Systemd/test/TEST-06-SELINUX/test.sh

#!/usr/bin/env bash
set -e
TEST_DESCRIPTION="SELinux tests"
IMAGE_NAME="selinux"
TEST_NO_NSPAWN=1

# Requirements:
# Fedora 23
# selinux-policy-targeted
# selinux-policy-devel

# Check if selinux-policy-devel is installed, and if it isn't bail out early instead of failing
test -f /usr/share/selinux/devel/include/system/systemd.if || exit 0

. $TEST_BASE_DIR/test-functions
SETUP_SELINUX=yes
KERNEL_APPEND="$KERNEL_APPEND selinux=1 security=selinux"

test_create_image() {
    create_empty_image_rootdir

    # Create what will eventually be our root filesystem onto an overlay
    (
        LOG_LEVEL=5

        setup_basic_environment
        mask_supporting_services

        local _modules_dir=/var/lib/selinux
        rm -rf $initdir/$_modules_dir
        if ! cp -ar $_modules_dir $initdir/$_modules_dir; then
            dfatal "Failed to copy $_modules_dir"
            exit 1
        fi

        local _policy_headers_dir=/usr/share/selinux/devel
        rm -rf $initdir/$_policy_headers_dir
        inst_dir /usr/share/selinux
        if ! cp -ar $_policy_headers_dir $initdir/$_policy_headers_dir; then
            dfatal "Failed to copy $_policy_headers_dir"
            exit 1
        fi

        mkdir $initdir/systemd-test-module
        cp systemd_test.te $initdir/systemd-test-module
        cp systemd_test.if $initdir/systemd-test-module
        dracut_install -o sesearch
        dracut_install runcon
        dracut_install checkmodule semodule semodule_package m4 make load_policy sefcontext_compile
        dracut_install -o /usr/libexec/selinux/hll/pp # Fedora/RHEL/...
        dracut_install -o /usr/lib/selinux/hll/pp     # Debian/Ubuntu/...
    )
}

do_test "$@" 06
treewide: more portable bash shebangs As in 2a5fcfae024ffc370bb780572279f45a1da3f946 and in 3e67e5c9928f8b1e1c5a63def88d53ed1fed12eb using /usr/bin/env allows bash to be looked up in PATH rather than being hard-coded. As with the previous changes the same arguments apply - distributions have scripts to rewrite shebangs on installation and they know what locations to rely on. - For tests/compilation we should rather rely on the user to have setup there PATH correctly. In particular this makes testing from git easier on NixOS where do not provide /bin/bash to improve compose-ability. 2020-03-04 10:35:06 +01:00			`#!/usr/bin/env bash`
test: Run qemu/nspawn tests with "set -e" This catches errors like "ninja not found", missing programs etc. early, instead of silently ignoring them and trying to boot a broken VM. In install_config_files(), allow some distro specific files to be absent (such as /etc/sysconfig/init). 2017-08-07 21:09:21 +02:00			`set -e`
tests: add test-selinux-checks 2016-01-31 10:01:43 +01:00			`TEST_DESCRIPTION="SELinux tests"`
test: rework how images are created Before, we'd create a separate image for each test, in /var/tmp/systemd-test.XXXXX/rootdisk.img. Most of the images where very similar, except that each one had some unit files installed specifically for the test. The installation of those custom unit files was removed in previous commits (all the unit files are always installed). The new approach is to only create as few distinct images as possible. We have: default.img: the "normal" image suitable for almost all the tests basic.img: the same as default image but doesn't mask any services cryptsetup.img: p2 is used for encrypted /var badid.img: /etc/machine-id is overwritten with stuff selinux.img: with selinux added for fun and fun and a few others: ls -l build/test/*img lrwxrwxrwx 1 root root 38 Mar 21 21:23 build/test/badid.img -> /var/tmp/systemd-test.PJFFeo/badid.img lrwxrwxrwx 1 root root 38 Mar 21 21:17 build/test/basic.img -> /var/tmp/systemd-test.na0xOI/basic.img lrwxrwxrwx 1 root root 43 Mar 21 21:18 build/test/cryptsetup.img -> /var/tmp/systemd-test.Tzjv06/cryptsetup.img lrwxrwxrwx 1 root root 40 Mar 21 21:19 build/test/default.img -> /var/tmp/systemd-test.EscAsS/default.img lrwxrwxrwx 1 root root 39 Mar 21 21:22 build/test/nspawn.img -> /var/tmp/systemd-test.HSebKo/nspawn.img lrwxrwxrwx 1 root root 40 Mar 21 21:20 build/test/selinux.img -> /var/tmp/systemd-test.daBjbx/selinux.img lrwxrwxrwx 1 root root 39 Mar 21 21:21 build/test/test08.img -> /var/tmp/systemd-test.OgnN8Z/test08.img I considered trying to use the same image everywhere. It would probably be possible, but it would be very brittle. By using separate images where it is necessary we keep various orthogonal modifications independent. The way that images are cached is complicated by the fact that we still want to keep them in /var/tmp. Thus, an image is created on first use and linked to from build/test/ so it can be found by other tests. Tests cannot be run in parallel. I think that is an acceptable limitation. Creation of the images was probably taking more resources then the actual tests, so we should be better off anyway. 2019-12-12 09:37:19 +01:00			`IMAGE_NAME="selinux"`
test: Factorize common integration test functions (#6540) All test/TEST* but TEST-02-CRYPTSETUP share the same check_result_qemu() and test_cleanup(), so move them into test_functions and only override them in TEST-02-CRYPTSETUP. Also provide a common test_run() which by default assumes that both QEMU and nspawn tests are run. Particular tests which don't support either need to explicitly opt out by setting $TEST_NO_{QEMU,NSPAWN}. Do it this way around to avoid accidentally forgetting to opt in, and to encourage test authors to at least always support nspawn. 2017-08-04 14:34:14 +02:00			`TEST_NO_NSPAWN=1`
tests: add test-selinux-checks 2016-01-31 10:01:43 +01:00
			`# Requirements:`
			`# Fedora 23`
			`# selinux-policy-targeted`
			`# selinux-policy-devel`

