|
 |
e76f14 |
From fe88effca288d963c776880bf01b10f1c3579d67 Mon Sep 17 00:00:00 2001
|
|
|
e76f14 |
From: "Richard W.M. Jones" <rjones@redhat.com>
|
|
|
e76f14 |
Date: Thu, 14 Jul 2016 09:03:19 +0100
|
|
|
e76f14 |
Subject: [PATCH] tests: Add a test of the setfiles API.
|
|
|
e76f14 |
|
|
|
e76f14 |
(cherry picked from commit 6ec75f8cfe455493b46f1a3a5a00282359e588a5)
|
|
|
e76f14 |
---
|
|
|
e76f14 |
Makefile.am | 1 +
|
|
|
e76f14 |
configure.ac | 1 +
|
|
|
e76f14 |
tests/relabel/Makefile.am | 28 +++++++++
|
|
|
e76f14 |
tests/relabel/test-relabel.pl | 134 ++++++++++++++++++++++++++++++++++++++++++
|
|
|
e76f14 |
4 files changed, 164 insertions(+)
|
|
|
e76f14 |
create mode 100644 tests/relabel/Makefile.am
|
|
|
e76f14 |
create mode 100755 tests/relabel/test-relabel.pl
|
|
|
e76f14 |
|
|
|
e76f14 |
diff --git a/Makefile.am b/Makefile.am
|
|
|
e76f14 |
index 5be6876..ce20058 100644
|
|
|
e76f14 |
--- a/Makefile.am
|
|
|
e76f14 |
+++ b/Makefile.am
|
|
|
e76f14 |
@@ -65,6 +65,7 @@ SUBDIRS += tests/lvm
|
|
|
e76f14 |
SUBDIRS += tests/luks
|
|
|
e76f14 |
SUBDIRS += tests/md
|
|
|
e76f14 |
SUBDIRS += tests/selinux
|
|
|
e76f14 |
+SUBDIRS += tests/relabel
|
|
|
e76f14 |
SUBDIRS += tests/ntfsclone
|
|
|
e76f14 |
SUBDIRS += tests/btrfs
|
|
|
e76f14 |
SUBDIRS += tests/xfs
|
|
|
e76f14 |
diff --git a/configure.ac b/configure.ac
|
|
|
e76f14 |
index 0bff74f..c971f0d 100644
|
|
|
e76f14 |
--- a/configure.ac
|
|
|
e76f14 |
+++ b/configure.ac
|
|
|
e76f14 |
@@ -273,6 +273,7 @@ AC_CONFIG_FILES([Makefile
|
|
|
e76f14 |
tests/protocol/Makefile
|
|
|
e76f14 |
tests/qemu/Makefile
|
|
|
e76f14 |
tests/regressions/Makefile
|
|
|
e76f14 |
+ tests/relabel/Makefile
|
|
|
e76f14 |
tests/relative-paths/Makefile
|
|
|
e76f14 |
tests/rsync/Makefile
|
|
|
e76f14 |
tests/selinux/Makefile
|
|
|
e76f14 |
diff --git a/tests/relabel/Makefile.am b/tests/relabel/Makefile.am
|
|
|
e76f14 |
new file mode 100644
|
|
|
e76f14 |
index 0000000..3407bef
|
|
|
e76f14 |
--- /dev/null
|
|
|
e76f14 |
+++ b/tests/relabel/Makefile.am
|
|
|
e76f14 |
@@ -0,0 +1,28 @@
|
|
|
e76f14 |
+# libguestfs
|
|
|
e76f14 |
+# Copyright (C) 2016 Red Hat Inc.
|
|
|
e76f14 |
+#
|
|
|
e76f14 |
+# This program is free software; you can redistribute it and/or modify
|
|
|
e76f14 |
+# it under the terms of the GNU General Public License as published by
|
|
|
e76f14 |
+# the Free Software Foundation; either version 2 of the License, or
|
|
|
e76f14 |
+# (at your option) any later version.
|
|
|
e76f14 |
+#
|
|
|
e76f14 |
+# This program is distributed in the hope that it will be useful,
|
|
|
e76f14 |
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
e76f14 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
e76f14 |
+# GNU General Public License for more details.
|
|
|
e76f14 |
+#
|
|
|
e76f14 |
+# You should have received a copy of the GNU General Public License
|
|
|
e76f14 |
+# along with this program; if not, write to the Free Software
|
|
|
e76f14 |
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+# Test setfiles function.
