diff mbox

[1/3] sandbox: tests - use sandbox from cwd

Message ID 1473950369-2547-1-git-send-email-plautrba@redhat.com (mailing list archive)
State Not Applicable
Headers show

Commit Message

Petr Lautrbach Sept. 15, 2016, 2:39 p.m. UTC
The tests executed sandbox from $PATH while they should test sandbox in
cwd. At the same time, tests should be run using the same python as is
used by make to run them.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 policycoreutils/sandbox/test_sandbox.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

Comments

Stephen Smalley Sept. 15, 2016, 5:26 p.m. UTC | #1
On 09/15/2016 10:39 AM, Petr Lautrbach wrote:
> The tests executed sandbox from $PATH while they should test sandbox in
> cwd. At the same time, tests should be run using the same python as is
> used by make to run them.
> 
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

Do the sandbox tests actually work for you?  For me, most of them fail
with the error:
AssertionError: "Sandbox should have succeeded for this test 'ERROR:
could not find datum for type sandbox_t\nsandbox: Sandbox Policy is not
currently installed.\nYou need to install the selinux-policy-sandbox
package in order to run this command\n'

But I do have selinux-policy-sandbox installed.  This is on F24.
sandbox_x_t is defined, but not sandbox_t.

> ---
>  policycoreutils/sandbox/test_sandbox.py | 23 ++++++++++++-----------
>  1 file changed, 12 insertions(+), 11 deletions(-)
> 
> diff --git a/policycoreutils/sandbox/test_sandbox.py b/policycoreutils/sandbox/test_sandbox.py
> index 6f54d0c..d5368c2 100644
> --- a/policycoreutils/sandbox/test_sandbox.py
> +++ b/policycoreutils/sandbox/test_sandbox.py
> @@ -1,6 +1,7 @@
>  import unittest
>  import os
>  import shutil
> +import sys
>  from tempfile import mkdtemp
>  from subprocess import Popen, PIPE
>  
> @@ -26,63 +27,63 @@ class SandboxTests(unittest.TestCase):
>      def test_simple_success(self):
>          "Verify that we can read file descriptors handed to sandbox"
>          p1 = Popen(['cat', '/etc/passwd'], stdout=PIPE)
> -        p2 = Popen(['sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE)
> +        p2 = Popen([sys.executable, 'sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE)
>          out, err = p2.communicate()
>          self.assertTrue(b'root' in out)
>  
>      def test_cant_kill(self):
>          "Verify that we cannot send kill signal in the sandbox"
>          pid = os.getpid()
> -        p = Popen(['sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE)
> +        p = Popen([sys.executable, 'sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE)
>          out, err = p.communicate()
>          self.assertDenied(err)
>  
>      def test_cant_ping(self):
>          "Verify that we can't ping within the sandbox"
> -        p = Popen(['sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE)
> +        p = Popen([sys.executable, 'sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE)
>          out, err = p.communicate()
>          self.assertDenied(err)
>  
>      def test_cant_mkdir(self):
>          "Verify that we can't mkdir within the sandbox"
> -        p = Popen(['sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE)
> +        p = Popen([sys.executable, 'sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE)
>          out, err = p.communicate()
>          self.assertFailure(p.returncode)
>  
>      def test_cant_list_homedir(self):
