On Thu, Sep 20, 2012 at 04:06:29PM -0600, Eric Blake wrote:
On 09/20/2012 09:01 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange(a)redhat.com>
>
> There are many aspects of the guest XML which result in the
> SELinux driver applying file labelling. With the increasing
> configuration options it is desirable to test this behaviour.
> It is not possible to assume that the test suite has the
> ability to set SELinux labels. Most filesystems though will
> support extended attributes. Thus for the purpose of testing,
> it is possible to extend the existing LD_PRELOAD hack to
> override setfilecon() and getfilecon() to simply use the
> 'user.libvirt.selinux' attribute for the sake of testing.
>
> Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
> ---
> .gitignore | 1 +
> configure.ac | 3 +
If you were to open-code the configure.ac changes, instead of trying to
rely on the new m4/virt-lib.m4, then I'd feel better about taking this
patch prior to 0.10.2, while we still hammer out the details of nicer
configure.ac for later.
Ok, will repost.
> +
> +int getfilecon(const char *path, security_context_t *con)
> +{
> + char *constr = NULL;
> + ssize_t len = getxattr(path, "user.libvirt.selinux",
> + NULL, 0);
> + if (len < 0)
> + return -1;
> + if (!(constr = malloc(len+1)))
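Review bot: the size probe getxattr(path, "user.libvirt.selinux", NULL, 0) followed by malloc(len+1) is only safe if the read that fills the buffer (not visible in the quoted lines) is checked on its own. The attribute can change between the two calls, so the second call should treat a negative return as an error, free constr on that path, and NUL-terminate at the length it returns rather than at len.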
Any reason you can't use VIR_ALLOC_N here? But since it is an
LD_PRELOAD wrapper, I guess it makes sense that you have to stick to
low-level functionality.
Yep, wanted to avoid linking to libvirt.so in the preload wrapper.
> + }
> +
> + if (!(fp = fopen(path, "r"))) {
> + goto cleanup;
> + }
> +
> + while (!feof(fp)) {
> + char *line;
> + char *file, *context;
> + if (VIR_ALLOC_N(line, 1024) < 0) {
> + virReportOOMError();
> + goto cleanup;
> + }
> + if (!fgets(line, 1024, fp)) {
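Review bot: while (!feof(fp)) at the top of this loop does not detect end of file by itself, because feof() only turns true after a read has already failed, so the exit depends entirely on the fgets() check in the body; looping on the fgets() result directly would be clearer. The VIR_ALLOC_N(line, 1024) inside the loop also allocates a fresh buffer on every iteration, so every pass, including the fgets() failure path, has to free it. One buffer allocated before the loop, or a char line[1024] on the stack, avoids that. Either way, a line longer than 1023 bytes is split across two iterations and should be handled or rejected explicitly.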
Is readline() any easier to use than VIR_ALLOC_N/fgets()?
Is readline() really what you meant? That function is for
prompting on stdio and reading a response.
> +static int
> +testSELinuxCreateDisks(testSELinuxFile *files, size_t nfiles)
> +{
> + size_t i;
> +
> + if (virFileMakePath(abs_builddir "/securityselinuxlabeldata") <
0)
> + return -1;
> +
> + for (i = 0 ; i < nfiles ; i++) {
> + if (virFileTouch(files[i].file, 0600) < 0)
> + return -1;
> + //setfilecon(files[i].file,
(security_context_t)"system_u:object_r:original_t:s0");
Leftover debugging?
Oops, yes.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|