systemd/test/TEST-06-SELINUX/test.sh

#!/usr/bin/env bash
set -e

TEST_DESCRIPTION="SELinux tests"
IMAGE_NAME="selinux"
TEST_NO_NSPAWN=1

# Requirements:
# Fedora 23
# selinux-policy-targeted
# selinux-policy-devel

# Check if selinux-policy-devel is installed, and if it isn't bail out early instead of failing
test -f /usr/share/selinux/devel/include/system/systemd.if || exit 0

# shellcheck source=test/test-functions
. "${TEST_BASE_DIR:?}/test-functions"

SETUP_SELINUX=yes
KERNEL_APPEND="${KERNEL_APPEND:=} selinux=1 security=selinux"

test_append_files() {
    (
        local workspace="${1:?}"
        local policy_headers_dir=/usr/share/selinux/devel
        local modules_dir=/var/lib/selinux

        setup_selinux
        # Make sure we never expand this to "/..."
        rm -rf "${workspace:?}/$modules_dir"

        if ! cp -ar "$modules_dir" "$workspace/$modules_dir"; then
            dfatal "Failed to copy $modules_dir"
            exit 1
        fi

        rm -rf "${workspace:?}/$policy_headers_dir"
        inst_dir /usr/share/selinux

        if ! cp -ar "$policy_headers_dir" "$workspace/$policy_headers_dir"; then
            dfatal "Failed to copy $policy_headers_dir"
            exit 1
        fi

        mkdir "$workspace/systemd-test-module"
        cp systemd_test.te "$workspace/systemd-test-module"
        cp systemd_test.if "$workspace/systemd-test-module"
        cp systemd_test.fc "$workspace/systemd-test-module"
        dracut_install -o sesearch
        dracut_install runcon
        dracut_install checkmodule semodule semodule_package m4 make load_policy sefcontext_compile
        dracut_install -o /usr/libexec/selinux/hll/pp # Fedora/RHEL/...
        dracut_install -o /usr/lib/selinux/hll/pp     # Debian/Ubuntu/...
    )
}

