vmcheck: add SELinux labeling tests

There's a lot of paths in the core related to SELinux policy changes and
relabeling packages. We currently have no test coverage for them. We add
support in the test libraries here to build such packages.

We also add a test that checks both that we correctly relabel RPMs when
the policy changes and that we handle layered packages that install
SELinux packages properly.

Closes: #999
Approved by: cgwalters
This commit is contained in:
Jonathan Lebon 2017-09-18 19:11:26 +00:00 committed by Atomic Bot
parent 4ad5747b96
commit a9c38d33b8
5 changed files with 145 additions and 2 deletions

View File

@ -21,7 +21,8 @@ pkg_upgrade
pkg_install_builddeps rpm-ostree
# Mostly dependencies for tests
pkg_install ostree{,-devel,-grub2} createrepo_c /usr/bin/jq PyYAML clang \
libubsan libasan libtsan elfutils fuse sudo python-gobject-base
libubsan libasan libtsan elfutils fuse sudo python-gobject-base \
selinux-policy-devel
# For ex-container tests
pkg_install_if_os fedora parallel

View File

@ -2346,7 +2346,8 @@ rpmostree_context_relabel (RpmOstreeContext *self,
rpmostree_output_percent_progress_end ();
sd_journal_send ("MESSAGE_ID=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(RPMOSTREE_MESSAGE_SELINUX_RELABEL),
"MESSAGE=Relabeled %u/%u pkgs, %u files changed", n_changed_pkgs, n_to_relabel, n_changed_files,
"MESSAGE=Relabeled %u/%u pkgs, %u file%s changed", n_changed_pkgs,
n_to_relabel, n_changed_files, _NS(n_changed_files),
"RELABELED_PKGS=%u/%u", n_changed_pkgs, n_to_relabel,
"RELABELED_N_CHANGED_FILES=%u", n_changed_files,
NULL);

View File

@ -488,3 +488,44 @@ baseurl=file:///$PWD/yumrepo
EOF
fi
}
# build an SELinux package ready to be installed -- really, we just support file
# context entries for now, though it's enough to test policy changes
# $1 - package name
# $2+ - pairs of file path regex and context types
build_selinux_rpm() {
local name=$1; shift
local module_dir=$test_tmpdir/policies/$name
mkdir -p $module_dir
local module_te=$module_dir/$name.te
local module_fc=$module_dir/$name.fc
# also declare a type associated with the app; any non-trivial SELinux
# package will have some type enforcement rules that will require policy
# recompilation
cat > $module_te <<EOF
policy_module(${name}, 1.0.0)
type ${name}_t;
EOF
echo -n "" > $module_fc
while [ $# -ne 0 ]; do
local fc_regex=$1; shift
local fc_type=$1; shift
local fc_label="gen_context(system_u:object_r:$fc_type,s0)"
echo "$fc_regex -- $fc_label" >> $module_fc
done
make -C $module_dir -f /usr/share/selinux/devel/Makefile $name.pp
# We point the spec file directly at our pp. This is a bit underhanded, but
# it's cleaner than copying it in and using e.g. Source0 or something.
local pp=$(realpath $module_dir/$name.pp)
local install_dir=/usr/share/selinux/packages
build_rpm $name install "mkdir -p %{buildroot}${install_dir}
install ${pp} %{buildroot}${install_dir}" \
post "semodule -n -i ${install_dir}/${name}.pp" \
files "${install_dir}/${name}.pp"
}

View File

@ -336,6 +336,11 @@ vm_build_rpm() {
vm_send_test_repo 0 # XXX use rsync
}
vm_build_selinux_rpm() {
build_selinux_rpm "$@"
vm_send_test_repo 0 # XXX use rsync
}
vm_get_journal_cursor() {
vm_cmd journalctl -o json -n 1 | jq -r '.["__CURSOR"]'
}

View File

@ -0,0 +1,95 @@
#!/bin/bash
#
# Copyright (C) 2017 Red Hat Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
set -euo pipefail
. ${commondir}/libtest.sh
. ${commondir}/libvm.sh
set -x
# make sure there's nothing yet
vm_assert_status_jq \
'.deployments[0]["base-checksum"]|not'
# check that pkgs that install sepolicies have their changes take effect
vm_build_selinux_rpm foobar-selinux /usr/bin/foobar install_exec_t
vm_build_rpm foobar requires foobar-selinux
vm_rpmostree install foobar
vm_assert_status_jq \
'.deployments[0]["base-checksum"]' \
'.deployments[0]["packages"]|length == 1' \
'.deployments[0]["packages"]|index("foobar") >= 0'
assert_expected_label() {
local path=$1; shift
local expected=system_u:object_r:$1:s0; shift
local l=$(vm_cmd matchpathcon -n $path)
assert_streq "$l" "$expected"
}
assert_actual_label() {
local path=$1; shift
local expected=system_u:object_r:$1:s0; shift
local l=$(vm_cmd getfattr -n security.selinux --absolute-names --only-values $path)
assert_streq "$l" "$expected"
}
# shouldn't have affected our current policy
assert_expected_label /usr/bin/foobar bin_t
# but should have affected the new root
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/foobar install_exec_t
echo "ok layer selinux pkg"
# now let's change the policy
vm_build_selinux_rpm foobar-selinux /usr/bin/foobar shell_exec_t
vm_cmd ostree commit -b vmcheck --tree=ref=vmcheck
vm_rpmostree upgrade
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/foobar shell_exec_t
echo "ok upgrade selinux pkg"
# check that a change in the base layer binary policy causes a relabel
# we do this by just baking in a layered RPM that recompiles the policy
vm_rpmostree cleanup -p
vm_build_selinux_rpm baz-selinux /usr/bin/baz install_exec_t
vm_rpmostree install baz-selinux
se_csum=$(vm_cmd ostree checksum /usr/etc/selinux/targeted/policy/policy.*)
root=$(vm_get_deployment_root 0)
se_new_csum=$(vm_cmd ostree checksum $root/usr/etc/selinux/targeted/policy/policy.*)
assert_not_streq "$se_csum" "$se_new_csum"
csum=$(vm_get_deployment_info 0 checksum)
vm_cmd ostree commit -b vmcheck --tree=ref=$csum
vm_rpmostree cleanup -p
echo "ok setup relabel"
# now we have a pending upgrade with a different sepolicy
# let's install some packages before upgrading
vm_build_rpm baz
vm_rpmostree install baz
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/baz bin_t
cursor=$(vm_get_journal_cursor)
vm_rpmostree upgrade
vm_assert_journal_has_content $cursor 'Relabeled 1/1 pkgs, 1 file changed'
root=$(vm_get_deployment_root 0)
assert_actual_label $root/usr/bin/baz install_exec_t
echo "ok relabel"