keremet/rpm-ostree
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
7f5082deef
rpm-ostree/tests/vmcheck/test-layering-relabel.sh

96 lines
3.3 KiB
Bash
Raw Normal View History

vmcheck: add SELinux labeling tests There's a lot of paths in the core related to SELinux policy changes and relabeling packages. We currently have no test coverage for them. We add support in the test libraries here to build such packages. We also add a test that checks both that we correctly relabel RPMs when the policy changes and that we handle layered packages that install SELinux packages properly. Closes: #999 Approved by: cgwalters
2017-09-18 22:11:26 +03:00
#!/bin/bash
#
# Copyright (C) 2017 Red Hat Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
set -euo pipefail
. ${commondir}/libtest.sh
. ${commondir}/libvm.sh
set -x
# make sure there's nothing yet
vm_assert_status_jq \
'.deployments[0]["base-checksum"]|not'
# check that pkgs that install sepolicies have their changes take effect
vm_build_selinux_rpm foobar-selinux /usr/bin/foobar install_exec_t
vm_build_rpm foobar requires foobar-selinux
vm_rpmostree install foobar
vm_assert_status_jq \
'.deployments[0]["base-checksum"]' \
'.deployments[0]["packages"]|length == 1' \
'.deployments[0]["packages"]|index("foobar") >= 0'
assert_expected_label() {
local path=$1; shift
local expected=system_u:object_r:$1:s0; shift
local l=$(vm_cmd matchpathcon -n $path)
assert_streq "$l" "$expected"
}
assert_actual_label() {
local path=$1; shift
local expected=system_u:object_r:$1:s0; shift
local l=$(vm_cmd getfattr -n security.selinux --absolute-names --only-values $path)
assert_streq "$l" "$expected"
}
# shouldn't have affected our current policy
assert_expected_label /usr/bin/foobar bin_t
# but should have affected the new root
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/foobar install_exec_t
echo "ok layer selinux pkg"
# now let's change the policy
vm_build_selinux_rpm foobar-selinux /usr/bin/foobar shell_exec_t
vm_cmd ostree commit -b vmcheck --tree=ref=vmcheck
vm_rpmostree upgrade
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/foobar shell_exec_t
echo "ok upgrade selinux pkg"
# check that a change in the base layer binary policy causes a relabel
# we do this by just baking in a layered RPM that recompiles the policy
vm_rpmostree cleanup -p
vm_build_selinux_rpm baz-selinux /usr/bin/baz install_exec_t
vm_rpmostree install baz-selinux
se_csum=$(vm_cmd ostree checksum /usr/etc/selinux/targeted/policy/policy.*)
root=$(vm_get_deployment_root 0)
se_new_csum=$(vm_cmd ostree checksum $root/usr/etc/selinux/targeted/policy/policy.*)
assert_not_streq "$se_csum" "$se_new_csum"
csum=$(vm_get_deployment_info 0 checksum)
vm_cmd ostree commit -b vmcheck --tree=ref=$csum
vm_rpmostree cleanup -p
echo "ok setup relabel"
# now we have a pending upgrade with a different sepolicy
# let's install some packages before upgrading
vm_build_rpm baz
vm_rpmostree install baz
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/baz bin_t
cursor=$(vm_get_journal_cursor)
vm_rpmostree upgrade
vm_assert_journal_has_content $cursor 'Relabeled 1/1 pkgs, 1 file changed'
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/baz install_exec_t
echo "ok relabel"
Reference in New Issue Copy Permalink