summaryrefslogtreecommitdiff
path: root/test/e2e/run_selinux_test.go
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-10-05 10:32:28 +0200
committerGitHub <noreply@github.com>2020-10-05 10:32:28 +0200
commit7353000a06f3636515ebcd3b79ca8309db48b693 (patch)
tree0144357de85b0e2c59a3d6529268477421156200 /test/e2e/run_selinux_test.go
parent7c12967257742063206c05f0baec517bc08cbeb6 (diff)
parentd0f3c17912643aca73372aa87f3eadf757621ccc (diff)
downloadpodman-7353000a06f3636515ebcd3b79ca8309db48b693.tar.gz
podman-7353000a06f3636515ebcd3b79ca8309db48b693.tar.bz2
podman-7353000a06f3636515ebcd3b79ca8309db48b693.zip
Merge pull request #7902 from rhatdan/selinux
Add SELinux support for pods
Diffstat (limited to 'test/e2e/run_selinux_test.go')
-rw-r--r--test/e2e/run_selinux_test.go111
1 files changed, 111 insertions, 0 deletions
diff --git a/test/e2e/run_selinux_test.go b/test/e2e/run_selinux_test.go
index 219750bcb..3294f6d3b 100644
--- a/test/e2e/run_selinux_test.go
+++ b/test/e2e/run_selinux_test.go
@@ -182,4 +182,115 @@ var _ = Describe("Podman run", func() {
match2, _ := session.GrepString("s0:c1,c2")
Expect(match2).To(BeTrue())
})
+
+ It("podman pod container share SELinux labels", func() {
+ session := podmanTest.Podman([]string{"pod", "create"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ podID := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ label1 := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(Equal(label1))
+
+ session = podmanTest.Podman([]string{"pod", "rm", podID, "--force"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
+ It("podman pod container --infra=false doesn't share SELinux labels", func() {
+ session := podmanTest.Podman([]string{"pod", "create", "--infra=false"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ podID := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ label1 := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"run", "--pod", podID, ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(Not(Equal(label1)))
+
+ session = podmanTest.Podman([]string{"pod", "rm", podID, "--force"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ })
+
+ It("podman shared IPC NS container share SELinux labels", func() {
+ session := podmanTest.RunTopContainer("test1")
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ label1 := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"run", "--ipc", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(Equal(label1))
+ })
+
+ It("podman shared PID NS container share SELinux labels", func() {
+ session := podmanTest.RunTopContainer("test1")
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ label1 := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"run", "--pid", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(Equal(label1))
+ })
+
+ It("podman shared NET NS container doesn't share SELinux labels", func() {
+ session := podmanTest.RunTopContainer("test1")
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+
+ session = podmanTest.Podman([]string{"exec", "test1", "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ label1 := session.OutputToString()
+
+ session = podmanTest.Podman([]string{"run", "--net", "container:test1", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(Not(Equal(label1)))
+ })
+
+ It("podman test --pid=host", func() {
+ session := podmanTest.Podman([]string{"run", "--pid=host", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
+ })
+
+ It("podman test --ipc=host", func() {
+ session := podmanTest.Podman([]string{"run", "--ipc=host", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("spc_t"))
+ })
+
+ It("podman test --ipc=net", func() {
+ session := podmanTest.Podman([]string{"run", "--net=host", ALPINE, "cat", "/proc/self/attr/current"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ Expect(session.OutputToString()).To(ContainSubstring("container_t"))
+ })
})