Commit 71aab408 authored by Daniel P. Berrange's avatar Daniel P. Berrange

Add test cases for SELinux svirt driver

This adds test cases for the various modes of operation of
the SELinux svirt driver

* lib/Sys/Virt/TCK/DomainBuilder.pm, t/070-domain-builder.t: Allow
  <seclabel> to be configured
* scripts/selinux/*.t: New SElinux test cases
parent c0d5d5cf
......@@ -46,7 +46,8 @@ sub new {
consoles => [],
inputs => [],
graphics => [],
hostdevs => []
hostdevs => [],
seclabel => {},
};
bless $self, $class;
......@@ -307,6 +308,19 @@ sub filesystem {
return $self;
}
sub seclabel {
my $self = shift;
my %params = @_;
die "model parameter is required" unless $params{model};
die "type parameter is required" unless $params{type};
die "relabel parameter is required" unless $params{relabel};
$self->{seclabel} = \%params;
return $self;
}
sub as_xml {
my $self = shift;
......@@ -453,6 +467,22 @@ sub as_xml {
}
$w->emptyTag("console", type => "pty");
$w->endTag("devices");
if ($self->{seclabel}->{model}) {
$w->startTag("seclabel",
model => $self->{seclabel}->{model},
type => $self->{seclabel}->{type},
relabel => $self->{seclabel}->{relabel});
if ($self->{seclabel}->{label}) {
$w->dataElement("label", $self->{seclabel}->{label});
}
if ($self->{seclabel}->{imagelabel}) {
$w->dataElement("imagelabel", $self->{seclabel}->{imagelabel});
}
if ($self->{seclabel}->{baselabel}) {
$w->dataElement("baselabel", $self->{seclabel}->{baselabel});
}
$w->endTag("seclabel");
}
$w->endTag("domain");
return $data;
......
#
# Copyright (C) 2011 Red Hat, Inc.
#
# This program is free software; You can redistribute it and/or modify
# it under the GNU General Public License as published by the Free
# Software Foundation; either version 2, or (at your option) any
# later version
#
# The file "LICENSE" distributed along with this file provides full
# details of the terms and conditions
#
package Sys::Virt::TCK::SELinux;
use strict;
use warnings;
use base qw(Exporter);
use vars qw($SELINUX_GENERIC_CONTEXT $SELINUX_DOMAIN_CONTEXT
$SELINUX_IMAGE_CONTEXT $SELINUX_OTHER_CONTEXT);
our @EXPORT = qw(selinux_get_file_context
selinux_set_file_context
selinux_restore_file_context
$SELINUX_GENERIC_CONTEXT $SELINUX_DOMAIN_CONTEXT
$SELINUX_IMAGE_CONTEXT $SELINUX_OTHER_CONTEXT);
$SELINUX_OTHER_CONTEXT = "system_u:object_r:virt_t:s0";
$SELINUX_GENERIC_CONTEXT = "system_u:object_r:virt_image_t:s0";
$SELINUX_DOMAIN_CONTEXT = "system_u:system_r:svirt_t:s0";
$SELINUX_IMAGE_CONTEXT = "system_u:object_r:svirt_image_t:s0";
sub selinux_get_file_context {
my $path = shift;
my @attr = split /\n/, `getfattr -n security.selinux $path 2>/dev/null`;
foreach (@attr) {
if (/security.selinux=\"(.*)\"/) {
return $1;
}
}
return undef;
}
sub selinux_set_file_context {
my $path = shift;
my $ctx = shift;
system "chcon $ctx $path";
}
sub selinux_restore_file_context {
my $path = shift;
system "restorecon -F $path";
return selinux_get_file_context($path);
}
# -*- perl -*-
#
# Copyright (C) 2009 Red Hat, Inc.
# Copyright (C) 2009 Daniel P. Berrange
#
# This program is free software; You can redistribute it and/or modify
# it under the GNU General Public License as published by the Free
# Software Foundation; either version 2, or (at your option) any
# later version
#
# The file "LICENSE" distributed along with this file provides full
# details of the terms and conditions
#
=pod
=head1 NAME
domain/050-dynamic-relabel-yes.t - Dynamic label generation with relabelling
=head1 DESCRIPTION
The test case validates that dynamic label generation works,
together with relabelling of resources.
