tests/int: add selinux test case

Signed-off-by: Kir Kolyshkin <[email protected]>

Author: kolyshkin

.cirrus.yml

@@ -57,7 +57,7 @@ task:
     mkdir -p -m 0700 /root/.ssh
     vagrant ssh-config >> /root/.ssh/config
   guest_info_script: |
-    ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version"'
+    ssh default 'sh -exc "uname -a && systemctl --version && df -T && cat /etc/os-release && go version; sestatus; ls -lZ /"'
   check_config_script: |
     ssh default /vagrant/script/check-config.sh
   unit_tests_script: |
@@ -79,7 +79,7 @@ task:
     CIRRUS_WORKING_DIR: /home/runc
     GO_VERSION: "1.20"
     BATS_VERSION: "v1.9.0"
-    RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs
+    RPMS: gcc git iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux
     # yamllint disable rule:key-duplicates
     matrix:
       DISTRO: centos-7
@@ -170,6 +170,10 @@ task:
     # -----
     df -T
     # -----
+    sestatus
+    # -----
+    ls -lZ /
+    # -----
     cat /proc/cpuinfo
   check_config_script: |
     /home/runc/script/check-config.sh

Vagrantfile.fedora

@@ -23,7 +23,7 @@ Vagrant.configure("2") do |config|
       cat << EOF | dnf -y --exclude=kernel,kernel-core shell && break
 config install_weak_deps false
 update
-install iptables gcc golang-go make glibc-static libseccomp-devel bats jq git-core criu fuse-sshfs
+install iptables gcc golang-go make glibc-static libseccomp-devel bats jq git-core criu fuse-sshfs container-selinux
 ts run
 EOF
     done

tests/integration/selinux.bats

@@ -0,0 +1,44 @@
+#!/usr/bin/env bats
+
+load helpers
+
+function setup() {
+	requires root # for chcon
+	if ! selinuxenabled; then
+		skip "requires SELinux enabled and in enforcing mode"
+	fi
+
+	# FIXME this should be done elsewhere!
+	chcon -u system_u -r object_r -t container_runtime_exec_t "$(readlink -f "${INTEGRATION_ROOT}/../../runc")"
+
+	setup_busybox
+	if ! chcon -u system_u -r object_r -t container_file_t -R rootfs; then
+		skip "chcon failed"
+	fi
+}
+
+function teardown() {
+	teardown_bundle
+	grep denied /var/log/audit/audit.log | tail
+}
+
+@test "runc run (no selinux label)" {
+	update_config '	  .process.args = ["/bin/true"]'
+	runc run tst
+	[ "$status" -eq 0 ]
+}
+
+@test "runc run (custom selinux label)" {
+	update_config '	  .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
+			| .process.args = ["/bin/true"]'
+	runc run tst
+	[ "$status" -eq 0 ]
+}
+
+@test "runc run (custom selinux label, RUNC_DMZ=legacy)" {
+	export RUNC_DMZ=legacy
+	update_config '	  .process.selinuxLabel |= "system_u:system_r:container_t:s0:c4,c5"
+			| .process.args = ["/bin/true"]'
+	runc run tst
+	[ "$status" -eq 0 ]
+}