
Re: [libvirt] [PATCH v2] Add a test suite for validating SELinux labelling



On 09/21/2012 09:21 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange redhat com>
> 
> There are many aspects of the guest XML which result in the
> SELinux driver applying file labelling. With the increasing
> configuration options it is desirable to test this behaviour.
> It is not possible to assume that the test suite has the
> ability to set SELinux labels. Most filesystems though will
> support extended attributes. Thus for the purpose of testing,
> it is possible to extend the existing LD_PRELOAD hack to
> override setfilecon() and getfilecon() to simply use the
> 'user.libvirt.selinux' attribute for the sake of testing.
> 
> Signed-off-by: Daniel P. Berrange <berrange redhat com>
> 
> Changed in v2:
> 
>  - Remove stray debug line
>  - Uncomment VIR_FREE directive
>  - Add test for turning chardev relabelling on/off
>    that Rich just added support for
>  - Opencode the configure.ac check for libattr
> 

Failed syntax-check, but the fix is trivial (see below).  I'm not sure
if this needs a v3 (do I have Rich's patches yet?), or whether you can
figure out why 'make check' failed for me:

 1) Labelling "disks"
... libvir:  error : internal error File
/home/remote/eblake/libvirt/tests/securityselinuxlabeldata/nolabel.raw
context 'unconfined_u:object_r:user_home_t:s0' did not match epected
'(null)'
FAILED
 2) Labelling "kernel"                                                ... OK
 3) Labelling "chardev"
... libvir:  error : internal error File
/home/remote/eblake/libvirt/tests/securityselinuxlabeldata/nolabel.sock
context 'unconfined_u:object_r:user_home_t:s0' did not match epected
'(null)'
FAILED


> ---
>  .gitignore                                 |   1 +
>  configure.ac                               |  52 +++++
>  libvirt.spec.in                            |   1 +
>  tests/Makefile.am                          |  20 +-
>  tests/securityselinuxhelper.c              |  33 +++
>  tests/securityselinuxlabeldata/chardev.txt |   7 +
>  tests/securityselinuxlabeldata/chardev.xml |  47 ++++
>  tests/securityselinuxlabeldata/disks.txt   |   5 +
>  tests/securityselinuxlabeldata/disks.xml   |  52 +++++
>  tests/securityselinuxlabeldata/kernel.txt  |   2 +
>  tests/securityselinuxlabeldata/kernel.xml  |  20 ++
>  tests/securityselinuxlabeltest.c           | 340 +++++++++++++++++++++++++++++
>  12 files changed, 577 insertions(+), 3 deletions(-)
>  create mode 100644 tests/securityselinuxlabeldata/chardev.txt
>  create mode 100644 tests/securityselinuxlabeldata/chardev.xml
>  create mode 100644 tests/securityselinuxlabeldata/disks.txt
>  create mode 100644 tests/securityselinuxlabeldata/disks.xml
>  create mode 100644 tests/securityselinuxlabeldata/kernel.txt
>  create mode 100644 tests/securityselinuxlabeldata/kernel.xml
>  create mode 100644 tests/securityselinuxlabeltest.c

This doesn't touch main libvirt code, so it is safe for 0.10.2.

If we can get all these nits and test failures fixed, then I'd like to
see this go in.

> +++ b/configure.ac
> @@ -1398,6 +1398,53 @@ AM_CONDITIONAL([HAVE_AUDIT], [test "$with_audit" = "yes"])
>  AC_SUBST([AUDIT_CFLAGS])
>  AC_SUBST([AUDIT_LIBS])
>  
> +
> +
> +dnl Libattr library

Maybe comment that this is (currently) for testing purposes only.

> +AC_ARG_WITH([libattr],
> +  AC_HELP_STRING([--with-libattr], [use libattr library @<:@default=check@:>@]),

I think AS_HELP_STRING is better, but since we'll be refactoring this
soon, it's not a show-stopper.

> +
> +  if test "$with_libattr" = "yes" ; then
> +    LIBATTR_LIBS="$LIBATTR_LIBS -lattr"
> +    AC_DEFINE_UNQUOTED([WITH_LIBATTR], 1, [whether liblibattr is available])
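
Review bot: AC_DEFINE_UNQUOTED in the `with_libattr = yes` branch is passed the literal 1, so there is nothing for the shell to expand; plain AC_DEFINE([WITH_LIBATTR], [1], ...) states the same thing. The two empty `+` lines ahead of `dnl Libattr library` can also be dropped, since the context already has a blank line after AC_SUBST([AUDIT_LIBS]).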

s/liblibattr/libattr/

Somewhere, you need s/epected/expected/ based on my test failure listed
above.


Squash this in:

diff --git i/cfg.mk w/cfg.mk
index bbfd4a2..cb89934 100644
--- i/cfg.mk
+++ w/cfg.mk
@@ -771,7 +771,7 @@ exclude_file_name_regexp--sc_prohibit_asprintf = \

^(bootstrap.conf$$|src/util/util\.c$$|examples/domain-events/events-c/event-test\.c$$)

 exclude_file_name_regexp--sc_prohibit_close = \
-  (\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c)$$)
+
(\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c|tests/securityselinuxlabeltest\.c)$$)

 exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF = \
   (^tests/(qemuhelp|nodeinfo)data/|\.(gif|ico|png|diff)$$)
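
Review bot: the new `tests/securityselinuxlabeltest\.c` entry in exclude_file_name_regexp--sc_prohibit_close exempts the whole test file from the close() check, so any raw close() added there later goes unflagged. Consider switching the test to the VIR_CLOSE/VIR_FORCE_CLOSE wrappers rather than widening the exemption. Separately, the `+` line is wrapped (a bare `+` followed by the regex on the next line), so this hunk will not apply as posted.
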
@@ -792,7 +792,7 @@ exclude_file_name_regexp--sc_prohibit_nonreentrant = \
   ^((po|tests)/|docs/.*py|run.in$$)

 exclude_file_name_regexp--sc_prohibit_raw_allocation = \
-  ^(src/util/memory\.[ch]|examples/.*)$$
+  ^(src/util/memory\.[ch]|examples/.*|tests/securityselinuxhelper\.c)$$

 exclude_file_name_regexp--sc_prohibit_readlink = \
   ^src/(util/util|lxc/lxc_container)\.c$$
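
Review bot: `tests/securityselinuxhelper\.c` is added to the sc_prohibit_raw_allocation exemption with no reason recorded. If the helper must use raw malloc because it is the LD_PRELOAD override and should not depend on libvirt's allocation wrappers, say so in a comment above the regex or in the commit message; otherwise use the wrappers and drop the exemption.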


-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
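
The approach described in the quoted commit message, as an added sketch that is not the patch's tests/securityselinuxhelper.c and not part of the original thread: setfilecon()/getfilecon() replacements that keep the label in the 'user.libvirt.selinux' attribute. It assumes Linux with glibc's <sys/xattr.h>; shim_roundtrip(), the /tmp path and the sample label are constructed here.

```c
/* Added sketch, not the patch's helper. Shim build: cc -shared -fPIC shim.c -o shim.so */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>  /* glibc wrappers (assumption; the patch probes libattr) */
#include <unistd.h>
#define FAKE_LABEL_ATTR "user.libvirt.selinux"  /* name from the commit message */

/* Same prototype as libselinux setfilecon(): keep the label in a user xattr. */
int setfilecon(const char *path, const char *con)
{
    return setxattr(path, FAKE_LABEL_ATTR, con, strlen(con), 0);
}

/* Same prototype as libselinux getfilecon(): label length plus a malloc'd
 * string, or -1 with errno set (ENODATA: the file was never labelled). */
int getfilecon(const char *path, char **con)
{
    ssize_t len = getxattr(path, FAKE_LABEL_ATTR, NULL, 0);  /* size probe */
    char *buf = len < 0 ? NULL : malloc(len + 1);
    *con = NULL;
    if (buf && (len = getxattr(path, FAKE_LABEL_ATTR, buf, len)) >= 0) {
        buf[len] = '\0';  /* xattr values carry no terminator */
        *con = buf;
        return (int)len;
    }
    free(buf);
    return -1;
}

/* Constructed self-check: 1 = round trip ok, 0 = mismatch, -1 = no user.* xattrs. */
int shim_roundtrip(void)
{
    const char *label = "system_u:object_r:svirt_image_t:s0:c1,c2";  /* constructed */
    char path[] = "/tmp/shimXXXXXX", *con = NULL;
    int fd = mkstemp(path), rc;
    if (fd < 0)
        return -1;
    close(fd);
    if (getfilecon(path, &con) >= 0 || errno != ENODATA)  /* fresh file: no label */
        rc = (!con && errno == ENOTSUP) ? -1 : 0;
    else if (setfilecon(path, label) < 0)
        rc = errno == ENOTSUP ? -1 : 0;
    else
        rc = getfilecon(path, &con) == (int)strlen(label) && !strcmp(con, label);
    free(con);
    unlink(path);
    return rc;
}
```

An unlabelled file comes back as -1/ENODATA with a NULL context here, which is the '(null)' case the nolabel.raw and nolabel.sock checks above expect.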
