From add8b3614847cacba66662ee701d0ce2f3e36802 Mon Sep 17 00:00:00 2001 From: Jim Meyering Date: Mon, 12 Feb 2007 19:35:25 +0100 Subject: Arrange for "make check-root" to run the new root-only test. * tests/Makefile.am (t9): New target, to run tests/cp/cp-a-selinux. (all_t): Add t9. Use a directory on a loopback device mounted with -o context=... * tests/cp/cp-a-selinux: Since this test now runs mount and umount, it is a root-only one. --- ChangeLog | 8 ++++++++ tests/Makefile.am | 4 +++- tests/cp/cp-a-selinux | 36 ++++++++++++++++++++---------------- 3 files changed, 31 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1396ed803..f3549aa80 100644 --- a/ChangeLog +++ b/ChangeLog @@ -614,9 +614,17 @@ consistent, so this can be applied with patch -p0. Reported by Matthew Woehlke. + Arrange for "make check-root" to run the new root-only test. + * tests/Makefile.am (t9): New target, to run tests/cp/cp-a-selinux. + (all_t): Add t9. + * Makefile.maint (patch-check): Use patch with its -p2 option, since that makes this check slightly more strict. + Use a directory on a loopback device mounted with -o context=... + * tests/cp/cp-a-selinux: Since this test now runs mount and umount, + it is a root-only one. + 2007-01-29 Jim Meyering Plug a leak in ls. diff --git a/tests/Makefile.am b/tests/Makefile.am index b2cbbfc09..4371d73a9 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -30,7 +30,7 @@ SUBDIRS = \ tsort unexpand uniq wc ## N O T E :: Please do not add new directories. -all_t = t1 t2 t3 t4 t5 t6 t7 t8 +all_t = t1 t2 t3 t4 t5 t6 t7 t8 t9 .PHONY: check-root $(all_t) check-root: $(all_t) @@ -50,6 +50,8 @@ t7: cd ls && $(MAKE) check TESTS=nameless-uid t8: cd misc && $(MAKE) check TESTS=chcon +t9: + cd cp && $(MAKE) check TESTS=cp-a-selinux check-recursive: root-hint diff --git a/tests/cp/cp-a-selinux b/tests/cp/cp-a-selinux index d28b333e0..338044f16 100755 --- a/tests/cp/cp-a-selinux +++ b/tests/cp/cp-a-selinux @@ -27,19 +27,28 @@ fi . $srcdir/../envvar-check . $srcdir/../lang-default . $srcdir/../selinux -PRIV_CHECK_ARG=require-non-root . $srcdir/../priv-check +PRIV_CHECK_ARG=require-root . $srcdir/../priv-check pwd=`pwd` t0=`echo "$0"|sed 's,.*/,,'`.tmp; tmp=$t0/$$ -trap 'status=$?; cd "$pwd" && chmod -R u+rwx $t0 && rm -rf $t0 && exit $status' 0 +trap 'status=$?; cd "$pwd"; umount $tmp/mnt; chmod -R u+rwx $t0 && rm -rf $t0 && exit $status' 0 trap '(exit $?); exit $?' 1 2 13 15 framework_failure=0 mkdir -p $tmp || framework_failure=1 cd $tmp || framework_failure=1 -echo > f || framework_failure=1 -echo > g || framework_failure=1 +# Create a file system, then mount it with the context=... option. +dd if=/dev/zero of=blob bs=8192 count=200 > /dev/null 2>&1 \ + || framework_failure=1 +mkdir mnt || framework_failure=1 +mkfs -t ext2 -F blob > /dev/null 2>&1 || framework_failure=1 +mount -oloop,context=system_u:object_r:removable_t blob mnt \ + || framework_failure=1 +cd mnt || framework_failure=1 + +echo > f || framework_failure=1 +echo > g || framework_failure=1 if test $framework_failure = 1; then echo "$0: failure in testing framework" 1>&2 @@ -58,25 +67,20 @@ rm -f g err echo > g # ===================================================== -# Here, we expect cp to fail, because it (currently?) cannot -# set the SELinux security context through NFS. +# Here, we expect cp to fail, because it cannot set the SELinux +# security context through NFS or a mount with fixed context. cp --preserve=context f g 2> out && fail=1 # Here, we *do* expect the destination to be empty. test -s g && fail=1 -# FIXME: currently, this test must be run in an NFS mounted -# directory, and that's not checked. Move this part into a separate -# test and make that a prerequisite. -# In addition, we can add a root-only test that takes one of two -# approaches: 1) create a loopback context=... mount and run the test there. -# 2) run in a confined domain (maybe creating/loading it) that lacks the -# required permissions to the file type). - -# Currently, I get this diagnostic: +# An alternative to the current approach would be to run in a confined +# domain (maybe creating/loading it) that lacks the required permissions +# to the file type. +# Note: this test could also be run by a regular (non-root) user in an +# NFS mounted directory. When doing that, I get this diagnostic: # cp: failed to set the security context of `g' to `system_u:object_r:nfs_t': \ # Operation not supported -# but don't want to depend on ENOTSUP or that specific context triple: sed "s/ .g' to .*//" out > k mv k out -- cgit v1.2.3-54-g00ecf