Message ID | 1473950369-2547-1-git-send-email-plautrba@redhat.com (mailing list archive) |
---|---|
State | Not Applicable |
Headers | show |
On 09/15/2016 10:39 AM, Petr Lautrbach wrote: > The tests executed sandbox from $PATH while they should test sandbox in > cwd. At the same time, tests should be run using the same python as is > used by make to run them. > > Signed-off-by: Petr Lautrbach <plautrba@redhat.com> Do the sandbox tests actually work for you? For me, most of them fail with the error: AssertionError: "Sandbox should have succeeded for this test 'ERROR: could not find datum for type sandbox_t\nsandbox: Sandbox Policy is not currently installed.\nYou need to install the selinux-policy-sandbox package in order to run this command\n' But I do have selinux-policy-sandbox installed. This is on F24. sandbox_x_t is defined, but not sandbox_t. > --- > policycoreutils/sandbox/test_sandbox.py | 23 ++++++++++++----------- > 1 file changed, 12 insertions(+), 11 deletions(-) > > diff --git a/policycoreutils/sandbox/test_sandbox.py b/policycoreutils/sandbox/test_sandbox.py > index 6f54d0c..d5368c2 100644 > --- a/policycoreutils/sandbox/test_sandbox.py > +++ b/policycoreutils/sandbox/test_sandbox.py > @@ -1,6 +1,7 @@ > import unittest > import os > import shutil > +import sys > from tempfile import mkdtemp > from subprocess import Popen, PIPE > > @@ -26,63 +27,63 @@ class SandboxTests(unittest.TestCase): > def test_simple_success(self): > "Verify that we can read file descriptors handed to sandbox" > p1 = Popen(['cat', '/etc/passwd'], stdout=PIPE) > - p2 = Popen(['sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE) > + p2 = Popen([sys.executable, 'sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE) > out, err = p2.communicate() > self.assertTrue(b'root' in out) > > def test_cant_kill(self): > "Verify that we cannot send kill signal in the sandbox" > pid = os.getpid() > - p = Popen(['sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE) > + p = Popen([sys.executable, 'sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE) > out, err = p.communicate() > self.assertDenied(err) > > def test_cant_ping(self): > "Verify that we can't ping within the sandbox" > - p = Popen(['sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE) > + p = Popen([sys.executable, 'sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE) > out, err = p.communicate() > self.assertDenied(err) > > def test_cant_mkdir(self): > "Verify that we can't mkdir within the sandbox" > - p = Popen(['sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE) > + p = Popen([sys.executable, 'sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE) > out, err = p.communicate() > self.assertFailure(p.returncode) > > def test_cant_list_homedir(self): > "Verify that we can't list homedir within the sandbox" > - p = Popen(['sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE) > + p = Popen([sys.executable, 'sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE) > out, err = p.communicate() > self.assertFailure(p.returncode) > > def test_cant_send_mail(self): > "Verify that we can't send mail within the sandbox" > - p = Popen(['sandbox', 'mail'], stdout=PIPE, stderr=PIPE) > + p = Popen([sys.executable, 'sandbox', 'mail'], stdout=PIPE, stderr=PIPE) > out, err = p.communicate() > self.assertDenied(err) > > def test_cant_sudo(self): > "Verify that we can't run sudo within the sandbox" > - p = Popen(['sandbox', 'sudo'], stdout=PIPE, stderr=PIPE) > + p = Popen([sys.executable, 'sandbox', 'sudo'], stdout=PIPE, stderr=PIPE) > out, err = p.communicate() > self.assertFailure(p.returncode) > > def test_mount(self): > "Verify that we mount a file system" > - p = Popen(['sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE) > + p = Popen([sys.executable, 'sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE) > out, err = p.communicate() > self.assertSuccess(p.returncode, err) > > def test_set_level(self): > "Verify that we set level a file system" > - p = Popen(['sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE) > + p = Popen([sys.executable, 'sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE) > out, err = p.communicate() > self.assertSuccess(p.returncode, err) > > def test_homedir(self): > "Verify that we set homedir a file system" > homedir = mkdtemp(dir=".", prefix=".sandbox_test") > - p = Popen(['sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE) > + p = Popen([sys.executable, 'sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE) > out, err = p.communicate() > shutil.rmtree(homedir) > self.assertSuccess(p.returncode, err) > @@ -90,7 +91,7 @@ class SandboxTests(unittest.TestCase): > def test_tmpdir(self): > "Verify that we set tmpdir a file system" > tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_test") > - p = Popen(['sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE) > + p = Popen([sys.executable, 'sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE) > out, err = p.communicate() > shutil.rmtree(tmpdir) > self.assertSuccess(p.returncode, err) >