>          "Verify that we can't list homedir within the sandbox"
> -        p = Popen(['sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE)
> +        p = Popen([sys.executable, 'sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE)
>          out, err = p.communicate()
>          self.assertFailure(p.returncode)
>  
>      def test_cant_send_mail(self):
>          "Verify that we can't send mail within the sandbox"
> -        p = Popen(['sandbox', 'mail'], stdout=PIPE, stderr=PIPE)
> +        p = Popen([sys.executable, 'sandbox', 'mail'], stdout=PIPE, stderr=PIPE)
>          out, err = p.communicate()
>          self.assertDenied(err)
>  
>      def test_cant_sudo(self):
>          "Verify that we can't run sudo within the sandbox"
> -        p = Popen(['sandbox', 'sudo'], stdout=PIPE, stderr=PIPE)
> +        p = Popen([sys.executable, 'sandbox', 'sudo'], stdout=PIPE, stderr=PIPE)
>          out, err = p.communicate()
>          self.assertFailure(p.returncode)
>  
>      def test_mount(self):
>          "Verify that we mount a file system"
> -        p = Popen(['sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE)
> +        p = Popen([sys.executable, 'sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE)
>          out, err = p.communicate()
>          self.assertSuccess(p.returncode, err)
>  
>      def test_set_level(self):
>          "Verify that we set level a file system"
> -        p = Popen(['sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE)
> +        p = Popen([sys.executable, 'sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE)
>          out, err = p.communicate()
>          self.assertSuccess(p.returncode, err)
>  
>      def test_homedir(self):
>          "Verify that we set homedir a file system"
>          homedir = mkdtemp(dir=".", prefix=".sandbox_test")
> -        p = Popen(['sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
> +        p = Popen([sys.executable, 'sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
>          out, err = p.communicate()
>          shutil.rmtree(homedir)
>          self.assertSuccess(p.returncode, err)
> @@ -90,7 +91,7 @@ class SandboxTests(unittest.TestCase):
>      def test_tmpdir(self):
>          "Verify that we set tmpdir a file system"
>          tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_test")
> -        p = Popen(['sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
> +        p = Popen([sys.executable, 'sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
>          out, err = p.communicate()
>          shutil.rmtree(tmpdir)
>          self.assertSuccess(p.returncode, err)
>
Petr Lautrbach Sept. 15, 2016, 6:24 p.m. UTC | #2
On 09/15/2016 07:26 PM, Stephen Smalley wrote:
> On 09/15/2016 10:39 AM, Petr Lautrbach wrote:
>> The tests executed sandbox from $PATH while they should test sandbox in
>> cwd. At the same time, tests should be run using the same python as is
>> used by make to run them.
>>
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> 
> Do the sandbox tests actually work for you?  For me, most of them fail
> with the error:
> AssertionError: "Sandbox should have succeeded for this test 'ERROR:
> could not find datum for type sandbox_t\nsandbox: Sandbox Policy is not
> currently installed.\nYou need to install the selinux-policy-sandbox
> package in order to run this command\n'
> 
> But I do have selinux-policy-sandbox installed.  This is on F24.
> sandbox_x_t is defined, but not sandbox_t.

