On Fri, Aug 7, 2020 at 3:42 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
> On Fri, Aug 7, 2020 at 9:27 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > This patch removes the old hackery to test-build the testsuite and
> > replaces it with scripts that run the full testsuite on a Fedora VM. The
> > scripts are based on William Roberts' work on SELinux userspace CI [1],
> > which does a similar thing.
> >
> > The CI currently uses a F32 VM image which comes with a 5.6.6 kernel.
> > Eventually we might want to run on a more recent kernel/userspace, but
> > even this is already a big improvement over the old CI approach.
> >
> > One downside is that with this patch we lose the test build against
> > refpolicy, but it shouldn't be too hard to add testing on a Debian VM
> > with refpolicy later on.
> >
> > [1] https://github.com/SELinuxProject/selinux/commit/562d6d15272420542bf65da328bc5300219fce76
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
>
> Sounds good to me. Only question I have is whether it would be
> possible to use a Fedora rawhide VM instead of a fixed version like
> 32?
> I understand that may have some stability issues but it would get us
> more recent kernel, userspace, and policy for testing.

I just posted a v2, which runs the testsuite on both:
https://lore.kernel.org/selinux/20200811084555.105374-1-omosnace@xxxxxxxxxx/T/

> On the Debian side, I'd recommend Debian unstable which despite the
> name is more stable I think than rawhide and is what I've used for
> getting the testsuite up and running on Debian. That exercises more
> of the tests than even Fedora rawhide does currently due to defining
> more classes/permissions.

Yes, it would definitely improve coverage, but I'd rather pass that
baton to someone else at this point.

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.