diff options
| author | Colin Walters <walters@verbum.org> | 2017-09-26 12:41:07 -0400 |
|---|---|---|
| committer | Atomic Bot <atomic-devel@projectatomic.io> | 2017-09-27 13:13:14 +0000 |
| commit | 5963d5a2a95b0aea7d306fc4ed5967b3e6ac4d83 (patch) | |
| tree | 8494d98a6e732d5f0962b27776327174271430df /tests/libtest.sh | |
| parent | 25a7c4bd4e8aeaf68689fcd2ddc2f907f2f76f1f (diff) | |
| download | ostree-5963d5a2a95b0aea7d306fc4ed5967b3e6ac4d83.tar.gz | |
tests,ci: Move "test-basic" (bare mode) to installed test
Our CI uses default Docker, which has SELinux labeling but is rather
evil in returning `EOPNOTSUPP` to any attempts to set `security.selinux`,
even if to the same value.
The previous fire 🔥 for this was: https://github.com/ostreedev/ostree/pull/759
The `bare` repo mode really only makes sense as uid 0, so our installed
test framework is a good match for this. However, the unit tests *do*
work in a privileged container even as non-root, and *also* should
work on SELinux-disabled systems. So let's teach the test framework
how to skip in those situations.
I tested this both in a priv container (my default builder) and an unpriv
container (like our CI).
At the same time, start executing the `test-basic.sh` from an installed test,
so we get better coverage than before.
This is just the start - all of the sysroot tests really need the
same treatment.
Closes: #1217
Approved by: jlebon
Diffstat (limited to 'tests/libtest.sh')
| -rwxr-xr-x | tests/libtest.sh | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/tests/libtest.sh b/tests/libtest.sh index 9bfc199f..ed6cc43d 100755 --- a/tests/libtest.sh +++ b/tests/libtest.sh @@ -546,6 +546,30 @@ skip_without_user_xattrs () { fi } +# Skip unless SELinux is disabled, or we can relabel. +# Default Docker has security.selinux xattrs, but returns +# EOPNOTSUPP when trying to set them, even to the existing value. +# https://github.com/ostreedev/ostree/pull/759 +# https://github.com/ostreedev/ostree/pull/1217 +skip_without_no_selinux_or_relabel () { + cd ${test_tmpdir} + echo testlabel > testlabel.txt + selinux_xattr=security.selinux + if getfattr --encoding=base64 -n ${selinux_xattr} testlabel.txt >label.txt 2>err.txt; then + label=$(grep -E -e "^${selinux_xattr}=" < label.txt |sed -e "s,${selinux_xattr}=,,") + if setfattr -n ${selinux_xattr} -v ${label} testlabel.txt 2>err.txt; then + echo "SELinux enabled in $(pwd), and have privileges to relabel" + return 0 + else + sed -e 's/^/# /' < err.txt >&2 + skip "Found SELinux label, but unable to set (Unprivileged Docker?)" + fi + else + sed -e 's/^/# /' < err.txt >&2 + skip "Unable to retrieve SELinux label, assuming disabled" + fi +} + # https://brokenpi.pe/tools/strace-fault-injection _have_strace_fault_injection='' have_strace_fault_injection() { |