do_test "$@"
treewide: more portable bash shebangs As in 2a5fcfae024ffc370bb780572279f45a1da3f946 and in 3e67e5c9928f8b1e1c5a63def88d53ed1fed12eb using /usr/bin/env allows bash to be looked up in PATH rather than being hard-coded. As with the previous changes the same arguments apply - distributions have scripts to rewrite shebangs on installation and they know what locations to rely on. - For tests/compilation we should rather rely on the user to have setup there PATH correctly. In particular this makes testing from git easier on NixOS where do not provide /bin/bash to improve compose-ability. 2020-03-04 12:35:06 +03:00			`#!/usr/bin/env bash`
test: Run qemu/nspawn tests with "set -e" This catches errors like "ninja not found", missing programs etc. early, instead of silently ignoring them and trying to boot a broken VM. In install_config_files(), allow some distro specific files to be absent (such as /etc/sysconfig/init). 2017-08-07 22:09:21 +03:00			`set -e`
test: make the test entrypoint scripts shellcheck-compliant 2021-04-19 14:01:59 +03:00
tests: add test-selinux-checks 2016-01-31 12:01:43 +03:00			`TEST_DESCRIPTION="SELinux tests"`
test: rework how images are created Before, we'd create a separate image for each test, in /var/tmp/systemd-test.XXXXX/rootdisk.img. Most of the images where very similar, except that each one had some unit files installed specifically for the test. The installation of those custom unit files was removed in previous commits (all the unit files are always installed). The new approach is to only create as few distinct images as possible. We have: default.img: the "normal" image suitable for almost all the tests basic.img: the same as default image but doesn't mask any services cryptsetup.img: p2 is used for encrypted /var badid.img: /etc/machine-id is overwritten with stuff selinux.img: with selinux added for fun and fun and a few others: ls -l build/test/*img lrwxrwxrwx 1 root root 38 Mar 21 21:23 build/test/badid.img -> /var/tmp/systemd-test.PJFFeo/badid.img lrwxrwxrwx 1 root root 38 Mar 21 21:17 build/test/basic.img -> /var/tmp/systemd-test.na0xOI/basic.img lrwxrwxrwx 1 root root 43 Mar 21 21:18 build/test/cryptsetup.img -> /var/tmp/systemd-test.Tzjv06/cryptsetup.img lrwxrwxrwx 1 root root 40 Mar 21 21:19 build/test/default.img -> /var/tmp/systemd-test.EscAsS/default.img lrwxrwxrwx 1 root root 39 Mar 21 21:22 build/test/nspawn.img -> /var/tmp/systemd-test.HSebKo/nspawn.img lrwxrwxrwx 1 root root 40 Mar 21 21:20 build/test/selinux.img -> /var/tmp/systemd-test.daBjbx/selinux.img lrwxrwxrwx 1 root root 39 Mar 21 21:21 build/test/test08.img -> /var/tmp/systemd-test.OgnN8Z/test08.img I considered trying to use the same image everywhere. It would probably be possible, but it would be very brittle. By using separate images where it is necessary we keep various orthogonal modifications independent. The way that images are cached is complicated by the fact that we still want to keep them in /var/tmp. Thus, an image is created on first use and linked to from build/test/ so it can be found by other tests. Tests cannot be run in parallel. I think that is an acceptable limitation. Creation of the images was probably taking more resources then the actual tests, so we should be better off anyway. 2019-12-12 11:37:19 +03:00			`IMAGE_NAME="selinux"`
test: Factorize common integration test functions (#6540) All test/TEST* but TEST-02-CRYPTSETUP share the same check_result_qemu() and test_cleanup(), so move them into test_functions and only override them in TEST-02-CRYPTSETUP. Also provide a common test_run() which by default assumes that both QEMU and nspawn tests are run. Particular tests which don't support either need to explicitly opt out by setting $TEST_NO_{QEMU,NSPAWN}. Do it this way around to avoid accidentally forgetting to opt in, and to encourage test authors to at least always support nspawn. 2017-08-04 15:34:14 +03:00			`TEST_NO_NSPAWN=1`
tests: add test-selinux-checks 2016-01-31 12:01:43 +03:00
			`# Requirements:`
			`# Fedora 23`
			`# selinux-policy-targeted`
			`# selinux-policy-devel`

test: bypass selinux integration test if selinux policy devel package is not installed With this "sudo ./run-integration-tests.sh" should work fully without exception, even on systems lacking SELinux (in which case that test will just be skipped) 2018-03-23 11:48:15 +03:00			`# Check if selinux-policy-devel is installed, and if it isn't bail out early instead of failing`
tests: tighten check for TEST-06-SELINUX dependencies a bit As it turns out /usr/share/selinux/devel/ is now included in more RPMs than just selinux-policy-devel (specifically container-selinux, which is pulled in by various container related RPMs). Let's hence tighten the dependency check a bit and look for systemd's .if file, which is what we actually care about. 2018-06-05 22:27:01 +03:00			`test -f /usr/share/selinux/devel/include/system/systemd.if \|\| exit 0`
test: bypass selinux integration test if selinux policy devel package is not installed With this "sudo ./run-integration-tests.sh" should work fully without exception, even on systems lacking SELinux (in which case that test will just be skipped) 2018-03-23 11:48:15 +03:00
test: make the test entrypoint scripts shellcheck-compliant 2021-04-19 14:01:59 +03:00			`# shellcheck source=test/test-functions`
			`. "${TEST_BASE_DIR:?}/test-functions"`

tests: add test-selinux-checks 2016-01-31 12:01:43 +03:00			`SETUP_SELINUX=yes`
test: make the test entrypoint scripts shellcheck-compliant 2021-04-19 14:01:59 +03:00			`KERNEL_APPEND="${KERNEL_APPEND:=} selinux=1 security=selinux"`
tests: add test-selinux-checks 2016-01-31 12:01:43 +03:00
tests: build the image once and then copy/extend it Building custom images for each test takes a lot of time. Build the default one, and if the test needs incompatible changes just copy it and extend it instead. 2021-01-07 00:42:28 +03:00			`test_append_files() {`
tests: add test-selinux-checks 2016-01-31 12:01:43 +03:00			`(`
test: make the test entrypoint scripts shellcheck-compliant 2021-04-19 14:01:59 +03:00			`local workspace="${1:?}"`
			`local policy_headers_dir=/usr/share/selinux/devel`
			`local modules_dir=/var/lib/selinux`

tests: build the image once and then copy/extend it Building custom images for each test takes a lot of time. Build the default one, and if the test needs incompatible changes just copy it and extend it instead. 2021-01-07 00:42:28 +03:00			`setup_selinux`
test: make the test entrypoint scripts shellcheck-compliant 2021-04-19 14:01:59 +03:00			`# Make sure we never expand this to "/..."`
			`rm -rf "${workspace:?}/$modules_dir"`

			`if ! cp -ar "$modules_dir" "$workspace/$modules_dir"; then`
			`dfatal "Failed to copy $modules_dir"`
tests: add test-selinux-checks 2016-01-31 12:01:43 +03:00			`exit 1`
			`fi`

test: make the test entrypoint scripts shellcheck-compliant 2021-04-19 14:01:59 +03:00			`rm -rf "${workspace:?}/$policy_headers_dir"`
tests: add test-selinux-checks 2016-01-31 12:01:43 +03:00			`inst_dir /usr/share/selinux`
test: make the test entrypoint scripts shellcheck-compliant 2021-04-19 14:01:59 +03:00
			`if ! cp -ar "$policy_headers_dir" "$workspace/$policy_headers_dir"; then`
			`dfatal "Failed to copy $policy_headers_dir"`
tests: add test-selinux-checks 2016-01-31 12:01:43 +03:00			`exit 1`
			`fi`

test: make the test entrypoint scripts shellcheck-compliant 2021-04-19 14:01:59 +03:00			`mkdir "$workspace/systemd-test-module"`
			`cp systemd_test.te "$workspace/systemd-test-module"`
			`cp systemd_test.if "$workspace/systemd-test-module"`
			`cp systemd_test.fc "$workspace/systemd-test-module"`
tests: add test-selinux-checks 2016-01-31 12:01:43 +03:00			`dracut_install -o sesearch`
			`dracut_install runcon`
test: reintroduce m4 dependency for TEST-06-SELINUX m4 is required to build the test SELinux module: ``` [ 31.321789] sh[483]: /bin/sh: line 1: m4: command not found [ 31.882668] sh[488]: Compiling targeted systemd_test module [ 32.120862] sh[492]: /bin/sh: line 1: m4: command not found [ 32.159897] sh[458]: make: *** [/usr/share/selinux/devel/include/Makefile:156: tmp/systemd_test.mod] Error 127 ``` 2021-05-19 11:49:56 +03:00			`dracut_install checkmodule semodule semodule_package m4 make load_policy sefcontext_compile`
TEST-06-*: also try the installation path for Debian https://salsa.debian.org/systemd-team/systemd/-/blob/debian/master/debian/tests/upstream used sed to adjust the path. I think it's better to make our script more flexible. 2020-03-31 14:19:13 +03:00			`dracut_install -o /usr/libexec/selinux/hll/pp # Fedora/RHEL/...`
			`dracut_install -o /usr/lib/selinux/hll/pp # Debian/Ubuntu/...`
test: drop \|\| return 1 expression which is incompatible with set -e The `set -e` option is incompatible with a subshell/compound command, which is followed by \|\| <EXPR>. In such case, the -e option is ignored in all affected subshells/functions (see man bash(1) for command `set`). 2019-07-08 22:11:32 +03:00			`)`
tests: add test-selinux-checks 2016-01-31 12:01:43 +03:00			`}`

test: "detect" the test number automagically Specifying the test number manually is tedious and prone to errors (as recently proven). Since we have all the necessary data to work out the test number, let's do it automagically. 2021-04-26 20:20:18 +03:00			`do_test "$@"`