[PATCH] selinux-testsuite: ensure the cgroups_label tests works on old and new systems

[PATCH] selinux-testsuite: ensure the cgroups_label tests works on old and new systems

[Paul Moore]

From: Paul Moore <paul@paul-moore.com>

Commit 697efc910393 ("selinux-testsuite: fix the cgroups_label test")
fixed the cgroups_label test on new systems, but it broke old systems.
Try to use /sys/fs/cgroup/unified first and if that doesn't exist go
with the new approach introduced in the commit above.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 tests/cgroupfs_label/test |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tests/cgroupfs_label/test b/tests/cgroupfs_label/test
index 385b953..91517b4 100755
--- a/tests/cgroupfs_label/test
+++ b/tests/cgroupfs_label/test
@@ -5,7 +5,11 @@ BEGIN { plan tests => 2 }
 
 my $ret;
 
-my $dir = "/sys/fs/cgroup/selinuxtest";
+# Older systems use /sys/fs/cgroup/unified, newer use /sys/fs/cgroup.
+my $dir = "/sys/fs/cgroup/unified";
+if (! -d $dir) {
+	$dir = "/sys/fs/cgroup/selinuxtest";
+}
 
 # Create a new cgroupfs directory and relabel it.
 mkdir("$dir");

Re: [PATCH] selinux-testsuite: ensure the cgroups_label tests works on old and new systems

[Paul Moore]

On Mon, Aug 26, 2019 at 5:40 PM Paul Moore <paul@paul-moore.com> wrote:
> From: Paul Moore <paul@paul-moore.com>
>
> Commit 697efc910393 ("selinux-testsuite: fix the cgroups_label test")
> fixed the cgroups_label test on new systems, but it broke old systems.
> Try to use /sys/fs/cgroup/unified first and if that doesn't exist go
> with the new approach introduced in the commit above.
>
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  tests/cgroupfs_label/test |    6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/tests/cgroupfs_label/test b/tests/cgroupfs_label/test
> index 385b953..91517b4 100755
> --- a/tests/cgroupfs_label/test
> +++ b/tests/cgroupfs_label/test
> @@ -5,7 +5,11 @@ BEGIN { plan tests => 2 }
>
>  my $ret;
>
> -my $dir = "/sys/fs/cgroup/selinuxtest";
> +# Older systems use /sys/fs/cgroup/unified, newer use /sys/fs/cgroup.
> +my $dir = "/sys/fs/cgroup/unified";
> +if (! -d $dir) {
> +       $dir = "/sys/fs/cgroup/selinuxtest";
> +}

Merged with the requisite style fixes (sorry about that, my mistake).

>  # Create a new cgroupfs directory and relabel it.
>  mkdir("$dir");

-- 
paul moore
www.paul-moore.com

Re: [PATCH] selinux-testsuite: ensure the cgroups_label tests works on old and new systems

[Stephen Smalley]

On 8/26/19 5:40 PM, Paul Moore wrote:
> From: Paul Moore <paul@paul-moore.com>
> 
> Commit 697efc910393 ("selinux-testsuite: fix the cgroups_label test")
> fixed the cgroups_label test on new systems, but it broke old systems.
> Try to use /sys/fs/cgroup/unified first and if that doesn't exist go
> with the new approach introduced in the commit above.
> 
> Signed-off-by: Paul Moore <paul@paul-moore.com>

This leaves the test system in a broken state, with all of 
/sys/fs/cgroup/unified getting relabeled to test_cgroup_t during the 
test and then switching to unlabeled_t upon the unloading of the test 
policy.  I get a bajillion denials after the testsuite completes from 
anything trying to access /sys/fs/cgroup/unified, and ls -Z 
/sys/fs/cgroup/unified shows it as being unlabeled_t throughout.

> ---
>   tests/cgroupfs_label/test |    6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/tests/cgroupfs_label/test b/tests/cgroupfs_label/test
> index 385b953..91517b4 100755
> --- a/tests/cgroupfs_label/test
> +++ b/tests/cgroupfs_label/test
> @@ -5,7 +5,11 @@ BEGIN { plan tests => 2 }
>   
>   my $ret;
>   
> -my $dir = "/sys/fs/cgroup/selinuxtest";
> +# Older systems use /sys/fs/cgroup/unified, newer use /sys/fs/cgroup.
> +my $dir = "/sys/fs/cgroup/unified";
> +if (! -d $dir) {
> +	$dir = "/sys/fs/cgroup/selinuxtest";
> +}
>   
>   # Create a new cgroupfs directory and relabel it.
>   mkdir("$dir");
> 
> 

Re: [PATCH] selinux-testsuite: ensure the cgroups_label tests works on old and new systems

[Paul Moore]

On Wed, Sep 4, 2019 at 8:48 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 8/26/19 5:40 PM, Paul Moore wrote:
> > From: Paul Moore <paul@paul-moore.com>
> >
> > Commit 697efc910393 ("selinux-testsuite: fix the cgroups_label test")
> > fixed the cgroups_label test on new systems, but it broke old systems.
> > Try to use /sys/fs/cgroup/unified first and if that doesn't exist go
> > with the new approach introduced in the commit above.
> >
> > Signed-off-by: Paul Moore <paul@paul-moore.com>
>
> This leaves the test system in a broken state, with all of
> /sys/fs/cgroup/unified getting relabeled to test_cgroup_t during the
> test and then switching to unlabeled_t upon the unloading of the test
> policy.  I get a bajillion denials after the testsuite completes from
> anything trying to access /sys/fs/cgroup/unified, and ls -Z
> /sys/fs/cgroup/unified shows it as being unlabeled_t throughout.

A bajillion, that sounds serious! ;)

Anyway, my apologies for breaking things after the test runs.  My test
systems pretty much just run the tests (over and over and over) so I
didn't notice the breakage.  I'll post a patch for this right now ...

> > ---
> >   tests/cgroupfs_label/test |    6 +++++-
> >   1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/tests/cgroupfs_label/test b/tests/cgroupfs_label/test
> > index 385b953..91517b4 100755
> > --- a/tests/cgroupfs_label/test
> > +++ b/tests/cgroupfs_label/test
> > @@ -5,7 +5,11 @@ BEGIN { plan tests => 2 }
> >
> >   my $ret;
> >
> > -my $dir = "/sys/fs/cgroup/selinuxtest";
> > +# Older systems use /sys/fs/cgroup/unified, newer use /sys/fs/cgroup.
> > +my $dir = "/sys/fs/cgroup/unified";
> > +if (! -d $dir) {
> > +     $dir = "/sys/fs/cgroup/selinuxtest";
> > +}
> >
> >   # Create a new cgroupfs directory and relabel it.
> >   mkdir("$dir");
> >

-- 
paul moore
www.paul-moore.com