RFE: allow running without IPv6 support

tests/extended_socket_class/test

@@ -1,7 +1,17 @@
 #!/usr/bin/perl
 
 use Test;
-BEGIN { plan tests => 16 }
+
+BEGIN {
+    if ( system("test -f /proc/net/if_inet6") eq 0 ) {
+        $test_ipv6 = 1;
+        plan tests => 16;
+    }
+    else {
+        $test_ipv6 = 0;
+        plan tests => 10;
+    }
+}
 
 $basedir = $0;
 $basedir =~ s|(.*)/[^/]*|$1|;
@@ -20,17 +30,20 @@ $result = system(
 );
 ok($result);
 
-# Verify that test_icmp_socket_t can create an ICMPv6 socket.
-$result = system(
+if ($test_ipv6) {
+
+    # Verify that test_icmp_socket_t can create an ICMPv6 socket.
+    $result = system(
 "runcon -t test_icmp_socket_t -- $basedir/sockcreate inet6 dgram icmpv6 2>&1"
-);
-ok( $result, 0 );
+    );
+    ok( $result, 0 );
 
-# Verify that test_no_icmp_socket_t cannot create an ICMPv6 socket.
-$result = system(
+    # Verify that test_no_icmp_socket_t cannot create an ICMPv6 socket.
+    $result = system(
 "runcon -t test_no_icmp_socket_t -- $basedir/sockcreate inet6 dgram icmpv6 2>&1"
-);
-ok($result);
+    );
+    ok($result);
+}
 
 # Restore to the kernel defaults - no one allowed to create ICMP sockets.
 system("echo 1 0 > /proc/sys/net/ipv4/ping_group_range");
@@ -59,29 +72,32 @@ $result = system(
 );
 ok($result);
 
-# Verify that test_sctp_socket_t can create an IPv6 stream SCTP socket.
-$result = system(
-    "runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1"
-);
-ok( $result, 0 );
+if ($test_ipv6) {
 
-# Verify that test_no_sctp_socket_t cannot create an IPv6 stream SCTP socket.
-$result = system(
+    # Verify that test_sctp_socket_t can create an IPv6 stream SCTP socket.
+    $result = system(
+"runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1"
+    );
+    ok( $result, 0 );
+
+   # Verify that test_no_sctp_socket_t cannot create an IPv6 stream SCTP socket.
+    $result = system(
 "runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet6 stream sctp 2>&1"
-);
-ok($result);
+    );
+    ok($result);
 
-# Verify that test_sctp_socket_t can create an IPv6 seqpacket SCTP socket.
-$result = system(
+    # Verify that test_sctp_socket_t can create an IPv6 seqpacket SCTP socket.
+    $result = system(
 "runcon -t test_sctp_socket_t -- $basedir/sockcreate inet6 seqpacket sctp 2>&1"
-);
-ok( $result, 0 );
+    );
+    ok( $result, 0 );
 
 # Verify that test_no_sctp_socket_t cannot create an IPv6 seqpacket SCTP socket.
-$result = system(
+    $result = system(
 "runcon -t test_no_sctp_socket_t -- $basedir/sockcreate inet6 seqpacket sctp 2>&1"
-);
-ok($result);
+    );
+    ok($result);
+}
 
 # Verify that test_bluetooth_socket_t can create a Bluetooth socket.
 $result = system(

tests/inet_socket/ipsec-load

@@ -11,7 +11,9 @@ ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto tcp dir out ctx "system_u:o
 ip xfrm policy add src 127.0.0.1 dst 127.0.0.1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
 
 # IPv6 loopback
-ip xfrm state add src ::1 dst ::1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345
-ip xfrm state add src ::1 dst ::1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345
-ip xfrm policy add src ::1 dst ::1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
-ip xfrm policy add src ::1 dst ::1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+if test -f /proc/net/if_inet6; then
+	ip xfrm state add src ::1 dst ::1 proto ah spi 0x200 ctx $goodclientcon auth sha1 0123456789012345
+	ip xfrm state add src ::1 dst ::1 proto ah spi 0x250 ctx $badclientcon auth sha1 0123456789012345
+	ip xfrm policy add src ::1 dst ::1 proto tcp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+	ip xfrm policy add src ::1 dst ::1 proto udp dir out ctx "system_u:object_r:test_spd_t:s0" tmpl proto ah mode transport level required
+fi

tests/inet_socket/server.c

@@ -39,12 +39,16 @@ int main(int argc, char **argv)
 	socklen_t sinlen;
 	struct sockaddr_storage sin;
 	struct addrinfo hints, *res;
+	sa_family_t family = AF_INET;
 	char byte;
 	bool nopeer = false;
 	char *flag_file = NULL;
 
