add selinux debug
Signed-off-by: Kir Kolyshkin <[email protected]>

Signed-off-by: Kir Kolyshkin <[email protected]>
kolyshkin committed May 10, 2024
1 parent 9eb6310 commit 8fccb2d
Showing 1 changed file with 26 additions and 0 deletions.
26 changes: 26 additions & 0 deletions tests/rootless.sh
Expand Up @@ -164,6 +164,12 @@ features_powerset="$(powerset "${ALL_FEATURES[@]}")"
# rootless user won't be able to write to $TESTDATA.
"$ROOT"/tests/integration/get-images.sh >/dev/null

# If SELinux is enabled, fix runc's context.
if selinuxenabled 2>/dev/null; then
chcon -u system_u -r object_r -t container_runtime_exec_t runc
ls -lZ runc
fi

# Iterate over the powerset of all features.
IFS=:
idx=0
Expand All @@ -178,9 +184,17 @@ for enabled_features in $features_powerset; do
"$hook_func"
done

# Save the start date and time for ausearch.
if command -v ausearch &>/dev/null; then
AU_DD="$(date +%x)"
AU_TT="$(date +%H:%M:%S)"
fi

# Run the test suite!
echo "path: $PATH"
export ROOTLESS_FEATURES="$enabled_features"
# Allow the test to fail and use RET.
set +e
if [ -v RUNC_USE_SYSTEMD ]; then
# We use `ssh rootless@localhost` instead of `sudo -u rootless` for creating systemd user session.
# Alternatively we could use `machinectl shell`, but it is known not to work well on SELinux-enabled hosts as of April 2020:
Expand All @@ -189,5 +203,17 @@ for enabled_features in $features_powerset; do
else
sudo -HE -u rootless PATH="$PATH" "$(which bats)" -t "$ROOT/tests/integration$ROOTLESS_TESTPATH"
fi
RET=$?
set -e

# Show any avc denials.
if [[ -v AU_DD && -v AU_TT ]]; then
ausearch -ts "$AU_DD" "$AU_TT" -i -m avc || true
fi

cleanup
if [ $RET -ne 0 ]; then
echo "FAILED" >&2
exit $RET
fi
done
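Review bot: The denial dump in the last hunk searches only `-m avc`, so a failed context transition or invalid label (logged as SELINUX_ERR) and denials from userspace object managers (USER_AVC) would not appear in the output; `ausearch -ts "$AU_DD" "$AU_TT" -i -m avc,user_avc,selinux_err || true` would cover them. In the first hunk, `chcon ... runc` and `ls -lZ runc` use a path relative to the current directory, which the hunk does not show. If the script can be started from another directory, anchoring the path the way the neighbouring `"$ROOT"/tests/integration/get-images.sh` call does would relabel the intended binary (this assumes runc is built under `$ROOT`). A one-line comment above the `chcon` saying why `container_runtime_exec_t` is the expected type would help later readers tell a test-only relabel from a policy workaround. The `for` loop body begins and continues outside the visible hunks.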
