[libvirt] [PATCH 02/29] Add a test suite for validating SELinux labelling

Daniel P. Berrange berrange at redhat.com
Fri Sep 21 13:21:18 UTC 2012


On Thu, Sep 20, 2012 at 04:06:29PM -0600, Eric Blake wrote:
> On 09/20/2012 09:01 AM, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange at redhat.com>
> > 
> > There are many aspects of the guest XML which result in the
> > SELinux driver applying file labelling. With the increasing
> > configuration options it is desirable to test this behaviour.
> > It is not possible to assume that the test suite has the
> > ability to set SELinux labels. Most filesystems though will
> > support extended attributes. Thus for the purpose of testing,
> > it is possible to extend the existing LD_PRELOAD hack to
> > override setfilecon() and getfilecon() to simply use the
> > 'user.libvirt.selinux' attribute for the sake of testing.
> > 
> > Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> > ---
> >  .gitignore                                 |   1 +
> >  configure.ac                               |   3 +
> 
> If you were to open-code the configure.ac changes, instead of trying to
> rely on the new m4/virt-lib.m4, then I'd feel better about taking this
> patch prior to 0.10.2, while we still hammer out the details of nicer
> configure.ac for later.

Ok, will repost.

> > +
> > +int getfilecon(const char *path, security_context_t *con)
> > +{
> > +    char *constr = NULL;
> > +    ssize_t len = getxattr(path, "user.libvirt.selinux",
> > +                           NULL, 0);
> > +    if (len < 0)
> > +        return -1;
> > +    if (!(constr = malloc(len+1)))
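Review bot: the size probe `getxattr(path, "user.libvirt.selinux", NULL, 0)` followed by `malloc(len+1)` leaves a window in which the attribute can be rewritten with a longer value before the second read, so the read that follows should treat ERANGE as "re-probe and retry" rather than as a hard failure, and the buffer must be explicitly NUL-terminated at the length the second call returns, since xattr values carry no terminator. The `if (len < 0) return -1;` path passes getxattr()'s errno straight through; that is right for ENODATA (unlabelled file) but a filesystem without user xattrs will surface as ENOTSUP, which callers of the real getfilecon() would not expect, so a comment on that behaviour would help.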
> 
> Any reason you can't use VIR_ALLOC_N here?  But since it is an
> LD_PRELOAD wrapper, I guess it makes sense that you have to stick to
> low-level functionality.

Yep, wanted to avoid linking to libvirt.so in the preload wrapper.

> > +    }
> > +
> > +    if (!(fp = fopen(path, "r"))) {
> > +        goto cleanup;
> > +    }
> > +
> > +    while (!feof(fp)) {
> > +        char *line;
> > +        char *file, *context;
> > +        if (VIR_ALLOC_N(line, 1024) < 0) {
> > +            virReportOOMError();
> > +            goto cleanup;
> > +        }
> > +        if (!fgets(line, 1024, fp)) {
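Review bot: the `if (!(fp = fopen(path, "r")))` branch jumps to cleanup without calling virReportSystemError(errno, ...), so a missing or unreadable expected-labels file shows up as a silent test failure; report it before the goto. The `while (!feof(fp))` loop is the classic off-by-one: feof() only becomes true after fgets() has already failed, so the body runs one extra time; `while (fgets(line, 1024, fp))` avoids that. And because `VIR_ALLOC_N(line, 1024)` runs on every iteration, the fgets-failure branch that follows (cut off in this hunk) must free `line` before its `goto cleanup`, or each run of the test leaks a buffer on EOF.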
> 
> Is readline() any easier to use than VIR_ALLOC_N/fgets()?

Is readline() really what you meant? That function is for
prompting on stdio and reading a response.

> > +static int
> > +testSELinuxCreateDisks(testSELinuxFile *files, size_t nfiles)
> > +{
> > +    size_t i;
> > +
> > +    if (virFileMakePath(abs_builddir "/securityselinuxlabeldata") < 0)
> > +        return -1;
> > +
> > +    for (i = 0 ; i < nfiles ; i++) {
> > +        if (virFileTouch(files[i].file, 0600) < 0)
> > +            return -1;
> > +        //setfilecon(files[i].file, (security_context_t)"system_u:object_r:original_t:s0");
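Review bot: both failure returns in testSELinuxCreateDisks() (`virFileMakePath(...) < 0` and `virFileTouch(...) < 0`) hand back -1 without recording why, so unless those helpers report internally the harness will only show a generic failure; adding virReportSystemError(errno, ...) at each return makes a permissions or disk-full problem in the build directory diagnosable. The commented-out `//setfilecon(files[i].file, ...)` line should be deleted rather than shipped as dead code, and if the files are meant to start unlabelled that intent is better stated in a comment than in disabled code.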
> 
> Leftover debugging?

Oops, yes.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
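The commit message above describes the testing trick of overriding setfilecon() and getfilecon() so they store the label in the 'user.libvirt.selinux' extended attribute. The following is an added, stand-alone illustration of that idea and is not code from the libvirt patch or from this thread. The functions carry an xattr_ prefix here so the file links on its own (an LD_PRELOAD shim would use the libselinux names instead), the ERANGE retry loop and the NUL-termination are this example's own handling of the size-probe race rather than anything the patch does, and the label and temp-file paths are constructed sample values.

```c
/* Added example (not part of the libvirt patch): store a file's SELinux
 * label in a user extended attribute, as the commit message describes.
 * Functions are prefixed xattr_ so this file links stand-alone; an
 * LD_PRELOAD shim would name them getfilecon()/setfilecon() instead. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

#define LABEL_ATTR "user.libvirt.selinux"   /* attribute name from the commit message */

/* Store the label as the attribute value (no trailing NUL is stored). */
int xattr_setfilecon(const char *path, const char *con)
{
    return setxattr(path, LABEL_ATTR, con, strlen(con), 0);
}

/* Read the label back into a freshly malloc'd, NUL-terminated string.
 * xattr values carry no terminator and may be rewritten between the size
 * probe and the read, so re-probe on ERANGE until the buffer fits.
 * Returns 0 and sets *con on success, -1 with errno set otherwise. */
int xattr_getfilecon(const char *path, char **con)
{
    *con = NULL;
    for (;;) {
        ssize_t len = getxattr(path, LABEL_ATTR, NULL, 0);
        if (len < 0)
            return -1;                       /* ENODATA: never labelled */
        char *buf = malloc((size_t)len + 1);
        if (!buf)
            return -1;
        ssize_t got = getxattr(path, LABEL_ATTR, buf, (size_t)len);
        if (got >= 0) {
            buf[got] = '\0';                 /* terminate at the real length */
            *con = buf;
            return 0;
        }
        int saved = errno;
        free(buf);
        if (saved != ERANGE) {               /* ERANGE: value grew, retry */
            errno = saved;
            return -1;
        }
    }
}

/* Create an empty temp file (constructed path) for the checks below. */
static int make_temp_file(char *path)
{
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Round-trip a label through a temp file. Returns 0 when the label read
 * back equals the one written, 1 when the filesystem refuses user xattrs
 * (ENOTSUP/EPERM/ENOSYS, so the test is skipped), -1 on any other failure. */
int xattr_label_roundtrip(const char *label)
{
    char path[] = "/tmp/selinux-xattr-XXXXXX";   /* constructed template */
    if (make_temp_file(path) < 0)
        return -1;
    int rc = -1;
    if (xattr_setfilecon(path, label) < 0) {
        rc = (errno == ENOTSUP || errno == EPERM || errno == ENOSYS) ? 1 : -1;
    } else {
        char *con = NULL;
        if (xattr_getfilecon(path, &con) == 0) {
            rc = strcmp(con, label) == 0 ? 0 : -1;
            free(con);
        }
    }
    unlink(path);
    return rc;
}

/* A file that was never labelled: returns the errno the getter reports,
 * so callers can tell "no label" (ENODATA) from an I/O error. */
int xattr_unlabelled_errno(void)
{
    char path[] = "/tmp/selinux-xattr-XXXXXX";   /* constructed template */
    if (make_temp_file(path) < 0)
        return -1;
    char *con = NULL;
    int rc = xattr_getfilecon(path, &con);
    int err = rc < 0 ? errno : 0;
    free(con);
    unlink(path);
    return err;
}

int main(void)
{
    int rc = xattr_label_roundtrip("system_u:object_r:svirt_image_t:s0");
    printf("roundtrip: %s\n", rc == 0 ? "ok" : rc == 1 ? "xattrs unsupported" : "FAILED");
    printf("unlabelled file errno: %d\n", xattr_unlabelled_errno());
    return rc < 0;
}
```

Compile with `gcc -Wall -o xattr-label xattr-label.c` on a filesystem mounted with user xattr support; tmpfs and ext4 with user_xattr both work. The retry loop is the piece a preload shim most needs: without it, a concurrent relabel between the two getxattr() calls turns into a spurious failure in exactly the tests this suite is meant to exercise.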
