rpm-ostree/tests/vmcheck/test-layering-relabel.sh
Colin Walters 7c99809a71 core: Change relabeling to use libostree's SELinux support
This function is now basically reimplementing all of the intelligence
we have in libostree today.  It wouldn't have worked before we
fixed https://github.com/ostreedev/ostree/issues/1165 but now
that's done, conceptually we just need to call
`ostree_repo_commit_modifier_set_sepolicy()`.  However, I had
to drop the "number of files changed" since currently the libostree
API doesn't support that.

Also, in order to detect the case that content changes at all (so
we still have some useful information in the journal), implement
a "content hash" check.

See also https://github.com/projectatomic/rpm-ostree/pull/1123
(And note we *don't* use `DEVINO_CANONICAL` here)

Closes: #1138
Approved by: jlebon
2017-12-08 15:01:32 +00:00


#!/bin/bash
#
# Copyright (C) 2017 Red Hat Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
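set -euo pipefail
# Shared vmcheck helpers: the assert_* and vm_* functions used below come
# from these two files.  Quoted so an unusual ${commondir} cannot be split
# or glob-expanded (set -u already rejects an unset one).
. "${commondir}/libtest.sh"
. "${commondir}/libvm.sh"
set -x

# Precondition: the booted deployment has no layered packages yet, so every
# label observed later is attributable to this test's own layering.
vm_assert_status_jq \
  '.deployments[0]["base-checksum"]|not'

# A package that ships its own SELinux policy module (here, presumably one
# mapping /usr/bin/foobar to install_exec_t) must have that policy applied
# when the layered tree is labeled.  The payload package depends on the
# policy package so a single install pulls both in.
vm_build_selinux_rpm foobar-selinux /usr/bin/foobar install_exec_t
vm_build_rpm foobar requires foobar-selinux
vm_rpmostree install foobar
vm_assert_status_jq \
  '.deployments[0]["base-checksum"]' \
  '.deployments[0]["packages"]|length == 1' \
  '.deployments[0]["packages"]|index("foobar") >= 0'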
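# Assert that the policy loaded on the *booted* VM would assign SELinux type
# $2 to path $1.  This queries matchpathcon (file_contexts of the running
# policy), not the label actually stored on disk — use assert_actual_label
# for that.  The comparison is against the full context
# system_u:object_r:<type>:s0, so a wrong user/role/level also fails.
#   $1 - absolute path to look up inside the VM
#   $2 - expected SELinux type (e.g. bin_t)
# Fails the test via assert_streq on mismatch; returns non-zero if the
# lookup itself could not be performed.
assert_expected_label() {
  local path=$1
  local expected=system_u:object_r:$2:s0
  local actual
  # Keep the command substitution out of the `local` declaration: `local`
  # would otherwise mask a failing vm_cmd/matchpathcon and we would compare
  # an empty string instead of reporting the real error (SC2155).
  actual=$(vm_cmd matchpathcon -n "$path") || return 1
  assert_streq "$actual" "$expected"
}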
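# Assert that the SELinux context actually stored on disk for $1 (the
# security.selinux xattr, read with getfattr inside the VM) is
# system_u:object_r:$2:s0.  Unlike assert_expected_label this does not
# consult the running policy, so it is the right check for files in a
# deployment that is not booted yet.
#   $1 - absolute path inside the VM (typically under a deployment root)
#   $2 - expected SELinux type (e.g. install_exec_t)
# Fails the test via assert_streq on mismatch; returns non-zero if the
# xattr could not be read.
assert_actual_label() {
  local path=$1
  local expected=system_u:object_r:$2:s0
  local actual
  # Split declaration and assignment so a getfattr/vm_cmd failure is not
  # hidden behind `local`'s own exit status (SC2155).
  actual=$(vm_cmd getfattr -n security.selinux --absolute-names --only-values "$path") || return 1
  assert_streq "$actual" "$expected"
}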
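# The running (booted) policy must be untouched: matchpathcon consults the
# policy loaded on the host, which must still label foobar as plain bin_t.
assert_expected_label /usr/bin/foobar bin_t
# ...but files in the new deployment were labeled under the layered policy,
# as seen in their on-disk security.selinux xattr.
root=$(vm_get_deployment_root 0)
assert_actual_label "$root/usr/bin/foobar" install_exec_t
echo "ok layer selinux pkg"

# Rebuild the policy package so the same path now maps to shell_exec_t.  A
# fresh commit of the same tree to the vmcheck ref gives the upgrade
# something to pull; the layered content must then be re-labeled under the
# changed policy.
vm_build_selinux_rpm foobar-selinux /usr/bin/foobar shell_exec_t
vm_cmd ostree commit -b vmcheck --tree=ref=vmcheck
vm_rpmostree upgrade
root=$(vm_get_deployment_root 0)
assert_actual_label "$root/usr/bin/foobar" shell_exec_t
echo "ok upgrade selinux pkg"

# Now check that a change in the *base* layer's binary policy forces a
# relabel of already-layered packages.  Set-up: bake a layered RPM that
# recompiles the policy into what will become the new base commit.
vm_rpmostree cleanup -p
vm_build_selinux_rpm baz-selinux /usr/bin/baz install_exec_t
vm_rpmostree install baz-selinux
# Sanity check that the pending deployment really carries a different
# compiled policy than the booted one.  NOTE(review): the policy.* glob is
# deliberately left unquoted as in the original; whether it is expanded on
# the test host or inside the VM depends on how vm_cmd forwards its
# arguments — confirm against libvm.sh before changing it.
se_csum=$(vm_cmd ostree checksum /usr/etc/selinux/targeted/policy/policy.*)
root=$(vm_get_deployment_root 0)
se_new_csum=$(vm_cmd ostree checksum $root/usr/etc/selinux/targeted/policy/policy.*)
assert_not_streq "$se_csum" "$se_new_csum"
# Promote the pending deployment's tree to the vmcheck ref so the next
# upgrade pulls a base with the new policy, then drop the pending deployment.
csum=$(vm_get_deployment_info 0 checksum)
vm_cmd ostree commit -b vmcheck --tree=ref="$csum"
vm_rpmostree cleanup -p
echo "ok setup relabel"

# With that upgrade pending, layer a package that ships no policy of its
# own: under the booted policy /usr/bin/baz is just bin_t...
vm_build_rpm baz
vm_rpmostree install baz
root=$(vm_get_deployment_root 0)
assert_actual_label "$root/usr/bin/baz" bin_t
# ...and the upgrade must re-label it under the new base policy, recording
# the relabel in the journal (the message carries a per-package count only;
# the per-file count was dropped, see the commit message).
cursor=$(vm_get_journal_cursor)
vm_rpmostree upgrade
vm_assert_journal_has_content "$cursor" 'Relabeled 1/1 pkgs'
root=$(vm_get_deployment_root 0)
assert_actual_label "$root/usr/bin/baz" install_exec_t
echo "ok relabel"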