test: bypass selinux integration test if selinux policy devel package is not installed With this "sudo ./run-integration-tests.sh" should work fully without exception, even on systems lacking SELinux (in which case that test will just be skipped) 2018-03-23 09:48:15 +01:00			`# Check if selinux-policy-devel is installed, and if it isn't bail out early instead of failing`
tests: tighten check for TEST-06-SELINUX dependencies a bit As it turns out /usr/share/selinux/devel/ is now included in more RPMs than just selinux-policy-devel (specifically container-selinux, which is pulled in by various container related RPMs). Let's hence tighten the dependency check a bit and look for systemd's .if file, which is what we actually care about. 2018-06-05 21:27:01 +02:00			`test -f /usr/share/selinux/devel/include/system/systemd.if \|\| exit 0`
test: bypass selinux integration test if selinux policy devel package is not installed With this "sudo ./run-integration-tests.sh" should work fully without exception, even on systems lacking SELinux (in which case that test will just be skipped) 2018-03-23 09:48:15 +01:00
tests: add test-selinux-checks 2016-01-31 10:01:43 +01:00			`. $TEST_BASE_DIR/test-functions`
			`SETUP_SELINUX=yes`
tests: force booting the kernel with SELinux selinux=1 is not sufficient when running on a kernel which also has another LSM (such as AppArmor) enabled and defaults to that. 2016-06-23 10:25:44 +02:00			`KERNEL_APPEND="$KERNEL_APPEND selinux=1 security=selinux"`
tests: add test-selinux-checks 2016-01-31 10:01:43 +01:00
test: rework how images are created Before, we'd create a separate image for each test, in /var/tmp/systemd-test.XXXXX/rootdisk.img. Most of the images where very similar, except that each one had some unit files installed specifically for the test. The installation of those custom unit files was removed in previous commits (all the unit files are always installed). The new approach is to only create as few distinct images as possible. We have: default.img: the "normal" image suitable for almost all the tests basic.img: the same as default image but doesn't mask any services cryptsetup.img: p2 is used for encrypted /var badid.img: /etc/machine-id is overwritten with stuff selinux.img: with selinux added for fun and fun and a few others: ls -l build/test/*img lrwxrwxrwx 1 root root 38 Mar 21 21:23 build/test/badid.img -> /var/tmp/systemd-test.PJFFeo/badid.img lrwxrwxrwx 1 root root 38 Mar 21 21:17 build/test/basic.img -> /var/tmp/systemd-test.na0xOI/basic.img lrwxrwxrwx 1 root root 43 Mar 21 21:18 build/test/cryptsetup.img -> /var/tmp/systemd-test.Tzjv06/cryptsetup.img lrwxrwxrwx 1 root root 40 Mar 21 21:19 build/test/default.img -> /var/tmp/systemd-test.EscAsS/default.img lrwxrwxrwx 1 root root 39 Mar 21 21:22 build/test/nspawn.img -> /var/tmp/systemd-test.HSebKo/nspawn.img lrwxrwxrwx 1 root root 40 Mar 21 21:20 build/test/selinux.img -> /var/tmp/systemd-test.daBjbx/selinux.img lrwxrwxrwx 1 root root 39 Mar 21 21:21 build/test/test08.img -> /var/tmp/systemd-test.OgnN8Z/test08.img I considered trying to use the same image everywhere. It would probably be possible, but it would be very brittle. By using separate images where it is necessary we keep various orthogonal modifications independent. The way that images are cached is complicated by the fact that we still want to keep them in /var/tmp. Thus, an image is created on first use and linked to from build/test/ so it can be found by other tests. Tests cannot be run in parallel. I think that is an acceptable limitation. Creation of the images was probably taking more resources then the actual tests, so we should be better off anyway. 2019-12-12 09:37:19 +01:00			`test_create_image() {`
test: add create_empty_image_rootdir() to simplify testcase setup Almost all tests were manually mounting/unmounting $TESTDIR/root from the loopback image; this moves all that into test-functions so the test setup functions are simplier. Also add test_setup_cleanup() function, to cleanup what is mounted by create_empty_image_rootdir() 2019-07-12 17:47:26 +02:00			`create_empty_image_rootdir`
tests: add test-selinux-checks 2016-01-31 10:01:43 +01:00
			`# Create what will eventually be our root filesystem onto an overlay`
			`(`
			`LOG_LEVEL=5`