The tests work for me with both pythons on Fedora 24.

For sandbox_t you need to enable sandbox module:

semodule -e sandbox

It should be enabled by default when you install selinux-policy-sandbox.
But there's probably a bug which causes the module is not enabled in
some cases.

Simon Sekidde suggested to change the error message a little, see
bellow. But it probably won't be sufficient as well.

             try:
                 sepolicy.info(sepolicy.TYPE, "sandbox_t")
             except RuntimeError:
-                raise ValueError(_("Sandbox Policy is not currently
installed.\nYou need to install the selinux-policy-sandbox package in
order to run this command"))
+                raise ValueError(_("Sandbox Policy is currently
disabled.\nYou need to enable the sandbox module in order to run this
command"))


It would need a detection if the module is only disabled or is not
installed at all.


Petr


> 
>> ---
>>  policycoreutils/sandbox/test_sandbox.py | 23 ++++++++++++-----------
>>  1 file changed, 12 insertions(+), 11 deletions(-)
>>
>> diff --git a/policycoreutils/sandbox/test_sandbox.py b/policycoreutils/sandbox/test_sandbox.py
>> index 6f54d0c..d5368c2 100644
>> --- a/policycoreutils/sandbox/test_sandbox.py
>> +++ b/policycoreutils/sandbox/test_sandbox.py
>> @@ -1,6 +1,7 @@
>>  import unittest
>>  import os
>>  import shutil
>> +import sys
>>  from tempfile import mkdtemp
>>  from subprocess import Popen, PIPE
>>  
>> @@ -26,63 +27,63 @@ class SandboxTests(unittest.TestCase):
>>      def test_simple_success(self):
>>          "Verify that we can read file descriptors handed to sandbox"
>>          p1 = Popen(['cat', '/etc/passwd'], stdout=PIPE)
>> -        p2 = Popen(['sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE)
>> +        p2 = Popen([sys.executable, 'sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE)
>>          out, err = p2.communicate()
>>          self.assertTrue(b'root' in out)
>>  
>>      def test_cant_kill(self):
>>          "Verify that we cannot send kill signal in the sandbox"
>>          pid = os.getpid()
>> -        p = Popen(['sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE)
>> +        p = Popen([sys.executable, 'sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE)
>>          out, err = p.communicate()
>>          self.assertDenied(err)
>>  
>>      def test_cant_ping(self):
>>          "Verify that we can't ping within the sandbox"
>> -        p = Popen(['sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE)
>> +        p = Popen([sys.executable, 'sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE)
>>          out, err = p.communicate()
>>          self.assertDenied(err)
>>  
>>      def test_cant_mkdir(self):
>>          "Verify that we can't mkdir within the sandbox"
>> -        p = Popen(['sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE)
>> +        p = Popen([sys.executable, 'sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE)
>>          out, err = p.communicate()
>>          self.assertFailure(p.returncode)
>>  
>>      def test_cant_list_homedir(self):
>>          "Verify that we can't list homedir within the sandbox"
>> -        p = Popen(['sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE)
>> +        p = Popen([sys.executable, 'sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE)
>>          out, err = p.communicate()
>>          self.assertFailure(p.returncode)
>>  
>>      def test_cant_send_mail(self):
>>          "Verify that we can't send mail within the sandbox"
>> -        p = Popen(['sandbox', 'mail'], stdout=PIPE, stderr=PIPE)
>> +        p = Popen([sys.executable, 'sandbox', 'mail'], stdout=PIPE, stderr=PIPE)
>>          out, err = p.communicate()
>>          self.assertDenied(err)
>>  
>>      def test_cant_sudo(self):
>>          "Verify that we can't run sudo within the sandbox"
>> -        p = Popen(['sandbox', 'sudo'], stdout=PIPE, stderr=PIPE)
>> +        p = Popen([sys.executable, 'sandbox', 'sudo'], stdout=PIPE, stderr=PIPE)
>>          out, err = p.communicate()
>>          self.assertFailure(p.returncode)
>>  
>>      def test_mount(self):
>>          "Verify that we mount a file system"
>> -        p = Popen(['sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE)
>> +        p = Popen([sys.executable, 'sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE)
>>          out, err = p.communicate()
>>          self.assertSuccess(p.returncode, err)
>>  
>>      def test_set_level(self):
>>          "Verify that we set level a file system"
>> -        p = Popen(['sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE)
>> +        p = Popen([sys.executable, 'sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE)
>>          out, err = p.communicate()
>>          self.assertSuccess(p.returncode, err)
>>  
>>      def test_homedir(self):
>>          "Verify that we set homedir a file system"
>>          homedir = mkdtemp(dir=".", prefix=".sandbox_test")
>> -        p = Popen(['sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
>> +        p = Popen([sys.executable, 'sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
>>          out, err = p.communicate()
>>          shutil.rmtree(homedir)
>>          self.assertSuccess(p.returncode, err)
>> @@ -90,7 +91,7 @@ class SandboxTests(unittest.TestCase):
>>      def test_tmpdir(self):
>>          "Verify that we set tmpdir a file system"
>>          tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_test")
>> -        p = Popen(['sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
>> +        p = Popen([sys.executable, 'sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
>>          out, err = p.communicate()
>>          shutil.rmtree(tmpdir)
>>          self.assertSuccess(p.returncode, err)
>>
>
diff mbox

