tests/cp/cp-a-selinux

   1 #!/bin/sh
   2 # Ensure that cp -a and cp --preserve=context work properly.
   3 # In particular, test on a writable NFS partition.
   4 # Check also locally if --preserve=context, -a and --preserve=all
   5 # does work
   6
   7 # Copyright (C) 2007-2011 Free Software Foundation, Inc.
   8
   9 # This program is free software: you can redistribute it and/or modify
  10 # it under the terms of the GNU General Public License as published by
  11 # the Free Software Foundation, either version 3 of the License, or
  12 # (at your option) any later version.
  13
  14 # This program is distributed in the hope that it will be useful,
  15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17 # GNU General Public License for more details.
  18
  19 # You should have received a copy of the GNU General Public License
  20 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21
  22 . "${srcdir=.}/init.sh"; path_prepend_ ../src
  23 print_ver_ cp
  24 require_root_
  25 require_selinux_
  26
  27 cwd=`pwd`
  28 cleanup_() { cd /; umount "$cwd/mnt"; }
  29
  30 # This context is special: it works even when mcstransd isn't running.
  31 ctx=root:object_r:tmp_t:s0
  32
  33 # Check basic functionality - before check on fixed context mount
  34 touch c || framework_failure_
  35 chcon $ctx c || framework_failure_
  36 cp -a c d 2>err || framework_failure_
  37 cp --preserve=context c e || framework_failure_
  38 cp --preserve=all c f || framework_failure_
  39 ls -Z d | grep $ctx || fail=1
  40 test -s err && fail=1   #there must be no stderr output for -a
  41 ls -Z e | grep $ctx || fail=1
  42 ls -Z f | grep $ctx || fail=1
  43
  44 skip=0
  45 # Create a file system, then mount it with the context=... option.
  46 dd if=/dev/zero of=blob bs=8192 count=200    || skip=1
  47 mkdir mnt                                    || skip=1
  48 mkfs -t ext2 -F blob ||
  49   skip_ "failed to create an ext2 file system"
  50
  51 mount -oloop,context=$ctx blob mnt           || skip=1
  52 test $skip = 1 \
  53   && skip_ "insufficient mount/ext2 support"
  54
  55 cd mnt                                       || framework_failure_
  56
  57 echo > f                                     || framework_failure_
  58
  59 echo > g                                     || framework_failure_
  60 # /bin/cp from coreutils-6.7-3.fc7 would fail this test by letting cp
  61 # succeed (giving no diagnostics), yet leaving the destination file empty.
  62 cp -a f g 2>err || fail=1
  63 test -s g       || fail=1     # The destination file must not be empty.
  64 test -s err     && fail=1     # There must be no stderr output.
  65
  66 # =====================================================
  67 # Here, we expect cp to succeed and not warn with "Operation not supported"
  68 rm -f g
  69 echo > g
  70 cp --preserve=all f g 2>err || fail=1
  71 test -s g || fail=1
  72 grep "Operation not supported" err && fail=1
  73
  74 # =====================================================
  75 # The same as above except destination does not exist
  76 rm -f g
  77 cp --preserve=all f g 2>err || fail=1
  78 test -s g || fail=1
  79 grep "Operation not supported" err && fail=1
  80
  81 # An alternative to the following approach would be to run in a confined
  82 # domain (maybe creating/loading it) that lacks the required permissions
  83 # to the file type.
  84 # Note: this test could also be run by a regular (non-root) user in an
  85 # NFS mounted directory.  When doing that, I get this diagnostic:
  86 # cp: failed to set the security context of `g' to `system_u:object_r:nfs_t': \
  87 #   Operation not supported
  88 cat <<\EOF > exp || framework_failure_
  89 cp: failed to set the security context of
  90 EOF
  91
  92 rm -f g
  93 echo > g
  94 # =====================================================
  95 # Here, we expect cp to fail, because it cannot set the SELinux
  96 # security context through NFS or a mount with fixed context.
  97 cp --preserve=context f g 2> out && fail=1
  98 # Here, we *do* expect the destination to be empty.
  99 test -s g && fail=1
 100 sed "s/ .g' to .*//" out > k
 101 mv k out
 102 compare exp out || fail=1
 103
 104 rm -f g
 105 echo > g
 106 # Check if -a option doesn't silence --preserve=context option diagnostics
 107 cp -a --preserve=context f g 2> out2 && fail=1
 108 # Here, we *do* expect the destination to be empty.
 109 test -s g && fail=1
 110 sed "s/ .g' to .*//" out2 > k
 111 mv k out2
 112 compare exp out2 || fail=1
 113
 114 Exit $fail