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+include $(top_srcdir)/subdir-rules.mk
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+TESTS = \
|
|
|
e76f14 |
+ test-relabel.pl
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+TESTS_ENVIRONMENT = $(top_builddir)/run --test
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+EXTRA_DIST = \
|
|
|
e76f14 |
+ test-relabel.pl
|
|
|
e76f14 |
diff --git a/tests/relabel/test-relabel.pl b/tests/relabel/test-relabel.pl
|
|
|
e76f14 |
new file mode 100755
|
|
|
e76f14 |
index 0000000..744d1f5
|
|
|
e76f14 |
--- /dev/null
|
|
|
e76f14 |
+++ b/tests/relabel/test-relabel.pl
|
|
|
e76f14 |
@@ -0,0 +1,134 @@
|
|
|
e76f14 |
+#!/usr/bin/env perl
|
|
|
e76f14 |
+# Copyright (C) 2016 Red Hat Inc.
|
|
|
e76f14 |
+#
|
|
|
e76f14 |
+# This program is free software; you can redistribute it and/or modify
|
|
|
e76f14 |
+# it under the terms of the GNU General Public License as published by
|
|
|
e76f14 |
+# the Free Software Foundation; either version 2 of the License, or
|
|
|
e76f14 |
+# (at your option) any later version.
|
|
|
e76f14 |
+#
|
|
|
e76f14 |
+# This program is distributed in the hope that it will be useful,
|
|
|
e76f14 |
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
e76f14 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
e76f14 |
+# GNU General Public License for more details.
|
|
|
e76f14 |
+#
|
|
|
e76f14 |
+# You should have received a copy of the GNU General Public License
|
|
|
e76f14 |
+# along with this program; if not, write to the Free Software
|
|
|
e76f14 |
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+use strict;
|
|
|
e76f14 |
+use warnings;
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+use Sys::Guestfs;
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+my $prog = $0;
|
|
|
e76f14 |
+$prog =~ s{.*/}{};
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+# Because we parse error message strings below.
|
|
|
e76f14 |
+$ENV{LANG} = "C";
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+if ($ENV{"SKIP_TEST_RELABEL_PL"}) {
|
|
|
e76f14 |
+ print "$prog: test skipped because environment variable is set.\n";
|
|
|
e76f14 |
+ exit 77
|
|
|
e76f14 |
+}
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+# SELinux labelling won't work (and can be skipped) if SELinux isn't
|
|
|
e76f14 |
+# installed on the host.
|
|
|
e76f14 |
+if (! -f "/etc/selinux/config" || ! -x "/usr/sbin/load_policy") {
|
|
|
e76f14 |
+ print "$prog: test skipped because SELinux is not available.\n";
|
|
|
e76f14 |
+ exit 77
|
|
|
e76f14 |
+}
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+# Create a filesystem.
|
|
|
e76f14 |
+my $g = Sys::Guestfs->new ();
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+$g->add_drive_scratch (256*1024*1024);
|
|
|
e76f14 |
+$g->launch ();
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+# If Linux extended attrs aren't available then we cannot test this.
|
|
|
e76f14 |
+unless ($g->feature_available (["linuxxattrs"])) {
|
|
|
e76f14 |
+ print "$prog: test skipped because 'linuxxattrs' feature not available.\n";
|
|
|
e76f14 |
+ $g->close ();
|
|
|
e76f14 |
+ exit 77
|
|
|
e76f14 |
+}
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+$g->part_disk ("/dev/sda", "mbr");
|
|
|
e76f14 |
+$g->mkfs ("ext4", "/dev/sda1");
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+$g->mount_options ("user_xattr", "/dev/sda1", "/");
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+# Create some files and directories that we want to have relabelled.
|
|
|
e76f14 |
+$g->mkdir ("/bin");
|
|
|
e76f14 |
+$g->touch ("/bin/ls");
|
|
|
e76f14 |
+$g->mkdir ("/etc");
|
|
|
e76f14 |
+$g->mkdir ("/tmp");
|
|
|
e76f14 |
+$g->touch ("/tmp/test");
|
|
|
e76f14 |
+$g->mkdir ("/var");
|
|
|
e76f14 |
+$g->mkdir ("/var/log");
|
|
|
e76f14 |
+$g->touch ("/var/log/messages");
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+# Create a spec file.
