Test SELinux filesystem labels #455
@dkliban: This test fails like so:

```
$ python -m unittest pulp_smash.tests.platform.cli.test_selinux.FileLabelsTestCase
..
======================================================================
FAIL: test_pulp_server_fc (pulp_smash.tests.platform.cli.test_selinux.FileLabelsTestCase) [('/var/lib/pulp', ':object_r:httpd_sys_rw_content_t:s0')]
Test files listed in ``pulp-server.fc``.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/ichimonji10/code/pulp-smash/pulp_smash/tests/platform/cli/test_selinux.py", line 175, in test_pulp_server_fc
    self._do_test(file_, label, True)
  File "/home/ichimonji10/code/pulp-smash/pulp_smash/tests/platform/cli/test_selinux.py", line 147, in _do_test
    self.assertEqual(file_label, label, getfattr_file)
AssertionError: ':object_r:pulp_cert_t:s0' != ':object_r:httpd_sys_rw_content_t:s0'
- :object_r:pulp_cert_t:s0
+ :object_r:httpd_sys_rw_content_t:s0
 : ('var/lib/pulp/static/rsa_pub.key',)
----------------------------------------------------------------------
Ran 3 tests in 1.532s
FAILED (failures=1)
```

Can you provide any input?

EDIT: Tested against a matrix of eight systems, running Pulp 2.10 and 2.11, on RHEL 6.8, RHEL 7.3, Fedora 23 and Fedora 24. |
@elyezer This test makes use of the |
Definitely, I will handle that for you. |
By the way, I checked, and the file is called EDIT: Sorry about the "needs work" label flip-flop. I'm still waiting on feedback on #455 (comment). |
Pulp Smash is now making use of the `getfattr` command. That said, make sure the attr package, which provides the `getfattr` command, is installed. For more information, check the related Pulp Smash PR pulp/pulp-smash#455.
Rebased. I also made the minor change of moving a comment. |
@Ichimonji10 The pulp_cert_t type makes sense. Without it, SELinux would not allow Pulp to use this file as a cert. However, we should probably have an explicit statement in our SELinux policy that says this file needs to have this security context type. I suspect running restorecon would change the security context type to httpd_sys_rw_content_t. @bmbouter what do you think? |
@dkliban Running As a reminder, pulp-server.fc states that the file should have a context of |
Add test case `FileLabelsTestCase` in module `pulp_smash.tests.platform.cli.test_selinux`. Fix: #442
Test now passes. See: https://pulp.plan.io/issues/2508 |
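
An added example, not part of this PR or Pulp Smash's own code: a standalone sketch of the check discussed in this thread, which parses `getfattr` output and compares each file's label (SELinux user omitted, as in the traceback above) with the label expected for a directory tree. The sample output, the function names and the one-label-per-tree expectation are assumptions made for illustration.

```python
import re

# Constructed sample of `getfattr --name=security.selinux` output (not from the PR).
# getfattr drops the leading "/" from paths, and some versions show the
# xattr's trailing NUL byte as a literal \000 inside the quotes.
SAMPLE = r'''# file: var/lib/pulp
security.selinux="system_u:object_r:httpd_sys_rw_content_t:s0"

# file: var/lib/pulp/static
security.selinux="system_u:object_r:httpd_sys_rw_content_t:s0\000"

# file: var/lib/pulp/static/rsa_pub.key
security.selinux="system_u:object_r:pulp_cert_t:s0"
'''

RECORD = re.compile(
    r'^# file: (?P<path>.+)\nsecurity\.selinux="(?P<ctx>[^"]*)"$', re.MULTILINE)


def parse_getfattr(text):
    """Map each path in getfattr output to its label without the SELinux user."""
    labels = {}
    for match in RECORD.finditer(text):
        context = match.group('ctx')
        if context.endswith('\\000'):  # literal backslash + "000"
            context = context[:-4]
        # "system_u:object_r:t:s0" -> ":object_r:t:s0", the form in the traceback.
        labels[match.group('path')] = context[context.index(':'):]
    return labels


def find_mismatches(text, root, expected):
    """Return (path, actual, expected) for each path at or under root whose label differs."""
    root = root.strip('/')  # match getfattr's slash-less path form
    return [
        (path, actual, expected)
        for path, actual in sorted(parse_getfattr(text).items())
        if (path == root or path.startswith(root + '/')) and actual != expected
    ]


if __name__ == '__main__':
    for row in find_mismatches(
            SAMPLE, '/var/lib/pulp', ':object_r:httpd_sys_rw_content_t:s0'):
        print('%s: %s != %s' % row)
```

A more specific expectation for a single file, checked separately from the tree-wide one, is what keeps a file such as `rsa_pub.key` from being reported against its parent directory's label.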
ACK