
On 22/07/13 23:40, John Ferlan wrote:
On 07/22/2013 07:06 AM, Osier Yang wrote:
On 19/07/13 20:32, John Ferlan wrote:
Although they produce no seclabel data, add some tests for coverage of various network and volume disk definitions
---
 tests/securityselinuxlabeldata/netdisks.txt |  5 +++
 tests/securityselinuxlabeldata/netdisks.xml | 58 +++++++++++++++++++++++++++++
 tests/securityselinuxlabeldata/voldisks.txt |  5 +++
 tests/securityselinuxlabeldata/voldisks.xml | 45 ++++++++++++++++++++++
 tests/securityselinuxlabeltest.c            |  2 +
 5 files changed, 115 insertions(+)
 create mode 100644 tests/securityselinuxlabeldata/netdisks.txt
 create mode 100644 tests/securityselinuxlabeldata/netdisks.xml
 create mode 100644 tests/securityselinuxlabeldata/voldisks.txt
 create mode 100644 tests/securityselinuxlabeldata/voldisks.xml
diff --git a/tests/securityselinuxlabeldata/netdisks.txt b/tests/securityselinuxlabeldata/netdisks.txt new file mode 100644 index 0000000..b6bf95f --- /dev/null +++ b/tests/securityselinuxlabeldata/netdisks.txt @@ -0,0 +1,5 @@ +/nbd.raw; +/iscsi.raw; +/rbd.raw; +/sheepdog.raw; +/gluster.raw; diff --git a/tests/securityselinuxlabeldata/netdisks.xml b/tests/securityselinuxlabeldata/netdisks.xml new file mode 100644 index 0000000..ab5e964 --- /dev/null +++ b/tests/securityselinuxlabeldata/netdisks.xml @@ -0,0 +1,58 @@ +<domain type='kvm'> + <name>vm1</name> + <uuid>c7b3edbd-edaf-9455-926a-d65c16db1800</uuid> + <memory unit='KiB'>219200</memory> + <os> + <type arch='i686' machine='pc-1.0'>hvm</type> + <boot dev='cdrom'/> + </os> + <devices> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='nbd' file="/nbd.raw"> + <host name='example.org' port='6000'/> + </source> + <target dev='vda' bus='virtio'/> + </disk> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='iscsi' name='iqn.1992-01.com.example/1' file="/iscsi.raw">
I'm not clear with the security tests, but this XML looks incorrect. "file" is one way to represent the disk source; it's exclusive with the other ways (e.g. protocol/name here) in semantics. Similar for below. Why do you use both "file" and other ways of disk source representation together?
Following the syntax found in the following files:
tests/qemuxml2argvdata/qemuxml2argv-disk-drive-network-*.xml
where '*' is {gluster, nbd, rbd, sheepdog, & iscsi}
I can hold off pushing this patch if desired.
I believe you will need a further patch to fix it if it's pushed. :\
The 'file' names are found in the 'netdisks.txt' file, which is where the seclabels get listed for other tests. For the network types there are no seclabels.
These still don't answer my question: the (file="$file") and other representation ways conflict in semantics, though XML parsing could report no error, since one of the ways (e.g. "file") is ignored when parsing. See the disk source RNG schema:

  <group>
    <attribute name="type">
      <value>file</value>
    </attribute>
    <interleave>
      <optional>
        <element name="source">
          <optional>
            <attribute name="file">
              <ref name="absFilePath"/>
            </attribute>
          </optional>
          <optional>
            <ref name="startupPolicy"/>
          </optional>
          <optional>
            <ref name='devSeclabel'/>
          </optional>
        </element>
      </optional>
      <ref name="diskspec"/>
    </interleave>
  </group>
  <group>
    <attribute name="type">
      <value>block</value>
    </attribute>
    <interleave>
      <optional>
        <element name="source">
          <attribute name="dev">
            <ref name="absFilePath"/>
          </attribute>
          <optional>
            <ref name='devSeclabel'/>
          </optional>
        </element>
      </optional>
      <ref name="diskspec"/>
    </interleave>
  </group>
  <group>
    <attribute name="type">
      <value>dir</value>
    </attribute>
    <interleave>
      <optional>
        <element name="source">
          <attribute name="dir">
            <ref name="absFilePath"/>
          </attribute>
          <empty/>
        </element>
      </optional>
      <ref name="diskspec"/>
    </interleave>
  </group>
  <group>
    <attribute name="type">
      <value>network</value>
    </attribute>
    <interleave>
      <optional>
        <element name="source">
          <ref name='diskSourceNetwork'/>
        </element>
      </optional>
      <ref name="diskspec"/>
    </interleave>
  </group>
  <group>
    <attribute name="type">
      <value>volume</value>
    </attribute>
    <interleave>
      <optional>
        <element name="source">
          <attribute name="pool">
            <ref name="genericName"/>
          </attribute>
          <attribute name="volume">
            <ref name="volName"/>
          </attribute>
          <optional>
            <ref name="startupPolicy"/>
          </optional>
          <optional>
            <ref name='devSeclabel'/>
          </optional>
        </element>
      </optional>
      <ref name="diskspec"/>
    </interleave>
  </group>

This patch is not that important for the feature, so I think it can be delayed till there is a right solution.
John
+ <host name='example.org' port='6000'/> + </source> + <target dev='vdb' bus='virtio'/> + </disk> + <disk type='network'> + <driver name="qemu" type="raw"/> + <source protocol="rbd" name="image_name2" file="/rbd.raw"> + <host name="hostname" port="7000"/> + </source> + <target dev="hdb" bus="ide"/> + <auth username='myuser'> + <secret type='ceph' usage='mypassid'/> + </auth> + </disk> + <disk type='network'> + <driver name="qemu" type="raw"/> + <source protocol="sheepdog" name="image_name" file="/sheepdog.raw"> + <host name="hostname" port="7000"/> + </source> + <target dev="hdb" bus="ide"/> + </disk> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='gluster' name='Volume/Image' file='/gluster.raw'> + <host name='example.org' port='6000' transport='tcp'/> + </source> + <target dev='vda' bus='virtio'/> + </disk> + + <input type='mouse' bus='ps2'/> + <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'> + <listen type='address' address='0.0.0.0'/> + </graphics> + </devices> + <seclabel model="selinux" type="dynamic" relabel="yes"> + <label>system_u:system_r:svirt_t:s0:c41,c264</label> + <imagelabel>system_u:object_r:svirt_image_t:s0:c41,c264</imagelabel> + </seclabel> +</domain> diff --git a/tests/securityselinuxlabeldata/voldisks.txt b/tests/securityselinuxlabeldata/voldisks.txt new file mode 100644 index 0000000..bd5d755 --- /dev/null +++ b/tests/securityselinuxlabeldata/voldisks.txt @@ -0,0 +1,5 @@ +/file.raw; +/disk.raw; +/host.raw; +/direct.raw; +/cdrom.raw; diff --git a/tests/securityselinuxlabeldata/voldisks.xml b/tests/securityselinuxlabeldata/voldisks.xml new file mode 100644 index 0000000..ae7e629 --- /dev/null +++ b/tests/securityselinuxlabeldata/voldisks.xml 
@@ -0,0 +1,45 @@ +<domain type='kvm'> + <name>vm1</name> + <uuid>c7b3edbd-edaf-9455-926a-d65c16db1800</uuid> + <memory unit='KiB'>219200</memory> + <os> + <type arch='i686' machine='pc-1.0'>hvm</type> + <boot dev='cdrom'/> + </os> + <devices> + <disk type='volume' device='disk'> + <driver name='qemu' type='raw'/> + <source pool='dir-pool0' volume='dir-pool0-vol0' file='/file.raw'/> + <target dev='hda' bus='ide'/> + </disk> + <disk type='volume' device='disk'> + <driver name='qemu' type='raw'/> + <source pool='dir-pool0' volume='dir-pool0-vol0' mode='host' file='/host.raw'/> + <target dev='hda' bus='ide'/> + </disk> + <disk type='volume' device='disk'> + <driver name='qemu' type='raw'/> + <source pool='dir-pool0' volume='dir-pool0-vol0' mode='direct' file='/direct.raw'/> + <target dev='hda' bus='ide'/> + </disk> + <disk type='volume' device='disk'> + <driver name='qemu' type='raw'/> + <source pool='blk-pool0' volume='blk-pool0-vol0' file='/plain.raw'/> + <target dev='hda' bus='ide'/> + </disk> + <disk type='volume' device='cdrom'> + <driver name='qemu' type='raw'/> + <source pool='blk-pool0' volume='blk-pool0-vol1' file='/cdrom.raw'/> + <target dev='hda' bus='ide'/> + <readonly/> + </disk> + <input type='mouse' bus='ps2'/> + <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'> + <listen type='address' address='0.0.0.0'/> + </graphics> + </devices> + <seclabel model="selinux" type="dynamic" relabel="yes"> + <label>system_u:system_r:svirt_t:s0:c41,c264</label> + <imagelabel>system_u:object_r:svirt_image_t:s0:c41,c264</imagelabel> + </seclabel> +</domain> diff --git a/tests/securityselinuxlabeltest.c b/tests/securityselinuxlabeltest.c index efe825a..8c88cfd 100644 --- a/tests/securityselinuxlabeltest.c +++ b/tests/securityselinuxlabeltest.c @@ -332,6 +332,8 @@ mymain(void)
setcon((security_context_t)"system_r:system_u:libvirtd_t:s0:c0.c1023"); DO_TEST_LABELING("disks"); + DO_TEST_LABELING("netdisks"); + DO_TEST_LABELING("voldisks"); DO_TEST_LABELING("kernel"); DO_TEST_LABELING("chardev");
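Review bot: in the netdisks.xml hunk every type='network' <source> also carries a file= attribute (for example `<source protocol='nbd' file="/nbd.raw">`), but in the schema groups quoted in this thread `file` belongs only to the type='file' group, so the parser ignores it and the fixture describes a source no valid domain would carry; drop the file attributes, and if the labeling harness needs a per-disk path to match against netdisks.txt, say so in a comment in the fixture rather than encoding it in an attribute that is discarded. Two of the network disks also target vda and two target hdb; give each disk a unique target dev so the fixture is a well-formed domain.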
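Review bot: voldisks.txt and voldisks.xml are out of sync: the .txt lists /disk.raw, while the fourth disk in the XML uses file='/plain.raw', so whichever one the test reads, one entry cannot match; make the two files agree. The same objection as for netdisks.xml applies to file= on type='volume' sources, which the quoted volume group does not permit (only pool, volume, startupPolicy and the seclabel child), and all five volume disks target dev='hda'; use distinct targets.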
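The silent failure Osier describes, a `<source>` attribute that belongs to another disk type's schema group being dropped without error, can be caught before a fixture is committed. The checker below is an added example, not libvirt code or part of the patch; the allowed attribute sets follow the RNG groups quoted above, with `protocol`/`name` for network and `mode` for volume taken from the patch's own fixtures since the excerpt does not expand `diskSourceNetwork`.

```python
"""Flag <disk> <source> attributes that fall outside the disk type's schema group."""
import xml.etree.ElementTree as ET

# Attributes a <source> may carry for each disk type, per the RNG groups quoted
# in the thread. network/name, network/protocol and volume/mode are assumptions
# taken from the patch's fixtures, not from the quoted excerpt.
SOURCE_ATTRS = {
    "file": {"file", "startupPolicy"},
    "block": {"dev"},
    "dir": {"dir"},
    "network": {"protocol", "name"},
    "volume": {"pool", "volume", "mode", "startupPolicy"},
}


def check_disk_sources(domain_xml):
    """Return (target dev, disk type, stray attributes) for each disk whose
    <source> carries attributes the parser would ignore for that type."""
    findings = []
    root = ET.fromstring(domain_xml)
    for disk in root.iter("disk"):
        dtype = disk.get("type", "file")  # libvirt treats a missing type as 'file'
        src = disk.find("source")
        if src is None:
            continue
        target = disk.find("target")
        dev = target.get("dev") if target is not None else "?"
        stray = sorted(set(src.attrib) - SOURCE_ATTRS.get(dtype, set()))
        if stray:
            findings.append((dev, dtype, stray))
    return findings


# Constructed sample, condensed from the netdisks.xml and voldisks.xml hunks.
SAMPLE = """<domain type='kvm'><devices>
  <disk type='network' device='disk'>
    <source protocol='iscsi' name='iqn.1992-01.com.example/1' file='/iscsi.raw'>
      <host name='example.org' port='6000'/>
    </source>
    <target dev='vdb' bus='virtio'/>
  </disk>
  <disk type='volume' device='disk'>
    <source pool='dir-pool0' volume='dir-pool0-vol0' mode='host' file='/host.raw'/>
    <target dev='hda' bus='ide'/>
  </disk>
  <disk type='file' device='disk'>
    <source file='/plain.raw'/>
    <target dev='hdb' bus='ide'/>
  </disk>
</devices></domain>"""

if __name__ == "__main__":
    for dev, dtype, stray in check_disk_sources(SAMPLE):
        print(f"disk {dev} (type={dtype}): attributes ignored by the parser: {', '.join(stray)}")
```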