On Tue, Aug 11, 2020 at 4:59 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> On Fri, Aug 7, 2020 at 3:42 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> > On Fri, Aug 7, 2020 at 9:27 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > >
> > > This patch removes the old hackery to test-build the testsuite and
> > > replaces it with scripts that run the full testsuite on a Fedora VM. The
> > > scripts are based on William Roberts' work on SELinux userspace CI [1],
> > > which does a similar thing.
> > >
> > > The CI currently uses a F32 VM image which comes with a 5.6.6 kernel.
> > > Eventually we might want to run on a more recent kernel/userspace, but
> > > even this is already a big improvement over the old CI approach.
> > >
> > > One downside is that with this patch we lose the test build against
> > > refpolicy, but it shouldn't be too hard to add testing on a Debian VM
> > > with refpolicy later on.
> > >
> > > [1] https://github.com/SELinuxProject/selinux/commit/562d6d15272420542bf65da328bc5300219fce76
> > >
> > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> >
> > Sounds good to me. Only question I have is whether it would be
> > possible to use a Fedora rawhide VM instead of a fixed version like
> > 32?
> > I understand that may have some stability issues but it would get us
> > more recent kernel, userspace, and policy for testing.
>
> I just posted a v2, which runs the testsuite on both:
> https://lore.kernel.org/selinux/20200811084555.105374-1-omosnace@xxxxxxxxxx/T/

Thank you. While Fedora, and RH, likely care most about the latest
stable Fedora release, the Rawhide results are the most interesting
from an upstream perspective.

> > On the Debian side, I'd recommend Debian unstable which despite the
> > name is more stable I think than rawhide and is what I've used for
> > getting the testsuite up and running on Debian. That exercises more
> > of the tests than even Fedora rawhide does currently due to defining
> > more classes/permissions.
>
> Yes, it would definitely improve coverage, but I'd rather pass that
> baton to someone else at this point.

I've mentioned this before and I feel like this is a good time to
stress this point again - I think it is very important to work on
becoming less Fedora/RH centric. I recognize that this might be a bit
of a learning curve for most of us as we try to get up to speed with
different distros and packaging formats (the latter is a pain point
I'm currently working through with Debian's dpkg), but I think this is
an important part of helping to increase SELinux adoption.

--
paul moore
www.paul-moore.com