The RNG for <seclabel> was too strict - if it was present, then it had to have sub-elements, even if those didn't make sense for the given attributes. Also, we didn't have any tests of <seclabel> parsing or XML output. In this patch, I added more parsing tests than output tests (since the output populates and/or reorders fields not present in certain inputs). Making the RNG reliable is a precursor to using <seclabel> variants in more places in the XML in later patches. See also: http://berrange.com/posts/2011/09/29/two-small-improvements-to-svirt-guest-configuration-flexibility-with-kvmlibvirt/ * docs/schemas/domaincommon.rng (seclabel): Tighten rules. * tests/qemuxml2argvtest.c (mymain): New tests. * tests/qemuxml2xmltest.c (mymain): Likewise. * tests/qemuxml2argvdata/qemuxml2argv-seclabel-*.*: New files. --- docs/schemas/domaincommon.rng | 88 ++++++++++++++------ .../qemuxml2argv-seclabel-dynamic-baselabel.args | 4 + .../qemuxml2argv-seclabel-dynamic-baselabel.xml | 28 ++++++ .../qemuxml2argv-seclabel-dynamic.args | 4 + .../qemuxml2argv-seclabel-dynamic.xml | 26 ++++++ .../qemuxml2argv-seclabel-static-relabel.args | 4 + .../qemuxml2argv-seclabel-static-relabel.xml | 29 +++++++ .../qemuxml2argv-seclabel-static.args | 4 + .../qemuxml2argv-seclabel-static.xml | 28 ++++++ tests/qemuxml2argvtest.c | 5 + tests/qemuxml2xmltest.c | 3 + 11 files changed, 199 insertions(+), 24 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args create mode 100644 
tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 553a6f0..dd76f91 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -50,30 +50,70 @@
 </define>
 <define name="seclabel">
 <element name="seclabel">
- <attribute name="model">
- <text/>
- </attribute>
- <attribute name="type">
- <choice>
- <value>dynamic</value>
- <value>static</value>
- </choice>
- </attribute>
- <attribute name="relabel">
- <choice>
- <value>yes</value>
- <value>no</value>
- </choice>
- </attribute>
- <element name="label">
- <text/>
- </element>
- <element name="imagelabel">
- <text/>
- </element>
- <element name="baselabel">
- <text/>
- </element>
+ <optional>
+ <attribute name='model'>
+ <text/>
+ </attribute>
+ </optional>
+ <choice>
+ <group>
+ <!-- with dynamic label (default), relabel must be yes, baselabel
+ is optional, and label and imagelabel are output-only -->
+ <optional>
+ <attribute name='type'>
+ <value>dynamic</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name='relabel'>
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <interleave>
+ <optional>
+ <element name='label'>
+ <text/>
+ </element>
+ </optional>
+ <optional>
+ <element name='imagelabel'>
+ <text/>
+ </element>
+ </optional>
+ <optional>
+ <element name='baselabel'>
+ <text/>
+ </element>
+ </optional>
+ </interleave>
+ </group>
+ <group>
+ <!-- with static label, relabel can be either format (default
+ no), label is required, imagelabel is output-only, and no
+ baselabel is present -->
+ <attribute name='type'>
+ <value>static</value>
+ </attribute>
+ <optional>
+ <attribute name='relabel'>
+ <choice>
+ <value>yes</value>
+ <value>no</value>
+ </choice>
+ </attribute>
+ </optional>
+ <interleave>
+ <element name='label'>
+ <text/>
+ </element>
+ <optional>
+ <element name='imagelabel'>
+ <text/>
+ </element>
+ </optional>
+ </interleave>
+ </group>
+ </choice>
 </element>
 </define>
 <define name="hvs">
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
new file mode 100644
index 0000000..651793d
--- /dev/null
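Review bot: In the dynamic `<group>`, `<label>` and `<imagelabel>` are accepted on input even though the comment calls them output-only, and because `type` is optional there, a `<seclabel>` that carries a `<label>` but no `type='static'` validates as a dynamic label. If the parser then discards the supplied label (not visible in this hunk), a guest the administrator meant to pin to a fixed label would run under a generated one without any schema error. Once that behaviour is confirmed, the comment should say so explicitly, for example `<!-- label and imagelabel are accepted here only so that libvirt's own output validates; to pin a label use type='static' -->`. The new attributes also use single quotes, while the surrounding context lines (`<define name="seclabel">`) use double quotes.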
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
new file mode 100644
index 0000000..fea0eb7
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219100</memory>
+ <currentMemory>219100</currentMemory>
+ <vcpu cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0' unit='0'/>
+ </disk>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='dynamic' model='selinux' relabel='yes'>
+ <baselabel>system_u:system_r:svirt_custom_t:s0</baselabel>
+ </seclabel>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
new file mode 100644
index 0000000..096c766
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
@@ -0,0 +1,26 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219100</memory>
+ <currentMemory>219100</currentMemory>
+ <vcpu cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0' unit='0'/>
+ </disk>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='dynamic' relabel='yes'/>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
new file mode 100644
index 0000000..3b2ad04
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
@@ -0,0 +1,29 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219100</memory>
+ <currentMemory>219100</currentMemory>
+ <vcpu cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0' unit='0'/>
+ </disk>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='static' model='selinux' relabel='yes'>
+ <label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+ <imagelabel>system_u:system_r:svirt_custom_t:s0:c192,c392</imagelabel>
+ </seclabel>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
new file mode 100644
index 0000000..416bd86
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219100</memory>
+ <currentMemory>219100</currentMemory>
+ <vcpu cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0' unit='0'/>
+ </disk>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='static' model='selinux' relabel='no'>
+ <label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+ </seclabel>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index e1221eb..18e8941 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -660,6 +660,11 @@ mymain(void) QEMU_CAPS_CHARDEV, QEMU_CAPS_MONITOR_JSON, QEMU_CAPS_NODEFCONFIG, QEMU_CAPS_NO_SHUTDOWN); + DO_TEST("seclabel-dynamic", false, QEMU_CAPS_NAME); + DO_TEST("seclabel-dynamic-baselabel", false, QEMU_CAPS_NAME); + DO_TEST("seclabel-static", false, QEMU_CAPS_NAME); + DO_TEST("seclabel-static-relabel", false, QEMU_CAPS_NAME); + free(driver.stateDir); virCapabilitiesFree(driver.caps); free(map);
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 35bfdce..e4b99c4 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
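Review bot: The four `DO_TEST("seclabel-…", false, QEMU_CAPS_NAME)` entries in the qemuxml2argvtest.c hunk only cover inputs that must be accepted; nothing in this commit exercises an input the tightened rules should reject, such as `type='static'` without a `<label>` or `type='dynamic'` with `relabel='no'`. All four expected `.args` files are the same blob (`651793d`), so these cases confirm that the XML is accepted, not that the label type or relabel setting was interpreted. None of the fixtures omits `type` or `relabel`, so the defaults the schema comments describe are untested as well. A comment above the group such as `/* seclabel does not change the command line; these only check that the XML is accepted */` would make that scope clear. `mymain` begins and ends outside the hunk.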
@@ -194,6 +194,9 @@ mymain(void) DO_TEST("usb-redir"); DO_TEST("blkdeviotune"); + DO_TEST("seclabel-dynamic-baselabel"); + DO_TEST("seclabel-static"); + /* These tests generate different XML */ DO_TEST_DIFFERENT("balloon-device-auto"); DO_TEST_DIFFERENT("channel-virtio-auto"); -- 1.7.7.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
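Review bot: Only `seclabel-dynamic-baselabel` and `seclabel-static` are round-tripped here, so the formatter output for `seclabel-dynamic` and `seclabel-static-relabel` is never compared against anything. The commit message explains that output populates or reorders fields, and the `DO_TEST_DIFFERENT` macro visible in the context lines looks like the existing way to handle that; using it for the two omitted inputs would presumably need expected-output files alongside them. At minimum a comment such as `/* seclabel-dynamic and seclabel-static-relabel are parse-only: their output differs from the input */` would record why they are absent. `mymain` begins and ends outside the hunk.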