| Message ID | 156685561015.29917.5393176418461343562.stgit@chester (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | selinux-testsuite: ensure the cgroups_label tests works on old and new systems | expand |
On Mon, Aug 26, 2019 at 5:40 PM Paul Moore <paul@paul-moore.com> wrote: > From: Paul Moore <paul@paul-moore.com> > > Commit 697efc910393 ("selinux-testsuite: fix the cgroups_label test") > fixed the cgroups_label test on new systems, but it broke old systems. > Try to use /sys/fs/cgroup/unified first and if that doesn't exist go > with the new approach introduced in the commit above. > > Signed-off-by: Paul Moore <paul@paul-moore.com> > --- > tests/cgroupfs_label/test | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/tests/cgroupfs_label/test b/tests/cgroupfs_label/test > index 385b953..91517b4 100755 > --- a/tests/cgroupfs_label/test > +++ b/tests/cgroupfs_label/test > @@ -5,7 +5,11 @@ BEGIN { plan tests => 2 } > > my $ret; > > -my $dir = "/sys/fs/cgroup/selinuxtest"; > +# Older systems use /sys/fs/cgroup/unified, newer use /sys/fs/cgroup. > +my $dir = "/sys/fs/cgroup/unified"; > +if (! -d $dir) { > + $dir = "/sys/fs/cgroup/selinuxtest"; > +} Merged with the requisite style fixes (sorry about that, my mistake). > # Create a new cgroupfs directory and relabel it. > mkdir("$dir");
On 8/26/19 5:40 PM, Paul Moore wrote: > From: Paul Moore <paul@paul-moore.com> > > Commit 697efc910393 ("selinux-testsuite: fix the cgroups_label test") > fixed the cgroups_label test on new systems, but it broke old systems. > Try to use /sys/fs/cgroup/unified first and if that doesn't exist go > with the new approach introduced in the commit above. > > Signed-off-by: Paul Moore <paul@paul-moore.com> This leaves the test system in a broken state, with all of /sys/fs/cgroup/unified getting relabeled to test_cgroup_t during the test and then switching to unlabeled_t upon the unloading of the test policy. I get a bajillion denials after the testsuite completes from anything trying to access /sys/fs/cgroup/unified, and ls -Z /sys/fs/cgroup/unified shows it as being unlabeled_t throughout. > --- > tests/cgroupfs_label/test | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/tests/cgroupfs_label/test b/tests/cgroupfs_label/test > index 385b953..91517b4 100755 > --- a/tests/cgroupfs_label/test > +++ b/tests/cgroupfs_label/test > @@ -5,7 +5,11 @@ BEGIN { plan tests => 2 } > > my $ret; > > -my $dir = "/sys/fs/cgroup/selinuxtest"; > +# Older systems use /sys/fs/cgroup/unified, newer use /sys/fs/cgroup. > +my $dir = "/sys/fs/cgroup/unified"; > +if (! -d $dir) { > + $dir = "/sys/fs/cgroup/selinuxtest"; > +} > > # Create a new cgroupfs directory and relabel it. > mkdir("$dir"); > >
On Wed, Sep 4, 2019 at 8:48 AM Stephen Smalley <sds@tycho.nsa.gov> wrote: > On 8/26/19 5:40 PM, Paul Moore wrote: > > From: Paul Moore <paul@paul-moore.com> > > > > Commit 697efc910393 ("selinux-testsuite: fix the cgroups_label test") > > fixed the cgroups_label test on new systems, but it broke old systems. > > Try to use /sys/fs/cgroup/unified first and if that doesn't exist go > > with the new approach introduced in the commit above. > > > > Signed-off-by: Paul Moore <paul@paul-moore.com> > > This leaves the test system in a broken state, with all of > /sys/fs/cgroup/unified getting relabeled to test_cgroup_t during the > test and then switching to unlabeled_t upon the unloading of the test > policy. I get a bajillion denials after the testsuite completes from > anything trying to access /sys/fs/cgroup/unified, and ls -Z > /sys/fs/cgroup/unified shows it as being unlabeled_t throughout. A bajillion, that sounds serious! ;) Anyway, my apologies for breaking things after the test runs. My test systems pretty much just run the tests (over and over and over) so I didn't notice the breakage. I'll post a patch for this right now ... > > --- > > tests/cgroupfs_label/test | 6 +++++- > > 1 file changed, 5 insertions(+), 1 deletion(-) > > > > diff --git a/tests/cgroupfs_label/test b/tests/cgroupfs_label/test > > index 385b953..91517b4 100755 > > --- a/tests/cgroupfs_label/test > > +++ b/tests/cgroupfs_label/test > > @@ -5,7 +5,11 @@ BEGIN { plan tests => 2 } > > > > my $ret; > > > > -my $dir = "/sys/fs/cgroup/selinuxtest"; > > +# Older systems use /sys/fs/cgroup/unified, newer use /sys/fs/cgroup. > > +my $dir = "/sys/fs/cgroup/unified"; > > +if (! -d $dir) { > > + $dir = "/sys/fs/cgroup/selinuxtest"; > > +} > > > > # Create a new cgroupfs directory and relabel it. > > mkdir("$dir"); > >
diff --git a/tests/cgroupfs_label/test b/tests/cgroupfs_label/test index 385b953..91517b4 100755 --- a/tests/cgroupfs_label/test +++ b/tests/cgroupfs_label/test @@ -5,7 +5,11 @@ BEGIN { plan tests => 2 } my $ret; -my $dir = "/sys/fs/cgroup/selinuxtest"; +# Older systems use /sys/fs/cgroup/unified, newer use /sys/fs/cgroup. +my $dir = "/sys/fs/cgroup/unified"; +if (! -d $dir) { + $dir = "/sys/fs/cgroup/selinuxtest"; +} # Create a new cgroupfs directory and relabel it. mkdir("$dir");