-	while ((opt = getopt(argc, argv, "f:n")) != -1) {
+	while ((opt = getopt(argc, argv, "6f:n")) != -1) {
 		switch (opt) {
+		case '6':
+			family = AF_INET6;
+			break;
 		case 'f':
 			flag_file = optarg;
 			break;
@@ -61,7 +65,7 @@ int main(int argc, char **argv)
 
 	memset(&hints, 0, sizeof(struct addrinfo));
 	hints.ai_flags = AI_PASSIVE;
-	hints.ai_family = AF_INET6;
+	hints.ai_family = family;
 
 	if (!strcmp(argv[optind], "stream")) {
 		hints.ai_socktype = SOCK_STREAM;

tests/inet_socket/test

@@ -5,11 +5,13 @@ BEGIN {
     $basedir = $0;
     $basedir =~ s|(.*)/[^/]*|$1|;
 
-    $test_count = 38;
+    $test_count_ipv4 = 34;
+    $test_count_ipv6 = 4;
 
     $test_ipsec = 0;
     if ( system("ip xfrm policy help 2>&1 | grep -q ctx") eq 0 ) {
-        $test_count += 8;
+        $test_count_ipv4 += 4;
+        $test_count_ipv6 += 4;
         $test_ipsec = 1;
     }
 
@@ -23,10 +25,17 @@ BEGIN {
 
     $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
     if ( $netlabelctl gt "021" and $rc > 0 ) {
-        $test_count += 3;
+        $test_count_ipv6 += 3;
         $test_calipso_stream = 1;
     }
 
+    $test_count = $test_count_ipv4;
+    $test_ipv6  = 0;
+    if ( system("test -f /proc/net/if_inet6") eq 0 ) {
+        $test_count += $test_count_ipv6;
+        $test_ipv6 = 1;
+    }
+
     plan tests => $test_count;
 }
 
@@ -298,16 +307,6 @@ if ($test_ipsec) {
 "runcon -t test_inet_bad_client_t -- $basedir/client stream 127.0.0.1 65535 2>&1";
     ok( $result >> 8 eq 5 );
 
-    # Verify that authorized client can communicate with the server.
-    $result =
-      system "runcon -t test_inet_client_t $basedir/client stream ::1 65535";
-    ok( $result eq 0 );
-
-    # Verify that unauthorized client cannot communicate with the server.
-    $result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1";
-    ok( $result >> 8 eq 5 );
-
     # Kill the server.
     server_end($pid);
 
@@ -325,24 +324,50 @@ if ($test_ipsec) {
 "runcon -t test_inet_bad_client_t -- $basedir/client dgram 127.0.0.1 65535 2>&1";
     ok( $result >> 8 eq 8 );
 
-    # Verify that unauthorized client cannot communicate with the server.
-    $result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1";
-    ok( $result >> 8 eq 8 );
-
     # Kill the server.
     server_end($pid);
 
-# Start the dgram server for IPSEC test using IPv6 but do not request peer context.
-    $pid = server_start( "-t test_inet_server_t", "-n dgram 65535" );
+    if ($test_ipv6) {
 
-    # This test now passes.
-    $result = system
-      "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
-    ok( $result eq 0 );
+        # Start the IPv6 stream server.
+        $pid = server_start( "-t test_inet_server_t", "-6 stream 65535" );
 
