image-info: changes related to reading SELinux labels unknown to host

When `image-info` inspects ostree images, the `/usr/etc` is bind-mounted to `/etc`. This results in conflicting SELinux policy specification for these files and makes the outcome dependent on the `setfiles` build. All the files in `/etc` have mismatch in the expected vs. actual SELinux context. Exclude `/etc` from the check of SELinux ctx mismatches in case the analysed tree is from an ostree-based image. Sort the list returned `read_selinux_ctx_mismatch()` based on the item's `filename` key, to make the result consistent across runs. `image-info` can not read SELinux labels from the images, which are not known to the host. This makes the report content depend on the host environment. As a temporary workaround, relabel the image-info script with osbuild_exec_t label to allow it to read unknown SELinux labels. Modify documentation in `test/README.md` to explain the issue with `image-info` and unknown SELinux labels. Modify the `generate-all-test-cases` to relabel `image-info` before generating test cases. Modify the `image_tests.sh` to relabel `image-info` before running image test cases. Add 'tar' image for 'rhel-8' on 's390x' back to the matrix of generated test cases, as it was removed by mistake. Regenerate the image test case. Remove 'tar' image from 'rhel-84' on 's390x' from the matrix of generated test cases, as it is not supported. Regenerate all affected image test cases. Signed-off-by: Tomas Hozza <thozza@redhat.com>
2021-06-11 12:40:15 +02:00 · 2021-06-11 12:40:15 +02:00 · bce603586e
commit bce603586e
parent 95cd5b782e
26 changed files with 134 additions and 144862 deletions
--- a/test/README.md
+++ b/test/README.md
@ -74,6 +74,18 @@ the same architecture, as the one intended for the generated test
 cases. In other words, you need to generate e.g test cases for `aarch64`
 images on an `aarch64` host.

+**Important Note:** `image-info` by default won't be able to read SELinux
+labels used in the image, which are unknown to the host's policy. If you are
+generating the image test case using
+`tools/test-case-generators/generate-test-cases`, you'll have to relabel the
+`image-info` tool with `osbuild_exec_t` in order to get correct report.
+
+You can do this by running:
+```bash
+OSBUILD_LABEL=$(matchpathcon -n $(which osbuild))
+chcon $OSBUILD_LABEL tools/image-info
+```
+
 Alternatively to (re)generate test cases for all architectures, or just
 the ones different from your host's architecture, you can use the tool
 `tools/test-case-generators/generate-all-test-cases`. It creates
@ -81,8 +93,10 @@ an ephemeral virtual machine for each necessary architecture using the
 `qemu-system-<arch>` command and generates test cases using the
 `generate-test-cases` tool inside the virtual machine. It is important
 to note that test case generation in virtual machines may take several
-hours. The `generate-all-test-cases` currently does not work with RHEL
-images because of missing "9p" filesystem support.
+hours. The script also handles the "unknown SELinux labels" issue automatically
+for you and produces correct reports. The `generate-all-test-cases` currently
+does not work with RHEL images because of missing "9p" filesystem support.
+It also does not work on MacOS due to missing support for virtfs in QEMU.

 ### Setting up Azure upload tests