diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 00000000..d00491fd
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 6794eb74..858273d7 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -1,5 +1,6 @@
 name: checks
 on: [push, pull_request]
+
 jobs:
   style-check:
     runs-on: ubuntu-latest
@@ -10,43 +11,19 @@ jobs:
       - uses: actions/checkout@v4
       - run: sudo chown $(id -u):$(id -g) .
       - run: tools/check-syntax -f && git diff --exit-code
-  fedora-test:
-    runs-on: macos-12
+  run:
+    runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         domain: [unconfined_t, sysadm_t]
-        env:
-          - { version: 38, kernel: default }
-          - { version: 39, kernel: default }
-          - { version: 39, kernel: secnext }
-    env:
-      FEDORA_VERSION: ${{ matrix.env.version }}
-      KERNEL_TYPE: ${{ matrix.env.kernel }}
-      ROOT_DOMAIN: ${{ matrix.domain }}
+        arch: [x86_64, aarch64]
+        kernel: [latest, secnext]
     steps:
-      - name: Install GNU coreutils
-        run: brew install coreutils
-      - uses: actions/checkout@v4
-      # macOS sometimes allows symlinks to have permissions other than 777,
-      # so change all symlink perms to match the Linux convention. Otherwise
-      # the rsync run by Vagrant will complain that it can't copy over the
-      # perms.
-      - name: Fix symlink permissions
-        run: find . -type link -exec chmod -h 777 \{\} \;
-      - name: Treat compiler warnings as errors
-        run: sed -i '' 's/-Wall/-Wall -Werror/' tests/Makefile
-      - name: Create a Vagrant VM
-        run: vagrant up
-      - name: Wait for the machine to come up if rebooting (max 5m)
-        run: gtimeout 5m "$SHELL" -c 'while ! vagrant ssh -- true; do sleep 1; done'
-      - name: Show Vagrant VM details
-        run: |
-          vagrant ssh -- uname -a
-          vagrant ssh -- cat /proc/cmdline
-      - name: Run SELinux testsuite
-        run: vagrant ssh -- sudo make -C /root/testsuite test
-      - name: Check unwanted denials
-        run: vagrant ssh -- '!
sudo ausearch -m avc -i ssh_workaround.cil
+    semodule -i ssh_workaround.cil
+    rm -f ssh_workaround.cil
+
+      case "$STS_ROOT_DOMAIN" in
+        unconfined_t|'')
+          ;;
+        sysadm_t)
+          semanage boolean --modify --on ssh_sysadm_login
+          semanage login --modify -s sysadm_u root
+
+          # Work around missing policy for sysadm_t
+          # https://github.com/fedora-selinux/selinux-policy/pull/2340
+          echo '(allow sysadm_t self (key_socket (create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown)))' >sysadm_workaround.cil
+          semodule -i sysadm_workaround.cil
+          rm -f sysadm_workaround.cil
+
+          reboot=1
+          ;;
+        *)
+          echo "Invalid STS_ROOT_DOMAIN value!"
+          exit 1
+          ;;
+      esac
+
+      case "$STS_KERNEL" in
+        default|'')
+          dnf install -y kernel-modules-$(uname -r) kernel-devel-$(uname -r)
+          ;;
+        latest)
+          dnf install -y kernel-modules kernel-devel
+          ;;
+        secnext)
+          dnf install -y --disablerepo testing-farm-tag-repository \
+            --nogpgcheck --releasever rawhide \
+            --repofrompath 'kernel-secnext,https://repo.paul-moore.com/rawhide/$basearch' \
+            kernel-modules kernel-devel
+          ;;
+        *)
+          echo "Invalid STS_KERNEL value!"
+          exit 1
+          ;;
+      esac
+
+      if [ "$(grubby --default-kernel)" != "/boot/vmlinuz-$(uname -r)" ]; then
+        reboot=1
+      fi
+
+      if [ "$reboot" -ne 0 ]; then
+        tmt-reboot
+      fi
+    fi
+
+    # reset the audit log
+    :>/var/log/audit.log
+    rm -f /var/log/audit.log.*
+/machine-info:
+  summary: Show machine info
+  order: 2
+  test: |
+    set -x
+
+    uname -r
+    id -Z
+    rpm -q libselinux
+    rpm -q selinux-policy
+    lscpu
+/run:
+  summary: Run the testsuite
+  order: 3
+  duration: 20m
+  require:
+    - make
+    - perl-Test
+    - perl-Test-Harness
+    - perl-Test-Simple
+    - perl-lib
+    - selinux-policy-devel
+    - gcc
+    - libselinux-devel
+    - net-tools
+    - netlabel_tools
+    - iptables
+    - nftables
+    - lksctp-tools-devel
+    - attr
+    - libbpf-devel
+    - keyutils-libs-devel
+    - quota
+    - xfsprogs-devel
+    - libuuid-devel
+    - e2fsprogs
+    - jfsutils
+    - dosfstools
+    - rdma-core-devel
+  test: make -C .. test
+/run-nfs:
+  summary: Run the NFS tests
+  order: 3
+  duration: 25m
+  require: nfs-utils
+  test: env -C .. bash -x ./tools/nfs.sh
+/avc-check:
+  summary: Check unwanted denials
+  order: 4
+  tag: [ci]
+  test: '! ausearch -m avc -i "$HOME/.config/git/ignore"
+
+    git -C .. ls-files -o --exclude-standard
+    test "$(git -C .. ls-files -o --exclude-standard | wc -l)" -eq 0
+/unprepare:
+  summary: Undo the preparation
+  order: 5
+  require: policycoreutils-python-utils
+  test: |
+    set -ex
+
+    make -C ../policy unload || true
+    if [ "$STS_ROOT_DOMAIN" = sysadm_t ]; then
+      semanage boolean --modify --off ssh_sysadm_login
+      semanage login --modify -s unconfined_u root
+      semodule -r sysadm_workaround
+    fi
+    semodule -r ssh_workaround