From 15986d929757aec059f5cb5695b9f793384e3b94 Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Sat, 13 Jun 2020 19:38:18 +0200
Subject: [PATCH] test: add selinux stage test

Add a simple check for the selinux check by building the f32-base image with an added selinux stage. Use the options from a test json file and verify the labels against a set of labels given in the aforementioned test file.
---
 test/data/stages/selinux/test_basic.json | 15 ++++++++++++
 test/run/test_stages.py | 31 ++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 test/data/stages/selinux/test_basic.json
diff --git a/test/data/stages/selinux/test_basic.json b/test/data/stages/selinux/test_basic.json
new file mode 100644
index 00000000..d15fafb4
--- /dev/null
+++ b/test/data/stages/selinux/test_basic.json
@@ -0,0 +1,15 @@
+{
+ "options": {
+ "file_contexts": "etc/selinux/targeted/contexts/files/file_contexts"
+ },
+ "labels": {
+ "/bin": "system_u:object_r:bin_t:s0",
+ "/boot": "system_u:object_r:boot_t:s0",
+ "/dev": "system_u:object_r:device_t:s0",
+ "/etc": "system_u:object_r:etc_t:s0",
+ "/home": "system_u:object_r:home_root_t:s0",
+ "/lib": "system_u:object_r:lib_t:s0",
+ "/usr": "system_u:object_r:usr_t:s0",
+ "/usr/bin/cp": "system_u:object_r:bin_t:s0"
+ }
+}
diff --git a/test/run/test_stages.py b/test/run/test_stages.py
index 91de7671..b6fef7dc 100644
--- a/test/run/test_stages.py
+++ b/test/run/test_stages.py
@@ -10,6 +10,7 @@ import pprint
 import tempfile
 import unittest
+from osbuild.util import selinux
 from .. import test
@@ -127,3 +128,33 @@ class TestStages(test.TestBase):
 test_name = os.path.basename(test_path)
 with self.subTest(stage=test_name):
 self.run_stage_diff_test(test_path)
+
+ def test_selinux(self):
+ datadir = self.locate_test_data()
+ testdir = os.path.join(datadir, "stages", "selinux")
+
+ def load_manifest(manifest_name):
+ with open(os.path.join(datadir, f"manifests/{manifest_name}")) as f:
+ manifest = json.load(f)
+ return manifest
+
+ with self.osbuild as osb:
+
+ for t in glob.glob(f"{testdir}/test_*.json"):
+ manifest = load_manifest("f32-base.json")
+ with open(t) as f:
+ check = json.load(f)
+ manifest["pipeline"]["stages"].append({
+ "name": "org.osbuild.selinux",
+ "options": check["options"]
+ })
+
+ jsdata = json.dumps(manifest)
+ treeid = osb.treeid_from_manifest(jsdata)
+ osb.compile(jsdata, checkpoints=[treeid])
+ ctx = osb.map_object(treeid)
+
+ with ctx as tree:
+ for path, want in check["labels"].items():
+ have = selinux.getfilecon(f"{tree}/{path}")
+ self.assertEqual(have, want)
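Review bot: The label check in `test_selinux` can pass without verifying anything, and when it does fail it does not say which path was mislabeled. If `glob.glob(f"{testdir}/test_*.json")` matches nothing (for example because the data directory is not where `locate_test_data()` points), the loop body never runs and the test is green; collecting the matches into a list first and adding `self.assertTrue(tests, "no selinux test data found")` would catch that. In the inner loop, `self.assertEqual(have, want)` stops at the first mismatch and reports only the two contexts; `self.assertEqual(have, want, msg=path)`, or a `with self.subTest(path=path):` wrapper like the `subTest(stage=test_name)` in the context lines above, would name the path and keep checking the remaining labels. The keys under `labels` are absolute, so `f"{tree}/{path}"` yields a doubled slash; it resolves correctly, but `os.path.join(tree, path.lstrip("/"))` states the intent more clearly. The enclosing `TestStages` class starts outside this hunk.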