Re: [PATCHv2 1/6] schema: rewrite seclabel rng to match code


 



On 2011年12月23日 08:47, Eric Blake wrote:
The RNG for <seclabel> was too strict - if it was present, then it
had to have sub-elements, even if those didn't make sense for the
given attributes.  Also, we didn't have any tests of <seclabel>
parsing or XML output.

In this patch, I added more parsing tests than output tests (since
the output populates and/or reorders fields not present in certain
inputs).  Making the RNG reliable is a precursor to using <seclabel>
variants in more places in the XML in later patches.

See also:
http://berrange.com/posts/2011/09/29/two-small-improvements-to-svirt-guest-configuration-flexibility-with-kvmlibvirt/

* docs/schemas/domaincommon.rng (seclabel): Tighten rules.
* tests/qemuxml2argvtest.c (mymain): New tests.
* tests/qemuxml2xmltest.c (mymain): Likewise.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*.*: New files.
---
  docs/schemas/domaincommon.rng                      |   88 ++++++++++++++------
  .../qemuxml2argv-seclabel-dynamic-baselabel.args   |    4 +
  .../qemuxml2argv-seclabel-dynamic-baselabel.xml    |   28 ++++++
  .../qemuxml2argv-seclabel-dynamic.args             |    4 +
  .../qemuxml2argv-seclabel-dynamic.xml              |   26 ++++++
  .../qemuxml2argv-seclabel-static-relabel.args      |    4 +
  .../qemuxml2argv-seclabel-static-relabel.xml       |   29 +++++++
  .../qemuxml2argv-seclabel-static.args              |    4 +
  .../qemuxml2argv-seclabel-static.xml               |   28 ++++++
  tests/qemuxml2argvtest.c                           |    5 +
  tests/qemuxml2xmltest.c                            |    3 +
  11 files changed, 199 insertions(+), 24 deletions(-)
  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml

diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 553a6f0..dd76f91 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -50,30 +50,70 @@
    </define>
    <define name="seclabel">
      <element name="seclabel">
-<attribute name="model">
-<text/>
-</attribute>
-<attribute name="type">
-<choice>
-<value>dynamic</value>
-<value>static</value>
-</choice>
-</attribute>
-<attribute name="relabel">
-<choice>
-<value>yes</value>
-<value>no</value>
-</choice>
-</attribute>
-<element name="label">
-<text/>
-</element>
-<element name="imagelabel">
-<text/>
-</element>
-<element name="baselabel">
-<text/>
-</element>
+<optional>
+<attribute name='model'>
+<text/>
+</attribute>
+</optional>
+<choice>
+<group>
+<!-- with dynamic label (default), relabel must be yes, baselabel
+               is optional, and label and imagelabel are output-only -->
+<optional>
+<attribute name='type'>
+<value>dynamic</value>
+</attribute>
+</optional>
+<optional>
+<attribute name='relabel'>
+<value>yes</value>
+</attribute>
+</optional>
+<interleave>
+<optional>
+<element name='label'>
+<text/>
+</element>
+</optional>
+<optional>
+<element name='imagelabel'>
+<text/>
+</element>
+</optional>
+<optional>
+<element name='baselabel'>
+<text/>
+</element>
+</optional>
+</interleave>
+</group>
+<group>
+<!-- with static label, relabel can be either format (default
+               no), label is required, imagelabel is output-only, and no
+               baselabel is present -->
+<attribute name='type'>
+<value>static</value>
+</attribute>
+<optional>
+<attribute name='relabel'>
+<choice>
+<value>yes</value>
+<value>no</value>
+</choice>
+</attribute>
+</optional>
+<interleave>
+<element name='label'>
+<text/>
+</element>
+<optional>
+<element name='imagelabel'>
+<text/>
+</element>
+</optional>
+</interleave>
+</group>
+</choice>
      </element>
    </define>
    <define name="hvs">
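Review bot: The dynamic `<group>` lets `label` and `imagelabel` appear on input even though its comment calls them output-only, and because `type` is optional there, a `<seclabel>` with no attributes and a hand-written `<label>` also validates. RELAX NG cannot tell input from output, so the guarantee that a caller-supplied label is not honoured for a dynamic guest has to come from the parser, which this hunk does not show. I would say so in the comment, e.g. `label and imagelabel are accepted only so that live XML round-trips; they must be ignored on input`. Separately, the static group requires `label` but its content is `<text/>`, which also matches the empty string, so `<label/>` passes the schema.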
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
new file mode 100644
index 0000000..fea0eb7
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory>219100</memory>
+<currentMemory>219100</currentMemory>
+<vcpu cpuset='1-4,8-20,525'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0' unit='0'/>
+</disk>
+<controller type='ide' index='0'/>
+<memballoon model='virtio'/>
+</devices>
+<seclabel type='dynamic' model='selinux' relabel='yes'>
+<baselabel>system_u:system_r:svirt_custom_t:s0</baselabel>
+</seclabel>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
new file mode 100644
index 0000000..096c766
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
@@ -0,0 +1,26 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory>219100</memory>
+<currentMemory>219100</currentMemory>
+<vcpu cpuset='1-4,8-20,525'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0' unit='0'/>
+</disk>
+<controller type='ide' index='0'/>
+<memballoon model='virtio'/>
+</devices>
+<seclabel type='dynamic' relabel='yes'/>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
new file mode 100644
index 0000000..3b2ad04
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
@@ -0,0 +1,29 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory>219100</memory>
+<currentMemory>219100</currentMemory>
+<vcpu cpuset='1-4,8-20,525'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0' unit='0'/>
+</disk>
+<controller type='ide' index='0'/>
+<memballoon model='virtio'/>
+</devices>
+<seclabel type='static' model='selinux' relabel='yes'>
+<label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+<imagelabel>system_u:system_r:svirt_custom_t:s0:c192,c392</imagelabel>
+</seclabel>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
new file mode 100644
index 0000000..416bd86
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory>219100</memory>
+<currentMemory>219100</currentMemory>
+<vcpu cpuset='1-4,8-20,525'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0' unit='0'/>
+</disk>
+<controller type='ide' index='0'/>
+<memballoon model='virtio'/>
+</devices>
+<seclabel type='static' model='selinux' relabel='no'>
+<label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+</seclabel>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index e1221eb..18e8941 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -660,6 +660,11 @@ mymain(void)
              QEMU_CAPS_CHARDEV, QEMU_CAPS_MONITOR_JSON, QEMU_CAPS_NODEFCONFIG,
              QEMU_CAPS_NO_SHUTDOWN);

+    DO_TEST("seclabel-dynamic", false, QEMU_CAPS_NAME);
+    DO_TEST("seclabel-dynamic-baselabel", false, QEMU_CAPS_NAME);
+    DO_TEST("seclabel-static", false, QEMU_CAPS_NAME);
+    DO_TEST("seclabel-static-relabel", false, QEMU_CAPS_NAME);
+
      free(driver.stateDir);
      virCapabilitiesFree(driver.caps);
      free(map);
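Review bot: The four added `DO_TEST("seclabel-…", false, QEMU_CAPS_NAME)` lines compare against .args fixtures that are byte-identical (all four carry blob index 651793d), so they show only that each `<seclabel>` form parses and leaves the qemu command line unchanged; they do not check that the label, baselabel or relabel value reached the domain definition. A short comment above the group would keep a later reader from assuming more coverage, e.g. `/* seclabel never changes argv; these only exercise the parser */`. All four are accepting cases, so if the parser does refuse the combinations the schema now excludes (`type='static'` with a `<baselabel>`, or without a `<label>`), nothing here pins that. `mymain` begins and ends outside this hunk.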
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 35bfdce..e4b99c4 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -194,6 +194,9 @@ mymain(void)
      DO_TEST("usb-redir");
      DO_TEST("blkdeviotune");

+    DO_TEST("seclabel-dynamic-baselabel");
+    DO_TEST("seclabel-static");
+
      /* These tests generate different XML */
      DO_TEST_DIFFERENT("balloon-device-auto");
      DO_TEST_DIFFERENT("channel-virtio-auto");
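Review bot: `seclabel-dynamic` and `seclabel-static-relabel` are missing from the round-trip list, presumably because, as the commit message says, the formatter populates or reorders fields for those inputs. That leaves the handling of an input `<imagelabel>` under `type='static'` unchecked on the output side. The file already uses `DO_TEST_DIFFERENT` a few lines below for inputs whose output differs; adding `DO_TEST_DIFFERENT("seclabel-static-relabel");` and `DO_TEST_DIFFERENT("seclabel-dynamic");` together with expected-output fixtures would pin the normalised form. `mymain` continues outside the hunk.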

ACK.
