PR#46: tests: Add decentralized SELinux policy test - rpms/cockpit

rpms / cockpit

#46 tests: Add decentralized SELinux policy test

Opened 2 years ago by vmojzis. Modified 2 years ago

rpms/ vmojzis/cockpit selinux into rawhide

tests: Add decentralized SELinux policy test

Vit Mojzis • 2 years ago

6a53350

tests/tests-DSP.yml

file added

+37

		`@@ -0,0 +1,37 @@`
		`+ - hosts: localhost`
		`+`
		`+ roles:`
		`+ - role: standard-test-beakerlib`
		`+ tags:`
		`+ - classic`
		`+ repositories:`
		`+ - repo: https://pagure.io/DSP_test.git`
		`+ dest: DSP_test`
		`+ version: master`
		`+`
		`+ tests:`
		`+ - DSP_test`
		`+ environment:`
		`+ # RPM package containing the policy module`
		`+ TEST_RPM: cockpit-selinux`
		`+ # policy module name`
		`+ TEST_POLICY: cockpit`
		`+ # policy sources will be extracted from corresponding .src.rpm`
		`+ # policy tar filename regexp (e.g. "usbguard-selinux*.tar.gz")`
		`+ # or empty string if policy sources are not inside a tar archive`
		`+ POLICY_TAR: 'cockpit-*.tar.xz'`
		`+ # path to policy sources (in of the tar archive) -- <POLICY_TAR>/<POLICY_PATH>/<TEST_POLICY>.(te\|if\|fc)`
		`+ # or path in the src.rpm if there is no tar archive -- <src.rpm>/<POLICY_PATH>/<TEST_POLICY>.(te\|if\|fc)`
		`+ # can contain wildcards (e.g. for versions etc.)`
		`+ POLICY_PATH: 'cockpit-*/selinux'`
		`+`
		`+ required_packages:`
		`+ - policycoreutils`
		`+ - selinux-policy`
		`+ - selinux-policy-targeted`
		`+ - setools-console`
		`+ - libselinux-utils`
		`+ - rpm`
		`+ - tar`
		`+ - git`
		`+ - cockpit-selinux`

vmojzis commented 2 years ago

Test for unsound/dangerous SELinux policy practices
Perform static policy code check using SELint

For more details and debugging tips see
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Testing

Signed-off-by: Vit Mojzis vmojzis@redhat.com

vmojzis commented 2 years ago

Depends on https://github.com/cockpit-project/cockpit/pull/15918 (the patch needs to be merged and included in a build in order for this test to succeed).

zuul commented 2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

check-for-arches : SUCCESS in 1m 06s
rpm-scratch-build : SUCCESS in 8m 05s
rpm-scratch-build-s390x : SUCCESS in 9m 19s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 9m 22s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 9m 05s (non-voting)
rpm-scratch-build-armv7hl : SUCCESS in 15m 03s (non-voting)
rpm-scratch-build-aarch64 : SUCCESS in 12m 56s (non-voting)
rpm-linter : FAILURE in 4m 25s
rpm-rpminspect : FAILURE in 22m 11s (non-voting)
check-for-tests : SUCCESS in 37s
rpm-install-test : SUCCESS in 4m 32s
rpm-test : SKIPPED

martinpitt commented 2 years ago

Thanks Vit for the suggestion! Great to see that there is a policy validation tool. I just won't want to land it in its current form, because:

This check really belongs into upstream CI -- that's where we break and fix the policy. Running it only on package upload is too late and annoying.
We moved away from Ansible dist-git tests towards FMF, so that we can run the exact same test both upstream and in downstream gating.
The current test fail output is rather unfriendly -- it tells you "you are wrong", but not what exactly.
I really don't want to introduce beakerlib. We already have enough test frameworks, and it's a rather weak one.

So what I'd rather have is to add this to https://github.com/cockpit-project/cockpit/tree/master/test/ , i.e. add a selinux.fmf similar to the already existing verify.fmf. Then this will run upstream in packit and downstream in gating. Then the test script does not need to unpack anything, it has access to the policy sources right away. It can also be run in a mode where it fails in an useful way.

Are you interested in this? If not, I'll add it to our TODO list.

Cheers!