Add Help.fmf

containers · Jul 24, 2024 · 7faf3aa · 7faf3aa
2 parents aeb7478 + 0322896
commit 7faf3aa
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 50 deletions.
diff --git a/tests/e2e/tools/FFI/selinux/README.md b/tests/e2e/tools/FFI/selinux/README.md
@@ -0,0 +1,25 @@
+This test case should test inside QM the command setenforce 0 which must fail.
+
+bash-5.1# setenforce 0
+setenforce: security_setenforce() failed: Permission denied
+
+What is Selinux?
+A test tool insures that inside the QM the command setenforce 0 must fail.
+
+Why?
+QM environment should not allow setenforce to change its state and must always fail.
+It should be validated via FFI tests.
+
+How the deny is made?
+SELinux internal policies prevent a user inside QM change the SELinux setstaus.
+
+How to test?
+
+podman exec -it qm setenforce 0
+setenforce: security_setenforce() failed: Permission denied
+
+or
+
+podman exec -it qm bash
+bash-5.1# setenforce 0
+setenforce: security_setenforce() failed: Permission denied
diff --git a/tests/ffi/selinux/test.sh b/tests/ffi/selinux/test.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
 
-
-
 # shellcheck disable=SC1091
 
 . ../common/prepare.sh
@@ -14,56 +12,15 @@ reload_config
 expected_value="setenforce: security_setenforce() failed: Permission denied"
 
 # Get setenforce 0 permission denied from qm.
-setenforce_0=$(podman exec qm /bin/bash -c \
- "podman exec qm setenforce 0 2>&1" | grep -c "setenforce: security_setenforce() failed: Permission denied")
+setenforce_0=$(podman exec -it qm setenforce 0)
 
 echo "This is what qm returns $setenforce_0"
 
-if [ "$setenforce_0" -eq "$expected_value" ];then
- info_message "Attempt to change Selinux enforcement to 0 denied successfully inside QM container."
- exit 0
+#Check if setenforce 0 succeeds in QM container and fail the test if it does.
+if [[ $setenforce_0 != *"$expected_value"* ]];then
+ echo "Attempt to change Selinux enforcement to 0 succeeded inside QM container. Test failed."
+ exit 1
 fi
 
-
-
-
-
-# This is my script that I use for the different repo
-# I would definitely check how other test.sh look in th qm repo, get some inspiration (for example here)
-
-# Specify files that you need and those files are not in your directory
-# In your case it's prepare.sh
-#. $(dirname $(readlink --canonicalize $0))/../../common.sh
-
-#You need some test image that podman will use (this one is created in common.sh, so I guess yours will be in prepare.sh - look at the prepare.sh)
-#For the test image you can define some parameters like what program you need there (procps in my case)
-#test_image=$(build_container_image procps)
-
-# Echo - see some parameters or messages in the terminal while running the script.
-#echo "Starting container with interference:."
-
-# Podman run is basic command how to run a container
-# But you need to some parameters to configure it
-# --detach is parameter for podman (yours will be different, depends on what you need from the container, see podman manual)
-# $CONTAINER_PARAMS are parameters that are defined somwhere for example in the common.sh where the test image is created 
-# $CONFUSION_OPTS are parameters that I define for my test and are written somewhere else, in my case $CONFUSION_OPTS --pids-limit=100 
-# --name confusion is the name of the container, that you need to specify
-# test_image is the image that you need for your container
-#podman run --detach $CONTAINER_PARAMS $CONFUSION_OPTS --name confusion $test_image
-
-# podman cp copies your script .sh (in my case forkbomb.sh) to the container (you have to specify the name of the container, in my case confusion)
-#podman cp forkbomb.sh confusion:/usr/local/forkbomb.sh
-#echo "Starting forkbomb in the container."
-# podman exec is for executing some command in your container (in my case ps -e | wc -l)
-# -it are parameters for podman, see manual, confusion is name of the container, sh is bash -c is parameter for bash, see bash manual)
-#podman exec -it confusion sh -c "ps -e | wc -l"
-# podman exec will run your .sh script (in my case forkbomb.sh), >/dev/null 2>&1 means tah you wont see the output in your terminal
-#podman exec --detach confusion '/usr/local/forkbomb.sh' >/dev/null 2>&1
-
-
-# Basics
-# podman run -podman_parameters container_parameters your_parameters --name container_name image
-# podman cp bash_script.sh container_name:/where_is_the_script_you_need\
-# podman exec -podman_parameters container_name bash bash_parameter 'bash_command'
-# podman exec -podman_parameters container_name 'your_script'
-
+echo "Attempt to change Selinux enforcement to 0 denied successfully inside QM container."
+exit 0