On 16/12/16 20:47, Nicolas Iooss wrote:
> On 12/02/16 05:33, Pádraig Brady wrote:
>> On 11/02/16 06:07, Nicolas Iooss wrote:
>>> When running "make check" on a Linux system running SELinux with a
>>> non-MLS policy, tests/mkdir/restorecon.sh test fails with:
>>>
>>>   chcon: invalid context: root:object_r:tmp_t:s0: Invalid argument
>>>
>>> Indeed in such a configuration, contexts cannot have ":s0" suffix.
>>>
>>> * tests/mkdir/restorecon.sh: detect non-MLS SELinux configurations by
>>>   using sestatus and in this case use a valid context when calling
>>>   runcon.  Update the sed pattern of get_selinux_type to always grab the
>>>   SELinux type from the output of "ls -Zd" even with a non-MLS policy.
>>> ---
>>>  tests/mkdir/restorecon.sh | 8 ++++++--
>>>  1 file changed, 6 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/tests/mkdir/restorecon.sh b/tests/mkdir/restorecon.sh
>>> index 0e7f03bc93db..cfd3bdda9637 100755
>>> --- a/tests/mkdir/restorecon.sh
>>> +++ b/tests/mkdir/restorecon.sh
>>> @@ -21,10 +21,14 @@ print_ver_ mkdir mknod mkfifo
>>>  require_selinux_
>>>  
>>>  
>>> -get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
>>> +get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\)[: ].*/\1/p'; }
>>>  
>>>  mkdir subdir || framework_failure_
>>> -chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
>>> +if sestatus 2>&1 |grep 'Policy MLS status:.*enabled' > /dev/null; then
>>> +  chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
>>> +else
>>> +  chcon 'root:object_r:tmp_t' subdir || framework_failure_
>>> +fi
>>>  cd subdir
>>>  
>>>  # --- mkdir -Z ---
>>>
>>
>> +1
>>
>> thanks!
>> Pádraig
> 
> Hi,
> This patch has not been included in coreutils 8.26, so the
> mkdir/restorecon.sh test still fails on my system. What should I do for
> this patch to be merged?
> 
> Moreover the code which was modified in this patch has been copied in
> tests/install/install-Z-selinux.sh. So this test also fails on systems
> where SELinux is configured with a non-MLS policy. Do I need to send a
> new patch which also modifies this file?

My bad. Sorry I missed this.

I presume these root tests have the same issue?

  $ git grep -l ':s0' tests | xargs grep -l require_root_
  tests/cp/cp-a-selinux.sh
  tests/misc/chcon.sh
  tests/misc/selinux.sh

I updated those also which can be tested like:

  git am < cu-non-mls-tests.patch
  sudo make TESTS="$(echo $(git show --name-only | grep ^tests))" check SUBDIRS=.

Do those pass on your system?

I'll apply the attached in your name if so.

thanks for the follow up.
Pádraig
From f2b9fa2c99ec01c9e767700afaa16fd84f30c97e Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <[email protected]>
Date: Thu, 11 Feb 2016 15:07:52 +0100
Subject: [PATCH] tests: support non-MLS enabled SELinux systems

When running "make check" on a Linux system running SELinux with a
non-MLS policy, tests/mkdir/restorecon.sh test fails with:

  chcon: invalid context: root:object_r:tmp_t:s0: Invalid argument

Indeed in such a configuration, contexts cannot have ":s0" suffix.

* init.cfg (get_selinux_type): Refactor this function to here
from various tests.  Update to work with a non-MLS policy.
(mls_enabled_): A new function to detect if MLS is enabled.
* tests/mkdir/restorecon.sh: Use a valid non-MLS context when needed.
* tests/install/install-Z-selinux.sh: Likewise.
* tests/cp/cp-a-selinux.sh: Likewise.
* tests/misc/selinux.sh: Likewise.
* tests/misc/chcon.sh: Skip if non-MLS as --range used throughout.
Fixes http://bugs.gnu.org/22631
---
 init.cfg                           | 9 +++++++++
 tests/cp/cp-a-selinux.sh           | 4 ++--
 tests/install/install-Z-selinux.sh | 7 +++----
 tests/misc/chcon.sh                | 1 +
 tests/misc/selinux.sh              | 3 ++-
 tests/mkdir/restorecon.sh          | 7 +++----
 6 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/init.cfg b/init.cfg
index db86194..df39183 100644
--- a/init.cfg
+++ b/init.cfg
@@ -128,6 +128,15 @@ require_selinux_()
   esac
 }
 
+# Return the SELinux type component if available
+get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\)[: ].*/\1/p'; }
+
+# Whether SELinux Multi Level Security is enabled
+mls_enabled_() {
+  sestatus 2>&1 |
+  grep 'Policy MLS status:.*enabled' > /dev/null
+}
+
 # Skip this test if we're not in SELinux "enforcing" mode.
 require_selinux_enforcing_()
 {
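Review bot: `mls_enabled_` cannot tell "MLS is disabled" from "`sestatus` is missing or failed", because with `sestatus 2>&1 | grep …` the grep simply does not match in either case. On an MLS policy host without the sestatus tool, the callers in this patch would drop `:s0` from the context (which chcon would likely then reject), and tests/misc/chcon.sh would be skipped with the misleading message 'MLS is disabled', so a label-handling regression could go unnoticed. At minimum the header comment should state the dependency, e.g. `# Needs sestatus; a missing or failing sestatus is treated as "MLS disabled"`. A sturdier check would consult the kernel's own flag first, something like `test "$(cat /sys/fs/selinux/mls 2>/dev/null)" = 1`, and fall back to sestatus; the selinuxfs mount point is an assumption to confirm for older systems.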
diff --git a/tests/cp/cp-a-selinux.sh b/tests/cp/cp-a-selinux.sh
index 89735b6..3915952 100755
--- a/tests/cp/cp-a-selinux.sh
+++ b/tests/cp/cp-a-selinux.sh
@@ -28,7 +28,8 @@ cwd=$(pwd)
 cleanup_() { cd /; umount "$cwd/mnt"; }
 
 # This context is special: it works even when mcstransd isn't running.
-ctx=root:object_r:tmp_t:s0
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
 
 # Check basic functionality - before check on fixed context mount
 touch c || framework_failure_
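Review bot: The `ctx='root:object_r:tmp_t'` / `mls_enabled_ && ctx="$ctx:s0"` pair added here is repeated verbatim in tests/install/install-Z-selinux.sh, tests/misc/selinux.sh and tests/mkdir/restorecon.sh. The thread already shows a copied test being missed by the first version of this fix, so a single helper in init.cfg next to `mls_enabled_` that yields the context would keep the four tests from drifting apart again. The comment above the assignment no longer explains the conditional suffix; something like `# Non-MLS policies reject a level, so append ":s0" only when MLS is enabled.` would make the intent clear. Separately, `$ctx` is still expanded unquoted in the later context lines of this file (`grep $ctx ed_ctx`, `chcon $ctx c_d`), while the install and mkdir tests use `chcon "$ctx"`; quoting it consistently would be safer.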
@@ -62,7 +63,6 @@ grep $ctx ed_ctx &&
   { ls -lZd restore/existing_dir; fail=1; }
 
 # Check restorecon (-Z) functionality for file and directory
-get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
 # Also make a dir with our known context
 mkdir c_d || framework_failure_
 chcon $ctx c_d || framework_failure_
diff --git a/tests/install/install-Z-selinux.sh b/tests/install/install-Z-selinux.sh
index 9c3b642..c63a478 100755
--- a/tests/install/install-Z-selinux.sh
+++ b/tests/install/install-Z-selinux.sh
@@ -21,11 +21,10 @@
 print_ver_ ginstall
 require_selinux_
 
-
-get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
-
 mkdir subdir || framework_failure_
-chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
+chcon "$ctx" subdir || framework_failure_
 cd subdir
 
 # Since in a tmp_t dir, dirs can be created as user_tmp_t ...
diff --git a/tests/misc/chcon.sh b/tests/misc/chcon.sh
index bd40fbc..c990219 100755
--- a/tests/misc/chcon.sh
+++ b/tests/misc/chcon.sh
@@ -21,6 +21,7 @@ print_ver_ chcon
 require_root_
 require_selinux_
 skip_if_mcstransd_is_running_
+mls_enabled_ || skip_ 'MLS is disabled'
 
 mkdir -p d/sub/s2 || framework_failure_
 touch f g d/sub/1 d/sub/2 || framework_failure_
diff --git a/tests/misc/selinux.sh b/tests/misc/selinux.sh
index a951568..28c05c4 100755
--- a/tests/misc/selinux.sh
+++ b/tests/misc/selinux.sh
@@ -30,7 +30,8 @@ mkfifo_or_skip_ p
 
 
 # special context that works both with and without mcstransd
-ctx=root:object_r:tmp_t:s0
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
 
 chcon $ctx f d p ||
   skip_ '"chcon '$ctx' ..." failed'
diff --git a/tests/mkdir/restorecon.sh b/tests/mkdir/restorecon.sh
index 0e7f03b..49e7219 100755
--- a/tests/mkdir/restorecon.sh
+++ b/tests/mkdir/restorecon.sh
@@ -20,11 +20,10 @@
 print_ver_ mkdir mknod mkfifo
 require_selinux_
 
-
-get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
-
 mkdir subdir || framework_failure_
-chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
+chcon "$ctx" subdir || framework_failure_
 cd subdir
 
 # --- mkdir -Z ---
-- 
2.5.5
