
[testsuite,21/24] tests/overlay: don't hard-code SELinux user of the caller

Message ID 20220729120229.207584-22-omosnace@redhat.com (mailing list archive)
State Superseded
Delegated to: Ondrej Mosnáček
Series Clean up testsuite policy and support running as sysadm_t | expand

Commit Message

Ondrej Mosnacek July 29, 2022, 12:02 p.m. UTC
We want to allow the testsuite caller to be other than unconfined, so
extract the user from current context and use it instead of hard-coding
unconfined_u.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 tests/overlay/setup-overlay |  2 +-
 tests/overlay/test          | 34 ++++++++++++++++------------------
 2 files changed, 17 insertions(+), 19 deletions(-)

Comments

Daniel Burgener Aug. 2, 2022, 5:16 p.m. UTC | #1
On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> We want to allow the testsuite caller to be other than unconfined, so
> extract the user from current context and use it instead of hard-coding
> unconfined_u.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   tests/overlay/setup-overlay |  2 +-
>   tests/overlay/test          | 34 ++++++++++++++++------------------
>   2 files changed, 17 insertions(+), 19 deletions(-)
> 
> diff --git a/tests/overlay/setup-overlay b/tests/overlay/setup-overlay
> index 4fcd023..3f33499 100755
> --- a/tests/overlay/setup-overlay
> +++ b/tests/overlay/setup-overlay
> @@ -41,7 +41,7 @@ setup () {
>   
>       # Create upper, work, and overlay directories per container.
>       mkdir -p $BASEDIR/container1/upper $BASEDIR/container1/work $BASEDIR/container1/merged
> -    chcon -R unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20 $BASEDIR/container1
> +    chcon -R -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1
>   
>       # Label the container directories to match the container context.
>       # This is simply to ensure correct label inheritance on new file
> diff --git a/tests/overlay/test b/tests/overlay/test
> index 2b28c47..c8367dd 100755
> --- a/tests/overlay/test
> +++ b/tests/overlay/test
> @@ -5,6 +5,10 @@ BEGIN {
>       $basedir = $0;
>       $basedir =~ s|(.*)/[^/]*|$1|;
>   
> +    $seuser = `id -Z`;
> +    chop($seuser);
> +    $seuser =~ s|^(\w+):.*$|$1|;

Is chop actually needed here?  My perl is a little rusty, so there may 
be some perl regex-y reason, but you're discarding everything after the 
first ":" anyways.

-Daniel

> +
>       $isnfs = `stat -f --print %T $basedir`;
>   
>       # check if kernel supports overlayfs and SELinux labeling
> @@ -92,7 +96,7 @@ sub test_4_0 {
>       $output = getfilecon("$basedir/container1/upper/writefile");
>   
>       # Newly created writefile should have s0 MCS Label since it was copied up
> -    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
>   }
>   
>   sub test_4_0_ctx {
> @@ -100,8 +104,7 @@ sub test_4_0_ctx {
>       $output = getfilecon("$basedir/container1/upper/writefile");
>   
>       # Newly created writefile should have s0 MCS Label since it was copied up
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_5 {
> @@ -127,8 +130,7 @@ sub test_5_1 {
>       $output = getfilecon("$basedir/container1/upper/newdir");
>   
>       # Newly created writedir should have s0:c10,c20 since it was created new
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_5_2 {
> @@ -146,8 +148,7 @@ sub test_5_3 {
>       $output = getfilecon("$basedir/container1/upper/newdir/touchlink");
>   
>       # Newly created writelink should have s0:c10,c20 since it was created new
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_6 {
> @@ -173,7 +174,7 @@ sub test_7_0 {
>       $output = getfilecon("$basedir/container1/upper/writedir/bar");
>   
>       # Newly created bar should have s0:c10,c20 since it was created new
> -    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
>   }
>   
>   sub test_7_0_ctx {
> @@ -181,8 +182,7 @@ sub test_7_0_ctx {
>       $output = getfilecon("$basedir/container1/upper/writedir/bar");
>   
>       # Newly created bar should have s0:c10,c20 since it was created new
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_7_1 {
> @@ -200,7 +200,7 @@ sub test_7_1_0 {
>       $output = getfilecon("$basedir/container1/upper/writedir/writelink");
>   
>       # Newly created writelink should have s0:c10,c20 since it was created new
> -    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
>   }
>   
>   sub test_7_1_0_ctx {
> @@ -208,8 +208,7 @@ sub test_7_1_0_ctx {
>       $output = getfilecon("$basedir/container1/upper/writedir/writelink");
>   
>       # Newly created writelink should have s0:c10,c20 since it was created new
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_7_2 {
> @@ -445,7 +444,7 @@ sub test_42 {
>   
>       # Newly created writeout should have s0:c10,c20 since it was created new
>       ok( $output eq
> -          "unconfined_u:object_r:test_overlay_transition_files_t:s0:c10,c20" );
> +          "$seuser:object_r:test_overlay_transition_files_t:s0:c10,c20" );
>   }
>   
>   sub test_42_ctx {
> @@ -453,8 +452,7 @@ sub test_42_ctx {
>       $output = getfilecon("$basedir/container1/upper/transition");
>   
>       # Newly created writeout should have s0:c10,c20 since it was created new
> -    ok( $output eq
> -          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
> +    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
>   }
>   
>   sub test_43 {
> @@ -822,7 +820,7 @@ sub nocontext_test {
>   sub context_test {
>   
>       cleanup();
> -    $context = "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20";
> +    $context = "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20";
>       print "\n\n=====================================================\n";
>       print "Testing mounting overlayfs with context switch\n";
>       print "context=$context\n";
> @@ -943,7 +941,7 @@ sub context_test {
>   sub context_rot_t_test {
>   
>       cleanup();
> -    $context = "unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20";
> +    $context = "$seuser:object_r:test_overlay_files_ro_t:s0:c10,c20";
>       print "\n\n=====================================================\n";
>       print "Testing mounting overlayfs with context switch\n";
>       print "context=$context\n";
Ondrej Mosnacek Aug. 3, 2022, 9 a.m. UTC | #2
On Tue, Aug 2, 2022 at 7:16 PM Daniel Burgener
<dburgener@linux.microsoft.com> wrote:
> On 7/29/2022 8:02 AM, Ondrej Mosnacek wrote:
> > We want to allow the testsuite caller to be other than unconfined, so
> > extract the user from current context and use it instead of hard-coding
> > unconfined_u.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >   tests/overlay/setup-overlay |  2 +-
> >   tests/overlay/test          | 34 ++++++++++++++++------------------
> >   2 files changed, 17 insertions(+), 19 deletions(-)
> >
> > diff --git a/tests/overlay/setup-overlay b/tests/overlay/setup-overlay
> > index 4fcd023..3f33499 100755
> > --- a/tests/overlay/setup-overlay
> > +++ b/tests/overlay/setup-overlay
> > @@ -41,7 +41,7 @@ setup () {
> >
> >       # Create upper, work, and overlay directories per container.
> >       mkdir -p $BASEDIR/container1/upper $BASEDIR/container1/work $BASEDIR/container1/merged
> > -    chcon -R unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20 $BASEDIR/container1
> > +    chcon -R -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1
> >
> >       # Label the container directories to match the container context.
> >       # This is simply to ensure correct label inheritance on new file
> > diff --git a/tests/overlay/test b/tests/overlay/test
> > index 2b28c47..c8367dd 100755
> > --- a/tests/overlay/test
> > +++ b/tests/overlay/test
> > @@ -5,6 +5,10 @@ BEGIN {
> >       $basedir = $0;
> >       $basedir =~ s|(.*)/[^/]*|$1|;
> >
> > +    $seuser = `id -Z`;
> > +    chop($seuser);
> > +    $seuser =~ s|^(\w+):.*$|$1|;
>
> Is chop actually needed here?  My perl is a little rusty, so there may
> be some perl regex-y reason, but you're discarding everything after the
> first ":" anyways.

Yeah, it's actually not needed, but I'd rather leave it there to
document that one needs to account for the line ending in the initial
value. Otherwise people changing the regex in the future may get
bitten by it.

Patch

diff --git a/tests/overlay/setup-overlay b/tests/overlay/setup-overlay
index 4fcd023..3f33499 100755
--- a/tests/overlay/setup-overlay
+++ b/tests/overlay/setup-overlay
@@ -41,7 +41,7 @@  setup () {
 
     # Create upper, work, and overlay directories per container.
     mkdir -p $BASEDIR/container1/upper $BASEDIR/container1/work $BASEDIR/container1/merged
-    chcon -R unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20 $BASEDIR/container1
+    chcon -R -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1
 
     # Label the container directories to match the container context.
     # This is simply to ensure correct label inheritance on new file
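Review bot: Dropping the user component from the chcon call leaves the user field of $BASEDIR/container1 at whatever `mkdir -p` produced, which is only the caller's SELinux user when the directory is created fresh; if a previous run left the tree behind under a different caller, `mkdir -p` keeps the existing directory and its label will no longer match the `$seuser` that the Perl side derives from `id -Z`. If that scenario can happen in this harness, either set the user explicitly from the caller's context, `chcon -R -u "$(id -Z | cut -d: -f1)" -t test_overlay_files_ro_t -l s0:c10,c20 $BASEDIR/container1`, or make sure the tree is removed before setup runs. The enclosing setup() function starts and ends outside the hunk.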
diff --git a/tests/overlay/test b/tests/overlay/test
index 2b28c47..c8367dd 100755
--- a/tests/overlay/test
+++ b/tests/overlay/test
@@ -5,6 +5,10 @@  BEGIN {
     $basedir = $0;
     $basedir =~ s|(.*)/[^/]*|$1|;
 
+    $seuser = `id -Z`;
+    chop($seuser);
+    $seuser =~ s|^(\w+):.*$|$1|;
+
     $isnfs = `stat -f --print %T $basedir`;
 
     # check if kernel supports overlayfs and SELinux labeling
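Review bot: The new `$seuser` extraction has no failure check: if `id -Z` fails or prints something without a `:` (the backticks capture only stdout), the substitution does not match, `$seuser` is left empty or holding the raw output, and every later `ok( $output eq "$seuser:object_r:..." )` then fails with no hint of the real cause. Since `s///` returns the number of substitutions, the guard is one line: `$seuser =~ s|^(\w+):.*$|$1| or die "cannot determine SELinux user from 'id -Z' output: $seuser";`. The BEGIN block continues outside the hunk.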
@@ -92,7 +96,7 @@  sub test_4_0 {
     $output = getfilecon("$basedir/container1/upper/writefile");
 
     # Newly created writefile should have s0 MCS Label since it was copied up
-    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
 }
 
 sub test_4_0_ctx {
@@ -100,8 +104,7 @@  sub test_4_0_ctx {
     $output = getfilecon("$basedir/container1/upper/writefile");
 
     # Newly created writefile should have s0 MCS Label since it was copied up
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_5 {
@@ -127,8 +130,7 @@  sub test_5_1 {
     $output = getfilecon("$basedir/container1/upper/newdir");
 
     # Newly created writedir should have s0:c10,c20 since it was created new
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_5_2 {
@@ -146,8 +148,7 @@  sub test_5_3 {
     $output = getfilecon("$basedir/container1/upper/newdir/touchlink");
 
     # Newly created writelink should have s0:c10,c20 since it was created new
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_6 {
@@ -173,7 +174,7 @@  sub test_7_0 {
     $output = getfilecon("$basedir/container1/upper/writedir/bar");
 
     # Newly created bar should have s0:c10,c20 since it was created new
-    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
 }
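Review bot: The comment on the line above the changed assertion says bar should have `s0:c10,c20`, but the new line still expects a context ending in plain `s0`; the same mismatch is in the test_7_1_0 hunk for writelink. The `_ctx` sibling tests are the ones that check `s0:c10,c20`, so the comment here is presumably the wrong half, and it could read `# Newly created bar should have s0 since it was created new` to match the assertion — but if the comment is right instead, the expected context needs `:c10,c20` added, which depends on the mount setup outside the hunk. test_7_0's body starts outside the hunk.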
 
 sub test_7_0_ctx {
@@ -181,8 +182,7 @@  sub test_7_0_ctx {
     $output = getfilecon("$basedir/container1/upper/writedir/bar");
 
     # Newly created bar should have s0:c10,c20 since it was created new
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_7_1 {
@@ -200,7 +200,7 @@  sub test_7_1_0 {
     $output = getfilecon("$basedir/container1/upper/writedir/writelink");
 
     # Newly created writelink should have s0:c10,c20 since it was created new
-    ok( $output eq "unconfined_u:object_r:test_overlay_files_rwx_t:s0" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0" );
 }
 
 sub test_7_1_0_ctx {
@@ -208,8 +208,7 @@  sub test_7_1_0_ctx {
     $output = getfilecon("$basedir/container1/upper/writedir/writelink");
 
     # Newly created writelink should have s0:c10,c20 since it was created new
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_7_2 {
@@ -445,7 +444,7 @@  sub test_42 {
 
     # Newly created writeout should have s0:c10,c20 since it was created new
     ok( $output eq
-          "unconfined_u:object_r:test_overlay_transition_files_t:s0:c10,c20" );
+          "$seuser:object_r:test_overlay_transition_files_t:s0:c10,c20" );
 }
 
 sub test_42_ctx {
@@ -453,8 +452,7 @@  sub test_42_ctx {
     $output = getfilecon("$basedir/container1/upper/transition");
 
     # Newly created writeout should have s0:c10,c20 since it was created new
-    ok( $output eq
-          "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
+    ok( $output eq "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20" );
 }
 
 sub test_43 {
@@ -822,7 +820,7 @@  sub nocontext_test {
 sub context_test {
 
     cleanup();
-    $context = "unconfined_u:object_r:test_overlay_files_rwx_t:s0:c10,c20";
+    $context = "$seuser:object_r:test_overlay_files_rwx_t:s0:c10,c20";
     print "\n\n=====================================================\n";
     print "Testing mounting overlayfs with context switch\n";
     print "context=$context\n";
@@ -943,7 +941,7 @@  sub context_test {
 sub context_rot_t_test {
 
     cleanup();
-    $context = "unconfined_u:object_r:test_overlay_files_ro_t:s0:c10,c20";
+    $context = "$seuser:object_r:test_overlay_files_ro_t:s0:c10,c20";
     print "\n\n=====================================================\n";
     print "Testing mounting overlayfs with context switch\n";
     print "context=$context\n";