			`setup_basic_environment`
test: add function to reduce copied setup boilerplate Many tests were also masking systemd-machined.service. But machined should only start when activated, so having it not masked shouldn't be noticable. TEST-25-IMPORT needs it. 2019-10-08 09:10:12 +02:00			`mask_supporting_services`
tests: add test-selinux-checks 2016-01-31 10:01:43 +01:00
			`local _modules_dir=/var/lib/selinux`
			`rm -rf $initdir/$_modules_dir`
			`if ! cp -ar $_modules_dir $initdir/$_modules_dir; then`
			`dfatal "Failed to copy $_modules_dir"`
			`exit 1`
			`fi`

			`local _policy_headers_dir=/usr/share/selinux/devel`
			`rm -rf $initdir/$_policy_headers_dir`
			`inst_dir /usr/share/selinux`
			`if ! cp -ar $_policy_headers_dir $initdir/$_policy_headers_dir; then`
			`dfatal "Failed to copy $_policy_headers_dir"`
			`exit 1`
			`fi`

			`mkdir $initdir/systemd-test-module`
			`cp systemd_test.te $initdir/systemd-test-module`
			`cp systemd_test.if $initdir/systemd-test-module`
			`dracut_install -o sesearch`
			`dracut_install runcon`
TEST-06-*: also try the installation path for Debian https://salsa.debian.org/systemd-team/systemd/-/blob/debian/master/debian/tests/upstream used sed to adjust the path. I think it's better to make our script more flexible. 2020-03-31 13:19:13 +02:00			`dracut_install checkmodule semodule semodule_package m4 make load_policy sefcontext_compile`
			`dracut_install -o /usr/libexec/selinux/hll/pp # Fedora/RHEL/...`
			`dracut_install -o /usr/lib/selinux/hll/pp # Debian/Ubuntu/...`
test: drop \|\| return 1 expression which is incompatible with set -e The `set -e` option is incompatible with a subshell/compound command, which is followed by \|\| <EXPR>. In such case, the -e option is ignored in all affected subshells/functions (see man bash(1) for command `set`). 2019-07-08 21:11:32 +02:00			`)`
tests: add test-selinux-checks 2016-01-31 10:01:43 +01:00			`}`

test: move most of TEST-06-* setup to static files 2019-12-09 19:42:57 +01:00			`do_test "$@" 06`