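// +build !remoteclient

package integration

import (
	. "github.com/containers/libpod/test/utils"
	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	"github.com/opencontainers/selinux/go-selinux"
)

// These specs check the SELinux process and file contexts that podman
// assigns to containers: the default confined domain, the effect of
// --security-opt label=... and --privileged, and the label of the files
// podman itself mounts into the container. They only run on a host with
// SELinux enabled.
var _ = Describe("Podman run", func() {
	var (
		tempdir    string
		err        error
		podmanTest *PodmanTestIntegration
	)

	// runAndExpectLabel runs podman with args, requires a zero exit
	// status and asserts that label appears in the output. Nearly every
	// spec below has this shape; ExpectWithOffset(1, ...) keeps a failure
	// attributed to the calling It block rather than to this helper.
	runAndExpectLabel := func(args []string, label string) {
		session := podmanTest.Podman(args)
		session.WaitWithDefaultTimeout()
		ExpectWithOffset(1, session.ExitCode()).To(Equal(0))
		match, _ := session.GrepString(label)
		ExpectWithOffset(1, match).Should(BeTrue(), "expected %q in podman output", label)
	}

	BeforeEach(func() {
		tempdir, err = CreateTempDirInTempDir()
		// Fail the spec (and let AfterEach report it) instead of
		// os.Exit(1), which tore down the whole suite without a message.
		Expect(err).To(BeNil())
		podmanTest = PodmanTestCreate(tempdir)
		podmanTest.Setup()
		podmanTest.SeedImages()
		if !selinux.GetEnabled() {
			Skip("SELinux not enabled")
		}
	})

	AfterEach(func() {
		podmanTest.Cleanup()
		f := CurrentGinkgoTestDescription()
		processTestResult(f)
	})

	// A plain container must run confined as container_t.
	It("podman run selinux", func() {
		runAndExpectLabel([]string{"run", ALPINE, "cat", "/proc/self/attr/current"}, "container_t")
	})

	// An explicit MCS level must show up in the process context.
	It("podman run selinux grep test", func() {
		runAndExpectLabel([]string{"run", "-it", "--security-opt", "label=level:s0:c1,c2", ALPINE, "cat", "/proc/self/attr/current"}, "s0:c1,c2")
	})

	// label=disable is expected to put the process in spc_t.
	It("podman run selinux disable test", func() {
		runAndExpectLabel([]string{"run", "-it", "--security-opt", "label=disable", ALPINE, "cat", "/proc/self/attr/current"}, "spc_t")
	})

	// Either the current (container_t) or the legacy (svirt_lxc_net_t)
	// confined type is accepted here, so older policies still pass.
	It("podman run selinux type check test", func() {
		session := podmanTest.Podman([]string{"run", "-it", ALPINE, "cat", "/proc/self/attr/current"})
		session.WaitWithDefaultTimeout()
		Expect(session.ExitCode()).To(Equal(0))
		isContainerT, _ := session.GrepString("container_t")
		isLegacyT, _ := session.GrepString("svirt_lxc_net_t")
		Expect(isContainerT || isLegacyT).Should(BeTrue())
	})

	// An explicit process type must be honoured.
	It("podman run selinux type setup test", func() {
		runAndExpectLabel([]string{"run", "-it", "--security-opt", "label=type:spc_t", ALPINE, "cat", "/proc/self/attr/current"}, "spc_t")
	})

	// --privileged is expected to land in spc_t, like label=disable.
	It("podman privileged selinux", func() {
		runAndExpectLabel([]string{"run", "--privileged", ALPINE, "cat", "/proc/self/attr/current"}, "spc_t")
	})

	// Files podman generates and mounts into the container must carry
	// container_file_t so a confined container can read them.
	It("podman test selinux label resolv.conf", func() {
		runAndExpectLabel([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/resolv.conf"}, "container_file_t")
	})

	It("podman test selinux label hosts", func() {
		runAndExpectLabel([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/hosts"}, "container_file_t")
	})

	It("podman test selinux label hostname", func() {
		runAndExpectLabel([]string{"run", fedoraMinimal, "ls", "-Z", "/etc/hostname"}, "container_file_t")
	})

	It("podman test selinux label /run/secrets", func() {
		SkipIfRootless()
		runAndExpectLabel([]string{"run", fedoraMinimal, "ls", "-dZ", "/run/secrets"}, "container_file_t")
	})

	// The same mounted files keep container_file_t under --privileged.
	It("podman test selinux --privileged label resolv.conf", func() {
		runAndExpectLabel([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/resolv.conf"}, "container_file_t")
	})

	It("podman test selinux --privileged label hosts", func() {
		runAndExpectLabel([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/hosts"}, "container_file_t")
	})

	It("podman test selinux --privileged label hostname", func() {
		runAndExpectLabel([]string{"run", "--privileged", fedoraMinimal, "ls", "-Z", "/etc/hostname"}, "container_file_t")
	})

	It("podman test selinux --privileged label /run/secrets", func() {
		SkipIfRootless()
		runAndExpectLabel([]string{"run", "--privileged", fedoraMinimal, "ls", "-dZ", "/run/secrets"}, "container_file_t")
	})

	// A valid label=filetype: is applied to the container's files; an
	// unknown file type (foobar) must be rejected, which podman reports
	// with exit status 126.
	It("podman run selinux file type setup test", func() {
		runAndExpectLabel([]string{"run", "-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:container_var_lib_t", fedoraMinimal, "ls", "-Z", "/dev"}, "container_var_lib_t")

		rejected := podmanTest.Podman([]string{"run", "-it", "--security-opt", "label=type:spc_t", "--security-opt", "label=filetype:foobar", fedoraMinimal, "ls", "-Z", "/dev"})
		rejected.WaitWithDefaultTimeout()
		Expect(rejected.ExitCode()).To(Equal(126))
	})

	// A process started with podman exec must run in the same context as
	// the container's PID 1, i.e. exec must not escape the container's
	// label.
	It("podman exec selinux check", func() {
		setup := podmanTest.RunTopContainer("test1")
		setup.WaitWithDefaultTimeout()
		Expect(setup.ExitCode()).To(Equal(0))

		pid1Context := podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/1/attr/current"})
		pid1Context.WaitWithDefaultTimeout()
		execContext := podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
		execContext.WaitWithDefaultTimeout()
		Expect(pid1Context.OutputToString()).To(Equal(execContext.OutputToString()))
	})
})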