forked from snapcore/snapd
/
task.yaml
56 lines (45 loc) · 2.08 KB
/
task.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
summary: Check that basic snap management does not raise any SELinux denials
description: |
On systems where SELinux is supported, make sure that starting snapd and
performing basic install/remove tasks does not cause SELinux denials. Even
though we do not support SELinux for enforcing confinement of snaps, we do
not want to cause unnecessary warnings when users are performing basic
management tasks on snaps.
systems: [fedora-*, centos-*]
prepare: |
#shellcheck source=tests/lib/pkgdb.sh
. "$TESTSLIB"/pkgdb.sh
# Install some fonts so that the fc-cache helpers have something to work with
distro_install_package fontconfig dejavu-sans-fonts
getenforce > enforcing.mode
# Enable enforcing mode, our policy is already marked as permissive, so we
# will get audit entries but the program will not be stopped by SELinux
setenforce 1
ausearch --checkpoint stamp -m AVC || true
restore: |
setenforce "$(cat enforcing.mode)"
rm -f stamp enforcing.mode
execute: |
snap install test-snapd-tools
test-snapd-tools.cmd echo 'hello world'
su -c 'test-snapd-tools.cmd echo hello world' test
snap remove test-snapd-tools
ausearch --checkpoint stamp --start checkpoint -m AVC 2>&1 | MATCH 'no matches'
#shellcheck source=tests/lib/snaps.sh
. "$TESTSLIB/snaps.sh"
install_local test-snapd-service
snap stop test-snapd-service
snap start test-snapd-service
# TODO: enable once there is a workaround for denials caused by journalctl
# snap logs test-snapd-service
snap remove test-snapd-service
ausearch --checkpoint stamp --start checkpoint -m AVC 2>&1 | MATCH 'no matches'
install_local test-snapd-layout
test-snapd-layout.sh -c 'ls /'
su -c "test-snapd-layout.sh -c 'ls /'" test
snap remove test-snapd-layout
ausearch --checkpoint stamp --start checkpoint -m AVC 2>&1 | MATCH 'no matches'
install_local socket-activation
[ -S /var/snap/socket-activation/common/socket ]
snap remove socket-activation
ausearch --checkpoint stamp --start checkpoint -m AVC 2>&1 | MATCH 'no matches'