Fix transition test to work with latest selinux policy

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2023-05-30 14:30:49 -04:00 · 2023-05-30 14:30:49 -04:00 · 135b5a8f03
parent 159bf35270
commit 135b5a8f03
11 changed files with 21 additions and 52 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -27,12 +27,12 @@ env:
    ####
    # GCE project where images live
    IMAGE_PROJECT: "libpod-218412"
-    FEDORA_NAME: "fedora-37"
+    FEDORA_NAME: "fedora-38"
-    PRIOR_FEDORA_NAME: "fedora-36"
+    PRIOR_FEDORA_NAME: "fedora-37"
-    DEBIAN_NAME: "debian-12"
+    DEBIAN_NAME: "debian-13"
    # Image identifiers
-    IMAGE_SUFFIX: "c20230405t152256z-f37f36d12"
+    IMAGE_SUFFIX: "c20230614t132754z-f38f37d13"
    FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
    PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
    DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
--- a/go.mod
+++ b/go.mod
@ -9,7 +9,7 @@ require (
 	github.com/containers/common v0.54.0
 	github.com/containers/image/v5 v5.26.0
 	github.com/containers/ocicrypt v1.1.7
-	github.com/containers/storage v1.47.0
+	github.com/containers/storage v1.48.0
 	github.com/cyphar/filepath-securejoin v0.2.3
 	github.com/docker/distribution v2.8.2+incompatible
 	github.com/docker/docker v24.0.2+incompatible
--- a/go.sum
+++ b/go.sum
@ -59,8 +59,8 @@ github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYgle
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
 github.com/containers/ocicrypt v1.1.7 h1:thhNr4fu2ltyGz8aMx8u48Ae0Pnbip3ePP9/mzkZ/3U=
 github.com/containers/ocicrypt v1.1.7/go.mod h1:7CAhjcj2H8AYp5YvEie7oVSK2AhBY8NscCYRawuDNtw=
-github.com/containers/storage v1.47.0 h1:Tl/onL8yE/4QABc2kfPDaTSYijk3QrmXGrO21KXkj58=
+github.com/containers/storage v1.48.0 h1:wiPs8J2xiFoOEAhxHDRtP6A90Jzj57VqzLRXOqeizns=
-github.com/containers/storage v1.47.0/go.mod h1:pRp3lkRo2qodb/ltpnudoXggrviRmaCmU5a5GhTBae0=
+github.com/containers/storage v1.48.0/go.mod h1:pRp3lkRo2qodb/ltpnudoXggrviRmaCmU5a5GhTBae0=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
--- a/tests/conformance/conformance_test.go
+++ b/tests/conformance/conformance_test.go
@ -9,6 +9,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
 	"io/fs"
 	"os"
 	"path/filepath"
 	"reflect"
@ -782,7 +783,7 @@ func fsHeaderForEntry(hdr *tar.Header) FSHeader {
 		Name:     hdr.Name,
 		Linkname: hdr.Linkname,
 		Size:     hdr.Size,
-		Mode:     hdr.Mode,
+		Mode:     (hdr.Mode & int64(fs.ModePerm)),
 		UID:      hdr.Uid,
 		GID:      hdr.Gid,
 		ModTime:  hdr.ModTime,
--- a/tests/selinux.bats
+++ b/tests/selinux.bats
@ -46,10 +46,11 @@ load helpers
  cid=$output
  run_buildah run $cid sh -c 'tr \\0 \\n < /proc/self/attr/current'
  context=$output
-
+  run id -Z
  crole=$(secon -r $output)
  # Role and Type should always be constant. (We don't check user)
  role=$(awk -F: '{print $2}' <<<$context)
-  expect_output --from="$role" "system_r" "SELinux role"
+  expect_output --from="$role" "${crole}" "SELinux role"
  type=$(awk -F: '{print $3}' <<<$context)
  expect_output --from="$type" "spc_t" "SELinux type"
--- a/vendor/github.com/containers/storage/VERSION
+++ b/vendor/github.com/containers/storage/VERSION
@ -1 +1 @@
-1.47.0
+1.48.0
--- a/vendor/github.com/containers/storage/pkg/archive/archive.go
+++ b/vendor/github.com/containers/storage/pkg/archive/archive.go
@ -131,16 +131,6 @@ const (
 	OverlayWhiteoutFormat
 )
 const (
 	modeISDIR  = 0o40000  // Directory
 	modeISFIFO = 0o10000  // FIFO
 	modeISREG  = 0o100000 // Regular file
 	modeISLNK  = 0o120000 // Symbolic link
 	modeISBLK  = 0o60000  // Block special file
 	modeISCHR  = 0o20000  // Character special file
 	modeISSOCK = 0o140000 // Socket
 )
 // IsArchivePath checks if the (possibly compressed) file at the given path
 // starts with a tar file header.
