On 09/21/2012 09:21 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
There are many aspects of the guest XML which result in the
SELinux driver applying file labelling. With the increasing
configuration options it is desirable to test this behaviour.
It is not possible to assume that the test suite has the
ability to set SELinux labels. Most filesystems though will
support extended attributes. Thus for the purpose of testing,
it is possible to extend the existing LD_PRELOAD hack to
override setfilecon() and getfilecon() to simply use the
'user.libvirt.selinux' attribute for the sake of testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
Changed in v2:
- Remove stray debug line
- Uncomment VIR_FREE directive
- Add test for turning chardev relabelling on/off
that Rich just added support for
- Opencode the configure.ac check for libattr
Failed syntax-check, but the fix is trivial (see below). I'm not sure
if this needs a v3 (do I have Rich's patches yet?), or whether you can
figure out why 'make check' failed for me:
1) Labelling "disks"
... libvir: error : internal error File
/home/remote/eblake/libvirt/tests/securityselinuxlabeldata/nolabel.raw
context 'unconfined_u:object_r:user_home_t:s0' did not match epected
'(null)'
FAILED
2) Labelling "kernel" ... OK
3) Labelling "chardev"
... libvir: error : internal error File
/home/remote/eblake/libvirt/tests/securityselinuxlabeldata/nolabel.sock
context 'unconfined_u:object_r:user_home_t:s0' did not match epected
'(null)'
FAILED
---
.gitignore | 1 +
configure.ac | 52 +++++
libvirt.spec.in | 1 +
tests/Makefile.am | 20 +-
tests/securityselinuxhelper.c | 33 +++
tests/securityselinuxlabeldata/chardev.txt | 7 +
tests/securityselinuxlabeldata/chardev.xml | 47 ++++
tests/securityselinuxlabeldata/disks.txt | 5 +
tests/securityselinuxlabeldata/disks.xml | 52 +++++
tests/securityselinuxlabeldata/kernel.txt | 2 +
tests/securityselinuxlabeldata/kernel.xml | 20 ++
tests/securityselinuxlabeltest.c | 340 +++++++++++++++++++++++++++++
12 files changed, 577 insertions(+), 3 deletions(-)
create mode 100644 tests/securityselinuxlabeldata/chardev.txt
create mode 100644 tests/securityselinuxlabeldata/chardev.xml
create mode 100644 tests/securityselinuxlabeldata/disks.txt
create mode 100644 tests/securityselinuxlabeldata/disks.xml
create mode 100644 tests/securityselinuxlabeldata/kernel.txt
create mode 100644 tests/securityselinuxlabeldata/kernel.xml
create mode 100644 tests/securityselinuxlabeltest.c
This doesn't touch main libvirt code, so it is safe for 0.10.2.
If we can get all these nits and test failures fixed, then I'd like to
see this go in.
+++ b/configure.ac
@@ -1398,6 +1398,53 @@ AM_CONDITIONAL([HAVE_AUDIT], [test "$with_audit" =
"yes"])
AC_SUBST([AUDIT_CFLAGS])
AC_SUBST([AUDIT_LIBS])
+
+
+dnl Libattr library
Maybe comment that this is (currently) for testing purposes only.
+AC_ARG_WITH([libattr],
+ AC_HELP_STRING([--with-libattr], [use libattr library @<:@default=check@:>@]),
I think AS_HELP_STRING is better, but since we'll be refactoring this
soon, it's not a show-stopper.
+
+ if test "$with_libattr" = "yes" ; then
+ LIBATTR_LIBS="$LIBATTR_LIBS -lattr"
+ AC_DEFINE_UNQUOTED([WITH_LIBATTR], 1, [whether liblibattr is available])
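Review bot: AC_DEFINE_UNQUOTED is used for WITH_LIBATTR with the literal value 1, and nothing in that value needs shell expansion, so plain AC_DEFINE([WITH_LIBATTR], 1, ...) says what is meant. The description string on the same line is also the only documentation of the macro that ends up in config.h, so it is worth having it say that the define currently only gates the SELinux labelling test.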
s/liblibattr/libattr/
Somewhere, you need s/epected/expected/ based on my test failure listed
above.
Squash this in:
diff --git i/cfg.mk w/cfg.mk
index bbfd4a2..cb89934 100644
--- i/cfg.mk
+++ w/cfg.mk
@@ -771,7 +771,7 @@ exclude_file_name_regexp--sc_prohibit_asprintf = \
^(bootstrap.conf$$|src/util/util\.c$$|examples/domain-events/events-c/event-test\.c$$)
exclude_file_name_regexp--sc_prohibit_close = \
- (\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c)$$)
+
(\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c|tests/securityselinuxlabeltest\.c)$$)
exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF = \
(^tests/(qemuhelp|nodeinfo)data/|\.(gif|ico|png|diff)$$)
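Review bot: the replacement line for exclude_file_name_regexp--sc_prohibit_close is split in two as posted, a bare "+" followed by the regexp on a line with no "+" prefix, so this hunk will not apply cleanly and, if it did, would put an empty line after the backslash continuation; it needs to be rejoined into a single "+" line before squashing. Separately, the two existing exemptions are library sources (src/util/virfile.c and src/libvirt.c), while the new tests/securityselinuxlabeltest.c entry carries no stated reason, so either a short comment on why the test needs raw close() or dropping the raw call from the test would keep the exemption list from growing unexplained.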
@@ -792,7 +792,7 @@ exclude_file_name_regexp--sc_prohibit_nonreentrant = \
^((po|tests)/|docs/.*py|run.in$$)
exclude_file_name_regexp--sc_prohibit_raw_allocation = \
- ^(src/util/memory\.[ch]|examples/.*)$$
+ ^(src/util/memory\.[ch]|examples/.*|tests/securityselinuxhelper\.c)$$
exclude_file_name_regexp--sc_prohibit_readlink = \
^src/(util/util|lxc/lxc_container)\.c$$
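Review bot: the new tests/securityselinuxhelper\.c alternative in exclude_file_name_regexp--sc_prohibit_raw_allocation has no recorded justification next to it. The commit message describes the helper as part of the LD_PRELOAD hack, which is presumably why it uses raw allocation, but that reasoning is not visible in cfg.mk; a one-line comment here or at the top of the helper would keep the exemption from being copied to other test files later.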
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
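
The override described in the commit message at the top of this mail, as an added example rather than the patch's own tests/securityselinuxhelper.c (which is not shown here). It assumes Linux and <sys/xattr.h>; the function signatures follow libselinux, and FAKE_LABEL_ATTR and fake_label_roundtrip() are hypothetical names introduced for the illustration.

```c
/* Added example: xattr-backed stand-ins for setfilecon()/getfilecon(). */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

#define FAKE_LABEL_ATTR "user.libvirt.selinux" /* name from the commit message */

/* Store the context, including its NUL, in the user-namespace xattr. */
int setfilecon(const char *path, const char *con)
{
    return setxattr(path, FAKE_LABEL_ATTR, con, strlen(con) + 1, 0);
}

/* Caller frees *con. Returns the stored length, or -1 with *con left NULL
 * (errno is ENODATA when the file was never labelled). */
int getfilecon(const char *path, char **con)
{
    ssize_t got, len = getxattr(path, FAKE_LABEL_ATTR, NULL, 0); /* size probe */
    char *buf;
    *con = NULL;
    if (len < 0 || !(buf = malloc((size_t)len + 1)))
        return -1;
    if ((got = getxattr(path, FAKE_LABEL_ATTR, buf, (size_t)len)) < 0) {
        free(buf);
        return -1;
    }
    buf[got] = '\0'; /* do not trust the stored bytes to be terminated */
    *con = buf;
    return (int)got;
}

/* Hypothetical self-check: 1 = round-trip ok, 0 = mismatch, -1 = cannot test. */
int fake_label_roundtrip(const char *path, const char *label)
{
    char *con = NULL;
    int rc = -1, fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (getfilecon(path, &con) >= 0)
        rc = 0; /* a file nobody labelled must not report a context */
    else if (errno == ENODATA && setfilecon(path, label) == 0)
        rc = getfilecon(path, &con) > 0 && strcmp(con, label) == 0;
    free(con);
    unlink(path);
    return rc;
}
```

Built with -shared -fPIC and listed in LD_PRELOAD, these definitions are resolved ahead of libselinux's, so the code under test reads and writes the xattr instead of a real SELinux label. The self-check returns -1 rather than failing on filesystems that do not support user extended attributes.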