On 17/12/16 14:11, Pádraig Brady wrote: > On 16/12/16 20:47, Nicolas Iooss wrote: >> On 12/02/16 05:33, Pádraig Brady wrote: >>> On 11/02/16 06:07, Nicolas Iooss wrote: >>>> When running "make check" on a Linux system running SELinux with a >>>> non-MLS policy, tests/mkdir/restorecon.sh test fails with: >>>> >>>> chcon: invalid context: root:object_r:tmp_t:s0: Invalid argument >>>> >>>> Indeed in such a configuration, contexts cannot have ":s0" suffix. >>>> >>>> * tests/mkdir/restorecon.sh: detect non-MLS SELinux configurations by >>>> using sestatus and in this case use a valid context when calling >>>> runcon. Update the sed pattern of get_selinux_type to always grab the >>>> SELinux type from the output of "ls -Zd" even with a non-MLS policy. >>>> --- >>>> tests/mkdir/restorecon.sh | 8 ++++++-- >>>> 1 file changed, 6 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/tests/mkdir/restorecon.sh b/tests/mkdir/restorecon.sh >>>> index 0e7f03bc93db..cfd3bdda9637 100755 >>>> --- a/tests/mkdir/restorecon.sh >>>> +++ b/tests/mkdir/restorecon.sh 
>>>> @@ -21,10 +21,14 @@ print_ver_ mkdir mknod mkfifo >>>> require_selinux_ >>>> >>>> >>>> -get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\):.*/\1/p'; } >>>> +get_selinux_type() { ls -Zd "$1" | sed -n 's/.*:\(.*_t\)[: ].*/\1/p'; } >>>> >>>> mkdir subdir || framework_failure_ >>>> -chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_ >>>> +if sestatus 2>&1 |grep 'Policy MLS status:.*enabled' > /dev/null; then >>>> + chcon 'root:object_r:tmp_t:s0' subdir || framework_failure_ >>>> +else >>>> + chcon 'root:object_r:tmp_t' subdir || framework_failure_ >>>> +fi >>>> cd subdir >>>> >>>> # --- mkdir -Z --- >>>> >>> >>> +1 >>> >>> thanks! >>> Pádraig >> >> Hi, >> This patch has not been included in coreutils 8.26, which makes >> mkdir/restorecon.sh tests still fails on my system. What should I do for >> this patch to be merged? >> >> Moreover the code which was modified in this patch has been copied in >> tests/install/install-Z-selinux.sh. So this test also fails on systems >> where SELinux is configured with a non-MLS policy. Do I need to send a >> new patch which also modifies this file? > > My bad. Sorry I missed this. > > I presume these root tests have the same issue? > > $ git grep -l ':s0' tests | xargs grep -l require_root_ > tests/cp/cp-a-selinux.sh > tests/misc/chcon.sh > tests/misc/selinux.sh > > I updated those also which can be tested like: > > git am < cu-non-mls-tests.patch > sudo make TESTS="$(echo $(git show --name-only | grep ^tests))" check SUBDIRS=. > > Do those pass on your system? > > I'll apply the attached in your name if so. > > thanks for the follow up. > Pádraig Thanks for your quick reply. 
With your patch I get 3 PASS and 2 SKIP on my system instead of 3 ERROR and 2 SKIP:

    PASS: tests/mkdir/restorecon.sh
    chcon.sh: skipped test: unexpected context 'sysadm_u:object_r:user_home_t'; turn off mcstransd
    SKIP: tests/misc/chcon.sh
    PASS: tests/install/install-Z-selinux.sh
    PASS: tests/cp/cp-a-selinux.sh
    selinux.sh: skipped test: unexpected context 'sysadm_u:object_r:user_home_t'; turn off mcstransd
    SKIP: tests/misc/selinux.sh

I am not running mcstransd and the SKIPs were due to incorrect matching in the skip_if_mcstransd_is_running_ function. I updated this function to accept contexts with three components if MLS is disabled and got one more PASS:

    PASS: tests/mkdir/restorecon.sh
    chcon.sh: skipped test: MLS is disabled
    SKIP: tests/misc/chcon.sh
    PASS: tests/install/install-Z-selinux.sh
    PASS: tests/cp/cp-a-selinux.sh
    PASS: tests/misc/selinux.sh

My updated patch is attached to this email.

Regards,
Nicolas
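
Review bot: The MLS detection in the added "if sestatus 2>&1 |grep 'Policy MLS status:.*enabled' > /dev/null" line falls through to the non-MLS branch whenever sestatus is missing or prints different wording, because the pipeline turns a failed command into a plain non-match. On an MLS system without sestatus the test would then call chcon 'root:object_r:tmp_t' with no level, and nothing in the output would say why. Please skip or fail the test explicitly when sestatus cannot be run. It would also help to move the check into a shared helper, since the same ':s0' context is used in tests/install/install-Z-selinux.sh and the other SELinux tests named in this thread. In get_selinux_type, the new pattern 's/.*:\(.*_t\)[: ].*/\1/p' keeps the greedy '.*' inside the capture group, so a path containing "_t" followed by ':' or a space can extend the match past the type field. A narrower class such as [^: ]*_t for the captured part would tie it to a single context field.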