On 22/07/13 23:40, John Ferlan wrote:
On 07/22/2013 07:06 AM, Osier Yang wrote:
> On 19/07/13 20:32, John Ferlan wrote:
>> Although they produce no seclabel data, add some tests for coverage of
>> various network and volume disk definitions
>> ---
>> tests/securityselinuxlabeldata/netdisks.txt | 5 +++
>> tests/securityselinuxlabeldata/netdisks.xml | 58
>> +++++++++++++++++++++++++++++
>> tests/securityselinuxlabeldata/voldisks.txt | 5 +++
>> tests/securityselinuxlabeldata/voldisks.xml | 45 ++++++++++++++++++++++
>> tests/securityselinuxlabeltest.c | 2 +
>> 5 files changed, 115 insertions(+)
>> create mode 100644 tests/securityselinuxlabeldata/netdisks.txt
>> create mode 100644 tests/securityselinuxlabeldata/netdisks.xml
>> create mode 100644 tests/securityselinuxlabeldata/voldisks.txt
>> create mode 100644 tests/securityselinuxlabeldata/voldisks.xml
>>
>> diff --git a/tests/securityselinuxlabeldata/netdisks.txt
>> b/tests/securityselinuxlabeldata/netdisks.txt
>> new file mode 100644
>> index 0000000..b6bf95f
>> --- /dev/null
>> +++ b/tests/securityselinuxlabeldata/netdisks.txt
>> @@ -0,0 +1,5 @@
>> +/nbd.raw;
>> +/iscsi.raw;
>> +/rbd.raw;
>> +/sheepdog.raw;
>> +/gluster.raw;
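Review bot: every entry here is `path;` with nothing after the separator, so this fixture only asserts that the five paths receive no label; the paths are the `file=` values of `type='network'` sources, and that attribute is not part of the network disk source in the schema quoted later in this thread, so the security driver never sees these paths through the disk definition at all. If the goal is coverage of the network protocols, either the expected-label list should not name paths the XML cannot reach, or the XML needs a source representation the parser honours.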
>> diff --git a/tests/securityselinuxlabeldata/netdisks.xml
>> b/tests/securityselinuxlabeldata/netdisks.xml
>> new file mode 100644
>> index 0000000..ab5e964
>> --- /dev/null
>> +++ b/tests/securityselinuxlabeldata/netdisks.xml
>> @@ -0,0 +1,58 @@
>> +<domain type='kvm'>
>> + <name>vm1</name>
>> + <uuid>c7b3edbd-edaf-9455-926a-d65c16db1800</uuid>
>> + <memory unit='KiB'>219200</memory>
>> + <os>
>> + <type arch='i686' machine='pc-1.0'>hvm</type>
>> + <boot dev='cdrom'/>
>> + </os>
>> + <devices>
>> + <disk type='network' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source protocol='nbd' file="/nbd.raw">
>> + <host name='example.org' port='6000'/>
>> + </source>
>> + <target dev='vda' bus='virtio'/>
>> + </disk>
>> + <disk type='network' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source protocol='iscsi'
name='iqn.1992-01.com.example/1'
>> file="/iscsi.raw">
> I'm not clear with the security tests, but this XML looks incorrect. "file" is one
> way to represent the disk source; it's exclusive with other ways (e.g. protocol/name
> here) in semantics. Similar for below. Why do you use both "file" and other ways
> for disk source representation together?
>
Following the syntax found in the following files:
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-*.xml
where '*' is {gluster, nbd, rbd, sheepdog, & iscsi}.
I can hold off pushing this patch if desired.
I believe you will need a further patch to fix it if it's pushed. :\
The 'file' names are found in the 'netdisks.txt' file, which is where
the seclabels get listed for other tests. For the network types there
are no seclabels.
These still don't answer my question: the (file="$file") and other representation
ways conflict in semantics, though XML parsing could report no error,
since one of the ways (e.g. "file") is ignored when parsing.
See the disk source RNG schema:
<group>
  <attribute name="type">
    <value>file</value>
  </attribute>
  <interleave>
    <optional>
      <element name="source">
        <optional>
          <attribute name="file">
            <ref name="absFilePath"/>
          </attribute>
        </optional>
        <optional>
          <ref name="startupPolicy"/>
        </optional>
        <optional>
          <ref name='devSeclabel'/>
        </optional>
      </element>
    </optional>
    <ref name="diskspec"/>
  </interleave>
</group>
<group>
  <attribute name="type">
    <value>block</value>
  </attribute>
  <interleave>
    <optional>
      <element name="source">
        <attribute name="dev">
          <ref name="absFilePath"/>
        </attribute>
        <optional>
          <ref name='devSeclabel'/>
        </optional>
      </element>
    </optional>
    <ref name="diskspec"/>
  </interleave>
</group>
<group>
  <attribute name="type">
    <value>dir</value>
  </attribute>
  <interleave>
    <optional>
      <element name="source">
        <attribute name="dir">
          <ref name="absFilePath"/>
        </attribute>
        <empty/>
      </element>
    </optional>
    <ref name="diskspec"/>
  </interleave>
</group>
<group>
  <attribute name="type">
    <value>network</value>
  </attribute>
  <interleave>
    <optional>
      <element name="source">
        <ref name='diskSourceNetwork'/>
      </element>
    </optional>
    <ref name="diskspec"/>
  </interleave>
</group>
<group>
  <attribute name="type">
    <value>volume</value>
  </attribute>
  <interleave>
    <optional>
      <element name="source">
        <attribute name="pool">
          <ref name="genericName"/>
        </attribute>
        <attribute name="volume">
          <ref name="volName"/>
        </attribute>
        <optional>
          <ref name="startupPolicy"/>
        </optional>
        <optional>
          <ref name='devSeclabel'/>
        </optional>
      </element>
    </optional>
    <ref name="diskspec"/>
  </interleave>
</group>
This patch is not that important for the feature, so I think it can be
delayed until there is a right solution.
John
>> + <host name='example.org' port='6000'/>
>> + </source>
>> + <target dev='vdb' bus='virtio'/>
>> + </disk>
>> + <disk type='network'>
>> + <driver name="qemu" type="raw"/>
>> + <source protocol="rbd" name="image_name2"
file="/rbd.raw">
>> + <host name="hostname" port="7000"/>
>> + </source>
>> + <target dev="hdb" bus="ide"/>
>> + <auth username='myuser'>
>> + <secret type='ceph' usage='mypassid'/>
>> + </auth>
>> + </disk>
>> + <disk type='network'>
>> + <driver name="qemu" type="raw"/>
>> + <source protocol="sheepdog" name="image_name"
>> file="/sheepdog.raw">
>> + <host name="hostname" port="7000"/>
>> + </source>
>> + <target dev="hdb" bus="ide"/>
>> + </disk>
>> + <disk type='network' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source protocol='gluster' name='Volume/Image'
>> file='/gluster.raw'>
>> + <host name='example.org' port='6000'
transport='tcp'/>
>> + </source>
>> + <target dev='vda' bus='virtio'/>
>> + </disk>
>> +
>> + <input type='mouse' bus='ps2'/>
>> + <graphics type='vnc' port='-1' autoport='yes'
listen='0.0.0.0'>
>> + <listen type='address' address='0.0.0.0'/>
>> + </graphics>
>> + </devices>
>> + <seclabel model="selinux" type="dynamic"
relabel="yes">
>> + <label>system_u:system_r:svirt_t:s0:c41,c264</label>
>> +
<imagelabel>system_u:object_r:svirt_image_t:s0:c41,c264</imagelabel>
>> + </seclabel>
>> +</domain>
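Review bot: the `file=` attribute on each `type='network'` <source> (nbd, iscsi, rbd, sheepdog and gluster) is not part of the network disk source group in the schema quoted in this thread, so the parser ignores it and /nbd.raw and friends are never tied to a disk; drop `file=` and let the fixture show that network disks yield no labels. Separately, target devices repeat within the one domain: 'vda' is used by both the nbd disk and the gluster disk, and 'hdb' by both the rbd and sheepdog disks; give each disk a distinct dev so the fixture is a definition a guest could actually have.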
>> diff --git a/tests/securityselinuxlabeldata/voldisks.txt
>> b/tests/securityselinuxlabeldata/voldisks.txt
>> new file mode 100644
>> index 0000000..bd5d755
>> --- /dev/null
>> +++ b/tests/securityselinuxlabeldata/voldisks.txt
>> @@ -0,0 +1,5 @@
>> +/file.raw;
>> +/disk.raw;
>> +/host.raw;
>> +/direct.raw;
>> +/cdrom.raw;
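Review bot: this list does not match the XML it is paired with. `/disk.raw` is listed here but no disk in voldisks.xml refers to it, while the blk-pool0-vol0 disk in voldisks.xml carries `file='/plain.raw'`, which is absent here. Reconcile the two sides before relying on the fixture; as it stands one listed path is never defined and one defined path is never checked.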
>> diff --git a/tests/securityselinuxlabeldata/voldisks.xml
>> b/tests/securityselinuxlabeldata/voldisks.xml
>> new file mode 100644
>> index 0000000..ae7e629
>> --- /dev/null
>> +++ b/tests/securityselinuxlabeldata/voldisks.xml
>> @@ -0,0 +1,45 @@
>> +<domain type='kvm'>
>> + <name>vm1</name>
>> + <uuid>c7b3edbd-edaf-9455-926a-d65c16db1800</uuid>
>> + <memory unit='KiB'>219200</memory>
>> + <os>
>> + <type arch='i686' machine='pc-1.0'>hvm</type>
>> + <boot dev='cdrom'/>
>> + </os>
>> + <devices>
>> + <disk type='volume' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source pool='dir-pool0' volume='dir-pool0-vol0'
>> file='/file.raw'/>
>> + <target dev='hda' bus='ide'/>
>> + </disk>
>> + <disk type='volume' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source pool='dir-pool0' volume='dir-pool0-vol0'
mode='host'
>> file='/host.raw'/>
>> + <target dev='hda' bus='ide'/>
>> + </disk>
>> + <disk type='volume' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source pool='dir-pool0' volume='dir-pool0-vol0'
mode='direct'
>> file='/direct.raw'/>
>> + <target dev='hda' bus='ide'/>
>> + </disk>
>> + <disk type='volume' device='disk'>
>> + <driver name='qemu' type='raw'/>
>> + <source pool='blk-pool0' volume='blk-pool0-vol0'
>> file='/plain.raw'/>
>> + <target dev='hda' bus='ide'/>
>> + </disk>
>> + <disk type='volume' device='cdrom'>
>> + <driver name='qemu' type='raw'/>
>> + <source pool='blk-pool0' volume='blk-pool0-vol1'
>> file='/cdrom.raw'/>
>> + <target dev='hda' bus='ide'/>
>> + <readonly/>
>> + </disk>
>> + <input type='mouse' bus='ps2'/>
>> + <graphics type='vnc' port='-1' autoport='yes'
listen='0.0.0.0'>
>> + <listen type='address' address='0.0.0.0'/>
>> + </graphics>
>> + </devices>
>> + <seclabel model="selinux" type="dynamic"
relabel="yes">
>> + <label>system_u:system_r:svirt_t:s0:c41,c264</label>
>> +
<imagelabel>system_u:object_r:svirt_image_t:s0:c41,c264</imagelabel>
>> + </seclabel>
>> +</domain>
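Review bot: all five disks share `target dev='hda'`, which no valid domain definition has; use a distinct target for each. As with the network fixture, `file=` on a `type='volume'` <source> is outside the volume group of the schema quoted in this thread (pool, volume, startupPolicy and a <seclabel> child only), so the paths the expected-label file names are never reached through the disk definition; either drop `file=` here or use a representation the parser honours.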
>> diff --git a/tests/securityselinuxlabeltest.c
>> b/tests/securityselinuxlabeltest.c
>> index efe825a..8c88cfd 100644
>> --- a/tests/securityselinuxlabeltest.c
>> +++ b/tests/securityselinuxlabeltest.c
>> @@ -332,6 +332,8 @@ mymain(void)
>>
>>
setcon((security_context_t)"system_r:system_u:libvirtd_t:s0:c0.c1023");
>> DO_TEST_LABELING("disks");
>> + DO_TEST_LABELING("netdisks");
>> + DO_TEST_LABELING("voldisks");
>> DO_TEST_LABELING("kernel");
>> DO_TEST_LABELING("chardev");
>>
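Review bot: nothing to object to in the two added DO_TEST_LABELING lines themselves, but the unchanged setcon() line just above them passes `system_r:system_u:libvirtd_t:s0:c0.c1023`; an SELinux context is user:role:type:range, so the first two fields look swapped (`system_u:system_r:...`). That is pre-existing and unrelated to this patch, so a separate cleanup commit is the place for it.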
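As an added example (not code from this patch or from libvirt), the following Python checker applies the per-type <source> rules from the RNG groups quoted above to a domain document and reports exactly the mixing Osier describes, plus repeated target devs. The attribute sets are transcribed from the quoted schema; the 'network' entry is an assumption reduced to the protocol/name attributes the fixture XML uses, because the diskSourceNetwork definition itself is not quoted in the thread, and the `mode=` attribute the voldisks fixture uses is not in the quoted volume group, so this checker would flag it as well. The sample domain is constructed for the example, modelled on the patch's fixtures.

```python
"""Check that each libvirt <disk><source> uses only the representation its
disk type allows.  Added example for this thread, not libvirt code.  The
attribute sets are transcribed from the disk source RNG groups quoted in the
thread; the 'network' entry is an assumption (protocol/name only), since the
diskSourceNetwork definition is not quoted there."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# <source> attributes permitted per disk type (from the quoted schema groups).
SOURCE_ATTRS: Dict[str, Set[str]] = {
    "file": {"file", "startupPolicy"},
    "block": {"dev"},
    "dir": {"dir"},
    "network": {"protocol", "name"},  # assumed: protocol/name as used in the fixtures
    "volume": {"pool", "volume", "startupPolicy"},
}
# <source> attributes the quoted schema makes mandatory for the type.
REQUIRED_ATTRS: Dict[str, Set[str]] = {
    "block": {"dev"},
    "dir": {"dir"},
    "network": {"protocol"},
    "volume": {"pool", "volume"},
}


def check_disk_sources(domain_xml: str) -> List[str]:
    """Return one message per problem found; an empty list means clean."""
    root = ET.fromstring(domain_xml)
    problems: List[str] = []
    targets: Dict[str, int] = {}  # target dev -> index of the disk that claimed it
    for idx, disk in enumerate(root.iter("disk")):
        dtype = disk.get("type", "file")  # libvirt treats a missing type as 'file'
        where = "disk[%d] type=%s" % (idx, dtype)
        allowed = SOURCE_ATTRS.get(dtype)
        if allowed is None:
            problems.append("%s: unknown disk type" % where)
            continue
        src = disk.find("source")
        if src is not None:  # <source> is optional for every type in the schema
            attrs = set(src.attrib)
            extra = sorted(attrs - allowed)
            if extra:
                # This is the file= on a network/volume source the thread objects to:
                # another representation that the parser silently ignores.
                problems.append("%s: <source> attributes %s do not belong to this type"
                                % (where, extra))
            missing = sorted(REQUIRED_ATTRS.get(dtype, set()) - attrs)
            if missing:
                problems.append("%s: <source> is missing required %s" % (where, missing))
        tgt = disk.find("target")
        dev = tgt.get("dev") if tgt is not None else None
        if dev:
            if dev in targets:
                problems.append("%s: target dev '%s' already used by disk[%d]"
                                % (where, dev, targets[dev]))
            else:
                targets[dev] = idx
    return problems


# Constructed sample, modelled on the netdisks/voldisks fixtures in the patch:
# a network disk and a volume disk that both also carry file=, and a repeated target.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>vm1</name>
  <devices>
    <disk type='network' device='disk'>
      <driver name='qemu' type='raw'/>
      <source protocol='nbd' file='/nbd.raw'>
        <host name='example.org' port='6000'/>
      </source>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='volume' device='disk'>
      <driver name='qemu' type='raw'/>
      <source pool='dir-pool0' volume='dir-pool0-vol0' file='/file.raw'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/plain.raw'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
  </devices>
</domain>"""

# Constructed clean counterpart: one representation per disk, distinct targets.
CLEAN_DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <disk type='network' device='disk'>
      <source protocol='nbd'><host name='example.org' port='6000'/></source>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='volume' device='disk'>
      <source pool='dir-pool0' volume='dir-pool0-vol0'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
  </devices>
</domain>"""

if __name__ == "__main__":
    for msg in check_disk_sources(SAMPLE_DOMAIN_XML):
        print(msg)
```

Run against the patch's own netdisks.xml and voldisks.xml this reports the `file=` attribute on every network and volume disk and the repeated 'vda', 'hdb' and 'hda' targets; on the clean counterpart it reports nothing.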