Diffstat (limited to 'tests/cp')
-rwxr-xr-xtests/cp/cp-a-selinux36
1 files changed, 20 insertions, 16 deletions
diff --git a/tests/cp/cp-a-selinux b/tests/cp/cp-a-selinux
index d28b333e0..338044f16 100755
--- a/tests/cp/cp-a-selinux
+++ b/tests/cp/cp-a-selinux
@@ -27,19 +27,28 @@ fi
. $srcdir/../envvar-check
. $srcdir/../lang-default
. $srcdir/../selinux
-PRIV_CHECK_ARG=require-non-root . $srcdir/../priv-check
+PRIV_CHECK_ARG=require-root . $srcdir/../priv-check
pwd=`pwd`
t0=`echo "$0"|sed 's,.*/,,'`.tmp; tmp=$t0/$$
-trap 'status=$?; cd "$pwd" && chmod -R u+rwx $t0 && rm -rf $t0 && exit $status' 0
+trap 'status=$?; cd "$pwd"; umount $tmp/mnt; chmod -R u+rwx $t0 && rm -rf $t0 && exit $status' 0
trap '(exit $?); exit $?' 1 2 13 15
framework_failure=0
mkdir -p $tmp || framework_failure=1
cd $tmp || framework_failure=1
-echo > f || framework_failure=1
-echo > g || framework_failure=1
+# Create a file system, then mount it with the context=... option.
+dd if=/dev/zero of=blob bs=8192 count=200 > /dev/null 2>&1 \
+ || framework_failure=1
+mkdir mnt || framework_failure=1
+mkfs -t ext2 -F blob > /dev/null 2>&1 || framework_failure=1
+mount -oloop,context=system_u:object_r:removable_t blob mnt \
+ || framework_failure=1
+cd mnt || framework_failure=1
+
+echo > f || framework_failure=1
+echo > g || framework_failure=1
if test $framework_failure = 1; then
echo "$0: failure in testing framework" 1>&2
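Review bot: The rewritten exit trap on the `trap ... 0` line now runs as root, yet it drops the `&&` after `cd "$pwd"` and leaves `$tmp` and `$t0` unquoted, so if the `cd` fails the `umount`, `chmod -R` and `rm -rf` still run against relative paths from whatever directory the script is in. I would keep the guard and quote the paths: `trap 'status=$?; cd "$pwd" && { umount "$tmp/mnt"; chmod -R u+rwx "$t0" && rm -rf "$t0"; } && exit $status' 0`. The `umount` also runs when the `mount` never succeeded, and if it fails on a busy mount the `rm -rf` descends into the loop file system and leaves the mount point behind; a comment saying this is accepted would help. Separately, a host without loop-device support or without the `removable_t` type presumably lands in the `framework_failure` branch, whose body continues outside the hunk, where a skip may be more appropriate than a failure.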
@@ -58,25 +67,20 @@ rm -f g err
echo > g
# =====================================================
-# Here, we expect cp to fail, because it (currently?) cannot
-# set the SELinux security context through NFS.
+# Here, we expect cp to fail, because it cannot set the SELinux
+# security context through NFS or a mount with fixed context.
cp --preserve=context f g 2> out && fail=1
# Here, we *do* expect the destination to be empty.
test -s g && fail=1
-# FIXME: currently, this test must be run in an NFS mounted
-# directory, and that's not checked. Move this part into a separate
-# test and make that a prerequisite.
-# In addition, we can add a root-only test that takes one of two
-# approaches: 1) create a loopback context=... mount and run the test there.
-# 2) run in a confined domain (maybe creating/loading it) that lacks the
-# required permissions to the file type).
-
-# Currently, I get this diagnostic:
+# An alternative to the current approach would be to run in a confined
+# domain (maybe creating/loading it) that lacks the required permissions
+# to the file type.
+# Note: this test could also be run by a regular (non-root) user in an
+# NFS mounted directory. When doing that, I get this diagnostic:
# cp: failed to set the security context of `g' to `system_u:object_r:nfs_t': \
# Operation not supported
-# but don't want to depend on ENOTSUP or that specific context triple:
sed "s/ .g' to .*//" out > k
mv k out