The current SELinux tests assume a context system_u:system_r
or system_u:object_r, which is not true if running against
a libvirtd from the source tree.
---
lib/Sys/Virt/TCK/SELinux.pm | 30 +++++++++++++++++++++++++++---
scripts/selinux/050-dynamic-relabel-yes.t | 10 ++++++----
scripts/selinux/055-dynamic-base-label.t | 10 ++++++----
scripts/selinux/100-static-relabel-no.t | 2 +-
scripts/selinux/110-static-relabel-yes.t | 11 +++++++----
5 files changed, 47 insertions(+), 16 deletions(-)
diff --git a/lib/Sys/Virt/TCK/SELinux.pm b/lib/Sys/Virt/TCK/SELinux.pm
index 9f7c0c1..c117fca 100644
--- a/lib/Sys/Virt/TCK/SELinux.pm
+++ b/lib/Sys/Virt/TCK/SELinux.pm
@@ -18,19 +18,43 @@ use warnings;
use base qw(Exporter);
use vars qw($SELINUX_GENERIC_CONTEXT $SELINUX_DOMAIN_CONTEXT
- $SELINUX_IMAGE_CONTEXT $SELINUX_OTHER_CONTEXT);
+ $SELINUX_IMAGE_CONTEXT $SELINUX_OTHER_CONTEXT
+ $SELINUX_GENERIC_TYPE $SELINUX_DOMAIN_TYPE
+ $SELINUX_IMAGE_TYPE $SELINUX_OTHER_TYPE);
our @EXPORT = qw(selinux_get_file_context
selinux_set_file_context
selinux_restore_file_context
+ selinux_get_type
+ selinux_get_mcs
$SELINUX_GENERIC_CONTEXT $SELINUX_DOMAIN_CONTEXT
- $SELINUX_IMAGE_CONTEXT $SELINUX_OTHER_CONTEXT);
+ $SELINUX_IMAGE_CONTEXT $SELINUX_OTHER_CONTEXT
+ $SELINUX_GENERIC_TYPE $SELINUX_DOMAIN_TYPE
+ $SELINUX_IMAGE_TYPE $SELINUX_OTHER_TYPE);
-$SELINUX_OTHER_CONTEXT = "system_u:object_r:virt_t:s0";
+$SELINUX_OTHER_TYPE = "svirt_tcg_t";
+$SELINUX_GENERIC_TYPE = "virt_image_t";
+$SELINUX_DOMAIN_TYPE = "svirt_t";
+$SELINUX_IMAGE_TYPE = "svirt_image_t";
+
+$SELINUX_OTHER_CONTEXT = "system_u:system_r:svirt_tcg_t:s0";
$SELINUX_GENERIC_CONTEXT = "system_u:object_r:virt_image_t:s0";
$SELINUX_DOMAIN_CONTEXT = "system_u:system_r:svirt_t:s0";
$SELINUX_IMAGE_CONTEXT = "system_u:object_r:svirt_image_t:s0";
+sub selinux_get_type {
+ my $context = shift;
+
+ my @bits = split /:/, $context;
+ return $bits[2];
+}
+
+sub selinux_get_mcs {
+ my $context = shift;
+
+ my @bits = split /:/, $context;
+ return $bits[4];
+}
sub selinux_get_file_context {
my $path = shift;
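Review bot: `selinux_get_mcs` returns `$bits[4]`, which is undef for a context that carries no category field, and the 050 and 055 tests then compare two such results with `is()`, which passes when both sides are undef. The sVirt MCS-isolation check can therefore pass for a guest and image that have no categories at all. Failing loudly in the helper, e.g. `die "no MCS categories in SELinux context '$context'\n" unless defined $bits[4];`, keeps those equality assertions meaningful. The unlimited `split /:/` also discards anything after a fifth colon, so a level range with categories on both ends would be truncated. Both new subs would benefit from a short comment stating the `user:role:type:level:categories` layout they assume.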
diff --git a/scripts/selinux/050-dynamic-relabel-yes.t
b/scripts/selinux/050-dynamic-relabel-yes.t
index 2fb6866..5a53b9d 100644
--- a/scripts/selinux/050-dynamic-relabel-yes.t
+++ b/scripts/selinux/050-dynamic-relabel-yes.t
@@ -64,12 +64,14 @@ SKIP: {
diag "domainlabel $domainlabel";
my $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
diag "imagelabel $imagelabel";
+ my $domaintype = selinux_get_type($domainlabel);
+ my $imagetype = selinux_get_type($imagelabel);
- is(index($domainlabel, $SELINUX_DOMAIN_CONTEXT), 0, "dynamic domain label prefix
is $SELINUX_DOMAIN_CONTEXT");
- is(index($imagelabel, $SELINUX_IMAGE_CONTEXT), 0, "dynamic image label prefix is
$SELINUX_IMAGE_CONTEXT");
+ is($domaintype, $SELINUX_DOMAIN_TYPE, "dynamic domain label type is
$SELINUX_DOMAIN_TYPE");
+ is($imagetype, $SELINUX_IMAGE_TYPE, "dynamic image label type is
$SELINUX_IMAGE_TYPE");
- my $domainmcs = substr $domainlabel, length($SELINUX_DOMAIN_CONTEXT);
- my $imagemcs = substr $imagelabel, length($SELINUX_IMAGE_CONTEXT);
+ my $domainmcs = selinux_get_mcs($domainlabel);
+ my $imagemcs = selinux_get_mcs($imagelabel);
is($domainmcs, $imagemcs, "Domain MCS $domainmcs == Image MCS $imagemcs");
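Review bot: The new type-only assertions no longer check the sensitivity level. The removed `index(...)` prefix checks covered `:s0` as part of `$SELINUX_DOMAIN_CONTEXT` and `$SELINUX_IMAGE_CONTEXT`, whereas `selinux_get_type` reads field 2 and `selinux_get_mcs` reads field 4, so field 3 is never compared. Dropping user and role matches the commit message, but if the level was not meant to go with them, an assertion such as `is((split /:/, $domainlabel)[3], (split /:/, $imagelabel)[3], "domain and image sensitivity match");` would restore it, with the test plan count adjusted to match. The same applies to the parallel hunk in 055-dynamic-base-label.t. The enclosing SKIP block starts and ends outside the hunk.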
diff --git a/scripts/selinux/055-dynamic-base-label.t
b/scripts/selinux/055-dynamic-base-label.t
index ba07c09..646c50d 100644
--- a/scripts/selinux/055-dynamic-base-label.t
+++ b/scripts/selinux/055-dynamic-base-label.t
@@ -64,12 +64,14 @@ SKIP: {
diag "domainlabel $domainlabel";
my $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
diag "imagelabel $imagelabel";
+ my $domaintype = selinux_get_type($domainlabel);
+ my $imagetype = selinux_get_type($imagelabel);
- is(index($domainlabel, $SELINUX_OTHER_CONTEXT), 0, "dynamic domain label prefix
is $SELINUX_OTHER_CONTEXT");
- is(index($imagelabel, $SELINUX_IMAGE_CONTEXT), 0, "dynamic image label prefix is
$SELINUX_IMAGE_CONTEXT");
+ is($domaintype, $SELINUX_OTHER_TYPE, "dynamic domain label type is
$SELINUX_OTHER_TYPE");
+ is($imagetype, $SELINUX_IMAGE_TYPE, "dynamic image label type is
$SELINUX_IMAGE_TYPE");
- my $domainmcs = substr $domainlabel, length($SELINUX_OTHER_CONTEXT);
- my $imagemcs = substr $imagelabel, length($SELINUX_IMAGE_CONTEXT);
+ my $domainmcs = selinux_get_mcs($domainlabel);
+ my $imagemcs = selinux_get_mcs($imagelabel);
is($domainmcs, $imagemcs, "Domain MCS $domainmcs == Image MCS $imagemcs");
diff --git a/scripts/selinux/100-static-relabel-no.t
b/scripts/selinux/100-static-relabel-no.t
index 36eae47..8d9fda8 100644
--- a/scripts/selinux/100-static-relabel-no.t
+++ b/scripts/selinux/100-static-relabel-no.t
@@ -51,8 +51,8 @@ SKIP: {
my $origdomainlabel = $SELINUX_DOMAIN_CONTEXT . $origmcs;
my $origimagelabel = $SELINUX_IMAGE_CONTEXT . $origmcs;
+ diag "Setting image '$disk' to '$origimagelabel'";
selinux_set_file_context($disk, $origimagelabel);
-
my $xml = $tck->generic_domain(name => "tck")
->seclabel(model => "selinux", type => "static", relabel
=> "no", label => $origdomainlabel)
->disk(src => $disk, dst => "vdb", type => "file")
diff --git a/scripts/selinux/110-static-relabel-yes.t
b/scripts/selinux/110-static-relabel-yes.t
index dc4e1ec..f558cc9 100644
--- a/scripts/selinux/110-static-relabel-yes.t
+++ b/scripts/selinux/110-static-relabel-yes.t
@@ -28,7 +28,7 @@ and files can be relabelled
use strict;
use warnings;
-use Test::More tests => 5;
+use Test::More tests => 6;
use Sys::Virt::TCK;
use Sys::Virt::TCK::SELinux;
@@ -48,8 +48,8 @@ SKIP: {
my $disk = $tck->create_sparse_disk("selinux", "tck", 50);
- my $origmcs = ":c1,c2";
- my $origdomainlabel = $SELINUX_DOMAIN_CONTEXT . $origmcs;
+ my $origmcs = "c1,c2";
+ my $origdomainlabel = $SELINUX_DOMAIN_CONTEXT . ":" . $origmcs;
my $origimagelabel = selinux_restore_file_context($disk);
my $xml = $tck->generic_domain(name => "tck")
@@ -66,9 +66,12 @@ SKIP: {
diag "domainlabel $domainlabel";
my $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
diag "imagelabel $imagelabel";
+ my $imagetype = selinux_get_type($imagelabel);
+ my $imagemcs = selinux_get_mcs($imagelabel);
is($origdomainlabel, $domainlabel, "static label is $domainlabel");
- is($imagelabel, $SELINUX_IMAGE_CONTEXT . $origmcs, "image label is
$SELINUX_DOMAIN_CONTEXT$origmcs");
+ is($imagetype, $SELINUX_IMAGE_TYPE, "image label type is
$SELINUX_DOMAIN_TYPE");
+ is($imagemcs, $origmcs, "image label mcs is $origmcs");
is(selinux_get_file_context($disk), $imagelabel, "$disk label is
$imagelabel");
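Review bot: The description of the new type assertion names the wrong constant: it compares `$imagetype` with `$SELINUX_IMAGE_TYPE` but reports "image label type is $SELINUX_DOMAIN_TYPE". The TAP output will therefore show svirt_t for a check that is really against svirt_image_t, which is misleading when triaging a labelling failure. It should read `is($imagetype, $SELINUX_IMAGE_TYPE, "image label type is $SELINUX_IMAGE_TYPE");`. The removed line had the same mismatch with `$SELINUX_DOMAIN_CONTEXT`, so this looks carried over rather than intended. The SKIP block continues outside the hunk.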
--
1.8.5.3