Test SELinux filesystem labels

[Ichimonji10]

Add test case FileLabelsTestCase in module
pulp_smash.tests.platform.cli.test_selinux.

Fix: #442

[Ichimonji10]

@dkliban: This test fails like so:

$ python -m unittest pulp_smash.tests.platform.cli.test_selinux.FileLabelsTestCase
..
======================================================================
FAIL: test_pulp_server_fc (pulp_smash.tests.platform.cli.test_selinux.FileLabelsTestCase) [('/var/lib/pulp', ':object_r:httpd_sys_rw_content_t:s0')]
Test files listed in ``pulp-server.fc``.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/ichimonji10/code/pulp-smash/pulp_smash/tests/platform/cli/test_selinux.py", line 175, in test_pulp_server_fc
    self._do_test(file_, label, True)
  File "/home/ichimonji10/code/pulp-smash/pulp_smash/tests/platform/cli/test_selinux.py", line 147, in _do_test
    self.assertEqual(file_label, label, getfattr_file)
AssertionError: ':object_r:pulp_cert_t:s0' != ':object_r:httpd_sys_rw_content_t:s0'
- :object_r:pulp_cert_t:s0
+ :object_r:httpd_sys_rw_content_t:s0
 : ('var/lib/pulp/static/rsa_pub.key',)

----------------------------------------------------------------------
Ran 3 tests in 1.532s

FAILED (failures=1)

Can you provide any input?

EDIT: Tested against a matrix of eight systems, running Pulp 2.10 and 2.11, on RHEL 6.8, RHEL 7.3, Fedora 23 and Fedora 24.

[coveralls]

Coverage remained the same at 66.373% when pulling f911506 on Ichimonji10:psmash-442 into fe72bc0 on PulpQE:master.

[Ichimonji10]

@elyezer This test makes use of the getfattr executable. This executable is available out of the box on Fedora, but needs to be installed on RHEL. Can a step to install the attr package be added to pulp_packaging or some other appropriate script?

[elyezer]

@elyezer This test makes use of the getfattr executable. This executable is available out of the box on Fedora, but needs to be installed on RHEL. Can a step to install the attr package be added to pulp_packaging or some other appropriate script?

Definitely, I will handle that for you.

[Ichimonji10]

By the way, I checked, and the file is called attr on Fedora 23, Fedora 24, RHEL 6.8 and RHEL 7.3. No platform-specific logic should be necessary.

EDIT: Sorry about the "needs work" label flip-flop. I'm still waiting on feedback on #455 (comment).

[Ichimonji10]

Rebased. I also made the minor change of moving a comment.

[coveralls]

Coverage remained the same at 66.373% when pulling 2e0e5f5 on Ichimonji10:psmash-442 into 74d2e2b on PulpQE:master.

[coveralls]

Coverage remained the same at 66.373% when pulling 338754e on Ichimonji10:psmash-442 into 9d23684 on PulpQE:master.

[coveralls]

Coverage remained the same at 66.373% when pulling 279cbe0 on Ichimonji10:psmash-442 into 70214dd on PulpQE:master.

[dkliban]

@Ichimonji10 The pulp_cert_t type makes sense. Without it, SELinux would not allow Pulp to use this file as a cert. However, we should probably have an explicit statement in our SELinux policy that says this file needs to have this security context type. I suspect running restorecon would change the security context type to httpd_sys_rw_content_t.

@bmbouter what do you think?

[coveralls]

Coverage remained the same at 66.373% when pulling e58f43c on Ichimonji10:psmash-442 into c99907a on PulpQE:master.

[Ichimonji10]

@dkliban Running restorecon /var/lib/pulp/static/rsa_pub.key sets the file's context to unconfined_u:object_r:pulp_cert_t:s0. Nothing changes, and the automated Pulp Smash test still fails.

As a reminder, pulp-server.fc states that the file should have a context of system_u:object_r:httpd_sys_rw_content_t:s0.

[Ichimonji10]

Test now passes. See: https://pulp.plan.io/issues/2508

[coveralls]

Coverage remained the same at 66.373% when pulling dbf29a4 on Ichimonji10:psmash-442 into c99907a on PulpQE:master.

[elyezer]

ACK