summaryrefslogtreecommitdiff
path: root/test/system/410-selinux.bats
Commit message (Collapse)AuthorAge
* Don't relabel volumes if running in a privileged containerDaniel J Walsh2021-04-05
| | | | | | | | | Docker does not relabel this content, and openstack is running containers in this manner. There is a penalty for doing this on each container, that is not worth taking on a disable SELinux container. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* System tests: reenable a bunch of skipped testsEd Santiago2021-03-20
| | | | | | | | Checking for 'skip.*[0-9]{4,5}', and checking status on said issues, finds several that have been closed. Let's see if they're really fixed. Signed-off-by: Ed Santiago <santiago@redhat.com>
* Add tests for selinux kvm/init labelsDaniel J Walsh2021-03-04
| | | | | | spc_t tests should be able to run rootless as well. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Check for supportsKVM based on basename of the runtimeDaniel J Walsh2021-03-03
| | | | | | | | | | | Fixes: https://github.com/containers/podman/issues/9582 This PR also adds tests to make sure SELinux labels match the runtime, or if init is specified works with the correct label. Add tests for selinux kvm/init labels Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* System tests: cover gaps from the last monthEd Santiago2021-01-25
| | | | | | | | | | | | | | | | | | | - stop: test --all and --ignore (#9051) - build: test /run/secrets (#8679, but see below) - sensitive mount points: deal with 'stat' failures - selinux: confirm useful diagnostics on unknown labels (#8946) The 'build' test is intended as a fix for #8679, in which 'podman build' does not mount secrets from mounts.conf. Unfortunately, as of this writing, 'podman build' does not pass the --default-mounts-file option to buildah, so there's no reasonable way to test this path. Still, we can at least confirm /run/secrets on 'podman run'. The /sys thing is related to #8949: RHEL8, rootless, cgroups v1. It's just a workaround to get gating tests to pass on RHEL. Signed-off-by: Ed Santiago <santiago@redhat.com>
* system tests: cleanup, and add more testsEd Santiago2020-10-07
| | | | | | | | | | | | | | | | | | | | - images test: add test for 'table' and '\t' formatting - image mount test: check output from 'umount', test repeat umount (NOP), and test invalid-umount - kill test: remove kludgy workaround for crun signal bug ref: #5004 -- code is no longer needed (fingers crossed), and the workaround involved pulling an expensive image. - selinux test: add new tests for shared context in: * pods , w/ and w/o infra container (ref: #7902) * containers with namespace sharing: --ipc, --pid, --net - selinux test: new test for --pid=host (disabled pending propagation of container-selinux-2.146, ref: #7939) Signed-off-by: Ed Santiago <santiago@redhat.com>
* Handle podman-remote run --rmDaniel J Walsh2020-08-04
| | | | | | | | We need to remove the container after it has exited for podman-remote run --rm commands. If we don't remove this container at this step, we open ourselves up to race conditions. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
* Reenable remote system testsEd Santiago2020-08-03
| | | | | | | | | | | | | | | | | | | podman-remote is in better shape now. Let's see what needs to be done to reenable remote system tests. - logs test: skip multilog, it doesn't work remote - diff test: use -l only when local, not with remote - many other tests: skip_if_remote, with 'FIXME: pending #xxxx' where xxxx is a filed issue. Unrelated: added new helper to skip_if_remote and _if_rootless, where we check if the source message includes "remote"/"rootless" and insert it if missing. This is a minor usability enhancement to make it easier to understand at-a-glance why a skip triggers. Signed-off-by: Ed Santiago <santiago@redhat.com>
* system tests: new tests for run, execEd Santiago2020-07-14
| | | | | | | | | | | | | | | | | | | | | | - Issue #6735 : problem with multiple namespaces; confirms combinations of --userns=keep-id, --privileged, --user=XX - Issue #6829 : --userns=keep-id will add a /etc/passwd entry - Issue #6593 : podman exec, with --userns=keep-id, errors (test is currently skipped because issue remains live) ...and, addendum: add new helper function, remove_same_dev_warning. Some CI systems issue a warning on podman run --privileged: WARNING: The same type, major and minor should not be used for multiple devices. We already had special-case code to ignore than in the SELinux test, but now we're seeing it in the new run tests I added, so I've refactored the "ignore this warning" code and written tests for the removal code. Signed-off-by: Ed Santiago <santiago@redhat.com>
* system tests: add pod, inspect testingEd Santiago2020-06-26
| | | | | | | | | | | | | | | | Followup to #6761: confirm that 'podman ps' shows the ports on a running container in a pod created with -p (not to be confused with the container itself running with -p, tested in 500-networking.bats). While we're at it, test that the port handling itself works, by sending random text to the container and making sure the container receives it. Followup to #6752: 'podman inspect' should show multiple security opts Signed-off-by: Ed Santiago <santiago@redhat.com>
* more BATS testsEd Santiago2020-01-13
- run: --name (includes 'podman container exists' tests) - run: --pull (always, never, missing) - build: new test for ADD URL (#4420) - exec: new test for issue #4785 (pipe getting lost) - diff: new test - selinux (mostly copied from docker-autotest) Plus a bug fix: the wait_for_output() helper would continue checking, eventually timing out, even if the container had already exited (probably because of an error). Fix: as part of the loop, run 'podman inspect' and bail out if container is not running. Include exit code and logs. Signed-off-by: Ed Santiago <santiago@redhat.com>