rpm-ostree/tests/vmcheck/test-layering-relabel.sh

#!/bin/bash
#
# Copyright (C) 2017 Red Hat Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.

set -euo pipefail

. ${commondir}/libtest.sh
. ${commondir}/libvm.sh

set -x

# make sure there's nothing yet
vm_assert_status_jq \
  '.deployments[0]["base-checksum"]|not'

# check that pkgs that install sepolicies have their changes take effect
vm_build_selinux_rpm foobar-selinux /usr/bin/foobar install_exec_t
vm_build_rpm foobar requires foobar-selinux
vm_rpmostree install foobar
vm_assert_status_jq \
  '.deployments[0]["base-checksum"]' \
  '.deployments[0]["packages"]|length == 1' \
  '.deployments[0]["packages"]|index("foobar") >= 0'

assert_expected_label() {
    local path=$1; shift
    local expected=system_u:object_r:$1:s0; shift
    local l=$(vm_cmd matchpathcon -n $path)
    assert_streq "$l" "$expected"
}

assert_actual_label() {
    local path=$1; shift
    local expected=system_u:object_r:$1:s0; shift
    local l=$(vm_cmd getfattr -n security.selinux --absolute-names --only-values $path)
    assert_streq "$l" "$expected"
}

# shouldn't have affected our current policy
assert_expected_label /usr/bin/foobar bin_t

# but should have affected the new root
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/foobar install_exec_t
echo "ok layer selinux pkg"

# now let's change the policy
vm_build_selinux_rpm foobar-selinux /usr/bin/foobar shell_exec_t
vm_cmd ostree commit -b vmcheck --tree=ref=vmcheck
vm_rpmostree upgrade
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/foobar shell_exec_t
echo "ok upgrade selinux pkg"

# check that a change in the base layer binary policy causes a relabel
# we do this by just baking in a layered RPM that recompiles the policy
vm_rpmostree cleanup -p
vm_build_selinux_rpm baz-selinux /usr/bin/baz install_exec_t
vm_rpmostree install baz-selinux
se_csum=$(vm_cmd ostree checksum /usr/etc/selinux/targeted/policy/policy.*)
root=$(vm_get_deployment_root 0)
se_new_csum=$(vm_cmd ostree checksum $root/usr/etc/selinux/targeted/policy/policy.*)
assert_not_streq "$se_csum" "$se_new_csum"
csum=$(vm_get_deployment_info 0 checksum)
vm_cmd ostree commit -b vmcheck --tree=ref=$csum
vm_rpmostree cleanup -p
echo "ok setup relabel"

# now we have a pending upgrade with a different sepolicy
# let's install some packages before upgrading
vm_build_rpm baz
vm_rpmostree install baz
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/baz bin_t
cursor=$(vm_get_journal_cursor)
vm_rpmostree upgrade
vm_assert_journal_has_content $cursor 'Relabeled 1/1 pkgs'
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/baz install_exec_t
echo "ok relabel"
vmcheck: add SELinux labeling tests There's a lot of paths in the core related to SELinux policy changes and relabeling packages. We currently have no test coverage for them. We add support in the test libraries here to build such packages. We also add a test that checks both that we correctly relabel RPMs when the policy changes and that we handle layered packages that install SELinux packages properly. Closes: #999 Approved by: cgwalters 2017-09-18 22:11:26 +03:00			`#!/bin/bash`
			`#`
			`# Copyright (C) 2017 Red Hat Inc.`
			`#`
			`# This library is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU Lesser General Public`
			`# License as published by the Free Software Foundation; either`
			`# version 2 of the License, or (at your option) any later version.`
			`#`
			`# This library is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`# Lesser General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU Lesser General Public`
			`# License along with this library; if not, write to the`
			`# Free Software Foundation, Inc., 59 Temple Place - Suite 330,`
			`# Boston, MA 02111-1307, USA.`

			`set -euo pipefail`

			`. ${commondir}/libtest.sh`
			`. ${commondir}/libvm.sh`

			`set -x`

			`# make sure there's nothing yet`
			`vm_assert_status_jq \`
			`'.deployments[0]["base-checksum"]\|not'`

