On Thu, Sep 20, 2012 at 04:06:29PM -0600, Eric Blake wrote:
On 09/20/2012 09:01 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
There are many aspects of the guest XML which result in the SELinux driver applying file labelling. With the increasing configuration options it is desirable to test this behaviour. It is not possible to assume that the test suite has the ability to set SELinux labels. Most filesystems though will support extended attributes. Thus for the purpose of testing, it is possible to extend the existing LD_PRELOAD hack to override setfilecon() and getfilecon() to simply use the 'user.libvirt.selinux' attribute for the sake of testing.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- .gitignore | 1 + configure.ac | 3 +
If you were to open-code the configure.ac changes, instead of trying to rely on the new m4/virt-lib.m4, then I'd feel better about taking this patch prior to 0.10.2, while we still hammer out the details of nicer configure.ac for later.
Ok, will repost.
+ +int getfilecon(const char *path, security_context_t *con) +{ + char *constr = NULL; + ssize_t len = getxattr(path, "user.libvirt.selinux", + NULL, 0); + if (len < 0) + return -1; + if (!(constr = malloc(len+1)))
Any reason you can't use VIR_ALLOC_N here? But since it is an LD_PRELOAD wrapper, I guess it makes sense that you have to stick to low-level functionality.
Yep, wanted to avoid linking to libvirt.so in the preload wrapper.
+ } + + if (!(fp = fopen(path, "r"))) { + goto cleanup; + } + + while (!feof(fp)) { + char *line; + char *file, *context; + if (VIR_ALLOC_N(line, 1024) < 0) { + virReportOOMError(); + goto cleanup; + } + if (!fgets(line, 1024, fp)) {
Is readline() any easier to use than VIR_ALLOC_N/fgets()?
Is readline() really what you meant ? That function is for prompting on stdio and reading a response.
+static int +testSELinuxCreateDisks(testSELinuxFile *files, size_t nfiles) +{ + size_t i; + + if (virFileMakePath(abs_builddir "/securityselinuxlabeldata") < 0) + return -1; + + for (i = 0 ; i < nfiles ; i++) { + if (virFileTouch(files[i].file, 0600) < 0) + return -1; + //setfilecon(files[i].file, (security_context_t)"system_u:object_r:original_t:s0");
Leftover debugging?
Opps, yes. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|