[PATCH testsuite 24/24] ci: add sysadm_t to the test matrix

The testsuite should now be passing under the sysadm user as well, so
test it.

Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
 .github/workflows/checks.yml |  4 +++-
 Vagrantfile                  | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 96843e4..37455ea 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -15,6 +15,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        domain: [unconfined_t, sysadm_t]
         env:
           - { version: 35, kernel: default }
           - { version: 36, kernel: default }
@@ -22,6 +23,7 @@ jobs:
     env:
       FEDORA_VERSION: ${{ matrix.env.version }}
       KERNEL_TYPE: ${{ matrix.env.kernel }}
+      ROOT_DOMAIN: ${{ matrix.domain }}
     steps:
       - uses: actions/checkout@v2
       # macOS sometimes allows symlinks to have permissions other than 777,
@@ -39,6 +41,6 @@ jobs:
       - name: Run SELinux testsuite
         run: vagrant ssh -- sudo make -C /root/testsuite test
       - name: Check unwanted denials
-        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep unconfined_t'
+        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep ${{ matrix.domain }}'
       - name: Check .gitignore coverage
         run: test "$(vagrant ssh -- sudo git -C /root/testsuite ls-files -o --exclude-standard | wc -l)" -eq 0
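
Review bot: In the "Check unwanted denials" step, the negated pipeline only reflects grep's result, so the step also passes when "sudo ausearch" prints nothing for some other reason, for example if it cannot read the audit log. Since the sysadm_t job maps root to sysadm_u in the Vagrantfile, please confirm that ausearch still returns records in that session, or add a check that distinguishes an ausearch error from an empty result. Note also that grep matches the domain name anywhere in the record, so a denial where the domain appears only as the target context fails the job as well; if only source-domain denials are meant, match on scontext.
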
diff --git a/Vagrantfile b/Vagrantfile
index 783df5d..ec3a492 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -51,6 +51,21 @@ Vagrant.configure("2") do |config|
     abort
   end
 
+  extra_commands = ''
+  case ENV['ROOT_DOMAIN']
+  when 'unconfined_t'
+  when 'sysadm_t'
+    extra_commands = <<EOF
+      semanage boolean --modify --on ssh_sysadm_login
+      semanage login --modify -s sysadm_u root
+      semanage login --add -s sysadm_u -r s0-s0:c0.c1023 vagrant
+EOF
+    reboot_cmd = 'reboot'
+  else
+    print("Invalid ROOT_DOMAIN '#{ENV['ROOT_DOMAIN']}'")
+    abort
+  end
+
   config.vm.provision :shell, inline: <<SCRIPT
     dnf install -y #{dnf_opts} \
       --allowerasing \
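
Review bot: The "case ENV['ROOT_DOMAIN']" block falls into the "else" branch and aborts when the variable is unset, so running "vagrant up" locally now requires ROOT_DOMAIN to be exported. Consider defaulting it, e.g. "case ENV.fetch('ROOT_DOMAIN', 'unconfined_t')", or documenting the new required variable. Smaller points: the empty "when 'unconfined_t'" branch and the forced "reboot_cmd = 'reboot'" in the sysadm_t branch each deserve a one-line comment explaining the intent, and the "print" message has no trailing newline before "abort".
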
@@ -79,6 +94,7 @@ Vagrant.configure("2") do |config|
       jfsutils \
       dosfstools \
       #{kernel_pkgs}
+    #{extra_commands}
     #{reboot_cmd}
 SCRIPT
 end
-- 
2.37.1



