tests/int: add selinux test case

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
opencontainers · Oct 5, 2023 · 67c58b7 · 67c58b7
1 parent d8d576c
commit 67c58b7
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 3 deletions.
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -57,7 +57,7 @@ task:
     mkdir -p -m 0700 /root/.ssh
     vagrant ssh-config >> /root/.ssh/config
   guest_info_script: |
-    ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version"'
+    ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version && sestatus"'
   check_config_script: |
     ssh default /vagrant/script/check-config.sh
   unit_tests_script: |
@@ -79,7 +79,7 @@ task:
     CIRRUS_WORKING_DIR: /home/runc
     GO_VERSION: "1.20"
     BATS_VERSION: "v1.9.0"
-    RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs
+    RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux
     # yamllint disable rule:key-duplicates
     matrix:
       DISTRO: centos-7
@@ -170,6 +170,8 @@ task:
     # -----
     df -T
     # -----
+    sestatus
+    # -----
     cat /proc/cpuinfo
   check_config_script: |
     /home/runc/script/check-config.sh

diff --git a/Vagrantfile.fedora b/Vagrantfile.fedora
@@ -23,7 +23,7 @@ Vagrant.configure("2") do |config|
       cat << EOF | dnf -y --exclude=kernel,kernel-core shell && break
 config install_weak_deps false
 update
-install iptables gcc golang-go make glibc-static libseccomp-devel bats jq git-core criu fuse-sshfs
+install iptables gcc golang-go make glibc-static libseccomp-devel bats jq git-core criu fuse-sshfs container-selinux
 ts run
 EOF
     done

diff --git a/tests/integration/selinux.bats b/tests/integration/selinux.bats
@@ -0,0 +1,50 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	requires root # for chcon
+	if ! selinuxenabled; then
+		skip "requires SELinux enabled and in enforcing mode"
+	fi
+
+	# Use a copy of runc binary with proper selinux label set.
+	cp "$RUNC" .
+	export RUNC="$PWD/runc"
+	chcon -u system_u -r object_r -t container_runtime_exec_t "$RUNC"
+
+	setup_busybox
+	if ! chcon -u system_u -r object_r -t container_file_t -R rootfs; then
+		skip "chcon failed"
+	fi
+}
+
+function teardown() {
+	teardown_bundle
+	# If the test fails, show any avc denials
+	# (some older ones may be unrelated).
+	grep denied /var/log/audit/audit.log | tail || true
+}
+
+# Baseline test, to check that runc works with selinux enabled.
+@test "runc run (no selinux label)" {
+	update_config '	  .process.args = ["/bin/true"]'
+	runc run tst
+	[ "$status" -eq 0 ]
+}
+
+# https://github.com/opencontainers/runc/issues/4057
+@test "runc run (custom selinux label)" {
+	update_config '	  .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
+			| .process.args = ["/bin/true"]'
+	runc run tst
+	[ "$status" -eq 0 ]
+}
+
+@test "runc run (custom selinux label, RUNC_DMZ=legacy)" {
+	export RUNC_DMZ=legacy
+	update_config '	  .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
+			| .process.args = ["/bin/true"]'
+	runc run tst
+	[ "$status" -eq 0 ]
+}