Eric Blake 95577af442 selinux: enhance test to cover nfs label failure
Daniel Berrange (correctly) pointed out that we should do a better
job of testing selinux labeling fallbacks on NFS disks that lack
labeling support.

* tests/securityselinuxhelper.c (includes): Makefile already
guaranteed xattr support.  Add additional headers.
(init_syms): New function, borrowing from vircgroupmock.c.
(setfilecon_raw, getfilecon_raw): Fake NFS failure.
(statfs): Fake an NFS mount point.
(security_getenforce, security_get_boolean_active): Don't let host
environment affect test.
* tests/securityselinuxlabeldata/nfs.data: New file.
* tests/securityselinuxlabeldata/nfs.xml: New file.
* tests/securityselinuxlabeltest.c (testSELinuxCreateDisks)
(testSELinuxDeleteDisks): Setup and cleanup for fake NFS mount.
(testSELinuxCheckLabels): Test handling of SELinux NFS denial.
Fix memory leak.
(testSELinuxLabeling): Avoid infinite loop on dirty tree.
(mymain): Add new test.
2013-08-20 10:46:58 -06:00

25 lines
788 B
XML

<domain type='kvm'>
<name>vm1</name>
<uuid>c7b3edbd-edaf-9455-926a-d65c16db1800</uuid>
<memory unit='KiB'>219200</memory>
<os>
<type arch='i686' machine='pc-1.0'>hvm</type>
<boot dev='cdrom'/>
</os>
<devices>
<disk type='file' device='disk'>
<driver name='qemu' type='raw'/>
<source file='/nfs/plain.raw'/>
<target dev='vda' bus='virtio'/>
</disk>
<input type='mouse' bus='ps2'/>
<graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'>
<listen type='address' address='0.0.0.0'/>
</graphics>
</devices>
<seclabel model="selinux" type="dynamic" relabel="yes">
<label>system_u:system_r:svirt_t:s0:c41,c264</label>
<imagelabel>system_u:object_r:svirt_image_t:s0:c41,c264</imagelabel>
</seclabel>
</domain>