1 #!/bin/bash
2 ###############################################################################
3 # (c) Copyright Hewlett-Packard Development Company, L.P., 2006
5 # This program is free software: you can redistribute it and/or modify
6 # it under the terms of version 2 the GNU General Public License as
7 # published by the Free Software Foundation.
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
14 # You should have received a copy of the GNU General Public License
15 # along with this program. If not, see <http://www.gnu.org/licenses/>.
16 ###############################################################################
18 # PURPOSE:
19 # Verify audit of failed login when user selects an invalid level.
20 # User is only allowed s0 but picks s15.
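# Pull in the shared PAM test helpers; nothing below can run without them.
source pam_functions.bash || exit 2

# setup
# allow TEST_USER to write to tmpfile
# NOTE(review): mode 666 makes the file writable by every local account, not
# only TEST_USER, and nothing visible in this script writes to it -- confirm
# the wide mode is still needed for this test case.
chmod 666 "$localtmp"

# if in LSPP mode, map the TEST_USER to staff_u
if [[ $PPROFILE == "lspp" ]]; then
  # Best-effort: there may be no existing mapping to delete.
  semanage login -d "$TEST_USER"
  # The test is meaningless without this mapping, so report a setup error
  # instead of continuing into a misleading audit-record failure.
  semanage login -a -s staff_u "$TEST_USER" \
    || exit_error "could not map $TEST_USER to staff_u"
  # NOTE(review): this script never removes the staff_u mapping again;
  # presumably the harness cleanup restores it -- confirm.
  # XXX should compute the default context from the policy
  def_context=staff_u:sysadm_r:sysadm_t:s0
  sel_context=staff_u:sysadm_r:sysadm_t:s15
  auid=$(id -u "$TEST_USER")
else
  exit_error "Not in lspp mode"
fi

# calling login in this manner leaves an entry in /var/run/utmp
# use backup (and automatic restore) to work around this
backup /var/run/utmp

# test
# The expect script reads the account name and password from the environment
# ($env(...)), so the password is not placed on a command line. TEST_USER and
# TEST_USER_PASSWD must therefore be exported -- presumably by
# pam_functions.bash or the harness; confirm.
# None of the expect commands has a timeout action: a prompt that never
# appears is skipped once expect's timeout elapses, and the verdict is left to
# the audit-record checks below.
export localtmp
expect -c '
spawn login
expect -nocase {login: $} {send "$env(TEST_USER)\r"}
expect -nocase {password: $} {send "$env(TEST_USER_PASSWD)\r"}
expect -nocase {level} {send "Y\r"}
expect -nocase {role:} {send "\r"}
expect -nocase {level:} {send "s15\r"}
expect -nocase {"authentication failure"} {close; wait}'

# verify
# Both records must be present: the failed session open, and the failed role
# change from the default s0 context to the requested s15 context.
# NOTE(review): TEST_USER is interpolated into the match pattern, so it is
# assumed to be a plain account name without pattern metacharacters.
# NOTE(review): presumably augrok only considers records from this test run;
# confirm, otherwise records left by an earlier run could satisfy the checks.
msg_1="acct=\"*$TEST_USER\"* : exe=./bin/login.* res=failed.*"
augrok -q type=USER_START msg_1=~"PAM: session open $msg_1" auid="$auid" \
  subj="$login_context" || exit_fail
augrok -q type=USER_ROLE_CHANGE \
  msg_1=~"pam: default-context=$def_context selected-context=$sel_context: exe=./bin/login.* res=failed.*" \
  auid="$auid" || exit_fail
exit_pass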