On 07/22/2013 07:06 AM, Osier Yang wrote:
On 19/07/13 20:32, John Ferlan wrote:
> Although they produce no seclabel data, add some tests for coverage of
> various network and volume disk definitions
> ---
> tests/securityselinuxlabeldata/netdisks.txt | 5 +++
> tests/securityselinuxlabeldata/netdisks.xml | 58
> +++++++++++++++++++++++++++++
> tests/securityselinuxlabeldata/voldisks.txt | 5 +++
> tests/securityselinuxlabeldata/voldisks.xml | 45 ++++++++++++++++++++++
> tests/securityselinuxlabeltest.c | 2 +
> 5 files changed, 115 insertions(+)
> create mode 100644 tests/securityselinuxlabeldata/netdisks.txt
> create mode 100644 tests/securityselinuxlabeldata/netdisks.xml
> create mode 100644 tests/securityselinuxlabeldata/voldisks.txt
> create mode 100644 tests/securityselinuxlabeldata/voldisks.xml
>
> diff --git a/tests/securityselinuxlabeldata/netdisks.txt
> b/tests/securityselinuxlabeldata/netdisks.txt
> new file mode 100644
> index 0000000..b6bf95f
> --- /dev/null
> +++ b/tests/securityselinuxlabeldata/netdisks.txt
> @@ -0,0 +1,5 @@
> +/nbd.raw;
> +/iscsi.raw;
> +/rbd.raw;
> +/sheepdog.raw;
> +/gluster.raw;
> diff --git a/tests/securityselinuxlabeldata/netdisks.xml
> b/tests/securityselinuxlabeldata/netdisks.xml
> new file mode 100644
> index 0000000..ab5e964
> --- /dev/null
> +++ b/tests/securityselinuxlabeldata/netdisks.xml
> @@ -0,0 +1,58 @@
> +<domain type='kvm'>
> + <name>vm1</name>
> + <uuid>c7b3edbd-edaf-9455-926a-d65c16db1800</uuid>
> + <memory unit='KiB'>219200</memory>
> + <os>
> + <type arch='i686' machine='pc-1.0'>hvm</type>
> + <boot dev='cdrom'/>
> + </os>
> + <devices>
> + <disk type='network' device='disk'>
> + <driver name='qemu' type='raw'/>
> + <source protocol='nbd' file="/nbd.raw">
> + <host name='example.org' port='6000'/>
> + </source>
> + <target dev='vda' bus='virtio'/>
> + </disk>
> + <disk type='network' device='disk'>
> + <driver name='qemu' type='raw'/>
> + <source protocol='iscsi' name='iqn.1992-01.com.example/1'
> file="/iscsi.raw">
I'm not clear with the security tests, but this XML looks incorrect. "file" is one way to represent the disk source; it's exclusive with other ways (e.g. protocol/name here) in semantics. Similar for below. Why do you use both "file" and other ways for disk source representation together?
Following the syntax found in the following files:
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-*.xml
where '*' is {gluster, nbd, rbd, sheepdog, & iscsi}

I can hold off pushing this patch if desired.

The 'file' names are found in the 'netdisks.txt' file, which is where the seclabels get listed for other tests. For the network types there are no seclabels.

John
> + <host name='example.org'
port='6000'/>
> + </source>
> + <target dev='vdb' bus='virtio'/>
> + </disk>
> + <disk type='network'>
> + <driver name="qemu" type="raw"/>
> + <source protocol="rbd" name="image_name2"
file="/rbd.raw">
> + <host name="hostname" port="7000"/>
> + </source>
> + <target dev="hdb" bus="ide"/>
> + <auth username='myuser'>
> + <secret type='ceph' usage='mypassid'/>
> + </auth>
> + </disk>
> + <disk type='network'>
> + <driver name="qemu" type="raw"/>
> + <source protocol="sheepdog" name="image_name"
> file="/sheepdog.raw">
> + <host name="hostname" port="7000"/>
> + </source>
> + <target dev="hdb" bus="ide"/>
> + </disk>
> + <disk type='network' device='disk'>
> + <driver name='qemu' type='raw'/>
> + <source protocol='gluster' name='Volume/Image'
> file='/gluster.raw'>
> + <host name='example.org' port='6000'
transport='tcp'/>
> + </source>
> + <target dev='vda' bus='virtio'/>
> + </disk>
> +
> + <input type='mouse' bus='ps2'/>
> + <graphics type='vnc' port='-1' autoport='yes'
listen='0.0.0.0'>
> + <listen type='address' address='0.0.0.0'/>
> + </graphics>
> + </devices>
> + <seclabel model="selinux" type="dynamic"
relabel="yes">
> + <label>system_u:system_r:svirt_t:s0:c41,c264</label>
> +
<imagelabel>system_u:object_r:svirt_image_t:s0:c41,c264</imagelabel>
> + </seclabel>
> +</domain>
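Review bot: two disks in this file share a target device name, which a real domain definition would reject: the nbd disk and the gluster disk both use `<target dev='vda' bus='virtio'/>`, and the rbd and sheepdog disks both use `<target dev="hdb" bus="ide"/>`. Give each disk a distinct target (vda, vdb, vdc, ... or hda, hdb, hdc, ...) so the fixture stays a valid domain XML. Separately, every `<source protocol=...>` element here also carries a `file=` attribute, which is the point Osier raised above: for `type='network'` the source is identified by protocol/name/host, so `file=` is not part of that representation; if the only reason it is present is to give `netdisks.txt` a path to key on, a comment in the commit message explaining that the harness relies on it would help the next reader.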
> diff --git a/tests/securityselinuxlabeldata/voldisks.txt
> b/tests/securityselinuxlabeldata/voldisks.txt
> new file mode 100644
> index 0000000..bd5d755
> --- /dev/null
> +++ b/tests/securityselinuxlabeldata/voldisks.txt
> @@ -0,0 +1,5 @@
> +/file.raw;
> +/disk.raw;
> +/host.raw;
> +/direct.raw;
> +/cdrom.raw;
> diff --git a/tests/securityselinuxlabeldata/voldisks.xml
> b/tests/securityselinuxlabeldata/voldisks.xml
> new file mode 100644
> index 0000000..ae7e629
> --- /dev/null
> +++ b/tests/securityselinuxlabeldata/voldisks.xml
> @@ -0,0 +1,45 @@
> +<domain type='kvm'>
> + <name>vm1</name>
> + <uuid>c7b3edbd-edaf-9455-926a-d65c16db1800</uuid>
> + <memory unit='KiB'>219200</memory>
> + <os>
> + <type arch='i686' machine='pc-1.0'>hvm</type>
> + <boot dev='cdrom'/>
> + </os>
> + <devices>
> + <disk type='volume' device='disk'>
> + <driver name='qemu' type='raw'/>
> + <source pool='dir-pool0' volume='dir-pool0-vol0'
> file='/file.raw'/>
> + <target dev='hda' bus='ide'/>
> + </disk>
> + <disk type='volume' device='disk'>
> + <driver name='qemu' type='raw'/>
> + <source pool='dir-pool0' volume='dir-pool0-vol0'
mode='host'
> file='/host.raw'/>
> + <target dev='hda' bus='ide'/>
> + </disk>
> + <disk type='volume' device='disk'>
> + <driver name='qemu' type='raw'/>
> + <source pool='dir-pool0' volume='dir-pool0-vol0'
mode='direct'
> file='/direct.raw'/>
> + <target dev='hda' bus='ide'/>
> + </disk>
> + <disk type='volume' device='disk'>
> + <driver name='qemu' type='raw'/>
> + <source pool='blk-pool0' volume='blk-pool0-vol0'
> file='/plain.raw'/>
> + <target dev='hda' bus='ide'/>
> + </disk>
> + <disk type='volume' device='cdrom'>
> + <driver name='qemu' type='raw'/>
> + <source pool='blk-pool0' volume='blk-pool0-vol1'
> file='/cdrom.raw'/>
> + <target dev='hda' bus='ide'/>
> + <readonly/>
> + </disk>
> + <input type='mouse' bus='ps2'/>
> + <graphics type='vnc' port='-1' autoport='yes'
listen='0.0.0.0'>
> + <listen type='address' address='0.0.0.0'/>
> + </graphics>
> + </devices>
> + <seclabel model="selinux" type="dynamic"
relabel="yes">
> + <label>system_u:system_r:svirt_t:s0:c41,c264</label>
> +
<imagelabel>system_u:object_r:svirt_image_t:s0:c41,c264</imagelabel>
> + </seclabel>
> +</domain>
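Review bot: the expected-label list and the XML disagree on one path. `voldisks.txt` lists `/disk.raw`, but no disk in this file uses it; the blk-pool0-vol0 disk instead has `file='/plain.raw'`, which appears in no `.txt` entry. Rename one side so the five paths in `voldisks.txt` match the five `file=` attributes here. Also, all five disks use `<target dev='hda' bus='ide'/>`; as in `netdisks.xml`, give each disk a unique target so the fixture parses as a valid domain definition.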
> diff --git a/tests/securityselinuxlabeltest.c
> b/tests/securityselinuxlabeltest.c
> index efe825a..8c88cfd 100644
> --- a/tests/securityselinuxlabeltest.c
> +++ b/tests/securityselinuxlabeltest.c
> @@ -332,6 +332,8 @@ mymain(void)
>
> setcon((security_context_t)"system_r:system_u:libvirtd_t:s0:c0.c1023");
> DO_TEST_LABELING("disks");
> + DO_TEST_LABELING("netdisks");
> + DO_TEST_LABELING("voldisks");
> DO_TEST_LABELING("kernel");
> DO_TEST_LABELING("chardev");
>
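Review bot: the two added `DO_TEST_LABELING` calls are fine and match the new fixture names. Unrelated to this patch but visible in the context: the `setcon()` argument `"system_r:system_u:libvirtd_t:s0:c0.c1023"` has the SELinux user and role fields swapped (the format is user:role:type:level, so it should read `system_u:system_r:...`); worth a separate cleanup patch.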