - trans5 = self.p.lookup_type("trans5") - dyntrans100 = self.p.lookup_type("dyntrans100") - bothtrans200 = self.p.lookup_type("bothtrans200") - - edges = set(self.a.subG.out_edges()) - self.assertSetEqual(set([(bothtrans200, dyntrans100), - (dyntrans100, start), - (trans1, start), - (trans2, trans1), - (trans3, trans2), - (trans5, trans3)]), edges) - - def test_200_exclude_domain(self): + analysis.reverse = True + analysis._build_subgraph() + + start = analysis.policy.lookup_type("start") + trans1 = analysis.policy.lookup_type("trans1") + trans2 = analysis.policy.lookup_type("trans2") + trans3 = analysis.policy.lookup_type("trans3") + trans5 = analysis.policy.lookup_type("trans5") + dyntrans100 = analysis.policy.lookup_type("dyntrans100") + bothtrans200 = analysis.policy.lookup_type("bothtrans200") + + edges = set(analysis.subG.out_edges()) + assert set([(bothtrans200, dyntrans100), + (dyntrans100, start), + (trans1, start), + (trans2, trans1), + (trans3, trans2), + (trans5, trans3)]) == edges + + def test_exclude_domain(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: exclude domain type.""" # Don't check node list since the disconnected nodes are not # removed after removing invalid domain transitions - self.a.reverse = False - self.a.exclude = ["trans1"] - self.a._build_subgraph() - - start = self.p.lookup_type("start") - trans2 = self.p.lookup_type("trans2") - trans3 = self.p.lookup_type("trans3") - trans5 = self.p.lookup_type("trans5") - dyntrans100 = self.p.lookup_type("dyntrans100") - bothtrans200 = self.p.lookup_type("bothtrans200") - - edges = set(self.a.subG.out_edges()) - self.assertSetEqual(set([(dyntrans100, bothtrans200), - (start, dyntrans100), - (trans2, trans3), - (trans3, trans5)]), edges) - - def test_201_exclude_entryoint_with_2entrypoints(self): + analysis.reverse = False + analysis.exclude = ["trans1"] # type: ignore[list-item] + analysis._build_subgraph() + + start = analysis.policy.lookup_type("start") + trans2 = analysis.policy.lookup_type("trans2") + trans3 = analysis.policy.lookup_type("trans3") + trans5 = analysis.policy.lookup_type("trans5") + dyntrans100 = analysis.policy.lookup_type("dyntrans100") + bothtrans200 = analysis.policy.lookup_type("bothtrans200") + + edges = set(analysis.subG.out_edges()) + assert set([(dyntrans100, bothtrans200), + (start, dyntrans100), + (trans2, trans3), + (trans3, trans5)]) == edges + + def test_exclude_entryoint_with_2entrypoints( + self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: exclude entrypoint type without transition deletion (other entrypoints).""" # Don't check node list since the disconnected nodes are not # removed after removing invalid domain transitions - self.a.reverse = False - self.a.exclude = ["trans3_exec1"] - self.a._build_subgraph() - - start = self.p.lookup_type("start") - trans1 = self.p.lookup_type("trans1") - trans2 = self.p.lookup_type("trans2") - trans3 = self.p.lookup_type("trans3") - trans5 = self.p.lookup_type("trans5") - dyntrans100 = self.p.lookup_type("dyntrans100") - bothtrans200 = self.p.lookup_type("bothtrans200") - - edges = set(self.a.subG.out_edges()) - self.assertSetEqual(set([(dyntrans100, bothtrans200), - (start, dyntrans100), - (start, trans1), - (trans1, trans2), - (trans2, trans3), - (trans3, trans5)]), edges) - - def test_202_exclude_entryoint_with_dyntrans(self): + analysis.reverse = False + analysis.exclude = ["trans3_exec1"] # type: ignore[list-item] + analysis._build_subgraph() + + start = analysis.policy.lookup_type("start") + trans1 = analysis.policy.lookup_type("trans1") + trans2 = analysis.policy.lookup_type("trans2") + trans3 = analysis.policy.lookup_type("trans3") + trans5 = analysis.policy.lookup_type("trans5") + dyntrans100 = analysis.policy.lookup_type("dyntrans100") + bothtrans200 = analysis.policy.lookup_type("bothtrans200") + + edges = set(analysis.subG.out_edges()) + assert set([(dyntrans100, bothtrans200), + (start, dyntrans100), + (start, trans1), + (trans1, trans2), + (trans2, trans3), + (trans3, trans5)]) == edges + + def test_exclude_entryoint_with_dyntrans( + self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: exclude entrypoint type without transition deletion (dyntrans).""" # Don't check node list since the disconnected nodes are not # removed after removing invalid domain transitions - self.a.reverse = False - self.a.exclude = ["bothtrans200_exec"] - self.a._build_subgraph() - - start = self.p.lookup_type("start") - trans1 = self.p.lookup_type("trans1") - trans2 = self.p.lookup_type("trans2") - trans3 = self.p.lookup_type("trans3") - trans5 = self.p.lookup_type("trans5") - dyntrans100 = self.p.lookup_type("dyntrans100") - bothtrans200 = self.p.lookup_type("bothtrans200") - - edges = set(self.a.subG.out_edges()) - self.assertSetEqual(set([(dyntrans100, bothtrans200), - (start, dyntrans100), - (start, trans1), - (trans1, trans2), - (trans2, trans3), - (trans3, trans5)]), edges) - - def test_203_exclude_entryoint_delete_transition(self): + analysis.reverse = False + analysis.exclude = ["bothtrans200_exec"] # type: ignore[list-item] + analysis._build_subgraph() + + start = analysis.policy.lookup_type("start") + trans1 = analysis.policy.lookup_type("trans1") + trans2 = analysis.policy.lookup_type("trans2") + trans3 = analysis.policy.lookup_type("trans3") + trans5 = analysis.policy.lookup_type("trans5") + dyntrans100 = analysis.policy.lookup_type("dyntrans100") + bothtrans200 = analysis.policy.lookup_type("bothtrans200") + + edges = set(analysis.subG.out_edges()) + assert set([(dyntrans100, bothtrans200), + (start, dyntrans100), + (start, trans1), + (trans1, trans2), + (trans2, trans3), + (trans3, trans5)]) == edges + + def test_exclude_entryoint_delete_transition( + self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: exclude entrypoint type with transition deletion.""" # Don't check node list since the disconnected nodes are not # removed after removing invalid domain transitions - self.a.reverse = False - self.a.exclude = ["trans2_exec"] - self.a._build_subgraph() - - start = self.p.lookup_type("start") - trans1 = self.p.lookup_type("trans1") - trans2 = self.p.lookup_type("trans2") - trans3 = self.p.lookup_type("trans3") - trans5 = self.p.lookup_type("trans5") - dyntrans100 = self.p.lookup_type("dyntrans100") - bothtrans200 = self.p.lookup_type("bothtrans200") - - edges = set(self.a.subG.out_edges()) - self.assertSetEqual(set([(dyntrans100, bothtrans200), - (start, dyntrans100), - (start, trans1), - (trans2, trans3), - (trans3, trans5)]), edges) - - def test_300_all_paths(self): + analysis.reverse = False + analysis.exclude = ["trans2_exec"] # type: ignore[list-item] + analysis._build_subgraph() + + start = analysis.policy.lookup_type("start") + trans1 = analysis.policy.lookup_type("trans1") + trans2 = analysis.policy.lookup_type("trans2") + trans3 = analysis.policy.lookup_type("trans3") + trans5 = analysis.policy.lookup_type("trans5") + dyntrans100 = analysis.policy.lookup_type("dyntrans100") + bothtrans200 = analysis.policy.lookup_type("bothtrans200") + + edges = set(analysis.subG.out_edges()) + assert set([(dyntrans100, bothtrans200), + (start, dyntrans100), + (start, trans1), + (trans2, trans3), + (trans3, trans5)]) == edges + + def test_all_paths(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all paths output""" - self.a.reverse = False - self.a.exclude = None - self.a.source = "start" - self.a.target = "bothtrans200" - self.a.depth_limit = 3 - self.a.mode = DomainTransitionAnalysis.Mode.AllPaths + analysis.reverse = False + analysis.exclude = [] + analysis.source = "start" + analysis.target = "bothtrans200" + analysis.depth_limit = 3 + analysis.mode = setools.DomainTransitionAnalysis.Mode.AllPaths expected_path = ["start", "dyntrans100", "bothtrans200"] - paths = list(self.a.results()) - self.assertEqual(1, len(paths)) + paths = list(analysis.results()) + assert 1 == len(paths) for path in paths: - for stepnum, step in enumerate(path): - self.assertIsInstance(step.source, Type) - self.assertIsInstance(step.target, Type) - self.assertEqual(expected_path[stepnum], step.source) - self.assertEqual(expected_path[stepnum + 1], step.target) + for stepnum, step in enumerate(typing.cast(setools.DTAPath, path)): + assert isinstance(step.source, setools.Type) + assert isinstance(step.target, setools.Type) + assert expected_path[stepnum] == step.source + assert expected_path[stepnum + 1] == step.target for r in step.transition: - self.assertIn("transition", r.perms) + assert "transition" in r.perms for e in step.entrypoints: - self.assertIsInstance(e.name, Type) + assert isinstance(e.name, setools.Type) for r in e.entrypoint: - self.assertIn("entrypoint", r.perms) + assert "entrypoint" in r.perms for r in e.execute: - self.assertIn("execute", r.perms) + assert "execute" in r.perms for r in e.type_transition: - self.assertEqual(TERT.type_transition, r.ruletype) + assert TERT.type_transition == r.ruletype for r in step.setexec: - self.assertIn("setexec", r.perms) + assert "setexec" in r.perms for r in step.dyntransition: - self.assertIn("dyntransition", r.perms) + assert "dyntransition" in r.perms for r in step.setcurrent: - self.assertIn("setcurrent", r.perms) + assert "setcurrent" in r.perms - def test_301_all_shortest_paths(self): + def test_all_shortest_paths(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all shortest paths output""" - self.a.reverse = False - self.a.exclude = None - self.a.source = "start" - self.a.target = "bothtrans200" - self.a.mode = DomainTransitionAnalysis.Mode.ShortestPaths + analysis.reverse = False + analysis.exclude = [] + analysis.source = "start" + analysis.target = "bothtrans200" + analysis.mode = setools.DomainTransitionAnalysis.Mode.ShortestPaths expected_path = ["start", "dyntrans100", "bothtrans200"] - paths = list(self.a.results()) - self.assertEqual(1, len(paths)) + paths = list(analysis.results()) + assert 1 == len(paths) for path in paths: - for stepnum, step in enumerate(path): - self.assertIsInstance(step.source, Type) - self.assertIsInstance(step.target, Type) - self.assertEqual(expected_path[stepnum], step.source) - self.assertEqual(expected_path[stepnum + 1], step.target) + for stepnum, step in enumerate(typing.cast(setools.DTAPath, path)): + assert isinstance(step.source, setools.Type) + assert isinstance(step.target, setools.Type) + assert expected_path[stepnum] == step.source + assert expected_path[stepnum + 1] == step.target for r in step.transition: - self.assertIn("transition", r.perms) + assert "transition" in r.perms for e in step.entrypoints: - self.assertIsInstance(e.name, Type) + assert isinstance(e.name, setools.Type) for r in e.entrypoint: - self.assertIn("entrypoint", r.perms) + assert "entrypoint" in r.perms for r in e.execute: - self.assertIn("execute", r.perms) + assert "execute" in r.perms for r in e.type_transition: - self.assertEqual(TERT.type_transition, r.ruletype) + assert TERT.type_transition == r.ruletype for r in step.setexec: - self.assertIn("setexec", r.perms) + assert "setexec" in r.perms for r in step.dyntransition: - self.assertIn("dyntransition", r.perms) + assert "dyntransition" in r.perms for r in step.setcurrent: - self.assertIn("setcurrent", r.perms) + assert "setcurrent" in r.perms - def test_303_transitions(self): + def test_transitions(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: transitions output""" - self.a.reverse = False - self.a.exclude = None - self.a.source = "start" - self.a.depth_limit = 1 - self.a.mode = DomainTransitionAnalysis.Mode.TransitionsOut + analysis.reverse = False + analysis.exclude = [] + analysis.source = "start" + analysis.depth_limit = 1 + analysis.mode = setools.DomainTransitionAnalysis.Mode.TransitionsOut - transitions = list(self.a.results()) - self.assertEqual(2, len(transitions)) + transitions = list(analysis.results()) + assert 2 == len(transitions) for step in transitions: - self.assertIsInstance(step.source, Type) - self.assertIsInstance(step.target, Type) - self.assertEqual("start", step.source) + assert isinstance(step, setools.DomainTransition) + assert isinstance(step.source, setools.Type) + assert isinstance(step.target, setools.Type) + assert "start" == step.source for r in step.transition: - self.assertIn("transition", r.perms) + assert "transition" in r.perms for e in step.entrypoints: - self.assertIsInstance(e.name, Type) + assert isinstance(e.name, setools.Type) for r in e.entrypoint: - self.assertIn("entrypoint", r.perms) + assert "entrypoint" in r.perms for r in e.execute: - self.assertIn("execute", r.perms) + assert "execute" in r.perms for r in e.type_transition: - self.assertEqual(TERT.type_transition, r.ruletype) + assert TERT.type_transition == r.ruletype for r in step.setexec: - self.assertIn("setexec", r.perms) + assert "setexec" in r.perms for r in step.dyntransition: - self.assertIn("dyntransition", r.perms) + assert "dyntransition" in r.perms for r in step.setcurrent: - self.assertIn("setcurrent", r.perms) + assert "setcurrent" in r.perms - def test_310_all_paths_reversed(self): + def test_all_paths_reversed(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all paths output reverse DTA""" - self.a.reverse = True - self.a.exclude = None - self.a.source = "bothtrans200" - self.a.target = "start" - self.a.depth_limit = 3 - self.a.mode = DomainTransitionAnalysis.Mode.AllPaths + analysis.reverse = True + analysis.exclude = [] + analysis.source = "bothtrans200" + analysis.target = "start" + analysis.depth_limit = 3 + analysis.mode = setools.DomainTransitionAnalysis.Mode.AllPaths expected_path = ["bothtrans200", "dyntrans100", "start"] - paths = list(self.a.results()) - self.assertEqual(1, len(paths)) + paths = list(analysis.results()) + assert 1 == len(paths) for path in paths: - for stepnum, step in enumerate(path): - self.assertIsInstance(step.source, Type) - self.assertIsInstance(step.target, Type) - self.assertEqual(step.source, expected_path[stepnum + 1]) - self.assertEqual(step.target, expected_path[stepnum]) + for stepnum, step in enumerate(typing.cast(setools.DTAPath, path)): + assert isinstance(step.source, setools.Type) + assert isinstance(step.target, setools.Type) + assert step.source == expected_path[stepnum + 1] + assert step.target == expected_path[stepnum] for r in step.transition: - self.assertIn("transition", r.perms) + assert "transition" in r.perms for e in step.entrypoints: - self.assertIsInstance(e.name, Type) + assert isinstance(e.name, setools.Type) for r in e.entrypoint: - self.assertIn("entrypoint", r.perms) + assert "entrypoint" in r.perms for r in e.execute: - self.assertIn("execute", r.perms) + assert "execute" in r.perms for r in e.type_transition: - self.assertEqual(TERT.type_transition, r.ruletype) + assert TERT.type_transition == r.ruletype for r in step.setexec: - self.assertIn("setexec", r.perms) + assert "setexec" in r.perms for r in step.dyntransition: - self.assertIn("dyntransition", r.perms) + assert "dyntransition" in r.perms for r in step.setcurrent: - self.assertIn("setcurrent", r.perms) + assert "setcurrent" in r.perms - def test_311_all_shortest_paths_reversed(self): + def test_all_shortest_paths_reversed(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all shortest paths output reverse DTA""" - self.a.reverse = True - self.a.exclude = None - self.a.source = "bothtrans200" - self.a.target = "start" - self.a.mode = DomainTransitionAnalysis.Mode.ShortestPaths + analysis.reverse = True + analysis.exclude = [] + analysis.source = "bothtrans200" + analysis.target = "start" + analysis.mode = setools.DomainTransitionAnalysis.Mode.ShortestPaths expected_path = ["bothtrans200", "dyntrans100", "start"] - paths = list(self.a.results()) - self.assertEqual(1, len(paths)) + paths = list(analysis.results()) + assert 1 == len(paths) for path in paths: - for stepnum, step in enumerate(path): - self.assertIsInstance(step.source, Type) - self.assertIsInstance(step.target, Type) - self.assertEqual(step.source, expected_path[stepnum + 1]) - self.assertEqual(step.target, expected_path[stepnum]) + for stepnum, step in enumerate(typing.cast(setools.DTAPath, path)): + assert isinstance(step.source, setools.Type) + assert isinstance(step.target, setools.Type) + assert step.source == expected_path[stepnum + 1] + assert step.target == expected_path[stepnum] for r in step.transition: - self.assertIn("transition", r.perms) + assert "transition" in r.perms for e in step.entrypoints: - self.assertIsInstance(e.name, Type) + assert isinstance(e.name, setools.Type) for r in e.entrypoint: - self.assertIn("entrypoint", r.perms) + assert "entrypoint" in r.perms for r in e.execute: - self.assertIn("execute", r.perms) + assert "execute" in r.perms for r in e.type_transition: - self.assertEqual(TERT.type_transition, r.ruletype) + assert TERT.type_transition == r.ruletype for r in step.setexec: - self.assertIn("setexec", r.perms) + assert "setexec" in r.perms for r in step.dyntransition: - self.assertIn("dyntransition", r.perms) + assert "dyntransition" in r.perms for r in step.setcurrent: - self.assertIn("setcurrent", r.perms) + assert "setcurrent" in r.perms - def test_313_transitions_reversed(self): + def test_transitions_reversed(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: transitions output reverse DTA""" - self.a.reverse = False - self.a.exclude = None - self.a.target = "bothtrans200" - self.a.depth_limit = 1 - self.a.mode = DomainTransitionAnalysis.Mode.TransitionsIn + analysis.reverse = False + analysis.exclude = [] + analysis.target = "bothtrans200" + analysis.depth_limit = 1 + analysis.mode = setools.DomainTransitionAnalysis.Mode.TransitionsIn - transitions = list(self.a.results()) - self.assertEqual(1, len(transitions)) + transitions = list(analysis.results()) + assert 1 == len(transitions) for step in transitions: - self.assertIsInstance(step.source, Type) - self.assertIsInstance(step.target, Type) - self.assertEqual("bothtrans200", step.target) + assert isinstance(step, setools.DomainTransition) + assert isinstance(step.source, setools.Type) + assert isinstance(step.target, setools.Type) + assert "bothtrans200" == step.target for r in step.transition: - self.assertIn("transition", r.perms) + assert "transition" in r.perms for e in step.entrypoints: - self.assertIsInstance(e.name, Type) + assert isinstance(e.name, setools.Type) for r in e.entrypoint: - self.assertIn("entrypoint", r.perms) + assert "entrypoint" in r.perms for r in e.execute: - self.assertIn("execute", r.perms) + assert "execute" in r.perms for r in e.type_transition: - self.assertEqual(TERT.type_transition, r.ruletype) + assert TERT.type_transition == r.ruletype for r in step.setexec: - self.assertIn("setexec", r.perms) + assert "setexec" in r.perms for r in step.dyntransition: - self.assertIn("dyntransition", r.perms) + assert "dyntransition" in r.perms for r in step.setcurrent: - self.assertIn("setcurrent", r.perms) + assert "setcurrent" in r.perms - def test_900_set_exclude_invalid_type(self): + def test_set_exclude_invalid_type(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: set invalid excluded type.""" - self.a.reverse = False - self.a.exclude = None - with self.assertRaises(InvalidType): - self.a.exclude = ["trans1", "invalid_type"] + analysis.reverse = False + analysis.exclude = [] + with pytest.raises(setools.exception.InvalidType): + analysis.exclude = ["trans1", "invalid_type"] # type: ignore[list-item] - def test_910_all_paths_invalid_source(self): + def test_all_paths_invalid_source(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all paths with invalid source type.""" - self.a.reverse = False - self.a.exclude = None - self.a.mode = DomainTransitionAnalysis.Mode.AllPaths - with self.assertRaises(InvalidType): - self.a.source = "invalid_type" + analysis.reverse = False + analysis.exclude = [] + analysis.mode = setools.DomainTransitionAnalysis.Mode.AllPaths + with pytest.raises(setools.exception.InvalidType): + analysis.source = "invalid_type" - def test_911_all_paths_invalid_target(self): + def test_all_paths_invalid_target(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all paths with invalid target type.""" - self.a.reverse = False - self.a.exclude = None - self.a.mode = DomainTransitionAnalysis.Mode.AllPaths - with self.assertRaises(InvalidType): - self.a.target = "invalid_type" + analysis.reverse = False + analysis.exclude = [] + analysis.mode = setools.DomainTransitionAnalysis.Mode.AllPaths + with pytest.raises(setools.exception.InvalidType): + analysis.target = "invalid_type" - def test_912_all_paths_invalid_maxlen(self): + def test_all_paths_invalid_maxlen(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all paths with invalid max path length.""" - self.a.reverse = False - self.a.exclude = None - self.a.mode = DomainTransitionAnalysis.Mode.AllPaths - with self.assertRaises(ValueError): - self.a.depth_limit = -2 + analysis.reverse = False + analysis.exclude = [] + analysis.mode = setools.DomainTransitionAnalysis.Mode.AllPaths + with pytest.raises(ValueError): + analysis.depth_limit = -2 - def test_913_all_paths_source_excluded(self): + def test_all_paths_source_excluded(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all paths with excluded source type.""" - self.a.reverse = False - self.a.exclude = ["trans1"] - self.a.source = "trans1" - self.a.target = "trans2" - self.a.mode = DomainTransitionAnalysis.Mode.AllPaths - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_914_all_paths_target_excluded(self): + analysis.reverse = False + analysis.exclude = ["trans1"] # type: ignore[list-item] + analysis.source = "trans1" + analysis.target = "trans2" + analysis.mode = setools.DomainTransitionAnalysis.Mode.AllPaths + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_paths_target_excluded(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all paths with excluded target type.""" - self.a.reverse = False - self.a.exclude = ["trans2"] - self.a.source = "trans1" - self.a.target = "trans2" - self.a.mode = DomainTransitionAnalysis.Mode.AllPaths - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_915_all_paths_source_disconnected(self): + analysis.reverse = False + analysis.exclude = ["trans2"] # type: ignore[list-item] + analysis.source = "trans1" + analysis.target = "trans2" + analysis.mode = setools.DomainTransitionAnalysis.Mode.AllPaths + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_paths_source_disconnected( + self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all paths with disconnected source type.""" - self.a.reverse = False - self.a.exclude = None - self.a.source = "trans5" - self.a.target = "trans2" - self.a.mode = DomainTransitionAnalysis.Mode.AllPaths - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_916_all_paths_target_disconnected(self): + analysis.reverse = False + analysis.exclude = [] + analysis.source = "trans5" + analysis.target = "trans2" + analysis.mode = setools.DomainTransitionAnalysis.Mode.AllPaths + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_paths_target_disconnected( + self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all paths with disconnected target type.""" - self.a.reverse = False - self.a.exclude = ["trans3"] - self.a.source = "trans2" - self.a.target = "trans5" - self.a.mode = DomainTransitionAnalysis.Mode.AllPaths - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_925_shortest_path_target_disconnected(self): + analysis.reverse = False + analysis.exclude = ["trans3"] # type: ignore[list-item] + analysis.source = "trans2" + analysis.target = "trans5" + analysis.mode = setools.DomainTransitionAnalysis.Mode.AllPaths + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_shortest_path_target_disconnected( + self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: shortest path with disconnected target type.""" - self.a.reverse = False - self.a.exclude = ["trans3"] - self.a.source = "trans2" - self.a.target = "trans5" - self.a.mode = DomainTransitionAnalysis.Mode.ShortestPaths - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_932_all_shortest_paths_source_excluded(self): + analysis.reverse = False + analysis.exclude = ["trans3"] # type: ignore[list-item] + analysis.source = "trans2" + analysis.target = "trans5" + analysis.mode = setools.DomainTransitionAnalysis.Mode.ShortestPaths + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_shortest_paths_source_excluded( + self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all shortest paths with excluded source type.""" - self.a.reverse = False - self.a.exclude = ["trans1"] - self.a.source = "trans1" - self.a.target = "trans2" - self.a.mode = DomainTransitionAnalysis.Mode.ShortestPaths - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_933_all_shortest_paths_target_excluded(self): + analysis.reverse = False + analysis.exclude = ["trans1"] # type: ignore[list-item] + analysis.source = "trans1" + analysis.target = "trans2" + analysis.mode = setools.DomainTransitionAnalysis.Mode.ShortestPaths + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_shortest_paths_target_excluded( + self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all shortest paths with excluded target type.""" - self.a.reverse = False - self.a.exclude = ["trans2"] - self.a.source = "trans1" - self.a.target = "trans2" - self.a.mode = DomainTransitionAnalysis.Mode.ShortestPaths - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_934_all_shortest_paths_source_disconnected(self): + analysis.reverse = False + analysis.exclude = ["trans2"] # type: ignore[list-item] + analysis.source = "trans1" + analysis.target = "trans2" + analysis.mode = setools.DomainTransitionAnalysis.Mode.ShortestPaths + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_shortest_paths_source_disconnected( + self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all shortest paths with disconnected source type.""" - self.a.reverse = False - self.a.exclude = None - self.a.source = "trans5" - self.a.target = "trans2" - self.a.mode = DomainTransitionAnalysis.Mode.ShortestPaths - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_935_all_shortest_paths_target_disconnected(self): + analysis.reverse = False + analysis.exclude = [] + analysis.source = "trans5" + analysis.target = "trans2" + analysis.mode = setools.DomainTransitionAnalysis.Mode.ShortestPaths + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_shortest_paths_target_disconnected( + self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: all shortest paths with disconnected target type.""" - self.a.reverse = False - self.a.exclude = ["trans3"] - self.a.source = "trans2" - self.a.target = "trans5" - self.a.mode = DomainTransitionAnalysis.Mode.ShortestPaths - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_941_transitions_source_excluded(self): + analysis.reverse = False + analysis.exclude = ["trans3"] # type: ignore[list-item] + analysis.source = "trans2" + analysis.target = "trans5" + analysis.mode = setools.DomainTransitionAnalysis.Mode.ShortestPaths + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_transitions_source_excluded(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: transitions with excluded source type.""" - self.a.reverse = False - self.a.exclude = ["trans1"] - self.a.mode = DomainTransitionAnalysis.Mode.TransitionsOut - self.a.source = "trans1" - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_942_transitions_source_disconnected(self): + analysis.reverse = False + analysis.exclude = ["trans1"] # type: ignore[list-item] + analysis.mode = setools.DomainTransitionAnalysis.Mode.TransitionsOut + analysis.source = "trans1" + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_transitions_source_disconnected( + self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: transitions with disconnected source type.""" - self.a.reverse = False - self.a.exclude = ["trans3"] - self.a.source = "trans5" - self.a.mode = DomainTransitionAnalysis.Mode.TransitionsOut - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) + analysis.reverse = False + analysis.exclude = ["trans3"] # type: ignore[list-item] + analysis.source = "trans5" + analysis.mode = setools.DomainTransitionAnalysis.Mode.TransitionsOut + paths = list(analysis.results()) + assert 0 == len(paths) From 3a7e05b2af2da0109dc0875e13498b5b34ca6fc8 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:27:11 -0400 Subject: [PATCH 45/71] TestFSUseQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_fsusequery.py | 197 +++++++++++++++---------------- 1 file changed, 97 insertions(+), 100 deletions(-) diff --git a/tests/library/test_fsusequery.py b/tests/library/test_fsusequery.py index 5319308b..dd36aa26 100644 --- a/tests/library/test_fsusequery.py +++ b/tests/library/test_fsusequery.py @@ -2,219 +2,216 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import FSUseQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/fsusequery.conf") +class TestFSUseQuery: - -class FSUseQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/fsusequery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with no criteria""" # query with no parameters gets all fs_use_*. - fsu = sorted(self.p.fs_uses()) + fsu = sorted(compiled_policy.fs_uses()) - q = FSUseQuery(self.p) + q = setools.FSUseQuery(compiled_policy) q_fsu = sorted(q.results()) - self.assertListEqual(fsu, q_fsu) + assert fsu == q_fsu - def test_001_fs_exact(self): + def test_fs_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with exact fs match""" - q = FSUseQuery(self.p, fs="test1", fs_regex=False) + q = setools.FSUseQuery(compiled_policy, fs="test1", fs_regex=False) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test1"], fsu) + assert ["test1"] == fsu - def test_002_fs_regex(self): + def test_fs_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with regex fs match""" - q = FSUseQuery(self.p, fs="test2(a|b)", fs_regex=True) + q = setools.FSUseQuery(compiled_policy, fs="test2(a|b)", fs_regex=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test2a", "test2b"], fsu) + assert ["test2a", "test2b"] == fsu - def test_010_ruletype(self): + def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with ruletype match""" - q = FSUseQuery(self.p, ruletype=['fs_use_trans', 'fs_use_task']) + q = setools.FSUseQuery(compiled_policy, ruletype=['fs_use_trans', 'fs_use_task']) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test10a", "test10b"], fsu) + assert ["test10a", "test10b"] == fsu - def test_020_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context user exact match""" - q = FSUseQuery(self.p, user="user20", user_regex=False) + q = setools.FSUseQuery(compiled_policy, user="user20", user_regex=False) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test20"], fsu) + assert ["test20"] == fsu - def test_021_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context user regex match""" - q = FSUseQuery(self.p, user="user21(a|b)", user_regex=True) + q = setools.FSUseQuery(compiled_policy, user="user21(a|b)", user_regex=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test21a", "test21b"], fsu) + assert ["test21a", "test21b"] == fsu - def test_030_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context role exact match""" - q = FSUseQuery(self.p, role="role30_r", role_regex=False) + q = setools.FSUseQuery(compiled_policy, role="role30_r", role_regex=False) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test30"], fsu) + assert ["test30"] == fsu - def test_031_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context role regex match""" - q = FSUseQuery(self.p, role="role31(a|c)_r", role_regex=True) + q = setools.FSUseQuery(compiled_policy, role="role31(a|c)_r", role_regex=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test31a", "test31c"], fsu) + assert ["test31a", "test31c"] == fsu - def test_040_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context type exact match""" - q = FSUseQuery(self.p, type_="type40", type_regex=False) + q = setools.FSUseQuery(compiled_policy, type_="type40", type_regex=False) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test40"], fsu) + assert ["test40"] == fsu - def test_041_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context type regex match""" - q = FSUseQuery(self.p, type_="type41(b|c)", type_regex=True) + q = setools.FSUseQuery(compiled_policy, type_="type41(b|c)", type_regex=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test41b", "test41c"], fsu) + assert ["test41b", "test41c"] == fsu - def test_050_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range exact match""" - q = FSUseQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.FSUseQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test50"], fsu) + assert ["test50"] == fsu - def test_051_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range overlap match (equal)""" - q = FSUseQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.FSUseQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", range_overlap=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test51"], fsu) + assert ["test51"] == fsu - def test_051_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range overlap match (subset)""" - q = FSUseQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.FSUseQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test51"], fsu) + assert ["test51"] == fsu - def test_051_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range overlap match (superset)""" - q = FSUseQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.FSUseQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test51"], fsu) + assert ["test51"] == fsu - def test_051_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range overlap match (overlap low level)""" - q = FSUseQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.FSUseQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test51"], fsu) + assert ["test51"] == fsu - def test_051_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range overlap match (overlap high level)""" - q = FSUseQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.FSUseQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test51"], fsu) + assert ["test51"] == fsu - def test_052_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range subset match""" - q = FSUseQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.FSUseQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test52"], fsu) + assert ["test52"] == fsu - def test_052_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range subset match (equal)""" - q = FSUseQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.FSUseQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", range_overlap=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test52"], fsu) + assert ["test52"] == fsu - def test_053_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range superset match""" - q = FSUseQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.FSUseQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test53"], fsu) + assert ["test53"] == fsu - def test_053_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range superset match (equal)""" - q = FSUseQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.FSUseQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", range_superset=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test53"], fsu) + assert ["test53"] == fsu - def test_054_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range proper subset match""" - q = FSUseQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.FSUseQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test54"], fsu) + assert ["test54"] == fsu - def test_054_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range proper subset match (equal)""" - q = FSUseQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.FSUseQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", range_subset=True, + range_proper=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual([], fsu) + assert [] == fsu - def test_054_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range proper subset match (equal low only)""" - q = FSUseQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.FSUseQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", range_subset=True, + range_proper=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test54"], fsu) + assert ["test54"] == fsu - def test_054_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range proper subset match (equal high only)""" - q = FSUseQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.FSUseQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, + range_proper=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test54"], fsu) + assert ["test54"] == fsu - def test_055_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range proper superset match""" - q = FSUseQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.FSUseQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test55"], fsu) + assert ["test55"] == fsu - def test_055_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range proper superset match (equal)""" - q = FSUseQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.FSUseQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", range_superset=True, + range_proper=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual([], fsu) + assert [] == fsu - def test_055_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range proper superset match (equal low)""" - q = FSUseQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + q = setools.FSUseQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", range_superset=True, + range_proper=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test55"], fsu) + assert ["test55"] == fsu - def test_055_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """fs_use_* query with context range proper superset match (equal high)""" - q = FSUseQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.FSUseQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) fsu = sorted(s.fs for s in q.results()) - self.assertListEqual(["test55"], fsu) + assert ["test55"] == fsu From a776e73fbef1b3037caba75af2ba315a693660d2 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:27:46 -0400 Subject: [PATCH 46/71] TestGenfsconQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_genfsconquery.py | 212 ++++++++++++++-------------- 1 file changed, 106 insertions(+), 106 deletions(-) diff --git a/tests/library/test_genfsconquery.py b/tests/library/test_genfsconquery.py index 2248c2c2..ac5b934b 100644 --- a/tests/library/test_genfsconquery.py +++ b/tests/library/test_genfsconquery.py @@ -2,235 +2,235 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest import stat -from setools import GenfsconQuery +import pytest +import setools -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/genfsconquery.conf") +class TestGenfsconQuery: -class GenfsconQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/genfsconquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with no criteria""" # query with no parameters gets all genfs. - genfs = sorted(self.p.genfscons()) + genfs = sorted(compiled_policy.genfscons()) - q = GenfsconQuery(self.p) + q = setools.GenfsconQuery(compiled_policy) q_genfs = sorted(q.results()) - self.assertListEqual(genfs, q_genfs) + assert genfs == q_genfs - def test_001_fs_exact(self): + def test_fs_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with exact fs match""" - q = GenfsconQuery(self.p, fs="test1", fs_regex=False) + q = setools.GenfsconQuery(compiled_policy, fs="test1", fs_regex=False) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test1"], genfs) + assert ["test1"] == genfs - def test_002_fs_regex(self): + def test_fs_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with regex fs match""" - q = GenfsconQuery(self.p, fs="test2(a|b)", fs_regex=True) + q = setools.GenfsconQuery(compiled_policy, fs="test2(a|b)", fs_regex=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test2a", "test2b"], genfs) + assert ["test2a", "test2b"] == genfs - def test_010_path_exact(self): + def test_path_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with exact path match""" - q = GenfsconQuery(self.p, path="/sys", path_regex=False) + q = setools.GenfsconQuery(compiled_policy, path="/sys", path_regex=False) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test10"], genfs) + assert ["test10"] == genfs - def test_011_path_regex(self): + def test_path_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with regex path match""" - q = GenfsconQuery(self.p, path="/(spam|eggs)", path_regex=True) + q = setools.GenfsconQuery(compiled_policy, path="/(spam|eggs)", path_regex=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test11a", "test11b"], genfs) + assert ["test11a", "test11b"] == genfs - def test_020_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context user exact match""" - q = GenfsconQuery(self.p, user="user20", user_regex=False) + q = setools.GenfsconQuery(compiled_policy, user="user20", user_regex=False) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test20"], genfs) + assert ["test20"] == genfs - def test_021_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context user regex match""" - q = GenfsconQuery(self.p, user="user21(a|b)", user_regex=True) + q = setools.GenfsconQuery(compiled_policy, user="user21(a|b)", user_regex=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test21a", "test21b"], genfs) + assert ["test21a", "test21b"] == genfs - def test_030_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context role exact match""" - q = GenfsconQuery(self.p, role="role30_r", role_regex=False) + q = setools.GenfsconQuery(compiled_policy, role="role30_r", role_regex=False) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test30"], genfs) + assert ["test30"] == genfs - def test_031_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context role regex match""" - q = GenfsconQuery(self.p, role="role31(a|c)_r", role_regex=True) + q = setools.GenfsconQuery(compiled_policy, role="role31(a|c)_r", role_regex=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test31a", "test31c"], genfs) + assert ["test31a", "test31c"] == genfs - def test_040_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context type exact match""" - q = GenfsconQuery(self.p, type_="type40", type_regex=False) + q = setools.GenfsconQuery(compiled_policy, type_="type40", type_regex=False) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test40"], genfs) + assert ["test40"] == genfs - def test_041_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context type regex match""" - q = GenfsconQuery(self.p, type_="type41(b|c)", type_regex=True) + q = setools.GenfsconQuery(compiled_policy, type_="type41(b|c)", type_regex=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test41b", "test41c"], genfs) + assert ["test41b", "test41c"] == genfs - def test_050_file_type(self): + def test_file_type(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with file type match""" - q = GenfsconQuery(self.p, filetype=stat.S_IFBLK) + q = setools.GenfsconQuery(compiled_policy, filetype=stat.S_IFBLK) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test50b"], genfs) + assert ["test50b"] == genfs - def test_060_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range exact match""" - q = GenfsconQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.GenfsconQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test60"], genfs) + assert ["test60"] == genfs - def test_061_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range overlap match (equal)""" - q = GenfsconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.GenfsconQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", range_overlap=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test61"], genfs) + assert ["test61"] == genfs - def test_061_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range overlap match (subset)""" - q = GenfsconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.GenfsconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", + range_overlap=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test61"], genfs) + assert ["test61"] == genfs - def test_061_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range overlap match (superset)""" - q = GenfsconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.GenfsconQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test61"], genfs) + assert ["test61"] == genfs - def test_061_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range overlap match (overlap low level)""" - q = GenfsconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.GenfsconQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test61"], genfs) + assert ["test61"] == genfs - def test_061_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range overlap match (overlap high level)""" - q = GenfsconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.GenfsconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", + range_overlap=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test61"], genfs) + assert ["test61"] == genfs - def test_062_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range subset match""" - q = GenfsconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.GenfsconQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", + range_overlap=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test62"], genfs) + assert ["test62"] == genfs - def test_062_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range subset match (equal)""" - q = GenfsconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.GenfsconQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", range_overlap=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test62"], genfs) + assert ["test62"] == genfs - def test_063_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range superset match""" - q = GenfsconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.GenfsconQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test63"], genfs) + assert ["test63"] == genfs - def test_063_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range superset match (equal)""" - q = GenfsconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.GenfsconQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", range_superset=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test63"], genfs) + assert ["test63"] == genfs - def test_064_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range proper subset match""" - q = GenfsconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.GenfsconQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test64"], genfs) + assert ["test64"] == genfs - def test_064_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range proper subset match (equal)""" - q = GenfsconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.GenfsconQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", range_subset=True, + range_proper=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual([], genfs) + assert [] == genfs - def test_064_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range proper subset match (equal low only)""" - q = GenfsconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.GenfsconQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", range_subset=True, + range_proper=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test64"], genfs) + assert ["test64"] == genfs - def test_064_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range proper subset match (equal high only)""" - q = GenfsconQuery(self.p, - range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.GenfsconQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, + range_proper=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test64"], genfs) + assert ["test64"] == genfs - def test_065_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range proper superset match""" - q = GenfsconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.GenfsconQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test65"], genfs) + assert ["test65"] == genfs - def test_065_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range proper superset match (equal)""" - q = GenfsconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.GenfsconQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", range_superset=True, + range_proper=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual([], genfs) + assert [] == genfs - def test_065_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range proper superset match (equal low)""" - q = GenfsconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + q = setools.GenfsconQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", range_superset=True, + range_proper=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test65"], genfs) + assert ["test65"] == genfs - def test_065_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Genfscon query with context range proper superset match (equal high)""" - q = GenfsconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.GenfsconQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) genfs = sorted(s.fs for s in q.results()) - self.assertListEqual(["test65"], genfs) + assert ["test65"] == genfs From 17a968196ca19c94a04b4030d2eb15a7e2900c74 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:28:43 -0400 Subject: [PATCH 47/71] TestIbendportconQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_ibendportconquery.py | 210 ++++++++++++------------ 1 file changed, 103 insertions(+), 107 deletions(-) diff --git a/tests/library/test_ibendportconquery.py b/tests/library/test_ibendportconquery.py index 0ec282dc..6441e82e 100644 --- a/tests/library/test_ibendportconquery.py +++ b/tests/library/test_ibendportconquery.py @@ -2,226 +2,222 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import IbendportconQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/ibendportconquery.conf") +class TestIbendportconQuery: - -class IbendportconQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/ibendportconquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with no criteria""" # query with no parameters gets all ibendportcons. - ibendportcons = sorted(self.p.ibendportcons()) + ibendportcons = sorted(compiled_policy.ibendportcons()) - q = IbendportconQuery(self.p) + q = setools.IbendportconQuery(compiled_policy) q_ibendportcons = sorted(q.results()) - self.assertListEqual(ibendportcons, q_ibendportcons) + assert ibendportcons == q_ibendportcons - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with exact name match.""" - q = IbendportconQuery(self.p, name="test1", name_regex=False) + q = setools.IbendportconQuery(compiled_policy, name="test1", name_regex=False) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test1"], ibendportcons) + assert ["test1"] == ibendportcons - def test_002_name_regext(self): + def test_name_regext(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with regex name match.""" - q = IbendportconQuery(self.p, name="test2(a|b)", name_regex=True) + q = setools.IbendportconQuery(compiled_policy, name="test2(a|b)", name_regex=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test2a", "test2b"], ibendportcons) + assert ["test2a", "test2b"] == ibendportcons - def test_010_port(self): + def test_port(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with port match.""" - q = IbendportconQuery(self.p, port=10) + q = setools.IbendportconQuery(compiled_policy, port=10) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test10"], ibendportcons) + assert ["test10"] == ibendportcons - def test_020_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context user exact match""" - q = IbendportconQuery(self.p, user="user20", user_regex=False) + q = setools.IbendportconQuery(compiled_policy, user="user20", user_regex=False) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test20"], ibendportcons) + assert ["test20"] == ibendportcons - def test_021_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context user regex match""" - q = IbendportconQuery(self.p, user="user21(a|b)", user_regex=True) + q = setools.IbendportconQuery(compiled_policy, user="user21(a|b)", user_regex=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test21a", "test21b"], ibendportcons) + assert ["test21a", "test21b"] == ibendportcons - def test_030_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context role exact match""" - q = IbendportconQuery(self.p, role="role30_r", role_regex=False) + q = setools.IbendportconQuery(compiled_policy, role="role30_r", role_regex=False) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test30"], ibendportcons) + assert ["test30"] == ibendportcons - def test_031_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context role regex match""" - q = IbendportconQuery(self.p, role="role31(a|c)_r", role_regex=True) + q = setools.IbendportconQuery(compiled_policy, role="role31(a|c)_r", role_regex=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test31a", "test31c"], ibendportcons) + assert ["test31a", "test31c"] == ibendportcons - def test_040_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context type exact match""" - q = IbendportconQuery(self.p, type_="type40", type_regex=False) + q = setools.IbendportconQuery(compiled_policy, type_="type40", type_regex=False) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test40"], ibendportcons) + assert ["test40"] == ibendportcons - def test_041_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context type regex match""" - q = IbendportconQuery(self.p, type_="type41(b|c)", type_regex=True) + q = setools.IbendportconQuery(compiled_policy, type_="type41(b|c)", type_regex=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test41b", "test41c"], ibendportcons) + assert ["test41b", "test41c"] == ibendportcons - def test_050_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range exact match""" - q = IbendportconQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.IbendportconQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test50"], ibendportcons) + assert ["test50"] == ibendportcons - def test_051_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range overlap match (equal)""" - q = IbendportconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.IbendportconQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", + range_overlap=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test51"], ibendportcons) + assert ["test51"] == ibendportcons - def test_051_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range overlap match (subset)""" - q = IbendportconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.IbendportconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", + range_overlap=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test51"], ibendportcons) + assert ["test51"] == ibendportcons - def test_051_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range overlap match (superset)""" - q = IbendportconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.IbendportconQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test51"], ibendportcons) + assert ["test51"] == ibendportcons - def test_051_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range overlap match (overlap low level)""" - q = IbendportconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.IbendportconQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test51"], ibendportcons) + assert ["test51"] == ibendportcons - def test_051_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range overlap match (overlap high level)""" - q = IbendportconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.IbendportconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", + range_overlap=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test51"], ibendportcons) + assert ["test51"] == ibendportcons - def test_052_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range subset match""" - q = IbendportconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.IbendportconQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", + range_overlap=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test52"], ibendportcons) + assert ["test52"] == ibendportcons - def test_052_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range subset match (equal)""" - q = IbendportconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.IbendportconQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", + range_overlap=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test52"], ibendportcons) + assert ["test52"] == ibendportcons - def test_053_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range superset match""" - q = IbendportconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.IbendportconQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test53"], ibendportcons) + assert ["test53"] == ibendportcons - def test_053_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range superset match (equal)""" - q = IbendportconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.IbendportconQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", + range_superset=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test53"], ibendportcons) + assert ["test53"] == ibendportcons - def test_054_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range proper subset match""" - q = IbendportconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.IbendportconQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test54"], ibendportcons) + assert ["test54"] == ibendportcons - def test_054_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range proper subset match (equal)""" - q = IbendportconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, - range_proper=True) + q = setools.IbendportconQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", + range_subset=True, range_proper=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual([], ibendportcons) + assert [] == ibendportcons - def test_054_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range proper subset match (equal low only)""" - q = IbendportconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, - range_proper=True) + q = setools.IbendportconQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", + range_subset=True, range_proper=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test54"], ibendportcons) + assert ["test54"] == ibendportcons - def test_054_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range