On 07/22/2013 07:06 AM, Osier Yang wrote:
> On 19/07/13 20:32, John Ferlan wrote:
>> Although they produce no seclabel data, add some tests for coverage of
>> various network and volume disk definitions
>> ---
>> tests/securityselinuxlabeldata/netdisks.txt | 5 +++
>> tests/securityselinuxlabeldata/netdisks.xml | 58
>> +++++++++++++++++++++++++++++
>> tests/securityselinuxlabeldata/voldisks.txt | 5 +++
>> tests/securityselinuxlabeldata/voldisks.xml | 45 ++++++++++++++++++++++
>> tests/securityselinuxlabeltest.c | 2 +
>> 5 files changed, 115 insertions(+)
>> create mode 100644 tests/securityselinuxlabeldata/netdisks.txt
>> create mode 100644 tests/securityselinuxlabeldata/netdisks.xml
>> create mode 100644 tests/securityselinuxlabeldata/voldisks.txt
>> create mode 100644 tests/securityselinuxlabeldata/voldisks.xml
>>
>> diff --git a/tests/securityselinuxlabeldata/netdisks.txt
>> b/tests/securityselinuxlabeldata/netdisks.txt
>> new file mode 100644
>> index 0000000..b6bf95f
>> --- /dev/null
>> +++ b/tests/securityselinuxlabeldata/netdisks.txt
>> @@ -0,0 +1,5 @@
>> +/nbd.raw;
>> +/iscsi.raw;
>> +/rbd.raw;
>> +/sheepdog.raw;
>> +/gluster.raw;
>> diff --git a/tests/securityselinuxlabeldata/netdisks.xml
>> b/tests/securityselinuxlabeldata/netdisks.xml
>> new file mode 100644
>> index 0000000..ab5e964
>> --- /dev/null
>> +++ b/tests/securityselinuxlabeldata/netdisks.xml
>> @@ -0,0 +1,58 @@
>> +<domain type='kvm'>
>> + <name>vm1</name>
>> + <uuid>c7b3edbd-edaf-9455-926a-d65c16db1800</uuid>
>> + <memory unit='KiB'>219200</memory>
>> + <os>
>> + <type arch='i686' machine='pc-1.0'>hvm</type>
>> + <boot dev='cdrom'/>
>> + </os>
>> + <devices>
>> + <disk type='network' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source protocol='nbd' file="/nbd.raw">
>> + <host name='example.org' port='6000'/>
>> + </source>
>> + <target dev='vda' bus='virtio'/>
>> + </disk>
>> + <disk type='network' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source protocol='iscsi' name='iqn.1992-01.com.example/1'
>> file="/iscsi.raw">
>
> i'm not clear with the security tests, but this xml looks incorrect.
> "file" is one
> way to represent the disk source, it's exclusive with other ways (e.g.
> protocol/name
> here) in semantics. similar for below. why do you use both "file" and
> other ways
> for disk source represention together?
>
Following syntax found in the following files tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-*.xml where '*' is {gluster, nbd, rbd, sheepdog, & iscsi} I can hold off pushing this patch if desired. The 'file' names are found in the 'netdisks.txt' file which are where the seclabels get listed for other tests. For the network types there are no seclabels.
John
>> + <host name='example.org' port='6000'/>
>> + </source>
>> + <target dev='vdb' bus='virtio'/>
>> + </disk>
>> + <disk type='network'>
>> + <driver name="qemu" type="raw"/>
>> + <source protocol="rbd" name="image_name2" file="/rbd.raw">
>> + <host name="hostname" port="7000"/>
>> + </source>
>> + <target dev="hdb" bus="ide"/>
>> + <auth username='myuser'>
>> + <secret type='ceph' usage='mypassid'/>
>> + </auth>
>> + </disk>
>> + <disk type='network'>
>> + <driver name="qemu" type="raw"/>
>> + <source protocol="sheepdog" name="image_name"
>> file="/sheepdog.raw">
>> + <host name="hostname" port="7000"/>
>> + </source>
>> + <target dev="hdb" bus="ide"/>
>> + </disk>
>> + <disk type='network' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source protocol='gluster' name='Volume/Image'
>> file='/gluster.raw'>
>> + <host name='example.org' port='6000' transport='tcp'/>
>> + </source>
>> + <target dev='vda' bus='virtio'/>
>> + </disk>
>> +
>> + <input type='mouse' bus='ps2'/>
>> + <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'>
>> + <listen type='address' address='0.0.0.0'/>
>> + </graphics>
>> + </devices>
>> + <seclabel model="selinux" type="dynamic" relabel="yes">
>> + <label>system_u:system_r:svirt_t:s0:c41,c264</label>
>> + <imagelabel>system_u:object_r:svirt_image_t:s0:c41,c264</imagelabel>
>> + </seclabel>
>> +</domain>
>> diff --git a/tests/securityselinuxlabeldata/voldisks.txt
>> b/tests/securityselinuxlabeldata/voldisks.txt
>> new file mode 100644
>> index 0000000..bd5d755
>> --- /dev/null
>> +++ b/tests/securityselinuxlabeldata/voldisks.txt
>> @@ -0,0 +1,5 @@
>> +/file.raw;
>> +/disk.raw;
>> +/host.raw;
>> +/direct.raw;
>> +/cdrom.raw;
>> diff --git a/tests/securityselinuxlabeldata/voldisks.xml
>> b/tests/securityselinuxlabeldata/voldisks.xml
>> new file mode 100644
>> index 0000000..ae7e629
>> --- /dev/null
>> +++ b/tests/securityselinuxlabeldata/voldisks.xml
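Review bot: Several disks in netdisks.xml reuse a target name: the nbd and gluster disks both use `dev='vda'`, and the rbd and sheepdog disks both use `dev="hdb"`. The same holds in voldisks.xml, where all five disks use `dev='hda'`. If domain parsing or validation ever rejects duplicate targets, these labeling tests would fail for a reason unrelated to SELinux labels. Giving each disk its own target (for example `vda`, `vdb`, `hda`, `hdb`, `vdc`) keeps the fixtures valid without changing what the label check covers.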
>> @@ -0,0 +1,45 @@
>> +<domain type='kvm'>
>> + <name>vm1</name>
>> + <uuid>c7b3edbd-edaf-9455-926a-d65c16db1800</uuid>
>> + <memory unit='KiB'>219200</memory>
>> + <os>
>> + <type arch='i686' machine='pc-1.0'>hvm</type>
>> + <boot dev='cdrom'/>
>> + </os>
>> + <devices>
>> + <disk type='volume' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source pool='dir-pool0' volume='dir-pool0-vol0'
>> file='/file.raw'/>
>> + <target dev='hda' bus='ide'/>
>> + </disk>
>> + <disk type='volume' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source pool='dir-pool0' volume='dir-pool0-vol0' mode='host'
>> file='/host.raw'/>
>> + <target dev='hda' bus='ide'/>
>> + </disk>
>> + <disk type='volume' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source pool='dir-pool0' volume='dir-pool0-vol0' mode='direct'
>> file='/direct.raw'/>
>> + <target dev='hda' bus='ide'/>
>> + </disk>
>> + <disk type='volume' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source pool='blk-pool0' volume='blk-pool0-vol0'
>> file='/plain.raw'/>
>> + <target dev='hda' bus='ide'/>
>> + </disk>
>> + <disk type='volume' device='cdrom'>
>> + <driver name='qemu' type='raw'/>
>> + <source pool='blk-pool0' volume='blk-pool0-vol1'
>> file='/cdrom.raw'/>
>> + <target dev='hda' bus='ide'/>
>> + <readonly/>
>> + </disk>
>> + <input type='mouse' bus='ps2'/>
>> + <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'>
>> + <listen type='address' address='0.0.0.0'/>
>> + </graphics>
>> + </devices>
>> + <seclabel model="selinux" type="dynamic" relabel="yes">
>> + <label>system_u:system_r:svirt_t:s0:c41,c264</label>
>> + <imagelabel>system_u:object_r:svirt_image_t:s0:c41,c264</imagelabel>
>> + </seclabel>
>> +</domain>
>> diff --git a/tests/securityselinuxlabeltest.c
>> b/tests/securityselinuxlabeltest.c
>> index efe825a..8c88cfd 100644
>> --- a/tests/securityselinuxlabeltest.c
>> +++ b/tests/securityselinuxlabeltest.c
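Review bot: The fourth volume disk in voldisks.xml (blk-pool0-vol0) uses `file='/plain.raw'`, but voldisks.txt lists `/disk.raw;` and has no `/plain.raw;` entry, so the expectation list and the domain XML do not name the same five paths. If the harness only creates and checks the paths listed in the .txt file (that code is not visible here), the blk-pool0-vol0 source is never checked for an unexpected label, and `/disk.raw` is checked although no disk refers to it. Aligning the two closes that gap in the no-label assertion: either change the source to `file='/disk.raw'` or change the list entry to `/plain.raw;`.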
>> @@ -332,6 +332,8 @@ mymain(void)
>>
>> setcon((security_context_t)"system_r:system_u:libvirtd_t:s0:c0.c1023");
>> DO_TEST_LABELING("disks");
>> + DO_TEST_LABELING("netdisks");
>> + DO_TEST_LABELING("voldisks");
>> DO_TEST_LABELING("kernel");
>> DO_TEST_LABELING("chardev");
>>
>
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list