author | Daniel J Walsh <dwalsh@redhat.com> | 2021-03-03 08:28:29 -0500 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2021-03-03 16:49:51 -0500 |
commit | 252aec1c9ae7e7ed01a4b72cf208e3c0130eb7e7 (patch) | |
tree | 2aba6df6f8320f0b475120cf722956d21503daa7 /test/system/410-selinux.bats | |
parent | 87e20560ac885c541784af1341098ce8e1e7a940 (diff) | |
Check for supportsKVM based on basename of the runtime
Fixes: https://github.com/containers/podman/issues/9582
This PR also adds tests to make sure SELinux labels match the runtime,
or if init is specified works with the correct label.
Add tests for selinux kvm/init labels
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'test/system/410-selinux.bats')
-rw-r--r-- | test/system/410-selinux.bats | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
index 7482d3e55..215b2832e 100644
--- a/test/system/410-selinux.bats
+++ b/test/system/410-selinux.bats
@@ -39,17 +39,17 @@ function check_label() {
 }
 
 @test "podman selinux: container with label=disable" {
- skip_if_rootless
-
 check_label "--security-opt label=disable" "spc_t"
 }
 
 @test "podman selinux: privileged container" {
- skip_if_rootless
-
 check_label "--privileged --userns=host" "spc_t"
 }
 
+@test "podman selinux: init container" {
+ check_label "--systemd=always" "container_init_t"
+}
+
 @test "podman selinux: pid=host" {
 # FIXME FIXME FIXME: Remove these lines once all VMs have >= 2.146.0
 # (this is ugly, but better than an unconditional skip)
@@ -74,6 +74,18 @@ function check_label() {
 check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2"
 }
 
+@test "podman selinux: inspect kvm labels" {
+ skip_if_no_selinux
+ skip_if_remote "runtime flag is not passed over remote"
+ if [ ! -e /usr/bin/kata-runtime ]; then
+ skip "kata-runtime not available"
+ fi
+
+ run_podman create --runtime=kata --name myc $IMAGE
+ run_podman inspect --format='{{ .ProcessLabel }}' myc
+ is "$output" ".*container_kvm_t.*"
+}
+
 # pr #6752
 @test "podman selinux: inspect multiple labels" {
 skip_if_no_selinux |
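Review bot: The two `skip_if_rootless` guards are dropped from the label=disable and privileged tests without any mention in the commit message, so both tests now assert `spc_t` for rootless runs too. If that is the intent, record it in the description or in a one-line comment above each call, for example `# spc_t is expected for root and rootless alike`. The new init-container test has no skip guard of its own, so on a host without SELinux it depends entirely on what `check_label` does. `check_label` is defined outside this hunk, so whether it skips in that case could not be confirmed from here.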
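Review bot: The kvm test reads `.ProcessLabel` from a container that is created but never started, so it checks the label podman records, not the label the kernel applies to the process. If that is deliberate because kata may not be able to start on the CI hosts, say so above `run_podman create`, e.g. `# create only: verifies the configured label, the container is never started`. The test also selects the runtime only by name (`--runtime=kata`), while the commit title is about matching on the basename of the runtime. A second case using `--runtime=/usr/bin/kata-runtime` would cover the path form, presumably the case from the linked issue. The container `myc` is never removed inside the test, so unless the suite teardown is known to clean it up, finish with `run_podman rm myc`.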