selinux: enhance test to cover nfs label failure

Daniel Berrange (correctly) pointed out that we should do a better job of testing selinux labeling fallbacks on NFS disks that lack labeling support. * tests/securityselinuxhelper.c (includes): Makefile already guaranteed xattr support. Add additional headers. (init_syms): New function, borrowing from vircgroupmock.c. (setfilecon_raw, getfilecon_raw): Fake NFS failure. (statfs): Fake an NFS mount point. (security_getenforce, security_get_boolean_active): Don't let host environment affect test. * tests/securityselinuxlabeldata/nfs.data: New file. * tests/securityselinuxlabeldata/nfs.xml: New file. * tests/securityselinuxlabeltest.c (testSELinuxCreateDisks) (testSELinuxDeleteDisks): Setup and cleanup for fake NFS mount. (testSELinuxCheckLabels): Test handling of SELinux NFS denial. Fix memory leak. (testSELinuxLabeling): Avoid infinite loop on dirty tree. (mymain): Add new test.
2025-02-25 18:55:26 -06:00 · 2013-08-13 14:19:14 -06:00
parent 0f082e699e
commit 95577af442
4 changed files with 117 additions and 11 deletions
--- a/tests/securityselinuxlabeltest.c
+++ b/tests/securityselinuxlabeltest.c
@@ -209,7 +209,7 @@ testSELinuxCreateDisks(testSELinuxFile *files, size_t nfiles)
 {
    size_t i;

-    if (virFileMakePath(abs_builddir "/securityselinuxlabeldata") < 0)
+    if (virFileMakePath(abs_builddir "/securityselinuxlabeldata/nfs") < 0)
        return -1;

    for (i = 0; i < nfiles; i++) {
@@ -228,6 +228,10 @@ testSELinuxDeleteDisks(testSELinuxFile *files, size_t nfiles)
        if (unlink(files[i].file) < 0)
            return -1;
    }
+    if (rmdir(abs_builddir "/securityselinuxlabeldata/nfs") < 0)
+        return -1;
+    /* Ignore failure to remove non-empty directory with in-tree build */
+    rmdir(abs_builddir "/securityselinuxlabeldata");
    return 0;
 }

@@ -238,9 +242,13 @@ testSELinuxCheckLabels(testSELinuxFile *files, size_t nfiles)
    security_context_t ctx;

    for (i = 0; i < nfiles; i++) {
+        ctx = NULL;
        if (getfilecon(files[i].file, &ctx) < 0) {
            if (errno == ENODATA) {
-                ctx = NULL;
+                /* nothing to do */
+            } else if (errno == EOPNOTSUPP) {
+                if (VIR_STRDUP(ctx, "EOPNOTSUPP") < 0)
+                    return -1;
            } else {
                virReportSystemError(errno,
                                     "Cannot read label on %s",
@@ -252,8 +260,10 @@ testSELinuxCheckLabels(testSELinuxFile *files, size_t nfiles)
            virReportError(VIR_ERR_INTERNAL_ERROR,
                           "File %s context '%s' did not match epected '%s'",
                           files[i].file, ctx, files[i].context);
+            VIR_FREE(ctx);
            return -1;
        }
+        VIR_FREE(ctx);
    }
    return 0;
 }
@@ -287,7 +297,7 @@ testSELinuxLabeling(const void *opaque)

 cleanup:
    if (testSELinuxDeleteDisks(files, nfiles) < 0)
-        goto cleanup;
+        VIR_WARN("unable to fully clean up");

    virDomainDefFree(def);
    for (i = 0; i < nfiles; i++) {
@@ -334,6 +344,7 @@ mymain(void)
    DO_TEST_LABELING("disks");
    DO_TEST_LABELING("kernel");
    DO_TEST_LABELING("chardev");
+    DO_TEST_LABELING("nfs");

    return (ret == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
 }