1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
From 97f0b56bcad827d954f9a6fe2051aa63ab591478 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Thu, 11 Feb 2016 15:07:52 +0100
Subject: [PATCH 1/1] tests: support non-MLS enabled SELinux systems
When running "make check" on a Linux system running SELinux with a
non-MLS policy, tests/mkdir/restorecon.sh test fails with:
chcon: invalid context: root:object_r:tmp_t:s0: Invalid argument
Indeed in such a configuration, contexts cannot have ":s0" suffix.
* init.cfg (get_selinux_type): Refactor this function to here
from various tests. Update to work with a non-MLS policy.
(mls_enabled_): A new function to detect if MLS is enabled.
(skip_if_mcstransd_is_running_): Update to not skip when
MLS is not enabled.
* tests/mkdir/restorecon.sh: Use a valid non-MLS context when needed.
* tests/install/install-Z-selinux.sh: Likewise.
* tests/cp/cp-a-selinux.sh: Likewise.
* tests/misc/selinux.sh: Likewise.
* tests/misc/chcon.sh: Skip if non-MLS as --range used throughout.
Fixes http://bugs.gnu.org/22631
---
init.cfg | 18 +++++++++++++++---
tests/cp/cp-a-selinux.sh | 4 ++--
tests/install/install-Z-selinux.sh | 7 +++----
tests/misc/chcon.sh | 1 +
tests/misc/selinux.sh | 3 ++-
tests/mkdir/restorecon.sh | 7 +++----
6 files changed, 26 insertions(+), 14 deletions(-)
diff --git a/init.cfg b/init.cfg
index db861944c6af..d29b3f254585 100644
--- a/init.cfg
+++ b/init.cfg
@@ -128,6 +128,15 @@ require_selinux_()
esac
}
+# Return the SELinux type component if available
+get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\)[: ].*/\1/p'; }
+
+# Whether SELinux Multi Level Security is enabled
+mls_enabled_() {
+ sestatus 2>&1 |
+ grep 'Policy MLS status:.*enabled' > /dev/null
+}
+
# Skip this test if we're not in SELinux "enforcing" mode.
require_selinux_enforcing_()
{
@@ -637,10 +646,13 @@ skip_if_mcstransd_is_running_()
# and if it's running, skip this test.
__ctx=$(stat --printf='%C\n' .) || framework_failure_
case $__ctx in
- *:*:*:*) ;; # four components is ok
- *) # anything else probably means mcstransd is running
- skip_ "unexpected context '$__ctx'; turn off mcstransd" ;;
+ *:*:*:*) __ctx_ok=1 ;; # four components is ok
+ *:*:*) # three components is ok too if there is no MLS
+ mls_enabled_ || __ctx_ok=1 ;;
esac
+
+ test "$__ctx_ok" ||
+ skip_ "unexpected context '$__ctx'; turn off mcstransd"
}
# Skip the current test if umask doesn't work as usual.
diff --git a/tests/cp/cp-a-selinux.sh b/tests/cp/cp-a-selinux.sh
index 89735b65a832..3915952188dd 100755
--- a/tests/cp/cp-a-selinux.sh
+++ b/tests/cp/cp-a-selinux.sh
@@ -28,7 +28,8 @@ cwd=$(pwd)
cleanup_() { cd /; umount "$cwd/mnt"; }
# This context is special: it works even when mcstransd isn't running.
-ctx=root:object_r:tmp_t:s0
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
# Check basic functionality - before check on fixed context mount
touch c || framework_failure_
@@ -62,7 +63,6 @@ grep $ctx ed_ctx &&
{ ls -lZd restore/existing_dir; fail=1; }
# Check restorecon (-Z) functionality for file and directory
-get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
# Also make a dir with our known context
mkdir c_d || framework_failure_
chcon $ctx c_d || framework_failure_
diff --git a/tests/install/install-Z-selinux.sh b/tests/install/install-Z-selinux.sh
index 9c3b6420bc95..c63a4786230a 100755
--- a/tests/install/install-Z-selinux.sh
+++ b/tests/install/install-Z-selinux.sh
@@ -21,11 +21,10 @@
print_ver_ ginstall
require_selinux_
-
-get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
-
mkdir subdir || framework_failure_
-chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
+chcon "$ctx" subdir || framework_failure_
cd subdir
# Since in a tmp_t dir, dirs can be created as user_tmp_t ...
diff --git a/tests/misc/chcon.sh b/tests/misc/chcon.sh
index bd40fbc7d314..c99021907172 100755
--- a/tests/misc/chcon.sh
+++ b/tests/misc/chcon.sh
@@ -21,6 +21,7 @@ print_ver_ chcon
require_root_
require_selinux_
skip_if_mcstransd_is_running_
+mls_enabled_ || skip_ 'MLS is disabled'
mkdir -p d/sub/s2 || framework_failure_
touch f g d/sub/1 d/sub/2 || framework_failure_
diff --git a/tests/misc/selinux.sh b/tests/misc/selinux.sh
index a9515680a44f..28c05c4f82d7 100755
--- a/tests/misc/selinux.sh
+++ b/tests/misc/selinux.sh
@@ -30,7 +30,8 @@ mkfifo_or_skip_ p
# special context that works both with and without mcstransd
-ctx=root:object_r:tmp_t:s0
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
chcon $ctx f d p ||
skip_ '"chcon '$ctx' ..." failed'
diff --git a/tests/mkdir/restorecon.sh b/tests/mkdir/restorecon.sh
index 0e7f03bc93db..49e72196ff88 100755
--- a/tests/mkdir/restorecon.sh
+++ b/tests/mkdir/restorecon.sh
@@ -20,11 +20,10 @@
print_ver_ mkdir mknod mkfifo
require_selinux_
-
-get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
-
mkdir subdir || framework_failure_
-chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
+chcon "$ctx" subdir || framework_failure_
cd subdir
# --- mkdir -Z ---
--
2.11.0
|