1 package label
2
import (
	"errors"
	"os"
	"runtime"
	"strings"
	"testing"

	"github.com/opencontainers/selinux/go-selinux"
)
11
// needSELinux skips the calling test when selinux.GetEnabled reports that
// SELinux is not enabled on this host.
func needSELinux(t *testing.T) {
	t.Helper()
	if selinux.GetEnabled() {
		return
	}
	t.Skip("SELinux not enabled, skipping.")
}
18
// TestInit exercises InitLabels with an empty option list, the "disable"
// option, a full user/role/type/level option set and a malformed option, and
// checks that ROMountLabel returns a non-empty label.
func TestInit(t *testing.T) {
	needSELinux(t)

	// A nil option list must be accepted without error.
	var noOpts []string
	if _, _, err := InitLabels(noOpts); err != nil {
		t.Fatalf("InitLabels failed: %v:", err)
	}

	if ro := ROMountLabel(); ro == "" {
		t.Fatal("ROMountLabel: empty")
	}

	// With "disable" the process label must be empty, while a fixed mount
	// label is still expected.
	procLabel, mountLabel, err := InitLabels([]string{"disable"})
	if err != nil {
		t.Fatalf("InitLabels(disabled) failed: %v", err)
	}
	if procLabel != "" {
		t.Fatalf("InitLabels(disabled): %q not empty", procLabel)
	}
	if mountLabel != "system_u:object_r:container_file_t:s0:c1022,c1023" {
		t.Fatalf("InitLabels Disabled mlabel Failed, %s", mountLabel)
	}

	// Explicit options: the process label is built from them verbatim; the
	// mount label keeps user and level and may carry either file type name.
	userOpts := []string{"user:user_u", "role:user_r", "type:user_t", "level:s0:c1,c15"}
	procLabel, mountLabel, err = InitLabels(userOpts)
	if err != nil {
		t.Fatalf("InitLabels(user) failed: %v", err)
	}
	mountOK := mountLabel == "user_u:object_r:container_file_t:s0:c1,c15" ||
		mountLabel == "user_u:object_r:svirt_sandbox_file_t:s0:c1,c15"
	if procLabel != "user_u:user_r:user_t:s0:c1,c15" || !mountOK {
		t.Fatalf("InitLabels(user) failed (plabel=%q, mlabel=%q)", procLabel, mountLabel)
	}

	// An option without a "key:value" separator must be rejected.
	badOpts := []string{"user", "role:user_r", "type:user_t", "level:s0:c1,c15"}
	_, _, err = InitLabels(badOpts)
	if err == nil {
		t.Fatal("InitLabels(bad): expected error, got nil")
	}
}
57
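// TestDuplicateLabel checks that DupSecOpt turns a full SELinux context into
// one "key:value" option per field (user, role, type, level) and that
// DisableSecOpt yields "disable" as its first element.
func TestDuplicateLabel(t *testing.T) {
	secopt, err := DupSecOpt("system_u:system_r:container_t:s0:c1,c2")
	if err != nil {
		t.Fatalf("DupSecOpt: %v", err)
	}

	// Expected value for every field of the context passed above.
	want := map[string]string{
		"user":  "system_u",
		"role":  "system_r",
		"type":  "container_t",
		"level": "s0:c1,c2",
	}
	seen := make(map[string]bool, len(want))
	for _, opt := range secopt {
		// Split on the first colon only: the level value itself contains one.
		con := strings.SplitN(opt, ":", 2)
		if len(con) != 2 {
			// Report a malformed option instead of panicking on con[1].
			t.Errorf("DupSecOpt failed: malformed option %q", opt)
			continue
		}
		exp, known := want[con[0]]
		if !known {
			t.Errorf("DupSecOpt failed: invalid field %q", con[0])
			continue
		}
		seen[con[0]] = true
		if con[1] != exp {
			t.Errorf("DupSecOpt Failed %s incorrect: got %q, want %q", con[0], con[1], exp)
		}
	}
	// A field that DupSecOpt dropped (for example the level) must fail the
	// test; the loop above alone would pass on a short or empty result.
	for _, field := range []string{"user", "role", "type", "level"} {
		if !seen[field] {
			t.Errorf("DupSecOpt failed: missing field %q", field)
		}
	}

	secopt = DisableSecOpt()
	if len(secopt) == 0 {
		t.Fatal("DisableSecOpt failed: empty result")
	}
	if secopt[0] != "disable" {
		t.Errorf("DisableSecOpt failed: expected \"disable\", got %q", secopt[0])
	}
}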
96
// TestRelabel checks that Relabel succeeds on a scratch directory (with an
// empty label, shared and unshared) and that it returns an error for system
// paths and, when set, for $HOME. The test expects Relabel to refuse these.
func TestRelabel(t *testing.T) {
	needSELinux(t)

	scratch := t.TempDir()
	label := "system_u:object_r:container_file_t:s0:c1,c2"

	// Accepted cases, all on the temporary directory.
	err := Relabel(scratch, "", true)
	if err != nil {
		t.Fatalf("Relabel with no label failed: %v", err)
	}
	err = Relabel(scratch, label, true)
	if err != nil {
		t.Fatalf("Relabel shared failed: %v", err)
	}
	err = Relabel(scratch, label, false)
	if err != nil {
		t.Fatalf("Relabel unshared failed: %v", err)
	}

	// Paths for which the test requires Relabel to fail.
	refused := []string{"/etc", "/", "/usr", "/usr/", "/etc/passwd"}
	// $HOME is only checked when the variable is set.
	if home := os.Getenv("HOME"); home != "" {
		refused = append(refused, home)
	}
	for _, p := range refused {
		if Relabel(p, label, false) == nil {
			t.Fatalf("Relabel %s succeeded", p)
		}
	}
}
132
// TestValidate checks that Validate returns ErrIncompatibleLabel for "zZ" and
// no error for "Z", "z" and the empty string.
func TestValidate(t *testing.T) {
	// Both flags at once must be reported as incompatible.
	err := Validate("zZ")
	if !errors.Is(err, ErrIncompatibleLabel) {
		t.Fatalf("Expected incompatible error, got %v", err)
	}

	// Each of these alone is valid.
	for _, opt := range []string{"Z", "z", ""} {
		if err := Validate(opt); err != nil {
			t.Fatal(err)
		}
	}
}
147
// TestIsShared checks that IsShared is false for "Z" and true for "z" and for
// "Zz".
func TestIsShared(t *testing.T) {
	upperOnly := IsShared("Z")
	if upperOnly {
		t.Fatalf("Expected label `Z` to not be shared, got %v", upperOnly)
	}

	lowerOnly := IsShared("z")
	if !lowerOnly {
		t.Fatalf("Expected label `z` to be shared, got %v", lowerOnly)
	}

	// With both flags present the test expects the shared result.
	both := IsShared("Zz")
	if !both {
		t.Fatalf("Expected label `Zz` to be shared, got %v", both)
	}
}
159
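// TestSELinuxNoLevel checks a context without a level field: DupSecOpt must
// return exactly three options, and selinux.NewContext followed by Get must
// reproduce the input string.
func TestSELinuxNoLevel(t *testing.T) {
	needSELinux(t)

	tlabel := "system_u:system_r:container_t"
	dup, err := DupSecOpt(tlabel)
	if err != nil {
		t.Fatal(err)
	}

	// user, role and type only; no level option is expected.
	if len(dup) != 3 {
		t.Errorf("DupSecOpt failed on non mls label: expected 3, got %d", len(dup))
	}
	con, err := selinux.NewContext(tlabel)
	if err != nil {
		t.Fatal(err)
	}
	if got := con.Get(); got != tlabel {
		// The message names the API under test; the original misspelled it.
		t.Errorf("NewContext and con.Get() failed on non mls label: expected %q, got %q", tlabel, got)
	}
}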
180
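// TestSocketLabel sets the socket-creation label with selinux.SetSocketLabel
// and checks that selinux.SocketLabel reads the same value back.
func TestSocketLabel(t *testing.T) {
	needSELinux(t)

	// go-selinux documents that SetSocketLabel calls should be wrapped in
	// LockOSThread/UnlockOSThread: the label belongs to the OS thread, so
	// without pinning, the write and the read below can land on different
	// threads.
	runtime.LockOSThread()
	defer runtime.UnlockOSThread()

	label := "system_u:object_r:container_t:s0:c1,c2"
	if err := selinux.SetSocketLabel(label); err != nil {
		t.Fatal(err)
	}
	// Clear the label before the thread is released (this defer runs before
	// the unlock above), so sockets created later on this thread do not
	// inherit the test label. An empty label is expected to restore the
	// default; confirm against the go-selinux version in use.
	defer func() {
		if err := selinux.SetSocketLabel(""); err != nil {
			t.Errorf("resetting socket label: %v", err)
		}
	}()

	nlabel, err := selinux.SocketLabel()
	if err != nil {
		t.Fatal(err)
	}
	if label != nlabel {
		t.Errorf("SocketLabel %s != %s", nlabel, label)
	}
}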
196
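// TestKeyLabel sets the keyring-creation label with selinux.SetKeyLabel and
// checks that selinux.KeyLabel reads the same value back.
func TestKeyLabel(t *testing.T) {
	needSELinux(t)

	// go-selinux documents that SetKeyLabel calls should be wrapped in
	// LockOSThread/UnlockOSThread: the label belongs to the OS thread, so
	// without pinning, the write and the read below can land on different
	// threads.
	runtime.LockOSThread()
	defer runtime.UnlockOSThread()

	label := "system_u:object_r:container_t:s0:c1,c2"
	if err := selinux.SetKeyLabel(label); err != nil {
		t.Fatal(err)
	}
	// Clear the label before the thread is released (this defer runs before
	// the unlock above), so keyrings created later on this thread do not
	// inherit the test label. An empty label is expected to restore the
	// default; confirm against the go-selinux version in use.
	defer func() {
		if err := selinux.SetKeyLabel(""); err != nil {
			t.Errorf("resetting key label: %v", err)
		}
	}()

	nlabel, err := selinux.KeyLabel()
	if err != nil {
		t.Fatal(err)
	}
	if label != nlabel {
		t.Errorf("KeyLabel %s != %s", nlabel, label)
	}
}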
212
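// TestFileLabel checks that a "filetype:" option passed to InitLabels sets the
// type of the returned mount label and that the requested level is kept.
func TestFileLabel(t *testing.T) {
	needSELinux(t)

	opts := []string{"filetype:test_file_t", "level:s0:c1,c15"}
	_, mlabel, err := InitLabels(opts)
	if err != nil {
		t.Fatalf("InitLabels(filetype) failed: %v", err)
	}
	const want = "system_u:object_r:test_file_t:s0:c1,c15"
	if mlabel != want {
		// err is nil on this path, so report the label that was returned.
		t.Fatalf("InitLabels(filetype) failed: mlabel = %q, want %q", mlabel, want)
	}
}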