#!/bin/sh
# PCP QA Test No. 917
# SELinux Testing
#
# Copyright (c) 2017 Red Hat Inc.  All Rights Reserved.
#

seq=`basename $0`
echo "QA output created by $seq"

# get standard environment, filters and checks
. ./common.product
. ./common.filter
. ./common.check

policy_name="pcpupstream"
policy_file="$PCP_VAR_DIR/selinux/$policy_name.pp"
which sedismod >/dev/null 2>&1 || _notrun "sedismod tool not installed (module disassembly)"
which semodule >/dev/null 2>&1 || _notrun "semodule tool not installed"
which seinfo >/dev/null 2>&1 || _notrun "seinfo tool not installed"
[ -f "$policy_file" ] || _notrun "upstream policy package not installed"

nsfs_t=`seinfo -t | grep 'nsfs_t$'`
docker_var_lib_t=""
svirt_lxc_net_t=`seinfo -t | grep "svirt_lxc_net_t$"`
systemd_systemctl_exec_t=`seinfo -t | grep "systemd_systemctl_exec_t$"`
systemd_systemctl_unit_file_t=`seinfo -t | grep "systemd_systemctl_unit_file_t$"`

_filter_semodule()
{
    awk '{ print $1 }'
}

_filter_sedismod()
{
    sed -n '/--- begin avrule block ---/,$p'
}
_filter_sedismod1()
{
    sed -e '/^Command/d'
}
_filter_outfile()
{
    awk -v container_t="$container_runtime_t" \
	-v nsfs_t="$nsfs_t" \
	-v docker_var_lib_t="$docker_var_lib_t" \
	-v svirt_lxc_net_t="$svirt_lxc_net_t" \
	-v class_status="$class_status" \
	-v systemd_systemctl_exec_t="$systemd_systemctl_exec_t" \
	-v systemd_systemctl_unit_file_t="$systemd_systemctl_unit_file_t" \
    '{
    	if (container_t == "" && /container_runtime_t/)
	   !/container_runtime_t/ ;
	else if (nsfs_t == "" && /nsfs_t/)
	   !/nsfs_t/ ;
    	else if (docker_var_lib_t == "" && /docker_var_lib_t/)
	   !/docker_var_lib_t/ ;
    	else if (svirt_lxc_net_t == "" && /svirt_lxc_net_t/)
	   !/svirt_lxc_net_t/ ;
    	else if (systemd_systemctl_exec_t == "" && /systemd_systemctl_exec_t/)
	   !/systemd_systemctl_exec_t/ ;
    	else if (systemd_systemctl_unit_file_t == "" && /systemd_systemctl_unit_file_t/)
	   !/systemd_systemctl_unit_file_t/ ;
	else
	   print;
    }'
}

status=1	# failure is the default!
$sudo rm -rf $tmp $tmp.* $seq.full
trap "cd $here; $sudo rm -rf $tmp $tmp.*; exit \$status" 0 1 2 3 15
echo > $seq.full

cat $seq.out.in | _filter_outfile > $seq.out

echo "full policy modules list on the system"
$sudo semodule -l >> $seq.full
echo "Checking that pcpupstream policy module has been properly installed"
grep "pcpupstream$" $seq.full | _filter_semodule
# real QA test starts here
echo "Checking policies."
printf '1\nq\n' | sedismod $policy_file | _filter_sedismod | _filter_sedismod1


# success, all done
status=0
exit
