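#!/usr/bin/env bash

# SPDX-FileCopyrightText: Copyright The Lima Authors
# SPDX-License-Identifier: Apache-2.0

# Verifies the SELinux context Lima attaches to guest mounts:
#   - the Rosetta mount (Apple silicon hosts only):  bin_t
#   - host bind mounts ($HOME and /tmp/lima):        nfs_t
# Both the live `mount` table and /etc/fstab inside the guest are checked.
#
# Usage: test-selinux.sh NAME    (NAME is the Lima instance to inspect)
# Requires INFO/ERROR from common.inc.sh. Exits 1 on the first mismatch,
# or when an expected mount entry is missing altogether.

set -eu -o pipefail

scriptdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=common.inc.sh
source "${scriptdir}/common.inc.sh"

if [ "$#" -ne 1 ]; then
  ERROR "Usage: $0 NAME"
  exit 1
fi

NAME="$1"
##########################################################################################
## When using vz & virtiofs, initially container_file_t selinux label
## was considered which works perfectly for container workloads
## but it might break for other workloads if the process is running with a
## different label. Also these are the remote mounts from the host machine,
## so keeping the label as nfs_t fits right. Package container-selinux by
## default adds rules for nfs_t context which allows container workloads to work as well.
## https://github.com/lima-vm/lima/pull/1965
##
## With integration[https://github.com/lima-vm/lima/pull/2474] with systemd-binfmt,
## the existing "nfs_t" selinux label for Rosetta is causing issues while registering it.
## This behaviour needs to be fixed by setting the label as "bin_t"
## https://github.com/lima-vm/lima/pull/2630
##########################################################################################

#######################################
# Check that every entry of a mount table that mentions a path carries
# the expected SELinux context in its options column.
# Arguments:
#   $1 - path (or other literal) to look for; matched with grep -F, so
#        characters like '.' in $HOME are not treated as regex metas
#   $2 - table text: output of `mount`, or the contents of /etc/fstab
#   $3 - 1-based awk column holding the mount options ($6 for `mount`,
#        $4 for fstab)
#   $4 - expected context fragment, e.g. context=system_u:object_r:nfs_t:s0
# Outputs:
#   an INFO line with expected/got via common.inc.sh
# Returns:
#   0 if every matching entry carries the context; 1 if any entry lacks
#   it, or if no entry matches at all (a missing mount is a failure, not
#   a pass)
#######################################
check_context() {
  local needle="$1" table="$2" column="$3" expected="$4"
  local got opts matched=0

  # `|| true`: with set -e + pipefail, a grep with no match would otherwise
  # abort the script silently, before any diagnostic is printed. The
  # "no entry" case is reported explicitly below instead.
  got="$(grep -F -- "$needle" <<<"$table" | awk -v c="$column" '{print $c}' || true)"
  INFO "secontext ${needle}: expected=${expected}, got=${got}"

  # Check each matching entry on its own. Pattern-matching the whole
  # multi-line string would let one correctly labelled mount hide a
  # mislabelled sibling (e.g. a nested mount under $HOME).
  while IFS= read -r opts; do
    [[ -n "$opts" ]] || continue
    matched=1
    # "$expected" is quoted so it is compared literally, not as a glob.
    if [[ "$opts" != *"$expected"* ]]; then
      return 1
    fi
  done <<<"$got"

  [[ "$matched" -eq 1 ]]
}

# Fetch each guest-side table once. A failing `limactl shell` stops the
# script here (set -e) with its own error, rather than being hidden inside
# a pipeline whose status is swallowed by the `|| true` above.
mount_table="$(limactl shell "$NAME" mount)"
fstab_table="$(limactl shell "$NAME" cat /etc/fstab)"

INFO "Testing secontext is set for rosetta"
expected="context=system_u:object_r:bin_t:s0"
# Skip Rosetta checks for x86 GHA mac runners: Rosetta is only mounted on
# Apple silicon hosts, so there is no entry to verify elsewhere.
if [[ "$(uname)" == "Darwin" && "$(arch)" == "arm64" ]]; then
  INFO "Testing secontext is set for rosetta mounts"
  if ! check_context "rosetta" "$mount_table" 6 "$expected"; then
    ERROR "secontext for rosetta mount is not set or Invalid"
    exit 1
  fi
fi

INFO "Testing secontext is set for bind mounts"
expected="context=system_u:object_r:nfs_t:s0"
INFO "Checking in mounts"
if ! check_context "$HOME" "$mount_table" 6 "$expected"; then
  ERROR "secontext for \"$HOME\" dir is not set or Invalid"
  exit 1
fi
if ! check_context "/tmp/lima" "$mount_table" 6 "$expected"; then
  ERROR 'secontext for "/tmp/lima" dir is not set or Invalid'
  exit 1
fi

INFO "Checking in fstab file"
# fstab stores the context value quoted; the live mount table does not.
expected='context="system_u:object_r:nfs_t:s0"'
if ! check_context "$HOME" "$fstab_table" 4 "$expected"; then
  ERROR "secontext for \"$HOME\" dir is not set or Invalid"
  exit 1
fi
if ! check_context "/tmp/lima" "$fstab_table" 4 "$expected"; then
  ERROR 'secontext for "/tmp/lima" dir is not set or Invalid'
  exit 1
fi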