proper subset match (equal high only)""" - q = IbendportconQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, - range_proper=True) + q = setools.IbendportconQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", + range_subset=True, range_proper=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test54"], ibendportcons) + assert ["test54"] == ibendportcons - def test_055_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range proper superset match""" - q = IbendportconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, - range_proper=True) + q = setools.IbendportconQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test55"], ibendportcons) + assert ["test55"] == ibendportcons - def test_055_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range proper superset match (equal)""" - q = IbendportconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, - range_proper=True) + q = setools.IbendportconQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", + range_superset=True, range_proper=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual([], ibendportcons) + assert [] == ibendportcons - def test_055_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range proper superset match (equal low)""" - q = IbendportconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, - range_proper=True) + q = setools.IbendportconQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", + range_superset=True, range_proper=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test55"], ibendportcons) + assert ["test55"] == ibendportcons - def test_055_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibendportcon query with context range proper superset match (equal high)""" - q = IbendportconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, - range_proper=True) + q = setools.IbendportconQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) ibendportcons = sorted(n.name for n in q.results()) - self.assertListEqual(["test55"], ibendportcons) + assert ["test55"] == ibendportcons From 09546cb83291c4d8a4feb15d110fb7a1b07436b5 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:30:46 -0400 Subject: [PATCH 48/71] TestIbpkeyconQuery: Update tests to pytest fixtures. Fix IbpkeyconRange typing stub to include rich comparisons. Signed-off-by: Chris PeBenito --- setools/policyrep.pyi | 2 +- tests/library/test_ibpkeyconquery.py | 270 +++++++++++++-------------- 2 files changed, 134 insertions(+), 138 deletions(-) diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index ef950308..a04a2c80 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -239,7 +239,7 @@ class Ibpkeycon(Ocontext): pkeys: "IbpkeyconRange" = ... subnet_prefix: ipaddress.IPv6Address = ... -@dataclass +@dataclass(eq=True, order=True, frozen=True) class IbpkeyconRange: high: int = ... low: int = ... diff --git a/tests/library/test_ibpkeyconquery.py b/tests/library/test_ibpkeyconquery.py index 308e5168..7d9e6d7e 100644 --- a/tests/library/test_ibpkeyconquery.py +++ b/tests/library/test_ibpkeyconquery.py @@ -2,272 +2,268 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import IbpkeyconQuery, IbpkeyconRange -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/ibpkeyconquery.conf") +class TestIbpkeyconQuery: - -class IbpkeyconQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/ibpkeyconquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with no criteria""" # query with no parameters gets all ibpkeycons. - ibpkeycons = sorted(self.p.ibpkeycons()) + ibpkeycons = sorted(compiled_policy.ibpkeycons()) - q = IbpkeyconQuery(self.p) + q = setools.IbpkeyconQuery(compiled_policy) q_ibpkeycons = sorted(q.results()) - self.assertListEqual(ibpkeycons, q_ibpkeycons) + assert ibpkeycons == q_ibpkeycons - def test_001_subnet_mask(self): + def test_subnet_mask(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibpkeycon query with subnet mask match.""" - q = IbpkeyconQuery(self.p, subnet_prefix="fe81::") + q = setools.IbpkeyconQuery(compiled_policy, subnet_prefix="fe81::") ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(1, 1)], ibpkeycons) + assert [setools.IbpkeyconRange(1, 1)] == ibpkeycons - def test_010_pkey_exact(self): + def test_pkey_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibpkeycon query with exact pkey match.""" - q = IbpkeyconQuery(self.p, pkeys=(0x10c, 0x10e)) + q = setools.IbpkeyconQuery(compiled_policy, pkeys=(0x10c, 0x10e)) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(0x10c, 0x10e)], ibpkeycons) + assert [setools.IbpkeyconRange(0x10c, 0x10e)] == ibpkeycons - def test_020_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context user exact match""" - q = IbpkeyconQuery(self.p, user="user20", user_regex=False) + q = setools.IbpkeyconQuery(compiled_policy, user="user20", user_regex=False) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(20, 20)], ibpkeycons) + assert [setools.IbpkeyconRange(20, 20)] == ibpkeycons - def test_021_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context user regex match""" - q = IbpkeyconQuery(self.p, user="user21(a|b)", user_regex=True) + q = setools.IbpkeyconQuery(compiled_policy, user="user21(a|b)", user_regex=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(0x21a, 0x21a), - IbpkeyconRange(0x21b, 0x21b)], ibpkeycons) + assert [setools.IbpkeyconRange(0x21a, 0x21a), + setools.IbpkeyconRange(0x21b, 0x21b)] == ibpkeycons - def test_030_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context role exact match""" - q = IbpkeyconQuery(self.p, role="role30_r", role_regex=False) + q = setools.IbpkeyconQuery(compiled_policy, role="role30_r", role_regex=False) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(30, 30)], ibpkeycons) + assert [setools.IbpkeyconRange(30, 30)] == ibpkeycons - def test_031_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context role regex match""" - q = IbpkeyconQuery(self.p, role="role31(a|c)_r", role_regex=True) + q = setools.IbpkeyconQuery(compiled_policy, role="role31(a|c)_r", role_regex=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(0x31a, 0x31a), - IbpkeyconRange(0x31c, 0x31c)], ibpkeycons) + assert [setools.IbpkeyconRange(0x31a, 0x31a), + setools.IbpkeyconRange(0x31c, 0x31c)] == ibpkeycons - def test_040_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context type exact match""" - q = IbpkeyconQuery(self.p, type_="type40", type_regex=False) + q = setools.IbpkeyconQuery(compiled_policy, type_="type40", type_regex=False) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(40, 40)], ibpkeycons) + assert [setools.IbpkeyconRange(40, 40)] == ibpkeycons - def test_041_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context type regex match""" - q = IbpkeyconQuery(self.p, type_="type41(b|c)", type_regex=True) + q = setools.IbpkeyconQuery(compiled_policy, type_="type41(b|c)", type_regex=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(0x41b, 0x41b), - IbpkeyconRange(0x41c, 0x41c)], ibpkeycons) + assert [setools.IbpkeyconRange(0x41b, 0x41b), + setools.IbpkeyconRange(0x41c, 0x41c)] == ibpkeycons - def test_050_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range exact match""" - q = IbpkeyconQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.IbpkeyconQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(50, 50)], ibpkeycons) + assert [setools.IbpkeyconRange(50, 50)] == ibpkeycons - def test_051_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range overlap match (equal)""" - q = IbpkeyconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", range_overlap=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(51, 51)], ibpkeycons) + assert [setools.IbpkeyconRange(51, 51)] == ibpkeycons - def test_051_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range overlap match (subset)""" - q = IbpkeyconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", + range_overlap=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(51, 51)], ibpkeycons) + assert [setools.IbpkeyconRange(51, 51)] == ibpkeycons - def test_051_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range overlap match (superset)""" - q = IbpkeyconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(51, 51)], ibpkeycons) + assert [setools.IbpkeyconRange(51, 51)] == ibpkeycons - def test_051_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range overlap match (overlap low level)""" - q = IbpkeyconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(51, 51)], ibpkeycons) + assert [setools.IbpkeyconRange(51, 51)] == ibpkeycons - def test_051_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range overlap match (overlap high level)""" - q = IbpkeyconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", + range_overlap=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(51, 51)], ibpkeycons) + assert [setools.IbpkeyconRange(51, 51)] == ibpkeycons - def test_052_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range subset match""" - q = IbpkeyconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", + range_overlap=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(52, 52)], ibpkeycons) + assert [setools.IbpkeyconRange(52, 52)] == ibpkeycons - def test_052_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range subset match (equal)""" - q = IbpkeyconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", range_overlap=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(52, 52)], ibpkeycons) + assert [setools.IbpkeyconRange(52, 52)] == ibpkeycons - def test_053_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range superset match""" - q = IbpkeyconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(53, 53)], ibpkeycons) + assert [setools.IbpkeyconRange(53, 53)] == ibpkeycons - def test_053_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range superset match (equal)""" - q = IbpkeyconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", range_superset=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(53, 53)], ibpkeycons) + assert [setools.IbpkeyconRange(53, 53)] == ibpkeycons - def test_054_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range proper subset match""" - q = IbpkeyconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(54, 54)], ibpkeycons) + assert [setools.IbpkeyconRange(54, 54)] == ibpkeycons - def test_054_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range proper subset match (equal)""" - q = IbpkeyconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", range_subset=True, + range_proper=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([], ibpkeycons) + assert [] == ibpkeycons - def test_054_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range proper subset match (equal low only)""" - q = IbpkeyconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", range_subset=True, + range_proper=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(54, 54)], ibpkeycons) + assert [setools.IbpkeyconRange(54, 54)] == ibpkeycons - def test_054_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range proper subset match (equal high only)""" - q = IbpkeyconQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, - range_proper=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", + range_subset=True, range_proper=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(54, 54)], ibpkeycons) + assert [setools.IbpkeyconRange(54, 54)] == ibpkeycons - def test_055_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range proper superset match""" - q = IbpkeyconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(55, 55)], ibpkeycons) + assert [setools.IbpkeyconRange(55, 55)] == ibpkeycons - def test_055_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range proper superset match (equal)""" - q = IbpkeyconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, - range_proper=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", range_superset=True, + range_proper=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([], ibpkeycons) + assert [] == ibpkeycons - def test_055_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range proper superset match (equal low)""" - q = IbpkeyconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, - range_proper=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", range_superset=True, + range_proper=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(55, 55)], ibpkeycons) + assert [setools.IbpkeyconRange(55, 55)] == ibpkeycons - def test_055_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """ibpkeycon query with context range proper superset match (equal high)""" - q = IbpkeyconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, - range_proper=True) + q = setools.IbpkeyconQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) ibpkeycons = sorted(n.pkeys for n in q.results()) - self.assertListEqual([IbpkeyconRange(55, 55)], ibpkeycons) + assert [setools.IbpkeyconRange(55, 55)] == ibpkeycons - def test_900_invalid_subnet_prefix(self): + def test_invalid_subnet_prefix(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibpkeycon query with invalid subnet prefix""" - with self.assertRaises(ValueError): - IbpkeyconQuery(self.p, subnet_prefix="INVALID") + with pytest.raises(ValueError): + setools.IbpkeyconQuery(compiled_policy, subnet_prefix="INVALID") - def test_910_invalid_pkey_negative(self): + def test_invalid_pkey_negative(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibpkeycon query with negative pkey""" - with self.assertRaises(ValueError): - IbpkeyconQuery(self.p, pkeys=(-1, -1)) + with pytest.raises(ValueError): + setools.IbpkeyconQuery(compiled_policy, pkeys=(-1, -1)) - with self.assertRaises(ValueError): - IbpkeyconQuery(self.p, pkeys=(1, -1)) + with pytest.raises(ValueError): + setools.IbpkeyconQuery(compiled_policy, pkeys=(1, -1)) - with self.assertRaises(ValueError): - IbpkeyconQuery(self.p, pkeys=(-1, 1)) + with pytest.raises(ValueError): + setools.IbpkeyconQuery(compiled_policy, pkeys=(-1, 1)) - def test_911_invalid_pkey_zero(self): + def test_invalid_pkey_zero(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibpkeycon query with 0 pkey""" - with self.assertRaises(ValueError): - IbpkeyconQuery(self.p, pkeys=(0, 0)) + with pytest.raises(ValueError): + setools.IbpkeyconQuery(compiled_policy, pkeys=(0, 0)) - def test_912_invalid_pkey_over_max(self): + def test_invalid_pkey_over_max(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibpkeycon query with pkey over maximum value""" - with self.assertRaises(ValueError): - IbpkeyconQuery(self.p, pkeys=(1, 0xfffff)) + with pytest.raises(ValueError): + setools.IbpkeyconQuery(compiled_policy, pkeys=(1, 0xfffff)) - with self.assertRaises(ValueError): - IbpkeyconQuery(self.p, pkeys=(0xfffff, 1)) + with pytest.raises(ValueError): + setools.IbpkeyconQuery(compiled_policy, pkeys=(0xfffff, 1)) - with self.assertRaises(ValueError): - IbpkeyconQuery(self.p, pkeys=(0xfffff, 0xfffff)) + with pytest.raises(ValueError): + setools.IbpkeyconQuery(compiled_policy, pkeys=(0xfffff, 0xfffff)) - def test_913_invalid_pkey_not_a_number(self): + def test_invalid_pkey_not_a_number(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibpkeycon query with pkey is not a number""" - with self.assertRaises(TypeError): - IbpkeyconQuery(self.p, pkeys=(1, "INVALID")) + with pytest.raises(TypeError): + setools.IbpkeyconQuery(compiled_policy, pkeys=(1, "INVALID")) - with self.assertRaises(TypeError): - IbpkeyconQuery(self.p, pkeys=("INVALID", 2)) + with pytest.raises(TypeError): + setools.IbpkeyconQuery(compiled_policy, pkeys=("INVALID", 2)) - def test_914_invalid_pkey_not_tuple(self): + def test_invalid_pkey_not_tuple(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibpkeycon query with pkey is not a tuple""" - with self.assertRaises(TypeError): - IbpkeyconQuery(self.p, pkeys=1) + with pytest.raises(TypeError): + setools.IbpkeyconQuery(compiled_policy, pkeys=1) - def test_915_invalid_pkey_wrong_tuple_length(self): + def test_invalid_pkey_wrong_tuple_length(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ibpkeycon query with pkey is not correct tuple size""" - with self.assertRaises(TypeError): - IbpkeyconQuery(self.p, pkeys=(1,)) + with pytest.raises(TypeError): + setools.IbpkeyconQuery(compiled_policy, pkeys=(1,)) - with self.assertRaises(TypeError): - IbpkeyconQuery(self.p, pkeys=(1, 2, 3)) + with pytest.raises(TypeError): + setools.IbpkeyconQuery(compiled_policy, pkeys=(1, 2, 3)) From 1b156fe9cf07d795a9bf74c2c9ef9a11b2c18618 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:31:45 -0400 Subject: [PATCH 49/71] TestInfoFlowAnalysis: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_infoflow.py | 608 ++++++++++++++++----------------- 1 file changed, 303 insertions(+), 305 deletions(-) diff --git a/tests/library/test_infoflow.py b/tests/library/test_infoflow.py index d6ed4539..c418c8fd 100644 --- a/tests/library/test_infoflow.py +++ b/tests/library/test_infoflow.py @@ -2,17 +2,14 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import collections +import typing -from setools import InfoFlowAnalysis +import pytest +import setools from setools import TERuletype as TERT -from setools.exception import InvalidType -from setools.permmap import PermissionMap -from setools.policyrep import Type from . import mixins -from .policyrep.util import compile_policy # Note: the testing for having correct rules on every edge is only @@ -20,403 +17,404 @@ # Digraph.subgraph() function correctly copies the edge attributes into # the subgraph. +@pytest.fixture +def analysis(compiled_policy: setools.SELinuxPolicy) -> setools.InfoFlowAnalysis: + perm_map = setools.PermissionMap("tests/library/perm_map") + ret = setools.InfoFlowAnalysis(compiled_policy, perm_map) + ret._build_graph() + return ret -class InfoFlowAnalysisTest(mixins.ValidateRule, unittest.TestCase): - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/infoflow.conf") - cls.m = PermissionMap("tests/library/perm_map") - cls.a = InfoFlowAnalysis(cls.p, cls.m) +@pytest.mark.obj_args("tests/library/infoflow.conf") +class TestInfoFlowAnalysis(mixins.ValidateRule): - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_001_full_graph(self): + def test_full_graph(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis full graph.""" - self.a._build_graph() - - disconnected1 = self.p.lookup_type("disconnected1") - disconnected2 = self.p.lookup_type("disconnected2") - node1 = self.p.lookup_type("node1") - node2 = self.p.lookup_type("node2") - node3 = self.p.lookup_type("node3") - node4 = self.p.lookup_type("node4") - node5 = self.p.lookup_type("node5") - node6 = self.p.lookup_type("node6") - node7 = self.p.lookup_type("node7") - node8 = self.p.lookup_type("node8") - node9 = self.p.lookup_type("node9") - - nodes = set(self.a.G.nodes()) - self.assertSetEqual(set([disconnected1, disconnected2, node1, - node2, node3, node4, node5, - node6, node7, node8, node9]), nodes) - - edges = set(self.a.G.out_edges()) - self.assertSetEqual(set([(disconnected1, disconnected2), - (disconnected2, disconnected1), - (node1, node2), - (node1, node3), - (node2, node4), - (node3, node5), - (node4, node6), - (node5, node8), - (node6, node5), - (node6, node7), - (node8, node9), - (node9, node8)]), edges) - - r = self.a.G.edges[disconnected1, disconnected2]["rules"] - self.assertEqual(len(r), 1) + disconnected1 = analysis.policy.lookup_type("disconnected1") + disconnected2 = analysis.policy.lookup_type("disconnected2") + node1 = analysis.policy.lookup_type("node1") + node2 = analysis.policy.lookup_type("node2") + node3 = analysis.policy.lookup_type("node3") + node4 = analysis.policy.lookup_type("node4") + node5 = analysis.policy.lookup_type("node5") + node6 = analysis.policy.lookup_type("node6") + node7 = analysis.policy.lookup_type("node7") + node8 = analysis.policy.lookup_type("node8") + node9 = analysis.policy.lookup_type("node9") + + nodes = set(analysis.G.nodes()) + assert set([disconnected1, disconnected2, node1, node2, node3, node4, node5, node6, node7, + node8, node9]) == nodes + + edges = set(analysis.G.out_edges()) + assert set([(disconnected1, disconnected2), + (disconnected2, disconnected1), + (node1, node2), + (node1, node3), + (node2, node4), + (node3, node5), + (node4, node6), + (node5, node8), + (node6, node5), + (node6, node7), + (node8, node9), + (node9, node8)]) == edges + + r = analysis.G.edges[disconnected1, disconnected2]["rules"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", "infoflow2", set(["super"])) - r = self.a.G.edges[disconnected2, disconnected1]["rules"] - self.assertEqual(len(r), 1) + r = analysis.G.edges[disconnected2, disconnected1]["rules"] + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", "infoflow2", set(["super"])) - r = sorted(self.a.G.edges[node1, node2]["rules"]) - self.assertEqual(len(r), 2) + r = sorted(analysis.G.edges[node1, node2]["rules"]) + assert len(r) == 2 self.validate_rule(r[0], TERT.allow, "node1", "node2", "infoflow", set(["med_w"])) self.validate_rule(r[1], TERT.allow, "node2", "node1", "infoflow", set(["hi_r"])) - r = sorted(self.a.G.edges[node1, node3]["rules"]) - self.assertEqual(len(r), 1) + r = sorted(analysis.G.edges[node1, node3]["rules"]) + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, "node3", "node1", "infoflow", set(["low_r", "med_r"])) - r = sorted(self.a.G.edges[node2, node4]["rules"]) - self.assertEqual(len(r), 1) + r = sorted(analysis.G.edges[node2, node4]["rules"]) + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, "node2", "node4", "infoflow", set(["hi_w"])) - r = sorted(self.a.G.edges[node3, node5]["rules"]) - self.assertEqual(len(r), 1) + r = sorted(analysis.G.edges[node3, node5]["rules"]) + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, "node5", "node3", "infoflow", set(["low_r"])) - r = sorted(self.a.G.edges[node4, node6]["rules"]) - self.assertEqual(len(r), 1) + r = sorted(analysis.G.edges[node4, node6]["rules"]) + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, "node4", "node6", "infoflow2", set(["hi_w"])) - r = sorted(self.a.G.edges[node5, node8]["rules"]) - self.assertEqual(len(r), 1) + r = sorted(analysis.G.edges[node5, node8]["rules"]) + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, "node5", "node8", "infoflow2", set(["hi_w"])) - r = sorted(self.a.G.edges[node6, node5]["rules"]) - self.assertEqual(len(r), 1) + r = sorted(analysis.G.edges[node6, node5]["rules"]) + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, "node5", "node6", "infoflow", set(["med_r"])) - r = sorted(self.a.G.edges[node6, node7]["rules"]) - self.assertEqual(len(r), 1) + r = sorted(analysis.G.edges[node6, node7]["rules"]) + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, "node6", "node7", "infoflow", set(["hi_w"])) - r = sorted(self.a.G.edges[node8, node9]["rules"]) - self.assertEqual(len(r), 1) + r = sorted(analysis.G.edges[node8, node9]["rules"]) + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, "node8", "node9", "infoflow2", set(["super"])) - r = sorted(self.a.G.edges[node9, node8]["rules"]) - self.assertEqual(len(r), 1) + r = sorted(analysis.G.edges[node9, node8]["rules"]) + assert len(r) == 1 self.validate_rule(r[0], TERT.allow, "node8", "node9", "infoflow2", set(["super"])) - def test_100_minimum_3(self): + def test_minimum_3(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis with minimum weight 3.""" - self.a.exclude = None - self.a.min_weight = 3 - self.a._build_subgraph() - - disconnected1 = self.p.lookup_type("disconnected1") - disconnected2 = self.p.lookup_type("disconnected2") - node1 = self.p.lookup_type("node1") - node2 = self.p.lookup_type("node2") - node3 = self.p.lookup_type("node3") - node4 = self.p.lookup_type("node4") - node5 = self.p.lookup_type("node5") - node6 = self.p.lookup_type("node6") - node7 = self.p.lookup_type("node7") - node8 = self.p.lookup_type("node8") - node9 = self.p.lookup_type("node9") + analysis.exclude = [] + analysis.min_weight = 3 + analysis._build_subgraph() + + disconnected1 = analysis.policy.lookup_type("disconnected1") + disconnected2 = analysis.policy.lookup_type("disconnected2") + node1 = analysis.policy.lookup_type("node1") + node2 = analysis.policy.lookup_type("node2") + node3 = analysis.policy.lookup_type("node3") + node4 = analysis.policy.lookup_type("node4") + node5 = analysis.policy.lookup_type("node5") + node6 = analysis.policy.lookup_type("node6") + node7 = analysis.policy.lookup_type("node7") + node8 = analysis.policy.lookup_type("node8") + node9 = analysis.policy.lookup_type("node9") # don't test nodes list, as disconnected nodes # are not removed by subgraph generation. we # assume NetworkX copies into the subgraph # correctly. - edges = set(self.a.subG.out_edges()) - self.assertSetEqual(set([(disconnected1, disconnected2), - (disconnected2, disconnected1), - (node1, node2), - (node1, node3), - (node2, node4), - (node4, node6), - (node5, node8), - (node6, node5), - (node6, node7), - (node8, node9), - (node9, node8)]), edges) - - def test_200_minimum_8(self): + edges = set(analysis.subG.out_edges()) + assert set([(disconnected1, disconnected2), + (disconnected2, disconnected1), + (node1, node2), + (node1, node3), + (node2, node4), + (node4, node6), + (node5, node8), + (node6, node5), + (node6, node7), + (node8, node9), + (node9, node8)]) == edges + + def test_minimum_8(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis with minimum weight 8.""" - self.a.exclude = None - self.a.min_weight = 8 - self.a._build_subgraph() - - disconnected1 = self.p.lookup_type("disconnected1") - disconnected2 = self.p.lookup_type("disconnected2") - node1 = self.p.lookup_type("node1") - node2 = self.p.lookup_type("node2") - node4 = self.p.lookup_type("node4") - node5 = self.p.lookup_type("node5") - node6 = self.p.lookup_type("node6") - node7 = self.p.lookup_type("node7") - node8 = self.p.lookup_type("node8") - node9 = self.p.lookup_type("node9") + analysis.exclude = [] + analysis.min_weight = 8 + analysis._build_subgraph() + + disconnected1 = analysis.policy.lookup_type("disconnected1") + disconnected2 = analysis.policy.lookup_type("disconnected2") + node1 = analysis.policy.lookup_type("node1") + node2 = analysis.policy.lookup_type("node2") + node4 = analysis.policy.lookup_type("node4") + node5 = analysis.policy.lookup_type("node5") + node6 = analysis.policy.lookup_type("node6") + node7 = analysis.policy.lookup_type("node7") + node8 = analysis.policy.lookup_type("node8") + node9 = analysis.policy.lookup_type("node9") # don't test nodes list, as disconnected nodes # are not removed by subgraph generation. we # assume NetworkX copies into the subgraph # correctly. - edges = set(self.a.subG.out_edges()) - self.assertSetEqual(set([(disconnected1, disconnected2), - (disconnected2, disconnected1), - (node1, node2), - (node2, node4), - (node4, node6), - (node5, node8), - (node6, node7), - (node8, node9), - (node9, node8)]), edges) - - def test_300_all_paths(self): + edges = set(analysis.subG.out_edges()) + assert set([(disconnected1, disconnected2), + (disconnected2, disconnected1), + (node1, node2), + (node2, node4), + (node4, node6), + (node5, node8), + (node6, node7), + (node8, node9), + (node9, node8)]) == edges + + def test_all_paths(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: all paths output""" - self.a.exclude = None - self.a.min_weight = 1 - self.a.source = "node1" - self.a.target = "node4" - self.a.mode = InfoFlowAnalysis.Mode.AllPaths - self.a.depth_limit = 3 + analysis.exclude = [] + analysis.min_weight = 1 + analysis.source = "node1" + analysis.target = "node4" + analysis.mode = setools.InfoFlowAnalysis.Mode.AllPaths + analysis.depth_limit = 3 - paths = list(self.a.results()) - self.assertEqual(1, len(paths)) + paths = list(typing.cast(collections.abc.Iterable[setools.InfoFlowPath], + analysis.results())) + assert 1 == len(paths) steps = list(paths[0]) - self.assertEqual(2, len(steps)) + assert 2 == len(steps) step = steps[0] - self.assertIsInstance(step.source, Type) - self.assertIsInstance(step.target, Type) - self.assertEqual(step.source, "node1") - self.assertEqual(step.target, "node2") + assert isinstance(step.source, setools.Type) + assert isinstance(step.target, setools.Type) + assert step.source == "node1" + assert step.target == "node2" for r in steps[0].rules: - self.assertEqual(TERT.allow, r.ruletype) + assert TERT.allow == r.ruletype step = steps[1] - self.assertIsInstance(step.source, Type) - self.assertIsInstance(step.target, Type) - self.assertEqual(step.source, "node2") - self.assertEqual(step.target, "node4") + assert isinstance(step.source, setools.Type) + assert isinstance(step.target, setools.Type) + assert step.source == "node2" + assert step.target == "node4" for r in step.rules: - self.assertEqual(TERT.allow, r.ruletype) + assert TERT.allow == r.ruletype - def test_301_all_shortest_paths(self): + def test_all_shortest_paths(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: all shortest paths output""" - self.a.exclude = None - self.a.min_weight = 1 - self.a.source = "node1" - self.a.target = "node4" - self.a.mode = InfoFlowAnalysis.Mode.ShortestPaths + analysis.exclude = [] + analysis.min_weight = 1 + analysis.source = "node1" + analysis.target = "node4" + analysis.mode = setools.InfoFlowAnalysis.Mode.ShortestPaths - paths = list(self.a.results()) - self.assertEqual(1, len(paths)) + paths = list(typing.cast(collections.abc.Iterable[setools.InfoFlowPath], + analysis.results())) + assert 1 == len(paths) steps = list(paths[0]) - self.assertEqual(2, len(steps)) + assert 2 == len(steps) step = steps[0] - self.assertIsInstance(step.source, Type) - self.assertIsInstance(step.target, Type) - self.assertEqual(step.source, "node1") - self.assertEqual(step.target, "node2") + assert isinstance(step.source, setools.Type) + assert isinstance(step.target, setools.Type) + assert step.source == "node1" + assert step.target == "node2" for r in steps[0].rules: - self.assertEqual(TERT.allow, r.ruletype) + assert TERT.allow == r.ruletype step = steps[1] - self.assertIsInstance(step.source, Type) - self.assertIsInstance(step.target, Type) - self.assertEqual(step.source, "node2") - self.assertEqual(step.target, "node4") + assert isinstance(step.source, setools.Type) + assert isinstance(step.target, setools.Type) + assert step.source == "node2" + assert step.target == "node4" for r in step.rules: - self.assertEqual(TERT.allow, r.ruletype) + assert TERT.allow == r.ruletype - def test_303_infoflows_out(self): + def test_infoflows_out(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: flows out of a type""" - self.a.exclude = None - self.a.min_weight = 1 - self.a.mode = InfoFlowAnalysis.Mode.FlowsOut - self.a.depth_limit = 1 - self.a.source = "node6" - - for flow in self.a.results(): - self.assertIsInstance(flow.source, Type) - self.assertIsInstance(flow.target, Type) - self.assertEqual(flow.source, "node6") + analysis.exclude = [] + analysis.min_weight = 1 + analysis.mode = setools.InfoFlowAnalysis.Mode.FlowsOut + analysis.depth_limit = 1 + analysis.source = "node6" + + for flow in analysis.results(): + assert isinstance(flow, setools.InfoFlowStep) + assert isinstance(flow.source, setools.Type) + assert isinstance(flow.target, setools.Type) + assert flow.source == "node6" for r in flow.rules: - self.assertEqual(TERT.allow, r.ruletype) + assert TERT.allow == r.ruletype - def test_304_infoflows_in(self): + def test_infoflows_in(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: flows in to a type""" - self.a.exclude = None - self.a.min_weight = 1 - self.a.mode = InfoFlowAnalysis.Mode.FlowsIn - self.a.depth_limit = 1 - self.a.target = "node8" - - for flow in self.a.results(): - self.assertIsInstance(flow.source, Type) - self.assertIsInstance(flow.target, Type) - self.assertEqual(flow.target, "node8") + analysis.exclude = [] + analysis.min_weight = 1 + analysis.mode = setools.InfoFlowAnalysis.Mode.FlowsIn + analysis.depth_limit = 1 + analysis.target = "node8" + + for flow in analysis.results(): + assert isinstance(flow, setools.InfoFlowStep) + assert isinstance(flow.source, setools.Type) + assert isinstance(flow.target, setools.Type) + assert flow.target == "node8" for r in flow.rules: - self.assertEqual(TERT.allow, r.ruletype) + assert TERT.allow == r.ruletype - def test_900_set_exclude_invalid_type(self): + def test_set_exclude_invalid_type(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: set invalid excluded type.""" - with self.assertRaises(InvalidType): - self.a.exclude = ["node1", "invalid_type"] + with pytest.raises(setools.exception.InvalidType): + analysis.exclude = ["node1", "invalid_type"] # type: ignore[list-item] - def test_901_set_small_min_weight(self): + def test_set_small_min_weight(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: set too small weight.""" - with self.assertRaises(ValueError): - self.a.min_weight = 0 + with pytest.raises(ValueError): + analysis.min_weight = 0 - with self.assertRaises(ValueError): - self.a.min_weight = -3 + with pytest.raises(ValueError): + analysis.min_weight = -3 - def test_902_set_large_min_weight(self): + def test_set_large_min_weight(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: set too big weight.""" - with self.assertRaises(ValueError): - self.a.min_weight = 11 + with pytest.raises(ValueError): + analysis.min_weight = 11 - with self.assertRaises(ValueError): - self.a.min_weight = 50 + with pytest.raises(ValueError): + analysis.min_weight = 50 - def test_910_invalid_source(self): + def test_invalid_source(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: invalid source type.""" - with self.assertRaises(InvalidType): - self.a.source = "invalid_type" + with pytest.raises(setools.exception.InvalidType): + analysis.source = "invalid_type" - def test_911_invalid_target(self): + def test_invalid_target(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: invalid target type.""" - with self.assertRaises(InvalidType): - self.a.target = "invalid_type" + with pytest.raises(setools.exception.InvalidType): + analysis.target = "invalid_type" - def test_912_all_paths_invalid_maxlen(self): + def test_all_paths_invalid_maxlen(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: all paths with invalid max path length.""" - self.a.exclude = None - self.a.min_weight = 1 - self.a.mode = InfoFlowAnalysis.Mode.AllPaths + analysis.exclude = [] + analysis.min_weight = 1 + analysis.mode = setools.InfoFlowAnalysis.Mode.AllPaths - with self.assertRaises(ValueError): - self.a.depth_limit = -2 + with pytest.raises(ValueError): + analysis.depth_limit = -2 - def test_913_all_paths_source_excluded(self): + def test_all_paths_source_excluded(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: all paths with excluded source type.""" - self.a.exclude = ["node1"] - self.a.min_weight = 1 - self.a.mode = InfoFlowAnalysis.Mode.AllPaths - self.a.source = "node1" - self.a.target = "node2" - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_914_all_paths_target_excluded(self): + analysis.exclude = ["node1"] # type: ignore[list-item] + analysis.min_weight = 1 + analysis.mode = setools.InfoFlowAnalysis.Mode.AllPaths + analysis.source = "node1" + analysis.target = "node2" + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_paths_target_excluded(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: all paths with excluded target type.""" - self.a.exclude = ["node2"] - self.a.min_weight = 1 - self.a.mode = InfoFlowAnalysis.Mode.AllPaths - self.a.source = "node1" - self.a.target = "node2" - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_915_all_paths_source_disconnected(self): + analysis.exclude = ["node2"] # type: ignore[list-item] + analysis.min_weight = 1 + analysis.mode = setools.InfoFlowAnalysis.Mode.AllPaths + analysis.source = "node1" + analysis.target = "node2" + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_paths_source_disconnected(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: all paths with disconnected source type.""" - self.a.exclude = None - self.a.min_weight = 1 - self.a.mode = InfoFlowAnalysis.Mode.AllPaths - self.a.source = "disconnected1" - self.a.target = "node2" - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_916_all_paths_target_disconnected(self): + analysis.exclude = [] + analysis.min_weight = 1 + analysis.mode = setools.InfoFlowAnalysis.Mode.AllPaths + analysis.source = "disconnected1" + analysis.target = "node2" + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_paths_target_disconnected(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: all paths with disconnected target type.""" - self.a.exclude = None - self.a.min_weight = 1 - self.a.source = "node2" - self.a.target = "disconnected1" - self.a.mode = InfoFlowAnalysis.Mode.AllPaths - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_932_all_shortest_paths_source_excluded(self): + analysis.exclude = [] + analysis.min_weight = 1 + analysis.source = "node2" + analysis.target = "disconnected1" + analysis.mode = setools.InfoFlowAnalysis.Mode.AllPaths + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_shortest_paths_source_excluded(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: all shortest paths with excluded source type.""" - self.a.exclude = ["node1"] - self.a.min_weight = 1 - self.a.mode = InfoFlowAnalysis.Mode.ShortestPaths - self.a.source = "node1" - self.a.target = "node2" - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_933_all_shortest_paths_target_excluded(self): + analysis.exclude = ["node1"] # type: ignore[list-item] + analysis.min_weight = 1 + analysis.mode = setools.InfoFlowAnalysis.Mode.ShortestPaths + analysis.source = "node1" + analysis.target = "node2" + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_shortest_paths_target_excluded(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: all shortest paths with excluded target type.""" - self.a.exclude = ["node2"] - self.a.min_weight = 1 - self.a.mode = InfoFlowAnalysis.Mode.ShortestPaths - self.a.source = "node1" - self.a.target = "node2" - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_934_all_shortest_paths_source_disconnected(self): + analysis.exclude = ["node2"] # type: ignore[list-item] + analysis.min_weight = 1 + analysis.mode = setools.InfoFlowAnalysis.Mode.ShortestPaths + analysis.source = "node1" + analysis.target = "node2" + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_shortest_paths_source_disconnected( + self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: all shortest paths with disconnected source type.""" - self.a.exclude = None - self.a.min_weight = 1 - self.a.mode = InfoFlowAnalysis.Mode.ShortestPaths - self.a.source = "disconnected1" - self.a.target = "node2" - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_935_all_shortest_paths_target_disconnected(self): + analysis.exclude = [] + analysis.min_weight = 1 + analysis.mode = setools.InfoFlowAnalysis.Mode.ShortestPaths + analysis.source = "disconnected1" + analysis.target = "node2" + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_all_shortest_paths_target_disconnected( + self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: all shortest paths with disconnected target type.""" - self.a.exclude = None - self.a.min_weight = 1 - self.source = "node2" - self.target = "disconnected1" - self.a.mode = InfoFlowAnalysis.Mode.ShortestPaths - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_941_infoflows_source_excluded(self): + analysis.exclude = [] + analysis.min_weight = 1 + analysis.source = "node2" + analysis.target = "disconnected1" + analysis.mode = setools.InfoFlowAnalysis.Mode.ShortestPaths + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_infoflows_source_excluded(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: infoflows with excluded source type.""" - self.a.exclude = ["node1"] - self.a.min_weight = 1 - self.a.mode = InfoFlowAnalysis.Mode.FlowsOut - self.a.source = "node1" - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) - - def test_942_infoflows_source_disconnected(self): + analysis.exclude = ["node1"] # type: ignore[list-item] + analysis.min_weight = 1 + analysis.mode = setools.InfoFlowAnalysis.Mode.FlowsOut + analysis.source = "node1" + paths = list(analysis.results()) + assert 0 == len(paths) + + def test_infoflows_source_disconnected(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis: infoflows with disconnected source type.""" - self.a.exclude = ["disconnected2"] - self.a.min_weight = 1 - self.a.mode = InfoFlowAnalysis.Mode.FlowsOut - self.a.source = "disconnected1" - paths = list(self.a.results()) - self.assertEqual(0, len(paths)) + analysis.exclude = ["disconnected2"] # type: ignore[list-item] + analysis.min_weight = 1 + analysis.mode = setools.InfoFlowAnalysis.Mode.FlowsOut + analysis.source = "disconnected1" + paths = list(analysis.results()) + assert 0 == len(paths) From 43e764d5ecfc2d577300f6ca516ad7e381a40b70 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:32:08 -0400 Subject: [PATCH 50/71] TestInitialSIDQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_initsidquery.py | 198 ++++++++++++++--------------- 1 file changed, 98 insertions(+), 100 deletions(-) diff --git a/tests/library/test_initsidquery.py b/tests/library/test_initsidquery.py index 6f05cec6..86a0b9f2 100644 --- a/tests/library/test_initsidquery.py +++ b/tests/library/test_initsidquery.py @@ -2,215 +2,213 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import InitialSIDQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/initsidquery.conf") +class TestInitialSIDQuery: - -class InitialSIDQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/initsidquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with no criteria""" # query with no parameters gets all SIDs. - sids = sorted(self.p.initialsids()) + sids = sorted(compiled_policy.initialsids()) - q = InitialSIDQuery(self.p) + q = setools.InitialSIDQuery(compiled_policy) q_sids = sorted(q.results()) - self.assertListEqual(sids, q_sids) + assert sids == q_sids - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with exact match""" - q = InitialSIDQuery(self.p, name="kernel", name_regex=False) + q = setools.InitialSIDQuery(compiled_policy, name="kernel", name_regex=False) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["kernel"], sids) + assert ["kernel"] == sids - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with regex match""" - q = InitialSIDQuery(self.p, name="(security|unlabeled)", name_regex=True) + q = setools.InitialSIDQuery(compiled_policy, name="(security|unlabeled)", name_regex=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["security", "unlabeled"], sids) + assert ["security", "unlabeled"] == sids - def test_010_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context user exact match""" - q = InitialSIDQuery(self.p, user="user10", user_regex=False) + q = setools.InitialSIDQuery(compiled_policy, user="user10", user_regex=False) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["fs"], sids) + assert ["fs"] == sids - def test_011_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context user regex match""" - q = InitialSIDQuery(self.p, user="user11(a|b)", user_regex=True) + q = setools.InitialSIDQuery(compiled_policy, user="user11(a|b)", user_regex=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["file", "file_labels"], sids) + assert ["file", "file_labels"] == sids - def test_020_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context role exact match""" - q = InitialSIDQuery(self.p, role="role20_r", role_regex=False) + q = setools.InitialSIDQuery(compiled_policy, role="role20_r", role_regex=False) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["any_socket"], sids) + assert ["any_socket"] == sids - def test_021_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context role regex match""" - q = InitialSIDQuery(self.p, role="role21(a|c)_r", role_regex=True) + q = setools.InitialSIDQuery(compiled_policy, role="role21(a|c)_r", role_regex=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["netmsg", "port"], sids) + assert ["netmsg", "port"] == sids - def test_030_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context type exact match""" - q = InitialSIDQuery(self.p, type_="type30", type_regex=False) + q = setools.InitialSIDQuery(compiled_policy, type_="type30", type_regex=False) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["node"], sids) + assert ["node"] == sids - def test_031_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context type regex match""" - q = InitialSIDQuery(self.p, type_="type31(b|c)", type_regex=True) + q = setools.InitialSIDQuery(compiled_policy, type_="type31(b|c)", type_regex=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["icmp_socket", "tcp_socket"], sids) + assert ["icmp_socket", "tcp_socket"] == sids - def test_040_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range exact match""" - q = InitialSIDQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.InitialSIDQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl_modprobe"], sids) + assert ["sysctl_modprobe"] == sids - def test_041_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range overlap match (equal)""" - q = InitialSIDQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", range_overlap=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl"], sids) + assert ["sysctl"] == sids - def test_041_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range overlap match (subset)""" - q = InitialSIDQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", + range_overlap=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl"], sids) + assert ["sysctl"] == sids - def test_041_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range overlap match (superset)""" - q = InitialSIDQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl"], sids) + assert ["sysctl"] == sids - def test_041_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range overlap match (overlap low level)""" - q = InitialSIDQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl"], sids) + assert ["sysctl"] == sids - def test_041_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range overlap match (overlap high level)""" - q = InitialSIDQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", + range_overlap=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl"], sids) + assert ["sysctl"] == sids - def test_042_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range subset match""" - q = InitialSIDQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", + range_overlap=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl_fs"], sids) + assert ["sysctl_fs"] == sids - def test_042_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range subset match (equal)""" - q = InitialSIDQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", range_overlap=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl_fs"], sids) + assert ["sysctl_fs"] == sids - def test_043_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range superset match""" - q = InitialSIDQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl_kernel"], sids) + assert ["sysctl_kernel"] == sids - def test_043_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range superset match (equal)""" - q = InitialSIDQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", + range_superset=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl_kernel"], sids) + assert ["sysctl_kernel"] == sids - def test_044_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range proper subset match""" - q = InitialSIDQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl_net"], sids) + assert ["sysctl_net"] == sids - def test_044_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range proper subset match (equal)""" - q = InitialSIDQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", range_subset=True, + range_proper=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual([], sids) + assert [] == sids - def test_044_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range proper subset match (equal low only)""" - q = InitialSIDQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", range_subset=True, + range_proper=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl_net"], sids) + assert ["sysctl_net"] == sids - def test_044_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range proper subset match (equal high only)""" - q = InitialSIDQuery(self.p, - range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", + range_subset=True, range_proper=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl_net"], sids) + assert ["sysctl_net"] == sids - def test_045_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range proper superset match""" - q = InitialSIDQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl_net_unix"], sids) + assert ["sysctl_net_unix"] == sids - def test_045_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range proper superset match (equal)""" - q = InitialSIDQuery(self.p, - range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", + range_superset=True, range_proper=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual([], sids) + assert [] == sids - def test_045_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range proper superset match (equal low)""" - q = InitialSIDQuery(self.p, - range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", + range_superset=True, range_proper=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl_net_unix"], sids) + assert ["sysctl_net_unix"] == sids - def test_045_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Initial SID query with context range proper superset match (equal high)""" - q = InitialSIDQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.InitialSIDQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) sids = sorted(str(s) for s in q.results()) - self.assertListEqual(["sysctl_net_unix"], sids) + assert ["sysctl_net_unix"] == sids From 66c741e39729ad7c7fd087965541d04367ca89d9 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:33:29 -0400 Subject: [PATCH 51/71] TestIomemconQuery: Update tests to pytest fixtures. Fix IomemconRange typing stub to include rich comparisons. Signed-off-by: Chris PeBenito --- setools/policyrep.pyi | 2 +- tests/library/test_iomemconquery.py | 395 ++++++++++++++-------------- 2 files changed, 198 insertions(+), 199 deletions(-) diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index a04a2c80..32287f54 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -253,7 +253,7 @@ class IoctlSet(frozenset[int]): class Iomemcon(Ocontext): addr: "IomemconRange" = ... -@dataclass +@dataclass(eq=True, order=True, frozen=True) class IomemconRange: high: int = ... low: int = ... diff --git a/tests/library/test_iomemconquery.py b/tests/library/test_iomemconquery.py index 1e27597b..7a32786a 100644 --- a/tests/library/test_iomemconquery.py +++ b/tests/library/test_iomemconquery.py @@ -2,429 +2,428 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import IomemconQuery, IomemconRange -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/iomemconquery.conf", xen=True) +class TestIomemconQuery: - -class IomemconQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/iomemconquery.conf", xen=True) - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with no criteria""" # query with no parameters gets all addr. - rules = sorted(self.p.iomemcons()) + rules = sorted(compiled_policy.iomemcons()) - q = IomemconQuery(self.p) + q = setools.IomemconQuery(compiled_policy) q_rules = sorted(q.results()) - self.assertListEqual(rules, q_rules) + assert rules == q_rules - def test_010_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context user exact match""" - q = IomemconQuery(self.p, user="user10", user_regex=False) + q = setools.IomemconQuery(compiled_policy, user="user10", user_regex=False) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(10, 10)], addr) + assert [setools.IomemconRange(10, 10)] == addr - def test_011_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context user regex match""" - q = IomemconQuery(self.p, user="user11(a|b)", user_regex=True) + q = setools.IomemconQuery(compiled_policy, user="user11(a|b)", user_regex=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(11, 11), IomemconRange(11000, 11000)], addr) + assert [setools.IomemconRange(11, 11), setools.IomemconRange(11000, 11000)] == addr - def test_020_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context role exact match""" - q = IomemconQuery(self.p, role="role20_r", role_regex=False) + q = setools.IomemconQuery(compiled_policy, role="role20_r", role_regex=False) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(20, 20)], addr) + assert [setools.IomemconRange(20, 20)] == addr - def test_021_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context role regex match""" - q = IomemconQuery(self.p, role="role21(a|c)_r", role_regex=True) + q = setools.IomemconQuery(compiled_policy, role="role21(a|c)_r", role_regex=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(21, 21), IomemconRange(21001, 21001)], addr) + assert [setools.IomemconRange(21, 21), setools.IomemconRange(21001, 21001)] == addr - def test_030_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context type exact match""" - q = IomemconQuery(self.p, type_="type30", type_regex=False) + q = setools.IomemconQuery(compiled_policy, type_="type30", type_regex=False) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(30, 30)], addr) + assert [setools.IomemconRange(30, 30)] == addr - def test_031_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context type regex match""" - q = IomemconQuery(self.p, type_="type31(b|c)", type_regex=True) + q = setools.IomemconQuery(compiled_policy, type_="type31(b|c)", type_regex=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(31000, 31000), IomemconRange(31001, 31001)], addr) + assert [setools.IomemconRange(31000, 31000), setools.IomemconRange(31001, 31001)] == addr - def test_040_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range exact match""" - q = IomemconQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.IomemconQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(40, 40)], addr) + assert [setools.IomemconRange(40, 40)] == addr - def test_041_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range overlap match (equal)""" - q = IomemconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.IomemconQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", range_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(41, 41)], addr) + assert [setools.IomemconRange(41, 41)] == addr - def test_041_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range overlap match (subset)""" - q = IomemconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.IomemconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", + range_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(41, 41)], addr) + assert [setools.IomemconRange(41, 41)] == addr - def test_041_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range overlap match (superset)""" - q = IomemconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.IomemconQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(41, 41)], addr) + assert [setools.IomemconRange(41, 41)] == addr - def test_041_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range overlap match (overlap low level)""" - q = IomemconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.IomemconQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(41, 41)], addr) + assert [setools.IomemconRange(41, 41)] == addr - def test_041_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range overlap match (overlap high level)""" - q = IomemconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.IomemconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", + range_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(41, 41)], addr) + assert [setools.IomemconRange(41, 41)] == addr - def test_042_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range subset match""" - q = IomemconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.IomemconQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", + range_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(42, 42)], addr) + assert [setools.IomemconRange(42, 42)] == addr - def test_042_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range subset match (equal)""" - q = IomemconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.IomemconQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", range_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(42, 42)], addr) + assert [setools.IomemconRange(42, 42)] == addr - def test_043_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range superset match""" - q = IomemconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.IomemconQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(43, 43)], addr) + assert [setools.IomemconRange(43, 43)] == addr - def test_043_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range superset match (equal)""" - q = IomemconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.IomemconQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", range_superset=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(43, 43)], addr) + assert [setools.IomemconRange(43, 43)] == addr - def test_044_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range proper subset match""" - q = IomemconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.IomemconQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(44, 44)], addr) + assert [setools.IomemconRange(44, 44)] == addr - def test_044_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range proper subset match (equal)""" - q = IomemconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.IomemconQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", range_subset=True, + range_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([], addr) + assert [] == addr - def test_044_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range proper subset match (equal low only)""" - q = IomemconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.IomemconQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", range_subset=True, + range_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(44, 44)], addr) + assert [setools.IomemconRange(44, 44)] == addr - def test_044_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range proper subset match (equal high only)""" - q = IomemconQuery(self.p, - range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.IomemconQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", + range_subset=True, range_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(44, 44)], addr) + assert [setools.IomemconRange(44, 44)] == addr - def test_045_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range proper superset match""" - q = IomemconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.IomemconQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(45, 45)], addr) + assert [setools.IomemconRange(45, 45)] == addr - def test_045_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range proper superset match (equal)""" - q = IomemconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.IomemconQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", range_superset=True, + range_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([], addr) + assert [] == addr - def test_045_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range proper superset match (equal low)""" - q = IomemconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + q = setools.IomemconQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", range_superset=True, + range_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(45, 45)], addr) + assert [setools.IomemconRange(45, 45)] == addr - def test_045_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with context range proper superset match (equal high)""" - q = IomemconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.IomemconQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(45, 45)], addr) + assert [setools.IomemconRange(45, 45)] == addr - def test_050_single_equal(self): + def test_single_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single mem addr exact match""" - q = IomemconQuery(self.p, addr=(50, 50)) + q = setools.IomemconQuery(compiled_policy, addr=(50, 50)) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50, 50)], addr) + assert [setools.IomemconRange(50, 50)] == addr - def test_051_range_equal(self): + def test_range_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with mem addr range exact match""" - q = IomemconQuery(self.p, addr=(50100, 50110)) + q = setools.IomemconQuery(compiled_policy, addr=(50100, 50110)) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50100, 50110)], addr) + assert [setools.IomemconRange(50100, 50110)] == addr - def test_052_single_subset(self): + def test_single_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single mem addr subset""" - q = IomemconQuery(self.p, addr=(50200, 50200), addr_subset=True) + q = setools.IomemconQuery(compiled_policy, addr=(50200, 50200), addr_subset=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50200, 50200)], addr) + assert [setools.IomemconRange(50200, 50200)] == addr - def test_053_range_subset(self): + def test_range_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range subset""" - q = IomemconQuery(self.p, addr=(50301, 50309), addr_subset=True) + q = setools.IomemconQuery(compiled_policy, addr=(50301, 50309), addr_subset=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50300, 50310)], addr) + assert [setools.IomemconRange(50300, 50310)] == addr - def test_053_range_subset_edge1(self): + def test_range_subset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range subset, equal edge case""" - q = IomemconQuery(self.p, addr=(50300, 50310), addr_subset=True) + q = setools.IomemconQuery(compiled_policy, addr=(50300, 50310), addr_subset=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50300, 50310)], addr) + assert [setools.IomemconRange(50300, 50310)] == addr - def test_054_single_proper_subset(self): + def test_single_proper_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single mem addr proper subset""" - q = IomemconQuery( - self.p, addr=(50400, 50400), addr_subset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50400, 50400), addr_subset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([], addr) + assert [] == addr - def test_055_range_proper_subset(self): + def test_range_proper_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range proper subset""" - q = IomemconQuery( - self.p, addr=(50501, 50509), addr_subset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50501, 50509), addr_subset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50500, 50510)], addr) + assert [setools.IomemconRange(50500, 50510)] == addr - def test_055_range_proper_subset_edge1(self): + def test_range_proper_subset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range proper subset, equal edge case""" - q = IomemconQuery( - self.p, addr=(50500, 50510), addr_subset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50500, 50510), addr_subset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([], addr) + assert [] == addr - def test_055_range_proper_subset_edge2(self): + def test_range_proper_subset_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range proper subset, low equal edge case""" - q = IomemconQuery( - self.p, addr=(50500, 50509), addr_subset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50500, 50509), addr_subset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50500, 50510)], addr) + assert [setools.IomemconRange(50500, 50510)] == addr - def test_055_range_proper_subset_edge3(self): + def test_range_proper_subset_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range proper subset, high equal edge case""" - q = IomemconQuery( - self.p, addr=(50501, 50510), addr_subset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50501, 50510), addr_subset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50500, 50510)], addr) + assert [setools.IomemconRange(50500, 50510)] == addr - def test_056_single_superset(self): + def test_single_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single mem addr superset""" - q = IomemconQuery(self.p, addr=(50600, 50602), addr_superset=True) + q = setools.IomemconQuery(compiled_policy, addr=(50600, 50602), addr_superset=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50601, 50601)], addr) + assert [setools.IomemconRange(50601, 50601)] == addr - def test_056_single_superset_edge1(self): + def test_single_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single mem addr superset, equal edge case""" - q = IomemconQuery(self.p, addr=(50601, 50601), addr_superset=True) + q = setools.IomemconQuery(compiled_policy, addr=(50601, 50601), addr_superset=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50601, 50601)], addr) + assert [setools.IomemconRange(50601, 50601)] == addr - def test_057_range_superset(self): + def test_range_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range superset""" - q = IomemconQuery(self.p, addr=(50700, 50711), addr_superset=True) + q = setools.IomemconQuery(compiled_policy, addr=(50700, 50711), addr_superset=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50700, 50710)], addr) + assert [setools.IomemconRange(50700, 50710)] == addr - def test_057_range_superset_edge1(self): + def test_range_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range superset, equal edge case""" - q = IomemconQuery(self.p, addr=(50700, 50710), addr_superset=True) + q = setools.IomemconQuery(compiled_policy, addr=(50700, 50710), addr_superset=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50700, 50710)], addr) + assert [setools.IomemconRange(50700, 50710)] == addr - def test_058_single_proper_superset(self): + def test_single_proper_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single mem addr proper superset""" - q = IomemconQuery( - self.p, addr=(50800, 50802), addr_superset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50800, 50802), addr_superset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50801, 50801)], addr) + assert [setools.IomemconRange(50801, 50801)] == addr - def test_058_single_proper_superset_edge1(self): + def test_single_proper_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single mem addr proper superset, equal edge case""" - q = IomemconQuery( - self.p, addr=(50801, 50801), addr_superset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50801, 50801), addr_superset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([], addr) + assert [] == addr - def test_058_single_proper_superset_edge2(self): + def test_single_proper_superset_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single mem addr proper superset, low equal edge case""" - q = IomemconQuery( - self.p, addr=(50801, 50802), addr_superset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50801, 50802), addr_superset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50801, 50801)], addr) + assert [setools.IomemconRange(50801, 50801)] == addr - def test_058_single_proper_superset_edge3(self): + def test_single_proper_superset_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single mem addr proper superset, high equal edge case""" - q = IomemconQuery( - self.p, addr=(50800, 50801), addr_superset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50800, 50801), addr_superset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50801, 50801)], addr) + assert [setools.IomemconRange(50801, 50801)] == addr - def test_059_range_proper_superset(self): + def test_range_proper_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range proper superset""" - q = IomemconQuery( - self.p, addr=(50900, 50911), addr_superset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50900, 50911), addr_superset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50901, 50910)], addr) + assert [setools.IomemconRange(50901, 50910)] == addr - def test_059_range_proper_superset_edge1(self): + def test_range_proper_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range proper superset, equal edge case""" - q = IomemconQuery( - self.p, addr=(50901, 50910), addr_superset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50901, 50910), addr_superset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([], addr) + assert [] == addr - def test_059_range_proper_superset_edge2(self): + def test_range_proper_superset_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range proper superset, equal high mem addr edge case""" - q = IomemconQuery( - self.p, addr=(50900, 50910), addr_superset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50900, 50910), addr_superset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50901, 50910)], addr) + assert [setools.IomemconRange(50901, 50910)] == addr - def test_059_range_proper_superset_edge3(self): + def test_range_proper_superset_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range proper superset, equal low mem addr edge case""" - q = IomemconQuery( - self.p, addr=(50901, 50911), addr_superset=True, addr_proper=True) + q = setools.IomemconQuery( + compiled_policy, addr=(50901, 50911), addr_superset=True, addr_proper=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(50901, 50910)], addr) + assert [setools.IomemconRange(50901, 50910)] == addr - def test_060_single_overlap(self): + def test_single_overlap(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single overlap""" - q = IomemconQuery(self.p, addr=(60001, 60001), addr_overlap=True) + q = setools.IomemconQuery(compiled_policy, addr=(60001, 60001), addr_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(60001, 60001)], addr) + assert [setools.IomemconRange(60001, 60001)] == addr - def test_060_single_overlap_edge1(self): + def test_single_overlap_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single overlap, range match low""" - q = IomemconQuery(self.p, addr=(60001, 60002), addr_overlap=True) + q = setools.IomemconQuery(compiled_policy, addr=(60001, 60002), addr_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(60001, 60001)], addr) + assert [setools.IomemconRange(60001, 60001)] == addr - def test_060_single_overlap_edge2(self): + def test_single_overlap_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single overlap, range match high""" - q = IomemconQuery(self.p, addr=(60000, 60001), addr_overlap=True) + q = setools.IomemconQuery(compiled_policy, addr=(60000, 60001), addr_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(60001, 60001)], addr) + assert [setools.IomemconRange(60001, 60001)] == addr - def test_060_single_overlap_edge3(self): + def test_single_overlap_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with single overlap, range match proper superset""" - q = IomemconQuery(self.p, addr=(60000, 60002), addr_overlap=True) + q = setools.IomemconQuery(compiled_policy, addr=(60000, 60002), addr_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(60001, 60001)], addr) + assert [setools.IomemconRange(60001, 60001)] == addr - def test_061_range_overlap_low_half(self): + def test_range_overlap_low_half(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range overlap, low half match""" - q = IomemconQuery(self.p, addr=(60100, 60105), addr_overlap=True) + q = setools.IomemconQuery(compiled_policy, addr=(60100, 60105), addr_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(60101, 60110)], addr) + assert [setools.IomemconRange(60101, 60110)] == addr - def test_062_range_overlap_high_half(self): + def test_range_overlap_high_half(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range overlap, high half match""" - q = IomemconQuery(self.p, addr=(60205, 60211), addr_overlap=True) + q = setools.IomemconQuery(compiled_policy, addr=(60205, 60211), addr_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(60200, 60210)], addr) + assert [setools.IomemconRange(60200, 60210)] == addr - def test_063_range_overlap_middle(self): + def test_range_overlap_middle(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range overlap, middle match""" - q = IomemconQuery(self.p, addr=(60305, 60308), addr_overlap=True) + q = setools.IomemconQuery(compiled_policy, addr=(60305, 60308), addr_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(60300, 60310)], addr) + assert [setools.IomemconRange(60300, 60310)] == addr - def test_064_range_overlap_equal(self): + def test_range_overlap_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range overlap, equal match""" - q = IomemconQuery(self.p, addr=(60400, 60410), addr_overlap=True) + q = setools.IomemconQuery(compiled_policy, addr=(60400, 60410), addr_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(60400, 60410)], addr) + assert [setools.IomemconRange(60400, 60410)] == addr - def test_065_range_overlap_superset(self): + def test_range_overlap_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Iomemcon query with range overlap, superset match""" - q = IomemconQuery(self.p, addr=(60500, 60510), addr_overlap=True) + q = setools.IomemconQuery(compiled_policy, addr=(60500, 60510), addr_overlap=True) addr = sorted(p.addr for p in q.results()) - self.assertListEqual([IomemconRange(60501, 60509)], addr) + assert [setools.IomemconRange(60501, 60509)] == addr From c786b5ae58930d6cb52cb7736f333ee90dc12c87 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:35:08 -0400 Subject: [PATCH 52/71] TestIoportconQuery: Update tests to pytest fixtures. Fix IoportconRange typing stub to include rich comparisons. Signed-off-by: Chris PeBenito --- setools/policyrep.pyi | 2 +- tests/library/test_ioportconquery.py | 398 +++++++++++++-------------- 2 files changed, 199 insertions(+), 201 deletions(-) diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index 32287f54..6a39235e 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -261,7 +261,7 @@ class IomemconRange: class Ioportcon(Ocontext): ports: "IoportconRange" = ... -@dataclass +@dataclass(eq=True, order=True, frozen=True) class IoportconRange: high: int = ... low: int = ... diff --git a/tests/library/test_ioportconquery.py b/tests/library/test_ioportconquery.py index f0ace2ee..e701593e 100644 --- a/tests/library/test_ioportconquery.py +++ b/tests/library/test_ioportconquery.py @@ -2,431 +2,429 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import IoportconQuery, IoportconRange -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/ioportconquery.conf", xen=True) +class TestIoportconQuery: - -class IoportconQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/ioportconquery.conf", xen=True) - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Ioportcon query with no criteria""" # query with no parameters gets all ports. - rules = sorted(self.p.ioportcons()) + rules = sorted(compiled_policy.ioportcons()) - q = IoportconQuery(self.p) + q = setools.IoportconQuery(compiled_policy) q_rules = sorted(q.results()) - self.assertListEqual(rules, q_rules) + assert rules == q_rules - def test_010_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context user exact match""" - q = IoportconQuery(self.p, user="user10", user_regex=False) + q = setools.IoportconQuery(compiled_policy, user="user10", user_regex=False) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(10, 10)], ports) + assert [setools.IoportconRange(10, 10)] == ports - def test_011_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context user regex match""" - q = IoportconQuery(self.p, user="user11(a|b)", user_regex=True) + q = setools.IoportconQuery(compiled_policy, user="user11(a|b)", user_regex=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(11, 11), IoportconRange(11000, 11000)], ports) + assert [setools.IoportconRange(11, 11), setools.IoportconRange(11000, 11000)] == ports - def test_020_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context role exact match""" - q = IoportconQuery(self.p, role="role20_r", role_regex=False) + q = setools.IoportconQuery(compiled_policy, role="role20_r", role_regex=False) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(20, 20)], ports) + assert [setools.IoportconRange(20, 20)] == ports - def test_021_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context role regex match""" - q = IoportconQuery(self.p, role="role21(a|c)_r", role_regex=True) + q = setools.IoportconQuery(compiled_policy, role="role21(a|c)_r", role_regex=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(21, 21), IoportconRange(21001, 21001)], ports) + assert [setools.IoportconRange(21, 21), setools.IoportconRange(21001, 21001)] == ports - def test_030_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context type exact match""" - q = IoportconQuery(self.p, type_="type30", type_regex=False) + q = setools.IoportconQuery(compiled_policy, type_="type30", type_regex=False) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(30, 30)], ports) + assert [setools.IoportconRange(30, 30)] == ports - def test_031_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context type regex match""" - q = IoportconQuery(self.p, type_="type31(b|c)", type_regex=True) + q = setools.IoportconQuery(compiled_policy, type_="type31(b|c)", type_regex=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(31000, 31000), IoportconRange(31001, 31001)], ports) + assert [setools.IoportconRange(31000, 31000), + setools.IoportconRange(31001, 31001)] == ports - def test_040_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range exact match""" - q = IoportconQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.IoportconQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(40, 40)], ports) + assert [setools.IoportconRange(40, 40)] == ports - def test_041_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range overlap match (equal)""" - q = IoportconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.IoportconQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(41, 41)], ports) + assert [setools.IoportconRange(41, 41)] == ports - def test_041_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range overlap match (subset)""" - q = IoportconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.IoportconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", + range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(41, 41)], ports) + assert [setools.IoportconRange(41, 41)] == ports - def test_041_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range overlap match (superset)""" - q = IoportconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.IoportconQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(41, 41)], ports) + assert [setools.IoportconRange(41, 41)] == ports - def test_041_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range overlap match (overlap low level)""" - q = IoportconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.IoportconQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(41, 41)], ports) + assert [setools.IoportconRange(41, 41)] == ports - def test_041_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range overlap match (overlap high level)""" - q = IoportconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.IoportconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", + range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(41, 41)], ports) + assert [setools.IoportconRange(41, 41)] == ports - def test_042_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range subset match""" - q = IoportconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.IoportconQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", + range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(42, 42)], ports) + assert [setools.IoportconRange(42, 42)] == ports - def test_042_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range subset match (equal)""" - q = IoportconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.IoportconQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(42, 42)], ports) + assert [setools.IoportconRange(42, 42)] == ports - def test_043_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range superset match""" - q = IoportconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.IoportconQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(43, 43)], ports) + assert [setools.IoportconRange(43, 43)] == ports - def test_043_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range superset match (equal)""" - q = IoportconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.IoportconQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", range_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(43, 43)], ports) + assert [setools.IoportconRange(43, 43)] == ports - def test_044_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper subset match""" - q = IoportconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.IoportconQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(44, 44)], ports) + assert [setools.IoportconRange(44, 44)] == ports - def test_044_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper subset match (equal)""" - q = IoportconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.IoportconQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", range_subset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_044_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper subset match (equal low only)""" - q = IoportconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.IoportconQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", range_subset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(44, 44)], ports) + assert [setools.IoportconRange(44, 44)] == ports - def test_044_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper subset match (equal high only)""" - q = IoportconQuery(self.p, - range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.IoportconQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", + range_subset=True, range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(44, 44)], ports) + assert [setools.IoportconRange(44, 44)] == ports - def test_045_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper superset match""" - q = IoportconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.IoportconQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(45, 45)], ports) + assert [setools.IoportconRange(45, 45)] == ports - def test_045_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper superset match (equal)""" - q = IoportconQuery(self.p, - range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.IoportconQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", range_superset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_045_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper superset match (equal low)""" - q = IoportconQuery(self.p, - range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + q = setools.IoportconQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", range_superset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(45, 45)], ports) + assert [setools.IoportconRange(45, 45)] == ports - def test_045_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper superset match (equal high)""" - q = IoportconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.IoportconQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(45, 45)], ports) + assert [setools.IoportconRange(45, 45)] == ports - def test_050_single_equal(self): + def test_single_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port exact match""" - q = IoportconQuery(self.p, ports=(50, 50)) + q = setools.IoportconQuery(compiled_policy, ports=(50, 50)) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50, 50)], ports) + assert [setools.IoportconRange(50, 50)] == ports - def test_051_range_equal(self): + def test_range_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with port range exact match""" - q = IoportconQuery(self.p, ports=(50100, 50110)) + q = setools.IoportconQuery(compiled_policy, ports=(50100, 50110)) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50100, 50110)], ports) + assert [setools.IoportconRange(50100, 50110)] == ports - def test_052_single_subset(self): + def test_single_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port subset""" - q = IoportconQuery(self.p, ports=(50200, 50200), ports_subset=True) + q = setools.IoportconQuery(compiled_policy, ports=(50200, 50200), ports_subset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50200, 50200)], ports) + assert [setools.IoportconRange(50200, 50200)] == ports - def test_053_range_subset(self): + def test_range_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range subset""" - q = IoportconQuery(self.p, ports=(50301, 50309), ports_subset=True) + q = setools.IoportconQuery(compiled_policy, ports=(50301, 50309), ports_subset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50300, 50310)], ports) + assert [setools.IoportconRange(50300, 50310)] == ports - def test_053_range_subset_edge1(self): + def test_range_subset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range subset, equal edge case""" - q = IoportconQuery(self.p, ports=(50300, 50310), ports_subset=True) + q = setools.IoportconQuery(compiled_policy, ports=(50300, 50310), ports_subset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50300, 50310)], ports) + assert [setools.IoportconRange(50300, 50310)] == ports - def test_054_single_proper_subset(self): + def test_single_proper_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port proper subset""" - q = IoportconQuery( - self.p, ports=(50400, 50400), ports_subset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50400, 50400), ports_subset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_055_range_proper_subset(self): + def test_range_proper_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper subset""" - q = IoportconQuery( - self.p, ports=(50501, 50509), ports_subset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50501, 50509), ports_subset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50500, 50510)], ports) + assert [setools.IoportconRange(50500, 50510)] == ports - def test_055_range_proper_subset_edge1(self): + def test_range_proper_subset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper subset, equal edge case""" - q = IoportconQuery( - self.p, ports=(50500, 50510), ports_subset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50500, 50510), ports_subset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_055_range_proper_subset_edge2(self): + def test_range_proper_subset_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper subset, low equal edge case""" - q = IoportconQuery( - self.p, ports=(50500, 50509), ports_subset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50500, 50509), ports_subset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50500, 50510)], ports) + assert [setools.IoportconRange(50500, 50510)] == ports - def test_055_range_proper_subset_edge3(self): + def test_range_proper_subset_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper subset, high equal edge case""" - q = IoportconQuery( - self.p, ports=(50501, 50510), ports_subset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50501, 50510), ports_subset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50500, 50510)], ports) + assert [setools.IoportconRange(50500, 50510)] == ports - def test_056_single_superset(self): + def test_single_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port superset""" - q = IoportconQuery(self.p, ports=(50600, 50602), ports_superset=True) + q = setools.IoportconQuery(compiled_policy, ports=(50600, 50602), ports_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50601, 50601)], ports) + assert [setools.IoportconRange(50601, 50601)] == ports - def test_056_single_superset_edge1(self): + def test_single_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port superset, equal edge case""" - q = IoportconQuery(self.p, ports=(50601, 50601), ports_superset=True) + q = setools.IoportconQuery(compiled_policy, ports=(50601, 50601), ports_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50601, 50601)], ports) + assert [setools.IoportconRange(50601, 50601)] == ports - def test_057_range_superset(self): + def test_range_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range superset""" - q = IoportconQuery(self.p, ports=(50700, 50711), ports_superset=True) + q = setools.IoportconQuery(compiled_policy, ports=(50700, 50711), ports_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50700, 50710)], ports) + assert [setools.IoportconRange(50700, 50710)] == ports - def test_057_range_superset_edge1(self): + def test_range_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range superset, equal edge case""" - q = IoportconQuery(self.p, ports=(50700, 50710), ports_superset=True) + q = setools.IoportconQuery(compiled_policy, ports=(50700, 50710), ports_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50700, 50710)], ports) + assert [setools.IoportconRange(50700, 50710)] == ports - def test_058_single_proper_superset(self): + def test_single_proper_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port proper superset""" - q = IoportconQuery( - self.p, ports=(50800, 50802), ports_superset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50800, 50802), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50801, 50801)], ports) + assert [setools.IoportconRange(50801, 50801)] == ports - def test_058_single_proper_superset_edge1(self): + def test_single_proper_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port proper superset, equal edge case""" - q = IoportconQuery( - self.p, ports=(50801, 50801), ports_superset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50801, 50801), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_058_single_proper_superset_edge2(self): + def test_single_proper_superset_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port proper superset, low equal edge case""" - q = IoportconQuery( - self.p, ports=(50801, 50802), ports_superset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50801, 50802), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50801, 50801)], ports) + assert [setools.IoportconRange(50801, 50801)] == ports - def test_058_single_proper_superset_edge3(self): + def test_single_proper_superset_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port proper superset, high equal edge case""" - q = IoportconQuery( - self.p, ports=(50800, 50801), ports_superset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50800, 50801), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50801, 50801)], ports) + assert [setools.IoportconRange(50801, 50801)] == ports - def test_059_range_proper_superset(self): + def test_range_proper_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper superset""" - q = IoportconQuery( - self.p, ports=(50900, 50911), ports_superset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50900, 50911), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50901, 50910)], ports) + assert [setools.IoportconRange(50901, 50910)] == ports - def test_059_range_proper_superset_edge1(self): + def test_range_proper_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper superset, equal edge case""" - q = IoportconQuery( - self.p, ports=(50901, 50910), ports_superset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50901, 50910), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_059_range_proper_superset_edge2(self): + def test_range_proper_superset_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper superset, equal high port edge case""" - q = IoportconQuery( - self.p, ports=(50900, 50910), ports_superset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50900, 50910), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50901, 50910)], ports) + assert [setools.IoportconRange(50901, 50910)] == ports - def test_059_range_proper_superset_edge3(self): + def test_range_proper_superset_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper superset, equal low port edge case""" - q = IoportconQuery( - self.p, ports=(50901, 50911), ports_superset=True, ports_proper=True) + q = setools.IoportconQuery( + compiled_policy, ports=(50901, 50911), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(50901, 50910)], ports) + assert [setools.IoportconRange(50901, 50910)] == ports - def test_060_single_overlap(self): + def test_single_overlap(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single overlap""" - q = IoportconQuery(self.p, ports=(60001, 60001), ports_overlap=True) + q = setools.IoportconQuery(compiled_policy, ports=(60001, 60001), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(60001, 60001)], ports) + assert [setools.IoportconRange(60001, 60001)] == ports - def test_060_single_overlap_edge1(self): + def test_single_overlap_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single overlap, range match low""" - q = IoportconQuery(self.p, ports=(60001, 60002), ports_overlap=True) + q = setools.IoportconQuery(compiled_policy, ports=(60001, 60002), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(60001, 60001)], ports) + assert [setools.IoportconRange(60001, 60001)] == ports - def test_060_single_overlap_edge2(self): + def test_single_overlap_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single overlap, range match high""" - q = IoportconQuery(self.p, ports=(60000, 60001), ports_overlap=True) + q = setools.IoportconQuery(compiled_policy, ports=(60000, 60001), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(60001, 60001)], ports) + assert [setools.IoportconRange(60001, 60001)] == ports - def test_060_single_overlap_edge3(self): + def test_single_overlap_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single overlap, range match proper superset""" - q = IoportconQuery(self.p, ports=(60000, 60002), ports_overlap=True) + q = setools.IoportconQuery(compiled_policy, ports=(60000, 60002), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(60001, 60001)], ports) + assert [setools.IoportconRange(60001, 60001)] == ports - def test_061_range_overlap_low_half(self): + def test_range_overlap_low_half(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range overlap, low half match""" - q = IoportconQuery(self.p, ports=(60100, 60105), ports_overlap=True) + q = setools.IoportconQuery(compiled_policy, ports=(60100, 60105), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(60101, 60110)], ports) + assert [setools.IoportconRange(60101, 60110)] == ports - def test_062_range_overlap_high_half(self): + def test_range_overlap_high_half(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range overlap, high half match""" - q = IoportconQuery(self.p, ports=(60205, 60211), ports_overlap=True) + q = setools.IoportconQuery(compiled_policy, ports=(60205, 60211), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(60200, 60210)], ports) + assert [setools.IoportconRange(60200, 60210)] == ports - def test_063_range_overlap_middle(self): + def test_range_overlap_middle(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range overlap, middle match""" - q = IoportconQuery(self.p, ports=(60305, 60308), ports_overlap=True) + q = setools.IoportconQuery(compiled_policy, ports=(60305, 60308), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(60300, 60310)], ports) + assert [setools.IoportconRange(60300, 60310)] == ports - def test_064_range_overlap_equal(self): + def test_range_overlap_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range overlap, equal match""" - q = IoportconQuery(self.p, ports=(60400, 60410), ports_overlap=True) + q = setools.IoportconQuery(compiled_policy, ports=(60400, 60410), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(60400, 60410)], ports) + assert [setools.IoportconRange(60400, 60410)] == ports - def test_065_range_overlap_superset(self): + def test_range_overlap_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range overlap, superset match""" - q = IoportconQuery(self.p, ports=(60500, 60510), ports_overlap=True) + q = setools.IoportconQuery(compiled_policy, ports=(60500, 60510), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([IoportconRange(60501, 60509)], ports) + assert [setools.IoportconRange(60501, 60509)] == ports From 62baa4417ef85368795b20aeb51df009b008d59f Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:36:14 -0400 Subject: [PATCH 53/71] TestMLSRuleQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_mlsrulequery.py | 214 +++++++++++++---------------- 1 file changed, 99 insertions(+), 115 deletions(-) diff --git a/tests/library/test_mlsrulequery.py b/tests/library/test_mlsrulequery.py index 37265a34..ecb5dd66 100644 --- a/tests/library/test_mlsrulequery.py +++ b/tests/library/test_mlsrulequery.py @@ -2,14 +2,12 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest - +import pytest +import setools from setools import MLSRuleQuery from setools import MLSRuletype as RT from . import mixins -from .policyrep.util import compile_policy # Note: the test policy has been written assuming range_transition # statements could have attributes. However, range_transition @@ -18,278 +16,264 @@ # expected type names) -class MLSRuleQueryTest(mixins.ValidateRule, unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/mlsrulequery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) +@pytest.mark.obj_args("tests/library/mlsrulequery.conf") +class TestMLSRuleQuery(mixins.ValidateRule): - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with no criteria.""" # query with no parameters gets all MLS rules. - rules = sorted(self.p.mlsrules()) + rules = sorted(compiled_policy.mlsrules()) - q = MLSRuleQuery(self.p) + q = MLSRuleQuery(compiled_policy) q_rules = sorted(q.results()) - self.assertListEqual(rules, q_rules) + assert rules == q_rules - def test_001_source_direct(self): + def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with exact, direct, source match.""" q = MLSRuleQuery( - self.p, source="test1s", source_regex=False) + compiled_policy, source="test1s", source_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test1s", "test1t", "infoflow", "s0") - def test_003_source_direct_regex(self): + def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with regex, direct, source match.""" q = MLSRuleQuery( - self.p, source="test3(s|aS)", source_regex=True) + compiled_policy, source="test3(s|aS)", source_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], RT.range_transition, "test3s", "test3t", "infoflow", "s1") self.validate_rule(r[1], RT.range_transition, "test3s", "test3t", "infoflow2", "s2") - def test_005_issue111(self): + def test_issue111(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with attribute source criteria, indirect match.""" # https://github.com/TresysTechnology/setools/issues/111 - q = MLSRuleQuery(self.p, source="test5b", source_indirect=True) + q = MLSRuleQuery(compiled_policy, source="test5b", source_indirect=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], RT.range_transition, "test5t1", "test5target", "infoflow", "s1") self.validate_rule(r[1], RT.range_transition, "test5t2", "test5target", "infoflow7", "s2") - def test_010_target_direct(self): + def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with exact, direct, target match.""" q = MLSRuleQuery( - self.p, target="test10t", target_regex=False) + compiled_policy, target="test10t", target_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], RT.range_transition, "test10s", "test10t", "infoflow", "s0") self.validate_rule(r[1], RT.range_transition, "test10s", "test10t", "infoflow2", "s1") - def test_012_target_direct_regex(self): + def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with regex, direct, target match.""" q = MLSRuleQuery( - self.p, target="test12a.*", target_regex=True) + compiled_policy, target="test12a.*", target_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test12s", "test12aFAIL", "infoflow", "s2") - def test_014_issue111(self): + def test_issue111_2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with attribute target criteria, indirect match.""" # https://github.com/TresysTechnology/setools/issues/111 - q = MLSRuleQuery(self.p, target="test14b", target_indirect=True) + q = MLSRuleQuery(compiled_policy, target="test14b", target_indirect=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], RT.range_transition, "test14source", "test14t1", "infoflow", "s1") - self.validate_rule(r[1], RT.range_transition, "test14source", "test14t2", "infoflow7", "s2") - - @unittest.skip("Setting tclass to a string is no longer supported.") - def test_020_class(self): - """MLS rule query with exact object class match.""" - q = MLSRuleQuery(self.p, tclass="infoflow7", tclass_regex=False) - - r = sorted(q.results()) - self.assertEqual(len(r), 1) - self.validate_rule(r[0], RT.range_transition, "test20", "test20", "infoflow7", "s1") + self.validate_rule(r[1], RT.range_transition, "test14source", "test14t2", "infoflow7", + "s2") - def test_021_class_list(self): + def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with object class list match.""" q = MLSRuleQuery( - self.p, tclass=["infoflow3", "infoflow4"], tclass_regex=False) + compiled_policy, tclass=["infoflow3", "infoflow4"], tclass_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], RT.range_transition, "test21", "test21", "infoflow3", "s2") self.validate_rule(r[1], RT.range_transition, "test21", "test21", "infoflow4", "s1") - def test_022_class_regex(self): + def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with object class regex match.""" - q = MLSRuleQuery(self.p, tclass="infoflow(5|6)", tclass_regex=True) + q = MLSRuleQuery(compiled_policy, tclass="infoflow(5|6)", tclass_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], RT.range_transition, "test22", "test22", "infoflow5", "s1") self.validate_rule(r[1], RT.range_transition, "test22", "test22", "infoflow6", "s2") - def test_040_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range exact match""" - q = MLSRuleQuery(self.p, default="s40:c1 - s40:c0.c4") + q = MLSRuleQuery(compiled_policy, default="s40:c1 - s40:c0.c4") r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test40", "test40", "infoflow", "s40:c1 - s40:c0.c4") - def test_041_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range overlap match (equal)""" - q = MLSRuleQuery(self.p, default="s41:c1 - s41:c0.c4", default_overlap=True) + q = MLSRuleQuery(compiled_policy, default="s41:c1 - s41:c0.c4", default_overlap=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", "s41:c1 - s41:c1.c3") - def test_041_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range overlap match (subset)""" - q = MLSRuleQuery(self.p, default="s41:c1,c2 - s41:c0.c3", default_overlap=True) + q = MLSRuleQuery(compiled_policy, default="s41:c1,c2 - s41:c0.c3", default_overlap=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", "s41:c1 - s41:c1.c3") - def test_041_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range overlap match (superset)""" - q = MLSRuleQuery(self.p, default="s41 - s41:c0.c4", default_overlap=True) + q = MLSRuleQuery(compiled_policy, default="s41 - s41:c0.c4", default_overlap=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", "s41:c1 - s41:c1.c3") - def test_041_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range overlap match (overlap low level)""" - q = MLSRuleQuery(self.p, default="s41 - s41:c1,c2", default_overlap=True) + q = MLSRuleQuery(compiled_policy, default="s41 - s41:c1,c2", default_overlap=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", "s41:c1 - s41:c1.c3") - def test_041_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range overlap match (overlap high level)""" - q = MLSRuleQuery(self.p, default="s41:c1,c2 - s41:c0.c4", default_overlap=True) + q = MLSRuleQuery(compiled_policy, default="s41:c1,c2 - s41:c0.c4", default_overlap=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", "s41:c1 - s41:c1.c3") - def test_042_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range subset match""" - q = MLSRuleQuery(self.p, default="s42:c1,c2 - s42:c0.c3", default_overlap=True) + q = MLSRuleQuery(compiled_policy, default="s42:c1,c2 - s42:c0.c3", default_overlap=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test42", "test42", "infoflow", "s42:c1 - s42:c1.c3") - def test_042_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range subset match (equal)""" - q = MLSRuleQuery(self.p, default="s42:c1 - s42:c1.c3", default_overlap=True) + q = MLSRuleQuery(compiled_policy, default="s42:c1 - s42:c1.c3", default_overlap=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test42", "test42", "infoflow", "s42:c1 - s42:c1.c3") - def test_043_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range superset match""" - q = MLSRuleQuery(self.p, default="s43 - s43:c0.c4", default_superset=True) + q = MLSRuleQuery(compiled_policy, default="s43 - s43:c0.c4", default_superset=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test43", "test43", "infoflow", "s43:c1 - s43:c1.c3") - def test_043_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range superset match (equal)""" - q = MLSRuleQuery(self.p, default="s43:c1 - s43:c1.c3", default_superset=True) + q = MLSRuleQuery(compiled_policy, default="s43:c1 - s43:c1.c3", default_superset=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test43", "test43", "infoflow", "s43:c1 - s43:c1.c3") - def test_044_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper subset match""" - q = MLSRuleQuery(self.p, default="s44:c1,c2", default_subset=True, default_proper=True) + q = MLSRuleQuery(compiled_policy, default="s44:c1,c2", default_subset=True, + default_proper=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", "s44:c1 - s44:c1.c3") - def test_044_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper subset match (equal)""" - q = MLSRuleQuery(self.p, - default="s44:c1 - s44:c1.c3", default_subset=True, default_proper=True) + q = MLSRuleQuery(compiled_policy, default="s44:c1 - s44:c1.c3", default_subset=True, + default_proper=True) r = sorted(q.results()) - self.assertEqual(len(r), 0) + assert len(r) == 0 - def test_044_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper subset match (equal low only)""" - q = MLSRuleQuery(self.p, - default="s44:c1 - s44:c1.c2", default_subset=True, default_proper=True) + q = MLSRuleQuery(compiled_policy, default="s44:c1 - s44:c1.c2", default_subset=True, + default_proper=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", "s44:c1 - s44:c1.c3") - def test_044_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper subset match (equal high only)""" - q = MLSRuleQuery(self.p, - default="s44:c1,c2 - s44:c1.c3", default_subset=True, default_proper=True) + q = MLSRuleQuery(compiled_policy, default="s44:c1,c2 - s44:c1.c3", default_subset=True, + default_proper=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", "s44:c1 - s44:c1.c3") - def test_045_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper superset match""" - q = MLSRuleQuery(self.p, - default="s45 - s45:c0.c4", default_superset=True, default_proper=True) + q = MLSRuleQuery(compiled_policy, default="s45 - s45:c0.c4", default_superset=True, + default_proper=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", "s45:c1 - s45:c1.c3") - def test_045_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper superset match (equal)""" - q = MLSRuleQuery(self.p, - default="s45:c1 - s45:c1.c3", default_superset=True, default_proper=True) + q = MLSRuleQuery(compiled_policy, default="s45:c1 - s45:c1.c3", default_superset=True, + default_proper=True) r = sorted(q.results()) - self.assertEqual(len(r), 0) + assert len(r) == 0 - def test_045_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper superset match (equal low)""" - q = MLSRuleQuery(self.p, - default="s45:c1 - s45:c1.c4", default_superset=True, default_proper=True) + q = MLSRuleQuery(compiled_policy, default="s45:c1 - s45:c1.c4", default_superset=True, + default_proper=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", "s45:c1 - s45:c1.c3") - def test_045_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper superset match (equal high)""" - q = MLSRuleQuery(self.p, - default="s45 - s45:c1.c3", default_superset=True, default_proper=True) + q = MLSRuleQuery(compiled_policy, default="s45 - s45:c1.c3", default_superset=True, + default_proper=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", "s45:c1 - s45:c1.c3") - def test_900_invalid_ruletype(self): + def test_invalid_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with invalid rule type.""" - with self.assertRaises(KeyError): - q = MLSRuleQuery(self.p, ruletype=["type_transition"]) + with pytest.raises(KeyError): + q = MLSRuleQuery(compiled_policy, ruletype=["type_transition"]) From 5a4922227a72cc0e92dc9d673bfb7f02a70e3bb8 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:36:31 -0400 Subject: [PATCH 54/71] TestNetifconQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_netifconquery.py | 191 ++++++++++++++-------------- 1 file changed, 97 insertions(+), 94 deletions(-) diff --git a/tests/library/test_netifconquery.py b/tests/library/test_netifconquery.py index 9a7214bf..c9cc5369 100644 --- a/tests/library/test_netifconquery.py +++ b/tests/library/test_netifconquery.py @@ -2,209 +2,212 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import NetifconQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/netifconquery.conf") +class TestNetifconQuery: - -class NetifconQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/netifconquery.conf") - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with no criteria""" # query with no parameters gets all netifs. - netifs = sorted(self.p.netifcons()) + netifs = sorted(compiled_policy.netifcons()) - q = NetifconQuery(self.p) + q = setools.NetifconQuery(compiled_policy) q_netifs = sorted(q.results()) - self.assertListEqual(netifs, q_netifs) + assert netifs == q_netifs - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with exact match""" - q = NetifconQuery(self.p, name="test1", name_regex=False) + q = setools.NetifconQuery(compiled_policy, name="test1", name_regex=False) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test1"], netifs) + assert ["test1"] == netifs - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with regex match""" - q = NetifconQuery(self.p, name="test2(a|b)", name_regex=True) + q = setools.NetifconQuery(compiled_policy, name="test2(a|b)", name_regex=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test2a", "test2b"], netifs) + assert ["test2a", "test2b"] == netifs - def test_010_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context user exact match""" - q = NetifconQuery(self.p, user="user10", user_regex=False) + q = setools.NetifconQuery(compiled_policy, user="user10", user_regex=False) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test10"], netifs) + assert ["test10"] == netifs - def test_011_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context user regex match""" - q = NetifconQuery(self.p, user="user11(a|b)", user_regex=True) + q = setools.NetifconQuery(compiled_policy, user="user11(a|b)", user_regex=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test11a", "test11b"], netifs) + assert ["test11a", "test11b"] == netifs - def test_020_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context role exact match""" - q = NetifconQuery(self.p, role="role20_r", role_regex=False) + q = setools.NetifconQuery(compiled_policy, role="role20_r", role_regex=False) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test20"], netifs) + assert ["test20"] == netifs - def test_021_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context role regex match""" - q = NetifconQuery(self.p, role="role21(a|c)_r", role_regex=True) + q = setools.NetifconQuery(compiled_policy, role="role21(a|c)_r", role_regex=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test21a", "test21c"], netifs) + assert ["test21a", "test21c"] == netifs - def test_030_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context type exact match""" - q = NetifconQuery(self.p, type_="type30", type_regex=False) + q = setools.NetifconQuery(compiled_policy, type_="type30", type_regex=False) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test30"], netifs) + assert ["test30"] == netifs - def test_031_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context type regex match""" - q = NetifconQuery(self.p, type_="type31(b|c)", type_regex=True) + q = setools.NetifconQuery(compiled_policy, type_="type31(b|c)", type_regex=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test31b", "test31c"], netifs) + assert ["test31b", "test31c"] == netifs - def test_040_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range exact match""" - q = NetifconQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.NetifconQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test40"], netifs) + assert ["test40"] == netifs - def test_041_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range overlap match (equal)""" - q = NetifconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.NetifconQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", range_overlap=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test41"], netifs) + assert ["test41"] == netifs - def test_041_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range overlap match (subset)""" - q = NetifconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.NetifconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", + range_overlap=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test41"], netifs) + assert ["test41"] == netifs - def test_041_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range overlap match (superset)""" - q = NetifconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.NetifconQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test41"], netifs) + assert ["test41"] == netifs - def test_041_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range overlap match (overlap low level)""" - q = NetifconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.NetifconQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test41"], netifs) + assert ["test41"] == netifs - def test_041_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range overlap match (overlap high level)""" - q = NetifconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.NetifconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", + range_overlap=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test41"], netifs) + assert ["test41"] == netifs - def test_042_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range subset match""" - q = NetifconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.NetifconQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", + range_overlap=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test42"], netifs) + assert ["test42"] == netifs - def test_042_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range subset match (equal)""" - q = NetifconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.NetifconQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", range_overlap=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test42"], netifs) + assert ["test42"] == netifs - def test_043_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range superset match""" - q = NetifconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.NetifconQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test43"], netifs) + assert ["test43"] == netifs - def test_043_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range superset match (equal)""" - q = NetifconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.NetifconQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", range_superset=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test43"], netifs) + assert ["test43"] == netifs - def test_044_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range proper subset match""" - q = NetifconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.NetifconQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test44"], netifs) + assert ["test44"] == netifs - def test_044_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range proper subset match (equal)""" - q = NetifconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.NetifconQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", range_subset=True, + range_proper=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual([], netifs) + assert [] == netifs - def test_044_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range proper subset match (equal low only)""" - q = NetifconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.NetifconQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", range_subset=True, + range_proper=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test44"], netifs) + assert ["test44"] == netifs - def test_044_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range proper subset match (equal high only)""" - q = NetifconQuery(self.p, - range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.NetifconQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, + range_proper=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test44"], netifs) + assert ["test44"] == netifs - def test_045_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range proper superset match""" - q = NetifconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.NetifconQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test45"], netifs) + assert ["test45"] == netifs - def test_045_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range proper superset match (equal)""" - q = NetifconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.NetifconQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", range_superset=True, + range_proper=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual([], netifs) + assert [] == netifs - def test_045_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range proper superset match (equal low)""" - q = NetifconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + q = setools.NetifconQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", range_superset=True, + range_proper=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test45"], netifs) + assert ["test45"] == netifs - def test_045_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Netifcon query with context range proper superset match (equal high)""" - q = NetifconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.NetifconQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) netifs = sorted(s.netif for s in q.results()) - self.assertListEqual(["test45"], netifs) + assert ["test45"] == netifs From fe1d4a2af97577d4e021971924961473b7edb656 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:37:10 -0400 Subject: [PATCH 55/71] TestNodeconQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_nodeconquery.py | 208 ++++++++++++++--------------- 1 file changed, 103 insertions(+), 105 deletions(-) diff --git a/tests/library/test_nodeconquery.py b/tests/library/test_nodeconquery.py index 0739fd33..0d609056 100644 --- a/tests/library/test_nodeconquery.py +++ b/tests/library/test_nodeconquery.py @@ -3,235 +3,233 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest from socket import AF_INET6 from ipaddress import IPv4Network, IPv6Network -from setools import NodeconQuery +import pytest +import setools -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/nodeconquery.conf") +class TestNodeconQuery: -class NodeconQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/nodeconquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with no criteria""" # query with no parameters gets all nodecons. - nodecons = sorted(self.p.nodecons()) + nodecons = sorted(compiled_policy.nodecons()) - q = NodeconQuery(self.p) + q = setools.NodeconQuery(compiled_policy) q_nodecons = sorted(q.results()) - self.assertListEqual(nodecons, q_nodecons) + assert nodecons == q_nodecons - def test_001_ip_version(self): + def test_ip_version(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with IP version match.""" - q = NodeconQuery(self.p, ip_version=AF_INET6) + q = setools.NodeconQuery(compiled_policy, ip_version=AF_INET6) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv6Network("1100::/16"), IPv6Network("1110::/16")], nodecons) + assert [IPv6Network("1100::/16"), IPv6Network("1110::/16")] == nodecons - def test_020_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context user exact match""" - q = NodeconQuery(self.p, user="user20", user_regex=False) + q = setools.NodeconQuery(compiled_policy, user="user20", user_regex=False) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.20.1/32")], nodecons) + assert [IPv4Network("10.1.20.1/32")] == nodecons - def test_021_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context user regex match""" - q = NodeconQuery(self.p, user="user21(a|b)", user_regex=True) + q = setools.NodeconQuery(compiled_policy, user="user21(a|b)", user_regex=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.21.1/32"), IPv4Network("10.1.21.2/32")], nodecons) + assert [IPv4Network("10.1.21.1/32"), IPv4Network("10.1.21.2/32")] == nodecons - def test_030_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context role exact match""" - q = NodeconQuery(self.p, role="role30_r", role_regex=False) + q = setools.NodeconQuery(compiled_policy, role="role30_r", role_regex=False) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.30.1/32")], nodecons) + assert [IPv4Network("10.1.30.1/32")] == nodecons - def test_031_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context role regex match""" - q = NodeconQuery(self.p, role="role31(a|c)_r", role_regex=True) + q = setools.NodeconQuery(compiled_policy, role="role31(a|c)_r", role_regex=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.31.1/32"), IPv4Network("10.1.31.3/32")], nodecons) + assert [IPv4Network("10.1.31.1/32"), IPv4Network("10.1.31.3/32")] == nodecons - def test_040_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context type exact match""" - q = NodeconQuery(self.p, type_="type40", type_regex=False) + q = setools.NodeconQuery(compiled_policy, type_="type40", type_regex=False) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.40.1/32")], nodecons) + assert [IPv4Network("10.1.40.1/32")] == nodecons - def test_041_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context type regex match""" - q = NodeconQuery(self.p, type_="type41(b|c)", type_regex=True) + q = setools.NodeconQuery(compiled_policy, type_="type41(b|c)", type_regex=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.41.2/32"), IPv4Network("10.1.41.3/32")], nodecons) + assert [IPv4Network("10.1.41.2/32"), IPv4Network("10.1.41.3/32")] == nodecons - def test_050_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range exact match""" - q = NodeconQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.NodeconQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.50.1/32")], nodecons) + assert [IPv4Network("10.1.50.1/32")] == nodecons - def test_051_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range overlap match (equal)""" - q = NodeconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.NodeconQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", range_overlap=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.51.1/32")], nodecons) + assert [IPv4Network("10.1.51.1/32")] == nodecons - def test_051_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range overlap match (subset)""" - q = NodeconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.NodeconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.51.1/32")], nodecons) + assert [IPv4Network("10.1.51.1/32")] == nodecons - def test_051_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range overlap match (superset)""" - q = NodeconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.NodeconQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.51.1/32")], nodecons) + assert [IPv4Network("10.1.51.1/32")] == nodecons - def test_051_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range overlap match (overlap low level)""" - q = NodeconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.NodeconQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.51.1/32")], nodecons) + assert [IPv4Network("10.1.51.1/32")] == nodecons - def test_051_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range overlap match (overlap high level)""" - q = NodeconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.NodeconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.51.1/32")], nodecons) + assert [IPv4Network("10.1.51.1/32")] == nodecons - def test_052_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range subset match""" - q = NodeconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.NodeconQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.52.1/32")], nodecons) + assert [IPv4Network("10.1.52.1/32")] == nodecons - def test_052_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range subset match (equal)""" - q = NodeconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.NodeconQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", range_overlap=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.52.1/32")], nodecons) + assert [IPv4Network("10.1.52.1/32")] == nodecons - def test_053_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range superset match""" - q = NodeconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.NodeconQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.53.1/32")], nodecons) + assert [IPv4Network("10.1.53.1/32")] == nodecons - def test_053_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range superset match (equal)""" - q = NodeconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.NodeconQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", range_superset=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.53.1/32")], nodecons) + assert [IPv4Network("10.1.53.1/32")] == nodecons - def test_054_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range proper subset match""" - q = NodeconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.NodeconQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.54.1/32")], nodecons) + assert [IPv4Network("10.1.54.1/32")] == nodecons - def test_054_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range proper subset match (equal)""" - q = NodeconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.NodeconQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", range_subset=True, + range_proper=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([], nodecons) + assert [] == nodecons - def test_054_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range proper subset match (equal low only)""" - q = NodeconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.NodeconQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", range_subset=True, + range_proper=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.54.1/32")], nodecons) + assert [IPv4Network("10.1.54.1/32")] == nodecons - def test_054_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range proper subset match (equal high only)""" - q = NodeconQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.NodeconQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, + range_proper=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.54.1/32")], nodecons) + assert [IPv4Network("10.1.54.1/32")] == nodecons - def test_055_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range proper superset match""" - q = NodeconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.NodeconQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.55.1/32")], nodecons) + assert [IPv4Network("10.1.55.1/32")] == nodecons - def test_055_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range proper superset match (equal)""" - q = NodeconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.NodeconQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", range_superset=True, + range_proper=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([], nodecons) + assert [] == nodecons - def test_055_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range proper superset match (equal low)""" - q = NodeconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + q = setools.NodeconQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", range_superset=True, + range_proper=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.55.1/32")], nodecons) + assert [IPv4Network("10.1.55.1/32")] == nodecons - def test_055_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with context range proper superset match (equal high)""" - q = NodeconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.NodeconQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("10.1.55.1/32")], nodecons) + assert [IPv4Network("10.1.55.1/32")] == nodecons - def test_100_v4network_equal(self): + def test_v4network_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with IPv4 equal network""" - q = NodeconQuery(self.p, network="192.168.1.0/24", network_overlap=False) + q = setools.NodeconQuery(compiled_policy, network="192.168.1.0/24", network_overlap=False) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("192.168.1.0/24")], nodecons) + assert [IPv4Network("192.168.1.0/24")] == nodecons - def test_101_v4network_overlap(self): + def test_v4network_overlap(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with IPv4 network overlap""" - q = NodeconQuery(self.p, network="192.168.201.0/24", network_overlap=True) + q = setools.NodeconQuery(compiled_policy, network="192.168.201.0/24", network_overlap=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv4Network("192.168.200.0/22")], nodecons) + assert [IPv4Network("192.168.200.0/22")] == nodecons - def test_110_v6network_equal(self): + def test_v6network_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with IPv6 equal network""" - q = NodeconQuery(self.p, network="1100::/16", network_overlap=False) + q = setools.NodeconQuery(compiled_policy, network="1100::/16", network_overlap=False) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv6Network("1100::/16")], nodecons) + assert [IPv6Network("1100::/16")] == nodecons - def test_111_v6network_overlap(self): + def test_v6network_overlap(self, compiled_policy: setools.SELinuxPolicy) -> None: """Nodecon query with IPv6 network overlap""" - q = NodeconQuery(self.p, network="1110:8000::/17", network_overlap=True) + q = setools.NodeconQuery(compiled_policy, network="1110:8000::/17", network_overlap=True) nodecons = sorted(n.network for n in q.results()) - self.assertListEqual([IPv6Network("1110::/16")], nodecons) + assert [IPv6Network("1110::/16")] == nodecons From c112e6a621921743c37f19460e7a6ec3cf273e42 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:37:30 -0400 Subject: [PATCH 56/71] TestObjClassQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_objclassquery.py | 98 +++++++++++++---------------- 1 file changed, 42 insertions(+), 56 deletions(-) diff --git a/tests/library/test_objclassquery.py b/tests/library/test_objclassquery.py index ee1ea4dc..e0397c7b 100644 --- a/tests/library/test_objclassquery.py +++ b/tests/library/test_objclassquery.py @@ -2,110 +2,96 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import ObjClassQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/objclassquery.conf") +class TestObjClassQuery: - -class ObjClassQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/objclassquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Class query with no criteria.""" # query with no parameters gets all types. - classes = sorted(self.p.classes()) + classes = sorted(compiled_policy.classes()) - q = ObjClassQuery(self.p) + q = setools.ObjClassQuery(compiled_policy) q_classes = sorted(q.results()) - self.assertListEqual(classes, q_classes) + assert classes == q_classes - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Class query with exact name match.""" - q = ObjClassQuery(self.p, name="infoflow") + q = setools.ObjClassQuery(compiled_policy, name="infoflow") classes = sorted(str(c) for c in q.results()) - self.assertListEqual(["infoflow"], classes) + assert ["infoflow"] == classes - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Class query with regex name match.""" - q = ObjClassQuery(self.p, name="infoflow(2|3)", name_regex=True) + q = setools.ObjClassQuery(compiled_policy, name="infoflow(2|3)", name_regex=True) classes = sorted(str(c) for c in q.results()) - self.assertListEqual(["infoflow2", "infoflow3"], classes) + assert ["infoflow2", "infoflow3"] == classes - def test_010_common_exact(self): + def test_common_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Class query with exact common name match.""" - q = ObjClassQuery(self.p, common="infoflow") + q = setools.ObjClassQuery(compiled_policy, common="infoflow") classes = sorted(str(c) for c in q.results()) - self.assertListEqual(["infoflow", "infoflow2", - "infoflow4", "infoflow7"], classes) + assert ["infoflow", "infoflow2", "infoflow4", "infoflow7"] == classes - def test_011_common_regex(self): + def test_common_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Class query with regex common name match.""" - q = ObjClassQuery(self.p, common="com_[ab]", common_regex=True) + q = setools.ObjClassQuery(compiled_policy, common="com_[ab]", common_regex=True) classes = sorted(str(c) for c in q.results()) - self.assertListEqual(["infoflow5", "infoflow6"], classes) + assert ["infoflow5", "infoflow6"] == classes - def test_020_perm_indirect_intersect(self): + def test_perm_indirect_intersect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Class query with indirect, intersect permission name patch.""" - q = ObjClassQuery( - self.p, perms=set(["send"]), perms_indirect=True, perms_equal=False) + q = setools.ObjClassQuery( + compiled_policy, perms=set(["send"]), perms_indirect=True, perms_equal=False) classes = sorted(str(c) for c in q.results()) - self.assertListEqual(["infoflow6"], classes) + assert ["infoflow6"] == classes - def test_021_perm_direct_intersect(self): + def test_perm_direct_intersect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Class query with direct, intersect permission name patch.""" - q = ObjClassQuery( - self.p, perms=set(["super_r"]), perms_indirect=False, perms_equal=False) + q = setools.ObjClassQuery( + compiled_policy, perms=set(["super_r"]), perms_indirect=False, perms_equal=False) classes = sorted(str(c) for c in q.results()) - self.assertListEqual(["infoflow2", "infoflow4", "infoflow8"], classes) + assert ["infoflow2", "infoflow4", "infoflow8"] == classes - def test_022_perm_indirect_equal(self): + def test_perm_indirect_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Class query with indirect, equal permission name patch.""" - q = ObjClassQuery(self.p, perms=set( + q = setools.ObjClassQuery(compiled_policy, perms=set( ["low_w", "med_w", "hi_w", "low_r", "med_r", "hi_r", "unmapped"]), perms_indirect=True, perms_equal=True) classes = sorted(str(c) for c in q.results()) - self.assertListEqual(["infoflow7"], classes) + assert ["infoflow7"] == classes - def test_023_perm_direct_equal(self): + def test_perm_direct_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Class query with direct, equal permission name patch.""" - q = ObjClassQuery(self.p, perms=set( + q = setools.ObjClassQuery(compiled_policy, perms=set( ["super_r", "super_w"]), perms_indirect=False, perms_equal=True) classes = sorted(str(c) for c in q.results()) - self.assertListEqual(["infoflow2", "infoflow8"], classes) + assert ["infoflow2", "infoflow8"] == classes - def test_024_perm_indirect_regex(self): + def test_perm_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Class query with indirect, regex permission name patch.""" - q = ObjClassQuery( - self.p, perms="(send|setattr)", perms_indirect=True, perms_regex=True) + q = setools.ObjClassQuery( + compiled_policy, perms="(send|setattr)", perms_indirect=True, perms_regex=True) classes = sorted(str(c) for c in q.results()) - self.assertListEqual(["infoflow6", "infoflow9"], classes) + assert ["infoflow6", "infoflow9"] == classes - def test_025_perm_direct_regex(self): + def test_perm_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Class query with direct, regex permission name patch.""" - q = ObjClassQuery( - self.p, perms="(read|super_r)", perms_indirect=False, perms_regex=True) + q = setools.ObjClassQuery( + compiled_policy, perms="(read|super_r)", perms_indirect=False, perms_regex=True) classes = sorted(str(c) for c in q.results()) - self.assertListEqual(["infoflow10", "infoflow2", - "infoflow4", "infoflow8"], - classes) + assert ["infoflow10", "infoflow2", "infoflow4", "infoflow8"] == classes From aeb602d8ede93ad3d546dac2b1dd77a023a52033 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:37:52 -0400 Subject: [PATCH 57/71] TestPcideviceconQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_pcideviceconquery.py | 192 ++++++++++++------------ 1 file changed, 94 insertions(+), 98 deletions(-) diff --git a/tests/library/test_pcideviceconquery.py b/tests/library/test_pcideviceconquery.py index c6bcfd46..bea7753a 100644 --- a/tests/library/test_pcideviceconquery.py +++ b/tests/library/test_pcideviceconquery.py @@ -2,205 +2,201 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import PcideviceconQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/pcideviceconquery.conf", xen=True) +class TestPcideviceconQuery: - -class PcideviceconQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/pcideviceconquery.conf", xen=True) - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with no criteria""" # query with no parameters gets all PCI devices. - rules = sorted(self.p.pcidevicecons()) + rules = sorted(compiled_policy.pcidevicecons()) - q = PcideviceconQuery(self.p) + q = setools.PcideviceconQuery(compiled_policy) q_rules = sorted(q.results()) - self.assertListEqual(rules, q_rules) + assert rules == q_rules - def test_010_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context user exact match""" - q = PcideviceconQuery(self.p, user="user10", user_regex=False) + q = setools.PcideviceconQuery(compiled_policy, user="user10", user_regex=False) device = sorted(p.device for p in q.results()) - self.assertListEqual([(10)], device) + assert [(10)] == device - def test_011_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context user regex match""" - q = PcideviceconQuery(self.p, user="user11(a|b)", user_regex=True) + q = setools.PcideviceconQuery(compiled_policy, user="user11(a|b)", user_regex=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(11), (11000)], device) + assert [(11), (11000)] == device - def test_020_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context role exact match""" - q = PcideviceconQuery(self.p, role="role20_r", role_regex=False) + q = setools.PcideviceconQuery(compiled_policy, role="role20_r", role_regex=False) device = sorted(p.device for p in q.results()) - self.assertListEqual([(20)], device) + assert [(20)] == device - def test_021_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context role regex match""" - q = PcideviceconQuery(self.p, role="role21(a|c)_r", role_regex=True) + q = setools.PcideviceconQuery(compiled_policy, role="role21(a|c)_r", role_regex=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(21), (21001)], device) + assert [(21), (21001)] == device - def test_030_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context type exact match""" - q = PcideviceconQuery(self.p, type_="type30", type_regex=False) + q = setools.PcideviceconQuery(compiled_policy, type_="type30", type_regex=False) device = sorted(p.device for p in q.results()) - self.assertListEqual([(30)], device) + assert [(30)] == device - def test_031_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context type regex match""" - q = PcideviceconQuery(self.p, type_="type31(b|c)", type_regex=True) + q = setools.PcideviceconQuery(compiled_policy, type_="type31(b|c)", type_regex=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(31000), (31001)], device) + assert [(31000), (31001)] == device - def test_040_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range exact match""" - q = PcideviceconQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.PcideviceconQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") device = sorted(p.device for p in q.results()) - self.assertListEqual([(40)], device) + assert [(40)] == device - def test_041_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range overlap match (equal)""" - q = PcideviceconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", + range_overlap=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(41)], device) + assert [(41)] == device - def test_041_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range overlap match (subset)""" - q = PcideviceconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", + range_overlap=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(41)], device) + assert [(41)] == device - def test_041_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range overlap match (superset)""" - q = PcideviceconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(41)], device) + assert [(41)] == device - def test_041_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range overlap match (overlap low level)""" - q = PcideviceconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(41)], device) + assert [(41)] == device - def test_041_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range overlap match (overlap high level)""" - q = PcideviceconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", + range_overlap=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(41)], device) + assert [(41)] == device - def test_042_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range subset match""" - q = PcideviceconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", + range_overlap=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(42)], device) + assert [(42)] == device - def test_042_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range subset match (equal)""" - q = PcideviceconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", + range_overlap=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(42)], device) + assert [(42)] == device - def test_043_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range superset match""" - q = PcideviceconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(43)], device) + assert [(43)] == device - def test_043_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range superset match (equal)""" - q = PcideviceconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", + range_superset=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(43)], device) + assert [(43)] == device - def test_044_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range proper subset match""" - q = PcideviceconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(44)], device) + assert [(44)] == device - def test_044_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range proper subset match (equal)""" - q = PcideviceconQuery(self.p, - range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", + range_subset=True, range_proper=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([], device) + assert [] == device - def test_044_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range proper subset match (equal low only)""" - q = PcideviceconQuery(self.p, - range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", + range_subset=True, range_proper=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(44)], device) + assert [(44)] == device - def test_044_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range proper subset match (equal high only)""" - q = PcideviceconQuery(self.p, - range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", + range_subset=True, range_proper=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(44)], device) + assert [(44)] == device - def test_045_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range proper superset match""" - q = PcideviceconQuery(self.p, - range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(45)], device) + assert [(45)] == device - def test_045_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range proper superset match (equal)""" - q = PcideviceconQuery(self.p, - range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", + range_superset=True, range_proper=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([], device) + assert [] == device - def test_045_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range proper superset match (equal low)""" - q = PcideviceconQuery(self.p, - range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", + range_superset=True, range_proper=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(45)], device) + assert [(45)] == device - def test_045_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pcidevicecon query with context range proper superset match (equal high)""" - q = PcideviceconQuery(self.p, - range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.PcideviceconQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) device = sorted(p.device for p in q.results()) - self.assertListEqual([(45)], device) + assert [(45)] == device From ae0dd8e174ed4bedf7b69de4115bde7412a96988 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:38:22 -0400 Subject: [PATCH 58/71] TestPermissionMap: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_permmap.py | 236 ++++++++++++++++------------------ 1 file changed, 112 insertions(+), 124 deletions(-) diff --git a/tests/library/test_permmap.py b/tests/library/test_permmap.py index c112ace2..fae5a70f 100644 --- a/tests/library/test_permmap.py +++ b/tests/library/test_permmap.py @@ -2,54 +2,42 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import unittest -import os from unittest.mock import Mock +import pytest +import setools from setools import PermissionMap, TERuletype from setools.exception import PermissionMapParseError, RuleTypeError, \ UnmappedClass, UnmappedPermission -from .policyrep.util import compile_policy - -class PermissionMapTest(unittest.TestCase): +@pytest.mark.obj_args("tests/library/permmap.conf") +class TestPermissionMap: """Permission map unit tests.""" - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/permmap.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def validate_permmap_entry(self, permmap, cls, perm, direction, weight, enabled): + def validate_permmap_entry(self, permmap: dict, cls: str, perm: str, direction: str, + weight: int, enabled: bool) -> None: """Validate a permission map entry and settings.""" - self.assertIn(cls, permmap) - self.assertIn(perm, permmap[cls]) - self.assertIn('direction', permmap[cls][perm]) - self.assertIn('weight', permmap[cls][perm]) - self.assertIn('enabled', permmap[cls][perm]) - self.assertEqual(permmap[cls][perm]['direction'], direction) - self.assertEqual(permmap[cls][perm]['weight'], weight) - - if enabled: - self.assertTrue(permmap[cls][perm]['enabled']) - else: - self.assertFalse(permmap[cls][perm]['enabled']) - - def test_001_load(self): + assert cls in permmap + assert perm in permmap[cls] + assert 'direction' in permmap[cls][perm] + assert 'weight' in permmap[cls][perm] + assert 'enabled' in permmap[cls][perm] + assert permmap[cls][perm]['direction'] == direction + assert permmap[cls][perm]['weight'] == weight + assert permmap[cls][perm]['enabled'] == enabled + + def test_load(self) -> None: """PermMap open from path.""" permmap = PermissionMap("tests/library/perm_map") # validate permission map contents - self.assertEqual(5, len(permmap._permmap)) + assert 5 == len(permmap._permmap) # class infoflow - self.assertIn("infoflow", permmap._permmap) - self.assertEqual(6, len(permmap._permmap['infoflow'])) + assert "infoflow" in permmap._permmap + assert 6 == len(permmap._permmap['infoflow']) self.validate_permmap_entry(permmap._permmap, 'infoflow', 'low_w', 'w', 1, True) self.validate_permmap_entry(permmap._permmap, 'infoflow', 'med_w', 'w', 5, True) self.validate_permmap_entry(permmap._permmap, 'infoflow', 'hi_w', 'w', 10, True) @@ -58,8 +46,8 @@ def test_001_load(self): self.validate_permmap_entry(permmap._permmap, 'infoflow', 'hi_r', 'r', 10, True) # class infoflow2 - self.assertIn("infoflow2", permmap._permmap) - self.assertEqual(7, len(permmap._permmap['infoflow2'])) + assert "infoflow2" in permmap._permmap + assert 7 == len(permmap._permmap['infoflow2']) self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'low_w', 'w', 1, True) self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'med_w', 'w', 5, True) self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'hi_w', 'w', 10, True) @@ -69,164 +57,164 @@ def test_001_load(self): self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'super', 'b', 10, True) # class infoflow3 - self.assertIn("infoflow3", permmap._permmap) - self.assertEqual(1, len(permmap._permmap['infoflow3'])) + assert "infoflow3" in permmap._permmap + assert 1 == len(permmap._permmap['infoflow3']) self.validate_permmap_entry(permmap._permmap, 'infoflow3', 'null', 'n', 1, True) # class file - self.assertIn("file", permmap._permmap) - self.assertEqual(2, len(permmap._permmap['file'])) + assert "file" in permmap._permmap + assert 2 == len(permmap._permmap['file']) self.validate_permmap_entry(permmap._permmap, 'file', 'execute', 'r', 10, True) self.validate_permmap_entry(permmap._permmap, 'file', 'entrypoint', 'r', 10, True) # class process - self.assertIn("process", permmap._permmap) - self.assertEqual(1, len(permmap._permmap['process'])) + assert "process" in permmap._permmap + assert 1 == len(permmap._permmap['process']) self.validate_permmap_entry(permmap._permmap, 'process', 'transition', 'w', 10, True) - def test_002_load_invalid(self): + def test_load_invalid(self) -> None: """PermMap load completely wrong file type""" - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("setup.py") - def test_002_load_negative_class_count(self): + def test_load_negative_class_count(self) -> None: """PermMap load negative class count""" - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("tests/library/invalid_perm_maps/negative-classcount") - def test_003_load_non_number_class_count(self): + def test_load_non_number_class_count(self) -> None: """PermMap load non-number class count""" - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("tests/library/invalid_perm_maps/non-number-classcount") - def test_004_load_extra_class(self): + def test_load_extra_class(self) -> None: """PermMap load extra class""" - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("tests/library/invalid_perm_maps/extra-class") - def test_005_load_bad_class_keyword(self): + def test_load_bad_class_keyword(self) -> None: """PermMap load bad class keyword""" - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("tests/library/invalid_perm_maps/bad-class-keyword") # test 6: bad class name(?) - def test_007_load_negative_perm_count(self): + def test_load_negative_perm_count(self) -> None: """PermMap load negative permission count""" - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("tests/library/invalid_perm_maps/negative-permcount") - def test_008_load_bad_perm_count(self): + def test_load_bad_perm_count(self) -> None: """PermMap load bad permission count""" - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("tests/library/invalid_perm_maps/bad-permcount") # test 9: bad perm name(?) - def test_010_load_extra_perms(self): + def test_load_extra_perms(self) -> None: """PermMap load negative permission count""" - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("tests/library/invalid_perm_maps/extra-perms") - def test_011_load_invalid_flow_direction(self): + def test_load_invalid_flow_direction(self) -> None: """PermMap load invalid flow direction""" - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("tests/library/invalid_perm_maps/invalid-flowdir") - def test_012_load_bad_perm_weight(self): + def test_load_bad_perm_weight(self) -> None: """PermMap load too high/low permission weight""" - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("tests/library/invalid_perm_maps/bad-perm-weight-high") - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("tests/library/invalid_perm_maps/bad-perm-weight-low") - def test_013_load_invalid_weight(self): + def test_load_invalid_weight(self) -> None: """PermMap load invalid permission weight""" - with self.assertRaises(PermissionMapParseError): + with pytest.raises(PermissionMapParseError): PermissionMap("tests/library/invalid_perm_maps/invalid-perm-weight") - def test_100_set_weight(self): + def test_set_weight(self) -> None: """PermMap set weight""" permmap = PermissionMap("tests/library/perm_map") self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'low_w', 'w', 1, True) permmap.set_weight("infoflow2", "low_w", 10) self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'low_w', 'w', 10, True) - def test_101_set_weight_low(self): + def test_set_weight_low(self) -> None: """PermMap set weight low""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(ValueError): + with pytest.raises(ValueError): permmap.set_weight("infoflow2", "low_w", 0) - with self.assertRaises(ValueError): + with pytest.raises(ValueError): permmap.set_weight("infoflow2", "low_w", -10) - def test_102_set_weight_low(self): + def test_set_weight_high(self) -> None: """PermMap set weight high""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(ValueError): + with pytest.raises(ValueError): permmap.set_weight("infoflow2", "low_w", 11) - with self.assertRaises(ValueError): + with pytest.raises(ValueError): permmap.set_weight("infoflow2", "low_w", 50) - def test_103_set_weight_unmapped_class(self): + def test_set_weight_unmapped_class(self) -> None: """PermMap set weight unmapped class""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(UnmappedClass): + with pytest.raises(UnmappedClass): permmap.set_weight("UNMAPPED", "write", 10) - def test_104_set_weight_unmapped_permission(self): + def test_set_weight_unmapped_permission(self) -> None: """PermMap set weight unmapped class""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(UnmappedPermission): + with pytest.raises(UnmappedPermission): permmap.set_weight("infoflow2", "UNMAPPED", 10) - def test_110_set_direction(self): + def test_set_direction(self) -> None: """PermMap set direction""" permmap = PermissionMap("tests/library/perm_map") self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'low_w', 'w', 1, True) permmap.set_direction("infoflow2", "low_w", "r") self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'low_w', 'r', 1, True) - def test_111_set_direction_invalid(self): + def test_set_direction_invalid(self) -> None: """PermMap set invalid direction""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(ValueError): + with pytest.raises(ValueError): permmap.set_direction("infoflow2", "low_w", "X") - def test_112_set_direction_unmapped_class(self): + def test_set_direction_unmapped_class(self) -> None: """PermMap set direction unmapped class""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(UnmappedClass): + with pytest.raises(UnmappedClass): permmap.set_direction("UNMAPPED", "write", "w") - def test_113_set_direction_unmapped_permission(self): + def test_set_direction_unmapped_permission(self) -> None: """PermMap set direction unmapped class""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(UnmappedPermission): + with pytest.raises(UnmappedPermission): permmap.set_direction("infoflow2", "UNMAPPED", "w") - def test_120_exclude_perm(self): + def test_exclude_perm(self) -> None: """PermMap exclude permission.""" permmap = PermissionMap("tests/library/perm_map") permmap.exclude_permission("infoflow", "med_w") self.validate_permmap_entry(permmap._permmap, 'infoflow', 'med_w', 'w', 5, False) - def test_121_exclude_perm_unmapped_class(self): + def test_exclude_perm_unmapped_class(self) -> None: """PermMap exclude permission unmapped class.""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(UnmappedClass): + with pytest.raises(UnmappedClass): permmap.exclude_permission("UNMAPPED", "med_w") - def test_122_exclude_perm_unmapped_perm(self): + def test_exclude_perm_unmapped_perm(self) -> None: """PermMap exclude permission unmapped permission.""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(UnmappedPermission): + with pytest.raises(UnmappedPermission): permmap.exclude_permission("infoflow", "UNMAPPED") - def test_123_include_perm(self): + def test_include_perm(self) -> None: """PermMap include permission.""" permmap = PermissionMap("tests/library/perm_map") permmap.exclude_permission("infoflow", "med_w") @@ -235,32 +223,32 @@ def test_123_include_perm(self): permmap.include_permission("infoflow", "med_w") self.validate_permmap_entry(permmap._permmap, 'infoflow', 'med_w', 'w', 5, True) - def test_124_include_perm_unmapped_class(self): + def test_include_perm_unmapped_class(self) -> None: """PermMap include permission unmapped class.""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(UnmappedClass): + with pytest.raises(UnmappedClass): permmap.include_permission("UNMAPPED", "med_w") - def test_125_include_perm_unmapped_perm(self): + def test_include_perm_unmapped_perm(self) -> None: """PermMap include permission unmapped permission.""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(UnmappedPermission): + with pytest.raises(UnmappedPermission): permmap.include_permission("infoflow", "UNMAPPED") - def test_130_exclude_class(self): + def test_exclude_class(self) -> None: """PermMap exclude class.""" permmap = PermissionMap("tests/library/perm_map") permmap.exclude_class("file") self.validate_permmap_entry(permmap._permmap, 'file', 'execute', 'r', 10, False) self.validate_permmap_entry(permmap._permmap, 'file', 'entrypoint', 'r', 10, False) - def test_131_exclude_class_unmapped_class(self): + def test_exclude_class_unmapped_class(self) -> None: """PermMap exclude class unmapped class.""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(UnmappedClass): + with pytest.raises(UnmappedClass): permmap.exclude_class("UNMAPPED") - def test_132_include_class(self): + def test_include_class(self) -> None: """PermMap exclude class.""" permmap = PermissionMap("tests/library/perm_map") permmap.exclude_class("file") @@ -271,13 +259,13 @@ def test_132_include_class(self): self.validate_permmap_entry(permmap._permmap, 'file', 'execute', 'r', 10, True) self.validate_permmap_entry(permmap._permmap, 'file', 'entrypoint', 'r', 10, True) - def test_133_include_class_unmapped_class(self): + def test_include_class_unmapped_class(self) -> None: """PermMap include class unmapped class.""" permmap = PermissionMap("tests/library/perm_map") - with self.assertRaises(UnmappedClass): + with pytest.raises(UnmappedClass): permmap.include_class("UNMAPPED") - def test_140_weight_read_only(self): + def test_weight_read_only(self) -> None: """PermMap get weight of read-only rule.""" rule = Mock() rule.ruletype = TERuletype.allow @@ -286,10 +274,10 @@ def test_140_weight_read_only(self): permmap = PermissionMap("tests/library/perm_map") weight = permmap.rule_weight(rule) - self.assertEqual(weight.read, 10) - self.assertEqual(weight.write, 0) + assert weight.read == 10 + assert weight.write == 0 - def test_141_weight_write_only(self): + def test_weight_write_only(self) -> None: """PermMap get weight of write-only rule.""" rule = Mock() rule.ruletype = TERuletype.allow @@ -298,10 +286,10 @@ def test_141_weight_write_only(self): permmap = PermissionMap("tests/library/perm_map") weight = permmap.rule_weight(rule) - self.assertEqual(weight.read, 0) - self.assertEqual(weight.write, 5) + assert weight.read == 0 + assert weight.write == 5 - def test_142_weight_both(self): + def test_weight_both(self) -> None: """PermMap get weight of both rule.""" rule = Mock() rule.ruletype = TERuletype.allow @@ -310,10 +298,10 @@ def test_142_weight_both(self): permmap = PermissionMap("tests/library/perm_map") weight = permmap.rule_weight(rule) - self.assertEqual(weight.read, 1) - self.assertEqual(weight.write, 10) + assert weight.read == 1 + assert weight.write == 10 - def test_143_weight_none(self): + def test_weight_none(self) -> None: """PermMap get weight of none rule.""" rule = Mock() rule.ruletype = TERuletype.allow @@ -322,10 +310,10 @@ def test_143_weight_none(self): permmap = PermissionMap("tests/library/perm_map") weight = permmap.rule_weight(rule) - self.assertEqual(weight.read, 0) - self.assertEqual(weight.write, 0) + assert weight.read == 0 + assert weight.write == 0 - def test_144_weight_unmapped_class(self): + def test_weight_unmapped_class(self) -> None: """PermMap get weight of rule with unmapped class.""" rule = Mock() rule.ruletype = TERuletype.allow @@ -333,9 +321,9 @@ def test_144_weight_unmapped_class(self): rule.perms = set(["null"]) permmap = PermissionMap("tests/library/perm_map") - self.assertRaises(UnmappedClass, permmap.rule_weight, rule) + pytest.raises(UnmappedClass, permmap.rule_weight, rule) - def test_145_weight_unmapped_permission(self): + def test_weight_unmapped_permission(self) -> None: """PermMap get weight of rule with unmapped permission.""" rule = Mock() rule.ruletype = TERuletype.allow @@ -343,18 +331,18 @@ def test_145_weight_unmapped_permission(self): rule.perms = set(["low_r", "unmapped"]) permmap = PermissionMap("tests/library/perm_map") - self.assertRaises(UnmappedPermission, permmap.rule_weight, rule) + pytest.raises(UnmappedPermission, permmap.rule_weight, rule) - def test_146_weight_wrong_rule_type(self): + def test_weight_wrong_rule_type(self) -> None: """PermMap get weight of rule with wrong rule type.""" rule = Mock() rule.ruletype = TERuletype.type_transition rule.tclass = "infoflow" permmap = PermissionMap("tests/library/perm_map") - self.assertRaises(RuleTypeError, permmap.rule_weight, rule) + pytest.raises(RuleTypeError, permmap.rule_weight, rule) - def test_147_weight_excluded_permission(self): + def test_weight_excluded_permission(self) -> None: """PermMap get weight of a rule with excluded permission.""" rule = Mock() rule.ruletype = TERuletype.allow @@ -364,10 +352,10 @@ def test_147_weight_excluded_permission(self): permmap = PermissionMap("tests/library/perm_map") permmap.exclude_permission("infoflow", "hi_r") weight = permmap.rule_weight(rule) - self.assertEqual(weight.read, 5) - self.assertEqual(weight.write, 0) + assert weight.read == 5 + assert weight.write == 0 - def test_148_weight_excluded_class(self): + def test_weight_excluded_class(self) -> None: """PermMap get weight of a rule with excluded class.""" rule = Mock() rule.ruletype = TERuletype.allow @@ -377,16 +365,16 @@ def test_148_weight_excluded_class(self): permmap = PermissionMap("tests/library/perm_map") permmap.exclude_class("infoflow") weight = permmap.rule_weight(rule) - self.assertEqual(weight.read, 0) - self.assertEqual(weight.write, 0) + assert weight.read == 0 + assert weight.write == 0 - def test_150_map_policy(self): + def test_map_policy(self, compiled_policy: setools.SELinuxPolicy) -> None: """PermMap create mappings for classes/perms in a policy.""" permmap = PermissionMap("tests/library/perm_map") - permmap.map_policy(self.p) + permmap.map_policy(compiled_policy) self.validate_permmap_entry(permmap._permmap, 'infoflow2', 'new_perm', 'u', 1, True) - self.assertIn("new_class", permmap._permmap) - self.assertEqual(1, len(permmap._permmap['new_class'])) + assert "new_class" in permmap._permmap + assert 1 == len(permmap._permmap['new_class']) self.validate_permmap_entry(permmap._permmap, 'new_class', 'new_class_perm', 'u', 1, True) From a4f8dffcf10a86a11199c75a6bee69a532e9f0cc Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:39:00 -0400 Subject: [PATCH 59/71] TestPirqconQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_pirqconquery.py | 179 ++++++++++++++--------------- 1 file changed, 88 insertions(+), 91 deletions(-) diff --git a/tests/library/test_pirqconquery.py b/tests/library/test_pirqconquery.py index 7a1c3d89..8da451a2 100644 --- a/tests/library/test_pirqconquery.py +++ b/tests/library/test_pirqconquery.py @@ -2,198 +2,195 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import PirqconQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/pirqconquery.conf", xen=True) +class TestPirqconQuery: - -class PirqconQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/pirqconquery.conf", xen=True) - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with no criteria""" # query with no parameters gets all PCI irqs. - rules = sorted(self.p.pirqcons()) + rules = sorted(compiled_policy.pirqcons()) - q = PirqconQuery(self.p) + q = setools.PirqconQuery(compiled_policy) q_rules = sorted(q.results()) - self.assertListEqual(rules, q_rules) + assert rules == q_rules - def test_010_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context user exact match""" - q = PirqconQuery(self.p, user="user10", user_regex=False) + q = setools.PirqconQuery(compiled_policy, user="user10", user_regex=False) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(10)], irq) + assert [(10)] == irq - def test_011_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context user regex match""" - q = PirqconQuery(self.p, user="user11(a|b)", user_regex=True) + q = setools.PirqconQuery(compiled_policy, user="user11(a|b)", user_regex=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(11), (11000)], irq) + assert [(11), (11000)] == irq - def test_020_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context role exact match""" - q = PirqconQuery(self.p, role="role20_r", role_regex=False) + q = setools.PirqconQuery(compiled_policy, role="role20_r", role_regex=False) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(20)], irq) + assert [(20)] == irq - def test_021_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context role regex match""" - q = PirqconQuery(self.p, role="role21(a|c)_r", role_regex=True) + q = setools.PirqconQuery(compiled_policy, role="role21(a|c)_r", role_regex=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(21), (21001)], irq) + assert [(21), (21001)] == irq - def test_030_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context type exact match""" - q = PirqconQuery(self.p, type_="type30", type_regex=False) + q = setools.PirqconQuery(compiled_policy, type_="type30", type_regex=False) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(30)], irq) + assert [(30)] == irq - def test_031_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context type regex match""" - q = PirqconQuery(self.p, type_="type31(b|c)", type_regex=True) + q = setools.PirqconQuery(compiled_policy, type_="type31(b|c)", type_regex=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(31000), (31001)], irq) + assert [(31000), (31001)] == irq - def test_040_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range exact match""" - q = PirqconQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.PirqconQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(40)], irq) + assert [(40)] == irq - def test_041_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range overlap match (equal)""" - q = PirqconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.PirqconQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", range_overlap=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(41)], irq) + assert [(41)] == irq - def test_041_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range overlap match (subset)""" - q = PirqconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.PirqconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(41)], irq) + assert [(41)] == irq - def test_041_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range overlap match (superset)""" - q = PirqconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.PirqconQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(41)], irq) + assert [(41)] == irq - def test_041_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range overlap match (overlap low level)""" - q = PirqconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.PirqconQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(41)], irq) + assert [(41)] == irq - def test_041_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range overlap match (overlap high level)""" - q = PirqconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.PirqconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(41)], irq) + assert [(41)] == irq - def test_042_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range subset match""" - q = PirqconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.PirqconQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(42)], irq) + assert [(42)] == irq - def test_042_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range subset match (equal)""" - q = PirqconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.PirqconQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", range_overlap=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(42)], irq) + assert [(42)] == irq - def test_043_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range superset match""" - q = PirqconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.PirqconQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(43)], irq) + assert [(43)] == irq - def test_043_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range superset match (equal)""" - q = PirqconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.PirqconQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", range_superset=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(43)], irq) + assert [(43)] == irq - def test_044_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range proper subset match""" - q = PirqconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.PirqconQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(44)], irq) + assert [(44)] == irq - def test_044_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range proper subset match (equal)""" - q = PirqconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.PirqconQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", range_subset=True, + range_proper=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([], irq) + assert [] == irq - def test_044_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range proper subset match (equal low only)""" - q = PirqconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.PirqconQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", range_subset=True, + range_proper=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(44)], irq) + assert [(44)] == irq - def test_044_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range proper subset match (equal high only)""" - q = PirqconQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.PirqconQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, + range_proper=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(44)], irq) + assert [(44)] == irq - def test_045_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range proper superset match""" - q = PirqconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.PirqconQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(45)], irq) + assert [(45)] == irq - def test_045_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range proper superset match (equal)""" - q = PirqconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.PirqconQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", range_superset=True, + range_proper=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([], irq) + assert [] == irq - def test_045_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range proper superset match (equal low)""" - q = PirqconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + q = setools.PirqconQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", range_superset=True, + range_proper=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(45)], irq) + assert [(45)] == irq - def test_045_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Pirqcon query with context range proper superset match (equal high)""" - q = PirqconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.PirqconQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) irq = sorted(p.irq for p in q.results()) - self.assertListEqual([(45)], irq) + assert [(45)] == irq From 7258d2364c6db0f690f228daddddf85a072f473c Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:39:25 -0400 Subject: [PATCH 60/71] TestPolCapQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_polcapquery.py | 39 +++++++++++-------------------- 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/tests/library/test_polcapquery.py b/tests/library/test_polcapquery.py index 3176b00c..494fefd1 100644 --- a/tests/library/test_polcapquery.py +++ b/tests/library/test_polcapquery.py @@ -2,44 +2,33 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import PolCapQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/polcapquery.conf") +class TestPolCapQuery: - -class PolCapQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/polcapquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Policy capability query with no criteria""" # query with no parameters gets all capabilities. - allcaps = sorted(self.p.polcaps()) + allcaps = sorted(compiled_policy.polcaps()) - q = PolCapQuery(self.p) + q = setools.PolCapQuery(compiled_policy) qcaps = sorted(q.results()) - self.assertListEqual(allcaps, qcaps) + assert allcaps == qcaps - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Policy capability query with exact match""" - q = PolCapQuery(self.p, name="open_perms", name_regex=False) + q = setools.PolCapQuery(compiled_policy, name="open_perms", name_regex=False) caps = sorted(str(c) for c in q.results()) - self.assertListEqual(["open_perms"], caps) + assert ["open_perms"] == caps - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Policy capability query with regex match""" - q = PolCapQuery(self.p, name="pe?er", name_regex=True) + q = setools.PolCapQuery(compiled_policy, name="pe?er", name_regex=True) caps = sorted(str(c) for c in q.results()) - self.assertListEqual(["network_peer_controls", "open_perms"], caps) + assert ["network_peer_controls", "open_perms"] == caps From 4bbc5bd806185ef95147d37ef31dfd19da51fd8b Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:40:21 -0400 Subject: [PATCH 61/71] TestPortconQuery: Update tests to pytest fixtures. Fix PortconRange typing stub to include rich comparisons. Signed-off-by: Chris PeBenito --- setools/policyrep.pyi | 2 +- tests/library/test_portconquery.py | 396 ++++++++++++++--------------- 2 files changed, 198 insertions(+), 200 deletions(-) diff --git a/setools/policyrep.pyi b/setools/policyrep.pyi index 6a39235e..445a2b4d 100644 --- a/setools/policyrep.pyi +++ b/setools/policyrep.pyi @@ -325,7 +325,7 @@ class PortconProtocol(PolicyEnum): tcp: int = ... udp: int = ... -@dataclass +@dataclass(eq=True, order=True, frozen=True) class PortconRange: high: int = ... low: int = ... diff --git a/tests/library/test_portconquery.py b/tests/library/test_portconquery.py index e876901e..077c8add 100644 --- a/tests/library/test_portconquery.py +++ b/tests/library/test_portconquery.py @@ -2,436 +2,434 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest from socket import IPPROTO_UDP -from setools import PortconQuery, PortconRange +import pytest +import setools -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/portconquery.conf") +class TestPortconQuery: -class PortconQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/portconquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with no criteria""" # query with no parameters gets all ports. - rules = sorted(self.p.portcons()) + rules = sorted(compiled_policy.portcons()) - q = PortconQuery(self.p) + q = setools.PortconQuery(compiled_policy) q_rules = sorted(q.results()) - self.assertListEqual(rules, q_rules) + assert rules == q_rules - def test_001_protocol(self): + def test_protocol(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with protocol match""" - q = PortconQuery(self.p, protocol=IPPROTO_UDP) + q = setools.PortconQuery(compiled_policy, protocol=IPPROTO_UDP) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(1, 1)], ports) + assert [setools.PortconRange(1, 1)] == ports - def test_010_user_exact(self): + def test_user_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context user exact match""" - q = PortconQuery(self.p, user="user10", user_regex=False) + q = setools.PortconQuery(compiled_policy, user="user10", user_regex=False) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(10, 10)], ports) + assert [setools.PortconRange(10, 10)] == ports - def test_011_user_regex(self): + def test_user_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context user regex match""" - q = PortconQuery(self.p, user="user11(a|b)", user_regex=True) + q = setools.PortconQuery(compiled_policy, user="user11(a|b)", user_regex=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(11, 11), PortconRange(11000, 11000)], ports) + assert [setools.PortconRange(11, 11), setools.PortconRange(11000, 11000)] == ports - def test_020_role_exact(self): + def test_role_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context role exact match""" - q = PortconQuery(self.p, role="role20_r", role_regex=False) + q = setools.PortconQuery(compiled_policy, role="role20_r", role_regex=False) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(20, 20)], ports) + assert [setools.PortconRange(20, 20)] == ports - def test_021_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context role regex match""" - q = PortconQuery(self.p, role="role21(a|c)_r", role_regex=True) + q = setools.PortconQuery(compiled_policy, role="role21(a|c)_r", role_regex=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(21, 21), PortconRange(21001, 21001)], ports) + assert [setools.PortconRange(21, 21), setools.PortconRange(21001, 21001)] == ports - def test_030_type_exact(self): + def test_type_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context type exact match""" - q = PortconQuery(self.p, type_="type30", type_regex=False) + q = setools.PortconQuery(compiled_policy, type_="type30", type_regex=False) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(30, 30)], ports) + assert [setools.PortconRange(30, 30)] == ports - def test_031_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context type regex match""" - q = PortconQuery(self.p, type_="type31(b|c)", type_regex=True) + q = setools.PortconQuery(compiled_policy, type_="type31(b|c)", type_regex=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(31000, 31000), PortconRange(31001, 31001)], ports) + assert [setools.PortconRange(31000, 31000), setools.PortconRange(31001, 31001)] == ports - def test_040_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range exact match""" - q = PortconQuery(self.p, range_="s0:c1 - s0:c0.c4") + q = setools.PortconQuery(compiled_policy, range_="s0:c1 - s0:c0.c4") ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(40, 40)], ports) + assert [setools.PortconRange(40, 40)] == ports - def test_041_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range overlap match (equal)""" - q = PortconQuery(self.p, range_="s1:c1 - s1:c0.c4", range_overlap=True) + q = setools.PortconQuery(compiled_policy, range_="s1:c1 - s1:c0.c4", range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(41, 41)], ports) + assert [setools.PortconRange(41, 41)] == ports - def test_041_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range overlap match (subset)""" - q = PortconQuery(self.p, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) + q = setools.PortconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c3", range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(41, 41)], ports) + assert [setools.PortconRange(41, 41)] == ports - def test_041_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range overlap match (superset)""" - q = PortconQuery(self.p, range_="s1 - s1:c0.c4", range_overlap=True) + q = setools.PortconQuery(compiled_policy, range_="s1 - s1:c0.c4", range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(41, 41)], ports) + assert [setools.PortconRange(41, 41)] == ports - def test_041_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range overlap match (overlap low level)""" - q = PortconQuery(self.p, range_="s1 - s1:c1,c2", range_overlap=True) + q = setools.PortconQuery(compiled_policy, range_="s1 - s1:c1,c2", range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(41, 41)], ports) + assert [setools.PortconRange(41, 41)] == ports - def test_041_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range overlap match (overlap high level)""" - q = PortconQuery(self.p, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) + q = setools.PortconQuery(compiled_policy, range_="s1:c1,c2 - s1:c0.c4", range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(41, 41)], ports) + assert [setools.PortconRange(41, 41)] == ports - def test_042_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range subset match""" - q = PortconQuery(self.p, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) + q = setools.PortconQuery(compiled_policy, range_="s2:c1,c2 - s2:c0.c3", range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(42, 42)], ports) + assert [setools.PortconRange(42, 42)] == ports - def test_042_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range subset match (equal)""" - q = PortconQuery(self.p, range_="s2:c1 - s2:c1.c3", range_overlap=True) + q = setools.PortconQuery(compiled_policy, range_="s2:c1 - s2:c1.c3", range_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(42, 42)], ports) + assert [setools.PortconRange(42, 42)] == ports - def test_043_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range superset match""" - q = PortconQuery(self.p, range_="s3 - s3:c0.c4", range_superset=True) + q = setools.PortconQuery(compiled_policy, range_="s3 - s3:c0.c4", range_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(43, 43)], ports) + assert [setools.PortconRange(43, 43)] == ports - def test_043_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range superset match (equal)""" - q = PortconQuery(self.p, range_="s3:c1 - s3:c1.c3", range_superset=True) + q = setools.PortconQuery(compiled_policy, range_="s3:c1 - s3:c1.c3", range_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(43, 43)], ports) + assert [setools.PortconRange(43, 43)] == ports - def test_044_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper subset match""" - q = PortconQuery(self.p, range_="s4:c1,c2", range_subset=True, range_proper=True) + q = setools.PortconQuery(compiled_policy, range_="s4:c1,c2", range_subset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(44, 44)], ports) + assert [setools.PortconRange(44, 44)] == ports - def test_044_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper subset match (equal)""" - q = PortconQuery(self.p, range_="s4:c1 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.PortconQuery(compiled_policy, range_="s4:c1 - s4:c1.c3", range_subset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_044_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper subset match (equal low only)""" - q = PortconQuery(self.p, range_="s4:c1 - s4:c1.c2", range_subset=True, range_proper=True) + q = setools.PortconQuery(compiled_policy, range_="s4:c1 - s4:c1.c2", range_subset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(44, 44)], ports) + assert [setools.PortconRange(44, 44)] == ports - def test_044_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper subset match (equal high only)""" - q = PortconQuery(self.p, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, range_proper=True) + q = setools.PortconQuery(compiled_policy, range_="s4:c1,c2 - s4:c1.c3", range_subset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(44, 44)], ports) + assert [setools.PortconRange(44, 44)] == ports - def test_045_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper superset match""" - q = PortconQuery(self.p, range_="s5 - s5:c0.c4", range_superset=True, range_proper=True) + q = setools.PortconQuery(compiled_policy, range_="s5 - s5:c0.c4", range_superset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(45, 45)], ports) + assert [setools.PortconRange(45, 45)] == ports - def test_045_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper superset match (equal)""" - q = PortconQuery(self.p, range_="s5:c1 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.PortconQuery(compiled_policy, range_="s5:c1 - s5:c1.c3", range_superset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_045_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper superset match (equal low)""" - q = PortconQuery(self.p, range_="s5:c1 - s5:c1.c4", range_superset=True, range_proper=True) + q = setools.PortconQuery(compiled_policy, range_="s5:c1 - s5:c1.c4", range_superset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(45, 45)], ports) + assert [setools.PortconRange(45, 45)] == ports - def test_045_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with context range proper superset match (equal high)""" - q = PortconQuery(self.p, range_="s5 - s5:c1.c3", range_superset=True, range_proper=True) + q = setools.PortconQuery(compiled_policy, range_="s5 - s5:c1.c3", range_superset=True, + range_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(45, 45)], ports) + assert [setools.PortconRange(45, 45)] == ports - def test_050_single_equal(self): + def test_single_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port exact match""" - q = PortconQuery(self.p, ports=(50, 50)) + q = setools.PortconQuery(compiled_policy, ports=(50, 50)) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50, 50)], ports) + assert [setools.PortconRange(50, 50)] == ports - def test_051_range_equal(self): + def test_range_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with port range exact match""" - q = PortconQuery(self.p, ports=(50100, 50110)) + q = setools.PortconQuery(compiled_policy, ports=(50100, 50110)) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50100, 50110)], ports) + assert [setools.PortconRange(50100, 50110)] == ports - def test_052_single_subset(self): + def test_single_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port subset""" - q = PortconQuery(self.p, ports=(50200, 50200), ports_subset=True) + q = setools.PortconQuery(compiled_policy, ports=(50200, 50200), ports_subset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50200, 50200)], ports) + assert [setools.PortconRange(50200, 50200)] == ports - def test_053_range_subset(self): + def test_range_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range subset""" - q = PortconQuery(self.p, ports=(50301, 50309), ports_subset=True) + q = setools.PortconQuery(compiled_policy, ports=(50301, 50309), ports_subset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50300, 50310)], ports) + assert [setools.PortconRange(50300, 50310)] == ports - def test_053_range_subset_edge1(self): + def test_range_subset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range subset, equal edge case""" - q = PortconQuery(self.p, ports=(50300, 50310), ports_subset=True) + q = setools.PortconQuery(compiled_policy, ports=(50300, 50310), ports_subset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50300, 50310)], ports) + assert [setools.PortconRange(50300, 50310)] == ports - def test_054_single_proper_subset(self): + def test_single_proper_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port proper subset""" - q = PortconQuery( - self.p, ports=(50400, 50400), ports_subset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50400, 50400), ports_subset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_055_range_proper_subset(self): + def test_range_proper_subset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper subset""" - q = PortconQuery( - self.p, ports=(50501, 50509), ports_subset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50501, 50509), ports_subset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50500, 50510)], ports) + assert [setools.PortconRange(50500, 50510)] == ports - def test_055_range_proper_subset_edge1(self): + def test_range_proper_subset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper subset, equal edge case""" - q = PortconQuery( - self.p, ports=(50500, 50510), ports_subset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50500, 50510), ports_subset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_055_range_proper_subset_edge2(self): + def test_range_proper_subset_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper subset, low equal edge case""" - q = PortconQuery( - self.p, ports=(50500, 50509), ports_subset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50500, 50509), ports_subset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50500, 50510)], ports) + assert [setools.PortconRange(50500, 50510)] == ports - def test_055_range_proper_subset_edge3(self): + def test_range_proper_subset_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper subset, high equal edge case""" - q = PortconQuery( - self.p, ports=(50501, 50510), ports_subset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50501, 50510), ports_subset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50500, 50510)], ports) + assert [setools.PortconRange(50500, 50510)] == ports - def test_056_single_superset(self): + def test_single_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port superset""" - q = PortconQuery(self.p, ports=(50600, 50602), ports_superset=True) + q = setools.PortconQuery(compiled_policy, ports=(50600, 50602), ports_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50601, 50601)], ports) + assert [setools.PortconRange(50601, 50601)] == ports - def test_056_single_superset_edge1(self): + def test_single_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port superset, equal edge case""" - q = PortconQuery(self.p, ports=(50601, 50601), ports_superset=True) + q = setools.PortconQuery(compiled_policy, ports=(50601, 50601), ports_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50601, 50601)], ports) + assert [setools.PortconRange(50601, 50601)] == ports - def test_057_range_superset(self): + def test_range_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range superset""" - q = PortconQuery(self.p, ports=(50700, 50711), ports_superset=True) + q = setools.PortconQuery(compiled_policy, ports=(50700, 50711), ports_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50700, 50710)], ports) + assert [setools.PortconRange(50700, 50710)] == ports - def test_057_range_superset_edge1(self): + def test_range_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range superset, equal edge case""" - q = PortconQuery(self.p, ports=(50700, 50710), ports_superset=True) + q = setools.PortconQuery(compiled_policy, ports=(50700, 50710), ports_superset=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50700, 50710)], ports) + assert [setools.PortconRange(50700, 50710)] == ports - def test_058_single_proper_superset(self): + def test_single_proper_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port proper superset""" - q = PortconQuery( - self.p, ports=(50800, 50802), ports_superset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50800, 50802), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50801, 50801)], ports) + assert [setools.PortconRange(50801, 50801)] == ports - def test_058_single_proper_superset_edge1(self): + def test_single_proper_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port proper superset, equal edge case""" - q = PortconQuery( - self.p, ports=(50801, 50801), ports_superset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50801, 50801), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_058_single_proper_superset_edge2(self): + def test_single_proper_superset_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port proper superset, low equal edge case""" - q = PortconQuery( - self.p, ports=(50801, 50802), ports_superset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50801, 50802), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50801, 50801)], ports) + assert [setools.PortconRange(50801, 50801)] == ports - def test_058_single_proper_superset_edge3(self): + def test_single_proper_superset_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single port proper superset, high equal edge case""" - q = PortconQuery( - self.p, ports=(50800, 50801), ports_superset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50800, 50801), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50801, 50801)], ports) + assert [setools.PortconRange(50801, 50801)] == ports - def test_059_range_proper_superset(self): + def test_range_proper_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper superset""" - q = PortconQuery( - self.p, ports=(50900, 50911), ports_superset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50900, 50911), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50901, 50910)], ports) + assert [setools.PortconRange(50901, 50910)] == ports - def test_059_range_proper_superset_edge1(self): + def test_range_proper_superset_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper superset, equal edge case""" - q = PortconQuery( - self.p, ports=(50901, 50910), ports_superset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50901, 50910), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([], ports) + assert [] == ports - def test_059_range_proper_superset_edge2(self): + def test_range_proper_superset_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper superset, equal high port edge case""" - q = PortconQuery( - self.p, ports=(50900, 50910), ports_superset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50900, 50910), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50901, 50910)], ports) + assert [setools.PortconRange(50901, 50910)] == ports - def test_059_range_proper_superset_edge3(self): + def test_range_proper_superset_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range proper superset, equal low port edge case""" - q = PortconQuery( - self.p, ports=(50901, 50911), ports_superset=True, ports_proper=True) + q = setools.PortconQuery( + compiled_policy, ports=(50901, 50911), ports_superset=True, ports_proper=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(50901, 50910)], ports) + assert [setools.PortconRange(50901, 50910)] == ports - def test_060_single_overlap(self): + def test_single_overlap(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single overlap""" - q = PortconQuery(self.p, ports=(60001, 60001), ports_overlap=True) + q = setools.PortconQuery(compiled_policy, ports=(60001, 60001), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(60001, 60001)], ports) + assert [setools.PortconRange(60001, 60001)] == ports - def test_060_single_overlap_edge1(self): + def test_single_overlap_edge1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single overlap, range match low""" - q = PortconQuery(self.p, ports=(60001, 60002), ports_overlap=True) + q = setools.PortconQuery(compiled_policy, ports=(60001, 60002), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(60001, 60001)], ports) + assert [setools.PortconRange(60001, 60001)] == ports - def test_060_single_overlap_edge2(self): + def test_single_overlap_edge2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single overlap, range match high""" - q = PortconQuery(self.p, ports=(60000, 60001), ports_overlap=True) + q = setools.PortconQuery(compiled_policy, ports=(60000, 60001), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(60001, 60001)], ports) + assert [setools.PortconRange(60001, 60001)] == ports - def test_060_single_overlap_edge3(self): + def test_single_overlap_edge3(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with single overlap, range match proper superset""" - q = PortconQuery(self.p, ports=(60000, 60002), ports_overlap=True) + q = setools.PortconQuery(compiled_policy, ports=(60000, 60002), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(60001, 60001)], ports) + assert [setools.PortconRange(60001, 60001)] == ports - def test_061_range_overlap_low_half(self): + def test_range_overlap_low_half(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range overlap, low half match""" - q = PortconQuery(self.p, ports=(60100, 60105), ports_overlap=True) + q = setools.PortconQuery(compiled_policy, ports=(60100, 60105), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(60101, 60110)], ports) + assert [setools.PortconRange(60101, 60110)] == ports - def test_062_range_overlap_high_half(self): + def test_range_overlap_high_half(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range overlap, high half match""" - q = PortconQuery(self.p, ports=(60205, 60211), ports_overlap=True) + q = setools.PortconQuery(compiled_policy, ports=(60205, 60211), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(60200, 60210)], ports) + assert [setools.PortconRange(60200, 60210)] == ports - def test_063_range_overlap_middle(self): + def test_range_overlap_middle(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range overlap, middle match""" - q = PortconQuery(self.p, ports=(60305, 60308), ports_overlap=True) + q = setools.PortconQuery(compiled_policy, ports=(60305, 60308), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(60300, 60310)], ports) + assert [setools.PortconRange(60300, 60310)] == ports - def test_064_range_overlap_equal(self): + def test_range_overlap_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range overlap, equal match""" - q = PortconQuery(self.p, ports=(60400, 60410), ports_overlap=True) + q = setools.PortconQuery(compiled_policy, ports=(60400, 60410), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(60400, 60410)], ports) + assert [setools.PortconRange(60400, 60410)] == ports - def test_065_range_overlap_superset(self): + def test_range_overlap_superset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Portcon query with range overlap, superset match""" - q = PortconQuery(self.p, ports=(60500, 60510), ports_overlap=True) + q = setools.PortconQuery(compiled_policy, ports=(60500, 60510), ports_overlap=True) ports = sorted(p.ports for p in q.results()) - self.assertListEqual([PortconRange(60501, 60509)], ports) + assert [setools.PortconRange(60501, 60509)] == ports From 299ef1447ac7431fb1c79d7c7763315077b88a8c Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:40:59 -0400 Subject: [PATCH 62/71] TestRBACRuleQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_rbacrulequery.py | 115 ++++++++++++---------------- 1 file changed, 50 insertions(+), 65 deletions(-) diff --git a/tests/library/test_rbacrulequery.py b/tests/library/test_rbacrulequery.py index 220ffd90..9166dba1 100644 --- a/tests/library/test_rbacrulequery.py +++ b/tests/library/test_rbacrulequery.py @@ -4,149 +4,134 @@ # SPDX-License-Identifier: GPL-2.0-only # # pylint: disable=invalid-name,too-many-public-methods -import os -import unittest - +import pytest +import setools from setools import RBACRuleQuery from setools import RBACRuletype as RRT from setools.exception import RuleUseError, RuleNotConditional from . import mixins -from .policyrep.util import compile_policy -class RBACRuleQueryTest(mixins.ValidateRule, unittest.TestCase): +@pytest.mark.obj_args("tests/library/rbacrulequery.conf") +class TestRBACRuleQuery(mixins.ValidateRule): """RBAC rule query unit tests.""" - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/rbacrulequery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def validate_allow(self, rule, source, target): + def validate_allow(self, rule, source, target) -> None: """Validate a role allow rule.""" - self.assertEqual(RRT.allow, rule.ruletype) - self.assertEqual(source, rule.source) - self.assertEqual(target, rule.target) - self.assertRaises(RuleUseError, getattr, rule, "tclass") - self.assertRaises(RuleUseError, getattr, rule, "default") - self.assertRaises(RuleNotConditional, getattr, rule, "conditional") - - def test_000_unset(self): + assert RRT.allow == rule.ruletype + assert source == rule.source + assert target == rule.target + with pytest.raises(RuleUseError): + rule.tclass + with pytest.raises(RuleUseError): + rule.default + with pytest.raises(RuleNotConditional): + rule.conditional + + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with no criteria.""" # query with no parameters gets all RBAC rules. - rules = sorted(self.p.rbacrules()) + rules = sorted(compiled_policy.rbacrules()) - q = RBACRuleQuery(self.p) + q = RBACRuleQuery(compiled_policy) q_rules = sorted(q.results()) - self.assertListEqual(rules, q_rules) + assert rules == q_rules - def test_001_source_direct(self): + def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with exact, direct, source match.""" q = RBACRuleQuery( - self.p, source="test1s", source_indirect=False, source_regex=False) + compiled_policy, source="test1s", source_indirect=False, source_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_allow(r[0], "test1s", "test1t") self.validate_rule(r[1], RRT.role_transition, "test1s", "system", "infoflow", "test1t") - def test_002_source_direct_regex(self): + def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with regex, direct, source match.""" q = RBACRuleQuery( - self.p, source="test2s(1|2)", source_indirect=False, source_regex=True) + compiled_policy, source="test2s(1|2)", source_indirect=False, source_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_allow(r[0], "test2s1", "test2t") - def test_010_target_direct(self): + def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with exact, direct, target match.""" q = RBACRuleQuery( - self.p, target="test10t", target_indirect=False, target_regex=False) + compiled_policy, target="test10t", target_indirect=False, target_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_allow(r[0], "test10s", "test10t") - def test_011_target_direct_regex(self): + def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with regex, direct, target match.""" q = RBACRuleQuery( - self.p, target="test11t(1|3)", target_indirect=False, target_regex=True) + compiled_policy, target="test11t(1|3)", target_indirect=False, target_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_allow(r[0], "test11s", "test11t1") - def test_012_target_type(self): + def test_target_type(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with a type as target.""" - q = RBACRuleQuery(self.p, target="test12t") + q = RBACRuleQuery(compiled_policy, target="test12t") r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RRT.role_transition, "test12s", "test12t", "infoflow", "test12d") - @unittest.skip("Setting tclass to a string is no longer supported.") - def test_020_class(self): - """RBAC rule query with exact object class match.""" - q = RBACRuleQuery(self.p, tclass="infoflow2", tclass_regex=False) - - r = sorted(q.results()) - self.assertEqual(len(r), 1) - self.validate_rule(r[0], RRT.role_transition, "test20", "system", "infoflow2", "test20d2") - - def test_021_class_list(self): + def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with object class list match.""" q = RBACRuleQuery( - self.p, tclass=["infoflow3", "infoflow4"], tclass_regex=False) + compiled_policy, tclass=["infoflow3", "infoflow4"], tclass_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], RRT.role_transition, "test21", "system", "infoflow3", "test21d3") self.validate_rule(r[1], RRT.role_transition, "test21", "system", "infoflow4", "test21d2") - def test_022_class_regex(self): + def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with object class regex match.""" - q = RBACRuleQuery(self.p, tclass="infoflow(5|6)", tclass_regex=True) + q = RBACRuleQuery(compiled_policy, tclass="infoflow(5|6)", tclass_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], RRT.role_transition, "test22", "system", "infoflow5", "test22d2") self.validate_rule(r[1], RRT.role_transition, "test22", "system", "infoflow6", "test22d3") - def test_030_default(self): + def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with exact default match.""" q = RBACRuleQuery( - self.p, default="test30d", default_regex=False) + compiled_policy, default="test30d", default_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], RRT.role_transition, "test30s", "system", "infoflow", "test30d") - def test_031_default_regex(self): + def test_default_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with regex default match.""" q = RBACRuleQuery( - self.p, default="test31d(2|3)", default_regex=True) + compiled_policy, default="test31d(2|3)", default_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], RRT.role_transition, "test31s", "system", "infoflow7", "test31d3") self.validate_rule(r[1], RRT.role_transition, "test31s", "system", "process", "test31d2") - def test_040_ruletype(self): + def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with rule type.""" - q = RBACRuleQuery(self.p, ruletype=[RRT.allow]) + q = RBACRuleQuery(compiled_policy, ruletype=[RRT.allow]) num = 0 for num, r in enumerate(sorted(q.results()), start=1): - self.assertEqual(r.ruletype, RRT.allow) + assert r.ruletype == RRT.allow # this will have to be updated as number of # role allows change in the test policy - self.assertEqual(num, 9) + assert num == 9 From 89e6c52018b2f6db86efca4c1be5620a894249bd Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:41:26 -0400 Subject: [PATCH 63/71] TestRoleQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_rolequery.py | 61 ++++++++++++++------------------- 1 file changed, 25 insertions(+), 36 deletions(-) diff --git a/tests/library/test_rolequery.py b/tests/library/test_rolequery.py index 74d3a986..95c19b1c 100644 --- a/tests/library/test_rolequery.py +++ b/tests/library/test_rolequery.py @@ -2,67 +2,56 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import RoleQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/rolequery.conf") +class TestRoleQuery: - -class RoleQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/rolequery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role query with no criteria.""" # query with no parameters gets all types. - roles = sorted(self.p.roles()) + roles = sorted(compiled_policy.roles()) - q = RoleQuery(self.p) + q = setools.RoleQuery(compiled_policy) q_roles = sorted(q.results()) - self.assertListEqual(roles, q_roles) + assert roles == q_roles - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role query with exact name match.""" - q = RoleQuery(self.p, name="test1") + q = setools.RoleQuery(compiled_policy, name="test1") roles = sorted(str(r) for r in q.results()) - self.assertListEqual(["test1"], roles) + assert ["test1"] == roles - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role query with regex name match.""" - q = RoleQuery(self.p, name="test2(a|b)", name_regex=True) + q = setools.RoleQuery(compiled_policy, name="test2(a|b)", name_regex=True) roles = sorted(str(r) for r in q.results()) - self.assertListEqual(["test2a", "test2b"], roles) + assert ["test2a", "test2b"] == roles - def test_010_type_intersect(self): + def test_type_intersect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role query with type set intersection.""" - q = RoleQuery(self.p, types=["test10a", "test10b"]) + q = setools.RoleQuery(compiled_policy, types=["test10a", "test10b"]) roles = sorted(str(r) for r in q.results()) - self.assertListEqual(["test10r1", "test10r2", "test10r3", - "test10r4", "test10r5", "test10r6"], roles) + assert ["test10r1", "test10r2", "test10r3", + "test10r4", "test10r5", "test10r6"] == roles - def test_011_type_equality(self): + def test_type_equality(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role query with type set equality.""" - q = RoleQuery(self.p, types=["test11a", "test11b"], types_equal=True) + q = setools.RoleQuery(compiled_policy, types=["test11a", "test11b"], types_equal=True) roles = sorted(str(r) for r in q.results()) - self.assertListEqual(["test11r2"], roles) + assert ["test11r2"] == roles - def test_012_type_regex(self): + def test_type_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Role query with type set match.""" - q = RoleQuery(self.p, types="test12(a|b)", types_regex=True) + q = setools.RoleQuery(compiled_policy, types="test12(a|b)", types_regex=True) roles = sorted(str(r) for r in q.results()) - self.assertListEqual(["test12r1", "test12r2", "test12r3", - "test12r4", "test12r5", "test12r6"], roles) + assert ["test12r1", "test12r2", "test12r3", + "test12r4", "test12r5", "test12r6"] == roles From d5f8aafcef20b4aca36dd56e37b76033b6a37460 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:41:44 -0400 Subject: [PATCH 64/71] TestSensitivityQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_sensitivityquery.py | 81 +++++++++++--------------- 1 file changed, 35 insertions(+), 46 deletions(-) diff --git a/tests/library/test_sensitivityquery.py b/tests/library/test_sensitivityquery.py index 8ad4bd2a..b95fad16 100644 --- a/tests/library/test_sensitivityquery.py +++ b/tests/library/test_sensitivityquery.py @@ -2,93 +2,82 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import SensitivityQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/sensitivityquery.conf") +class TestSensitivityQuery: - -class SensitivityQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/sensitivityquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity query with no criteria.""" # query with no parameters gets all sensitivities. - allsens = sorted(str(c) for c in self.p.sensitivities()) + allsens = sorted(str(c) for c in compiled_policy.sensitivities()) - q = SensitivityQuery(self.p) + q = setools.SensitivityQuery(compiled_policy) qsens = sorted(str(c) for c in q.results()) - self.assertListEqual(allsens, qsens) + assert allsens == qsens - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity query with exact name match.""" - q = SensitivityQuery(self.p, name="test1") + q = setools.SensitivityQuery(compiled_policy, name="test1") sens = sorted(str(c) for c in q.results()) - self.assertListEqual(["test1"], sens) + assert ["test1"] == sens - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity query with regex name match.""" - q = SensitivityQuery(self.p, name="test2(a|b)", name_regex=True) + q = setools.SensitivityQuery(compiled_policy, name="test2(a|b)", name_regex=True) sens = sorted(str(c) for c in q.results()) - self.assertListEqual(["test2a", "test2b"], sens) + assert ["test2a", "test2b"] == sens - def test_010_alias_exact(self): + def test_alias_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity query with exact alias match.""" - q = SensitivityQuery(self.p, alias="test10a") + q = setools.SensitivityQuery(compiled_policy, alias="test10a") sens = sorted(str(t) for t in q.results()) - self.assertListEqual(["test10s1"], sens) + assert ["test10s1"] == sens - def test_011_alias_regex(self): + def test_alias_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity query with regex alias match.""" - q = SensitivityQuery(self.p, alias="test11(a|b)", alias_regex=True) + q = setools.SensitivityQuery(compiled_policy, alias="test11(a|b)", alias_regex=True) sens = sorted(str(t) for t in q.results()) - self.assertListEqual(["test11s1", "test11s2"], sens) + assert ["test11s1", "test11s2"] == sens - def test_020_sens_equal(self): + def test_sens_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity query with sens equality.""" - q = SensitivityQuery(self.p, sens="test20") + q = setools.SensitivityQuery(compiled_policy, sens="test20") sens = sorted(str(u) for u in q.results()) - self.assertListEqual(["test20"], sens) + assert ["test20"] == sens - def test_021_sens_dom1(self): + def test_sens_dom1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity query with sens dominance.""" - q = SensitivityQuery(self.p, sens="test21crit", sens_dom=True) + q = setools.SensitivityQuery(compiled_policy, sens="test21crit", sens_dom=True) sens = sorted(str(u) for u in q.results()) - self.assertListEqual(["test21", "test21crit"], sens) + assert ["test21", "test21crit"] == sens - def test_021_sens_dom2(self): + def test_sens_dom2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity query with sens dominance (equal).""" - q = SensitivityQuery(self.p, sens="test21", sens_dom=True) + q = setools.SensitivityQuery(compiled_policy, sens="test21", sens_dom=True) sens = sorted(str(u) for u in q.results()) - self.assertListEqual(["test21"], sens) + assert ["test21"] == sens - def test_022_sens_domby1(self): + def test_sens_domby1(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity query with sens dominated-by.""" - q = SensitivityQuery(self.p, sens="test22crit", sens_domby=True) + q = setools.SensitivityQuery(compiled_policy, sens="test22crit", sens_domby=True) sens = sorted(str(u) for u in q.results()) - self.assertListEqual(["test22", "test22crit"], sens) + assert ["test22", "test22crit"] == sens - def test_022_sens_domby2(self): + def test_sens_domby2(self, compiled_policy: setools.SELinuxPolicy) -> None: """Sensitivity query with sens dominated-by (equal).""" - q = SensitivityQuery(self.p, sens="test22", sens_domby=True) + q = setools.SensitivityQuery(compiled_policy, sens="test22", sens_domby=True) sens = sorted(str(u) for u in q.results()) - self.assertListEqual(["test22"], sens) + assert ["test22"] == sens From 9878bf8d435436067f754b0366ffafac25eca9fb Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:42:41 -0400 Subject: [PATCH 65/71] TestTERuleQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_terulequery.py | 344 ++++++++++++++---------------- 1 file changed, 160 insertions(+), 184 deletions(-) diff --git a/tests/library/test_terulequery.py b/tests/library/test_terulequery.py index 1d9b9d92..4673b632 100644 --- a/tests/library/test_terulequery.py +++ b/tests/library/test_terulequery.py @@ -4,460 +4,436 @@ # SPDX-License-Identifier: GPL-2.0-only # # pylint: disable=invalid-name,too-many-public-methods -import os -import unittest - +import pytest +import setools from setools import TERuleQuery from setools import TERuletype as TRT from . import mixins -from .policyrep.util import compile_policy -class TERuleQueryTest(mixins.ValidateRule, unittest.TestCase): +@pytest.mark.obj_args("tests/library/terulequery.conf") +class TestTERuleQuery(mixins.ValidateRule): """Type enforcement rule query unit tests.""" - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/terulequery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with no criteria.""" # query with no parameters gets all TE rules. - rules = sorted(self.p.terules()) + rules = sorted(compiled_policy.terules()) - q = TERuleQuery(self.p) + q = TERuleQuery(compiled_policy) q_rules = sorted(q.results()) - self.assertListEqual(rules, q_rules) + assert rules == q_rules - def test_001_source_direct(self): + def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with exact, direct, source match.""" q = TERuleQuery( - self.p, source="test1a", source_indirect=False, source_regex=False) + compiled_policy, source="test1a", source_indirect=False, source_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allow, "test1a", "test1t", "infoflow", set(["hi_w"])) - def test_002_source_indirect(self): + def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with exact, indirect, source match.""" q = TERuleQuery( - self.p, source="test2s", source_indirect=True, source_regex=False) + compiled_policy, source="test2s", source_indirect=True, source_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allow, "test2a", "test2t", "infoflow", set(["hi_w"])) - def test_003_source_direct_regex(self): + def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, direct, source match.""" q = TERuleQuery( - self.p, source="test3a.*", source_indirect=False, source_regex=True) + compiled_policy, source="test3a.*", source_indirect=False, source_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allow, "test3aS", "test3t", "infoflow", set(["low_r"])) - def test_004_source_indirect_regex(self): + def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, indirect, source match.""" q = TERuleQuery( - self.p, source="test4(s|t)", source_indirect=True, source_regex=True) + compiled_policy, source="test4(s|t)", source_indirect=True, source_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.allow, "test4a1", "test4a1", "infoflow", set(["hi_w"])) self.validate_rule(r[1], TRT.allow, "test4a2", "test4a2", "infoflow", set(["low_r"])) - def test_005_target_direct(self): + def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with exact, direct, target match.""" q = TERuleQuery( - self.p, target="test5a", target_indirect=False, target_regex=False) + compiled_policy, target="test5a", target_indirect=False, target_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allow, "test5s", "test5a", "infoflow", set(["hi_w"])) - def test_006_target_indirect(self): + def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with exact, indirect, target match.""" q = TERuleQuery( - self.p, target="test6t", target_indirect=True, target_regex=False) + compiled_policy, target="test6t", target_indirect=True, target_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.allow, "test6s", "test6a", "infoflow", set(["hi_w"])) self.validate_rule(r[1], TRT.allow, "test6s", "test6t", "infoflow", set(["low_r"])) - def test_007_target_direct_regex(self): + def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, direct, target match.""" q = TERuleQuery( - self.p, target="test7a.*", target_indirect=False, target_regex=True) + compiled_policy, target="test7a.*", target_indirect=False, target_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allow, "test7s", "test7aPASS", "infoflow", set(["low_r"])) - def test_008_target_indirect_regex(self): + def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, indirect, target match.""" q = TERuleQuery( - self.p, target="test8(s|t)", target_indirect=True, target_regex=True) + compiled_policy, target="test8(s|t)", target_indirect=True, target_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.allow, "test8a1", "test8a1", "infoflow", set(["hi_w"])) self.validate_rule(r[1], TRT.allow, "test8a2", "test8a2", "infoflow", set(["low_r"])) - @unittest.skip("Setting tclass to a string is no longer supported.") - def test_009_class(self): - """TE rule query with exact object class match.""" - q = TERuleQuery(self.p, tclass="infoflow2", tclass_regex=False) - - r = sorted(q.results()) - self.assertEqual(len(r), 1) - self.validate_rule(r[0], TRT.allow, "test9", "test9", "infoflow2", set(["super_w"])) - - def test_010_class_list(self): + def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with object class list match.""" q = TERuleQuery( - self.p, tclass=["infoflow3", "infoflow4"], tclass_regex=False) + compiled_policy, tclass=["infoflow3", "infoflow4"], tclass_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.allow, "test10", "test10", "infoflow3", set(["null"])) self.validate_rule(r[1], TRT.allow, "test10", "test10", "infoflow4", set(["hi_w"])) - def test_011_class_regex(self): + def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with object class regex match.""" - q = TERuleQuery(self.p, tclass="infoflow(5|6)", tclass_regex=True) + q = TERuleQuery(compiled_policy, tclass="infoflow(5|6)", tclass_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.allow, "test11", "test11", "infoflow5", set(["low_w"])) self.validate_rule(r[1], TRT.allow, "test11", "test11", "infoflow6", set(["med_r"])) - def test_012_perms_any(self): + def test_perms_any(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with permission set intersection.""" - q = TERuleQuery(self.p, perms=["super_r"], perms_equal=False) + q = TERuleQuery(compiled_policy, perms=["super_r"], perms_equal=False) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.allow, "test12a", "test12a", "infoflow7", set(["super_r"])) self.validate_rule(r[1], TRT.allow, "test12b", "test12b", "infoflow7", set(["super_r", "super_none"])) - def test_013_perms_equal(self): + def test_perms_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with permission set equality.""" q = TERuleQuery( - self.p, perms=["super_w", "super_none", "super_both"], perms_equal=True) + compiled_policy, perms=["super_w", "super_none", "super_both"], perms_equal=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allow, "test13c", "test13c", "infoflow7", set(["super_w", "super_none", "super_both"])) - def test_014_ruletype(self): + def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with rule type match.""" - q = TERuleQuery(self.p, ruletype=["auditallow", "dontaudit"]) + q = TERuleQuery(compiled_policy, ruletype=["auditallow", "dontaudit"]) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.auditallow, "test14", "test14", "infoflow7", set(["super_both"])) self.validate_rule(r[1], TRT.dontaudit, "test14", "test14", "infoflow7", set(["super_unmapped"])) - def test_052_perms_subset1(self): + def test_perms_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with permission subset.""" - q = TERuleQuery(self.p, perms=["super_none", "super_both"], perms_subset=True) + q = TERuleQuery(compiled_policy, perms=["super_none", "super_both"], perms_subset=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.allow, "test13c", "test13c", "infoflow7", set(["super_w", "super_none", "super_both"])) self.validate_rule(r[1], TRT.allow, "test13d", "test13d", "infoflow7", set(["super_w", "super_none", "super_both", "super_unmapped"])) - def test_052_perms_subset2(self): + def test_perms_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with permission subset (equality).""" - q = TERuleQuery(self.p, perms=["super_w", "super_none", "super_both", "super_unmapped"], + q = TERuleQuery(compiled_policy, perms=["super_w", "super_none", "super_both", + "super_unmapped"], perms_subset=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allow, "test13d", "test13d", "infoflow7", set(["super_w", "super_none", "super_both", "super_unmapped"])) - def test_100_default(self): + def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with default type exact match.""" - q = TERuleQuery(self.p, default="test100d", default_regex=False) + q = TERuleQuery(compiled_policy, default="test100d", default_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.type_transition, "test100", "test100", "infoflow7", "test100d") - def test_101_default_regex(self): + def test_default_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with default type regex match.""" - q = TERuleQuery(self.p, default="test101.", default_regex=True) + q = TERuleQuery(compiled_policy, default="test101.", default_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.type_transition, "test101", "test101d", "infoflow7", "test101e") self.validate_rule(r[1], TRT.type_transition, "test101", "test101e", "infoflow7", "test101d") - def test_200_boolean_intersection(self): + def test_boolean_intersection(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with intersection Boolean set match.""" - q = TERuleQuery(self.p, boolean=["test200"]) + q = TERuleQuery(compiled_policy, boolean=["test200"]) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.allow, "test200t1", "test200t1", "infoflow7", set(["super_w"]), cond="test200") self.validate_rule(r[1], TRT.allow, "test200t2", "test200t2", "infoflow7", set(["super_w"]), cond="test200a && test200") - def test_201_boolean_equal(self): + def test_boolean_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with equal Boolean set match.""" - q = TERuleQuery(self.p, boolean=["test201a", "test201b"], boolean_equal=True) + q = TERuleQuery(compiled_policy, boolean=["test201a", "test201b"], boolean_equal=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allow, "test201t1", "test201t1", "infoflow7", set(["super_unmapped"]), cond="test201b && test201a") - def test_202_boolean_regex(self): + def test_boolean_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex Boolean match.""" - q = TERuleQuery(self.p, boolean="test202(a|b)", boolean_regex=True) + q = TERuleQuery(compiled_policy, boolean="test202(a|b)", boolean_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.allow, "test202t1", "test202t1", "infoflow7", set(["super_none"]), cond="test202a") self.validate_rule(r[1], TRT.allow, "test202t2", "test202t2", "infoflow7", set(["super_unmapped"]), cond="test202b || test202c") - def test_300_issue111(self): + def test_issue111(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with attribute source criteria, indirect match.""" # https://github.com/TresysTechnology/setools/issues/111 - q = TERuleQuery(self.p, source="test300b", source_indirect=True) + q = TERuleQuery(compiled_policy, source="test300b", source_indirect=True) r = sorted(q.results()) - self.assertEqual(len(r), 4) + assert len(r) == 4 self.validate_rule(r[0], TRT.allow, "test300a", "test300target", "infoflow7", set(["hi_w"])) self.validate_rule(r[1], TRT.allow, "test300b", "test300target", "infoflow7", set(["super_w"])) self.validate_rule(r[2], TRT.allow, "test300t1", "test300t1", "infoflow7", set(["hi_r"])) self.validate_rule(r[3], TRT.allow, "test300t2", "test300t2", "infoflow7", set(["med_w"])) - def test_301_issue111(self): + def test_issue111_2(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with attribute target criteria, indirect match.""" # https://github.com/TresysTechnology/setools/issues/111 - q = TERuleQuery(self.p, target="test301b", target_indirect=True) + q = TERuleQuery(compiled_policy, target="test301b", target_indirect=True) r = sorted(q.results()) - self.assertEqual(len(r), 4) + assert len(r) == 4 self.validate_rule(r[0], TRT.allow, "test301source", "test301a", "infoflow7", set(["hi_w"])) self.validate_rule(r[1], TRT.allow, "test301source", "test301b", "infoflow7", set(["super_w"])) self.validate_rule(r[2], TRT.allow, "test301t1", "test301t1", "infoflow7", set(["hi_r"])) self.validate_rule(r[3], TRT.allow, "test301t2", "test301t2", "infoflow7", set(["med_w"])) - def test_302_issue111(self): + def test_issue111_3(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with attribute default type criteria.""" # https://github.com/TresysTechnology/setools/issues/111 - q = TERuleQuery(self.p, default="test302") + q = TERuleQuery(compiled_policy, default="test302") r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.type_transition, "test302source", "test302t1", "infoflow7", "test302t1") self.validate_rule(r[1], TRT.type_transition, "test302source", "test302t2", "infoflow7", "test302t2") -class TERuleQueryXperm(mixins.ValidateRule, unittest.TestCase): +@pytest.mark.obj_args("tests/library/terulequery2.conf") +class TERuleQueryXperm(mixins.ValidateRule): """TE Rule Query with extended permission rules.""" - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/terulequery2.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_001_source_direct(self): + def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with exact, direct, source match.""" q = TERuleQuery( - self.p, source="test1a", source_indirect=False, source_regex=False) + compiled_policy, source="test1a", source_indirect=False, source_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allowxperm, "test1a", "test1t", "infoflow", - set(range(0xebe0, 0xebff + 1)), xperm="ioctl") + setools.IoctlSet(range(0xebe0, 0xebff + 1)), xperm="ioctl") - def test_002_source_indirect(self): + def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with exact, indirect, source match.""" q = TERuleQuery( - self.p, source="test2s", source_indirect=True, source_regex=False) + compiled_policy, source="test2s", source_indirect=True, source_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allowxperm, "test2a", "test2t", "infoflow", - set([0x5411, 0x5451]), xperm="ioctl") + setools.IoctlSet([0x5411, 0x5451]), xperm="ioctl") - def test_003_source_direct_regex(self): + def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, direct, source match.""" q = TERuleQuery( - self.p, source="test3a.*", source_indirect=False, source_regex=True) + compiled_policy, source="test3a.*", source_indirect=False, source_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allowxperm, "test3aS", "test3t", "infoflow", - set([0x1111]), xperm="ioctl") + setools.IoctlSet([0x1111]), xperm="ioctl") - def test_004_source_indirect_regex(self): + def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, indirect, source match.""" q = TERuleQuery( - self.p, source="test4(s|t)", source_indirect=True, source_regex=True) + compiled_policy, source="test4(s|t)", source_indirect=True, source_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.allowxperm, "test4a1", "test4a1", "infoflow", - set([0x9999]), xperm="ioctl") + setools.IoctlSet([0x9999]), xperm="ioctl") self.validate_rule(r[1], TRT.allowxperm, "test4a2", "test4a2", "infoflow", - set([0x1111]), xperm="ioctl") + setools.IoctlSet([0x1111]), xperm="ioctl") - def test_005_target_direct(self): + def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with exact, direct, target match.""" q = TERuleQuery( - self.p, target="test5a", target_indirect=False, target_regex=False) + compiled_policy, target="test5a", target_indirect=False, target_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 1) - self.validate_rule(r[0], TRT.allowxperm, "test5s", "test5a", "infoflow", set([0x9999]), - xperm="ioctl") + assert len(r) == 1 + self.validate_rule(r[0], TRT.allowxperm, "test5s", "test5a", "infoflow", + setools.IoctlSet([0x9999]), xperm="ioctl") - def test_006_target_indirect(self): + def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with exact, indirect, target match.""" q = TERuleQuery( - self.p, target="test6t", target_indirect=True, target_regex=False) + compiled_policy, target="test6t", target_indirect=True, target_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 2) - self.validate_rule(r[0], TRT.allowxperm, "test6s", "test6a", "infoflow", set([0x9999]), - xperm="ioctl") - self.validate_rule(r[1], TRT.allowxperm, "test6s", "test6t", "infoflow", set([0x1111]), - xperm="ioctl") + assert len(r) == 2 + self.validate_rule(r[0], TRT.allowxperm, "test6s", "test6a", "infoflow", + setools.IoctlSet([0x9999]), xperm="ioctl") + self.validate_rule(r[1], TRT.allowxperm, "test6s", "test6t", "infoflow", + setools.IoctlSet([0x1111]), xperm="ioctl") - def test_007_target_direct_regex(self): + def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, direct, target match.""" q = TERuleQuery( - self.p, target="test7a.*", target_indirect=False, target_regex=True) + compiled_policy, target="test7a.