diff --git a/0002-Add-an-option-for-running-tests-with-real-modules.patch b/0002-Add-an-option-for-running-tests-with-real-modules.patch new file mode 100644 index 0000000..d381746 --- /dev/null +++ b/0002-Add-an-option-for-running-tests-with-real-modules.patch @@ -0,0 +1,51 @@ +From ec0fa884fe5f3880c76fa08a6dac1fd3abee9d30 Mon Sep 17 00:00:00 2001 +From: Jan Zarsky +Date: Tue, 7 May 2019 10:48:00 +0200 +Subject: [PATCH 1/2] Add an option for running tests with real modules + +For testing purposes, the selinux and semanage modules are mocked. This +allows running the tests without SELinux enabled (e.g. in a container). +On SELinux-enabled systems, it makes sense to rerun the tests with the +actual selinux and semanage modules present on the system. For this +purpose, add a global constant named 'SELINUX_ENABLED'. +--- + tests/test_main.py | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tests/test_main.py b/tests/test_main.py +index 9d8ac6d..08805db 100644 +--- a/tests/test_main.py ++++ b/tests/test_main.py +@@ -22,6 +22,11 @@ from unittest.mock import patch + sys.path.insert(0, os.path.abspath('..')) + import udica.__main__ + ++# Use the selinux and semanage packages provided by the system instead of the mock ones. When ++# running on a system with SELinux disabled (e.g. in a container), it must be set to False. ++# On RHEL, CentOS or Fedora it may be set to True. ++SELINUX_ENABLED = False ++ + class TestMain(unittest.TestCase): + """Test basic functionality of udica""" + +@@ -72,11 +77,17 @@ class TestMain(unittest.TestCase): + # FIXME: the load_policy function is not properly restoring current working directory + self.cwd = os.getcwd() + ++ if SELINUX_ENABLED: ++ sys.path = [path for path in sys.path if path not in (os.getcwd(), '')] ++ + import selinux + importlib.reload(selinux) + import semanage + importlib.reload(semanage) + ++ if SELINUX_ENABLED: ++ sys.path = [''] + sys.path ++ + with patch('sys.argv', args): + with patch('sys.stderr.write') as mock_err, patch('sys.stdout.write') as mock_out: + mock_out.output = "" +-- +2.20.1 + diff --git a/0003-Allow-running-test_main.py-directly.patch b/0003-Allow-running-test_main.py-directly.patch new file mode 100644 index 0000000..52a6752 --- /dev/null +++ b/0003-Allow-running-test_main.py-directly.patch @@ -0,0 +1,33 @@ +From aa7037f35c77ea1bbb78860e7dc3c40509a980d9 Mon Sep 17 00:00:00 2001 +From: Jan Zarsky +Date: Tue, 7 May 2019 11:03:36 +0200 +Subject: [PATCH 2/2] Allow running test_main.py directly + +By default, the tests are run using the 'python3 -m unittest' command. +Allow running 'test_main.py' directly so that the 'selinux_enabled' +argument can be specified. + +When running on SELinux-enabled systems, the tests can be rerun with: + + python3 test_main.py selinux_enabled +--- + tests/test_main.py | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tests/test_main.py b/tests/test_main.py +index 08805db..6f37cbd 100644 +--- a/tests/test_main.py ++++ b/tests/test_main.py +@@ -116,3 +116,9 @@ class TestMain(unittest.TestCase): + self.assertMultiLineEqual(policy, exp_policy) + + os.unlink('my_container.cil') ++ ++if __name__ == "__main__": ++ if 'selinux_enabled' in sys.argv: ++ SELINUX_ENABLED = True ++ sys.argv.remove('selinux_enabled') ++ unittest.main() +-- +2.20.1 + diff --git a/udica.spec b/udica.spec index 17759af..f717a10 100644 --- a/udica.spec +++ b/udica.spec @@ -13,15 +13,16 @@ Requires: python3 python3-libsemanage python3-libselinux BuildRequires: python2 python2-devel python2-setuptools Requires: python2 libsemanage-python libselinux-python %endif -patch00: 0001-Add-allow-rules-for-container_runtime_t-to-base_cont.patch +patch1: 0001-Add-allow-rules-for-container_runtime_t-to-base_cont.patch +patch2: 0002-Add-an-option-for-running-tests-with-real-modules.patch +patch3: 0003-Allow-running-test_main.py-directly.patch %description Tool for generating SELinux security profiles for containers based on inspection of container JSON file. %prep -%setup -q -%patch00 -p1 +%autosetup -p 1 %build %if 0%{?fedora} || 0%{?rhel} > 7