From 1298f19773574963b9ce5ba7ca3b1637d1a07ef6 Mon Sep 17 00:00:00 2001
From: Ed Santiago
Date: Mon, 23 Dec 2019 05:43:08 -0700
Subject: more BATS tests
- run: --name (includes 'podman container exists' tests)
- run: --pull (always, never, missing)
- build: new test for ADD URL (#4420)
- exec: new test for issue #4785 (pipe getting lost)
- diff: new test
- selinux (mostly copied from docker-autotest)
Plus a bug fix: the wait_for_output() helper would continue checking, eventually timing out, even if the container had already exited (probably because of an error). Fix: as part of the loop, run 'podman inspect' and bail out if container is not running. Include exit code and logs.
Signed-off-by: Ed Santiago
---
test/system/410-selinux.bats | 66 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
create mode 100644 test/system/410-selinux.bats
(limited to 'test/system/410-selinux.bats')
diff --git a/test/system/410-selinux.bats b/test/system/410-selinux.bats
new file mode 100644
index 000000000..8a0477eff
--- /dev/null
+++ b/test/system/410-selinux.bats
@@ -0,0 +1,66 @@
+#!/usr/bin/env bats -*- bats -*-
+#
+# 410-selinux - podman selinux tests
+#
+
+load helpers
+
+
+function check_label() {
+ if [ ! -e /usr/sbin/selinuxenabled ] || ! /usr/sbin/selinuxenabled; then
+ skip "selinux disabled or not available"
+ fi
+
+ local args="$1"; shift # command-line args for run
+
+ # FIXME: it'd be nice to specify the command to run, e.g. 'ls -dZ /',
+ # but alpine ls (from busybox) doesn't support -Z
+ run_podman run --rm $args $IMAGE cat -v /proc/self/attr/current
+
+ # FIXME: on some CI systems, 'run --privileged' emits a spurious
+ # warning line about dup devices. Ignore it.
+ local context="$output"
+ if [ ${#lines[@]} -gt 1 ]; then
+ if expr "${lines[0]}" : "WARNING: .* type, major" >/dev/null; then
+ echo "# ${lines[0]} [ignored]" >&3
+ context="${lines[1]}"
+ else
+ die "FAILED: too much output, expected one single line"
+ fi
+ fi
+
+ is "$context" ".*_u:system_r:.*" "SELinux role should always be system_r"
+
+ # e.g. system_u:system_r:container_t:s0:c45,c745 -> "container_t"
+ type=$(cut -d: -f3 <<<"$context")
+ is "$type" "$1" "SELinux type"
+
+ if [ -n "$2" ]; then
+ # e.g. from the above example -> "s0:c45,c745"
+ range=$(cut -d: -f4,5 <<<"$context")
+ is "$range" "$2" "SELinux range"
+ fi
+}
+
+
+@test "podman selinux: confined container" {
+ check_label "" "container_t"
+}
+
+@test "podman selinux: container with label=disable" {
+ skip_if_rootless
+
+ check_label "--security-opt label=disable" "spc_t"
+}
+
+@test "podman selinux: privileged container" {
+ skip_if_rootless
+
+ check_label "--privileged --userns=host" "spc_t"
+}
+
+@test "podman selinux: container with overridden range" {
+ check_label "--security-opt label=level:s0:c1,c2" "container_t" "s0:c1,c2"
+}
+
+# vim: filetype=sh
-- cgit v1.2.3-54-g00ecf
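Review bot: The confined-container test `check_label "" "container_t"` pins the SELinux type but passes no third argument, so the MCS level is never checked and a regression that started confined containers with a bare `s0` (none of the per-container categories the `s0:c45,c745` example in check_label's comment relies on) would still pass. If `is` accepts an expr-style pattern, as the role check `is "$context" ".*_u:system_r:.*"` in the same function suggests, the level can be pinned loosely with `check_label "" "container_t" "s0:c[0-9]*,c[0-9]*"`. Separately, `type` and `range` in check_label are assigned without `local`, so they leak into the bats shell across tests; `local type range` next to `local context` fixes that. The unquoted `$args` on the `run_podman run` line is clearly deliberate word-splitting, and a `# shellcheck disable=SC2086 -- $args is intentionally split into run options` comment would keep a later quoting pass from breaking it.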