-    # Kill the server.
-    server_end($pid);
+        # Verify that authorized client can communicate with the server.
+        $result = system
+          "runcon -t test_inet_client_t $basedir/client stream ::1 65535";
+        ok( $result eq 0 );
+
+        # Verify that unauthorized client cannot communicate with the server.
+        $result = system
+"runcon -t test_inet_bad_client_t -- $basedir/client stream ::1 65535 2>&1";
+        ok( $result >> 8 eq 5 );
+
+        # Kill the server.
+        server_end($pid);
+
+        # Start the IPv6 dgram server.
+        $pid = server_start( "-t test_inet_server_t", "-6 dgram 65535" );
+
+        # Verify that unauthorized client cannot communicate with the server.
+        $result = system
+"runcon -t test_inet_bad_client_t -- $basedir/client dgram ::1 65535 2>&1";
+        ok( $result >> 8 eq 8 );
+
+        # Kill the server.
+        server_end($pid);
+
+        # Start the dgram server for IPSEC test using IPv6 but do not request
+        # peer context.
+        $pid = server_start( "-t test_inet_server_t", "-6n dgram 65535" );
+
+        # This test now passes.
+        $result = system
+"runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
+        ok( $result eq 0 );
+
+        # Kill the server.
+        server_end($pid);
+    }
 
     # Flush IPSEC configuration.
     system "/bin/sh $basedir/ipsec-flush";
@@ -364,16 +389,6 @@ $result = system
 "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream 127.0.0.1 65535 2>&1";
 ok( $result >> 8 eq 5 );
 
-# Verify that authorized client can communicate with the server.
-$result = system
-  "runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535";
-ok( $result eq 0 );
-
-# Verify that unauthorized client cannot communicate with the server.
-$result = system
-"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1";
-ok( $result >> 8 eq 5 );
-
 # Kill the server.
 server_end($pid);
 
@@ -390,41 +405,69 @@ $result = system
 "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram 127.0.0.1 65535 2>&1";
 ok( $result >> 8 eq 8 );
 
-# Verify that authorized client can communicate with the server.
-$result = system
-  "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
-ok( $result eq 0 );
+# Kill the server.
+server_end($pid);
 
-# Verify that unauthorized client cannot communicate with the server.
-$result = system
+if ($test_ipv6) {
+
+    # Start the IPv6 stream server.
+    $pid = server_start( "-t test_inet_server_t", "-6n stream 65535" );
+
+    # Verify that authorized client can communicate with the server.
+    $result = system
+"runcon -t test_inet_client_t -- $basedir/client -e nopeer stream ::1 65535";
+    ok( $result eq 0 );
+
+    # Verify that unauthorized client cannot communicate with the server.
+    $result = system
+"runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer stream ::1 65535 2>&1";
+    ok( $result >> 8 eq 5 );
+
+    # Kill the server.
+    server_end($pid);
+
+    # Start the IPv6 dgram server.
+    $pid = server_start( "-t test_inet_server_t", "-6n dgram 65535" );
+
+    # Verify that authorized client can communicate with the server.
+    $result = system
+      "runcon -t test_inet_client_t $basedir/client -e nopeer dgram ::1 65535";
+    ok( $result eq 0 );
+
+    # Verify that unauthorized client cannot communicate with the server.
+    $result = system
 "runcon -t test_inet_bad_client_t -- $basedir/client -e nopeer dgram ::1 65535 2>&1";
-ok( $result >> 8 eq 8 );
+    ok( $result >> 8 eq 8 );
 
-# Kill the server.
-server_end($pid);
+    # Kill the server.
+    server_end($pid);
+}
 
 # Flush iptables configuration.
 system "/bin/sh $basedir/iptables-flush";
 
-if ($test_calipso_stream) {
+if ( $test_ipv6 and $test_calipso_stream ) {
 
     # Load NetLabel configuration for CALIPSO/IPv6 labeling over loopback.
     system "/bin/sh $basedir/calipso-load";
 
     # Start the stream server.
-    $pid = server_start( "-t test_inet_server_t -l s0:c0.c10", "stream 65535" );
+    $pid =
+      server_start( "-t test_inet_server_t -l s0:c0.c10", "-6 stream 65535" );
 
     # Verify that authorized client can communicate with the server.
     $result = system
 "runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream ::1 65535";
     ok( $result eq 0 );
 
-# Verify that authorized client can communicate with the server using different valid level.
+    # Verify that authorized client can communicate with the server using
+    # different valid level.
     $result = system
 "runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e  system_u:object_r:netlabel_peer_t:s0:c8.c10 stream ::1 65535";
     ok( $result eq 0 );
 
-# Verify that authorized client cannot communicate with the server using invalid level.
+    # Verify that authorized client cannot communicate with the server using
+    # invalid level.
     $result = system
 "runcon -t test_inet_client_t -l s0:c8.c12 -- $basedir/client stream ::1 65535 2>&1";
     ok( $result >> 8 eq 5 );