Re: [PATCH testsuite 24/24] ci: add sysadm_t to the test matrix


 



On 29.7.2022 15.02, Ondrej Mosnacek wrote:
The testsuite should now be passing under the sysadm user as well, so
test it.

Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
---
  .github/workflows/checks.yml |  4 +++-
  Vagrantfile                  | 16 ++++++++++++++++
  2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 96843e4..37455ea 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -15,6 +15,7 @@ jobs:
      strategy:
        fail-fast: false
        matrix:
+        domain: [unconfined_t, sysadm_t]
          env:
            - { version: 35, kernel: default }
            - { version: 36, kernel: default }
@@ -22,6 +23,7 @@ jobs:
      env:
        FEDORA_VERSION: ${{ matrix.env.version }}
        KERNEL_TYPE: ${{ matrix.env.kernel }}
+      ROOT_DOMAIN: ${{ matrix.domain }}
      steps:
        - uses: actions/checkout@v2
        # macOS sometimes allows symlinks to have permissions other than 777,
@@ -39,6 +41,6 @@ jobs:
        - name: Run SELinux testsuite
          run: vagrant ssh -- sudo make -C /root/testsuite test
        - name: Check unwanted denials
-        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep unconfined_t'
+        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep ${{ matrix.domain }}'
        - name: Check .gitignore coverage
          run: test "$(vagrant ssh -- sudo git -C /root/testsuite ls-files -o --exclude-standard | wc -l)" -eq 0
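
Review bot: In the "Check unwanted denials" step, grep ${{ matrix.domain }} is an unanchored substring match, so for sysadm_t it also hits any longer type name that begins with the same characters (a name of the form sysadm_tmp_t in a tcontext, for example) and can fail the job on a denial that does not involve the root domain. Matching the whole type field, e.g. with grep -w or a pattern such as ':sysadm_t:', would keep the check on the domain under test. Note also that the negated pipeline reflects only grep's exit status, so a failing ausearch reads the same as "no denials".
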
diff --git a/Vagrantfile b/Vagrantfile
index 783df5d..ec3a492 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -51,6 +51,21 @@ Vagrant.configure("2") do |config|
      abort
    end
+ extra_commands = ''
+  case ENV['ROOT_DOMAIN']
+  when 'unconfined_t'
+  when 'sysadm_t'
+    extra_commands = <<EOF
+      semanage boolean --modify --on ssh_sysadm_login
+      semanage login --modify -s sysadm_u root
+      semanage login --add -s sysadm_u -r s0-s0:c0.c1023 vagrant
+EOF
+    reboot_cmd = 'reboot'

Is this line needed?

-Topi

+  else
+    print("Invalid ROOT_DOMAIN '#{ENV['ROOT_DOMAIN']}'")
+    abort
+  end
+
    config.vm.provision :shell, inline: <<SCRIPT
      dnf install -y #{dnf_opts} \
        --allowerasing \
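
Review bot: The case on ENV['ROOT_DOMAIN'] has no branch for an unset variable, so unless it is defaulted earlier in the file, running vagrant without ROOT_DOMAIN exported falls into else and aborts with Invalid ROOT_DOMAIN ''. Reading it with a default, e.g. ENV.fetch('ROOT_DOMAIN', 'unconfined_t'), would keep local use working, and the empty when 'unconfined_t' branch deserves a comment saying it is intentionally a no-op. In the else branch, print writes to stdout with no trailing newline; passing the message to abort directly would send it to stderr and exit in one call.
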
@@ -79,6 +94,7 @@ Vagrant.configure("2") do |config|
        jfsutils \
        dosfstools \
        #{kernel_pkgs}
+    #{extra_commands}
      #{reboot_cmd}
  SCRIPT
  end
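
Review bot: #{extra_commands} is spliced into the provisioning script just before the reboot, and nothing visible here confirms that the three semanage calls succeeded. If one of them fails without stopping the script, the suite would run in a different domain than the matrix entry claims, and the CI grep for sysadm_t denials would then pass trivially. A check after the reboot that root's context (id -Z) contains the value of ROOT_DOMAIN would make that failure visible.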



