On 09/20/2012 09:01 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
There are many aspects of the guest XML which result in the SELinux driver applying file labelling. With the increasing configuration options it is desirable to test this behaviour. It is not possible to assume that the test suite has the ability to set SELinux labels. Most filesystems though will support extended attributes. Thus for the purpose of testing, it is possible to extend the existing LD_PRELOAD hack to override setfilecon() and getfilecon() to simply use the 'user.libvirt.selinux' attribute for the sake of testing.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- .gitignore | 1 + configure.ac | 3 +
If you were to open-code the configure.ac changes, instead of trying to rely on the new m4/virt-lib.m4, then I'd feel better about taking this patch prior to 0.10.2, while we still hammer out the details of nicer configure.ac for later.
+++ b/m4/virt-libattr.m4 @@ -0,0 +1,9 @@ +dnl The libattr.so library
No copyright statement?
+ +AC_DEFUN([LIBVIRT_CHECK_LIBATTR],[ + LIBVIRT_CHECK_LIB([LIBATTR], [libattr], [attr], [getxattr], [attr/xattr.h]) +]) + +AC_DEFUN([LIBVIRT_RESULT_LIBATTR],[ + LIBVIRT_RESULT_LIB([LIBATTR], [libattr]) +]) + +int getfilecon(const char *path, security_context_t *con) +{ + char *constr = NULL; + ssize_t len = getxattr(path, "user.libvirt.selinux", + NULL, 0); + if (len < 0) + return -1; + if (!(constr = malloc(len+1)))
Any reason you can't use VIR_ALLOC_N here? But since it is an LD_PRELOAD wrapper, I guess it makes sense that you have to stick to low-level functionality.
--- /dev/null +++ b/tests/securityselinuxlabeltest.c @@ -0,0 +1,341 @@ +/* + * Copyright (C) 2011-2012 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * License along with this library; If not, see
Bogus copy-and-paste. I'll push the trivial fixes to tests/securityselinux*.c in the meantime.
+ } + + if (!(fp = fopen(path, "r"))) { + goto cleanup; + } + + while (!feof(fp)) { + char *line; + char *file, *context; + if (VIR_ALLOC_N(line, 1024) < 0) { + virReportOOMError(); + goto cleanup; + } + if (!fgets(line, 1024, fp)) {
Is readline() any easier to use than VIR_ALLOC_N/fgets()?
+static int +testSELinuxCreateDisks(testSELinuxFile *files, size_t nfiles) +{ + size_t i; + + if (virFileMakePath(abs_builddir "/securityselinuxlabeldata") < 0) + return -1; + + for (i = 0 ; i < nfiles ; i++) { + if (virFileTouch(files[i].file, 0600) < 0) + return -1; + //setfilecon(files[i].file, (security_context_t)"system_u:object_r:original_t:s0");
Leftover debugging? -- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org