|
|
|
e76f14 |
+# This doesn't test the optional file_type field. XXX
|
|
|
e76f14 |
+# See also file_contexts(5).
|
|
|
e76f14 |
+$g->write ("/etc/file_contexts", <<'EOF');
|
|
|
e76f14 |
+/.* system_u:object_r:default_t:s0
|
|
|
e76f14 |
+/bin/.* system_u:object_r:bin_t:s0
|
|
|
e76f14 |
+/etc/.* system_u:object_r:etc_t:s0
|
|
|
e76f14 |
+/etc/file_contexts <<none>>
|
|
|
e76f14 |
+/tmp/.* <<none>>
|
|
|
e76f14 |
+/var/.* system_u:object_r:var_t:s0
|
|
|
e76f14 |
+/var/log/.* system_u:object_r:var_log_t:s0
|
|
|
e76f14 |
+EOF
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+# Do the relabel.
|
|
|
e76f14 |
+$g->selinux_relabel ("/etc/file_contexts", "/", force => 1);
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+# Check the labels were set correctly.
|
|
|
e76f14 |
+my $errors = 0;
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+sub check_label
|
|
|
e76f14 |
+{
|
|
|
e76f14 |
+ my $file = shift;
|
|
|
e76f14 |
+ my $expected_label = shift;
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+ my $actual_label = $g->lgetxattr ($file, "security.selinux");
|
|
|
e76f14 |
+ # The label returned from lgetxattr has \0 appended.
|
|
|
e76f14 |
+ if ("$expected_label\0" ne $actual_label) {
|
|
|
e76f14 |
+ print STDERR "$prog: expected label on file $file: expected=$expected_label actual=$actual_label\n";
|
|
|
e76f14 |
+ $errors++;
|
|
|
e76f14 |
+ }
|
|
|
e76f14 |
+}
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+sub check_label_none
|
|
|
e76f14 |
+{
|
|
|
e76f14 |
+ my $file = shift;
|
|
|
e76f14 |
+ my $r;
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+ eval {
|
|
|
e76f14 |
+ $r = $g->lgetxattr ($file, "security.selinux");
|
|
|
e76f14 |
+ };
|
|
|
e76f14 |
+ if (defined $r) {
|
|
|
e76f14 |
+ print STDERR "$prog: expecting no label on file $file, but got $r\n";
|
|
|
e76f14 |
+ $errors++;
|
|
|
e76f14 |
+ } elsif ($@) {
|
|
|
e76f14 |
+ if ($@ !~ /No data available/) {
|
|
|
e76f14 |
+ print STDERR "$prog: expecting an error reading label from file $file, but got $@\n";
|
|
|
e76f14 |
+ $errors++;
|
|
|
e76f14 |
+ }
|
|
|
e76f14 |
+ }
|
|
|
e76f14 |
+}
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+check_label ("/bin", "system_u:object_r:default_t:s0");
|
|
|
e76f14 |
+check_label ("/bin/ls", "system_u:object_r:bin_t:s0");
|
|
|
e76f14 |
+check_label ("/etc", "system_u:object_r:default_t:s0");
|
|
|
e76f14 |
+check_label_none ("/etc/file_contexts");
|
|
|
e76f14 |
+check_label ("/tmp", "system_u:object_r:default_t:s0");
|
|
|
e76f14 |
+check_label_none ("/tmp/test");
|
|
|
e76f14 |
+check_label ("/var", "system_u:object_r:default_t:s0");
|
|
|
e76f14 |
+check_label ("/var/log", "system_u:object_r:var_t:s0");
|
|
|
e76f14 |
+check_label ("/var/log/messages", "system_u:object_r:var_log_t:s0");
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+# Finish up.
|
|
|
e76f14 |
+$g->shutdown ();
|
|
|
e76f14 |
+$g->close ();
|
|
|
e76f14 |
+
|
|
|
e76f14 |
+exit ($errors == 0 ? 0 : 1);
|
|
|
e76f14 |
--
|
|
|
7af31e |
1.8.3.1
|
|
|
e76f14 |
|