Patch

diff --git a/policycoreutils/sandbox/test_sandbox.py b/policycoreutils/sandbox/test_sandbox.py
index 6f54d0c..d5368c2 100644
--- a/policycoreutils/sandbox/test_sandbox.py
+++ b/policycoreutils/sandbox/test_sandbox.py
@@ -1,6 +1,7 @@ 
 import unittest
 import os
 import shutil
+import sys
 from tempfile import mkdtemp
 from subprocess import Popen, PIPE
 
@@ -26,63 +27,63 @@  class SandboxTests(unittest.TestCase):
     def test_simple_success(self):
         "Verify that we can read file descriptors handed to sandbox"
         p1 = Popen(['cat', '/etc/passwd'], stdout=PIPE)
-        p2 = Popen(['sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE)
+        p2 = Popen([sys.executable, 'sandbox', 'grep', 'root'], stdin=p1.stdout, stdout=PIPE)
         out, err = p2.communicate()
         self.assertTrue(b'root' in out)
 
     def test_cant_kill(self):
         "Verify that we cannot send kill signal in the sandbox"
         pid = os.getpid()
-        p = Popen(['sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE)
+        p = Popen([sys.executable, 'sandbox', 'kill', '-HUP', str(pid)], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         self.assertDenied(err)
 
     def test_cant_ping(self):
         "Verify that we can't ping within the sandbox"
-        p = Popen(['sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE)
+        p = Popen([sys.executable, 'sandbox', 'ping', '-c 1 ', '127.0.0.1'], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         self.assertDenied(err)
 
     def test_cant_mkdir(self):
         "Verify that we can't mkdir within the sandbox"
-        p = Popen(['sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE)
+        p = Popen([sys.executable, 'sandbox', 'mkdir', '~/test'], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         self.assertFailure(p.returncode)
 
     def test_cant_list_homedir(self):
         "Verify that we can't list homedir within the sandbox"
-        p = Popen(['sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE)
+        p = Popen([sys.executable, 'sandbox', 'ls', '~'], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         self.assertFailure(p.returncode)
 
     def test_cant_send_mail(self):
         "Verify that we can't send mail within the sandbox"
-        p = Popen(['sandbox', 'mail'], stdout=PIPE, stderr=PIPE)
+        p = Popen([sys.executable, 'sandbox', 'mail'], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         self.assertDenied(err)
 
     def test_cant_sudo(self):
         "Verify that we can't run sudo within the sandbox"
-        p = Popen(['sandbox', 'sudo'], stdout=PIPE, stderr=PIPE)
+        p = Popen([sys.executable, 'sandbox', 'sudo'], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         self.assertFailure(p.returncode)
 
     def test_mount(self):
         "Verify that we mount a file system"
-        p = Popen(['sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE)
+        p = Popen([sys.executable, 'sandbox', '-M', 'id'], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         self.assertSuccess(p.returncode, err)
 
     def test_set_level(self):
         "Verify that we set level a file system"
-        p = Popen(['sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE)
+        p = Popen([sys.executable, 'sandbox', '-l', 's0', 'id'], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         self.assertSuccess(p.returncode, err)
 
     def test_homedir(self):
         "Verify that we set homedir a file system"
         homedir = mkdtemp(dir=".", prefix=".sandbox_test")
-        p = Popen(['sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
+        p = Popen([sys.executable, 'sandbox', '-H', homedir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         shutil.rmtree(homedir)
         self.assertSuccess(p.returncode, err)
@@ -90,7 +91,7 @@  class SandboxTests(unittest.TestCase):
     def test_tmpdir(self):
         "Verify that we set tmpdir a file system"
         tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_test")
-        p = Popen(['sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
+        p = Popen([sys.executable, 'sandbox', '-T', tmpdir, '-M', 'id'], stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         shutil.rmtree(tmpdir)
         self.assertSuccess(p.returncode, err)