[libvirt] [PATCH tck] Avoid assumptions about selinux contexts

Daniel P. Berrange berrange at redhat.com
Thu Mar 27 15:26:03 UTC 2014


The current SELinux tests assume a context system_u:system_r
or system_u:object_r, which is not true if running against
a libvirtd from the source tree.
---
 lib/Sys/Virt/TCK/SELinux.pm               | 30 +++++++++++++++++++++++++++---
 scripts/selinux/050-dynamic-relabel-yes.t | 10 ++++++----
 scripts/selinux/055-dynamic-base-label.t  | 10 ++++++----
 scripts/selinux/100-static-relabel-no.t   |  2 +-
 scripts/selinux/110-static-relabel-yes.t  | 11 +++++++----
 5 files changed, 47 insertions(+), 16 deletions(-)

diff --git a/lib/Sys/Virt/TCK/SELinux.pm b/lib/Sys/Virt/TCK/SELinux.pm
index 9f7c0c1..c117fca 100644
--- a/lib/Sys/Virt/TCK/SELinux.pm
+++ b/lib/Sys/Virt/TCK/SELinux.pm
@@ -18,19 +18,43 @@ use warnings;
 use base qw(Exporter);
 
 use vars qw($SELINUX_GENERIC_CONTEXT $SELINUX_DOMAIN_CONTEXT
- $SELINUX_IMAGE_CONTEXT $SELINUX_OTHER_CONTEXT);
+ $SELINUX_IMAGE_CONTEXT $SELINUX_OTHER_CONTEXT
+ $SELINUX_GENERIC_TYPE $SELINUX_DOMAIN_TYPE
+ $SELINUX_IMAGE_TYPE $SELINUX_OTHER_TYPE);
 
 our @EXPORT = qw(selinux_get_file_context
  selinux_set_file_context
  selinux_restore_file_context
+ selinux_get_type
+ selinux_get_mcs
  $SELINUX_GENERIC_CONTEXT $SELINUX_DOMAIN_CONTEXT
- $SELINUX_IMAGE_CONTEXT $SELINUX_OTHER_CONTEXT);
+ $SELINUX_IMAGE_CONTEXT $SELINUX_OTHER_CONTEXT
+ $SELINUX_GENERIC_TYPE $SELINUX_DOMAIN_TYPE
+ $SELINUX_IMAGE_TYPE $SELINUX_OTHER_TYPE);
 
-$SELINUX_OTHER_CONTEXT = "system_u:object_r:virt_t:s0";
+$SELINUX_OTHER_TYPE = "svirt_tcg_t";
+$SELINUX_GENERIC_TYPE = "virt_image_t";
+$SELINUX_DOMAIN_TYPE = "svirt_t";
+$SELINUX_IMAGE_TYPE = "svirt_image_t";
+
+$SELINUX_OTHER_CONTEXT = "system_u:system_r:svirt_tcg_t:s0";
 $SELINUX_GENERIC_CONTEXT = "system_u:object_r:virt_image_t:s0";
 $SELINUX_DOMAIN_CONTEXT = "system_u:system_r:svirt_t:s0";
 $SELINUX_IMAGE_CONTEXT = "system_u:object_r:svirt_image_t:s0";
 
+sub selinux_get_type {
+    my $context = shift;
+
+    my @bits = split /:/, $context;
+    return $bits[2];
+}
+
+sub selinux_get_mcs {
+    my $context = shift;
+
+    my @bits = split /:/, $context;
+    return $bits[4];
+}
 
 sub selinux_get_file_context {
     my $path = shift;
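Review bot: selinux_get_mcs returns undef for any context without a category field (for example the four-field `system_u:object_r:virt_image_t:s0` defined in this file), because it reads `$bits[4]` without checking how many fields the split produced. In the 050 and 055 hunks that value feeds `is($domainmcs, $imagemcs, ...)`, and Test::More's `is` treats two undef values as equal, so a domain and image that both lack categories would pass the MCS check the tests exist to enforce. I would add `die "no MCS categories in '$context'" unless defined $bits[4];` before the return, and use `split /:/, $context, 5` so a level range containing further colons stays in one field. selinux_get_file_context continues outside the hunk.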
diff --git a/scripts/selinux/050-dynamic-relabel-yes.t b/scripts/selinux/050-dynamic-relabel-yes.t
index 2fb6866..5a53b9d 100644
--- a/scripts/selinux/050-dynamic-relabel-yes.t
+++ b/scripts/selinux/050-dynamic-relabel-yes.t
@@ -64,12 +64,14 @@ SKIP: {
     diag "domainlabel $domainlabel";
     my $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
     diag "imagelabel $imagelabel";
+    my $domaintype = selinux_get_type($domainlabel);
+    my $imagetype = selinux_get_type($imagelabel);
 
-    is(index($domainlabel, $SELINUX_DOMAIN_CONTEXT), 0, "dynamic domain label prefix is $SELINUX_DOMAIN_CONTEXT");
-    is(index($imagelabel, $SELINUX_IMAGE_CONTEXT), 0, "dynamic image label prefix is $SELINUX_IMAGE_CONTEXT");
+    is($domaintype, $SELINUX_DOMAIN_TYPE, "dynamic domain label type is $SELINUX_DOMAIN_TYPE");
+    is($imagetype, $SELINUX_IMAGE_TYPE, "dynamic image label type is $SELINUX_IMAGE_TYPE");
 
-    my $domainmcs = substr $domainlabel, length($SELINUX_DOMAIN_CONTEXT);
-    my $imagemcs = substr $imagelabel, length($SELINUX_IMAGE_CONTEXT);
+    my $domainmcs = selinux_get_mcs($domainlabel);
+    my $imagemcs = selinux_get_mcs($imagelabel);
 
     is($domainmcs, $imagemcs, "Domain MCS $domainmcs == Image MCS $imagemcs");
 
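Review bot: The sensitivity level is no longer asserted here: the old prefix match against `$SELINUX_DOMAIN_CONTEXT` covered the `:s0` field, while the new checks compare only the type field and the category field. If the intent is only to stop depending on user and role, a check such as `is((split /:/, $domainlabel)[3], "s0", "dynamic domain label sensitivity is s0");` would keep the level covered. The same applies to the 055-dynamic-base-label.t hunk. If these files declare a fixed test plan, the count would need raising; that line is outside the hunk.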
diff --git a/scripts/selinux/055-dynamic-base-label.t b/scripts/selinux/055-dynamic-base-label.t
index ba07c09..646c50d 100644
--- a/scripts/selinux/055-dynamic-base-label.t
+++ b/scripts/selinux/055-dynamic-base-label.t
@@ -64,12 +64,14 @@ SKIP: {
     diag "domainlabel $domainlabel";
     my $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
     diag "imagelabel $imagelabel";
+    my $domaintype = selinux_get_type($domainlabel);
+    my $imagetype = selinux_get_type($imagelabel);
 
-    is(index($domainlabel, $SELINUX_OTHER_CONTEXT), 0, "dynamic domain label prefix is $SELINUX_OTHER_CONTEXT");
-    is(index($imagelabel, $SELINUX_IMAGE_CONTEXT), 0, "dynamic image label prefix is $SELINUX_IMAGE_CONTEXT");
+    is($domaintype, $SELINUX_OTHER_TYPE, "dynamic domain label type is $SELINUX_OTHER_TYPE");
+    is($imagetype, $SELINUX_IMAGE_TYPE, "dynamic image label type is $SELINUX_IMAGE_TYPE");
 
-    my $domainmcs = substr $domainlabel, length($SELINUX_OTHER_CONTEXT);
-    my $imagemcs = substr $imagelabel, length($SELINUX_IMAGE_CONTEXT);
+    my $domainmcs = selinux_get_mcs($domainlabel);
+    my $imagemcs = selinux_get_mcs($imagelabel);
 
     is($domainmcs, $imagemcs, "Domain MCS $domainmcs == Image MCS $imagemcs");
 
diff --git a/scripts/selinux/100-static-relabel-no.t b/scripts/selinux/100-static-relabel-no.t
index 36eae47..8d9fda8 100644
--- a/scripts/selinux/100-static-relabel-no.t
+++ b/scripts/selinux/100-static-relabel-no.t
@@ -51,8 +51,8 @@ SKIP: {
     my $origdomainlabel = $SELINUX_DOMAIN_CONTEXT . $origmcs;
     my $origimagelabel = $SELINUX_IMAGE_CONTEXT . $origmcs;
 
+    diag "Setting image '$disk' to '$origimagelabel'";
     selinux_set_file_context($disk, $origimagelabel);
-
     my $xml = $tck->generic_domain(name => "tck")
 	->seclabel(model => "selinux", type => "static", relabel => "no", label => $origdomainlabel)
 	->disk(src => $disk, dst => "vdb", type => "file")
diff --git a/scripts/selinux/110-static-relabel-yes.t b/scripts/selinux/110-static-relabel-yes.t
index dc4e1ec..f558cc9 100644
--- a/scripts/selinux/110-static-relabel-yes.t
+++ b/scripts/selinux/110-static-relabel-yes.t
@@ -28,7 +28,7 @@ and files can be relabelled
 use strict;
 use warnings;
 
-use Test::More tests => 5;
+use Test::More tests => 6;
 
 use Sys::Virt::TCK;
 use Sys::Virt::TCK::SELinux;
@@ -48,8 +48,8 @@ SKIP: {
 
     my $disk = $tck->create_sparse_disk("selinux", "tck", 50);
 
-    my $origmcs = ":c1,c2";
-    my $origdomainlabel = $SELINUX_DOMAIN_CONTEXT . $origmcs;
+    my $origmcs = "c1,c2";
+    my $origdomainlabel = $SELINUX_DOMAIN_CONTEXT . ":" . $origmcs;
     my $origimagelabel = selinux_restore_file_context($disk);
 
     my $xml = $tck->generic_domain(name => "tck")
@@ -66,9 +66,12 @@ SKIP: {
     diag "domainlabel $domainlabel";
     my $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
     diag "imagelabel $imagelabel";
+    my $imagetype = selinux_get_type($imagelabel);
+    my $imagemcs = selinux_get_mcs($imagelabel);
 
     is($origdomainlabel, $domainlabel, "static label is $domainlabel");
-    is($imagelabel, $SELINUX_IMAGE_CONTEXT . $origmcs, "image label is $SELINUX_DOMAIN_CONTEXT$origmcs");
+    is($imagetype, $SELINUX_IMAGE_TYPE, "image label type is $SELINUX_DOMAIN_TYPE");
+    is($imagemcs, $origmcs, "image label mcs is $origmcs");
 
     is(selinux_get_file_context($disk), $imagelabel, "$disk label is $imagelabel");
 
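Review bot: The description on the new type check names the wrong variable: it compares against `$SELINUX_IMAGE_TYPE` but prints `$SELINUX_DOMAIN_TYPE`, so the test output would name `svirt_t` rather than the `svirt_image_t` actually being checked. It should read `is($imagetype, $SELINUX_IMAGE_TYPE, "image label type is $SELINUX_IMAGE_TYPE");`. The SKIP block this sits in starts and ends outside the hunk.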
-- 
1.8.5.3



