podman/test/e2e/run_selinux_test.go

package integration

import (
	"fmt"
	"os"

	. "github.com/containers/libpod/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	"github.com/opencontainers/selinux/go-selinux"
)

var _ = Describe("Podman run", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		if err != nil {
			os.Exit(1)
		}
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.RestoreAllArtifacts()
		if !selinux.GetEnabled() {
			Skip("SELinux not enabled")
		}
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		timedResult := fmt.Sprintf("Test: %s completed in %f seconds", f.TestText, f.Duration.Seconds())
		GinkgoWriter.Write([]byte(timedResult))
	})

	It("podman run selinux", func() {
		session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_t")
		Expect(match).Should(BeTrue())
	})

	It("podman run selinux grep test", func() {
		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("s0:c1,c2")
		Expect(match).Should(BeTrue())
	})

	It("podman run selinux disable test", func() {
		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("spc_t")
		Expect(match).Should(BeTrue())
	})

	It("podman run selinux type check test", func() {
		session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match1, _ := session.GrepString("container_t")
		match2, _ := session.GrepString("svirt_lxc_net_t")
		Expect(match1 || match2).Should(BeTrue())
	})

	It("podman run selinux type setup test", func() {
		session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("spc_t")
		Expect(match).Should(BeTrue())
	})

	It("podman privileged selinux", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("spc_t")
		Expect(match).Should(BeTrue())
	})

	It("podman test selinux label resolv.conf", func() {
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/resolv.conf"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).Should(BeTrue())
	})

	It("podman test selinux label hosts", func() {
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/hosts"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).Should(BeTrue())
	})

	It("podman test selinux label hostname", func() {
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/hostname"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).Should(BeTrue())
	})

	It("podman test selinux label /run/secrets", func() {
		session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-dZ", "/run/secrets"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).Should(BeTrue())
	})

	It("podman test selinux --privileged label resolv.conf", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/resolv.conf"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).Should(BeTrue())
	})

	It("podman test selinux --privileged label hosts", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/hosts"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).Should(BeTrue())
	})

	It("podman test selinux --privileged label hostname", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/hostname"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).Should(BeTrue())
	})

	It("podman test selinux --privileged label /run/secrets", func() {
		session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-dZ", "/run/secrets"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString("container_file_t")
		Expect(match).Should(BeTrue())
	})

})
Disable SELinux labeling if --privileged Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> 2018-10-01 22:31:40 +00:00			`package integration`

			`import (`
			`"fmt"`
			`"os"`

Separate common used test functions and structs to test/utils Put common used test functions and structs to a separated package. So we can use them for more testsuites. Signed-off-by: Yiqiao Pu <ypu@redhat.com> 2018-10-29 06:56:07 +00:00			`. "github.com/containers/libpod/test/utils"`
Disable SELinux labeling if --privileged Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> 2018-10-01 22:31:40 +00:00			`. "github.com/onsi/ginkgo"`
			`. "github.com/onsi/gomega"`
			`"github.com/opencontainers/selinux/go-selinux"`
			`)`

			`var _ = Describe("Podman run", func() {`
			`var (`
			`tempdir string`
			`err error`
Separate common used test functions and structs to test/utils Put common used test functions and structs to a separated package. So we can use them for more testsuites. Signed-off-by: Yiqiao Pu <ypu@redhat.com> 2018-10-29 06:56:07 +00:00			`podmanTest *PodmanTestIntegration`
Disable SELinux labeling if --privileged Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> 2018-10-01 22:31:40 +00:00			`)`

			`BeforeEach(func() {`
			`tempdir, err = CreateTempDirInTempDir()`
			`if err != nil {`
			`os.Exit(1)`
			`}`
Separate common used test functions and structs to test/utils Put common used test functions and structs to a separated package. So we can use them for more testsuites. Signed-off-by: Yiqiao Pu <ypu@redhat.com> 2018-10-29 06:56:07 +00:00			`podmanTest = PodmanTestCreate(tempdir)`
Disable SELinux labeling if --privileged Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> 2018-10-01 22:31:40 +00:00			`podmanTest.RestoreAllArtifacts()`
			`if !selinux.GetEnabled() {`
			`Skip("SELinux not enabled")`
			`}`
			`})`

			`AfterEach(func() {`
			`podmanTest.Cleanup()`
			`f := CurrentGinkgoTestDescription()`
			`timedResult := fmt.Sprintf("Test: %s completed in %f seconds", f.TestText, f.Duration.Seconds())`
			`GinkgoWriter.Write([]byte(timedResult))`
			`})`

			`It("podman run selinux", func() {`
			`session := podmanTest.Podman([]string{"run", ALPINE, "cat", "/proc/self/attr/current"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("container_t")`
			`Expect(match).Should(BeTrue())`
			`})`

			`It("podman run selinux grep test", func() {`
			`session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("s0:c1,c2")`
			`Expect(match).Should(BeTrue())`
			`})`

			`It("podman run selinux disable test", func() {`
			`session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("spc_t")`
			`Expect(match).Should(BeTrue())`
			`})`

			`It("podman run selinux type check test", func() {`
			`session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match1, _ := session.GrepString("container_t")`
			`match2, _ := session.GrepString("svirt_lxc_net_t")`
			`Expect(match1 \|\| match2).Should(BeTrue())`
			`})`

			`It("podman run selinux type setup test", func() {`
			`session := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("spc_t")`
			`Expect(match).Should(BeTrue())`
			`})`

			`It("podman privileged selinux", func() {`
			`session := podmanTest.Podman([]string{"run", "--privileged", ALPINE, "cat", "/proc/self/attr/current"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("spc_t")`
			`Expect(match).Should(BeTrue())`
			`})`

Add tests for selinux labels Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> 2018-10-03 15:06:17 +00:00			`It("podman test selinux label resolv.conf", func() {`
			`session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/resolv.conf"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("container_file_t")`
			`Expect(match).Should(BeTrue())`
			`})`

			`It("podman test selinux label hosts", func() {`
			`session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/hosts"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("container_file_t")`
			`Expect(match).Should(BeTrue())`
			`})`

			`It("podman test selinux label hostname", func() {`
			`session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/hostname"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("container_file_t")`
			`Expect(match).Should(BeTrue())`
			`})`

			`It("podman test selinux label /run/secrets", func() {`
			`session := podmanTest.Podman([]string{"run", fedoraMinimal, "ls", "-dZ", "/run/secrets"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("container_file_t")`
			`Expect(match).Should(BeTrue())`
			`})`

			`It("podman test selinux --privileged label resolv.conf", func() {`
			`session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/resolv.conf"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("container_file_t")`
			`Expect(match).Should(BeTrue())`
			`})`

			`It("podman test selinux --privileged label hosts", func() {`
			`session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/hosts"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("container_file_t")`
			`Expect(match).Should(BeTrue())`
			`})`

			`It("podman test selinux --privileged label hostname", func() {`
			`session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/hostname"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("container_file_t")`
			`Expect(match).Should(BeTrue())`
			`})`

			`It("podman test selinux --privileged label /run/secrets", func() {`
			`session := podmanTest.Podman([]string{"run", "--privileged", fedoraMinimal, "ls", "-dZ", "/run/secrets"})`
			`session.WaitWithDefaultTimeout()`
			`Expect(session.ExitCode()).To(Equal(0))`
			`match, _ := session.GrepString("container_file_t")`
			`Expect(match).Should(BeTrue())`
			`})`

Disable SELinux labeling if --privileged Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> 2018-10-01 22:31:40 +00:00			`})`