=cut
use strict;
use warnings;
use Test::More tests => 6;
use Sys::Virt::TCK;
use Sys::Virt::TCK::SELinux;
my $tck = Sys::Virt::TCK->new();
my $conn = eval { $tck->setup(); };
BAIL_OUT "failed to setup test harness: $@" if $@;
END { $tck->cleanup if $tck; }
my $info;
eval {
$info = $conn->get_node_security_model();
};
SELINUX: {
skip "Only relevant to SELinux hosts", 6 unless $info && $info->{model} eq "selinux";
my $disk = $tck->create_sparse_disk("selinux", "tck", 50);
my $origlabel = selinux_restore_file_context($disk);
diag "Original $origlabel";
my $xml = $tck->generic_domain("tck")
->seclabel(model => "selinux", type => "dynamic", relabel => "yes")
->disk(src => $disk, dst => "vdb", type => "file")
->as_xml;
diag "Creating a new transient domain";
my $dom;
ok_domain(sub { $dom = $conn->create_domain($xml) }, "created transient domain object");
my $domainlabel = xpath($dom, "string(/domain/seclabel/label)");
diag "domainlabel $domainlabel";
my $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
diag "imagelabel $imagelabel";
is(index($domainlabel, $SELINUX_DOMAIN_CONTEXT), 0, "dynamic domain label prefix is $SELINUX_DOMAIN_CONTEXT");
is(index($imagelabel, $SELINUX_IMAGE_CONTEXT), 0, "dynamic image label prefix is $SELINUX_IMAGE_CONTEXT");
my $domainmcs = substr $domainlabel, length($SELINUX_DOMAIN_CONTEXT);
my $imagemcs = substr $imagelabel, length($SELINUX_IMAGE_CONTEXT);
is($domainmcs, $imagemcs, "Domain MCS $domainmcs == Image MCS $imagemcs");
is(selinux_get_file_context($disk), $imagelabel, "$disk label is $imagelabel");
diag "Destroying the transient domain";
$dom->destroy;
is(selinux_get_file_context($disk), $origlabel, "$disk label is $origlabel");
}
# end
# -*- perl -*-
#
# Copyright (C) 2009 Red Hat, Inc.
# Copyright (C) 2009 Daniel P. Berrange
#
# This program is free software; You can redistribute it and/or modify
# it under the GNU General Public License as published by the Free
# Software Foundation; either version 2, or (at your option) any
# later version
#
# The file "LICENSE" distributed along with this file provides full
# details of the terms and conditions
#
=pod
=head1 NAME
domain/055-dynamic-base-label.t - Hybrid label generation with relabelling
=head1 DESCRIPTION
The test case validates that hybrid label generation works,
together with flat relabelling of resources.
=cut
use strict;
use warnings;
use Test::More tests => 10;
use Test::Exception;
use Sys::Virt::TCK;
use Sys::Virt::TCK::SELinux;
my $tck = Sys::Virt::TCK->new();
my $conn = eval { $tck->setup(); };
BAIL_OUT "failed to setup test harness: $@" if $@;
END { $tck->cleanup if $tck; }
my $info;
eval {
$info = $conn->get_node_security_model();
};
SELINUX: {
skip "Only relevant to SELinux hosts", 10 unless $info && $info->{model} eq "selinux";
my $disk = $tck->create_sparse_disk("selinux", "tck", 50);
my $origlabel = selinux_restore_file_context($disk);
my $xml = $tck->generic_domain("tck")
->seclabel(model => "selinux", type => "dynamic", relabel => "yes", baselabel => $SELINUX_OTHER_CONTEXT)
->disk(src => $disk, dst => "vdb", type => "file")
->as_xml;
diag "Creating a new transient domain";
my $dom = $conn->define_domain($xml);
lives_ok(sub { $dom->create() }, "started persistent domain object");
my $domainlabel = xpath($dom, "string(/domain/seclabel/label)");
diag "domainlabel $domainlabel";
my $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
diag "imagelabel $imagelabel";
is(index($domainlabel, $SELINUX_OTHER_CONTEXT), 0, "dynamic domain label prefix is $SELINUX_OTHER_CONTEXT");
is(index($imagelabel, $SELINUX_IMAGE_CONTEXT), 0, "dynamic image label prefix is $SELINUX_IMAGE_CONTEXT");
my $domainmcs = substr $domainlabel, length($SELINUX_OTHER_CONTEXT);
my $imagemcs = substr $imagelabel, length($SELINUX_IMAGE_CONTEXT);
is($domainmcs, $imagemcs, "Domain MCS $domainmcs == Image MCS $imagemcs");
is(selinux_get_file_context($disk), $imagelabel, "$disk label is $imagelabel");
diag "Destroying the transient domain";
$dom->destroy;
my $model = xpath($dom, 'string(/domain/seclabel/@model)');
is ($model, "selinux", "model is still defined");
$domainlabel = xpath($dom, "string(/domain/seclabel/label)");
diag "domainlabel $domainlabel";
$imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
diag "imagelabel $imagelabel";
my $baselabel = xpath($dom, "string(/domain/seclabel/baselabel)");
diag "baselabel $baselabel";
is ($domainlabel, "", "domainlabel is cleared");
is ($imagelabel, "", "imagelabel is cleared");
is ($baselabel, $SELINUX_OTHER_CONTEXT, "baselabel is $SELINUX_OTHER_CONTEXT");
is(selinux_get_file_context($disk), $origlabel, "$disk label is $origlabel");
