Re: [PATCH testsuite 24/24] ci: add sysadm_t to the test matrix

On Sat, Jul 30, 2022 at 10:13 PM Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
> On 29.7.2022 15.02, Ondrej Mosnacek wrote:
> > The testsuite should now be passing under the sysadm user as well, so
> > test it.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > ---
> >   .github/workflows/checks.yml |  4 +++-
> >   Vagrantfile                  | 16 ++++++++++++++++
> >   2 files changed, 19 insertions(+), 1 deletion(-)
> >
> > diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
> > index 96843e4..37455ea 100644
> > --- a/.github/workflows/checks.yml
> > +++ b/.github/workflows/checks.yml
> > @@ -15,6 +15,7 @@ jobs:
> >       strategy:
> >         fail-fast: false
> >         matrix:
> > +        domain: [unconfined_t, sysadm_t]
> >           env:
> >             - { version: 35, kernel: default }
> >             - { version: 36, kernel: default }
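Review bot: the new `domain` list sits next to `env` inside `matrix`, so every Fedora version/kernel combination now runs once per domain and the job count doubles; that is presumably the intent, but a one-line comment above `domain:` saying these are the SELinux domains the test user logs in under would help readers who have not seen the Vagrantfile side of the wiring.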
> > @@ -22,6 +23,7 @@ jobs:
> >       env:
> >         FEDORA_VERSION: ${{ matrix.env.version }}
> >         KERNEL_TYPE: ${{ matrix.env.kernel }}
> > +      ROOT_DOMAIN: ${{ matrix.domain }}
> >       steps:
> >         - uses: actions/checkout@v2
> >         # macOS sometimes allows symlinks to have permissions other than 777,
> > @@ -39,6 +41,6 @@ jobs:
> >         - name: Run SELinux testsuite
> >           run: vagrant ssh -- sudo make -C /root/testsuite test
> >         - name: Check unwanted denials
> > -        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep unconfined_t'
> > +        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep ${{ matrix.domain }}'
> >         - name: Check .gitignore coverage
> >           run: test "$(vagrant ssh -- sudo git -C /root/testsuite ls-files -o --exclude-standard | wc -l)" -eq 0
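Review bot: `grep ${{ matrix.domain }}` is a plain substring match over the whole interpreted ausearch output, so it also fires on denials where the domain only appears as the target context, and on any longer type name that happens to contain the string; if the intent is "no denials originating from the test domain", consider `grep -w` (the `:` separators in a context string count as word boundaries) or matching on the source context field. The expression is substituted by the workflow before the shell sees the single-quoted command, which is fine for these two fixed identifiers but would break if a value ever contained a quote.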
> > diff --git a/Vagrantfile b/Vagrantfile
> > index 783df5d..ec3a492 100644
> > --- a/Vagrantfile
> > +++ b/Vagrantfile
> > @@ -51,6 +51,21 @@ Vagrant.configure("2") do |config|
> >       abort
> >     end
> >
> > +  extra_commands = ''
> > +  case ENV['ROOT_DOMAIN']
> > +  when 'unconfined_t'
> > +  when 'sysadm_t'
> > +    extra_commands = <<EOF
> > +      semanage boolean --modify --on ssh_sysadm_login
> > +      semanage login --modify -s sysadm_u root
> > +      semanage login --add -s sysadm_u -r s0-s0:c0.c1023 vagrant
> > +EOF
> > +    reboot_cmd = 'reboot'
>
> Is this line needed?

Indeed it's not. I used an existing script for setting up MLS policy
on a host as inspiration when writing this and didn't think twice
about whether I also need to preserve the reboot part :) I'll remove
it.

Thanks for the suggestion!

>
> -Topi
>
> > +  else
> > +    print("Invalid ROOT_DOMAIN '#{ENV['ROOT_DOMAIN']}'")
> > +    abort
> > +  end
> > +
> >     config.vm.provision :shell, inline: <<SCRIPT
> >       dnf install -y #{dnf_opts} \
> >         --allowerasing \
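Review bot: `case ENV['ROOT_DOMAIN']` treats an unset variable as invalid, so a plain `vagrant up` with no ROOT_DOMAIN in the environment now aborts with `Invalid ROOT_DOMAIN ''` where it used to just work; `case ENV.fetch('ROOT_DOMAIN', 'unconfined_t')` would keep the old behaviour as the default outside CI. Agreed with the point above that `reboot_cmd = 'reboot'` should go: `#{reboot_cmd}` is interpolated unconditionally at the end of the provisioning script, so this assignment would force a reboot for sysadm_t regardless of whatever sets it elsewhere in the Vagrantfile, and the `semanage login` changes take effect on the next login anyway, which the later `vagrant ssh` steps provide. Minor style point: the `<<EOF` heredoc keeps the leading spaces of its lines, which is harmless inside the shell script, but `<<~EOF` would strip them.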
> > @@ -79,6 +94,7 @@ Vagrant.configure("2") do |config|
> >         jfsutils \
> >         dosfstools \
> >         #{kernel_pkgs}
> > +    #{extra_commands}
> >       #{reboot_cmd}
> >   SCRIPT
> >   end
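Review bot: `#{extra_commands}` lands right after the `#{kernel_pkgs}` line, which carries no trailing backslash, so the semanage commands run as separate statements after the `dnf install` rather than being glued onto its argument list; that ordering is required because `semanage` is provided by policycoreutils-python-utils on Fedora, and it is worth confirming that package is in the install list above, since this hunk does not show it. For unconfined_t the empty `extra_commands` just leaves a blank line in the script, which is harmless.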
>

-- 
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
