Test it once with SELinux enabled and once with it disabled. Signed-off-by: Michael Chapman <mike@xxxxxxxxxxxxxxxxx> --- tests/Makefile.am | 4 +++ tests/viridentitytest.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 78 insertions(+), 1 deletion(-) diff --git a/tests/Makefile.am b/tests/Makefile.am index cd91734..acc9e26 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -779,6 +779,10 @@ virstoragetest_LDADD = $(LDADDS) viridentitytest_SOURCES = \ viridentitytest.c testutils.h testutils.c viridentitytest_LDADD = $(LDADDS) +if WITH_SELINUX +viridentitytest_DEPENDENCIES = libsecurityselinuxhelper.la \ + ../src/libvirt.la +endif WITH_SELINUX virkeycodetest_SOURCES = \ virkeycodetest.c testutils.h testutils.c diff --git a/tests/viridentitytest.c b/tests/viridentitytest.c index 814db4f..9fcdcd3 100644 --- a/tests/viridentitytest.c +++ b/tests/viridentitytest.c @@ -22,6 +22,10 @@ #include <stdlib.h> +#if WITH_SELINUX +# include <selinux/selinux.h> +#endif + #include "testutils.h" #include "viridentity.h" @@ -148,7 +152,7 @@ static int testIdentityEqual(const void *data ATTRIBUTE_UNUSED) goto cleanup; if (virIdentityIsEqual(identa, identb)) { - VIR_DEBUG("Mis-atched identities should not be equal"); + VIR_DEBUG("Mis-matched identities should not be equal"); goto cleanup; } @@ -159,17 +163,86 @@ cleanup: return ret; } +static int testIdentityGetSystem(const void *data) +{ + const char *context = data; + int ret = -1; + virIdentityPtr ident = NULL; + const char *val; + +#if !WITH_SELINUX + if (context) { + VIR_DEBUG("libvirt not compiled with SELinux, skipping this test"); + ret = EXIT_AM_SKIP; + goto cleanup; + } +#endif + + if (!(ident = virIdentityGetSystem())) { + VIR_DEBUG("Unable to get system identity"); + goto cleanup; + } + + if (virIdentityGetAttr(ident, + VIR_IDENTITY_ATTR_SELINUX_CONTEXT, + &val) < 0) + goto cleanup; + + if (STRNEQ_NULLABLE(val, context)) { + VIR_DEBUG("Unexpected SELinux context attribute"); + goto cleanup; + } + + ret = 0; +cleanup: + virObjectUnref(ident); + return ret; +} + +static int testSetFakeSELinuxContext(const void *data ATTRIBUTE_UNUSED) +{ +#if WITH_SELINUX + return setcon_raw((security_context_t)data); +#else + VIR_DEBUG("libvirt not compiled with SELinux, skipping this test"); + return EXIT_AM_SKIP; +#endif +} + +static int testDisableFakeSELinux(const void *data ATTRIBUTE_UNUSED) +{ +#if WITH_SELINUX + return security_disable(); +#else + VIR_DEBUG("libvirt not compiled with SELinux, skipping this test"); + return EXIT_AM_SKIP; +#endif +} + static int mymain(void) { + const char *context = "unconfined_u:unconfined_r:unconfined_t:s0"; int ret = 0; if (virtTestRun("Identity attributes ", testIdentityAttrs, NULL) < 0) ret = -1; if (virtTestRun("Identity equality ", testIdentityEqual, NULL) < 0) ret = -1; + if (virtTestRun("Setting fake SELinux context ", testSetFakeSELinuxContext, context) < 0) + ret = -1; + if (virtTestRun("System identity (fake SELinux enabled) ", testIdentityGetSystem, context) < 0) + ret = -1; + if (virtTestRun("Disabling fake SELinux ", testDisableFakeSELinux, NULL) < 0) + ret = -1; + if (virtTestRun("System identity (fake SELinux disabled) ", testIdentityGetSystem, NULL) < 0) + ret = -1; return ret==0 ? EXIT_SUCCESS : EXIT_FAILURE; } +#if WITH_SELINUX +VIRT_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/libsecurityselinuxhelper.so") +#else VIRT_TEST_MAIN(mymain) +#endif -- 1.8.5.3 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list