On 09/21/2012 09:21 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
>
> There are many aspects of the guest XML which result in the
> SELinux driver applying file labelling. With the increasing
> configuration options it is desirable to test this behaviour.
> It is not possible to assume that the test suite has the
> ability to set SELinux labels. Most filesystems though will
> support extended attributes. Thus for the purpose of testing,
> it is possible to extend the existing LD_PRELOAD hack to
> override setfilecon() and getfilecon() to simply use the
> 'user.libvirt.selinux' attribute for the sake of testing.
>
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
>
> Changed in v2:
>
> - Remove stray debug line
> - Uncomment VIR_FREE directive
> - Add test for turning chardev relabelling on/off
>   that Rich just added support for
> - Opencode the configure.ac check for libattr
>

Failed syntax-check, but the fix is trivial (see below). I'm not sure if this needs a v3 (do I have Rich's patches yet?), or whether you can figure out why 'make check' failed for me:

1) Labelling "disks" ... libvir: error : internal error File /home/remote/eblake/libvirt/tests/securityselinuxlabeldata/nolabel.raw context 'unconfined_u:object_r:user_home_t:s0' did not match epected '(null)' FAILED
2) Labelling "kernel" ... OK
3) Labelling "chardev" ... libvir: error : internal error File /home/remote/eblake/libvirt/tests/securityselinuxlabeldata/nolabel.sock context 'unconfined_u:object_r:user_home_t:s0' did not match epected '(null)' FAILED

> ---
> .gitignore | 1 +
> configure.ac | 52 +++++
> libvirt.spec.in | 1 +
> tests/Makefile.am | 20 +-
> tests/securityselinuxhelper.c | 33 +++
> tests/securityselinuxlabeldata/chardev.txt | 7 +
> tests/securityselinuxlabeldata/chardev.xml | 47 ++++
> tests/securityselinuxlabeldata/disks.txt | 5 +
> tests/securityselinuxlabeldata/disks.xml | 52 +++++
> tests/securityselinuxlabeldata/kernel.txt | 2 +
> tests/securityselinuxlabeldata/kernel.xml | 20 ++
> tests/securityselinuxlabeltest.c | 340 +++++++++++++++++++++++++++++
> 12 files changed, 577 insertions(+), 3 deletions(-)
> create mode 100644 tests/securityselinuxlabeldata/chardev.txt
> create mode 100644 tests/securityselinuxlabeldata/chardev.xml
> create mode 100644 tests/securityselinuxlabeldata/disks.txt
> create mode 100644 tests/securityselinuxlabeldata/disks.xml
> create mode 100644 tests/securityselinuxlabeldata/kernel.txt
> create mode 100644 tests/securityselinuxlabeldata/kernel.xml
> create mode 100644 tests/securityselinuxlabeltest.c

This doesn't touch main libvirt code, so it is safe for
0.10.2. If we can get all these nits and test failures fixed, then I'd like to see this go in. > +++ b/configure.ac > @@ -1398,6 +1398,53 @@ AM_CONDITIONAL([HAVE_AUDIT], [test "$with_audit" = "yes"]) > AC_SUBST([AUDIT_CFLAGS]) > AC_SUBST([AUDIT_LIBS]) > > + > + > +dnl Libattr library Maybe comment that this is (currently) for testing purposes only. > +AC_ARG_WITH([libattr], > + AC_HELP_STRING([--with-libattr], [use libattr library @<:@default=check@:>@]), I think AS_HELP_STRING is better, but since we'll be refactoring this soon, it's not a show-stopper. > + > + if test "$with_libattr" = "yes" ; then > + LIBATTR_LIBS="$LIBATTR_LIBS -lattr" > + AC_DEFINE_UNQUOTED([WITH_LIBATTR], 1, [whether liblibattr is available]) s/liblibattr/libattr/ Somewhere, you need s/epected/expected/ based on my test failure listed above. Squash this in: diff --git i/cfg.mk w/cfg.mk index bbfd4a2..cb89934 100644 --- i/cfg.mk +++ w/cfg.mk @@ -771,7 +771,7 @@ exclude_file_name_regexp--sc_prohibit_asprintf = \ ^(bootstrap.conf$$|src/util/util\.c$$|examples/domain-events/events-c/event-test\.c$$) exclude_file_name_regexp--sc_prohibit_close = \ - (\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c)$$) + (\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c|tests/securityselinuxlabeltest\.c)$$) exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF = \ (^tests/(qemuhelp|nodeinfo)data/|\.(gif|ico|png|diff)$$) @@ -792,7 +792,7 @@ exclude_file_name_regexp--sc_prohibit_nonreentrant = \ ^((po|tests)/|docs/.*py|run.in$$) exclude_file_name_regexp--sc_prohibit_raw_allocation = \ - ^(src/util/memory\.[ch]|examples/.*)$$ + ^(src/util/memory\.[ch]|examples/.*|tests/securityselinuxhelper\.c)$$ exclude_file_name_regexp--sc_prohibit_readlink = \ ^src/(util/util|lxc/lxc_container)\.c$$ -- Eric Blake eblake@xxxxxxxxxx +1-919-301-3266 Libvirt virtualization library http://libvirt.org
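Review bot: In the quoted configure.ac hunk, `AC_DEFINE_UNQUOTED([WITH_LIBATTR], 1, ...)` defines a literal constant, so plain `AC_DEFINE` is sufficient; the `_UNQUOTED` form is only needed when the value contains shell expansions. The same hunk adds two blank lines after the existing blank line that follows `AC_SUBST([AUDIT_LIBS])`, leaving three consecutive blank lines before `dnl Libattr library`; one of the added lines can go.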
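Review bot: The `exclude_file_name_regexp--sc_prohibit_close` change in the first cfg.mk hunk exempts all of `tests/securityselinuxlabeltest\.c`, so any raw close() added to that test later also escapes the syntax check. If the test can use the VIR_CLOSE / VIR_FORCE_CLOSE wrappers the exemption is not needed at all; if it cannot, a short comment in cfg.mk saying why this one test needs raw close() would keep the exclusion list from looking arbitrary.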
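Review bot: The `exclude_file_name_regexp--sc_prohibit_raw_allocation` change in the second cfg.mk hunk adds `tests/securityselinuxhelper\.c` without recording the reason. The commit message says that file is the LD_PRELOAD override for setfilecon() and getfilecon(); a one-line comment above the exclusion stating that the preloaded helper has to hand back memory its caller releases outside libvirt's allocation macros would justify the exemption and stop it being copied to other test files.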
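The xattr-backed override described in the quoted commit message, as an added example; it is not part of this mail and is not libvirt's tests/securityselinuxhelper.c. `label_selftest()`, its scratch file name and the sample context string are constructed for illustration; built as a shared object and loaded through LD_PRELOAD, the two overrides would shadow the libselinux functions of the same name.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

#define LABEL_XATTR "user.libvirt.selinux"  /* attribute named in the commit message */

/* Stand-in for setfilecon(): keep the context string, NUL included, in a user xattr. */
int setfilecon(const char *path, const char *con)
{
    return setxattr(path, LABEL_XATTR, con, strlen(con) + 1, 0);
}

/* Stand-in for getfilecon(): stored size plus a malloc'd copy, or -1 with errno set. */
int getfilecon(const char *path, char **con)
{
    ssize_t len = getxattr(path, LABEL_XATTR, NULL, 0);  /* size probe */
    char *buf;
    *con = NULL;
    if (len < 0 || !(buf = malloc(len + 1)))
        return -1;                      /* ENODATA when the file was never labelled */
    if ((len = getxattr(path, LABEL_XATTR, buf, len)) < 0) {
        free(buf);
        return -1;
    }
    buf[len] = '\0';                    /* tolerate a value stored without its NUL */
    *con = buf;
    return (int)len;
}

/* Hypothetical self-check: 0 = label round-trips, 77 = no user xattrs here, 1 = bug. */
int label_selftest(void)
{
    const char *want = "system_u:object_r:svirt_image_t:s0:c1,c2";  /* constructed */
    char path[] = "./xattr-label-XXXXXX", *got = NULL;
    int fd = mkstemp(path), rc = 1;
    if (fd < 0)
        return 77;
    close(fd);
    /* A fresh file must read as unlabelled; a failing set means "skip". */
    if (getfilecon(path, &got) < 0 && setfilecon(path, want) < 0)
        rc = 77;
    else if (!got && getfilecon(path, &got) == (int)strlen(want) + 1 && !strcmp(got, want))
        rc = 0;
    free(got);
    unlink(path);
    return rc;
}
```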