Re: [PATCH] ci: run SE Linux kernel test suite

On Tue, May 19, 2020 at 11:15 AM <bill.c.roberts@xxxxxxxxx> wrote:
> From: William Roberts <william.c.roberts@xxxxxxxxx>
>
> The current CI runs the userspace tooling and libraries against
> policy files, but cannot test against an SE Linux enabled kernel. Thus,
> some tests are not being done in the CI. Travis, unfortunately, only
> provides Ubuntu images, so in order to run against a modern distro with
> SE Linux in enforcing mode, we need to launch a KVM with something like
> Fedora.
>
> This patch enables this support by launching a Fedora32 Cloud Image with
> the selinux userspace library passed on from the travis clone; it then
> builds and replaces the current selinux bits on the Fedora image and
> runs the SE Linux testsuite.
>
> Signed-off-by: William Roberts <william.c.roberts@xxxxxxxxx>
> ---
>  .travis.yml                      |   8 +++
>  scripts/ci/README.md             |   8 +++
>  scripts/ci/fedora-test-runner.sh |  79 +++++++++++++++++++++
>  scripts/ci/travis-kvm-setup.sh   | 113 +++++++++++++++++++++++++++++++
>  4 files changed, 208 insertions(+)
>  create mode 100644 scripts/ci/README.md
>  create mode 100755 scripts/ci/fedora-test-runner.sh
>  create mode 100755 scripts/ci/travis-kvm-setup.sh

...

> diff --git a/scripts/ci/fedora-test-runner.sh b/scripts/ci/fedora-test-runner.sh
> new file mode 100755
> index 000000000000..8d4b1bf7b8f5
> --- /dev/null
> +++ b/scripts/ci/fedora-test-runner.sh
> @@ -0,0 +1,79 @@
> +#!/usr/bin/env bash
> +
> +set -ev
> +
> +# CI Debug output if things go squirrely.
> +getenforce
> +id -Z
> +nproc
> +pwd
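Review bot: the debug block prints `getenforce` but nothing checks its value, so if the cloud image or a later setup step leaves the guest permissive the suite still runs and the job goes green without exercising the enforcing path the commit message is about. Add a check such as `[ "$(getenforce)" = Enforcing ]` (or an explicit `setenforce 1` immediately before `make test`, if setup is meant to happen permissive) so a non-enforcing guest fails the job early and visibly.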

Granted my automated testing experience has been with Fedora Rawhide
and not the stable Fedora releases, but there have been occasions
where the system is broken in some way which prevents the necessary
test setup.  My current approach is to put the system in permissive
mode and leave it there until just before I run my tests.

> +dnf install -y \

Another speaking from experience comment: you probably want to add
"--allowerasing" and "--skip-broken" to the dnf command line.  If you
can cope with the extra overhead, I would even suggest a "dnf clean
all -y" at the start.

> +    git \
> +    audit-libs-devel \
> +    bison \
> +    bzip2-devel \
> +    CUnit-devel \
> +    diffutils \
> +    flex \
> +    gcc \
> +    gettext \
> +    glib2-devel \
> +    make \
> +    libcap-devel \
> +    libcap-ng-devel \
> +    pam-devel \
> +    pcre-devel \
> +    xmlto \
> +    python3-devel \
> +    ruby-devel \
> +    swig \
> +    perl-Test \
> +    perl-Test-Harness \
> +    perl-Test-Simple \
> +    selinux-policy-devel \
> +    gcc \
> +    libselinux-devel \
> +    net-tools \
> +    netlabel_tools \
> +    iptables \
> +    lksctp-tools-devel \
> +    attr \
> +    libbpf-devel \
> +    keyutils-libs-devel \
> +    kernel-devel \
> +    quota \
> +    xfsprogs-devel \
> +    libuuid-devel \
> +    kernel-devel-$(uname -r) \
> +    kernel-modules-$(uname -r)
> +
> +#
> +# Move to selinux code and build
> +#
> +cd ~/selinux
> +
> +# Show HEAD commit for sanity checking
> +git log -1
> +
> +#
> +# Build and replace userspace components
> +#
> +# Note: You can't use parallel builds here (make -jX), you'll end up
> +# with race conditions that manifest like:
> +# semanage_store.lo: file not recognized: file format not recognized
> +#
> +make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
> +
> +#
> +# Get the selinux testsuite, but don't clone it in ~/selinux, move to ~
> +# first.
> +#
> +cd ~
> +git clone --depth=1 https://github.com/SELinuxProject/selinux-testsuite.git
> +cd selinux-testsuite
> +
> +#
> +# Run the test suite
> +#
> +make test
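Review bot: `gcc` is listed twice in the dnf package list (once after `flex`, once after `selinux-policy-devel`), and `kernel-devel` is requested both unversioned and as `kernel-devel-$(uname -r)`; the unversioned name can resolve to a newer kernel-devel than the running kernel, which is not what the testsuite's module build needs, so drop the unversioned entry and the duplicate `gcc`. Separately, `git clone --depth=1 https://github.com/SELinuxProject/selinux-testsuite.git` with no ref means every run tests against whatever the testsuite's default branch head happens to be, so an upstream testsuite change can break this job independently of the userspace change under test; pin a known commit or tag, or at minimum add a `git log -1` for the testsuite next to the one already printed for the userspace tree so failures can be correlated.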
> diff --git a/scripts/ci/travis-kvm-setup.sh b/scripts/ci/travis-kvm-setup.sh
> new file mode 100755
> index 000000000000..19287fd21642
> --- /dev/null
> +++ b/scripts/ci/travis-kvm-setup.sh
> @@ -0,0 +1,113 @@
> +#!/usr/bin/env bash

...

> +#
> +# Great we have a host running, ssh into it. We specify -o so
> +# we don't get blocked on asking to add the servers key to
> +# our known_hosts.
> +#
> +ssh -o StrictHostKeyChecking=no "root@$ipaddy" "/root/selinux/$TEST_RUNNER"
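Review bot: `StrictHostKeyChecking=no` still reads and writes the worker's `~/.ssh/known_hosts`, so a guest recreated at the same address with a new host key produces a host-key-changed warning and a connection that proceeds only with restrictions; for an ephemeral guest pair it with `-o UserKnownHostsFile=/dev/null`. The script comment should also say that with these options nothing authenticates the guest, which is acceptable here only because it is a freshly launched local KVM on the CI host.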

Depending on the tests, you'll get better output in the logs if you
add "-tt" to the SSH command line.  You may also want to add "-o
LogLevel=QUIET" too.

> +
> +exit 0

Did you want to return the return value from SSH/$TEST_RUNNER?

-- 
paul moore
www.paul-moore.com
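To make the ssh suggestions above concrete, here is an added example of a wrapper for the "ssh into the guest and run the runner" step. It is not part of the patch or of Paul's reply; the function names `run_in_vm` and `expect_enforcing`, the `SSH_BIN` and `RUN_VM_TESTS` variables, and the example guest address are assumptions made for illustration, while the guest path is the one used in the patch. It uses `-tt` and `LogLevel=QUIET`, returns the remote exit status instead of a hard-coded `exit 0`, switches the guest to enforcing right before the suite, and handles one consequence of `-tt` that is easy to miss: the pty turns `\n` into `\r\n`, so any output captured for comparison must have the CR stripped.

```bash
#!/usr/bin/env bash
# Added example, not part of the patch under review: a wrapper for the
# "ssh into the guest and run the test runner" step.  run_in_vm,
# expect_enforcing, SSH_BIN and RUN_VM_TESTS are illustrative names;
# /root/selinux/fedora-test-runner.sh is the guest path from the patch.
set -eu

# Command used to reach the guest.  It is a variable only so the wrapper
# can be exercised with a stub instead of a real VM.
SSH_BIN="${SSH_BIN:-ssh}"

# run_in_vm GUEST_IP CMD...
# -tt forces a remote pty, so the test harness output reaches the CI log
# as it is produced instead of being block-buffered; LogLevel=QUIET drops
# the "Permanently added ... to known hosts" noise.
# UserKnownHostsFile=/dev/null keeps a recreated guest that reuses an IP
# from tripping a host-key-changed warning on the CI worker.  Nothing
# authenticates the guest here, which is tolerable only because it is a
# freshly launched local KVM.  The exit status is the remote command's.
run_in_vm() {
    local guest="$1"
    shift
    "$SSH_BIN" -tt \
        -o StrictHostKeyChecking=no \
        -o UserKnownHostsFile=/dev/null \
        -o LogLevel=QUIET \
        "root@$guest" "$@"
}

# expect_enforcing MODE_OUTPUT
# Succeeds only if captured getenforce output is "Enforcing".  With -tt
# the pty converts "\n" to "\r\n", so strip the CR before comparing.
expect_enforcing() {
    local mode
    mode=$(printf '%s' "$1" | tr -d '\r\n')
    [ "$mode" = "Enforcing" ]
}

# Usage: RUN_VM_TESTS=1 ./run-guest-tests.sh <guest-ip>
# Setup may have left the guest permissive; switch to enforcing right
# before the suite, confirm it, then run the runner.  With set -e the
# script's own exit status is the runner's, so no trailing "exit 0".
if [ "${RUN_VM_TESTS:-0}" = 1 ]; then
    expect_enforcing "$(run_in_vm "$1" 'setenforce 1 && getenforce')"
    run_in_vm "$1" /root/selinux/fedora-test-runner.sh
fi
```

Because `SSH_BIN` is resolved at call time, the wrapper can be checked on the CI host itself by pointing it at a stub function that records its arguments and returns a chosen status, which is also how the exit-status propagation is verified.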


