Re: [PATCH v2] Add a test suite for validating SELinux labelling

On 09/21/2012 09:21 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
> 
> There are many aspects of the guest XML which result in the
> SELinux driver applying file labelling. With the increasing
> configuration options it is desirable to test this behaviour.
> It is not possible to assume that the test suite has the
> ability to set SELinux labels. Most filesystems though will
> support extended attributes. Thus for the purpose of testing,
> it is possible to extend the existing LD_PRELOAD hack to
> override setfilecon() and getfilecon() to simply use the
> 'user.libvirt.selinux' attribute for the sake of testing.
> 
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> 
> Changed in v2:
> 
>  - Remove stray debug line
>  - Uncomment VIR_FREE directive
>  - Add test for turning chardev relabelling on/off
>    that Rich just added support for
>  - Opencode the configure.ac check for libattr
> 

Failed syntax-check, but the fix is trivial (see below).  I'm not sure
if this needs a v3 (do I have Rich's patches yet?), or whether you can
figure out why 'make check' failed for me:

 1) Labelling "disks"
... libvir:  error : internal error File
/home/remote/eblake/libvirt/tests/securityselinuxlabeldata/nolabel.raw
context 'unconfined_u:object_r:user_home_t:s0' did not match epected
'(null)'
FAILED
 2) Labelling "kernel"                                                ... OK
 3) Labelling "chardev"
... libvir:  error : internal error File
/home/remote/eblake/libvirt/tests/securityselinuxlabeldata/nolabel.sock
context 'unconfined_u:object_r:user_home_t:s0' did not match epected
'(null)'
FAILED


> ---
>  .gitignore                                 |   1 +
>  configure.ac                               |  52 +++++
>  libvirt.spec.in                            |   1 +
>  tests/Makefile.am                          |  20 +-
>  tests/securityselinuxhelper.c              |  33 +++
>  tests/securityselinuxlabeldata/chardev.txt |   7 +
>  tests/securityselinuxlabeldata/chardev.xml |  47 ++++
>  tests/securityselinuxlabeldata/disks.txt   |   5 +
>  tests/securityselinuxlabeldata/disks.xml   |  52 +++++
>  tests/securityselinuxlabeldata/kernel.txt  |   2 +
>  tests/securityselinuxlabeldata/kernel.xml  |  20 ++
>  tests/securityselinuxlabeltest.c           | 340 +++++++++++++++++++++++++++++
>  12 files changed, 577 insertions(+), 3 deletions(-)
>  create mode 100644 tests/securityselinuxlabeldata/chardev.txt
>  create mode 100644 tests/securityselinuxlabeldata/chardev.xml
>  create mode 100644 tests/securityselinuxlabeldata/disks.txt
>  create mode 100644 tests/securityselinuxlabeldata/disks.xml
>  create mode 100644 tests/securityselinuxlabeldata/kernel.txt
>  create mode 100644 tests/securityselinuxlabeldata/kernel.xml
>  create mode 100644 tests/securityselinuxlabeltest.c

This doesn't touch main libvirt code, so it is safe for 0.10.2.

If we can get all these nits and test failures fixed, then I'd like to
see this go in.

> +++ b/configure.ac
> @@ -1398,6 +1398,53 @@ AM_CONDITIONAL([HAVE_AUDIT], [test "$with_audit" = "yes"])
>  AC_SUBST([AUDIT_CFLAGS])
>  AC_SUBST([AUDIT_LIBS])
>  
> +
> +
> +dnl Libattr library

Maybe comment that this is (currently) for testing purposes only.

> +AC_ARG_WITH([libattr],
> +  AC_HELP_STRING([--with-libattr], [use libattr library @<:@default=check@:>@]),

I think AS_HELP_STRING is better, but since we'll be refactoring this
soon, it's not a show-stopper.

> +
> +  if test "$with_libattr" = "yes" ; then
> +    LIBATTR_LIBS="$LIBATTR_LIBS -lattr"
> +    AC_DEFINE_UNQUOTED([WITH_LIBATTR], 1, [whether liblibattr is available])
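Review bot: the quoted lines append -lattr to LIBATTR_LIBS and define WITH_LIBATTR whenever $with_libattr is "yes", but the part of the hunk that resolves the advertised default of "check" into yes/no (the AC_CHECK_LIB/AC_CHECK_HEADER probing for libattr and its headers) is not in the quoted context; please confirm that an explicit --with-libattr=yes on a host without the library stops configure with AC_MSG_ERROR rather than silently adding -lattr and leaving the test link to fail later.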

s/liblibattr/libattr/

Somewhere, you need s/epected/expected/ based on my test failure listed
above.


Squash this in:

diff --git i/cfg.mk w/cfg.mk
index bbfd4a2..cb89934 100644
--- i/cfg.mk
+++ w/cfg.mk
@@ -771,7 +771,7 @@ exclude_file_name_regexp--sc_prohibit_asprintf = \

^(bootstrap.conf$$|src/util/util\.c$$|examples/domain-events/events-c/event-test\.c$$)

 exclude_file_name_regexp--sc_prohibit_close = \
-  (\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c)$$)
+
(\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c|tests/securityselinuxlabeltest\.c)$$)

 exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF = \
   (^tests/(qemuhelp|nodeinfo)data/|\.(gif|ico|png|diff)$$)
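Review bot: the sc_prohibit_close exemption for tests/securityselinuxlabeltest.c is wider than a test should need; unless the test really must call raw close() (for instance on an fd it hands to a helper that closes it), use VIR_CLOSE()/VIR_FORCE_CLOSE() in the test itself so no exemption is required, and if raw close() is unavoidable, add a one-line comment in the test saying why. Also, as pasted here the replacement line is wrapped after the "+" onto the following line, so the hunk will not apply with git am until the two pieces are rejoined.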
@@ -792,7 +792,7 @@ exclude_file_name_regexp--sc_prohibit_nonreentrant = \
   ^((po|tests)/|docs/.*py|run.in$$)

 exclude_file_name_regexp--sc_prohibit_raw_allocation = \
-  ^(src/util/memory\.[ch]|examples/.*)$$
+  ^(src/util/memory\.[ch]|examples/.*|tests/securityselinuxhelper\.c)$$

 exclude_file_name_regexp--sc_prohibit_readlink = \
   ^src/(util/util|lxc/lxc_container)\.c$$
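Review bot: the sc_prohibit_raw_allocation exemption for tests/securityselinuxhelper.c is justified only because the overridden getfilecon() has to hand back a buffer that libselinux callers release with freecon(), which is plain free(), so VIR_ALLOC/VIR_FREE cannot be used for that buffer; put that reason in a comment at the top of the helper so that a later cleanup does not "fix" it back to VIR_ALLOC and pair malloc-free'd memory with the wrong allocator.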


-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
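The LD_PRELOAD trick described in Daniel's commit message, written out as an added example; this is not the patch's tests/securityselinuxhelper.c, and the macro name FAKE_SELINUX_XATTR, the shim_selftest() routine, the /tmp path and the sample label are all my own choices. The libselinux headers are deliberately not included so the file builds on a host without libselinux; in a real shim the two prototypes must match libselinux's (security_context_t is a char *). The self-test shows the behaviour the test suite above depends on: an unlabelled file comes back as a NULL context with ENODATA, which is what the "expected '(null)'" checks for nolabel.raw and nolabel.sock are looking for.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

/* Extended attribute that stands in for the SELinux label under test.
 * Only user.* attributes can be set by an unprivileged test process. */
#define FAKE_SELINUX_XATTR "user.libvirt.selinux"

/* Drop-in for libselinux setfilecon(): record the label as a user xattr
 * instead of asking the kernel's SELinux LSM to relabel the inode.
 * Same contract as the original: 0 on success, -1 with errno on failure. */
int setfilecon(const char *path, const char *con)
{
    if (!path || !con) {
        errno = EINVAL;
        return -1;
    }
    return setxattr(path, FAKE_SELINUX_XATTR, con, strlen(con), 0);
}

/* Drop-in for libselinux getfilecon(): read the label back.
 * On success *con is a NUL-terminated malloc'd string; libselinux callers
 * release it with freecon(), which is free(), so it must come from malloc.
 * An unlabelled file yields *con == NULL, -1 and errno == ENODATA; that is
 * the "(null)" a test expects for a file that must stay unlabelled. */
int getfilecon(const char *path, char **con)
{
    ssize_t len;

    *con = NULL;
    len = getxattr(path, FAKE_SELINUX_XATTR, NULL, 0);   /* size probe */
    if (len < 0)
        return -1;
    *con = malloc((size_t)len + 1);
    if (!*con)
        return -1;
    len = getxattr(path, FAKE_SELINUX_XATTR, *con, (size_t)len);
    if (len < 0) {       /* ERANGE if the label grew between the two calls */
        free(*con);
        *con = NULL;
        return -1;
    }
    (*con)[len] = '\0';
    return 0;
}

/* Exercise the shim on a throwaway file in /tmp (hypothetical self-test,
 * not part of the libvirt test suite). Returns 0 when an unlabelled file
 * reports ENODATA and a label round-trips unchanged, 2 when the filesystem
 * does not support user xattrs (ENOTSUP), -1 on any other failure. */
int shim_selftest(void)
{
    char path[] = "/tmp/selinux-shim-XXXXXX";
    /* Constructed sample label in the svirt category style. */
    const char *label = "system_u:object_r:svirt_image_t:s0:c12,c34";
    char *got = NULL;
    int rc = -1;
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    close(fd);

    /* 1. Unlabelled file: must report "no label", never a stale string. */
    if (getfilecon(path, &got) != -1 || got != NULL)
        goto out;
    if (errno == ENOTSUP) {
        rc = 2;
        goto out;
    }
    if (errno != ENODATA)
        goto out;

    /* 2. Label it and read the label back. */
    if (setfilecon(path, label) < 0) {
        rc = (errno == ENOTSUP) ? 2 : -1;
        goto out;
    }
    if (getfilecon(path, &got) < 0)
        goto out;
    rc = (strcmp(got, label) == 0) ? 0 : -1;

out:
    free(got);
    unlink(path);
    return rc;
}
```

To use it the way the patch does, build it as a shared object (`gcc -shared -fPIC -o shim.so shim.c`) and run the test binary with `LD_PRELOAD=./shim.so`; because the symbols are resolved before libselinux's, the driver under test never touches the real security context of the checked-out tree. The ENOTSUP branch matters on filesystems that reject user xattrs (some tmpfs and network mounts): a test harness should skip there rather than report a spurious labelling failure.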

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
