Arrange for "make check-root" to run the new root-only test.

* tests/Makefile.am (t9): New target, to run tests/cp/cp-a-selinux. (all_t): Add t9. Use a directory on a loopback device mounted with -o context=... * tests/cp/cp-a-selinux: Since this test now runs mount and umount, it is a root-only one.
2026-05-24 03:06:46 +02:00 · 2007-02-12 19:35:25 +01:00
parent 6f5700ac8a
commit 5e711ff948
3 changed files with 31 additions and 17 deletions
@@ -486,9 +486,17 @@
 	consistent, so this can be applied with patch -p0.
 	Reported by Matthew Woehlke.

+	Arrange for "make check-root" to run the new root-only test.
+	* tests/Makefile.am (t9): New target, to run tests/cp/cp-a-selinux.
+	(all_t): Add t9.
+
 	* Makefile.maint (patch-check): Use patch with its -p2 option,
 	since that makes this check slightly more strict.

+	Use a directory on a loopback device mounted with -o context=...
+	* tests/cp/cp-a-selinux: Since this test now runs mount and umount,
+	it is a root-only one.
+
 2007-01-29  Jim Meyering  <jim@meyering.net>

 	Plug a leak in ls.
@@ -30,7 +30,7 @@ SUBDIRS = \
  tsort unexpand uniq wc
 ## N O T E :: Please do not add new directories.

-all_t = t1 t2 t3 t4 t5 t6 t7 t8
+all_t = t1 t2 t3 t4 t5 t6 t7 t8 t9
 .PHONY: check-root $(all_t)
 check-root: $(all_t)

@@ -50,6 +50,8 @@ t7:
 	cd ls    && $(MAKE) check TESTS=nameless-uid
 t8:
 	cd misc  && $(MAKE) check TESTS=chcon
+t9:
+	cd cp    && $(MAKE) check TESTS=cp-a-selinux

 check-recursive: root-hint

@@ -27,19 +27,28 @@ fi
 . $srcdir/../envvar-check
 . $srcdir/../lang-default
 . $srcdir/../selinux
-PRIV_CHECK_ARG=require-non-root . $srcdir/../priv-check
+PRIV_CHECK_ARG=require-root . $srcdir/../priv-check

 pwd=`pwd`
 t0=`echo "$0"|sed 's,.*/,,'`.tmp; tmp=$t0/$$
-trap 'status=$?; cd "$pwd" && chmod -R u+rwx $t0 && rm -rf $t0 && exit $status' 0
+trap 'status=$?; cd "$pwd"; umount $tmp/mnt; chmod -R u+rwx $t0 && rm -rf $t0 && exit $status' 0
 trap '(exit $?); exit $?' 1 2 13 15

 framework_failure=0
 mkdir -p $tmp || framework_failure=1
 cd $tmp || framework_failure=1

-echo > f || framework_failure=1
-echo > g || framework_failure=1
+# Create a file system, then mount it with the context=... option.
+dd if=/dev/zero of=blob bs=8192 count=200 > /dev/null 2>&1 \
+                                             || framework_failure=1
+mkdir mnt                                    || framework_failure=1
+mkfs -t ext2 -F blob > /dev/null 2>&1        || framework_failure=1
+mount -oloop,context=system_u:object_r:removable_t blob mnt \
+                                             || framework_failure=1
+cd mnt                                       || framework_failure=1
+
+echo > f                                     || framework_failure=1
+echo > g                                     || framework_failure=1

 if test $framework_failure = 1; then
  echo "$0: failure in testing framework" 1>&2
@@ -58,25 +67,20 @@ rm -f g err
 echo > g

 # =====================================================
-# Here, we expect cp to fail, because it (currently?) cannot
-# set the SELinux security context through NFS.
+# Here, we expect cp to fail, because it cannot set the SELinux
+# security context through NFS or a mount with fixed context.
 cp --preserve=context f g 2> out && fail=1

 # Here, we *do* expect the destination to be empty.
 test -s g && fail=1

-# FIXME: currently, this test must be run in an NFS mounted
-# directory, and that's not checked.  Move this part into a separate
-# test and make that a prerequisite.
-# In addition, we can add a root-only test that takes one of two
-# approaches: 1) create a loopback context=... mount and run the test there.
-# 2) run in a confined domain (maybe creating/loading it) that lacks the
-# required permissions to the file type).
-
-# Currently, I get this diagnostic:
+# An alternative to the current approach would be to run in a confined
+# domain (maybe creating/loading it) that lacks the required permissions
+# to the file type.
+# Note: this test could also be run by a regular (non-root) user in an
+# NFS mounted directory.  When doing that, I get this diagnostic:
 # cp: failed to set the security context of `g' to `system_u:object_r:nfs_t': \
 #   Operation not supported
-# but don't want to depend on ENOTSUP or that specific context triple:
 sed "s/ .g' to .*//" out > k
 mv k out