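#!/usr/bin/env bats
# SELinux integration tests for runc.
#
# setup() gives the runc binary and the container rootfs the labels that
# container-selinux expects (container_runtime_exec_t / container_file_t),
# then each test starts a container with or without an explicit process
# label and checks that `runc run` succeeds. teardown() prints any AVC
# denials logged during the test to make a failure diagnosable.

load helpers

function setup() {
	requires root # for chcon

	# These tests only prove something when the policy is enforced: in
	# permissive mode a mislabelled runc, runc-dmz or rootfs is merely
	# logged and `runc run` still returns 0, so the test would pass for
	# the wrong reason. The skip message has always said "enforcing", but
	# selinuxenabled alone only checks that SELinux is on; verify the mode
	# as well. getenforce ships in the same package as selinuxenabled.
	if ! selinuxenabled || [ "$(getenforce 2>/dev/null)" != "Enforcing" ]; then
		skip "requires SELinux enabled and in enforcing mode"
	fi

	setup_busybox

	# Use a copy of runc binary with proper selinux label set.
	# (The label is applied to the copy so the original binary, which may
	# live on a differently-labelled filesystem, is left untouched.)
	cp "$RUNC" .
	export RUNC="$PWD/runc"
	chcon -u system_u -r object_r -t container_runtime_exec_t "$RUNC"

	# Label container fs.
	chcon -u system_u -r object_r -t container_file_t -R rootfs

	# Save the start date and time for ausearch. %x is locale-dependent, but
	# so is the date format ausearch -ts expects, so the two stay consistent.
	AU_DD="$(date +%x)"
	AU_TT="$(date +%H:%M:%S)"
}

function teardown() {
	teardown_bundle
	# Show any avc denials logged since setup() started. This is diagnostic
	# only: the window can include denials from unrelated processes on the
	# host, so a non-zero ausearch status (including "no matches") must not
	# fail the test -- hence the deliberate `|| true`.
	if [[ -v AU_DD && -v AU_TT ]] && command -v ausearch &>/dev/null; then
		ausearch -ts "$AU_DD" "$AU_TT" -i -m avc || true
	fi
}

# Baseline test, to check that runc works with selinux enabled.
@test "runc run (no selinux label)" {
	update_config ' .process.args = ["/bin/true"]'
	runc run tst
	[ "$status" -eq 0 ]
}

# https://github.com/opencontainers/runc/issues/4057
@test "runc run (custom selinux label, RUNC_DMZ=true)" {
	# centos-7 has an outdated container-selinux (<2.224.0) which means
	# runc-dmz won't work.
	exclude_os centos-7

	update_config ' .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
		| .process.args = ["/bin/true"]'
	# RUNC_DMZ is passed as an environment prefix so it reaches the runc
	# binary invoked by the helper for this one run only.
	RUNC_DMZ=true runc run tst
	# NOTE(review): a zero exit status shows the labelled runc-dmz path did
	# not get denied, but not that the container process actually ran as
	# the requested context; consider running `cat /proc/self/attr/current`
	# in the container and comparing $output with the label above.
	[ "$status" -eq 0 ]
}

@test "runc run (custom selinux label)" {
	update_config ' .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
		| .process.args = ["/bin/true"]'
	runc run tst
	# NOTE(review): as above, status alone does not confirm the process ran
	# with the requested label; a positive check on /proc/self/attr/current
	# would make this test stronger.
	[ "$status" -eq 0 ]
}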