
[testsuite,24/24] ci: add sysadm_t to the test matrix

Message ID 20220729120229.207584-25-omosnace@redhat.com
State Superseded
Delegated to: Ondrej Mosnáček
Series: Clean up testsuite policy and support running as sysadm_t

Commit Message

Ondrej Mosnacek July 29, 2022, 12:02 p.m. UTC
The testsuite should now be passing under the sysadm user as well, so
test it.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 .github/workflows/checks.yml |  4 +++-
 Vagrantfile                  | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

Comments

Topi Miettinen July 30, 2022, 8:13 p.m. UTC | #1
On 29.7.2022 15.02, Ondrej Mosnacek wrote:
> The testsuite should now be passing under the sysadm user as well, so
> test it.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   .github/workflows/checks.yml |  4 +++-
>   Vagrantfile                  | 16 ++++++++++++++++
>   2 files changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
> index 96843e4..37455ea 100644
> --- a/.github/workflows/checks.yml
> +++ b/.github/workflows/checks.yml
> @@ -15,6 +15,7 @@ jobs:
>       strategy:
>         fail-fast: false
>         matrix:
> +        domain: [unconfined_t, sysadm_t]
>           env:
>             - { version: 35, kernel: default }
>             - { version: 36, kernel: default }
> @@ -22,6 +23,7 @@ jobs:
>       env:
>         FEDORA_VERSION: ${{ matrix.env.version }}
>         KERNEL_TYPE: ${{ matrix.env.kernel }}
> +      ROOT_DOMAIN: ${{ matrix.domain }}
>       steps:
>         - uses: actions/checkout@v2
>         # macOS sometimes allows symlinks to have permissions other than 777,
> @@ -39,6 +41,6 @@ jobs:
>         - name: Run SELinux testsuite
>           run: vagrant ssh -- sudo make -C /root/testsuite test
>         - name: Check unwanted denials
> -        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep unconfined_t'
> +        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep ${{ matrix.domain }}'
>         - name: Check .gitignore coverage
>           run: test "$(vagrant ssh -- sudo git -C /root/testsuite ls-files -o --exclude-standard | wc -l)" -eq 0
> diff --git a/Vagrantfile b/Vagrantfile
> index 783df5d..ec3a492 100644
> --- a/Vagrantfile
> +++ b/Vagrantfile
> @@ -51,6 +51,21 @@ Vagrant.configure("2") do |config|
>       abort
>     end
>   
> +  extra_commands = ''
> +  case ENV['ROOT_DOMAIN']
> +  when 'unconfined_t'
> +  when 'sysadm_t'
> +    extra_commands = <<EOF
> +      semanage boolean --modify --on ssh_sysadm_login
> +      semanage login --modify -s sysadm_u root
> +      semanage login --add -s sysadm_u -r s0-s0:c0.c1023 vagrant
> +EOF
> +    reboot_cmd = 'reboot'

Is this line needed?

-Topi

> +  else
> +    print("Invalid ROOT_DOMAIN '#{ENV['ROOT_DOMAIN']}'")
> +    abort
> +  end
> +
>     config.vm.provision :shell, inline: <<SCRIPT
>       dnf install -y #{dnf_opts} \
>         --allowerasing \
> @@ -79,6 +94,7 @@ Vagrant.configure("2") do |config|
>         jfsutils \
>         dosfstools \
>         #{kernel_pkgs}
> +    #{extra_commands}
>       #{reboot_cmd}
>   SCRIPT
>   end
Ondrej Mosnacek Aug. 1, 2022, 7:57 a.m. UTC | #2
On Sat, Jul 30, 2022 at 10:13 PM Topi Miettinen <toiwoton@gmail.com> wrote:
> On 29.7.2022 15.02, Ondrej Mosnacek wrote:
> > The testsuite should now be passing under the sysadm user as well, so
> > test it.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >   .github/workflows/checks.yml |  4 +++-
> >   Vagrantfile                  | 16 ++++++++++++++++
> >   2 files changed, 19 insertions(+), 1 deletion(-)
> >
> > diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
> > index 96843e4..37455ea 100644
> > --- a/.github/workflows/checks.yml
> > +++ b/.github/workflows/checks.yml
> > @@ -15,6 +15,7 @@ jobs:
> >       strategy:
> >         fail-fast: false
> >         matrix:
> > +        domain: [unconfined_t, sysadm_t]
> >           env:
> >             - { version: 35, kernel: default }
> >             - { version: 36, kernel: default }
> > @@ -22,6 +23,7 @@ jobs:
> >       env:
> >         FEDORA_VERSION: ${{ matrix.env.version }}
> >         KERNEL_TYPE: ${{ matrix.env.kernel }}
> > +      ROOT_DOMAIN: ${{ matrix.domain }}
> >       steps:
> >         - uses: actions/checkout@v2
> >         # macOS sometimes allows symlinks to have permissions other than 777,
> > @@ -39,6 +41,6 @@ jobs:
> >         - name: Run SELinux testsuite
> >           run: vagrant ssh -- sudo make -C /root/testsuite test
> >         - name: Check unwanted denials
> > -        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep unconfined_t'
> > +        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep ${{ matrix.domain }}'
> >         - name: Check .gitignore coverage
> >           run: test "$(vagrant ssh -- sudo git -C /root/testsuite ls-files -o --exclude-standard | wc -l)" -eq 0
> > diff --git a/Vagrantfile b/Vagrantfile
> > index 783df5d..ec3a492 100644
> > --- a/Vagrantfile
> > +++ b/Vagrantfile
> > @@ -51,6 +51,21 @@ Vagrant.configure("2") do |config|
> >       abort
> >     end
> >
> > +  extra_commands = ''
> > +  case ENV['ROOT_DOMAIN']
> > +  when 'unconfined_t'
> > +  when 'sysadm_t'
> > +    extra_commands = <<EOF
> > +      semanage boolean --modify --on ssh_sysadm_login
> > +      semanage login --modify -s sysadm_u root
> > +      semanage login --add -s sysadm_u -r s0-s0:c0.c1023 vagrant
> > +EOF
> > +    reboot_cmd = 'reboot'
>
> Is this line needed?

Indeed it's not. I used an existing script for setting up MLS policy
on a host as inspiration when writing this and didn't think twice
about whether I also need to preserve the reboot part :) I'll remove
it.

Thanks for the suggestion!

>
> -Topi
>
> > +  else
> > +    print("Invalid ROOT_DOMAIN '#{ENV['ROOT_DOMAIN']}'")
> > +    abort
> > +  end
> > +
> >     config.vm.provision :shell, inline: <<SCRIPT
> >       dnf install -y #{dnf_opts} \
> >         --allowerasing \
> > @@ -79,6 +94,7 @@ Vagrant.configure("2") do |config|
> >         jfsutils \
> >         dosfstools \
> >         #{kernel_pkgs}
> > +    #{extra_commands}
> >       #{reboot_cmd}
> >   SCRIPT
> >   end
>

Patch

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 96843e4..37455ea 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -15,6 +15,7 @@  jobs:
     strategy:
       fail-fast: false
       matrix:
+        domain: [unconfined_t, sysadm_t]
         env:
           - { version: 35, kernel: default }
           - { version: 36, kernel: default }
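Review bot: the new `domain` axis is combined with every existing `env` entry, so the job count doubles (one unconfined_t and one sysadm_t run per Fedora version/kernel pair); that looks intended, but the commit message only says "test it" and could state that the matrix is now version × kernel × domain so the extra CI time is understood.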
@@ -22,6 +23,7 @@  jobs:
     env:
       FEDORA_VERSION: ${{ matrix.env.version }}
       KERNEL_TYPE: ${{ matrix.env.kernel }}
+      ROOT_DOMAIN: ${{ matrix.domain }}
     steps:
       - uses: actions/checkout@v2
       # macOS sometimes allows symlinks to have permissions other than 777,
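Review bot: `ROOT_DOMAIN` becomes a required input of the Vagrantfile (it is read by the new `case ENV['ROOT_DOMAIN']` below) but is documented nowhere; a comment next to this line naming the accepted values (`unconfined_t`, `sysadm_t`) and a README note for people running `vagrant up` by hand would save them a trip to the abort message.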
@@ -39,6 +41,6 @@  jobs:
       - name: Run SELinux testsuite
         run: vagrant ssh -- sudo make -C /root/testsuite test
       - name: Check unwanted denials
-        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep unconfined_t'
+        run: vagrant ssh -- '! sudo ausearch -m avc -i </dev/null | grep ${{ matrix.domain }}'
       - name: Check .gitignore coverage
         run: test "$(vagrant ssh -- sudo git -C /root/testsuite ls-files -o --exclude-standard | wc -l)" -eq 0
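Review bot: `grep ${{ matrix.domain }}` matches the domain name as a substring anywhere in the record, so a denial whose only occurrence of the string is inside a longer type name, or in the target context rather than the source domain, also fails the check (this was already true of the old `grep unconfined_t`); `grep -w` would at least require the whole type name, and anchoring on `scontext=` would restrict the check to denials raised by that domain. Substituting the expression into the single-quoted shell string is fine here because the value comes from the static matrix list in this file, not from an event payload.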
diff --git a/Vagrantfile b/Vagrantfile
index 783df5d..ec3a492 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -51,6 +51,21 @@  Vagrant.configure("2") do |config|
     abort
   end
 
+  extra_commands = ''
+  case ENV['ROOT_DOMAIN']
+  when 'unconfined_t'
+  when 'sysadm_t'
+    extra_commands = <<EOF
+      semanage boolean --modify --on ssh_sysadm_login
+      semanage login --modify -s sysadm_u root
+      semanage login --add -s sysadm_u -r s0-s0:c0.c1023 vagrant
+EOF
+    reboot_cmd = 'reboot'
+  else
+    print("Invalid ROOT_DOMAIN '#{ENV['ROOT_DOMAIN']}'")
+    abort
+  end
+
   config.vm.provision :shell, inline: <<SCRIPT
     dnf install -y #{dnf_opts} \
       --allowerasing \
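Review bot: `case ENV['ROOT_DOMAIN']` has no default, so a plain `vagrant up` with the variable unset falls through to `else` and aborts with an empty name in the message; `ENV.fetch('ROOT_DOMAIN', 'unconfined_t')` would keep today's behaviour for local runs. The `reboot_cmd = 'reboot'` in the `sysadm_t` branch overrides whatever the surrounding Vagrantfile already assigned to `reboot_cmd` for the provisioning script, and, as the author confirms in the thread, it is not needed since the `semanage login` mappings apply at the next login. Minor: `abort "Invalid ROOT_DOMAIN '#{ENV['ROOT_DOMAIN']}'"` would write the message to stderr with a newline, whereas `print` leaves it on stdout without one.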
@@ -79,6 +94,7 @@  Vagrant.configure("2") do |config|
       jfsutils \
       dosfstools \
       #{kernel_pkgs}
+    #{extra_commands}
     #{reboot_cmd}
 SCRIPT
 end
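Review bot: the `semanage` commands in `#{extra_commands}` are expanded into the same inline script as `dnf install`; unless that script runs under `set -e` (not visible in this hunk), a failure of one of them does not fail provisioning, the VM silently stays on unconfined_t, and the `grep sysadm_t` denial check in the workflow then passes trivially. Either make the script fail on error or add a workflow step that asserts the effective domain before running the suite, for example `vagrant ssh -- sudo id -Z | grep -q sysadm_t` (assuming that is the context the suite expects to see).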