*", target_indirect=False, target_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) - self.validate_rule(r[0], TRT.allowxperm, "test7s", "test7aPASS", "infoflow", set([0x1111]), - xperm="ioctl") + assert len(r) == 1 + self.validate_rule(r[0], TRT.allowxperm, "test7s", "test7aPASS", "infoflow", + setools.IoctlSet([0x1111]), xperm="ioctl") - def test_008_target_indirect_regex(self): + def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, indirect, target match.""" q = TERuleQuery( - self.p, target="test8(s|t)", target_indirect=True, target_regex=True) + compiled_policy, target="test8(s|t)", target_indirect=True, target_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) - self.validate_rule(r[0], TRT.allowxperm, "test8a1", "test8a1", "infoflow", set([0x9999]), - xperm="ioctl") - self.validate_rule(r[1], TRT.allowxperm, "test8a2", "test8a2", "infoflow", set([0x1111]), - xperm="ioctl") + assert len(r) == 2 + self.validate_rule(r[0], TRT.allowxperm, "test8a1", "test8a1", "infoflow", + setools.IoctlSet([0x9999]), xperm="ioctl") + self.validate_rule(r[1], TRT.allowxperm, "test8a2", "test8a2", "infoflow", + setools.IoctlSet([0x1111]), xperm="ioctl") - def test_010_class_list(self): + def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with object class list match.""" q = TERuleQuery( - self.p, tclass=["infoflow3", "infoflow4"], tclass_regex=False) + compiled_policy, tclass=["infoflow3", "infoflow4"], tclass_regex=False) r = sorted(q.results()) - self.assertEqual(len(r), 2) - self.validate_rule(r[0], TRT.allowxperm, "test10", "test10", "infoflow3", set([0]), - xperm="ioctl") - self.validate_rule(r[1], TRT.allowxperm, "test10", "test10", "infoflow4", set([0x9999]), - xperm="ioctl") + assert len(r) == 2 + self.validate_rule(r[0], TRT.allowxperm, "test10", "test10", "infoflow3", + setools.IoctlSet([0]), xperm="ioctl") + self.validate_rule(r[1], TRT.allowxperm, "test10", "test10", "infoflow4", + setools.IoctlSet([0x9999]), xperm="ioctl") - def test_011_class_regex(self): + def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with object class regex match.""" - q = TERuleQuery(self.p, tclass="infoflow(5|6)", tclass_regex=True) + q = TERuleQuery(compiled_policy, tclass="infoflow(5|6)", tclass_regex=True) r = sorted(q.results()) - self.assertEqual(len(r), 2) - self.validate_rule(r[0], TRT.allowxperm, "test11", "test11", "infoflow5", set([0x1111]), - xperm="ioctl") - self.validate_rule(r[1], TRT.allowxperm, "test11", "test11", "infoflow6", set([0x5555]), - xperm="ioctl") + assert len(r) == 2 + self.validate_rule(r[0], TRT.allowxperm, "test11", "test11", "infoflow5", + setools.IoctlSet([0x1111]), xperm="ioctl") + self.validate_rule(r[1], TRT.allowxperm, "test11", "test11", "infoflow6", + setools.IoctlSet([0x5555]), xperm="ioctl") - def test_014_ruletype(self): + def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with rule type match.""" - q = TERuleQuery(self.p, ruletype=["auditallowxperm", "dontauditxperm"]) + q = TERuleQuery(compiled_policy, ruletype=["auditallowxperm", "dontauditxperm"]) r = sorted(q.results()) - self.assertEqual(len(r), 2) + assert len(r) == 2 self.validate_rule(r[0], TRT.auditallowxperm, "test14", "test14", "infoflow7", - set([0x1234]), xperm="ioctl") + setools.IoctlSet([0x1234]), xperm="ioctl") self.validate_rule(r[1], TRT.dontauditxperm, "test14", "test14", "infoflow7", - set([0x4321]), xperm="ioctl") + setools.IoctlSet([0x4321]), xperm="ioctl") - def test_100_std_perm_any(self): + def test_std_perm_any(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query match by standard permission.""" - q = TERuleQuery(self.p, ruletype=["neverallow", "neverallowxperm"], + q = TERuleQuery(compiled_policy, ruletype=["neverallow", "neverallowxperm"], perms=set(["ioctl", "hi_w"]), perms_equal=False) r = sorted(q.results()) - self.assertEqual(len(r), 0) + assert len(r) == 0 # changed after dropping source policy support - # self.assertEqual(len(r), 2) + # assert len(r) == 2 # self.validate_rule(r[0], TRT.neverallow, "test100", "system", "infoflow2", # set(["ioctl", "hi_w"])) # self.validate_rule(r[1], TRT.neverallowxperm, "test100", "test100", "infoflow2", - # set([0x1234]), xperm="ioctl") + # setools.IoctlSet([0x1234]), xperm="ioctl") - def test_100_std_perm_equal(self): + def test_std_perm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query match by standard permission, equal perm set.""" - q = TERuleQuery(self.p, ruletype=["neverallow", "neverallowxperm"], + q = TERuleQuery(compiled_policy, ruletype=["neverallow", "neverallowxperm"], perms=set(["ioctl", "hi_w"]), perms_equal=True) r = sorted(q.results()) - self.assertEqual(len(r), 0) + assert len(r) == 0 # changed after dropping source policy support - # self.assertEqual(len(r), 1) + # assert len(r) == 1 # self.validate_rule(r[0], TRT.neverallow, "test100", "system", "infoflow2", # set(["ioctl", "hi_w"])) - def test_101_xperm_any(self): + def test_xperm_any(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query match any perm set.""" - q = TERuleQuery(self.p, xperms=[(0x9011, 0x9013)], xperms_equal=False) + q = TERuleQuery(compiled_policy, xperms=[(0x9011, 0x9013)], xperms_equal=False) r = sorted(q.results()) - self.assertEqual(len(r), 4) + assert len(r) == 4 self.validate_rule(r[0], TRT.allowxperm, "test101a", "test101a", "infoflow7", - set([0x9011]), xperm="ioctl") + setools.IoctlSet([0x9011]), xperm="ioctl") self.validate_rule(r[1], TRT.allowxperm, "test101b", "test101b", "infoflow7", - set([0x9011, 0x9012]), xperm="ioctl") + setools.IoctlSet([0x9011, 0x9012]), xperm="ioctl") self.validate_rule(r[2], TRT.allowxperm, "test101c", "test101c", "infoflow7", - set([0x9011, 0x9012, 0x9013]), xperm="ioctl") + setools.IoctlSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") self.validate_rule(r[3], TRT.allowxperm, "test101d", "test101d", "infoflow7", - set([0x9011, 0x9012, 0x9013, 0x9014]), xperm="ioctl") + setools.IoctlSet([0x9011, 0x9012, 0x9013, 0x9014]), xperm="ioctl") - def test_101_xperm_equal(self): + def test_xperm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query match equal perm set.""" - q = TERuleQuery(self.p, xperms=[(0x9011, 0x9013)], xperms_equal=True) + q = TERuleQuery(compiled_policy, xperms=[(0x9011, 0x9013)], xperms_equal=True) r = sorted(q.results()) - self.assertEqual(len(r), 1) + assert len(r) == 1 self.validate_rule(r[0], TRT.allowxperm, "test101c", "test101c", "infoflow7", - set([0x9011, 0x9012, 0x9013]), xperm="ioctl") + setools.IoctlSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") From a5cfda01f52cd6dc14b9fd2b933bc74bb798df55 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:43:05 -0400 Subject: [PATCH 66/71] TestTypeAttributeQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_typeattrquery.py | 59 ++++++++++++----------------- 1 file changed, 24 insertions(+), 35 deletions(-) diff --git a/tests/library/test_typeattrquery.py b/tests/library/test_typeattrquery.py index 9f084f9a..031a50f5 100644 --- a/tests/library/test_typeattrquery.py +++ b/tests/library/test_typeattrquery.py @@ -2,66 +2,55 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import TypeAttributeQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/typeattrquery.conf") +class TestTypeAttributeQuery: - -class TypeAttributeQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/typeattrquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type attribute query with no criteria.""" # query with no parameters gets all attrs. - allattrs = sorted(self.p.typeattributes()) + allattrs = sorted(compiled_policy.typeattributes()) - q = TypeAttributeQuery(self.p) + q = setools.TypeAttributeQuery(compiled_policy) qattrs = sorted(q.results()) - self.assertListEqual(allattrs, qattrs) + assert allattrs == qattrs - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type attribute query with exact name match.""" - q = TypeAttributeQuery(self.p, name="test1") + q = setools.TypeAttributeQuery(compiled_policy, name="test1") attrs = sorted(str(t) for t in q.results()) - self.assertListEqual(["test1"], attrs) + assert ["test1"] == attrs - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type attribute query with regex name match.""" - q = TypeAttributeQuery(self.p, name="test2(a|b)", name_regex=True) + q = setools.TypeAttributeQuery(compiled_policy, name="test2(a|b)", name_regex=True) attrs = sorted(str(t) for t in q.results()) - self.assertListEqual(["test2a", "test2b"], attrs) + assert ["test2a", "test2b"] == attrs - def test_010_type_set_intersect(self): + def test_type_set_intersect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type attribute query with type set intersection.""" - q = TypeAttributeQuery(self.p, types=["test10t1", "test10t7"]) + q = setools.TypeAttributeQuery(compiled_policy, types=["test10t1", "test10t7"]) attrs = sorted(str(t) for t in q.results()) - self.assertListEqual(["test10a", "test10c"], attrs) + assert ["test10a", "test10c"] == attrs - def test_011_type_set_equality(self): + def test_type_set_equality(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type attribute query with type set equality.""" - q = TypeAttributeQuery(self.p, types=["test11t1", "test11t2", - "test11t3", "test11t5"], types_equal=True) + q = setools.TypeAttributeQuery(compiled_policy, types=["test11t1", "test11t2", + "test11t3", "test11t5"], types_equal=True) attrs = sorted(str(t) for t in q.results()) - self.assertListEqual(["test11a"], attrs) + assert ["test11a"] == attrs - def test_012_type_set_regex(self): + def test_type_set_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type attribute query with type set regex match.""" - q = TypeAttributeQuery(self.p, types="test12t(1|2)", types_regex=True) + q = setools.TypeAttributeQuery(compiled_policy, types="test12t(1|2)", types_regex=True) attrs = sorted(str(t) for t in q.results()) - self.assertListEqual(["test12a", "test12b"], attrs) + assert ["test12a", "test12b"] == attrs From 8ee4d1ce582dfc8e8c2e9bd5dd74cd587e929075 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:43:23 -0400 Subject: [PATCH 67/71] TestTypeQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_typequery.py | 85 ++++++++++++++------------------- 1 file changed, 37 insertions(+), 48 deletions(-) diff --git a/tests/library/test_typequery.py b/tests/library/test_typequery.py index b2bf5d58..64c23cf5 100644 --- a/tests/library/test_typequery.py +++ b/tests/library/test_typequery.py @@ -3,95 +3,84 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import TypeQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/typequery.conf") +class TestTypeQuery: - -class TypeQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/typequery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type query with no criteria.""" # query with no parameters gets all types. - alltypes = sorted(self.p.types()) + alltypes = sorted(compiled_policy.types()) - q = TypeQuery(self.p) + q = setools.TypeQuery(compiled_policy) qtypes = sorted(q.results()) - self.assertListEqual(alltypes, qtypes) + assert alltypes == qtypes - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type query with exact name match.""" - q = TypeQuery(self.p, name="test1") + q = setools.TypeQuery(compiled_policy, name="test1") types = sorted(str(t) for t in q.results()) - self.assertListEqual(["test1"], types) + assert ["test1"] == types - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type query with regex name match.""" - q = TypeQuery(self.p, name="test2(a|b)", name_regex=True) + q = setools.TypeQuery(compiled_policy, name="test2(a|b)", name_regex=True) types = sorted(str(t) for t in q.results()) - self.assertListEqual(["test2a", "test2b"], types) + assert ["test2a", "test2b"] == types - def test_010_attr_intersect(self): + def test_attr_intersect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type query with attribute set intersection.""" - q = TypeQuery(self.p, attrs=["test10a", "test10b"]) + q = setools.TypeQuery(compiled_policy, attrs=["test10a", "test10b"]) types = sorted(str(t) for t in q.results()) - self.assertListEqual(["test10t1", "test10t2", "test10t3", - "test10t4", "test10t5", "test10t6"], types) + assert ["test10t1", "test10t2", "test10t3", + "test10t4", "test10t5", "test10t6"] == types - def test_011_attr_equality(self): + def test_attr_equality(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type query with attribute set equality.""" - q = TypeQuery(self.p, attrs=["test11a", "test11b"], attrs_equal=True) + q = setools.TypeQuery(compiled_policy, attrs=["test11a", "test11b"], attrs_equal=True) types = sorted(str(t) for t in q.results()) - self.assertListEqual(["test11t2"], types) + assert ["test11t2"] == types - def test_012_attr_regex(self): + def test_attr_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type query with attribute regex match.""" - q = TypeQuery(self.p, attrs="test12(a|b)", attrs_regex=True) + q = setools.TypeQuery(compiled_policy, attrs="test12(a|b)", attrs_regex=True) types = sorted(str(t) for t in q.results()) - self.assertListEqual(["test12t1", "test12t2", "test12t3", - "test12t4", "test12t5", "test12t6"], types) + assert ["test12t1", "test12t2", "test12t3", + "test12t4", "test12t5", "test12t6"] == types - def test_020_alias_exact(self): + def test_alias_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type query with exact alias match.""" - q = TypeQuery(self.p, alias="test20a") + q = setools.TypeQuery(compiled_policy, alias="test20a") types = sorted(str(t) for t in q.results()) - self.assertListEqual(["test20t1"], types) + assert ["test20t1"] == types - def test_021_alias_regex(self): + def test_alias_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type query with regex alias match.""" - q = TypeQuery(self.p, alias="test21(a|b)", alias_regex=True) + q = setools.TypeQuery(compiled_policy, alias="test21(a|b)", alias_regex=True) types = sorted(str(t) for t in q.results()) - self.assertListEqual(["test21t1", "test21t2"], types) + assert ["test21t1", "test21t2"] == types - def test_022_alias_dereference(self): + def test_alias_dereference(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type query with alias dereference.""" - q = TypeQuery(self.p, name="test22alias", alias_deref=True) + q = setools.TypeQuery(compiled_policy, name="test22alias", alias_deref=True) types = sorted(str(t) for t in q.results()) - self.assertListEqual(["test22"], types) + assert ["test22"] == types - def test_030_permissive(self): + def test_permissive(self, compiled_policy: setools.SELinuxPolicy) -> None: """Type query with permissive match""" - q = TypeQuery(self.p, permissive=True) + q = setools.TypeQuery(compiled_policy, permissive=True) types = sorted(str(t) for t in q.results()) - self.assertListEqual(["test30"], types) + assert ["test30"] == types From 20d704fa4a61d6a9325ed75856962eaf547efdb7 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:43:51 -0400 Subject: [PATCH 68/71] TestUserQuery: Update tests to pytest fixtures. Signed-off-by: Chris PeBenito --- tests/library/test_userquery.py | 216 ++++++++++++++++---------------- 1 file changed, 107 insertions(+), 109 deletions(-) diff --git a/tests/library/test_userquery.py b/tests/library/test_userquery.py index 1b494790..c141317a 100644 --- a/tests/library/test_userquery.py +++ b/tests/library/test_userquery.py @@ -2,236 +2,234 @@ # # SPDX-License-Identifier: GPL-2.0-only # -import os -import unittest +import pytest +import setools -from setools import UserQuery -from .policyrep.util import compile_policy +@pytest.mark.obj_args("tests/library/userquery.conf") +class TestUserQuery: - -class UserQueryTest(unittest.TestCase): - - @classmethod - def setUpClass(cls): - cls.p = compile_policy("tests/library/userquery.conf") - - @classmethod - def tearDownClass(cls): - os.unlink(cls.p.path) - - def test_000_unset(self): + def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with no criteria.""" # query with no parameters gets all types. - allusers = sorted(self.p.users()) + allusers = sorted(compiled_policy.users()) - q = UserQuery(self.p) + q = setools.UserQuery(compiled_policy) qusers = sorted(q.results()) - self.assertListEqual(allusers, qusers) + assert allusers == qusers - def test_001_name_exact(self): + def test_name_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with exact name match.""" - q = UserQuery(self.p, name="test1_u") + q = setools.UserQuery(compiled_policy, name="test1_u") users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test1_u"], users) + assert ["test1_u"] == users - def test_002_name_regex(self): + def test_name_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with regex name match.""" - q = UserQuery(self.p, name="test2_u(1|2)", name_regex=True) + q = setools.UserQuery(compiled_policy, name="test2_u(1|2)", name_regex=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test2_u1", "test2_u2"], users) + assert ["test2_u1", "test2_u2"] == users - def test_010_role_intersect(self): + def test_role_intersect(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with role set intersection.""" - q = UserQuery(self.p, roles=["test10a_r", "test10b_r"]) + q = setools.UserQuery(compiled_policy, roles=["test10a_r", "test10b_r"]) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test10_u1", "test10_u2", "test10_u3", - "test10_u4", "test10_u5", "test10_u6"], users) + assert ["test10_u1", "test10_u2", "test10_u3", + "test10_u4", "test10_u5", "test10_u6"] == users - def test_011_role_equality(self): + def test_role_equality(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with role set equality.""" - q = UserQuery( - self.p, roles=["test11a_r", "test11b_r"], roles_equal=True) + q = setools.UserQuery( + compiled_policy, roles=["test11a_r", "test11b_r"], roles_equal=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test11_u2"], users) + assert ["test11_u2"] == users - def test_012_role_regex(self): + def test_role_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with role regex match.""" - q = UserQuery(self.p, roles="test12(a|b)_r", roles_regex=True) + q = setools.UserQuery(compiled_policy, roles="test12(a|b)_r", roles_regex=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test12_u1", "test12_u2", "test12_u3", - "test12_u4", "test12_u5", "test12_u6"], users) + assert ["test12_u1", "test12_u2", "test12_u3", + "test12_u4", "test12_u5", "test12_u6"] == users - def test_020_level_equal(self): + def test_level_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with default level equality.""" - q = UserQuery(self.p, level="s3:c0,c4") + q = setools.UserQuery(compiled_policy, level="s3:c0,c4") users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test20"], users) + assert ["test20"] == users - def test_021_level_dom1(self): + def test_level_dom1(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with default level dominance.""" - q = UserQuery(self.p, level="s2:c1,c2,c4", level_dom=True) + q = setools.UserQuery(compiled_policy, level="s2:c1,c2,c4", level_dom=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test21"], users) + assert ["test21"] == users - def test_021_level_dom2(self): + def test_level_dom2(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with default level dominance (equal).""" - q = UserQuery(self.p, level="s2:c1,c4", level_dom=True) + q = setools.UserQuery(compiled_policy, level="s2:c1,c4", level_dom=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test21"], users) + assert ["test21"] == users - def test_022_level_domby1(self): + def test_level_domby1(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with default level dominated-by.""" - q = UserQuery(self.p, level="s3:c2", level_domby=True) + q = setools.UserQuery(compiled_policy, level="s3:c2", level_domby=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test22"], users) + assert ["test22"] == users - def test_022_level_domby2(self): + def test_level_domby2(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with default level dominated-by (equal).""" - q = UserQuery(self.p, level="s3:c2,c4", level_domby=True) + q = setools.UserQuery(compiled_policy, level="s3:c2,c4", level_domby=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test22"], users) + assert ["test22"] == users - def test_023_level_incomp(self): + def test_level_incomp(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with default level icomparable.""" - q = UserQuery(self.p, level="s5:c0.c5,c7", level_incomp=True) + q = setools.UserQuery(compiled_policy, level="s5:c0.c5,c7", level_incomp=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test23"], users) + assert ["test23"] == users - def test_040_range_exact(self): + def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range exact match""" - q = UserQuery(self.p, range_="s0:c5 - s0:c0.c5") + q = setools.UserQuery(compiled_policy, range_="s0:c5 - s0:c0.c5") users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test40"], users) + assert ["test40"] == users - def test_041_range_overlap1(self): + def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range overlap match (equal)""" - q = UserQuery(self.p, range_="s1:c5 - s1:c1.c3,c5", range_overlap=True) + q = setools.UserQuery(compiled_policy, range_="s1:c5 - s1:c1.c3,c5", range_overlap=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test41"], users) + assert ["test41"] == users - def test_041_range_overlap2(self): + def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range overlap match (subset)""" - q = UserQuery(self.p, range_="s1:c2,c5 - s1:c2.c3,c5", range_overlap=True) + q = setools.UserQuery(compiled_policy, range_="s1:c2,c5 - s1:c2.c3,c5", range_overlap=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test41"], users) + assert ["test41"] == users - def test_041_range_overlap3(self): + def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range overlap match (superset)""" - q = UserQuery(self.p, range_="s1 - s1:c0.c5", range_overlap=True) + q = setools.UserQuery(compiled_policy, range_="s1 - s1:c0.c5", range_overlap=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test41"], users) + assert ["test41"] == users - def test_041_range_overlap4(self): + def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range overlap match (overlap low level)""" - q = UserQuery(self.p, range_="s1:c5 - s1:c2,c5", range_overlap=True) + q = setools.UserQuery(compiled_policy, range_="s1:c5 - s1:c2,c5", range_overlap=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test41"], users) + assert ["test41"] == users - def test_041_range_overlap5(self): + def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range overlap match (overlap high level)""" - q = UserQuery(self.p, range_="s1:c5,c2 - s1:c1.c3,c5", range_overlap=True) + q = setools.UserQuery(compiled_policy, range_="s1:c5,c2 - s1:c1.c3,c5", range_overlap=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test41"], users) + assert ["test41"] == users - def test_042_range_subset1(self): + def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range subset match""" - q = UserQuery(self.p, range_="s2:c2,c5 - s2:c2.c3,c5", range_overlap=True) + q = setools.UserQuery(compiled_policy, range_="s2:c2,c5 - s2:c2.c3,c5", range_overlap=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test42"], users) + assert ["test42"] == users - def test_042_range_subset2(self): + def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range subset match (equal)""" - q = UserQuery(self.p, range_="s2:c5 - s2:c1.c3,c5", range_overlap=True) + q = setools.UserQuery(compiled_policy, range_="s2:c5 - s2:c1.c3,c5", range_overlap=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test42"], users) + assert ["test42"] == users - def test_043_range_superset1(self): + def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range superset match""" - q = UserQuery(self.p, range_="s3 - s3:c0.c6", range_superset=True) + q = setools.UserQuery(compiled_policy, range_="s3 - s3:c0.c6", range_superset=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test43"], users) + assert ["test43"] == users - def test_043_range_superset2(self): + def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range superset match (equal)""" - q = UserQuery(self.p, range_="s3:c5 - s3:c1.c3,c5.c6", range_superset=True) + q = setools.UserQuery(compiled_policy, range_="s3:c5 - s3:c1.c3,c5.c6", + range_superset=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test43"], users) + assert ["test43"] == users - def test_044_range_proper_subset1(self): + def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range proper subset match""" - q = UserQuery(self.p, range_="s4:c2,c5", range_subset=True, range_proper=True) + q = setools.UserQuery(compiled_policy, range_="s4:c2,c5", range_subset=True, + range_proper=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test44"], users) + assert ["test44"] == users - def test_044_range_proper_subset2(self): + def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range proper subset match (equal)""" - q = UserQuery(self.p, range_="s4:c5 - s4:c1.c3,c5", range_subset=True, range_proper=True) + q = setools.UserQuery(compiled_policy, range_="s4:c5 - s4:c1.c3,c5", range_subset=True, + range_proper=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual([], users) + assert [] == users - def test_044_range_proper_subset3(self): + def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range proper subset match (equal low)""" - q = UserQuery(self.p, range_="s4:c5 - s4:c1.c2,c5", range_subset=True, range_proper=True) + q = setools.UserQuery(compiled_policy, range_="s4:c5 - s4:c1.c2,c5", range_subset=True, + range_proper=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test44"], users) + assert ["test44"] == users - def test_044_range_proper_subset4(self): + def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range proper subset match (equal high)""" - q = UserQuery(self.p, range_="s4:c1,c5 - s4:c1.c3,c5", range_subset=True, range_proper=True) + q = setools.UserQuery(compiled_policy, range_="s4:c1,c5 - s4:c1.c3,c5", range_subset=True, + range_proper=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test44"], users) + assert ["test44"] == users - def test_045_range_proper_superset1(self): + def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range proper superset match""" - q = UserQuery(self.p, range_="s5 - s5:c0.c5", range_superset=True, range_proper=True) + q = setools.UserQuery(compiled_policy, range_="s5 - s5:c0.c5", range_superset=True, + range_proper=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test45"], users) + assert ["test45"] == users - def test_045_range_proper_superset2(self): + def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range proper superset match (equal)""" - q = UserQuery(self.p, range_="s5:c5 - s5:c1.c3,c5", range_superset=True, range_proper=True) + q = setools.UserQuery(compiled_policy, range_="s5:c5 - s5:c1.c3,c5", range_superset=True, + range_proper=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual([], users) + assert [] == users - def test_045_range_proper_superset3(self): + def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range proper superset match (equal low)""" - q = UserQuery(self.p, range_="s5:c5 - s5:c1.c5", range_superset=True, range_proper=True) + q = setools.UserQuery(compiled_policy, range_="s5:c5 - s5:c1.c5", range_superset=True, + range_proper=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test45"], users) + assert ["test45"] == users - def test_045_range_proper_superset4(self): + def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """User query with range proper superset match (equal high)""" - q = UserQuery(self.p, range_="s5 - s5:c1.c3,c5", range_superset=True, range_proper=True) + q = setools.UserQuery(compiled_policy, range_="s5 - s5:c1.c3,c5", range_superset=True, + range_proper=True) users = sorted(str(u) for u in q.results()) - self.assertListEqual(["test45"], users) + assert ["test45"] == users From 894c695c4b399f20d0643f7633882f95f4a914d5 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Thu, 18 Apr 2024 15:44:43 -0400 Subject: [PATCH 69/71] Remove unused compile_policy utility function. This is replaced by a pytest fixture. Signed-off-by: Chris PeBenito --- tests/library/policyrep/util.py | 55 --------------------------------- 1 file changed, 55 deletions(-) delete mode 100644 tests/library/policyrep/util.py diff --git a/tests/library/policyrep/util.py b/tests/library/policyrep/util.py deleted file mode 100644 index 3124cda6..00000000 --- a/tests/library/policyrep/util.py +++ /dev/null @@ -1,55 +0,0 @@ -# Copyright 2015, Tresys Technology, LLC -# Copyright 2018, Chris PeBenito -# -# SPDX-License-Identifier: GPL-2.0-only -# -import os -import subprocess -import tempfile - -from setools import SELinuxPolicy - - -def compile_policy(source_file, mls=True, xen=False): - """ - Compile the specified source policy. Checkpolicy is - assumed to be /usr/bin/checkpolicy. Otherwise the path - must be specified in the CHECKPOLICY environment variable. - - Return: - A SELinuxPolicy object. - """ - # create a temp file for the binary policy - # and then have checkpolicy overwrite it. - fd, policy_path = tempfile.mkstemp() - os.close(fd) - - if "USERSPACE_SRC" in os.environ: - command = [os.environ['USERSPACE_SRC'] + "/checkpolicy/checkpolicy"] - elif "CHECKPOLICY" in os.environ: - command = [os.environ['CHECKPOLICY']] - else: - command = ["/usr/bin/checkpolicy"] - - if mls: - command.append("-M") - - if xen: - command.extend(["-t", "xen", "-c", "30"]) - - command.extend(["-o", policy_path, "-U", "reject", source_file]) - - with open(os.devnull, "w") as null: - subprocess.check_call(command, stdout=null, shell=False, close_fds=True) - - try: - policy = SELinuxPolicy(policy_path) - except Exception: - # This should never be hit, since this policy - # successfully compiled with checkpolicy above. - # If we do, clean up the binary policy since - # tearDownClass() does not run. - os.unlink(policy_path) - raise - - return policy From c958e6754462134a9e0d04781b4596270bc5f586 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 19 Apr 2024 13:42:20 -0400 Subject: [PATCH 70/71] tests/library: Move validate_rule to a regular function. Now that unit tests use pytest, validate_rule no longer needs to use "self" to do assertions. It no longer needs to be a mixin. Signed-off-by: Chris PeBenito --- tests/library/mixins.py | 53 -------- tests/library/test_diff.py | 180 ++++++++++++++-------------- tests/library/test_dta.py | 60 +++++----- tests/library/test_infoflow.py | 30 ++--- tests/library/test_mlsrulequery.py | 64 +++++----- tests/library/test_rbacrulequery.py | 22 ++-- tests/library/test_terulequery.py | 138 ++++++++++----------- tests/library/util.py | 48 ++++++++ 8 files changed, 295 insertions(+), 300 deletions(-) delete mode 100644 tests/library/mixins.py create mode 100644 tests/library/util.py diff --git a/tests/library/mixins.py b/tests/library/mixins.py deleted file mode 100644 index 205927d5..00000000 --- a/tests/library/mixins.py +++ /dev/null @@ -1,53 +0,0 @@ -"""Unit test mixin classes.""" -# Copyright 2015, Tresys Technology, LLC -# -# SPDX-License-Identifier: GPL-2.0-only -# -# pylint: disable=too-few-public-methods -import pytest -import setools - - -class ValidateRule: - - """Mixin for validating policy rules.""" - - def validate_rule(self, - rule: setools.policyrep.PolicyRule, - ruletype: setools.policyrep.PolicyEnum | str, - source: setools.policyrep.PolicySymbol | str, - target: setools.policyrep.PolicySymbol | str, - tclass: setools.ObjClass | str, - last_item: set[str] | setools.IoctlSet | setools.policyrep.PolicySymbol | str, - cond: str | None = None, - cond_block: bool | None = None, - xperm: str | None = None) -> None: - - """Validate a rule.""" - assert ruletype == rule.ruletype - assert source == rule.source - assert target == rule.target - assert tclass == rule.tclass - - try: - # This is the common case. - assert last_item == rule.perms - except (AttributeError, setools.exception.RuleUseError): - assert last_item == rule.default - - if cond: - assert cond == rule.conditional - else: - with pytest.raises(setools.exception.RuleNotConditional): - rule.conditional - - if cond_block is not None: - assert cond_block == rule.conditional_block - - if xperm: - assert xperm == rule.xperm_type - assert rule.extended - else: - with pytest.raises(AttributeError): - rule.xperm_type - assert not rule.extended diff --git a/tests/library/test_diff.py b/tests/library/test_diff.py index 644c9cd1..20ed89ef 100644 --- a/tests/library/test_diff.py +++ b/tests/library/test_diff.py @@ -19,7 +19,7 @@ from setools import RBACRuletype as RRT from setools import TERuletype as TRT -from .mixins import ValidateRule +from . import util @pytest.fixture(scope="class") @@ -28,7 +28,7 @@ def analysis(policy_pair: tuple[setools.SELinuxPolicy, setools.SELinuxPolicy]) - @pytest.mark.obj_args("tests/library/diff_left.conf", "tests/library/diff_right.conf") -class TestPolicyDifference(ValidateRule): +class TestPolicyDifference: """Policy difference tests.""" @@ -234,23 +234,23 @@ def test_added_allow_rules(self, analysis: setools.PolicyDifference) -> None: assert 5 == len(rules) # added rule with existing types - self.validate_rule(rules[0], TRT.allow, "added_rule_source", "added_rule_target", + util.validate_rule(rules[0], TRT.allow, "added_rule_source", "added_rule_target", "infoflow", set(["med_w"])) # added rule with new type - self.validate_rule(rules[1], TRT.allow, "added_type", "added_type", "infoflow2", + util.validate_rule(rules[1], TRT.allow, "added_type", "added_type", "infoflow2", set(["med_w"])) # rule moved out of a conditional - self.validate_rule(rules[2], TRT.allow, "move_from_bool", "move_from_bool", "infoflow4", + util.validate_rule(rules[2], TRT.allow, "move_from_bool", "move_from_bool", "infoflow4", set(["hi_r"])) # rule moved into a conditional - self.validate_rule(rules[3], TRT.allow, "move_to_bool", "move_to_bool", "infoflow4", + util.validate_rule(rules[3], TRT.allow, "move_to_bool", "move_to_bool", "infoflow4", set(["hi_w"]), cond="move_to_bool_b", cond_block=True) # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[4], TRT.allow, "system", "switch_block", "infoflow6", + util.validate_rule(rules[4], TRT.allow, "system", "switch_block", "infoflow6", set(["hi_r"]), cond="switch_block_b", cond_block=False) def test_removed_allow_rules(self, analysis: setools.PolicyDifference) -> None: @@ -259,23 +259,23 @@ def test_removed_allow_rules(self, analysis: setools.PolicyDifference) -> None: assert 5 == len(rules) # rule moved out of a conditional - self.validate_rule(rules[0], TRT.allow, "move_from_bool", "move_from_bool", "infoflow4", + util.validate_rule(rules[0], TRT.allow, "move_from_bool", "move_from_bool", "infoflow4", set(["hi_r"]), cond="move_from_bool_b", cond_block=True) # rule moved into a conditional - self.validate_rule(rules[1], TRT.allow, "move_to_bool", "move_to_bool", "infoflow4", + util.validate_rule(rules[1], TRT.allow, "move_to_bool", "move_to_bool", "infoflow4", set(["hi_w"])) # removed rule with existing types - self.validate_rule(rules[2], TRT.allow, "removed_rule_source", "removed_rule_target", + util.validate_rule(rules[2], TRT.allow, "removed_rule_source", "removed_rule_target", "infoflow", set(["hi_r"])) # removed rule with new type - self.validate_rule(rules[3], TRT.allow, "removed_type", "removed_type", "infoflow3", + util.validate_rule(rules[3], TRT.allow, "removed_type", "removed_type", "infoflow3", set(["null"])) # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[4], TRT.allow, "system", "switch_block", "infoflow6", + util.validate_rule(rules[4], TRT.allow, "system", "switch_block", "infoflow6", set(["hi_r"]), cond="switch_block_b", cond_block=True) def test_modified_allow_rules(self, analysis: setools.PolicyDifference) -> None: @@ -322,23 +322,23 @@ def test_added_auditallow_rules(self, analysis: setools.PolicyDifference) -> Non assert 5 == len(rules) # added rule with existing types - self.validate_rule(rules[0], TRT.auditallow, "aa_added_rule_source", + util.validate_rule(rules[0], TRT.auditallow, "aa_added_rule_source", "aa_added_rule_target", "infoflow", set(["med_w"])) # rule moved out of a conditional - self.validate_rule(rules[1], TRT.auditallow, "aa_move_from_bool", "aa_move_from_bool", + util.validate_rule(rules[1], TRT.auditallow, "aa_move_from_bool", "aa_move_from_bool", "infoflow4", set(["hi_r"])) # rule moved into a conditional - self.validate_rule(rules[2], TRT.auditallow, "aa_move_to_bool", "aa_move_to_bool", + util.validate_rule(rules[2], TRT.auditallow, "aa_move_to_bool", "aa_move_to_bool", "infoflow4", set(["hi_w"]), cond="aa_move_to_bool_b", cond_block=True) # added rule with new type - self.validate_rule(rules[3], TRT.auditallow, "added_type", "added_type", "infoflow7", + util.validate_rule(rules[3], TRT.auditallow, "added_type", "added_type", "infoflow7", set(["super_none"])) # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block", "infoflow6", + util.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block", "infoflow6", set(["hi_r"]), cond="aa_switch_block_b", cond_block=False) def test_removed_auditallow_rules(self, analysis: setools.PolicyDifference) -> None: @@ -347,23 +347,23 @@ def test_removed_auditallow_rules(self, analysis: setools.PolicyDifference) -> N assert 5 == len(rules) # rule moved out of a conditional - self.validate_rule(rules[0], TRT.auditallow, "aa_move_from_bool", "aa_move_from_bool", + util.validate_rule(rules[0], TRT.auditallow, "aa_move_from_bool", "aa_move_from_bool", "infoflow4", set(["hi_r"]), cond="aa_move_from_bool_b", cond_block=True) # rule moved into a conditional - self.validate_rule(rules[1], TRT.auditallow, "aa_move_to_bool", "aa_move_to_bool", + util.validate_rule(rules[1], TRT.auditallow, "aa_move_to_bool", "aa_move_to_bool", "infoflow4", set(["hi_w"])) # removed rule with existing types - self.validate_rule(rules[2], TRT.auditallow, "aa_removed_rule_source", + util.validate_rule(rules[2], TRT.auditallow, "aa_removed_rule_source", "aa_removed_rule_target", "infoflow", set(["hi_r"])) # removed rule with new type - self.validate_rule(rules[3], TRT.auditallow, "removed_type", "removed_type", "infoflow7", + util.validate_rule(rules[3], TRT.auditallow, "removed_type", "removed_type", "infoflow7", set(["super_unmapped"])) # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block", "infoflow6", + util.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block", "infoflow6", set(["hi_r"]), cond="aa_switch_block_b", cond_block=True) def test_modified_auditallow_rules(self, analysis: setools.PolicyDifference) -> None: @@ -410,23 +410,23 @@ def test_added_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None assert 5 == len(rules) # added rule with new type - self.validate_rule(rules[0], TRT.dontaudit, "added_type", "added_type", "infoflow7", + util.validate_rule(rules[0], TRT.dontaudit, "added_type", "added_type", "infoflow7", set(["super_none"])) # added rule with existing types - self.validate_rule(rules[1], TRT.dontaudit, "da_added_rule_source", "da_added_rule_target", + util.validate_rule(rules[1], TRT.dontaudit, "da_added_rule_source", "da_added_rule_target", "infoflow", set(["med_w"])) # rule moved out of a conditional - self.validate_rule(rules[2], TRT.dontaudit, "da_move_from_bool", "da_move_from_bool", + util.validate_rule(rules[2], TRT.dontaudit, "da_move_from_bool", "da_move_from_bool", "infoflow4", set(["hi_r"])) # rule moved into a conditional - self.validate_rule(rules[3], TRT.dontaudit, "da_move_to_bool", "da_move_to_bool", + util.validate_rule(rules[3], TRT.dontaudit, "da_move_to_bool", "da_move_to_bool", "infoflow4", set(["hi_w"]), cond="da_move_to_bool_b", cond_block=True) # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block", "infoflow6", + util.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block", "infoflow6", set(["hi_r"]), cond="da_switch_block_b", cond_block=False) def test_removed_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None: @@ -435,23 +435,23 @@ def test_removed_dontaudit_rules(self, analysis: setools.PolicyDifference) -> No assert 5 == len(rules) # rule moved out of a conditional - self.validate_rule(rules[0], TRT.dontaudit, "da_move_from_bool", "da_move_from_bool", + util.validate_rule(rules[0], TRT.dontaudit, "da_move_from_bool", "da_move_from_bool", "infoflow4", set(["hi_r"]), cond="da_move_from_bool_b", cond_block=True) # rule moved into a conditional - self.validate_rule(rules[1], TRT.dontaudit, "da_move_to_bool", "da_move_to_bool", + util.validate_rule(rules[1], TRT.dontaudit, "da_move_to_bool", "da_move_to_bool", "infoflow4", set(["hi_w"])) # removed rule with existing types - self.validate_rule(rules[2], TRT.dontaudit, "da_removed_rule_source", + util.validate_rule(rules[2], TRT.dontaudit, "da_removed_rule_source", "da_removed_rule_target", "infoflow", set(["hi_r"])) # removed rule with new type - self.validate_rule(rules[3], TRT.dontaudit, "removed_type", "removed_type", "infoflow7", + util.validate_rule(rules[3], TRT.dontaudit, "removed_type", "removed_type", "infoflow7", set(["super_both"])) # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block", "infoflow6", + util.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block", "infoflow6", set(["hi_r"]), cond="da_switch_block_b", cond_block=True) def test_modified_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None: @@ -501,11 +501,11 @@ def test_added_neverallow_rules(self, analysis: setools.PolicyDifference) -> Non # assert 2 == len(rules) # added rule with new type - # self.validate_rule(rules[0], TRT.neverallow, "added_type", "added_type", "added_class", + # util.validate_rule(rules[0], TRT.neverallow, "added_type", "added_type", "added_class", # set(["new_class_perm"])) # added rule with existing types - # self.validate_rule(rules[1], TRT.neverallow, "na_added_rule_source", + # util.validate_rule(rules[1], TRT.neverallow, "na_added_rule_source", # "na_added_rule_target", "infoflow", set(["med_w"])) def test_removed_neverallow_rules(self, analysis: setools.PolicyDifference) -> None: @@ -516,11 +516,11 @@ def test_removed_neverallow_rules(self, analysis: setools.PolicyDifference) -> N # assert 2 == len(rules) # removed rule with existing types - # self.validate_rule(rules[0], TRT.neverallow, "na_removed_rule_source", + # util.validate_rule(rules[0], TRT.neverallow, "na_removed_rule_source", # "na_removed_rule_target", "infoflow", set(["hi_r"])) # removed rule with new type - # self.validate_rule(rules[1], TRT.neverallow, "removed_type", "removed_type", + # util.validate_rule(rules[1], TRT.neverallow, "removed_type", "removed_type", # "removed_class", set(["null_perm"])) def test_modified_neverallow_rules(self, analysis: setools.PolicyDifference) -> None: @@ -569,23 +569,23 @@ def test_added_type_transition_rules(self, analysis: setools.PolicyDifference) - assert 5 == len(rules) # added rule with new type - self.validate_rule(rules[0], TRT.type_transition, "added_type", "system", "infoflow4", + util.validate_rule(rules[0], TRT.type_transition, "added_type", "system", "infoflow4", "system") # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[1], TRT.type_transition, "system", "tt_switch_block", "infoflow6", + util.validate_rule(rules[1], TRT.type_transition, "system", "tt_switch_block", "infoflow6", "system", cond="tt_switch_block_b", cond_block=False) # added rule with existing types - self.validate_rule(rules[2], TRT.type_transition, "tt_added_rule_source", + util.validate_rule(rules[2], TRT.type_transition, "tt_added_rule_source", "tt_added_rule_target", "infoflow", "system") # rule moved out of a conditional - self.validate_rule(rules[3], TRT.type_transition, "tt_move_from_bool", "system", + util.validate_rule(rules[3], TRT.type_transition, "tt_move_from_bool", "system", "infoflow4", "system") # rule moved into a conditional - self.validate_rule(rules[4], TRT.type_transition, "tt_move_to_bool", "system", + util.validate_rule(rules[4], TRT.type_transition, "tt_move_to_bool", "system", "infoflow3", "system", cond="tt_move_to_bool_b", cond_block=True) def test_removed_type_transition_rules(self, analysis: setools.PolicyDifference) -> None: @@ -594,23 +594,23 @@ def test_removed_type_transition_rules(self, analysis: setools.PolicyDifference) assert 5 == len(rules) # removed rule with new type - self.validate_rule(rules[0], TRT.type_transition, "removed_type", "system", "infoflow4", + util.validate_rule(rules[0], TRT.type_transition, "removed_type", "system", "infoflow4", "system") # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[1], TRT.type_transition, "system", "tt_switch_block", "infoflow6", + util.validate_rule(rules[1], TRT.type_transition, "system", "tt_switch_block", "infoflow6", "system", cond="tt_switch_block_b", cond_block=True) # rule moved out of a conditional - self.validate_rule(rules[2], TRT.type_transition, "tt_move_from_bool", "system", + util.validate_rule(rules[2], TRT.type_transition, "tt_move_from_bool", "system", "infoflow4", "system", cond="tt_move_from_bool_b", cond_block=True) # rule moved into a conditional - self.validate_rule(rules[3], TRT.type_transition, "tt_move_to_bool", "system", + util.validate_rule(rules[3], TRT.type_transition, "tt_move_to_bool", "system", "infoflow3", "system") # removed rule with existing types - self.validate_rule(rules[4], TRT.type_transition, "tt_removed_rule_source", + util.validate_rule(rules[4], TRT.type_transition, "tt_removed_rule_source", "tt_removed_rule_target", "infoflow", "system") def test_modified_type_transition_rules(self, analysis: setools.PolicyDifference) -> None: @@ -635,23 +635,23 @@ def test_added_type_change_rules(self, analysis: setools.PolicyDifference) -> No assert 5 == len(rules) # added rule with new type - self.validate_rule(rules[0], TRT.type_change, "added_type", "system", "infoflow4", + util.validate_rule(rules[0], TRT.type_change, "added_type", "system", "infoflow4", "system") # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[1], TRT.type_change, "system", "tc_switch_block", "infoflow6", + util.validate_rule(rules[1], TRT.type_change, "system", "tc_switch_block", "infoflow6", "system", cond="tc_switch_block_b", cond_block=False) # added rule with existing types - self.validate_rule(rules[2], TRT.type_change, "tc_added_rule_source", + util.validate_rule(rules[2], TRT.type_change, "tc_added_rule_source", "tc_added_rule_target", "infoflow", "system") # rule moved out of a conditional - self.validate_rule(rules[3], TRT.type_change, "tc_move_from_bool", "system", + util.validate_rule(rules[3], TRT.type_change, "tc_move_from_bool", "system", "infoflow4", "system") # rule moved into a conditional - self.validate_rule(rules[4], TRT.type_change, "tc_move_to_bool", "system", + util.validate_rule(rules[4], TRT.type_change, "tc_move_to_bool", "system", "infoflow3", "system", cond="tc_move_to_bool_b", cond_block=True) def test_removed_type_change_rules(self, analysis: setools.PolicyDifference) -> None: @@ -660,23 +660,23 @@ def test_removed_type_change_rules(self, analysis: setools.PolicyDifference) -> assert 5 == len(rules) # removed rule with new type - self.validate_rule(rules[0], TRT.type_change, "removed_type", "system", "infoflow4", + util.validate_rule(rules[0], TRT.type_change, "removed_type", "system", "infoflow4", "system") # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[1], TRT.type_change, "system", "tc_switch_block", "infoflow6", + util.validate_rule(rules[1], TRT.type_change, "system", "tc_switch_block", "infoflow6", "system", cond="tc_switch_block_b", cond_block=True) # rule moved out of a conditional - self.validate_rule(rules[2], TRT.type_change, "tc_move_from_bool", "system", + util.validate_rule(rules[2], TRT.type_change, "tc_move_from_bool", "system", "infoflow4", "system", cond="tc_move_from_bool_b", cond_block=True) # rule moved into a conditional - self.validate_rule(rules[3], TRT.type_change, "tc_move_to_bool", "system", + util.validate_rule(rules[3], TRT.type_change, "tc_move_to_bool", "system", "infoflow3", "system") # removed rule with existing types - self.validate_rule(rules[4], TRT.type_change, "tc_removed_rule_source", + util.validate_rule(rules[4], TRT.type_change, "tc_removed_rule_source", "tc_removed_rule_target", "infoflow", "system") def test_modified_type_change_rules(self, analysis: setools.PolicyDifference) -> None: @@ -701,23 +701,23 @@ def test_added_type_member_rules(self, analysis: setools.PolicyDifference) -> No assert 5 == len(rules) # added rule with new type - self.validate_rule(rules[0], TRT.type_member, "added_type", "system", "infoflow4", + util.validate_rule(rules[0], TRT.type_member, "added_type", "system", "infoflow4", "system") # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[1], TRT.type_member, "system", "tm_switch_block", "infoflow6", + util.validate_rule(rules[1], TRT.type_member, "system", "tm_switch_block", "infoflow6", "system", cond="tm_switch_block_b", cond_block=False) # added rule with existing types - self.validate_rule(rules[2], TRT.type_member, "tm_added_rule_source", + util.validate_rule(rules[2], TRT.type_member, "tm_added_rule_source", "tm_added_rule_target", "infoflow", "system") # rule moved out of a conditional - self.validate_rule(rules[3], TRT.type_member, "tm_move_from_bool", "system", + util.validate_rule(rules[3], TRT.type_member, "tm_move_from_bool", "system", "infoflow4", "system") # rule moved into a conditional - self.validate_rule(rules[4], TRT.type_member, "tm_move_to_bool", "system", + util.validate_rule(rules[4], TRT.type_member, "tm_move_to_bool", "system", "infoflow3", "system", cond="tm_move_to_bool_b", cond_block=True) def test_removed_type_member_rules(self, analysis: setools.PolicyDifference) -> None: @@ -726,23 +726,23 @@ def test_removed_type_member_rules(self, analysis: setools.PolicyDifference) -> assert 5 == len(rules) # removed rule with new type - self.validate_rule(rules[0], TRT.type_member, "removed_type", "system", "infoflow4", + util.validate_rule(rules[0], TRT.type_member, "removed_type", "system", "infoflow4", "system") # rule moved from one conditional block to another (true to false) - self.validate_rule(rules[1], TRT.type_member, "system", "tm_switch_block", "infoflow6", + util.validate_rule(rules[1], TRT.type_member, "system", "tm_switch_block", "infoflow6", "system", cond="tm_switch_block_b", cond_block=True) # rule moved out of a conditional - self.validate_rule(rules[2], TRT.type_member, "tm_move_from_bool", "system", + util.validate_rule(rules[2], TRT.type_member, "tm_move_from_bool", "system", "infoflow4", "system", cond="tm_move_from_bool_b", cond_block=True) # rule moved into a conditional - self.validate_rule(rules[3], TRT.type_member, "tm_move_to_bool", "system", + util.validate_rule(rules[3], TRT.type_member, "tm_move_to_bool", "system", "infoflow3", "system") # removed rule with existing types - self.validate_rule(rules[4], TRT.type_member, "tm_removed_rule_source", + util.validate_rule(rules[4], TRT.type_member, "tm_removed_rule_source", "tm_removed_rule_target", "infoflow", "system") def test_modified_type_member_rules(self, analysis: setools.PolicyDifference) -> None: @@ -767,11 +767,11 @@ def test_added_range_transition_rules(self, analysis: setools.PolicyDifference) assert 2 == len(rules) # added rule with new type - self.validate_rule(rules[0], MRT.range_transition, "added_type", "system", "infoflow4", + util.validate_rule(rules[0], MRT.range_transition, "added_type", "system", "infoflow4", "s3") # added rule with existing types - self.validate_rule(rules[1], MRT.range_transition, "rt_added_rule_source", + util.validate_rule(rules[1], MRT.range_transition, "rt_added_rule_source", "rt_added_rule_target", "infoflow", "s3") def test_removed_range_transition_rules(self, analysis: setools.PolicyDifference) -> None: @@ -780,11 +780,11 @@ def test_removed_range_transition_rules(self, analysis: setools.PolicyDifference assert 2 == len(rules) # removed rule with new type - self.validate_rule(rules[0], MRT.range_transition, "removed_type", "system", "infoflow4", + util.validate_rule(rules[0], MRT.range_transition, "removed_type", "system", "infoflow4", "s1") # removed rule with existing types - self.validate_rule(rules[1], MRT.range_transition, "rt_removed_rule_source", + util.validate_rule(rules[1], MRT.range_transition, "rt_removed_rule_source", "rt_removed_rule_target", "infoflow", "s1") def test_modified_range_transition_rules(self, analysis: setools.PolicyDifference) -> None: @@ -842,11 +842,11 @@ def test_added_role_transition_rules(self, analysis: setools.PolicyDifference) - assert 2 == len(rules) # added rule with new role - self.validate_rule(rules[0], RRT.role_transition, "added_role", "system", "infoflow4", + util.validate_rule(rules[0], RRT.role_transition, "added_role", "system", "infoflow4", "system") # added rule with existing roles - self.validate_rule(rules[1], RRT.role_transition, "role_tr_added_rule_source", + util.validate_rule(rules[1], RRT.role_transition, "role_tr_added_rule_source", "role_tr_added_rule_target", "infoflow6", "system") def test_removed_role_transition_rules(self, analysis: setools.PolicyDifference) -> None: @@ -855,11 +855,11 @@ def test_removed_role_transition_rules(self, analysis: setools.PolicyDifference) assert 2 == len(rules) # removed rule with new role - self.validate_rule(rules[0], RRT.role_transition, "removed_role", "system", "infoflow4", + util.validate_rule(rules[0], RRT.role_transition, "removed_role", "system", "infoflow4", "system") # removed rule with existing roles - self.validate_rule(rules[1], RRT.role_transition, "role_tr_removed_rule_source", + util.validate_rule(rules[1], RRT.role_transition, "role_tr_removed_rule_source", "role_tr_removed_rule_target", "infoflow5", "system") def test_modified_role_transition_rules(self, analysis: setools.PolicyDifference) -> None: @@ -1558,11 +1558,11 @@ def test_added_allowxperm_rules(self, analysis: setools.PolicyDifference) -> Non assert 2 == len(rules) # added rule with new type - self.validate_rule(rules[0], TRT.allowxperm, "added_type", "added_type", "infoflow7", + util.validate_rule(rules[0], TRT.allowxperm, "added_type", "added_type", "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") # added rule with existing types - self.validate_rule(rules[1], TRT.allowxperm, "ax_added_rule_source", "ax_added_rule_target", + util.validate_rule(rules[1], TRT.allowxperm, "ax_added_rule_source", "ax_added_rule_target", "infoflow", setools.IoctlSet([0x0002]), xperm="ioctl") def test_removed_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None: @@ -1571,12 +1571,12 @@ def test_removed_allowxperm_rules(self, analysis: setools.PolicyDifference) -> N assert 2 == len(rules) # removed rule with existing types - self.validate_rule(rules[0], TRT.allowxperm, "ax_removed_rule_source", + util.validate_rule(rules[0], TRT.allowxperm, "ax_removed_rule_source", "ax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), xperm="ioctl") # removed rule with new type - self.validate_rule(rules[1], TRT.allowxperm, "removed_type", "removed_type", "infoflow7", + util.validate_rule(rules[1], TRT.allowxperm, "removed_type", "removed_type", "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") def test_modified_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None: @@ -1623,12 +1623,12 @@ def test_added_auditallowxperm_rules(self, analysis: setools.PolicyDifference) - assert 2 == len(rules) # added rule with existing types - self.validate_rule(rules[0], TRT.auditallowxperm, "aax_added_rule_source", + util.validate_rule(rules[0], TRT.auditallowxperm, "aax_added_rule_source", "aax_added_rule_target", "infoflow", setools.IoctlSet([0x0002]), xperm="ioctl") # added rule with new type - self.validate_rule(rules[1], TRT.auditallowxperm, "added_type", "added_type", "infoflow7", + util.validate_rule(rules[1], TRT.auditallowxperm, "added_type", "added_type", "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") def test_removed_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: @@ -1637,12 +1637,12 @@ def test_removed_auditallowxperm_rules(self, analysis: setools.PolicyDifference) assert 2 == len(rules) # removed rule with existing types - self.validate_rule(rules[0], TRT.auditallowxperm, "aax_removed_rule_source", + util.validate_rule(rules[0], TRT.auditallowxperm, "aax_removed_rule_source", "aax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), xperm="ioctl") # removed rule with new type - self.validate_rule(rules[1], TRT.auditallowxperm, "removed_type", "removed_type", + util.validate_rule(rules[1], TRT.auditallowxperm, "removed_type", "removed_type", "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") def test_modified_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: @@ -1691,11 +1691,11 @@ def test_added_neverallowxperm_rules(self, analysis: setools.PolicyDifference) - # assert 2 == len(rules) # # # added rule with new type - # self.validate_rule(rules[0], TRT.neverallowxperm, "added_type", "added_type", + # util.validate_rule(rules[0], TRT.neverallowxperm, "added_type", "added_type", # "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") # # # added rule with existing types - # self.validate_rule(rules[1], TRT.neverallowxperm, "nax_added_rule_source", + # util.validate_rule(rules[1], TRT.neverallowxperm, "nax_added_rule_source", # "nax_added_rule_target", "infoflow", setools.IoctlSet([0x0002]), # xperm="ioctl") @@ -1707,12 +1707,12 @@ def test_removed_neverallowxperm_rules(self, analysis: setools.PolicyDifference) # assert 2 == len(rules) # # # removed rule with existing types - # self.validate_rule(rules[0], TRT.neverallowxperm, "nax_removed_rule_source", + # util.validate_rule(rules[0], TRT.neverallowxperm, "nax_removed_rule_source", # "nax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), # xperm="ioctl") # # # removed rule with new type - # self.validate_rule(rules[1], TRT.neverallowxperm, "removed_type", "removed_type", + # util.validate_rule(rules[1], TRT.neverallowxperm, "removed_type", "removed_type", # "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") def test_modified_neverallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: @@ -1761,11 +1761,11 @@ def test_added_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> assert 2 == len(rules) # added rule with new type - self.validate_rule(rules[0], TRT.dontauditxperm, "added_type", "added_type", "infoflow7", + util.validate_rule(rules[0], TRT.dontauditxperm, "added_type", "added_type", "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") # added rule with existing types - self.validate_rule(rules[1], TRT.dontauditxperm, "dax_added_rule_source", + util.validate_rule(rules[1], TRT.dontauditxperm, "dax_added_rule_source", "dax_added_rule_target", "infoflow", setools.IoctlSet([0x0002]), xperm="ioctl") @@ -1775,12 +1775,12 @@ def test_removed_dontauditxperm_rules(self, analysis: setools.PolicyDifference) assert 2 == len(rules) # removed rule with existing types - self.validate_rule(rules[0], TRT.dontauditxperm, "dax_removed_rule_source", + util.validate_rule(rules[0], TRT.dontauditxperm, "dax_removed_rule_source", "dax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), xperm="ioctl") # removed rule with new type - self.validate_rule(rules[1], TRT.dontauditxperm, "removed_type", "removed_type", + util.validate_rule(rules[1], TRT.dontauditxperm, "removed_type", "removed_type", "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") def test_modified_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> None: diff --git a/tests/library/test_dta.py b/tests/library/test_dta.py index a7e43478..f91755de 100644 --- a/tests/library/test_dta.py +++ b/tests/library/test_dta.py @@ -8,7 +8,7 @@ import setools from setools import TERuletype as TERT -from . import mixins +from . import util @pytest.fixture @@ -19,7 +19,7 @@ def analysis(compiled_policy: setools.SELinuxPolicy) -> setools.DomainTransition @pytest.mark.obj_args("tests/library/dta.conf") -class TestDomainTransitionAnalysis(mixins.ValidateRule): +class TestDomainTransitionAnalysis: def test_graph_structure(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: verify graph structure.""" @@ -52,12 +52,12 @@ def test_bothtrans(self, analysis: setools.DomainTransitionAnalysis) -> None: # regular transition r = analysis.G.edges[s, t]["transition"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition", "dyntransition"])) + util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition", "dyntransition"])) # setexec perms r = analysis.G.edges[s, t]["setexec"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec", "setcurrent"])) + util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec", "setcurrent"])) # exec perms k = sorted(analysis.G.edges[s, t]["execute"].keys()) @@ -65,7 +65,7 @@ def test_bothtrans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["execute"][e] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) # entrypoint perms k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) @@ -73,7 +73,7 @@ def test_bothtrans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["entrypoint"][e] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) # type_transition k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) @@ -81,17 +81,17 @@ def test_bothtrans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["type_transition"][e] assert len(r) == 1 - self.validate_rule(r[0], TERT.type_transition, s, e, "process", t) + util.validate_rule(r[0], TERT.type_transition, s, e, "process", t) # dynamic transition r = analysis.G.edges[s, t]["dyntransition"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition", "dyntransition"])) + util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition", "dyntransition"])) # setcurrent r = analysis.G.edges[s, t]["setcurrent"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec", "setcurrent"])) + util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec", "setcurrent"])) def test_dyntrans(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: setcon() transition.""" @@ -122,12 +122,12 @@ def test_dyntrans(self, analysis: setools.DomainTransitionAnalysis) -> None: # dynamic transition r = analysis.G.edges[s, t]["dyntransition"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, t, "process", set(["dyntransition"])) + util.validate_rule(r[0], TERT.allow, s, t, "process", set(["dyntransition"])) # setcurrent r = analysis.G.edges[s, t]["setcurrent"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, s, "process", set(["setcurrent"])) + util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setcurrent"])) def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: type_transition transition.""" @@ -139,7 +139,7 @@ def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: # regular transition r = analysis.G.edges[s, t]["transition"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) + util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) # setexec perms r = analysis.G.edges[s, t]["setexec"] @@ -151,7 +151,7 @@ def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["execute"][e] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) # entrypoint perms k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) @@ -159,7 +159,7 @@ def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["entrypoint"][e] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) # type_transition k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) @@ -167,7 +167,7 @@ def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["type_transition"][e] assert len(r) == 1 - self.validate_rule(r[0], TERT.type_transition, s, e, "process", t) + util.validate_rule(r[0], TERT.type_transition, s, e, "process", t) # dynamic transition r = analysis.G.edges[s, t]["dyntransition"] @@ -187,12 +187,12 @@ def test_setexec(self, analysis: setools.DomainTransitionAnalysis) -> None: # regular transition r = analysis.G.edges[s, t]["transition"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) + util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) # setexec perms r = analysis.G.edges[s, t]["setexec"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec"])) + util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec"])) # exec perms k = sorted(analysis.G.edges[s, t]["execute"].keys()) @@ -200,7 +200,7 @@ def test_setexec(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["execute"][e] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) # entrypoint perms k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) @@ -208,7 +208,7 @@ def test_setexec(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["entrypoint"][e] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) # type_transition k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) @@ -233,12 +233,12 @@ def test_two_entrypoint(self, analysis: setools.DomainTransitionAnalysis) -> Non # regular transition r = analysis.G.edges[s, t]["transition"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) + util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) # setexec perms r = analysis.G.edges[s, t]["setexec"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec"])) + util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec"])) # exec perms k = sorted(analysis.G.edges[s, t]["execute"].keys()) @@ -246,11 +246,11 @@ def test_two_entrypoint(self, analysis: setools.DomainTransitionAnalysis) -> Non r = analysis.G.edges[s, t]["execute"][e[0]] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, e[0], "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e[0], "file", set(["execute"])) r = analysis.G.edges[s, t]["execute"][e[1]] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, e[1], "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e[1], "file", set(["execute"])) # entrypoint perms k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) @@ -258,11 +258,11 @@ def test_two_entrypoint(self, analysis: setools.DomainTransitionAnalysis) -> Non r = analysis.G.edges[s, t]["entrypoint"][e[0]] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, t, e[0], "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e[0], "file", set(["entrypoint"])) r = analysis.G.edges[s, t]["entrypoint"][e[1]] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, t, e[1], "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e[1], "file", set(["entrypoint"])) # type_transition k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) @@ -270,7 +270,7 @@ def test_two_entrypoint(self, analysis: setools.DomainTransitionAnalysis) -> Non r = analysis.G.edges[s, t]["type_transition"][e[0]] assert len(r) == 1 - self.validate_rule(r[0], TERT.type_transition, s, e[0], "process", t) + util.validate_rule(r[0], TERT.type_transition, s, e[0], "process", t) # dynamic transition r = analysis.G.edges[s, t]["dyntransition"] @@ -290,7 +290,7 @@ def test_cond_type_trans(self, analysis: setools.DomainTransitionAnalysis) -> No # regular transition r = analysis.G.edges[s, t]["transition"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) + util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) # setexec perms r = analysis.G.edges[s, t]["setexec"] @@ -302,7 +302,7 @@ def test_cond_type_trans(self, analysis: setools.DomainTransitionAnalysis) -> No r = analysis.G.edges[s, t]["execute"][e] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) # entrypoint perms k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) @@ -310,7 +310,7 @@ def test_cond_type_trans(self, analysis: setools.DomainTransitionAnalysis) -> No r = analysis.G.edges[s, t]["entrypoint"][e] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) # type_transition k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) @@ -318,7 +318,7 @@ def test_cond_type_trans(self, analysis: setools.DomainTransitionAnalysis) -> No r = analysis.G.edges[s, t]["type_transition"][e] assert len(r) == 1 - self.validate_rule(r[0], TERT.type_transition, s, e, "process", t, cond="trans5") + util.validate_rule(r[0], TERT.type_transition, s, e, "process", t, cond="trans5") # dynamic transition r = analysis.G.edges[s, t]["dyntransition"] diff --git a/tests/library/test_infoflow.py b/tests/library/test_infoflow.py index c418c8fd..b0f765c0 100644 --- a/tests/library/test_infoflow.py +++ b/tests/library/test_infoflow.py @@ -9,7 +9,7 @@ import setools from setools import TERuletype as TERT -from . import mixins +from . import util # Note: the testing for having correct rules on every edge is only @@ -26,7 +26,7 @@ def analysis(compiled_policy: setools.SELinuxPolicy) -> setools.InfoFlowAnalysis @pytest.mark.obj_args("tests/library/infoflow.conf") -class TestInfoFlowAnalysis(mixins.ValidateRule): +class TestInfoFlowAnalysis: def test_full_graph(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis full graph.""" @@ -63,54 +63,54 @@ def test_full_graph(self, analysis: setools.InfoFlowAnalysis) -> None: r = analysis.G.edges[disconnected1, disconnected2]["rules"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", "infoflow2", + util.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", "infoflow2", set(["super"])) r = analysis.G.edges[disconnected2, disconnected1]["rules"] assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", "infoflow2", + util.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", "infoflow2", set(["super"])) r = sorted(analysis.G.edges[node1, node2]["rules"]) assert len(r) == 2 - self.validate_rule(r[0], TERT.allow, "node1", "node2", "infoflow", set(["med_w"])) - self.validate_rule(r[1], TERT.allow, "node2", "node1", "infoflow", set(["hi_r"])) + util.validate_rule(r[0], TERT.allow, "node1", "node2", "infoflow", set(["med_w"])) + util.validate_rule(r[1], TERT.allow, "node2", "node1", "infoflow", set(["hi_r"])) r = sorted(analysis.G.edges[node1, node3]["rules"]) assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, "node3", "node1", "infoflow", set(["low_r", "med_r"])) + util.validate_rule(r[0], TERT.allow, "node3", "node1", "infoflow", set(["low_r", "med_r"])) r = sorted(analysis.G.edges[node2, node4]["rules"]) assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, "node2", "node4", "infoflow", set(["hi_w"])) + util.validate_rule(r[0], TERT.allow, "node2", "node4", "infoflow", set(["hi_w"])) r = sorted(analysis.G.edges[node3, node5]["rules"]) assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, "node5", "node3", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TERT.allow, "node5", "node3", "infoflow", set(["low_r"])) r = sorted(analysis.G.edges[node4, node6]["rules"]) assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, "node4", "node6", "infoflow2", set(["hi_w"])) + util.validate_rule(r[0], TERT.allow, "node4", "node6", "infoflow2", set(["hi_w"])) r = sorted(analysis.G.edges[node5, node8]["rules"]) assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, "node5", "node8", "infoflow2", set(["hi_w"])) + util.validate_rule(r[0], TERT.allow, "node5", "node8", "infoflow2", set(["hi_w"])) r = sorted(analysis.G.edges[node6, node5]["rules"]) assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, "node5", "node6", "infoflow", set(["med_r"])) + util.validate_rule(r[0], TERT.allow, "node5", "node6", "infoflow", set(["med_r"])) r = sorted(analysis.G.edges[node6, node7]["rules"]) assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, "node6", "node7", "infoflow", set(["hi_w"])) + util.validate_rule(r[0], TERT.allow, "node6", "node7", "infoflow", set(["hi_w"])) r = sorted(analysis.G.edges[node8, node9]["rules"]) assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, "node8", "node9", "infoflow2", set(["super"])) + util.validate_rule(r[0], TERT.allow, "node8", "node9", "infoflow2", set(["super"])) r = sorted(analysis.G.edges[node9, node8]["rules"]) assert len(r) == 1 - self.validate_rule(r[0], TERT.allow, "node8", "node9", "infoflow2", set(["super"])) + util.validate_rule(r[0], TERT.allow, "node8", "node9", "infoflow2", set(["super"])) def test_minimum_3(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis with minimum weight 3.""" diff --git a/tests/library/test_mlsrulequery.py b/tests/library/test_mlsrulequery.py index ecb5dd66..d90d1ccc 100644 --- a/tests/library/test_mlsrulequery.py +++ b/tests/library/test_mlsrulequery.py @@ -7,7 +7,7 @@ from setools import MLSRuleQuery from setools import MLSRuletype as RT -from . import mixins +from . import util # Note: the test policy has been written assuming range_transition # statements could have attributes. However, range_transition @@ -17,7 +17,7 @@ @pytest.mark.obj_args("tests/library/mlsrulequery.conf") -class TestMLSRuleQuery(mixins.ValidateRule): +class TestMLSRuleQuery: def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with no criteria.""" @@ -36,7 +36,7 @@ def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test1s", "test1t", "infoflow", "s0") + util.validate_rule(r[0], RT.range_transition, "test1s", "test1t", "infoflow", "s0") def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with regex, direct, source match.""" @@ -45,8 +45,8 @@ def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], RT.range_transition, "test3s", "test3t", "infoflow", "s1") - self.validate_rule(r[1], RT.range_transition, "test3s", "test3t", "infoflow2", "s2") + util.validate_rule(r[0], RT.range_transition, "test3s", "test3t", "infoflow", "s1") + util.validate_rule(r[1], RT.range_transition, "test3s", "test3t", "infoflow2", "s2") def test_issue111(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with attribute source criteria, indirect match.""" @@ -55,8 +55,8 @@ def test_issue111(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], RT.range_transition, "test5t1", "test5target", "infoflow", "s1") - self.validate_rule(r[1], RT.range_transition, "test5t2", "test5target", "infoflow7", "s2") + util.validate_rule(r[0], RT.range_transition, "test5t1", "test5target", "infoflow", "s1") + util.validate_rule(r[1], RT.range_transition, "test5t2", "test5target", "infoflow7", "s2") def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with exact, direct, target match.""" @@ -65,8 +65,8 @@ def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], RT.range_transition, "test10s", "test10t", "infoflow", "s0") - self.validate_rule(r[1], RT.range_transition, "test10s", "test10t", "infoflow2", "s1") + util.validate_rule(r[0], RT.range_transition, "test10s", "test10t", "infoflow", "s0") + util.validate_rule(r[1], RT.range_transition, "test10s", "test10t", "infoflow2", "s1") def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with regex, direct, target match.""" @@ -75,7 +75,7 @@ def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test12s", "test12aFAIL", "infoflow", "s2") + util.validate_rule(r[0], RT.range_transition, "test12s", "test12aFAIL", "infoflow", "s2") def test_issue111_2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with attribute target criteria, indirect match.""" @@ -84,8 +84,8 @@ def test_issue111_2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], RT.range_transition, "test14source", "test14t1", "infoflow", "s1") - self.validate_rule(r[1], RT.range_transition, "test14source", "test14t2", "infoflow7", + util.validate_rule(r[0], RT.range_transition, "test14source", "test14t1", "infoflow", "s1") + util.validate_rule(r[1], RT.range_transition, "test14source", "test14t2", "infoflow7", "s2") def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -95,8 +95,8 @@ def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], RT.range_transition, "test21", "test21", "infoflow3", "s2") - self.validate_rule(r[1], RT.range_transition, "test21", "test21", "infoflow4", "s1") + util.validate_rule(r[0], RT.range_transition, "test21", "test21", "infoflow3", "s2") + util.validate_rule(r[1], RT.range_transition, "test21", "test21", "infoflow4", "s1") def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with object class regex match.""" @@ -104,8 +104,8 @@ def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], RT.range_transition, "test22", "test22", "infoflow5", "s1") - self.validate_rule(r[1], RT.range_transition, "test22", "test22", "infoflow6", "s2") + util.validate_rule(r[0], RT.range_transition, "test22", "test22", "infoflow5", "s1") + util.validate_rule(r[1], RT.range_transition, "test22", "test22", "infoflow6", "s2") def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range exact match""" @@ -113,7 +113,7 @@ def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test40", "test40", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test40", "test40", "infoflow", "s40:c1 - s40:c0.c4") def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -122,7 +122,7 @@ def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", "s41:c1 - s41:c1.c3") def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -131,7 +131,7 @@ def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", "s41:c1 - s41:c1.c3") def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -140,7 +140,7 @@ def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", "s41:c1 - s41:c1.c3") def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -149,7 +149,7 @@ def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", "s41:c1 - s41:c1.c3") def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -158,7 +158,7 @@ def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", "s41:c1 - s41:c1.c3") def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -167,7 +167,7 @@ def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test42", "test42", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test42", "test42", "infoflow", "s42:c1 - s42:c1.c3") def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -176,7 +176,7 @@ def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test42", "test42", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test42", "test42", "infoflow", "s42:c1 - s42:c1.c3") def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -185,7 +185,7 @@ def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test43", "test43", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test43", "test43", "infoflow", "s43:c1 - s43:c1.c3") def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -194,7 +194,7 @@ def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test43", "test43", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test43", "test43", "infoflow", "s43:c1 - s43:c1.c3") def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -204,7 +204,7 @@ def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> N r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", "s44:c1 - s44:c1.c3") def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -222,7 +222,7 @@ def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> N r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", "s44:c1 - s44:c1.c3") def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -232,7 +232,7 @@ def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> N r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", "s44:c1 - s44:c1.c3") def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -242,7 +242,7 @@ def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", "s45:c1 - s45:c1.c3") def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -260,7 +260,7 @@ def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", "s45:c1 - s45:c1.c3") def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -270,7 +270,7 @@ def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", + util.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", "s45:c1 - s45:c1.c3") def test_invalid_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: diff --git a/tests/library/test_rbacrulequery.py b/tests/library/test_rbacrulequery.py index 9166dba1..a5c31979 100644 --- a/tests/library/test_rbacrulequery.py +++ b/tests/library/test_rbacrulequery.py @@ -10,11 +10,11 @@ from setools import RBACRuletype as RRT from setools.exception import RuleUseError, RuleNotConditional -from . import mixins +from . import util @pytest.mark.obj_args("tests/library/rbacrulequery.conf") -class TestRBACRuleQuery(mixins.ValidateRule): +class TestRBACRuleQuery: """RBAC rule query unit tests.""" @@ -49,7 +49,7 @@ def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: assert len(r) == 2 self.validate_allow(r[0], "test1s", "test1t") - self.validate_rule(r[1], RRT.role_transition, "test1s", "system", "infoflow", "test1t") + util.validate_rule(r[1], RRT.role_transition, "test1s", "system", "infoflow", "test1t") def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with regex, direct, source match.""" @@ -84,7 +84,7 @@ def test_target_type(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RRT.role_transition, "test12s", "test12t", "infoflow", "test12d") + util.validate_rule(r[0], RRT.role_transition, "test12s", "test12t", "infoflow", "test12d") def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with object class list match.""" @@ -93,8 +93,8 @@ def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], RRT.role_transition, "test21", "system", "infoflow3", "test21d3") - self.validate_rule(r[1], RRT.role_transition, "test21", "system", "infoflow4", "test21d2") + util.validate_rule(r[0], RRT.role_transition, "test21", "system", "infoflow3", "test21d3") + util.validate_rule(r[1], RRT.role_transition, "test21", "system", "infoflow4", "test21d2") def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with object class regex match.""" @@ -102,8 +102,8 @@ def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], RRT.role_transition, "test22", "system", "infoflow5", "test22d2") - self.validate_rule(r[1], RRT.role_transition, "test22", "system", "infoflow6", "test22d3") + util.validate_rule(r[0], RRT.role_transition, "test22", "system", "infoflow5", "test22d2") + util.validate_rule(r[1], RRT.role_transition, "test22", "system", "infoflow6", "test22d3") def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with exact default match.""" @@ -112,7 +112,7 @@ def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], RRT.role_transition, "test30s", "system", "infoflow", "test30d") + util.validate_rule(r[0], RRT.role_transition, "test30s", "system", "infoflow", "test30d") def test_default_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with regex default match.""" @@ -121,8 +121,8 @@ def test_default_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], RRT.role_transition, "test31s", "system", "infoflow7", "test31d3") - self.validate_rule(r[1], RRT.role_transition, "test31s", "system", "process", "test31d2") + util.validate_rule(r[0], RRT.role_transition, "test31s", "system", "infoflow7", "test31d3") + util.validate_rule(r[1], RRT.role_transition, "test31s", "system", "process", "test31d2") def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with rule type.""" diff --git a/tests/library/test_terulequery.py b/tests/library/test_terulequery.py index 4673b632..cc996e78 100644 --- a/tests/library/test_terulequery.py +++ b/tests/library/test_terulequery.py @@ -9,11 +9,11 @@ from setools import TERuleQuery from setools import TERuletype as TRT -from . import mixins +from . import util @pytest.mark.obj_args("tests/library/terulequery.conf") -class TestTERuleQuery(mixins.ValidateRule): +class TestTERuleQuery: """Type enforcement rule query unit tests.""" @@ -34,7 +34,7 @@ def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allow, "test1a", "test1t", "infoflow", set(["hi_w"])) + util.validate_rule(r[0], TRT.allow, "test1a", "test1t", "infoflow", set(["hi_w"])) def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with exact, indirect, source match.""" @@ -43,7 +43,7 @@ def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allow, "test2a", "test2t", "infoflow", set(["hi_w"])) + util.validate_rule(r[0], TRT.allow, "test2a", "test2t", "infoflow", set(["hi_w"])) def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, direct, source match.""" @@ -52,7 +52,7 @@ def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allow, "test3aS", "test3t", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TRT.allow, "test3aS", "test3t", "infoflow", set(["low_r"])) def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, indirect, source match.""" @@ -61,8 +61,8 @@ def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allow, "test4a1", "test4a1", "infoflow", set(["hi_w"])) - self.validate_rule(r[1], TRT.allow, "test4a2", "test4a2", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TRT.allow, "test4a1", "test4a1", "infoflow", set(["hi_w"])) + util.validate_rule(r[1], TRT.allow, "test4a2", "test4a2", "infoflow", set(["low_r"])) def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with exact, direct, target match.""" @@ -71,7 +71,7 @@ def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allow, "test5s", "test5a", "infoflow", set(["hi_w"])) + util.validate_rule(r[0], TRT.allow, "test5s", "test5a", "infoflow", set(["hi_w"])) def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with exact, indirect, target match.""" @@ -80,8 +80,8 @@ def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allow, "test6s", "test6a", "infoflow", set(["hi_w"])) - self.validate_rule(r[1], TRT.allow, "test6s", "test6t", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TRT.allow, "test6s", "test6a", "infoflow", set(["hi_w"])) + util.validate_rule(r[1], TRT.allow, "test6s", "test6t", "infoflow", set(["low_r"])) def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, direct, target match.""" @@ -90,7 +90,7 @@ def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allow, "test7s", "test7aPASS", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TRT.allow, "test7s", "test7aPASS", "infoflow", set(["low_r"])) def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, indirect, target match.""" @@ -99,8 +99,8 @@ def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allow, "test8a1", "test8a1", "infoflow", set(["hi_w"])) - self.validate_rule(r[1], TRT.allow, "test8a2", "test8a2", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TRT.allow, "test8a1", "test8a1", "infoflow", set(["hi_w"])) + util.validate_rule(r[1], TRT.allow, "test8a2", "test8a2", "infoflow", set(["low_r"])) def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with object class list match.""" @@ -109,8 +109,8 @@ def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allow, "test10", "test10", "infoflow3", set(["null"])) - self.validate_rule(r[1], TRT.allow, "test10", "test10", "infoflow4", set(["hi_w"])) + util.validate_rule(r[0], TRT.allow, "test10", "test10", "infoflow3", set(["null"])) + util.validate_rule(r[1], TRT.allow, "test10", "test10", "infoflow4", set(["hi_w"])) def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with object class regex match.""" @@ -118,8 +118,8 @@ def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allow, "test11", "test11", "infoflow5", set(["low_w"])) - self.validate_rule(r[1], TRT.allow, "test11", "test11", "infoflow6", set(["med_r"])) + util.validate_rule(r[0], TRT.allow, "test11", "test11", "infoflow5", set(["low_w"])) + util.validate_rule(r[1], TRT.allow, "test11", "test11", "infoflow6", set(["med_r"])) def test_perms_any(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with permission set intersection.""" @@ -127,8 +127,8 @@ def test_perms_any(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allow, "test12a", "test12a", "infoflow7", set(["super_r"])) - self.validate_rule(r[1], TRT.allow, "test12b", "test12b", "infoflow7", + util.validate_rule(r[0], TRT.allow, "test12a", "test12a", "infoflow7", set(["super_r"])) + util.validate_rule(r[1], TRT.allow, "test12b", "test12b", "infoflow7", set(["super_r", "super_none"])) def test_perms_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -138,7 +138,7 @@ def test_perms_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allow, "test13c", "test13c", "infoflow7", + util.validate_rule(r[0], TRT.allow, "test13c", "test13c", "infoflow7", set(["super_w", "super_none", "super_both"])) def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -147,9 +147,9 @@ def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.auditallow, "test14", "test14", "infoflow7", + util.validate_rule(r[0], TRT.auditallow, "test14", "test14", "infoflow7", set(["super_both"])) - self.validate_rule(r[1], TRT.dontaudit, "test14", "test14", "infoflow7", + util.validate_rule(r[1], TRT.dontaudit, "test14", "test14", "infoflow7", set(["super_unmapped"])) def test_perms_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -158,9 +158,9 @@ def test_perms_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allow, "test13c", "test13c", "infoflow7", + util.validate_rule(r[0], TRT.allow, "test13c", "test13c", "infoflow7", set(["super_w", "super_none", "super_both"])) - self.validate_rule(r[1], TRT.allow, "test13d", "test13d", "infoflow7", + util.validate_rule(r[1], TRT.allow, "test13d", "test13d", "infoflow7", set(["super_w", "super_none", "super_both", "super_unmapped"])) def test_perms_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -171,7 +171,7 @@ def test_perms_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allow, "test13d", "test13d", "infoflow7", + util.validate_rule(r[0], TRT.allow, "test13d", "test13d", "infoflow7", set(["super_w", "super_none", "super_both", "super_unmapped"])) def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -180,7 +180,7 @@ def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.type_transition, "test100", "test100", "infoflow7", "test100d") + util.validate_rule(r[0], TRT.type_transition, "test100", "test100", "infoflow7", "test100d") def test_default_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with default type regex match.""" @@ -188,9 +188,9 @@ def test_default_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.type_transition, "test101", "test101d", "infoflow7", + util.validate_rule(r[0], TRT.type_transition, "test101", "test101d", "infoflow7", "test101e") - self.validate_rule(r[1], TRT.type_transition, "test101", "test101e", "infoflow7", + util.validate_rule(r[1], TRT.type_transition, "test101", "test101e", "infoflow7", "test101d") def test_boolean_intersection(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -199,9 +199,9 @@ def test_boolean_intersection(self, compiled_policy: setools.SELinuxPolicy) -> N r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allow, "test200t1", "test200t1", "infoflow7", + util.validate_rule(r[0], TRT.allow, "test200t1", "test200t1", "infoflow7", set(["super_w"]), cond="test200") - self.validate_rule(r[1], TRT.allow, "test200t2", "test200t2", "infoflow7", + util.validate_rule(r[1], TRT.allow, "test200t2", "test200t2", "infoflow7", set(["super_w"]), cond="test200a && test200") def test_boolean_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -210,7 +210,7 @@ def test_boolean_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allow, "test201t1", "test201t1", "infoflow7", + util.validate_rule(r[0], TRT.allow, "test201t1", "test201t1", "infoflow7", set(["super_unmapped"]), cond="test201b && test201a") def test_boolean_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -219,9 +219,9 @@ def test_boolean_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allow, "test202t1", "test202t1", "infoflow7", + util.validate_rule(r[0], TRT.allow, "test202t1", "test202t1", "infoflow7", set(["super_none"]), cond="test202a") - self.validate_rule(r[1], TRT.allow, "test202t2", "test202t2", "infoflow7", + util.validate_rule(r[1], TRT.allow, "test202t2", "test202t2", "infoflow7", set(["super_unmapped"]), cond="test202b || test202c") def test_issue111(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -231,11 +231,11 @@ def test_issue111(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 4 - self.validate_rule(r[0], TRT.allow, "test300a", "test300target", "infoflow7", set(["hi_w"])) - self.validate_rule(r[1], TRT.allow, "test300b", "test300target", "infoflow7", + util.validate_rule(r[0], TRT.allow, "test300a", "test300target", "infoflow7", set(["hi_w"])) + util.validate_rule(r[1], TRT.allow, "test300b", "test300target", "infoflow7", set(["super_w"])) - self.validate_rule(r[2], TRT.allow, "test300t1", "test300t1", "infoflow7", set(["hi_r"])) - self.validate_rule(r[3], TRT.allow, "test300t2", "test300t2", "infoflow7", set(["med_w"])) + util.validate_rule(r[2], TRT.allow, "test300t1", "test300t1", "infoflow7", set(["hi_r"])) + util.validate_rule(r[3], TRT.allow, "test300t2", "test300t2", "infoflow7", set(["med_w"])) def test_issue111_2(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with attribute target criteria, indirect match.""" @@ -244,11 +244,11 @@ def test_issue111_2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 4 - self.validate_rule(r[0], TRT.allow, "test301source", "test301a", "infoflow7", set(["hi_w"])) - self.validate_rule(r[1], TRT.allow, "test301source", "test301b", "infoflow7", + util.validate_rule(r[0], TRT.allow, "test301source", "test301a", "infoflow7", set(["hi_w"])) + util.validate_rule(r[1], TRT.allow, "test301source", "test301b", "infoflow7", set(["super_w"])) - self.validate_rule(r[2], TRT.allow, "test301t1", "test301t1", "infoflow7", set(["hi_r"])) - self.validate_rule(r[3], TRT.allow, "test301t2", "test301t2", "infoflow7", set(["med_w"])) + util.validate_rule(r[2], TRT.allow, "test301t1", "test301t1", "infoflow7", set(["hi_r"])) + util.validate_rule(r[3], TRT.allow, "test301t2", "test301t2", "infoflow7", set(["med_w"])) def test_issue111_3(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with attribute default type criteria.""" @@ -257,14 +257,14 @@ def test_issue111_3(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.type_transition, "test302source", "test302t1", "infoflow7", + util.validate_rule(r[0], TRT.type_transition, "test302source", "test302t1", "infoflow7", "test302t1") - self.validate_rule(r[1], TRT.type_transition, "test302source", "test302t2", "infoflow7", + util.validate_rule(r[1], TRT.type_transition, "test302source", "test302t2", "infoflow7", "test302t2") @pytest.mark.obj_args("tests/library/terulequery2.conf") -class TERuleQueryXperm(mixins.ValidateRule): +class TERuleQueryXperm: """TE Rule Query with extended permission rules.""" @@ -275,7 +275,7 @@ def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allowxperm, "test1a", "test1t", "infoflow", + util.validate_rule(r[0], TRT.allowxperm, "test1a", "test1t", "infoflow", setools.IoctlSet(range(0xebe0, 0xebff + 1)), xperm="ioctl") def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -285,7 +285,7 @@ def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allowxperm, "test2a", "test2t", "infoflow", + util.validate_rule(r[0], TRT.allowxperm, "test2a", "test2t", "infoflow", setools.IoctlSet([0x5411, 0x5451]), xperm="ioctl") def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -295,7 +295,7 @@ def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allowxperm, "test3aS", "test3t", "infoflow", + util.validate_rule(r[0], TRT.allowxperm, "test3aS", "test3t", "infoflow", setools.IoctlSet([0x1111]), xperm="ioctl") def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -305,9 +305,9 @@ def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allowxperm, "test4a1", "test4a1", "infoflow", + util.validate_rule(r[0], TRT.allowxperm, "test4a1", "test4a1", "infoflow", setools.IoctlSet([0x9999]), xperm="ioctl") - self.validate_rule(r[1], TRT.allowxperm, "test4a2", "test4a2", "infoflow", + util.validate_rule(r[1], TRT.allowxperm, "test4a2", "test4a2", "infoflow", setools.IoctlSet([0x1111]), xperm="ioctl") def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -317,7 +317,7 @@ def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allowxperm, "test5s", "test5a", "infoflow", + util.validate_rule(r[0], TRT.allowxperm, "test5s", "test5a", "infoflow", setools.IoctlSet([0x9999]), xperm="ioctl") def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -327,9 +327,9 @@ def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allowxperm, "test6s", "test6a", "infoflow", + util.validate_rule(r[0], TRT.allowxperm, "test6s", "test6a", "infoflow", setools.IoctlSet([0x9999]), xperm="ioctl") - self.validate_rule(r[1], TRT.allowxperm, "test6s", "test6t", "infoflow", + util.validate_rule(r[1], TRT.allowxperm, "test6s", "test6t", "infoflow", setools.IoctlSet([0x1111]), xperm="ioctl") def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -339,7 +339,7 @@ def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allowxperm, "test7s", "test7aPASS", "infoflow", + util.validate_rule(r[0], TRT.allowxperm, "test7s", "test7aPASS", "infoflow", setools.IoctlSet([0x1111]), xperm="ioctl") def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -349,9 +349,9 @@ def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allowxperm, "test8a1", "test8a1", "infoflow", + util.validate_rule(r[0], TRT.allowxperm, "test8a1", "test8a1", "infoflow", setools.IoctlSet([0x9999]), xperm="ioctl") - self.validate_rule(r[1], TRT.allowxperm, "test8a2", "test8a2", "infoflow", + util.validate_rule(r[1], TRT.allowxperm, "test8a2", "test8a2", "infoflow", setools.IoctlSet([0x1111]), xperm="ioctl") def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -361,9 +361,9 @@ def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allowxperm, "test10", "test10", "infoflow3", + util.validate_rule(r[0], TRT.allowxperm, "test10", "test10", "infoflow3", setools.IoctlSet([0]), xperm="ioctl") - self.validate_rule(r[1], TRT.allowxperm, "test10", "test10", "infoflow4", + util.validate_rule(r[1], TRT.allowxperm, "test10", "test10", "infoflow4", setools.IoctlSet([0x9999]), xperm="ioctl") def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -372,9 +372,9 @@ def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.allowxperm, "test11", "test11", "infoflow5", + util.validate_rule(r[0], TRT.allowxperm, "test11", "test11", "infoflow5", setools.IoctlSet([0x1111]), xperm="ioctl") - self.validate_rule(r[1], TRT.allowxperm, "test11", "test11", "infoflow6", + util.validate_rule(r[1], TRT.allowxperm, "test11", "test11", "infoflow6", setools.IoctlSet([0x5555]), xperm="ioctl") def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -383,9 +383,9 @@ def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_rule(r[0], TRT.auditallowxperm, "test14", "test14", "infoflow7", + util.validate_rule(r[0], TRT.auditallowxperm, "test14", "test14", "infoflow7", setools.IoctlSet([0x1234]), xperm="ioctl") - self.validate_rule(r[1], TRT.dontauditxperm, "test14", "test14", "infoflow7", + util.validate_rule(r[1], TRT.dontauditxperm, "test14", "test14", "infoflow7", setools.IoctlSet([0x4321]), xperm="ioctl") def test_std_perm_any(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -397,9 +397,9 @@ def test_std_perm_any(self, compiled_policy: setools.SELinuxPolicy) -> None: assert len(r) == 0 # changed after dropping source policy support # assert len(r) == 2 - # self.validate_rule(r[0], TRT.neverallow, "test100", "system", "infoflow2", + # util.validate_rule(r[0], TRT.neverallow, "test100", "system", "infoflow2", # set(["ioctl", "hi_w"])) - # self.validate_rule(r[1], TRT.neverallowxperm, "test100", "test100", "infoflow2", + # util.validate_rule(r[1], TRT.neverallowxperm, "test100", "test100", "infoflow2", # setools.IoctlSet([0x1234]), xperm="ioctl") def test_std_perm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -411,7 +411,7 @@ def test_std_perm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: assert len(r) == 0 # changed after dropping source policy support # assert len(r) == 1 - # self.validate_rule(r[0], TRT.neverallow, "test100", "system", "infoflow2", + # util.validate_rule(r[0], TRT.neverallow, "test100", "system", "infoflow2", # set(["ioctl", "hi_w"])) def test_xperm_any(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -420,13 +420,13 @@ def test_xperm_any(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 4 - self.validate_rule(r[0], TRT.allowxperm, "test101a", "test101a", "infoflow7", + util.validate_rule(r[0], TRT.allowxperm, "test101a", "test101a", "infoflow7", setools.IoctlSet([0x9011]), xperm="ioctl") - self.validate_rule(r[1], TRT.allowxperm, "test101b", "test101b", "infoflow7", + util.validate_rule(r[1], TRT.allowxperm, "test101b", "test101b", "infoflow7", setools.IoctlSet([0x9011, 0x9012]), xperm="ioctl") - self.validate_rule(r[2], TRT.allowxperm, "test101c", "test101c", "infoflow7", + util.validate_rule(r[2], TRT.allowxperm, "test101c", "test101c", "infoflow7", setools.IoctlSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") - self.validate_rule(r[3], TRT.allowxperm, "test101d", "test101d", "infoflow7", + util.validate_rule(r[3], TRT.allowxperm, "test101d", "test101d", "infoflow7", setools.IoctlSet([0x9011, 0x9012, 0x9013, 0x9014]), xperm="ioctl") def test_xperm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: @@ -435,5 +435,5 @@ def test_xperm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_rule(r[0], TRT.allowxperm, "test101c", "test101c", "infoflow7", + util.validate_rule(r[0], TRT.allowxperm, "test101c", "test101c", "infoflow7", setools.IoctlSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") diff --git a/tests/library/util.py b/tests/library/util.py new file mode 100644 index 00000000..fcb364e8 --- /dev/null +++ b/tests/library/util.py @@ -0,0 +1,48 @@ +"""Unit test mixin classes.""" +# Copyright 2015, Tresys Technology, LLC +# +# SPDX-License-Identifier: GPL-2.0-only +# +# pylint: disable=too-few-public-methods +import pytest +import setools + + +def validate_rule(rule: setools.policyrep.PolicyRule, + ruletype: setools.policyrep.PolicyEnum | str, + source: setools.policyrep.PolicySymbol | str, + target: setools.policyrep.PolicySymbol | str, + tclass: setools.ObjClass | str, + last_item: set[str] | setools.IoctlSet | setools.policyrep.PolicySymbol | str, + cond: str | None = None, + cond_block: bool | None = None, + xperm: str | None = None) -> None: + + """Validate a rule.""" + assert ruletype == rule.ruletype + assert source == rule.source + assert target == rule.target + assert tclass == rule.tclass + + try: + # This is the common case. + assert last_item == rule.perms + except (AttributeError, setools.exception.RuleUseError): + assert last_item == rule.default + + if cond: + assert cond == rule.conditional + else: + with pytest.raises(setools.exception.RuleNotConditional): + rule.conditional + + if cond_block is not None: + assert cond_block == rule.conditional_block + + if xperm: + assert xperm == rule.xperm_type + assert rule.extended + else: + with pytest.raises(AttributeError): + rule.xperm_type + assert not rule.extended From 0856100fcb3e96e11cd7f0b6d5e698d4b266591a Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 19 Apr 2024 14:41:29 -0400 Subject: [PATCH 71/71] tests/util: Refactor validate_rule() to handle role allows. Signed-off-by: Chris PeBenito --- tests/library/test_diff.py | 267 +++++++++++++++------------- tests/library/test_dta.py | 67 ++++--- tests/library/test_infoflow.py | 41 +++-- tests/library/test_mlsrulequery.py | 107 ++++++----- tests/library/test_rbacrulequery.py | 47 +++-- tests/library/test_terulequery.py | 231 +++++++++++++----------- tests/library/util.py | 28 +-- 7 files changed, 435 insertions(+), 353 deletions(-) diff --git a/tests/library/test_diff.py b/tests/library/test_diff.py index 20ed89ef..c2ae1d78 100644 --- a/tests/library/test_diff.py +++ b/tests/library/test_diff.py @@ -235,23 +235,24 @@ def test_added_allow_rules(self, analysis: setools.PolicyDifference) -> None: # added rule with existing types util.validate_rule(rules[0], TRT.allow, "added_rule_source", "added_rule_target", - "infoflow", set(["med_w"])) + tclass="infoflow", perms=set(["med_w"])) # added rule with new type - util.validate_rule(rules[1], TRT.allow, "added_type", "added_type", "infoflow2", - set(["med_w"])) + util.validate_rule(rules[1], TRT.allow, "added_type", "added_type", tclass="infoflow2", + perms=set(["med_w"])) # rule moved out of a conditional - util.validate_rule(rules[2], TRT.allow, "move_from_bool", "move_from_bool", "infoflow4", - set(["hi_r"])) + util.validate_rule(rules[2], TRT.allow, "move_from_bool", "move_from_bool", + tclass="infoflow4", perms=set(["hi_r"])) # rule moved into a conditional - util.validate_rule(rules[3], TRT.allow, "move_to_bool", "move_to_bool", "infoflow4", - set(["hi_w"]), cond="move_to_bool_b", cond_block=True) + util.validate_rule(rules[3], TRT.allow, "move_to_bool", "move_to_bool", + tclass="infoflow4", perms=set(["hi_w"]), cond="move_to_bool_b", + cond_block=True) # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[4], TRT.allow, "system", "switch_block", "infoflow6", - set(["hi_r"]), cond="switch_block_b", cond_block=False) + util.validate_rule(rules[4], TRT.allow, "system", "switch_block", tclass="infoflow6", + perms=set(["hi_r"]), cond="switch_block_b", cond_block=False) def test_removed_allow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed allow rules.""" @@ -259,24 +260,25 @@ def test_removed_allow_rules(self, analysis: setools.PolicyDifference) -> None: assert 5 == len(rules) # rule moved out of a conditional - util.validate_rule(rules[0], TRT.allow, "move_from_bool", "move_from_bool", "infoflow4", - set(["hi_r"]), cond="move_from_bool_b", cond_block=True) + util.validate_rule(rules[0], TRT.allow, "move_from_bool", "move_from_bool", + tclass="infoflow4", perms=set(["hi_r"]), cond="move_from_bool_b", + cond_block=True) # rule moved into a conditional - util.validate_rule(rules[1], TRT.allow, "move_to_bool", "move_to_bool", "infoflow4", - set(["hi_w"])) + util.validate_rule(rules[1], TRT.allow, "move_to_bool", "move_to_bool", tclass="infoflow4", + perms=set(["hi_w"])) # removed rule with existing types util.validate_rule(rules[2], TRT.allow, "removed_rule_source", "removed_rule_target", - "infoflow", set(["hi_r"])) + tclass="infoflow", perms=set(["hi_r"])) # removed rule with new type - util.validate_rule(rules[3], TRT.allow, "removed_type", "removed_type", "infoflow3", - set(["null"])) + util.validate_rule(rules[3], TRT.allow, "removed_type", "removed_type", tclass="infoflow3", + perms=set(["null"])) # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[4], TRT.allow, "system", "switch_block", "infoflow6", - set(["hi_r"]), cond="switch_block_b", cond_block=True) + util.validate_rule(rules[4], TRT.allow, "system", "switch_block", tclass="infoflow6", + perms=set(["hi_r"]), cond="switch_block_b", cond_block=True) def test_modified_allow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified allow rules.""" @@ -323,23 +325,25 @@ def test_added_auditallow_rules(self, analysis: setools.PolicyDifference) -> Non # added rule with existing types util.validate_rule(rules[0], TRT.auditallow, "aa_added_rule_source", - "aa_added_rule_target", "infoflow", set(["med_w"])) + "aa_added_rule_target", tclass="infoflow", perms=set(["med_w"])) # rule moved out of a conditional util.validate_rule(rules[1], TRT.auditallow, "aa_move_from_bool", "aa_move_from_bool", - "infoflow4", set(["hi_r"])) + tclass="infoflow4", perms=set(["hi_r"])) # rule moved into a conditional util.validate_rule(rules[2], TRT.auditallow, "aa_move_to_bool", "aa_move_to_bool", - "infoflow4", set(["hi_w"]), cond="aa_move_to_bool_b", cond_block=True) + tclass="infoflow4", perms=set(["hi_w"]), cond="aa_move_to_bool_b", + cond_block=True) # added rule with new type - util.validate_rule(rules[3], TRT.auditallow, "added_type", "added_type", "infoflow7", - set(["super_none"])) + util.validate_rule(rules[3], TRT.auditallow, "added_type", "added_type", tclass="infoflow7", + perms=set(["super_none"])) # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block", "infoflow6", - set(["hi_r"]), cond="aa_switch_block_b", cond_block=False) + util.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block", + tclass="infoflow6", perms=set(["hi_r"]), cond="aa_switch_block_b", + cond_block=False) def test_removed_auditallow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed auditallow rules.""" @@ -348,23 +352,25 @@ def test_removed_auditallow_rules(self, analysis: setools.PolicyDifference) -> N # rule moved out of a conditional util.validate_rule(rules[0], TRT.auditallow, "aa_move_from_bool", "aa_move_from_bool", - "infoflow4", set(["hi_r"]), cond="aa_move_from_bool_b", cond_block=True) + tclass="infoflow4", perms=set(["hi_r"]), cond="aa_move_from_bool_b", + cond_block=True) # rule moved into a conditional util.validate_rule(rules[1], TRT.auditallow, "aa_move_to_bool", "aa_move_to_bool", - "infoflow4", set(["hi_w"])) + tclass="infoflow4", perms=set(["hi_w"])) # removed rule with existing types util.validate_rule(rules[2], TRT.auditallow, "aa_removed_rule_source", - "aa_removed_rule_target", "infoflow", set(["hi_r"])) + "aa_removed_rule_target", tclass="infoflow", perms=set(["hi_r"])) # removed rule with new type - util.validate_rule(rules[3], TRT.auditallow, "removed_type", "removed_type", "infoflow7", - set(["super_unmapped"])) + util.validate_rule(rules[3], TRT.auditallow, "removed_type", "removed_type", + tclass="infoflow7", perms=set(["super_unmapped"])) # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block", "infoflow6", - set(["hi_r"]), cond="aa_switch_block_b", cond_block=True) + util.validate_rule(rules[4], TRT.auditallow, "system", "aa_switch_block", + tclass="infoflow6", perms=set(["hi_r"]), cond="aa_switch_block_b", + cond_block=True) def test_modified_auditallow_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified auditallow rules.""" @@ -410,24 +416,26 @@ def test_added_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None assert 5 == len(rules) # added rule with new type - util.validate_rule(rules[0], TRT.dontaudit, "added_type", "added_type", "infoflow7", - set(["super_none"])) + util.validate_rule(rules[0], TRT.dontaudit, "added_type", "added_type", tclass="infoflow7", + perms=set(["super_none"])) # added rule with existing types util.validate_rule(rules[1], TRT.dontaudit, "da_added_rule_source", "da_added_rule_target", - "infoflow", set(["med_w"])) + tclass="infoflow", perms=set(["med_w"])) # rule moved out of a conditional util.validate_rule(rules[2], TRT.dontaudit, "da_move_from_bool", "da_move_from_bool", - "infoflow4", set(["hi_r"])) + tclass="infoflow4", perms=set(["hi_r"])) # rule moved into a conditional util.validate_rule(rules[3], TRT.dontaudit, "da_move_to_bool", "da_move_to_bool", - "infoflow4", set(["hi_w"]), cond="da_move_to_bool_b", cond_block=True) + tclass="infoflow4", perms=set(["hi_w"]), cond="da_move_to_bool_b", + cond_block=True) # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block", "infoflow6", - set(["hi_r"]), cond="da_switch_block_b", cond_block=False) + util.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block", + tclass="infoflow6", perms=set(["hi_r"]), cond="da_switch_block_b", + cond_block=False) def test_removed_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed dontaudit rules.""" @@ -436,23 +444,25 @@ def test_removed_dontaudit_rules(self, analysis: setools.PolicyDifference) -> No # rule moved out of a conditional util.validate_rule(rules[0], TRT.dontaudit, "da_move_from_bool", "da_move_from_bool", - "infoflow4", set(["hi_r"]), cond="da_move_from_bool_b", cond_block=True) + tclass="infoflow4", perms=set(["hi_r"]), cond="da_move_from_bool_b", + cond_block=True) # rule moved into a conditional util.validate_rule(rules[1], TRT.dontaudit, "da_move_to_bool", "da_move_to_bool", - "infoflow4", set(["hi_w"])) + tclass="infoflow4", perms=set(["hi_w"])) # removed rule with existing types util.validate_rule(rules[2], TRT.dontaudit, "da_removed_rule_source", - "da_removed_rule_target", "infoflow", set(["hi_r"])) + "da_removed_rule_target", tclass="infoflow", perms=set(["hi_r"])) # removed rule with new type - util.validate_rule(rules[3], TRT.dontaudit, "removed_type", "removed_type", "infoflow7", - set(["super_both"])) + util.validate_rule(rules[3], TRT.dontaudit, "removed_type", "removed_type", + tclass="infoflow7", perms=set(["super_both"])) # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block", "infoflow6", - set(["hi_r"]), cond="da_switch_block_b", cond_block=True) + util.validate_rule(rules[4], TRT.dontaudit, "system", "da_switch_block", + tclass="infoflow6", perms=set(["hi_r"]), cond="da_switch_block_b", + cond_block=True) def test_modified_dontaudit_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified dontaudit rules.""" @@ -569,24 +579,26 @@ def test_added_type_transition_rules(self, analysis: setools.PolicyDifference) - assert 5 == len(rules) # added rule with new type - util.validate_rule(rules[0], TRT.type_transition, "added_type", "system", "infoflow4", - "system") + util.validate_rule(rules[0], TRT.type_transition, "added_type", "system", + tclass="infoflow4", default="system") # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[1], TRT.type_transition, "system", "tt_switch_block", "infoflow6", - "system", cond="tt_switch_block_b", cond_block=False) + util.validate_rule(rules[1], TRT.type_transition, "system", "tt_switch_block", + tclass="infoflow6", default="system", cond="tt_switch_block_b", + cond_block=False) # added rule with existing types util.validate_rule(rules[2], TRT.type_transition, "tt_added_rule_source", - "tt_added_rule_target", "infoflow", "system") + "tt_added_rule_target", tclass="infoflow", default="system") # rule moved out of a conditional util.validate_rule(rules[3], TRT.type_transition, "tt_move_from_bool", "system", - "infoflow4", "system") + tclass="infoflow4", default="system") # rule moved into a conditional util.validate_rule(rules[4], TRT.type_transition, "tt_move_to_bool", "system", - "infoflow3", "system", cond="tt_move_to_bool_b", cond_block=True) + tclass="infoflow3", default="system", cond="tt_move_to_bool_b", + cond_block=True) def test_removed_type_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed type_transition rules.""" @@ -594,24 +606,26 @@ def test_removed_type_transition_rules(self, analysis: setools.PolicyDifference) assert 5 == len(rules) # removed rule with new type - util.validate_rule(rules[0], TRT.type_transition, "removed_type", "system", "infoflow4", - "system") + util.validate_rule(rules[0], TRT.type_transition, "removed_type", "system", + tclass="infoflow4", default="system") # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[1], TRT.type_transition, "system", "tt_switch_block", "infoflow6", - "system", cond="tt_switch_block_b", cond_block=True) + util.validate_rule(rules[1], TRT.type_transition, "system", "tt_switch_block", + tclass="infoflow6", default="system", cond="tt_switch_block_b", + cond_block=True) # rule moved out of a conditional util.validate_rule(rules[2], TRT.type_transition, "tt_move_from_bool", "system", - "infoflow4", "system", cond="tt_move_from_bool_b", cond_block=True) + tclass="infoflow4", default="system", cond="tt_move_from_bool_b", + cond_block=True) # rule moved into a conditional util.validate_rule(rules[3], TRT.type_transition, "tt_move_to_bool", "system", - "infoflow3", "system") + tclass="infoflow3", default="system") # removed rule with existing types util.validate_rule(rules[4], TRT.type_transition, "tt_removed_rule_source", - "tt_removed_rule_target", "infoflow", "system") + "tt_removed_rule_target", tclass="infoflow", default="system") def test_modified_type_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type_transition rules.""" @@ -635,24 +649,26 @@ def test_added_type_change_rules(self, analysis: setools.PolicyDifference) -> No assert 5 == len(rules) # added rule with new type - util.validate_rule(rules[0], TRT.type_change, "added_type", "system", "infoflow4", - "system") + util.validate_rule(rules[0], TRT.type_change, "added_type", "system", tclass="infoflow4", + default="system") # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[1], TRT.type_change, "system", "tc_switch_block", "infoflow6", - "system", cond="tc_switch_block_b", cond_block=False) + util.validate_rule(rules[1], TRT.type_change, "system", "tc_switch_block", + tclass="infoflow6", default="system", cond="tc_switch_block_b", + cond_block=False) # added rule with existing types util.validate_rule(rules[2], TRT.type_change, "tc_added_rule_source", - "tc_added_rule_target", "infoflow", "system") + "tc_added_rule_target", tclass="infoflow", default="system") # rule moved out of a conditional util.validate_rule(rules[3], TRT.type_change, "tc_move_from_bool", "system", - "infoflow4", "system") + tclass="infoflow4", default="system") # rule moved into a conditional util.validate_rule(rules[4], TRT.type_change, "tc_move_to_bool", "system", - "infoflow3", "system", cond="tc_move_to_bool_b", cond_block=True) + tclass="infoflow3", default="system", cond="tc_move_to_bool_b", + cond_block=True) def test_removed_type_change_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed type_change rules.""" @@ -660,24 +676,26 @@ def test_removed_type_change_rules(self, analysis: setools.PolicyDifference) -> assert 5 == len(rules) # removed rule with new type - util.validate_rule(rules[0], TRT.type_change, "removed_type", "system", "infoflow4", - "system") + util.validate_rule(rules[0], TRT.type_change, "removed_type", "system", tclass="infoflow4", + default="system") # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[1], TRT.type_change, "system", "tc_switch_block", "infoflow6", - "system", cond="tc_switch_block_b", cond_block=True) + util.validate_rule(rules[1], TRT.type_change, "system", "tc_switch_block", + tclass="infoflow6", default="system", cond="tc_switch_block_b", + cond_block=True) # rule moved out of a conditional util.validate_rule(rules[2], TRT.type_change, "tc_move_from_bool", "system", - "infoflow4", "system", cond="tc_move_from_bool_b", cond_block=True) + tclass="infoflow4", default="system", cond="tc_move_from_bool_b", + cond_block=True) # rule moved into a conditional util.validate_rule(rules[3], TRT.type_change, "tc_move_to_bool", "system", - "infoflow3", "system") + tclass="infoflow3", default="system") # removed rule with existing types util.validate_rule(rules[4], TRT.type_change, "tc_removed_rule_source", - "tc_removed_rule_target", "infoflow", "system") + "tc_removed_rule_target", tclass="infoflow", default="system") def test_modified_type_change_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type_change rules.""" @@ -701,24 +719,26 @@ def test_added_type_member_rules(self, analysis: setools.PolicyDifference) -> No assert 5 == len(rules) # added rule with new type - util.validate_rule(rules[0], TRT.type_member, "added_type", "system", "infoflow4", - "system") + util.validate_rule(rules[0], TRT.type_member, "added_type", "system", tclass="infoflow4", + default="system") # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[1], TRT.type_member, "system", "tm_switch_block", "infoflow6", - "system", cond="tm_switch_block_b", cond_block=False) + util.validate_rule(rules[1], TRT.type_member, "system", "tm_switch_block", + tclass="infoflow6", default="system", cond="tm_switch_block_b", + cond_block=False) # added rule with existing types util.validate_rule(rules[2], TRT.type_member, "tm_added_rule_source", - "tm_added_rule_target", "infoflow", "system") + "tm_added_rule_target", tclass="infoflow", default="system") # rule moved out of a conditional util.validate_rule(rules[3], TRT.type_member, "tm_move_from_bool", "system", - "infoflow4", "system") + tclass="infoflow4", default="system") # rule moved into a conditional util.validate_rule(rules[4], TRT.type_member, "tm_move_to_bool", "system", - "infoflow3", "system", cond="tm_move_to_bool_b", cond_block=True) + tclass="infoflow3", default="system", cond="tm_move_to_bool_b", + cond_block=True) def test_removed_type_member_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed type_member rules.""" @@ -726,24 +746,26 @@ def test_removed_type_member_rules(self, analysis: setools.PolicyDifference) -> assert 5 == len(rules) # removed rule with new type - util.validate_rule(rules[0], TRT.type_member, "removed_type", "system", "infoflow4", - "system") + util.validate_rule(rules[0], TRT.type_member, "removed_type", "system", tclass="infoflow4", + default="system") # rule moved from one conditional block to another (true to false) - util.validate_rule(rules[1], TRT.type_member, "system", "tm_switch_block", "infoflow6", - "system", cond="tm_switch_block_b", cond_block=True) + util.validate_rule(rules[1], TRT.type_member, "system", "tm_switch_block", + tclass="infoflow6", default="system", cond="tm_switch_block_b", + cond_block=True) # rule moved out of a conditional util.validate_rule(rules[2], TRT.type_member, "tm_move_from_bool", "system", - "infoflow4", "system", cond="tm_move_from_bool_b", cond_block=True) + tclass="infoflow4", default="system", cond="tm_move_from_bool_b", + cond_block=True) # rule moved into a conditional util.validate_rule(rules[3], TRT.type_member, "tm_move_to_bool", "system", - "infoflow3", "system") + tclass="infoflow3", default="system") # removed rule with existing types util.validate_rule(rules[4], TRT.type_member, "tm_removed_rule_source", - "tm_removed_rule_target", "infoflow", "system") + "tm_removed_rule_target", tclass="infoflow", default="system") def test_modified_type_member_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified type_member rules.""" @@ -767,12 +789,12 @@ def test_added_range_transition_rules(self, analysis: setools.PolicyDifference) assert 2 == len(rules) # added rule with new type - util.validate_rule(rules[0], MRT.range_transition, "added_type", "system", "infoflow4", - "s3") + util.validate_rule(rules[0], MRT.range_transition, "added_type", "system", + tclass="infoflow4", default="s3") # added rule with existing types util.validate_rule(rules[1], MRT.range_transition, "rt_added_rule_source", - "rt_added_rule_target", "infoflow", "s3") + "rt_added_rule_target", tclass="infoflow", default="s3") def test_removed_range_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed range_transition rules.""" @@ -780,12 +802,12 @@ def test_removed_range_transition_rules(self, analysis: setools.PolicyDifference assert 2 == len(rules) # removed rule with new type - util.validate_rule(rules[0], MRT.range_transition, "removed_type", "system", "infoflow4", - "s1") + util.validate_rule(rules[0], MRT.range_transition, "removed_type", "system", + tclass="infoflow4", default="s1") # removed rule with existing types util.validate_rule(rules[1], MRT.range_transition, "rt_removed_rule_source", - "rt_removed_rule_target", "infoflow", "s1") + "rt_removed_rule_target", tclass="infoflow", default="s1") def test_modified_range_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified range_transition rules.""" @@ -842,12 +864,12 @@ def test_added_role_transition_rules(self, analysis: setools.PolicyDifference) - assert 2 == len(rules) # added rule with new role - util.validate_rule(rules[0], RRT.role_transition, "added_role", "system", "infoflow4", - "system") + util.validate_rule(rules[0], RRT.role_transition, "added_role", "system", + tclass="infoflow4", default="system") # added rule with existing roles util.validate_rule(rules[1], RRT.role_transition, "role_tr_added_rule_source", - "role_tr_added_rule_target", "infoflow6", "system") + "role_tr_added_rule_target", tclass="infoflow6", default="system") def test_removed_role_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed role_transition rules.""" @@ -855,12 +877,12 @@ def test_removed_role_transition_rules(self, analysis: setools.PolicyDifference) assert 2 == len(rules) # removed rule with new role - util.validate_rule(rules[0], RRT.role_transition, "removed_role", "system", "infoflow4", - "system") + util.validate_rule(rules[0], RRT.role_transition, "removed_role", "system", + tclass="infoflow4", default="system") # removed rule with existing roles util.validate_rule(rules[1], RRT.role_transition, "role_tr_removed_rule_source", - "role_tr_removed_rule_target", "infoflow5", "system") + "role_tr_removed_rule_target", tclass="infoflow5", default="system") def test_modified_role_transition_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified role_transition rules.""" @@ -1558,12 +1580,13 @@ def test_added_allowxperm_rules(self, analysis: setools.PolicyDifference) -> Non assert 2 == len(rules) # added rule with new type - util.validate_rule(rules[0], TRT.allowxperm, "added_type", "added_type", "infoflow7", - setools.IoctlSet([0x0009]), xperm="ioctl") + util.validate_rule(rules[0], TRT.allowxperm, "added_type", "added_type", + tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") # added rule with existing types - util.validate_rule(rules[1], TRT.allowxperm, "ax_added_rule_source", "ax_added_rule_target", - "infoflow", setools.IoctlSet([0x0002]), xperm="ioctl") + util.validate_rule(rules[1], TRT.allowxperm, "ax_added_rule_source", + "ax_added_rule_target", tclass="infoflow", + perms=setools.IoctlSet([0x0002]), xperm="ioctl") def test_removed_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed allowxperm rules.""" @@ -1572,12 +1595,12 @@ def test_removed_allowxperm_rules(self, analysis: setools.PolicyDifference) -> N # removed rule with existing types util.validate_rule(rules[0], TRT.allowxperm, "ax_removed_rule_source", - "ax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), - xperm="ioctl") + "ax_removed_rule_target", tclass="infoflow", + perms=setools.IoctlSet([0x0002]), xperm="ioctl") # removed rule with new type - util.validate_rule(rules[1], TRT.allowxperm, "removed_type", "removed_type", "infoflow7", - setools.IoctlSet([0x0009]), xperm="ioctl") + util.validate_rule(rules[1], TRT.allowxperm, "removed_type", "removed_type", + tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") def test_modified_allowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified allowxperm rules.""" @@ -1624,12 +1647,12 @@ def test_added_auditallowxperm_rules(self, analysis: setools.PolicyDifference) - # added rule with existing types util.validate_rule(rules[0], TRT.auditallowxperm, "aax_added_rule_source", - "aax_added_rule_target", "infoflow", setools.IoctlSet([0x0002]), - xperm="ioctl") + "aax_added_rule_target", tclass="infoflow", + perms=setools.IoctlSet([0x0002]), xperm="ioctl") # added rule with new type - util.validate_rule(rules[1], TRT.auditallowxperm, "added_type", "added_type", "infoflow7", - setools.IoctlSet([0x0009]), xperm="ioctl") + util.validate_rule(rules[1], TRT.auditallowxperm, "added_type", "added_type", + tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") def test_removed_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed auditallowxperm rules.""" @@ -1638,12 +1661,12 @@ def test_removed_auditallowxperm_rules(self, analysis: setools.PolicyDifference) # removed rule with existing types util.validate_rule(rules[0], TRT.auditallowxperm, "aax_removed_rule_source", - "aax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), - xperm="ioctl") + "aax_removed_rule_target", tclass="infoflow", + perms=setools.IoctlSet([0x0002]), xperm="ioctl") # removed rule with new type util.validate_rule(rules[1], TRT.auditallowxperm, "removed_type", "removed_type", - "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") + tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") def test_modified_auditallowxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified auditallowxperm rules.""" @@ -1761,13 +1784,13 @@ def test_added_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> assert 2 == len(rules) # added rule with new type - util.validate_rule(rules[0], TRT.dontauditxperm, "added_type", "added_type", "infoflow7", - setools.IoctlSet([0x0009]), xperm="ioctl") + util.validate_rule(rules[0], TRT.dontauditxperm, "added_type", "added_type", + tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") # added rule with existing types util.validate_rule(rules[1], TRT.dontauditxperm, "dax_added_rule_source", - "dax_added_rule_target", "infoflow", setools.IoctlSet([0x0002]), - xperm="ioctl") + "dax_added_rule_target", tclass="infoflow", + perms=setools.IoctlSet([0x0002]), xperm="ioctl") def test_removed_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: removed dontauditxperm rules.""" @@ -1776,12 +1799,12 @@ def test_removed_dontauditxperm_rules(self, analysis: setools.PolicyDifference) # removed rule with existing types util.validate_rule(rules[0], TRT.dontauditxperm, "dax_removed_rule_source", - "dax_removed_rule_target", "infoflow", setools.IoctlSet([0x0002]), - xperm="ioctl") + "dax_removed_rule_target", tclass="infoflow", + perms=setools.IoctlSet([0x0002]), xperm="ioctl") # removed rule with new type util.validate_rule(rules[1], TRT.dontauditxperm, "removed_type", "removed_type", - "infoflow7", setools.IoctlSet([0x0009]), xperm="ioctl") + tclass="infoflow7", perms=setools.IoctlSet([0x0009]), xperm="ioctl") def test_modified_dontauditxperm_rules(self, analysis: setools.PolicyDifference) -> None: """Diff: modified dontauditxperm rules.""" diff --git a/tests/library/test_dta.py b/tests/library/test_dta.py index f91755de..69536c7c 100644 --- a/tests/library/test_dta.py +++ b/tests/library/test_dta.py @@ -52,12 +52,14 @@ def test_bothtrans(self, analysis: setools.DomainTransitionAnalysis) -> None: # regular transition r = analysis.G.edges[s, t]["transition"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition", "dyntransition"])) + util.validate_rule(r[0], TERT.allow, s, t, tclass="process", + perms=set(["transition", "dyntransition"])) # setexec perms r = analysis.G.edges[s, t]["setexec"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec", "setcurrent"])) + util.validate_rule(r[0], TERT.allow, s, s, tclass="process", + perms=set(["setexec", "setcurrent"])) # exec perms k = sorted(analysis.G.edges[s, t]["execute"].keys()) @@ -65,7 +67,7 @@ def test_bothtrans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["execute"][e] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e, tclass="file", perms=set(["execute"])) # entrypoint perms k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) @@ -73,7 +75,7 @@ def test_bothtrans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["entrypoint"][e] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e, tclass="file", perms=set(["entrypoint"])) # type_transition k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) @@ -81,17 +83,19 @@ def test_bothtrans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["type_transition"][e] assert len(r) == 1 - util.validate_rule(r[0], TERT.type_transition, s, e, "process", t) + util.validate_rule(r[0], TERT.type_transition, s, e, tclass="process", default=t) # dynamic transition r = analysis.G.edges[s, t]["dyntransition"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition", "dyntransition"])) + util.validate_rule(r[0], TERT.allow, s, t, tclass="process", + perms=set(["transition", "dyntransition"])) # setcurrent r = analysis.G.edges[s, t]["setcurrent"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec", "setcurrent"])) + util.validate_rule(r[0], TERT.allow, s, s, tclass="process", + perms=set(["setexec", "setcurrent"])) def test_dyntrans(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: setcon() transition.""" @@ -122,12 +126,14 @@ def test_dyntrans(self, analysis: setools.DomainTransitionAnalysis) -> None: # dynamic transition r = analysis.G.edges[s, t]["dyntransition"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, t, "process", set(["dyntransition"])) + util.validate_rule(r[0], TERT.allow, s, t, tclass="process", + perms=set(["dyntransition"])) # setcurrent r = analysis.G.edges[s, t]["setcurrent"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setcurrent"])) + util.validate_rule(r[0], TERT.allow, s, s, tclass="process", + perms=set(["setcurrent"])) def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: """DTA: type_transition transition.""" @@ -139,7 +145,8 @@ def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: # regular transition r = analysis.G.edges[s, t]["transition"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) + util.validate_rule(r[0], TERT.allow, s, t, tclass="process", + perms=set(["transition"])) # setexec perms r = analysis.G.edges[s, t]["setexec"] @@ -151,7 +158,8 @@ def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["execute"][e] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e, tclass="file", + perms=set(["execute"])) # entrypoint perms k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) @@ -159,7 +167,8 @@ def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["entrypoint"][e] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e, tclass="file", + perms=set(["entrypoint"])) # type_transition k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) @@ -167,7 +176,8 @@ def test_trans(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["type_transition"][e] assert len(r) == 1 - util.validate_rule(r[0], TERT.type_transition, s, e, "process", t) + util.validate_rule(r[0], TERT.type_transition, s, e, tclass="process", + default=t) # dynamic transition r = analysis.G.edges[s, t]["dyntransition"] @@ -187,12 +197,12 @@ def test_setexec(self, analysis: setools.DomainTransitionAnalysis) -> None: # regular transition r = analysis.G.edges[s, t]["transition"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) + util.validate_rule(r[0], TERT.allow, s, t, tclass="process", perms=set(["transition"])) # setexec perms r = analysis.G.edges[s, t]["setexec"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec"])) + util.validate_rule(r[0], TERT.allow, s, s, tclass="process", perms=set(["setexec"])) # exec perms k = sorted(analysis.G.edges[s, t]["execute"].keys()) @@ -200,7 +210,7 @@ def test_setexec(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["execute"][e] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e, tclass="file", perms=set(["execute"])) # entrypoint perms k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) @@ -208,7 +218,7 @@ def test_setexec(self, analysis: setools.DomainTransitionAnalysis) -> None: r = analysis.G.edges[s, t]["entrypoint"][e] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e, tclass="file", perms=set(["entrypoint"])) # type_transition k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) @@ -233,12 +243,12 @@ def test_two_entrypoint(self, analysis: setools.DomainTransitionAnalysis) -> Non # regular transition r = analysis.G.edges[s, t]["transition"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) + util.validate_rule(r[0], TERT.allow, s, t, tclass="process", perms=set(["transition"])) # setexec perms r = analysis.G.edges[s, t]["setexec"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, s, "process", set(["setexec"])) + util.validate_rule(r[0], TERT.allow, s, s, tclass="process", perms=set(["setexec"])) # exec perms k = sorted(analysis.G.edges[s, t]["execute"].keys()) @@ -246,11 +256,11 @@ def test_two_entrypoint(self, analysis: setools.DomainTransitionAnalysis) -> Non r = analysis.G.edges[s, t]["execute"][e[0]] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, e[0], "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e[0], tclass="file", perms=set(["execute"])) r = analysis.G.edges[s, t]["execute"][e[1]] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, e[1], "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e[1], tclass="file", perms=set(["execute"])) # entrypoint perms k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) @@ -258,11 +268,11 @@ def test_two_entrypoint(self, analysis: setools.DomainTransitionAnalysis) -> Non r = analysis.G.edges[s, t]["entrypoint"][e[0]] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, t, e[0], "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e[0], tclass="file", perms=set(["entrypoint"])) r = analysis.G.edges[s, t]["entrypoint"][e[1]] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, t, e[1], "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e[1], tclass="file", perms=set(["entrypoint"])) # type_transition k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) @@ -270,7 +280,7 @@ def test_two_entrypoint(self, analysis: setools.DomainTransitionAnalysis) -> Non r = analysis.G.edges[s, t]["type_transition"][e[0]] assert len(r) == 1 - util.validate_rule(r[0], TERT.type_transition, s, e[0], "process", t) + util.validate_rule(r[0], TERT.type_transition, s, e[0], tclass="process", default=t) # dynamic transition r = analysis.G.edges[s, t]["dyntransition"] @@ -290,7 +300,7 @@ def test_cond_type_trans(self, analysis: setools.DomainTransitionAnalysis) -> No # regular transition r = analysis.G.edges[s, t]["transition"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, t, "process", set(["transition"])) + util.validate_rule(r[0], TERT.allow, s, t, tclass="process", perms=set(["transition"])) # setexec perms r = analysis.G.edges[s, t]["setexec"] @@ -302,7 +312,7 @@ def test_cond_type_trans(self, analysis: setools.DomainTransitionAnalysis) -> No r = analysis.G.edges[s, t]["execute"][e] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, s, e, "file", set(["execute"])) + util.validate_rule(r[0], TERT.allow, s, e, tclass="file", perms=set(["execute"])) # entrypoint perms k = sorted(analysis.G.edges[s, t]["entrypoint"].keys()) @@ -310,7 +320,7 @@ def test_cond_type_trans(self, analysis: setools.DomainTransitionAnalysis) -> No r = analysis.G.edges[s, t]["entrypoint"][e] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, t, e, "file", set(["entrypoint"])) + util.validate_rule(r[0], TERT.allow, t, e, tclass="file", perms=set(["entrypoint"])) # type_transition k = sorted(analysis.G.edges[s, t]["type_transition"].keys()) @@ -318,7 +328,8 @@ def test_cond_type_trans(self, analysis: setools.DomainTransitionAnalysis) -> No r = analysis.G.edges[s, t]["type_transition"][e] assert len(r) == 1 - util.validate_rule(r[0], TERT.type_transition, s, e, "process", t, cond="trans5") + util.validate_rule(r[0], TERT.type_transition, s, e, tclass="process", default=t, + cond="trans5", cond_block=True) # dynamic transition r = analysis.G.edges[s, t]["dyntransition"] diff --git a/tests/library/test_infoflow.py b/tests/library/test_infoflow.py index b0f765c0..6af34124 100644 --- a/tests/library/test_infoflow.py +++ b/tests/library/test_infoflow.py @@ -63,54 +63,65 @@ def test_full_graph(self, analysis: setools.InfoFlowAnalysis) -> None: r = analysis.G.edges[disconnected1, disconnected2]["rules"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", "infoflow2", - set(["super"])) + util.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", tclass="infoflow2", + perms=set(["super"])) r = analysis.G.edges[disconnected2, disconnected1]["rules"] assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", "infoflow2", - set(["super"])) + util.validate_rule(r[0], TERT.allow, "disconnected1", "disconnected2", tclass="infoflow2", + perms=set(["super"])) r = sorted(analysis.G.edges[node1, node2]["rules"]) assert len(r) == 2 - util.validate_rule(r[0], TERT.allow, "node1", "node2", "infoflow", set(["med_w"])) - util.validate_rule(r[1], TERT.allow, "node2", "node1", "infoflow", set(["hi_r"])) + util.validate_rule(r[0], TERT.allow, "node1", "node2", tclass="infoflow", + perms=set(["med_w"])) + util.validate_rule(r[1], TERT.allow, "node2", "node1", tclass="infoflow", + perms=set(["hi_r"])) r = sorted(analysis.G.edges[node1, node3]["rules"]) assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, "node3", "node1", "infoflow", set(["low_r", "med_r"])) + util.validate_rule(r[0], TERT.allow, "node3", "node1", tclass="infoflow", + perms=set(["low_r", "med_r"])) r = sorted(analysis.G.edges[node2, node4]["rules"]) assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, "node2", "node4", "infoflow", set(["hi_w"])) + util.validate_rule(r[0], TERT.allow, "node2", "node4", tclass="infoflow", + perms=set(["hi_w"])) r = sorted(analysis.G.edges[node3, node5]["rules"]) assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, "node5", "node3", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TERT.allow, "node5", "node3", tclass="infoflow", + perms=set(["low_r"])) r = sorted(analysis.G.edges[node4, node6]["rules"]) assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, "node4", "node6", "infoflow2", set(["hi_w"])) + util.validate_rule(r[0], TERT.allow, "node4", "node6", tclass="infoflow2", + perms=set(["hi_w"])) r = sorted(analysis.G.edges[node5, node8]["rules"]) assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, "node5", "node8", "infoflow2", set(["hi_w"])) + util.validate_rule(r[0], TERT.allow, "node5", "node8", tclass="infoflow2", + perms=set(["hi_w"])) r = sorted(analysis.G.edges[node6, node5]["rules"]) assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, "node5", "node6", "infoflow", set(["med_r"])) + util.validate_rule(r[0], TERT.allow, "node5", "node6", tclass="infoflow", + perms=set(["med_r"])) r = sorted(analysis.G.edges[node6, node7]["rules"]) assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, "node6", "node7", "infoflow", set(["hi_w"])) + util.validate_rule(r[0], TERT.allow, "node6", "node7", tclass="infoflow", + perms=set(["hi_w"])) r = sorted(analysis.G.edges[node8, node9]["rules"]) assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, "node8", "node9", "infoflow2", set(["super"])) + util.validate_rule(r[0], TERT.allow, "node8", "node9", tclass="infoflow2", + perms=set(["super"])) r = sorted(analysis.G.edges[node9, node8]["rules"]) assert len(r) == 1 - util.validate_rule(r[0], TERT.allow, "node8", "node9", "infoflow2", set(["super"])) + util.validate_rule(r[0], TERT.allow, "node8", "node9", tclass="infoflow2", + perms=set(["super"])) def test_minimum_3(self, analysis: setools.InfoFlowAnalysis) -> None: """Information flow analysis with minimum weight 3.""" diff --git a/tests/library/test_mlsrulequery.py b/tests/library/test_mlsrulequery.py index d90d1ccc..f283902f 100644 --- a/tests/library/test_mlsrulequery.py +++ b/tests/library/test_mlsrulequery.py @@ -36,7 +36,8 @@ def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test1s", "test1t", "infoflow", "s0") + util.validate_rule(r[0], RT.range_transition, "test1s", "test1t", tclass="infoflow", + default="s0") def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with regex, direct, source match.""" @@ -45,8 +46,10 @@ def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], RT.range_transition, "test3s", "test3t", "infoflow", "s1") - util.validate_rule(r[1], RT.range_transition, "test3s", "test3t", "infoflow2", "s2") + util.validate_rule(r[0], RT.range_transition, "test3s", "test3t", tclass="infoflow", + default="s1") + util.validate_rule(r[1], RT.range_transition, "test3s", "test3t", tclass="infoflow2", + default="s2") def test_issue111(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with attribute source criteria, indirect match.""" @@ -55,8 +58,10 @@ def test_issue111(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], RT.range_transition, "test5t1", "test5target", "infoflow", "s1") - util.validate_rule(r[1], RT.range_transition, "test5t2", "test5target", "infoflow7", "s2") + util.validate_rule(r[0], RT.range_transition, "test5t1", "test5target", tclass="infoflow", + default="s1") + util.validate_rule(r[1], RT.range_transition, "test5t2", "test5target", tclass="infoflow7", + default="s2") def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with exact, direct, target match.""" @@ -65,8 +70,10 @@ def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], RT.range_transition, "test10s", "test10t", "infoflow", "s0") - util.validate_rule(r[1], RT.range_transition, "test10s", "test10t", "infoflow2", "s1") + util.validate_rule(r[0], RT.range_transition, "test10s", "test10t", tclass="infoflow", + default="s0") + util.validate_rule(r[1], RT.range_transition, "test10s", "test10t", tclass="infoflow2", + default="s1") def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with regex, direct, target match.""" @@ -75,7 +82,8 @@ def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test12s", "test12aFAIL", "infoflow", "s2") + util.validate_rule(r[0], RT.range_transition, "test12s", "test12aFAIL", tclass="infoflow", + default="s2") def test_issue111_2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with attribute target criteria, indirect match.""" @@ -84,9 +92,10 @@ def test_issue111_2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], RT.range_transition, "test14source", "test14t1", "infoflow", "s1") - util.validate_rule(r[1], RT.range_transition, "test14source", "test14t2", "infoflow7", - "s2") + util.validate_rule(r[0], RT.range_transition, "test14source", "test14t1", + tclass="infoflow", default="s1") + util.validate_rule(r[1], RT.range_transition, "test14source", "test14t2", + tclass="infoflow7", default="s2") def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with object class list match.""" @@ -95,8 +104,10 @@ def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], RT.range_transition, "test21", "test21", "infoflow3", "s2") - util.validate_rule(r[1], RT.range_transition, "test21", "test21", "infoflow4", "s1") + util.validate_rule(r[0], RT.range_transition, "test21", "test21", tclass="infoflow3", + default="s2") + util.validate_rule(r[1], RT.range_transition, "test21", "test21", tclass="infoflow4", + default="s1") def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with object class regex match.""" @@ -104,8 +115,10 @@ def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], RT.range_transition, "test22", "test22", "infoflow5", "s1") - util.validate_rule(r[1], RT.range_transition, "test22", "test22", "infoflow6", "s2") + util.validate_rule(r[0], RT.range_transition, "test22", "test22", tclass="infoflow5", + default="s1") + util.validate_rule(r[1], RT.range_transition, "test22", "test22", tclass="infoflow6", + default="s2") def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range exact match""" @@ -113,8 +126,8 @@ def test_range_exact(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test40", "test40", "infoflow", - "s40:c1 - s40:c0.c4") + util.validate_rule(r[0], RT.range_transition, "test40", "test40", tclass="infoflow", + default="s40:c1 - s40:c0.c4") def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range overlap match (equal)""" @@ -122,8 +135,8 @@ def test_range_overlap1(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", - "s41:c1 - s41:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test41", "test41", tclass="infoflow", + default="s41:c1 - s41:c1.c3") def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range overlap match (subset)""" @@ -131,8 +144,8 @@ def test_range_overlap2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", - "s41:c1 - s41:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test41", "test41", tclass="infoflow", + default="s41:c1 - s41:c1.c3") def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range overlap match (superset)""" @@ -140,8 +153,8 @@ def test_range_overlap3(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", - "s41:c1 - s41:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test41", "test41", tclass="infoflow", + default="s41:c1 - s41:c1.c3") def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range overlap match (overlap low level)""" @@ -149,8 +162,8 @@ def test_range_overlap4(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", - "s41:c1 - s41:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test41", "test41", tclass="infoflow", + default="s41:c1 - s41:c1.c3") def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range overlap match (overlap high level)""" @@ -158,8 +171,8 @@ def test_range_overlap5(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test41", "test41", "infoflow", - "s41:c1 - s41:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test41", "test41", tclass="infoflow", + default="s41:c1 - s41:c1.c3") def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range subset match""" @@ -167,8 +180,8 @@ def test_range_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test42", "test42", "infoflow", - "s42:c1 - s42:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test42", "test42", tclass="infoflow", + default="s42:c1 - s42:c1.c3") def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range subset match (equal)""" @@ -176,8 +189,8 @@ def test_range_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test42", "test42", "infoflow", - "s42:c1 - s42:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test42", "test42", tclass="infoflow", + default="s42:c1 - s42:c1.c3") def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range superset match""" @@ -185,8 +198,8 @@ def test_range_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test43", "test43", "infoflow", - "s43:c1 - s43:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test43", "test43", tclass="infoflow", + default="s43:c1 - s43:c1.c3") def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range superset match (equal)""" @@ -194,8 +207,8 @@ def test_range_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test43", "test43", "infoflow", - "s43:c1 - s43:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test43", "test43", tclass="infoflow", + default="s43:c1 - s43:c1.c3") def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper subset match""" @@ -204,8 +217,8 @@ def test_range_proper_subset1(self, compiled_policy: setools.SELinuxPolicy) -> N r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", - "s44:c1 - s44:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test44", "test44", tclass="infoflow", + default="s44:c1 - s44:c1.c3") def test_range_proper_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper subset match (equal)""" @@ -222,8 +235,8 @@ def test_range_proper_subset3(self, compiled_policy: setools.SELinuxPolicy) -> N r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", - "s44:c1 - s44:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test44", "test44", tclass="infoflow", + default="s44:c1 - s44:c1.c3") def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper subset match (equal high only)""" @@ -232,8 +245,8 @@ def test_range_proper_subset4(self, compiled_policy: setools.SELinuxPolicy) -> N r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test44", "test44", "infoflow", - "s44:c1 - s44:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test44", "test44", tclass="infoflow", + default="s44:c1 - s44:c1.c3") def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper superset match""" @@ -242,8 +255,8 @@ def test_range_proper_superset1(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", - "s45:c1 - s45:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test45", "test45", tclass="infoflow", + default="s45:c1 - s45:c1.c3") def test_range_proper_superset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper superset match (equal)""" @@ -260,8 +273,8 @@ def test_range_proper_superset3(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", - "s45:c1 - s45:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test45", "test45", tclass="infoflow", + default="s45:c1 - s45:c1.c3") def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with context range proper superset match (equal high)""" @@ -270,8 +283,8 @@ def test_range_proper_superset4(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RT.range_transition, "test45", "test45", "infoflow", - "s45:c1 - s45:c1.c3") + util.validate_rule(r[0], RT.range_transition, "test45", "test45", tclass="infoflow", + default="s45:c1 - s45:c1.c3") def test_invalid_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """MLS rule query with invalid rule type.""" diff --git a/tests/library/test_rbacrulequery.py b/tests/library/test_rbacrulequery.py index a5c31979..b5b979e8 100644 --- a/tests/library/test_rbacrulequery.py +++ b/tests/library/test_rbacrulequery.py @@ -18,18 +18,6 @@ class TestRBACRuleQuery: """RBAC rule query unit tests.""" - def validate_allow(self, rule, source, target) -> None: - """Validate a role allow rule.""" - assert RRT.allow == rule.ruletype - assert source == rule.source - assert target == rule.target - with pytest.raises(RuleUseError): - rule.tclass - with pytest.raises(RuleUseError): - rule.default - with pytest.raises(RuleNotConditional): - rule.conditional - def test_unset(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with no criteria.""" # query with no parameters gets all RBAC rules. @@ -48,8 +36,9 @@ def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - self.validate_allow(r[0], "test1s", "test1t") - util.validate_rule(r[1], RRT.role_transition, "test1s", "system", "infoflow", "test1t") + util.validate_rule(r[0], RRT.allow, "test1s", "test1t") + util.validate_rule(r[1], RRT.role_transition, "test1s", "system", tclass="infoflow", + default="test1t") def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with regex, direct, source match.""" @@ -58,7 +47,7 @@ def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - self.validate_allow(r[0], "test2s1", "test2t") + util.validate_rule(r[0], RRT.allow, "test2s1", "test2t") def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with exact, direct, target match.""" @@ -67,7 +56,7 @@ def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - self.validate_allow(r[0], "test10s", "test10t") + util.validate_rule(r[0], RRT.allow, "test10s", "test10t") def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with regex, direct, target match.""" @@ -76,7 +65,7 @@ def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - self.validate_allow(r[0], "test11s", "test11t1") + util.validate_rule(r[0], RRT.allow, "test11s", "test11t1") def test_target_type(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with a type as target.""" @@ -84,7 +73,8 @@ def test_target_type(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RRT.role_transition, "test12s", "test12t", "infoflow", "test12d") + util.validate_rule(r[0], RRT.role_transition, "test12s", "test12t", tclass="infoflow", + default="test12d") def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with object class list match.""" @@ -93,8 +83,10 @@ def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], RRT.role_transition, "test21", "system", "infoflow3", "test21d3") - util.validate_rule(r[1], RRT.role_transition, "test21", "system", "infoflow4", "test21d2") + util.validate_rule(r[0], RRT.role_transition, "test21", "system", tclass="infoflow3", + default="test21d3") + util.validate_rule(r[1], RRT.role_transition, "test21", "system", tclass="infoflow4", + default="test21d2") def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with object class regex match.""" @@ -102,8 +94,10 @@ def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], RRT.role_transition, "test22", "system", "infoflow5", "test22d2") - util.validate_rule(r[1], RRT.role_transition, "test22", "system", "infoflow6", "test22d3") + util.validate_rule(r[0], RRT.role_transition, "test22", "system", tclass="infoflow5", + default="test22d2") + util.validate_rule(r[1], RRT.role_transition, "test22", "system", tclass="infoflow6", + default="test22d3") def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with exact default match.""" @@ -112,7 +106,8 @@ def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], RRT.role_transition, "test30s", "system", "infoflow", "test30d") + util.validate_rule(r[0], RRT.role_transition, "test30s", "system", tclass="infoflow", + default="test30d") def test_default_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with regex default match.""" @@ -121,8 +116,10 @@ def test_default_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], RRT.role_transition, "test31s", "system", "infoflow7", "test31d3") - util.validate_rule(r[1], RRT.role_transition, "test31s", "system", "process", "test31d2") + util.validate_rule(r[0], RRT.role_transition, "test31s", "system", tclass="infoflow7", + default="test31d3") + util.validate_rule(r[1], RRT.role_transition, "test31s", "system", tclass="process", + default="test31d2") def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """RBAC rule query with rule type.""" diff --git a/tests/library/test_terulequery.py b/tests/library/test_terulequery.py index cc996e78..7b837aea 100644 --- a/tests/library/test_terulequery.py +++ b/tests/library/test_terulequery.py @@ -34,7 +34,8 @@ def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allow, "test1a", "test1t", "infoflow", set(["hi_w"])) + util.validate_rule(r[0], TRT.allow, "test1a", "test1t", tclass="infoflow", + perms=set(["hi_w"])) def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with exact, indirect, source match.""" @@ -43,7 +44,8 @@ def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allow, "test2a", "test2t", "infoflow", set(["hi_w"])) + util.validate_rule(r[0], TRT.allow, "test2a", "test2t", tclass="infoflow", + perms=set(["hi_w"])) def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, direct, source match.""" @@ -52,7 +54,8 @@ def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allow, "test3aS", "test3t", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TRT.allow, "test3aS", "test3t", tclass="infoflow", + perms=set(["low_r"])) def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, indirect, source match.""" @@ -61,8 +64,10 @@ def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allow, "test4a1", "test4a1", "infoflow", set(["hi_w"])) - util.validate_rule(r[1], TRT.allow, "test4a2", "test4a2", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TRT.allow, "test4a1", "test4a1", tclass="infoflow", + perms=set(["hi_w"])) + util.validate_rule(r[1], TRT.allow, "test4a2", "test4a2", tclass="infoflow", + perms=set(["low_r"])) def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with exact, direct, target match.""" @@ -71,7 +76,8 @@ def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allow, "test5s", "test5a", "infoflow", set(["hi_w"])) + util.validate_rule(r[0], TRT.allow, "test5s", "test5a", tclass="infoflow", + perms=set(["hi_w"])) def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with exact, indirect, target match.""" @@ -80,8 +86,10 @@ def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allow, "test6s", "test6a", "infoflow", set(["hi_w"])) - util.validate_rule(r[1], TRT.allow, "test6s", "test6t", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TRT.allow, "test6s", "test6a", tclass="infoflow", + perms=set(["hi_w"])) + util.validate_rule(r[1], TRT.allow, "test6s", "test6t", tclass="infoflow", + perms=set(["low_r"])) def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, direct, target match.""" @@ -90,7 +98,8 @@ def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allow, "test7s", "test7aPASS", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TRT.allow, "test7s", "test7aPASS", tclass="infoflow", + perms=set(["low_r"])) def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex, indirect, target match.""" @@ -99,8 +108,10 @@ def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allow, "test8a1", "test8a1", "infoflow", set(["hi_w"])) - util.validate_rule(r[1], TRT.allow, "test8a2", "test8a2", "infoflow", set(["low_r"])) + util.validate_rule(r[0], TRT.allow, "test8a1", "test8a1", tclass="infoflow", + perms=set(["hi_w"])) + util.validate_rule(r[1], TRT.allow, "test8a2", "test8a2", tclass="infoflow", + perms=set(["low_r"])) def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with object class list match.""" @@ -109,8 +120,10 @@ def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allow, "test10", "test10", "infoflow3", set(["null"])) - util.validate_rule(r[1], TRT.allow, "test10", "test10", "infoflow4", set(["hi_w"])) + util.validate_rule(r[0], TRT.allow, "test10", "test10", tclass="infoflow3", + perms=set(["null"])) + util.validate_rule(r[1], TRT.allow, "test10", "test10", tclass="infoflow4", + perms=set(["hi_w"])) def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with object class regex match.""" @@ -118,8 +131,10 @@ def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allow, "test11", "test11", "infoflow5", set(["low_w"])) - util.validate_rule(r[1], TRT.allow, "test11", "test11", "infoflow6", set(["med_r"])) + util.validate_rule(r[0], TRT.allow, "test11", "test11", tclass="infoflow5", + perms=set(["low_w"])) + util.validate_rule(r[1], TRT.allow, "test11", "test11", tclass="infoflow6", + perms=set(["med_r"])) def test_perms_any(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with permission set intersection.""" @@ -127,9 +142,10 @@ def test_perms_any(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allow, "test12a", "test12a", "infoflow7", set(["super_r"])) - util.validate_rule(r[1], TRT.allow, "test12b", "test12b", "infoflow7", - set(["super_r", "super_none"])) + util.validate_rule(r[0], TRT.allow, "test12a", "test12a", tclass="infoflow7", + perms=set(["super_r"])) + util.validate_rule(r[1], TRT.allow, "test12b", "test12b", tclass="infoflow7", + perms=set(["super_r", "super_none"])) def test_perms_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with permission set equality.""" @@ -138,8 +154,8 @@ def test_perms_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allow, "test13c", "test13c", "infoflow7", - set(["super_w", "super_none", "super_both"])) + util.validate_rule(r[0], TRT.allow, "test13c", "test13c", tclass="infoflow7", + perms=set(["super_w", "super_none", "super_both"])) def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with rule type match.""" @@ -147,10 +163,10 @@ def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.auditallow, "test14", "test14", "infoflow7", - set(["super_both"])) - util.validate_rule(r[1], TRT.dontaudit, "test14", "test14", "infoflow7", - set(["super_unmapped"])) + util.validate_rule(r[0], TRT.auditallow, "test14", "test14", tclass="infoflow7", + perms=set(["super_both"])) + util.validate_rule(r[1], TRT.dontaudit, "test14", "test14", tclass="infoflow7", + perms=set(["super_unmapped"])) def test_perms_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with permission subset.""" @@ -158,10 +174,10 @@ def test_perms_subset1(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allow, "test13c", "test13c", "infoflow7", - set(["super_w", "super_none", "super_both"])) - util.validate_rule(r[1], TRT.allow, "test13d", "test13d", "infoflow7", - set(["super_w", "super_none", "super_both", "super_unmapped"])) + util.validate_rule(r[0], TRT.allow, "test13c", "test13c", tclass="infoflow7", + perms=set(["super_w", "super_none", "super_both"])) + util.validate_rule(r[1], TRT.allow, "test13d", "test13d", tclass="infoflow7", + perms=set(["super_w", "super_none", "super_both", "super_unmapped"])) def test_perms_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with permission subset (equality).""" @@ -171,8 +187,8 @@ def test_perms_subset2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allow, "test13d", "test13d", "infoflow7", - set(["super_w", "super_none", "super_both", "super_unmapped"])) + util.validate_rule(r[0], TRT.allow, "test13d", "test13d", tclass="infoflow7", + perms=set(["super_w", "super_none", "super_both", "super_unmapped"])) def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with default type exact match.""" @@ -180,7 +196,8 @@ def test_default(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.type_transition, "test100", "test100", "infoflow7", "test100d") + util.validate_rule(r[0], TRT.type_transition, "test100", "test100", tclass="infoflow7", + default="test100d") def test_default_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with default type regex match.""" @@ -188,10 +205,10 @@ def test_default_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.type_transition, "test101", "test101d", "infoflow7", - "test101e") - util.validate_rule(r[1], TRT.type_transition, "test101", "test101e", "infoflow7", - "test101d") + util.validate_rule(r[0], TRT.type_transition, "test101", "test101d", tclass="infoflow7", + default="test101e") + util.validate_rule(r[1], TRT.type_transition, "test101", "test101e", tclass="infoflow7", + default="test101d") def test_boolean_intersection(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with intersection Boolean set match.""" @@ -199,10 +216,10 @@ def test_boolean_intersection(self, compiled_policy: setools.SELinuxPolicy) -> N r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allow, "test200t1", "test200t1", "infoflow7", - set(["super_w"]), cond="test200") - util.validate_rule(r[1], TRT.allow, "test200t2", "test200t2", "infoflow7", - set(["super_w"]), cond="test200a && test200") + util.validate_rule(r[0], TRT.allow, "test200t1", "test200t1", tclass="infoflow7", + perms=set(["super_w"]), cond="test200", cond_block=True) + util.validate_rule(r[1], TRT.allow, "test200t2", "test200t2", tclass="infoflow7", + perms=set(["super_w"]), cond="test200a && test200", cond_block=True) def test_boolean_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with equal Boolean set match.""" @@ -210,8 +227,9 @@ def test_boolean_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allow, "test201t1", "test201t1", "infoflow7", - set(["super_unmapped"]), cond="test201b && test201a") + util.validate_rule(r[0], TRT.allow, "test201t1", "test201t1", tclass="infoflow7", + perms=set(["super_unmapped"]), cond="test201b && test201a", + cond_block=True) def test_boolean_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with regex Boolean match.""" @@ -219,10 +237,11 @@ def test_boolean_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allow, "test202t1", "test202t1", "infoflow7", - set(["super_none"]), cond="test202a") - util.validate_rule(r[1], TRT.allow, "test202t2", "test202t2", "infoflow7", - set(["super_unmapped"]), cond="test202b || test202c") + util.validate_rule(r[0], TRT.allow, "test202t1", "test202t1", tclass="infoflow7", + perms=set(["super_none"]), cond="test202a", cond_block=True) + util.validate_rule(r[1], TRT.allow, "test202t2", "test202t2", tclass="infoflow7", + perms=set(["super_unmapped"]), cond="test202b || test202c", + cond_block=True) def test_issue111(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with attribute source criteria, indirect match.""" @@ -231,11 +250,14 @@ def test_issue111(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 4 - util.validate_rule(r[0], TRT.allow, "test300a", "test300target", "infoflow7", set(["hi_w"])) - util.validate_rule(r[1], TRT.allow, "test300b", "test300target", "infoflow7", - set(["super_w"])) - util.validate_rule(r[2], TRT.allow, "test300t1", "test300t1", "infoflow7", set(["hi_r"])) - util.validate_rule(r[3], TRT.allow, "test300t2", "test300t2", "infoflow7", set(["med_w"])) + util.validate_rule(r[0], TRT.allow, "test300a", "test300target", tclass="infoflow7", + perms=set(["hi_w"])) + util.validate_rule(r[1], TRT.allow, "test300b", "test300target", tclass="infoflow7", + perms=set(["super_w"])) + util.validate_rule(r[2], TRT.allow, "test300t1", "test300t1", tclass="infoflow7", + perms=set(["hi_r"])) + util.validate_rule(r[3], TRT.allow, "test300t2", "test300t2", tclass="infoflow7", + perms=set(["med_w"])) def test_issue111_2(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with attribute target criteria, indirect match.""" @@ -244,11 +266,14 @@ def test_issue111_2(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 4 - util.validate_rule(r[0], TRT.allow, "test301source", "test301a", "infoflow7", set(["hi_w"])) - util.validate_rule(r[1], TRT.allow, "test301source", "test301b", "infoflow7", - set(["super_w"])) - util.validate_rule(r[2], TRT.allow, "test301t1", "test301t1", "infoflow7", set(["hi_r"])) - util.validate_rule(r[3], TRT.allow, "test301t2", "test301t2", "infoflow7", set(["med_w"])) + util.validate_rule(r[0], TRT.allow, "test301source", "test301a", tclass="infoflow7", + perms=set(["hi_w"])) + util.validate_rule(r[1], TRT.allow, "test301source", "test301b", tclass="infoflow7", + perms=set(["super_w"])) + util.validate_rule(r[2], TRT.allow, "test301t1", "test301t1", tclass="infoflow7", + perms=set(["hi_r"])) + util.validate_rule(r[3], TRT.allow, "test301t2", "test301t2", tclass="infoflow7", + perms=set(["med_w"])) def test_issue111_3(self, compiled_policy: setools.SELinuxPolicy) -> None: """TE rule query with attribute default type criteria.""" @@ -257,10 +282,10 @@ def test_issue111_3(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.type_transition, "test302source", "test302t1", "infoflow7", - "test302t1") - util.validate_rule(r[1], TRT.type_transition, "test302source", "test302t2", "infoflow7", - "test302t2") + util.validate_rule(r[0], TRT.type_transition, "test302source", "test302t1", + tclass="infoflow7", default="test302t1") + util.validate_rule(r[1], TRT.type_transition, "test302source", "test302t2", + tclass="infoflow7", default="test302t2") @pytest.mark.obj_args("tests/library/terulequery2.conf") @@ -275,8 +300,8 @@ def test_source_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allowxperm, "test1a", "test1t", "infoflow", - setools.IoctlSet(range(0xebe0, 0xebff + 1)), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test1a", "test1t", tclass="infoflow", + perms=setools.IoctlSet(range(0xebe0, 0xebff + 1)), xperm="ioctl") def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with exact, indirect, source match.""" @@ -285,8 +310,8 @@ def test_source_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allowxperm, "test2a", "test2t", "infoflow", - setools.IoctlSet([0x5411, 0x5451]), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test2a", "test2t", tclass="infoflow", + perms=setools.IoctlSet([0x5411, 0x5451]), xperm="ioctl") def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, direct, source match.""" @@ -295,8 +320,8 @@ def test_source_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allowxperm, "test3aS", "test3t", "infoflow", - setools.IoctlSet([0x1111]), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test3aS", "test3t", tclass="infoflow", + perms=setools.IoctlSet([0x1111]), xperm="ioctl") def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, indirect, source match.""" @@ -305,10 +330,10 @@ def test_source_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allowxperm, "test4a1", "test4a1", "infoflow", - setools.IoctlSet([0x9999]), xperm="ioctl") - util.validate_rule(r[1], TRT.allowxperm, "test4a2", "test4a2", "infoflow", - setools.IoctlSet([0x1111]), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test4a1", "test4a1", tclass="infoflow", + perms=setools.IoctlSet([0x9999]), xperm="ioctl") + util.validate_rule(r[1], TRT.allowxperm, "test4a2", "test4a2", tclass="infoflow", + perms=setools.IoctlSet([0x1111]), xperm="ioctl") def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with exact, direct, target match.""" @@ -317,8 +342,8 @@ def test_target_direct(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allowxperm, "test5s", "test5a", "infoflow", - setools.IoctlSet([0x9999]), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test5s", "test5a", tclass="infoflow", + perms=setools.IoctlSet([0x9999]), xperm="ioctl") def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with exact, indirect, target match.""" @@ -327,10 +352,10 @@ def test_target_indirect(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allowxperm, "test6s", "test6a", "infoflow", - setools.IoctlSet([0x9999]), xperm="ioctl") - util.validate_rule(r[1], TRT.allowxperm, "test6s", "test6t", "infoflow", - setools.IoctlSet([0x1111]), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test6s", "test6a", tclass="infoflow", + perms=setools.IoctlSet([0x9999]), xperm="ioctl") + util.validate_rule(r[1], TRT.allowxperm, "test6s", "test6t", tclass="infoflow", + perms=setools.IoctlSet([0x1111]), xperm="ioctl") def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, direct, target match.""" @@ -339,8 +364,8 @@ def test_target_direct_regex(self, compiled_policy: setools.SELinuxPolicy) -> No r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allowxperm, "test7s", "test7aPASS", "infoflow", - setools.IoctlSet([0x1111]), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test7s", "test7aPASS", tclass="infoflow", + perms=setools.IoctlSet([0x1111]), xperm="ioctl") def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with regex, indirect, target match.""" @@ -349,10 +374,10 @@ def test_target_indirect_regex(self, compiled_policy: setools.SELinuxPolicy) -> r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allowxperm, "test8a1", "test8a1", "infoflow", - setools.IoctlSet([0x9999]), xperm="ioctl") - util.validate_rule(r[1], TRT.allowxperm, "test8a2", "test8a2", "infoflow", - setools.IoctlSet([0x1111]), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test8a1", "test8a1", tclass="infoflow", + perms=setools.IoctlSet([0x9999]), xperm="ioctl") + util.validate_rule(r[1], TRT.allowxperm, "test8a2", "test8a2", tclass="infoflow", + perms=setools.IoctlSet([0x1111]), xperm="ioctl") def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with object class list match.""" @@ -361,10 +386,10 @@ def test_class_list(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allowxperm, "test10", "test10", "infoflow3", - setools.IoctlSet([0]), xperm="ioctl") - util.validate_rule(r[1], TRT.allowxperm, "test10", "test10", "infoflow4", - setools.IoctlSet([0x9999]), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test10", "test10", tclass="infoflow3", + perms=setools.IoctlSet([0]), xperm="ioctl") + util.validate_rule(r[1], TRT.allowxperm, "test10", "test10", tclass="infoflow4", + perms=setools.IoctlSet([0x9999]), xperm="ioctl") def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with object class regex match.""" @@ -372,10 +397,10 @@ def test_class_regex(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.allowxperm, "test11", "test11", "infoflow5", - setools.IoctlSet([0x1111]), xperm="ioctl") - util.validate_rule(r[1], TRT.allowxperm, "test11", "test11", "infoflow6", - setools.IoctlSet([0x5555]), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test11", "test11", tclass="infoflow5", + perms=setools.IoctlSet([0x1111]), xperm="ioctl") + util.validate_rule(r[1], TRT.allowxperm, "test11", "test11", tclass="infoflow6", + perms=setools.IoctlSet([0x5555]), xperm="ioctl") def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query with rule type match.""" @@ -383,10 +408,10 @@ def test_ruletype(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 2 - util.validate_rule(r[0], TRT.auditallowxperm, "test14", "test14", "infoflow7", - setools.IoctlSet([0x1234]), xperm="ioctl") - util.validate_rule(r[1], TRT.dontauditxperm, "test14", "test14", "infoflow7", - setools.IoctlSet([0x4321]), xperm="ioctl") + util.validate_rule(r[0], TRT.auditallowxperm, "test14", "test14", tclass="infoflow7", + perms=setools.IoctlSet([0x1234]), xperm="ioctl") + util.validate_rule(r[1], TRT.dontauditxperm, "test14", "test14", tclass="infoflow7", + perms=setools.IoctlSet([0x4321]), xperm="ioctl") def test_std_perm_any(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query match by standard permission.""" @@ -420,14 +445,14 @@ def test_xperm_any(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 4 - util.validate_rule(r[0], TRT.allowxperm, "test101a", "test101a", "infoflow7", - setools.IoctlSet([0x9011]), xperm="ioctl") - util.validate_rule(r[1], TRT.allowxperm, "test101b", "test101b", "infoflow7", - setools.IoctlSet([0x9011, 0x9012]), xperm="ioctl") - util.validate_rule(r[2], TRT.allowxperm, "test101c", "test101c", "infoflow7", - setools.IoctlSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") - util.validate_rule(r[3], TRT.allowxperm, "test101d", "test101d", "infoflow7", - setools.IoctlSet([0x9011, 0x9012, 0x9013, 0x9014]), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test101a", "test101a", tclass="infoflow7", + perms=setools.IoctlSet([0x9011]), xperm="ioctl") + util.validate_rule(r[1], TRT.allowxperm, "test101b", "test101b", tclass="infoflow7", + perms=setools.IoctlSet([0x9011, 0x9012]), xperm="ioctl") + util.validate_rule(r[2], TRT.allowxperm, "test101c", "test101c", tclass="infoflow7", + perms=setools.IoctlSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") + util.validate_rule(r[3], TRT.allowxperm, "test101d", "test101d", tclass="infoflow7", + perms=setools.IoctlSet([0x9011, 0x9012, 0x9013, 0x9014]), xperm="ioctl") def test_xperm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: """Xperm rule query match equal perm set.""" @@ -435,5 +460,5 @@ def test_xperm_equal(self, compiled_policy: setools.SELinuxPolicy) -> None: r = sorted(q.results()) assert len(r) == 1 - util.validate_rule(r[0], TRT.allowxperm, "test101c", "test101c", "infoflow7", - setools.IoctlSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") + util.validate_rule(r[0], TRT.allowxperm, "test101c", "test101c", tclass="infoflow7", + perms=setools.IoctlSet([0x9011, 0x9012, 0x9013]), xperm="ioctl") diff --git a/tests/library/util.py b/tests/library/util.py index fcb364e8..78b2a3d2 100644 --- a/tests/library/util.py +++ b/tests/library/util.py @@ -12,8 +12,10 @@ def validate_rule(rule: setools.policyrep.PolicyRule, ruletype: setools.policyrep.PolicyEnum | str, source: setools.policyrep.PolicySymbol | str, target: setools.policyrep.PolicySymbol | str, - tclass: setools.ObjClass | str, - last_item: set[str] | setools.IoctlSet | setools.policyrep.PolicySymbol | str, + /, *, + tclass: setools.ObjClass | str | None = None, + perms: set[str] | setools.IoctlSet | None = None, + default: setools.policyrep.PolicySymbol | str | None = None, cond: str | None = None, cond_block: bool | None = None, xperm: str | None = None) -> None: @@ -22,27 +24,27 @@ def validate_rule(rule: setools.policyrep.PolicyRule, assert ruletype == rule.ruletype assert source == rule.source assert target == rule.target - assert tclass == rule.tclass - try: - # This is the common case. - assert last_item == rule.perms - except (AttributeError, setools.exception.RuleUseError): - assert last_item == rule.default + if tclass is not None: + assert tclass == rule.tclass + + if perms is not None: + assert perms == rule.perms + + elif default is not None: + assert default == rule.default if cond: assert cond == rule.conditional + assert cond_block == rule.conditional_block else: with pytest.raises(setools.exception.RuleNotConditional): rule.conditional - - if cond_block is not None: - assert cond_block == rule.conditional_block + with pytest.raises(setools.exception.RuleNotConditional): + rule.conditional_block if xperm: assert xperm == rule.xperm_type assert rule.extended else: - with pytest.raises(AttributeError): - rule.xperm_type assert not rule.extended