}
# end
# -*- perl -*-
#
# Copyright (C) 2009 Red Hat, Inc.
# Copyright (C) 2009 Daniel P. Berrange
#
# This program is free software; You can redistribute it and/or modify
# it under the GNU General Public License as published by the Free
# Software Foundation; either version 2, or (at your option) any
# later version
#
# The file "LICENSE" distributed along with this file provides full
# details of the terms and conditions
#
=pod
=head1 NAME
domain/100-static-relabel-no.t - Static label generation with no relabelling
=head1 DESCRIPTION
The test case validates that static labels are honoured
=cut
use strict;
use warnings;
use Test::More tests => 6;
use Sys::Virt::TCK;
use Sys::Virt::TCK::SELinux;
my $tck = Sys::Virt::TCK->new();
my $conn = eval { $tck->setup(); };
BAIL_OUT "failed to setup test harness: $@" if $@;
END { $tck->cleanup if $tck; }
my $info;
eval {
$info = $conn->get_node_security_model();
};
SELINUX: {
skip "Only relevant to SELinux hosts", 6 unless $info && $info->{model} eq "selinux";
my $disk = $tck->create_sparse_disk("selinux", "tck", 50);
my $origmcs = ":c1,c2";
my $origdomainlabel = $SELINUX_DOMAIN_CONTEXT . $origmcs;
my $origimagelabel = $SELINUX_IMAGE_CONTEXT . $origmcs;
selinux_set_file_context($disk, $origimagelabel);
my $xml = $tck->generic_domain("tck")
->seclabel(model => "selinux", type => "static", relabel => "no", label => $origdomainlabel)
->disk(src => $disk, dst => "vdb", type => "file")
->as_xml;
diag "Creating a new transient domain";
my $dom;
ok_domain(sub { $dom = $conn->create_domain($xml) }, "created transient domain object");
my $domainlabel = xpath($dom, "string(/domain/seclabel/label)");
diag "domainlabel $domainlabel";
my $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
diag "imagelabel $imagelabel";
is($origdomainlabel, $domainlabel, "static label is $domainlabel");
is($imagelabel, "", "image label is empty");
my $domainmcs = substr $domainlabel, length($SELINUX_DOMAIN_CONTEXT);
is($domainmcs, $origmcs, "Domain MCS $domainmcs == Original MCS $origmcs");
is(selinux_get_file_context($disk), $origimagelabel, "$disk label is $origimagelabel");
diag "Destroying the transient domain";
$dom->destroy;
is(selinux_get_file_context($disk), $origimagelabel, "$disk label is $origimagelabel");
