On Tue, Aug 2, 2022 at 7:16 PM Daniel Burgener <dburgener@xxxxxxxxxxxxxxxxxxx> wrote: > On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote: > > We want to allow the testsuite caller to be other than unconfined, so > > extract the user from current context and use it instead of hard-coding > > unconfined_u. > > > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx> > > --- > > tests/overlay/setup-overlay | 2 +- > > tests/overlay/test | 34 ++++++++++++++++------------------ > > 2 files changed, 17 insertions(+), 19 deletions(-) > > > > diff --git a/tests/overlay/setup-overlay b/tests/overlay/setup-overlay > > index 4fcd023..3f33499 100755 > > --- a/tests/overlay/setup-overlay > > +++ b/tests/overlay/setup-overlay > > @@ -41,7 +41,7 @@ setup () { > > > > # Create upper, work, and overlay directories per container. > > mkdir -p $BASEDIR/container1/upper $BASEDIR/container1/work $BASEDIR/container1/merged > > - chcon -R unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20 $BASEDIR/container1 > > + chcon -R -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1 > > > > # Label the container directories to match the container context. > > # This is simply to ensure correct label inheritance on new file > > diff --git a/tests/overlay/test b/tests/overlay/test > > index 2b28c47..c8367dd 100755 > > --- a/tests/overlay/test > > +++ b/tests/overlay/test 
> > @@ -5,6 +5,10 @@ BEGIN { > > $basedir = $0; > > $basedir =~ s|(.*)/[^/]*|$1|; > > > > + $seuser = `id -Z`; > > + chop($seuser); > > + $seuser =~ s|^(\w+):.*$|$1|; > > Is chop actually needed here? My perl is a little rusty, so there may > be some perl regex-y reason, but you're discarding everything after the > first ":" anyways. Yeah, it's actually not needed, but I'd rather leave it there to document that one needs to account for the line ending in the initial value. Otherwise people changing the regex in the future may get bitten by it. -- Ondrej Mosnacek Senior Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
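Review bot: In the tests/overlay/setup-overlay hunk, the new `chcon -R -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1` no longer sets the user field at all, so the resulting label depends on whatever user the directories created by the preceding `mkdir -p` already carry, while the commit message describes extracting the user from the current context and using it. A one-line comment above the `chcon` stating that the user and role are intentionally left as created would make that dependency explicit. Alternatively, pass the user with `-u` so this script follows the same approach as the `$seuser` derivation in tests/overlay/test.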
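Review bot: In the BEGIN block of tests/overlay/test, `chop($seuser);` removes the last character whatever it is, whereas `chomp($seuser);` removes only a trailing newline, which is what the line is meant to account for and is the safer choice if the `id -Z` output ever arrives without one. The result is also not validated: if `id -Z` prints nothing or the output does not match `^(\w+):.*$`, the substitution leaves `$seuser` as whatever the command printed, minus one character. Checking the return value of the `s|...|...|` and aborting with a clear message when it fails would surface that case at setup time instead of through a malformed context later.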