[libvirt] [PATCH v2] Add a test suite for validating SELinux labelling

Eric Blake eblake at redhat.com
Fri Sep 21 17:37:02 UTC 2012


On 09/21/2012 09:21 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
> 
> There are many aspects of the guest XML which result in the
> SELinux driver applying file labelling. With the increasing
> configuration options it is desirable to test this behaviour.
> It is not possible to assume that the test suite has the
> ability to set SELinux labels. Most filesystems though will
> support extended attributes. Thus for the purpose of testing,
> it is possible to extend the existing LD_PRELOAD hack to
> override setfilecon() and getfilecon() to simply use the
> 'user.libvirt.selinux' attribute for the sake of testing.
> 
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> 
> Changed in v2:
> 
>  - Remove stray debug line
>  - Uncomment VIR_FREE directive
>  - Add test for turning chardev relabelling on/off
>    that Rich just added support for
>  - Opencode the configure.ac check for libattr
> 

Failed syntax-check, but the fix is trivial (see below).  I'm not sure
if this needs a v3 (do I have Rich's patches yet?), or whether you can
figure out why 'make check' failed for me:

 1) Labelling "disks"
... libvir:  error : internal error File
/home/remote/eblake/libvirt/tests/securityselinuxlabeldata/nolabel.raw
context 'unconfined_u:object_r:user_home_t:s0' did not match epected
'(null)'
FAILED
 2) Labelling "kernel"                                                ... OK
 3) Labelling "chardev"
... libvir:  error : internal error File
/home/remote/eblake/libvirt/tests/securityselinuxlabeldata/nolabel.sock
context 'unconfined_u:object_r:user_home_t:s0' did not match epected
'(null)'
FAILED


> ---
>  .gitignore                                 |   1 +
>  configure.ac                               |  52 +++++
>  libvirt.spec.in                            |   1 +
>  tests/Makefile.am                          |  20 +-
>  tests/securityselinuxhelper.c              |  33 +++
>  tests/securityselinuxlabeldata/chardev.txt |   7 +
>  tests/securityselinuxlabeldata/chardev.xml |  47 ++++
>  tests/securityselinuxlabeldata/disks.txt   |   5 +
>  tests/securityselinuxlabeldata/disks.xml   |  52 +++++
>  tests/securityselinuxlabeldata/kernel.txt  |   2 +
>  tests/securityselinuxlabeldata/kernel.xml  |  20 ++
>  tests/securityselinuxlabeltest.c           | 340 +++++++++++++++++++++++++++++
>  12 files changed, 577 insertions(+), 3 deletions(-)
>  create mode 100644 tests/securityselinuxlabeldata/chardev.txt
>  create mode 100644 tests/securityselinuxlabeldata/chardev.xml
>  create mode 100644 tests/securityselinuxlabeldata/disks.txt
>  create mode 100644 tests/securityselinuxlabeldata/disks.xml
>  create mode 100644 tests/securityselinuxlabeldata/kernel.txt
>  create mode 100644 tests/securityselinuxlabeldata/kernel.xml
>  create mode 100644 tests/securityselinuxlabeltest.c

This doesn't touch main libvirt code, so it is safe for 0.10.2.

If we can get all these nits and test failures fixed, then I'd like to
see this go in.

> +++ b/configure.ac
> @@ -1398,6 +1398,53 @@ AM_CONDITIONAL([HAVE_AUDIT], [test "$with_audit" = "yes"])
>  AC_SUBST([AUDIT_CFLAGS])
>  AC_SUBST([AUDIT_LIBS])
>  
> +
> +
> +dnl Libattr library

Maybe comment that this is (currently) for testing purposes only.

> +AC_ARG_WITH([libattr],
> +  AC_HELP_STRING([--with-libattr], [use libattr library @<:@default=check@:>@]),

I think AS_HELP_STRING is better, but since we'll be refactoring this
soon, it's not a show-stopper.

> +
> +  if test "$with_libattr" = "yes" ; then
> +    LIBATTR_LIBS="$LIBATTR_LIBS -lattr"
> +    AC_DEFINE_UNQUOTED([WITH_LIBATTR], 1, [whether liblibattr is available])
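Review bot: the `if test "$with_libattr" = "yes"` test only fires when the value is literally yes, yet the help string advertises default=check; the part of this hunk that is not quoted here needs to turn check into yes or no (after the library/header probe) before this test, otherwise a default configure run never appends -lattr or defines WITH_LIBATTR. It is also worth pairing the AC_DEFINE_UNQUOTED with an AC_SUBST([LIBATTR_LIBS]) so tests/Makefile.am can pick the flag up; the quoted lines show only the define, and a literal 1 does not need the _UNQUOTED variant.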

s/liblibattr/libattr/

Somewhere, you need s/epected/expected/ based on my test failure listed
above.


Squash this in:

diff --git i/cfg.mk w/cfg.mk
index bbfd4a2..cb89934 100644
--- i/cfg.mk
+++ w/cfg.mk
@@ -771,7 +771,7 @@ exclude_file_name_regexp--sc_prohibit_asprintf = \

^(bootstrap.conf$$|src/util/util\.c$$|examples/domain-events/events-c/event-test\.c$$)

 exclude_file_name_regexp--sc_prohibit_close = \
-  (\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c)$$)
+
(\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c|tests/securityselinuxlabeltest\.c)$$)

 exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF = \
   (^tests/(qemuhelp|nodeinfo)data/|\.(gif|ico|png|diff)$$)
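Review bot: adding the whole of tests/securityselinuxlabeltest.c to the sc_prohibit_close exclusion exempts every close() in that file, not only the call that tripped syntax-check; unless the test has a reason to bypass the project's close wrappers, the smaller fix is to use them in the test and leave the exclusion list alone, so the exception does not grow with each new test. If the exclusion stays, the regexp has to be a single line in cfg.mk like the neighbouring exclude_file_name_regexp entries (the wrap in the quoted hunk looks like a mail or extraction artefact).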
@@ -792,7 +792,7 @@ exclude_file_name_regexp--sc_prohibit_nonreentrant = \
   ^((po|tests)/|docs/.*py|run.in$$)

 exclude_file_name_regexp--sc_prohibit_raw_allocation = \
-  ^(src/util/memory\.[ch]|examples/.*)$$
+  ^(src/util/memory\.[ch]|examples/.*|tests/securityselinuxhelper\.c)$$

 exclude_file_name_regexp--sc_prohibit_readlink = \
   ^src/(util/util|lxc/lxc_container)\.c$$
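Review bot: tests/securityselinuxhelper.c joins the sc_prohibit_raw_allocation exclusion without a note on why the helper needs raw malloc/free; if the reason is that an LD_PRELOAD shim replacing getfilecon() must hand back memory the caller releases through libselinux's own free path and so cannot depend on libvirt's allocation helpers, that rationale belongs in a comment next to the exclusion (or at the top of the helper), so a later syntax-check clean-up does not drop it and break the preload.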


-- 
Eric Blake   eblake at redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
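The mechanism the patch description relies on, an LD_PRELOAD shim that replaces libselinux's setfilecon()/getfilecon() with reads and writes of the 'user.libvirt.selinux' extended attribute, written out as an added example. This is not the patch's tests/securityselinuxhelper.c and not libvirt code: it assumes the glibc setxattr()/getxattr() calls from <sys/xattr.h>, the modern libselinux prototypes (char * rather than the older security_context_t typedef, so <selinux/selinux.h> is deliberately not included), and a constructed sample label. The self-test function, the SAMPLE_LABEL value and the /tmp path are illustration only. The point worth seeing is the unlabelled case: a file that has never been labelled has no xattr, so the shim returns -1 with the context set to NULL, which is exactly the '(null)' the test output above expects for nolabel.raw and nolabel.sock.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

/* Name of the user extended attribute that stands in for the SELinux
 * label; this is the attribute the patch description names. */
#define SELINUX_XATTR "user.libvirt.selinux"

/* Replacement for libselinux's setfilecon(): store CON verbatim in a
 * user xattr instead of security.selinux, so no SELinux policy or
 * privilege is needed.  Returns 0 on success, -1 with errno set. */
int setfilecon(const char *path, const char *con)
{
    if (!con) {
        errno = EINVAL;
        return -1;
    }
    return setxattr(path, SELINUX_XATTR, con, strlen(con), 0);
}

/* Replacement for libselinux's getfilecon(): read the label back into a
 * malloc'd string.  A file that has never been labelled has no xattr, so
 * getxattr() fails with ENODATA; mirror libselinux and return -1 with
 * *CON set to NULL, which the test suite prints as "(null)".
 * Returns the label length on success, -1 with errno set otherwise. */
int getfilecon(const char *path, char **con)
{
    *con = NULL;
    ssize_t len = getxattr(path, SELINUX_XATTR, NULL, 0);
    if (len < 0)
        return -1;
    char *buf = malloc((size_t)len + 1);
    if (!buf)
        return -1;
    ssize_t got = getxattr(path, SELINUX_XATTR, buf, (size_t)len);
    if (got < 0) {
        int saved = errno;
        free(buf);
        errno = saved;
        return -1;
    }
    buf[got] = '\0';
    *con = buf;
    return (int)got;
}

/* Replacement for libselinux's freecon(); pairs with the malloc above. */
void freecon(char *con)
{
    free(con);
}

/* Constructed sample label in the svirt form libvirt uses for images. */
#define SAMPLE_LABEL "system_u:object_r:svirt_image_t:s0:c123,c456"

/* Drive the shim against a fresh temporary file.  Returns:
 *    0  unlabelled file reads back as NULL, then a set label round-trips
 *    1  the filesystem under /tmp has no user.* xattr support (ENOTSUP)
 *   -1  the shim misbehaved */
int selinux_shim_selftest(void)
{
    char path[] = "/tmp/selinuxshimXXXXXX";   /* hypothetical scratch file */
    char *con = NULL;
    int rc = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);

    /* A file nobody has labelled must look unlabelled, not mislabelled. */
    if (getfilecon(path, &con) != -1 || con != NULL)
        goto done;
    if (errno == ENOTSUP) {
        rc = 1;
        goto done;
    }
    if (errno != ENODATA)
        goto done;

    if (setfilecon(path, SAMPLE_LABEL) < 0) {
        rc = (errno == ENOTSUP) ? 1 : -1;
        goto done;
    }
    if (getfilecon(path, &con) < 0 || con == NULL)
        goto done;
    rc = (strcmp(con, SAMPLE_LABEL) == 0) ? 0 : -1;

done:
    freecon(con);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = selinux_shim_selftest();
    printf("selftest: %s\n",
           rc == 0 ? "OK" : rc == 1 ? "SKIP (no user xattrs)" : "FAILED");
    return rc < 0;
}
```

Built as a shared object (gcc -fPIC -shared -o shim.so shim.c) and placed in LD_PRELOAD ahead of the test binary, the shim is resolved by the dynamic linker before libselinux's own symbols, so every setfilecon()/getfilecon() call that goes through the PLT lands here. A quick check when a run misbehaves: if the test reports a real context such as the user_home_t one in the failure output above, libselinux's getfilecon() was reached rather than the shim, and LD_DEBUG=bindings on the test binary shows which library each of the two symbols was bound to.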