}
# end
# -*- perl -*-
#
# Copyright (C) 2009 Red Hat, Inc.
# Copyright (C) 2009 Daniel P. Berrange
#
# This program is free software; You can redistribute it and/or modify
# it under the GNU General Public License as published by the Free
# Software Foundation; either version 2, or (at your option) any
# later version
#
# The file "LICENSE" distributed along with this file provides full
# details of the terms and conditions
#
=pod
=head1 NAME
domain/101-static-relabel-fail.t - Static label generation failed startup
=head1 DESCRIPTION
The test case validates that static labels are honoured
and that if the image label is wrong, the VM fails to
start
=cut
use strict;
use warnings;
use Test::More tests => 2;
use Sys::Virt::TCK;
use Sys::Virt::TCK::SELinux;
my $tck = Sys::Virt::TCK->new();
my $conn = eval { $tck->setup(); };
BAIL_OUT "failed to setup test harness: $@" if $@;
END { $tck->cleanup if $tck; }
my $info;
eval {
$info = $conn->get_node_security_model();
};
SELINUX: {
skip "Only relevant to SELinux hosts", 2 unless $info && $info->{model} eq "selinux";
my $disk = $tck->create_sparse_disk("selinux", "tck", 50);
my $origmcs = ":c1,c2";
my $origdomainlabel = $SELINUX_DOMAIN_CONTEXT . $origmcs;
my $origimagelabel = selinux_restore_file_context($disk);
my $xml = $tck->generic_domain("tck")
->seclabel(model => "selinux", type => "static", relabel => "no", label => $origdomainlabel)
->disk(src => $disk, dst => "vdb", type => "file")
->as_xml;
diag "Creating a new transient domain";
my $dom;
eval { $dom = $conn->create_domain($xml) };
if ($dom) {
my $info = $dom->get_security_label();
is($info->{enforcing}, 0, "domain started due to permissive mode");
diag "Destroying the transient domain";
$dom->destroy;
} else {
ok(!$dom, "domain is not started");
}
is(selinux_get_file_context($disk), $origimagelabel, "$disk label is $origimagelabel");
}
# end
# -*- perl -*-
#
# Copyright (C) 2009 Red Hat, Inc.
# Copyright (C) 2009 Daniel P. Berrange
#
# This program is free software; You can redistribute it and/or modify
# it under the GNU General Public License as published by the Free
# Software Foundation; either version 2, or (at your option) any
# later version
#
# The file "LICENSE" distributed along with this file provides full
# details of the terms and conditions
#
=pod
=head1 NAME
domain/110-static-relabel-yes.t - Static label generation with relabelling
=head1 DESCRIPTION
The test case validates that static labels are honoured
and files can be relabelled
=cut
use strict;
use warnings;
use Test::More tests => 5;
use Sys::Virt::TCK;
use Sys::Virt::TCK::SELinux;
my $tck = Sys::Virt::TCK->new();
my $conn = eval { $tck->setup(); };
BAIL_OUT "failed to setup test harness: $@" if $@;
END { $tck->cleanup if $tck; }
my $info;
eval {
$info = $conn->get_node_security_model();
};
SELINUX: {
skip "Only relevant to SELinux hosts", 5 unless $info && $info->{model} eq "selinux";
my $disk = $tck->create_sparse_disk("selinux", "tck", 50);
my $origmcs = ":c1,c2";
my $origdomainlabel = $SELINUX_DOMAIN_CONTEXT . $origmcs;
my $origimagelabel = selinux_restore_file_context($disk);
my $xml = $tck->generic_domain("tck")
->seclabel(model => "selinux", type => "static", relabel => "yes", label => $origdomainlabel)
->disk(src => $disk, dst => "vdb", type => "file")
->as_xml;
diag "Creating a new transient domain";
my $dom;
ok_domain(sub { $dom = $conn->create_domain($xml) }, "created transient domain object");
diag $dom->get_xml_description();
my $domainlabel = xpath($dom, "string(/domain/seclabel/label)");
diag "domainlabel $domainlabel";
my $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
diag "imagelabel $imagelabel";
is($origdomainlabel, $domainlabel, "static label is $domainlabel");
is($imagelabel, $SELINUX_IMAGE_CONTEXT . $origmcs, "image label is $SELINUX_DOMAIN_CONTEXT$origmcs");
is(selinux_get_file_context($disk), $imagelabel, "$disk label is $imagelabel");
diag "Destroying the transient domain";
$dom->destroy;
is(selinux_get_file_context($disk), $origimagelabel, "$disk label is $origimagelabel");
}
# end
......@@ -43,6 +43,9 @@ my $xml = <<EOF;
</disk>
<console type="pty" />
</devices>
<seclabel model="selinux" type="hybrid" relabel="flat">
<baselabel>system_u:system_r:svirt_t:s0</baselabel>
</seclabel>
</domain>
EOF
chomp $xml;
......@@ -52,6 +55,7 @@ my $conn = Sys::Virt->new(address => "test:///default");
my $b = Sys::Virt::TCK::DomainBuilder->new(conn => $conn, domain => "xen", ostype => 'hvm')
->with_acpi->memory(500*1025)->vcpu(3)
->disk(format => { name => "qemu", type => "qcow2" }, type => 'block', src => "/dev/hda1", dst => "/dev/xvda", bus => "xen", secret => "0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f")
->seclabel(model => "selinux", relabel => "flat", type => "hybrid", baselabel => "system_u:system_r:svirt_t:s0")
->as_xml;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment