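/* Check what access the caller has to the policy store addressed by sh.
 *
 * Builds the store path from selinux_path() and sh->conf->store_path,
 * runs semanage_check_init() on it, and then returns the result of
 * semanage_store_access_check(sh).
 *
 * Returns -1 if the path does not fit in PATH_MAX or semanage_check_init()
 * fails; otherwise the value returned by semanage_store_access_check().
 */
int semanage_direct_access_check(semanage_handle_t *sh) {
	char polpath[PATH_MAX];
	int len;

	/* A truncated path would make the subsequent checks answer for the
	 * wrong location, so treat truncation (or a format error) as failure
	 * rather than continuing with a partial name. */
	len = snprintf(polpath, sizeof polpath, "%s%s", selinux_path(),
		       sh->conf->store_path);
	if (len < 0 || (size_t)len >= sizeof polpath)
		return -1;

	if (semanage_check_init(polpath))
		return -1;

	return semanage_store_access_check(sh);
}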
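/* Tests the semanage_store_access_check function in semanage_store.c
 *
 * Cycles the store directories (polpath, modpath, lockpath) and the
 * read-lock file through a series of permission sets and asserts the
 * access level the library reports for each.  As the cases below show,
 * -1 is expected when nothing is accessible, 0 when the directories are
 * readable but the lock (or lock directory) is not, and SEMANAGE_CAN_READ
 * / SEMANAGE_CAN_WRITE otherwise.  Relies on the file-scope sh, polpath,
 * modpath, lockpath and readlockpath prepared by the suite setup.
 */
void test_semanage_store_access_check(void)
{
	int err;

	/* create lock file: the file type belongs in the mode argument;
	 * the dev argument is only meaningful for device nodes, so pass 0.
	 * Check the result so a pre-existing or uncreatable lock file does
	 * not silently turn the later cases into the "no lock file" ones. */
	err = mknod(readlockpath, S_IFREG | S_IRUSR | S_IWUSR, 0);
	CU_ASSERT(err == 0);

	/* check with permissions 000 */
	err = chmod(modpath, 0);
	CU_ASSERT(err == 0);
	err = chmod(readlockpath, 0);
	CU_ASSERT(err == 0);
	err = chmod(polpath, 0);
	CU_ASSERT(err == 0);

	err = semanage_store_access_check(sh);
	CU_ASSERT(err == -1);

	/* check with permissions 500 */
	err = chmod(polpath, S_IRUSR | S_IXUSR);
	CU_ASSERT(err == 0);
	err = chmod(readlockpath, S_IRUSR);
	CU_ASSERT(err == 0);
	err = chmod(modpath, S_IRUSR | S_IXUSR);
	CU_ASSERT(err == 0);

	err = semanage_store_access_check(sh);
	CU_ASSERT(err == SEMANAGE_CAN_READ);

	/* check with permissions 700 */
	err = chmod(polpath, S_IRUSR | S_IWUSR | S_IXUSR);
	CU_ASSERT(err == 0);
	err = chmod(readlockpath, S_IRUSR | S_IWUSR);
	CU_ASSERT(err == 0);
	err = chmod(modpath, S_IRUSR | S_IWUSR | S_IXUSR);
	CU_ASSERT(err == 0);

	err = semanage_store_access_check(sh);
	CU_ASSERT(err == SEMANAGE_CAN_WRITE);

	/* check with lock file 000 and others 500: an unreadable lock file
	 * denies even read access */
	err = chmod(polpath, S_IRUSR | S_IXUSR);
	CU_ASSERT(err == 0);
	err = chmod(readlockpath, 0);
	CU_ASSERT(err == 0);
	err = chmod(modpath, S_IRUSR | S_IXUSR);
	CU_ASSERT(err == 0);

	err = semanage_store_access_check(sh);
	CU_ASSERT(err == 0);

	/* check with lock file 000 and others 700 */
	err = chmod(polpath, S_IRUSR | S_IWUSR | S_IXUSR);
	CU_ASSERT(err == 0);
	err = chmod(readlockpath, 0);
	CU_ASSERT(err == 0);
	err = chmod(modpath, S_IRUSR | S_IWUSR | S_IXUSR);
	CU_ASSERT(err == 0);

	err = semanage_store_access_check(sh);
	CU_ASSERT(err == 0);

	/* remove lock file */
	err = remove(readlockpath);
	CU_ASSERT(err == 0);

	/* check with no lock file and 000 */
	err = chmod(modpath, 0);
	CU_ASSERT(err == 0);
	err = chmod(lockpath, 0);
	CU_ASSERT(err == 0);
	err = chmod(polpath, 0);
	CU_ASSERT(err == 0);

	err = semanage_store_access_check(sh);
	CU_ASSERT(err == -1);

	/* check with no lock file and 500: without write access to the lock
	 * directory the lock file cannot be created, so no access */
	err = chmod(polpath, S_IRUSR | S_IXUSR);
	CU_ASSERT(err == 0);
	err = chmod(lockpath, S_IRUSR | S_IXUSR);
	CU_ASSERT(err == 0);
	err = chmod(modpath, S_IRUSR | S_IXUSR);
	CU_ASSERT(err == 0);

	err = semanage_store_access_check(sh);
	CU_ASSERT(err == 0);

	/* check with no lock file but write in lockpath */
	err = chmod(lockpath, S_IRUSR | S_IWUSR | S_IXUSR);
	CU_ASSERT(err == 0);

	err = semanage_store_access_check(sh);
	CU_ASSERT(err == SEMANAGE_CAN_READ);

	/* check with no lock file and 700 */
	err = chmod(polpath, S_IRUSR | S_IWUSR | S_IXUSR);
	CU_ASSERT(err == 0);
	err = chmod(modpath, S_IRUSR | S_IWUSR | S_IXUSR);
	CU_ASSERT(err == 0);

	err = semanage_store_access_check(sh);
	CU_ASSERT(err == SEMANAGE_CAN_WRITE);
}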