 func IsArchivePath(path string) bool {
@ -358,7 +348,7 @@ func FileInfoHeader(name string, fi os.FileInfo, link string) (*tar.Header, erro
 	if err != nil {
 		return nil, err
 	}
-	hdr.Mode = fillGo18FileTypeBits(int64(chmodTarEntry(os.FileMode(hdr.Mode))), fi)
+	hdr.Mode = int64(chmodTarEntry(os.FileMode(hdr.Mode)))
 	name, err = canonicalTarName(name, fi.IsDir())
 	if err != nil {
 		return nil, fmt.Errorf("tar: cannot canonicalize path: %w", err)
@ -370,31 +360,6 @@ func FileInfoHeader(name string, fi os.FileInfo, link string) (*tar.Header, erro
 	return hdr, nil
 }
 // fillGo18FileTypeBits fills type bits which have been removed on Go 1.9 archive/tar
 // https://github.com/golang/go/commit/66b5a2f
 func fillGo18FileTypeBits(mode int64, fi os.FileInfo) int64 {
 	fm := fi.Mode()
 	switch {
 	case fm.IsRegular():
 		mode |= modeISREG
 	case fi.IsDir():
 		mode |= modeISDIR
 	case fm&os.ModeSymlink != 0:
 		mode |= modeISLNK
 	case fm&os.ModeDevice != 0:
 		if fm&os.ModeCharDevice != 0 {
 			mode |= modeISCHR
 		} else {
 			mode |= modeISBLK
 		}
 	case fm&os.ModeNamedPipe != 0:
 		mode |= modeISFIFO
 	case fm&os.ModeSocket != 0:
 		mode |= modeISSOCK
 	}
 	return mode
 }
 // ReadSecurityXattrToTarHeader reads security.capability, security,image
 // xattrs from filesystem to a tar header
 func ReadSecurityXattrToTarHeader(path string, hdr *tar.Header) error {
--- a/vendor/github.com/containers/storage/pkg/regexp/regexp.go
+++ b/vendor/github.com/containers/storage/pkg/regexp/regexp.go
@ -10,7 +10,9 @@ import (
 // used as global variables. Using this structure helps speed the startup time
 // of apps that want to use global regex variables. This library initializes them on
 // first use as opposed to the start of the executable.
-type Regexp = *regexpStruct
+type Regexp struct {
 	*regexpStruct
 }
 type regexpStruct struct {
 	_      noCopy
@ -26,7 +28,7 @@ func Delayed(val string) Regexp {
 	if precompile {
 		re.regexp = regexp.MustCompile(re.val)
 	}
-	return re
+	return Regexp{re}
 }
 func (re *regexpStruct) compile() {
--- a/vendor/github.com/containers/storage/pkg/unshare/unshare_freebsd.go
+++ b/vendor/github.com/containers/storage/pkg/unshare/unshare_freebsd.go
@ -59,7 +59,7 @@ func (c *Cmd) Start() error {
 	if err != nil {
 		pidRead.Close()
 		pidWrite.Close()
-		return fmt.Errorf("creating pid pipe: %w", err)
+		return fmt.Errorf("creating continue read/write pipe: %w", err)
 	}
 	c.Env = append(c.Env, fmt.Sprintf("_Containers-continue-pipe=%d", len(c.ExtraFiles)+3))
 	c.ExtraFiles = append(c.ExtraFiles, continueRead)
--- a/vendor/github.com/containers/storage/pkg/unshare/unshare_linux.go
+++ b/vendor/github.com/containers/storage/pkg/unshare/unshare_linux.go
@ -129,7 +129,7 @@ func (c *Cmd) Start() error {
 	if err != nil {
 		pidRead.Close()
 		pidWrite.Close()
-		return fmt.Errorf("creating pid pipe: %w", err)
+		return fmt.Errorf("creating continue read/write pipe: %w", err)
 	}
 	c.Env = append(c.Env, fmt.Sprintf("_Containers-continue-pipe=%d", len(c.ExtraFiles)+3))
 	c.ExtraFiles = append(c.ExtraFiles, continueRead)
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -222,7 +222,7 @@ github.com/containers/ocicrypt/keywrap/pkcs7
 github.com/containers/ocicrypt/spec
 github.com/containers/ocicrypt/utils
 github.com/containers/ocicrypt/utils/keyprovider
-# github.com/containers/storage v1.47.0
+# github.com/containers/storage v1.48.0
 ## explicit; go 1.19
 github.com/containers/storage
 github.com/containers/storage/drivers