# -*- perl -*-
#
# Copyright (C) 2009 Red Hat, Inc.
# Copyright (C) 2009 Daniel P. Berrange
#
# This program is free software; You can redistribute it and/or modify
# it under the GNU General Public License as published by the Free
# Software Foundation; either version 2, or (at your option) any
# later version
#
# The file "LICENSE" distributed along with this file provides full
# details of the terms and conditions
#

=pod

=head1 NAME

domain/055-dynamic-base-label.t - Hybrid label generation with relabelling

=head1 DESCRIPTION

The test case validates that hybrid label generation works,
together with flat relabelling of resources.

=cut

use strict;
use warnings;
use Test::More tests => 10;
use Test::Exception;
use Sys::Virt::TCK;
use Sys::Virt::TCK::SELinux;

my $tck = Sys::Virt::TCK->new();
my $conn = eval { $tck->setup(); };
BAIL_OUT "failed to setup test harness: $@" if $@;
END { $tck->cleanup if $tck; }

my $info;
eval {
    $info = $conn->get_node_security_model();
};

SKIP: {
    skip "Only relevant to SELinux hosts", 10 unless $info && $info->{model} eq "selinux";

    my $disk = $tck->create_sparse_disk("selinux", "tck", 50);

    # Record the default file context so we can check it is restored later
    my $origlabel = selinux_restore_file_context($disk);

    # Dynamic labelling with an explicit base label and relabelling enabled
    my $xml = $tck->generic_domain("tck")
        ->seclabel(model => "selinux", type => "dynamic", relabel => "yes", baselabel => $SELINUX_OTHER_CONTEXT)
        ->disk(src => $disk, dst => "vdb", type => "file")
        ->as_xml;

    diag "Creating a new persistent domain";
    my $dom = $conn->define_domain($xml);
    lives_ok(sub { $dom->create() }, "started persistent domain object");

    my $domainlabel = xpath($dom, "string(/domain/seclabel/label)");
    diag "domainlabel $domainlabel";
    my $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
    diag "imagelabel $imagelabel";

    # Both generated labels must start with the expected base context
    is(index($domainlabel, $SELINUX_OTHER_CONTEXT), 0, "dynamic domain label prefix is $SELINUX_OTHER_CONTEXT");
    is(index($imagelabel, $SELINUX_IMAGE_CONTEXT), 0, "dynamic image label prefix is $SELINUX_IMAGE_CONTEXT");

    # Whatever follows the base prefix is the generated MCS part;
    # it must be identical for the domain and its image
    my $domainmcs = substr $domainlabel, length($SELINUX_OTHER_CONTEXT);
    my $imagemcs = substr $imagelabel, length($SELINUX_IMAGE_CONTEXT);

    is($domainmcs, $imagemcs, "Domain MCS $domainmcs == Image MCS $imagemcs");

    # The disk must have been relabelled with the image label
    is(selinux_get_file_context($disk), $imagelabel, "$disk label is $imagelabel");

    diag "Destroying the persistent domain";
    $dom->destroy;

    # After shutdown the generated labels must be gone,
    # but the configured model and baselabel must remain
    my $model = xpath($dom, 'string(/domain/seclabel/@model)');
    is($model, "selinux", "model is still defined");

    $domainlabel = xpath($dom, "string(/domain/seclabel/label)");
    diag "domainlabel $domainlabel";
    $imagelabel = xpath($dom, "string(/domain/seclabel/imagelabel)");
    diag "imagelabel $imagelabel";
    my $baselabel = xpath($dom, "string(/domain/seclabel/baselabel)");
    diag "baselabel $baselabel";

    is($domainlabel, "", "domainlabel is cleared");
    is($imagelabel, "", "imagelabel is cleared");
    is($baselabel, $SELINUX_OTHER_CONTEXT, "baselabel is $SELINUX_OTHER_CONTEXT");

    # The disk must be back at its original file context
    is(selinux_get_file_context($disk), $origlabel, "$disk label is $origlabel");
}
# end