diff options
Diffstat (limited to 'tests/cp')
-rwxr-xr-x | tests/cp/cp-a-selinux | 36 |
1 files changed, 20 insertions, 16 deletions
diff --git a/tests/cp/cp-a-selinux b/tests/cp/cp-a-selinux index d28b333e0..338044f16 100755 --- a/tests/cp/cp-a-selinux +++ b/tests/cp/cp-a-selinux @@ -27,19 +27,28 @@ fi . $srcdir/../envvar-check . $srcdir/../lang-default . $srcdir/../selinux -PRIV_CHECK_ARG=require-non-root . $srcdir/../priv-check +PRIV_CHECK_ARG=require-root . $srcdir/../priv-check pwd=`pwd` t0=`echo "$0"|sed 's,.*/,,'`.tmp; tmp=$t0/$$ -trap 'status=$?; cd "$pwd" && chmod -R u+rwx $t0 && rm -rf $t0 && exit $status' 0 +trap 'status=$?; cd "$pwd"; umount $tmp/mnt; chmod -R u+rwx $t0 && rm -rf $t0 && exit $status' 0 trap '(exit $?); exit $?' 1 2 13 15 framework_failure=0 mkdir -p $tmp || framework_failure=1 cd $tmp || framework_failure=1 -echo > f || framework_failure=1 -echo > g || framework_failure=1 +# Create a file system, then mount it with the context=... option. +dd if=/dev/zero of=blob bs=8192 count=200 > /dev/null 2>&1 \ + || framework_failure=1 +mkdir mnt || framework_failure=1 +mkfs -t ext2 -F blob > /dev/null 2>&1 || framework_failure=1 +mount -oloop,context=system_u:object_r:removable_t blob mnt \ + || framework_failure=1 +cd mnt || framework_failure=1 + +echo > f || framework_failure=1 +echo > g || framework_failure=1 if test $framework_failure = 1; then echo "$0: failure in testing framework" 1>&2 @@ -58,25 +67,20 @@ rm -f g err echo > g # ===================================================== -# Here, we expect cp to fail, because it (currently?) cannot -# set the SELinux security context through NFS. +# Here, we expect cp to fail, because it cannot set the SELinux +# security context through NFS or a mount with fixed context. cp --preserve=context f g 2> out && fail=1 # Here, we *do* expect the destination to be empty. test -s g && fail=1 -# FIXME: currently, this test must be run in an NFS mounted -# directory, and that's not checked. Move this part into a separate -# test and make that a prerequisite. -# In addition, we can add a root-only test that takes one of two -# approaches: 1) create a loopback context=... mount and run the test there. -# 2) run in a confined domain (maybe creating/loading it) that lacks the -# required permissions to the file type). - -# Currently, I get this diagnostic: +# An alternative to the current approach would be to run in a confined +# domain (maybe creating/loading it) that lacks the required permissions +# to the file type. +# Note: this test could also be run by a regular (non-root) user in an +# NFS mounted directory. When doing that, I get this diagnostic: # cp: failed to set the security context of `g' to `system_u:object_r:nfs_t': \ # Operation not supported -# but don't want to depend on ENOTSUP or that specific context triple: sed "s/ .g' to .*//" out > k mv k out |