tests: support non-MLS enabled SELinux systems

When running "make check" on a Linux system running SELinux with a
non-MLS policy, tests/mkdir/restorecon.sh test fails with:

  chcon: invalid context: root:object_r:tmp_t:s0: Invalid argument

Indeed in such a configuration, contexts cannot have ":s0" suffix.

* init.cfg (get_selinux_type): Refactor this function to here
from various tests.  Update to work with a non-MLS policy.
(mls_enabled_): A new function to detect if MLS is enabled.
(skip_if_mcstransd_is_running_): Update to not skip when
MLS is not enabled.
* tests/mkdir/restorecon.sh: Use a valid non-MLS context when needed.
* tests/install/install-Z-selinux.sh: Likewise.
* tests/cp/cp-a-selinux.sh: Likewise.
* tests/misc/selinux.sh: Likewise.
* tests/misc/chcon.sh: Skip if non-MLS as --range used throughout.
Fixes http://bugs.gnu.org/22631

diff --git a/init.cfg b/init.cfg
index db861944c6af45c18dc59294489f7512760bea2a..f2950efb05995f982fc2b0dbc162f1461f167b7b 100644 (file)
--- a/init.cfg
+++ b/init.cfg
@@ -128,6 +128,15 @@ require_selinux_()
   esac
 }
 
+# Return the SELinux type component if available
+get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\)[: ].*/\1/p'; }
+
+# Whether SELinux Multi Level Security is enabled
+mls_enabled_() {
+  sestatus 2>&1 |
+  grep 'Policy MLS status:.*enabled' > /dev/null
+}
+
 # Skip this test if we're not in SELinux "enforcing" mode.
 require_selinux_enforcing_()
 {
@@ -637,10 +646,13 @@ skip_if_mcstransd_is_running_()
   # and if it's running, skip this test.
   __ctx=$(stat --printf='%C\n' .) || framework_failure_
   case $__ctx in
-    *:*:*:*) ;; # four components is ok
-    *) # anything else probably means mcstransd is running
-        skip_ "unexpected context '$__ctx'; turn off mcstransd" ;;
+    *:*:*:*) __ctx_ok=1 ;; # four components is ok
+    *:*:*)  # three components is ok too if there is no MLS
+        mls_enabled_ && __ctk_ok=1 ;;
   esac
+
+  test "$__ctx_ok" ||
+   skip_ "unexpected context '$__ctx'; turn off mcstransd"
 }
 
 # Skip the current test if umask doesn't work as usual.

diff --git a/tests/cp/cp-a-selinux.sh b/tests/cp/cp-a-selinux.sh
index 89735b65a8326de1e0349c1caedd9c9e8bbf1d97..3915952188dd379bd858c9fbf454377c2c962566 100755 (executable)
--- a/tests/cp/cp-a-selinux.sh
+++ b/tests/cp/cp-a-selinux.sh
@@ -28,7 +28,8 @@ cwd=$(pwd)
 cleanup_() { cd /; umount "$cwd/mnt"; }
 
 # This context is special: it works even when mcstransd isn't running.
-ctx=root:object_r:tmp_t:s0
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
 
 # Check basic functionality - before check on fixed context mount
 touch c || framework_failure_
@@ -62,7 +63,6 @@ grep $ctx ed_ctx &&
   { ls -lZd restore/existing_dir; fail=1; }
 
 # Check restorecon (-Z) functionality for file and directory
-get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
 # Also make a dir with our known context
 mkdir c_d || framework_failure_
 chcon $ctx c_d || framework_failure_

diff --git a/tests/install/install-Z-selinux.sh b/tests/install/install-Z-selinux.sh
index 9c3b6420bc95d4791eddff536bd362208ba5a8a9..c63a4786230a38485f4122de00486b6e8281b344 100755 (executable)
--- a/tests/install/install-Z-selinux.sh
+++ b/tests/install/install-Z-selinux.sh
@@ -21,11 +21,10 @@
 print_ver_ ginstall
 require_selinux_
 
-
-get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
-
 mkdir subdir || framework_failure_
-chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
+chcon "$ctx" subdir || framework_failure_
 cd subdir
 
 # Since in a tmp_t dir, dirs can be created as user_tmp_t ...

diff --git a/tests/misc/chcon.sh b/tests/misc/chcon.sh
index bd40fbc7d3149640b743496acec19cfba8d5d21c..c99021907172c6abaf7d81ae79bd00ffedb285cd 100755 (executable)
--- a/tests/misc/chcon.sh
+++ b/tests/misc/chcon.sh
@@ -21,6 +21,7 @@ print_ver_ chcon
 require_root_
 require_selinux_
 skip_if_mcstransd_is_running_
+mls_enabled_ || skip_ 'MLS is disabled'
 
 mkdir -p d/sub/s2 || framework_failure_
 touch f g d/sub/1 d/sub/2 || framework_failure_

diff --git a/tests/misc/selinux.sh b/tests/misc/selinux.sh
index a9515680a44fe41116ad9924199e85ec3696780a..28c05c4f82d7736e6baf8dd6fc8ad062ca106824 100755 (executable)
--- a/tests/misc/selinux.sh
+++ b/tests/misc/selinux.sh
@@ -30,7 +30,8 @@ mkfifo_or_skip_ p
 
 
 # special context that works both with and without mcstransd
-ctx=root:object_r:tmp_t:s0
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
 
 chcon $ctx f d p ||
   skip_ '"chcon '$ctx' ..." failed'

diff --git a/tests/mkdir/restorecon.sh b/tests/mkdir/restorecon.sh
index 0e7f03bc93dbee11a7ba0995f1d060284ad8d617..49e72196ff880e7904a338d667873bdada0d8a3f 100755 (executable)
--- a/tests/mkdir/restorecon.sh
+++ b/tests/mkdir/restorecon.sh
@@ -20,11 +20,10 @@
 print_ver_ mkdir mknod mkfifo
 require_selinux_
 
-
-get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; }
-
 mkdir subdir || framework_failure_
-chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_
+ctx='root:object_r:tmp_t'
+mls_enabled_ && ctx="$ctx:s0"
+chcon "$ctx" subdir || framework_failure_
 cd subdir
 
 # --- mkdir -Z ---