consistent, so this can be applied with patch -p0.
Reported by Matthew Woehlke.
+ Arrange for "make check-root" to run the new root-only test.
+ * tests/Makefile.am (t9): New target, to run tests/cp/cp-a-selinux.
+ (all_t): Add t9.
+
* Makefile.maint (patch-check): Use patch with its -p2 option,
since that makes this check slightly more strict.
+ Use a directory on a loopback device mounted with -o context=...
+ * tests/cp/cp-a-selinux: Since this test now runs mount and umount,
+ it is a root-only one.
+
2007-01-29 Jim Meyering <jim@meyering.net>
Plug a leak in ls.
. $srcdir/../envvar-check
. $srcdir/../lang-default
. $srcdir/../selinux
-PRIV_CHECK_ARG=require-non-root . $srcdir/../priv-check
+PRIV_CHECK_ARG=require-root . $srcdir/../priv-check
pwd=`pwd`
t0=`echo "$0"|sed 's,.*/,,'`.tmp; tmp=$t0/$$
-trap 'status=$?; cd "$pwd" && chmod -R u+rwx $t0 && rm -rf $t0 && exit $status' 0
+trap 'status=$?; cd "$pwd"; umount $tmp/mnt; chmod -R u+rwx $t0 && rm -rf $t0 && exit $status' 0
trap '(exit $?); exit $?' 1 2 13 15
framework_failure=0
mkdir -p $tmp || framework_failure=1
cd $tmp || framework_failure=1
-echo > f || framework_failure=1
-echo > g || framework_failure=1
+# Create a file system, then mount it with the context=... option.
+dd if=/dev/zero of=blob bs=8192 count=200 > /dev/null 2>&1 \
+ || framework_failure=1
+mkdir mnt || framework_failure=1
+mkfs -t ext2 -F blob > /dev/null 2>&1 || framework_failure=1
+mount -oloop,context=system_u:object_r:removable_t blob mnt \
+ || framework_failure=1
+cd mnt || framework_failure=1
+
+echo > f || framework_failure=1
+echo > g || framework_failure=1
if test $framework_failure = 1; then
echo "$0: failure in testing framework" 1>&2
echo > g
# =====================================================
-# Here, we expect cp to fail, because it (currently?) cannot
-# set the SELinux security context through NFS.
+# Here, we expect cp to fail, because it cannot set the SELinux
+# security context through NFS or a mount with fixed context.
cp --preserve=context f g 2> out && fail=1
# Here, we *do* expect the destination to be empty.
test -s g && fail=1
-# FIXME: currently, this test must be run in an NFS mounted
-# directory, and that's not checked. Move this part into a separate
-# test and make that a prerequisite.
-# In addition, we can add a root-only test that takes one of two
-# approaches: 1) create a loopback context=... mount and run the test there.
-# 2) run in a confined domain (maybe creating/loading it) that lacks the
-# required permissions to the file type).
-
-# Currently, I get this diagnostic:
+# An alternative to the current approach would be to run in a confined
+# domain (maybe creating/loading it) that lacks the required permissions
+# to the file type.
+# Note: this test could also be run by a regular (non-root) user in an
+# NFS mounted directory. When doing that, I get this diagnostic:
# cp: failed to set the security context of `g' to `system_u:object_r:nfs_t': \
# Operation not supported
-# but don't want to depend on ENOTSUP or that specific context triple:
sed "s/ .g' to .*//" out > k
mv k out
projects / thirdparty / coreutils.git / commitdiff