On 09/15/2016 07:26 PM, Stephen Smalley wrote: > On 09/15/2016 10:39 AM, Petr Lautrbach wrote: >> The tests executed sandbox from $PATH while they should test sandbox in >> cwd. At the same time, tests should be run using the same python as is >> used by make to run them. >> >> Signed-off-by: Petr Lautrbach <plautrba@redhat.com> > > Do the sandbox tests actually work for you? For me, most of them fail > with the error: > AssertionError: "Sandbox should have succeeded for this test 'ERROR: > could not find datum for type sandbox_t\nsandbox: Sandbox Policy is not > currently installed.\nYou need to install the selinux-policy-sandbox > package in order to run this command\n' > > But I do have selinux-policy-sandbox installed. This is on F24. > sandbox_x_t is defined, but not sandbox_t. The tests work for me with both pythons on Fedora 24. For sandbox_t you need to enable sandbox module: semodule -e sandbox It should be enabled by default when you install selinux-policy-sandbox. But there's probably a bug which causes the module is not enabled in some cases. Simon Sekidde suggested to change the error message a little, see bellow. But it probably won't be sufficient as well. try: sepolicy.info(sepolicy.TYPE, "sandbox_t") except RuntimeError: - raise ValueError(_("Sandbox Policy is not currently installed.\nYou need to install the selinux-policy-sandbox package in order to run this command")) + raise ValueError(_("Sandbox Policy is currently disabled.\nYou need to enable the sandbox module in order to run this command")) It would need a detection if the module is only disabled or is not installed at all. Petr > >> --- >> policycoreutils/sandbox/test_sandbox.py | 23 ++++++++++++----------- >> 1 file changed, 12 insertions(+), 11 deletions(-) >> >> diff --git a/policycoreutils/sandbox/test_sandbox.py b/policycoreutils/sandbox/test_sandbox.py >> index 6f54d0c..d5368c2 100644 >> --- a/policycoreutils/sandbox/test_sandbox.py >> +++ b/policycoreutils/sandbox/test_sandbox.py >> @@ -1,6 +1,7 @@ >> import unittest >> import os >> import shutil >> +import sys >> from tempfile import mkdtemp >> from subprocess import Popen, PIPE >> >> @@ -26,63 +27,63 @@ class SandboxTests(unittest.TestCase): >> def test_simple_success(self): >> "Verify that we can read file descriptors handed to sandbox" >> p1 = Popen(['cat', '/etc/passwd'], stdout=PIPE) >> - p2 = Popen(['sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE) >> + p2 = Popen([sys.executable, 'sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE) >> out, err = p2.communicate() >> self.assertTrue(b'root' in out) >> >> def test_cant_kill(self): >> "Verify that we cannot send kill signal in the sandbox" >> pid = os.getpid() >> - p = Popen(['sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE) >> + p = Popen([sys.executable, 'sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE) >> out, err = p.communicate() >> self.assertDenied(err) >> >> def test_cant_ping(self): >> "Verify that we can't ping within the sandbox" >> - p = Popen(['sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE) >> + p = Popen([sys.executable, 'sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE) >> out, err = p.communicate() >> self.assertDenied(err) >> >> def test_cant_mkdir(self): >> "Verify that we can't mkdir within the sandbox" >> - p = Popen(['sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE) >> + p = Popen([sys.executable, 'sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE) >> out, err = p.communicate() >> self.assertFailure(p.returncode) >> >> def test_cant_list_homedir(self): >> "Verify that we can't list homedir within the sandbox" >> - p = Popen(['sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE) >> + p = Popen([sys.executable, 'sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE) >> out, err = p.communicate() >> self.assertFailure(p.returncode) >> >> def test_cant_send_mail(self): >> "Verify that we can't send mail within the sandbox" >> - p = Popen(['sandbox', 'mail'], stdout=PIPE, stderr=PIPE) >> + p = Popen([sys.executable, 'sandbox', 'mail'], stdout=PIPE, stderr=PIPE) >> out, err = p.communicate() >> self.assertDenied(err) >> >> def test_cant_sudo(self): >> "Verify that we can't run sudo within the sandbox" >> - p = Popen(['sandbox', 'sudo'], stdout=PIPE, stderr=PIPE) >> + p = Popen([sys.executable, 'sandbox', 'sudo'], stdout=PIPE, stderr=PIPE) >> out, err = p.communicate() >> self.assertFailure(p.returncode) >> >> def test_mount(self): >> "Verify that we mount a file system" >> - p = Popen(['sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE) >> + p = Popen([sys.executable, 'sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE) >> out, err = p.communicate() >> self.assertSuccess(p.returncode, err) >> >> def test_set_level(self): >> "Verify that we set level a file system" >> - p = Popen(['sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE) >> + p = Popen([sys.executable, 'sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE) >> out, err = p.communicate() >> self.assertSuccess(p.returncode, err) >> >> def