			`# check that pkgs that install sepolicies have their changes take effect`
			`vm_build_selinux_rpm foobar-selinux /usr/bin/foobar install_exec_t`
			`vm_build_rpm foobar requires foobar-selinux`
			`vm_rpmostree install foobar`
			`vm_assert_status_jq \`
			`'.deployments[0]["base-checksum"]' \`
			`'.deployments[0]["packages"]\|length == 1' \`
			`'.deployments[0]["packages"]\|index("foobar") >= 0'`

			`assert_expected_label() {`
			`local path=$1; shift`
			`local expected=system_u:object_r:$1:s0; shift`
			`local l=$(vm_cmd matchpathcon -n $path)`
			`assert_streq "$l" "$expected"`
			`}`

			`assert_actual_label() {`
			`local path=$1; shift`
			`local expected=system_u:object_r:$1:s0; shift`
			`local l=$(vm_cmd getfattr -n security.selinux --absolute-names --only-values $path)`
			`assert_streq "$l" "$expected"`
			`}`

			`# shouldn't have affected our current policy`
			`assert_expected_label /usr/bin/foobar bin_t`

			`# but should have affected the new root`
			`root=$(vm_get_deployment_root 0)`
			`assert_actual_label $root/usr/bin/foobar install_exec_t`
			`echo "ok layer selinux pkg"`

			`# now let's change the policy`
			`vm_build_selinux_rpm foobar-selinux /usr/bin/foobar shell_exec_t`
			`vm_cmd ostree commit -b vmcheck --tree=ref=vmcheck`
			`vm_rpmostree upgrade`
			`root=$(vm_get_deployment_root 0)`
			`assert_actual_label $root/usr/bin/foobar shell_exec_t`
			`echo "ok upgrade selinux pkg"`

			`# check that a change in the base layer binary policy causes a relabel`
			`# we do this by just baking in a layered RPM that recompiles the policy`
			`vm_rpmostree cleanup -p`
			`vm_build_selinux_rpm baz-selinux /usr/bin/baz install_exec_t`
			`vm_rpmostree install baz-selinux`
			`se_csum=$(vm_cmd ostree checksum /usr/etc/selinux/targeted/policy/policy.*)`
			`root=$(vm_get_deployment_root 0)`
			`se_new_csum=$(vm_cmd ostree checksum $root/usr/etc/selinux/targeted/policy/policy.*)`
			`assert_not_streq "$se_csum" "$se_new_csum"`
			`csum=$(vm_get_deployment_info 0 checksum)`
			`vm_cmd ostree commit -b vmcheck --tree=ref=$csum`
			`vm_rpmostree cleanup -p`
			`echo "ok setup relabel"`

			`# now we have a pending upgrade with a different sepolicy`
			`# let's install some packages before upgrading`
			`vm_build_rpm baz`
			`vm_rpmostree install baz`
			`root=$(vm_get_deployment_root 0)`
			`assert_actual_label $root/usr/bin/baz bin_t`
			`cursor=$(vm_get_journal_cursor)`
			`vm_rpmostree upgrade`
core: Change relabeling to use libostree's SELinux support This function is now basically reimplementing all of the intelligence we have in libostree today. It wouldn't have worked before we fixed https://github.com/ostreedev/ostree/issues/1165 but now that's done, conceptually we just need to call `ostree_repo_commit_modifier_set_sepolicy()`. However, I had to drop the "number of files changed" since currently the libostree API doesn't support that. Also, in order to detect the case that content changes at all (so we still have some useful information in the journal), implement a "content hash" check. See also https://github.com/projectatomic/rpm-ostree/pull/1123 (And note we don't use `DEVINO_CANONICAL` here) Closes: #1138 Approved by: jlebon 2017-12-08 14:05:00 +03:00			`vm_assert_journal_has_content $cursor 'Relabeled 1/1 pkgs'`
vmcheck: add SELinux labeling tests There's a lot of paths in the core related to SELinux policy changes and relabeling packages. We currently have no test coverage for them. We add support in the test libraries here to build such packages. We also add a test that checks both that we correctly relabel RPMs when the policy changes and that we handle layered packages that install SELinux packages properly. Closes: #999 Approved by: cgwalters 2017-09-18 22:11:26 +03:00			`root=$(vm_get_deployment_root 0)`
			`assert_actual_label $root/usr/bin/baz install_exec_t`
			`echo "ok relabel"`