test_homedir(self): >> "Verify that we set homedir a file system" >> homedir = mkdtemp(dir=".", prefix=".sandbox_test") >> - p = Popen(['sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE) >> + p = Popen([sys.executable, 'sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE) >> out, err = p.communicate() >> shutil.rmtree(homedir) >> self.assertSuccess(p.returncode, err) >> @@ -90,7 +91,7 @@ class SandboxTests(unittest.TestCase): >> def test_tmpdir(self): >> "Verify that we set tmpdir a file system" >> tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_test") >> - p = Popen(['sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE) >> + p = Popen([sys.executable, 'sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE) >> out, err = p.communicate() >> shutil.rmtree(tmpdir) >> self.assertSuccess(p.returncode, err) >> >
diff --git a/policycoreutils/sandbox/test_sandbox.py b/policycoreutils/sandbox/test_sandbox.py index 6f54d0c..d5368c2 100644 --- a/policycoreutils/sandbox/test_sandbox.py +++ b/policycoreutils/sandbox/test_sandbox.py @@ -1,6 +1,7 @@ import unittest import os import shutil +import sys from tempfile import mkdtemp from subprocess import Popen, PIPE @@ -26,63 +27,63 @@ class SandboxTests(unittest.TestCase): def test_simple_success(self): "Verify that we can read file descriptors handed to sandbox" p1 = Popen(['cat', '/etc/passwd'], stdout=PIPE) - p2 = Popen(['sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE) + p2 = Popen([sys.executable, 'sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE) out, err = p2.communicate() self.assertTrue(b'root' in out) def test_cant_kill(self): "Verify that we cannot send kill signal in the sandbox" pid = os.getpid() - p = Popen(['sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE) + p = Popen([sys.executable, 'sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE) out, err = p.communicate() self.assertDenied(err) def test_cant_ping(self): "Verify that we can't ping within the sandbox" - p = Popen(['sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE) + p = Popen([sys.executable, 'sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE) out, err = p.communicate() self.assertDenied(err) def test_cant_mkdir(self): "Verify that we can't mkdir within the sandbox" - p = Popen(['sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE) + p = Popen([sys.executable, 'sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE) out, err = p.communicate() self.assertFailure(p.returncode) def test_cant_list_homedir(self): "Verify that we can't list homedir within the sandbox" - p = Popen(['sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE) + p = Popen([sys.executable, 'sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE) out, err = p.communicate() self.assertFailure(p.returncode) def test_cant_send_mail(self): "Verify that we can't send mail within the sandbox" - p = Popen(['sandbox', 'mail'], stdout=PIPE, stderr=PIPE) + p = Popen([sys.executable, 'sandbox', 'mail'], stdout=PIPE, stderr=PIPE) out, err = p.communicate() self.assertDenied(err) def test_cant_sudo(self): "Verify that we can't run sudo within the sandbox" - p = Popen(['sandbox', 'sudo'], stdout=PIPE, stderr=PIPE) + p = Popen([sys.executable, 'sandbox', 'sudo'], stdout=PIPE, stderr=PIPE) out, err = p.communicate() self.assertFailure(p.returncode) def test_mount(self): "Verify that we mount a file system" - p = Popen(['sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE) + p = Popen([sys.executable, 'sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE) out, err = p.communicate() self.assertSuccess(p.returncode, err) def test_set_level(self): "Verify that we set level a file system" - p = Popen(['sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE) + p = Popen([sys.executable, 'sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE) out, err = p.communicate() self.assertSuccess(p.returncode, err) def test_homedir(self): "Verify that we set homedir a file system" homedir = mkdtemp(dir=".", prefix=".sandbox_test") - p = Popen(['sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE) + p = Popen([sys.executable, 'sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE) out, err = p.communicate() shutil.rmtree(homedir) self.assertSuccess(p.returncode, err) @@ -90,7 +91,7 @@ class SandboxTests(unittest.TestCase): def test_tmpdir(self): "Verify that we set tmpdir a file system" tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_test") - p = Popen(['sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE) + p = Popen([sys.executable, 'sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE) out, err = p.communicate() shutil.rmtree(tmpdir) self.assertSuccess(p.returncode, err)
The tests executed sandbox from $PATH while they should test sandbox in cwd. At the same time, tests should be run using the same python as is used by make to run them. Signed-off-by: Petr Lautrbach <plautrba@redhat.com> --- policycoreutils/sandbox/test_sandbox.py | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-)