data/selinux, tests/main/selinux-clean: fine tune the policy, make sure that no denials are raised #6661
@@ -0,0 +1,56 @@ | ||
summary: Check that basic snap management does not raise any SELinux denials | ||
|
||
description: | | ||
On systems where SELinux is supported, make sure that starting snapd and | ||
performing basic install/remove tasks does not cause SELinux denials. Even | ||
though we do not support SELinux for enforcing confinement of snaps, we do | ||
not want to cause unnecessary warnings when users are performing basic | ||
management tasks on snaps. | ||
|
||
systems: [fedora-*, centos-*] | ||
prepare: | | ||
#shellcheck source=tests/lib/pkgdb.sh | ||
. "$TESTSLIB"/pkgdb.sh | ||
|
||
# Install some fonts so that the fc-cache helpers have something to work with | ||
distro_install_package fontconfig dejavu-sans-fonts | ||
|
||
getenforce > enforcing.mode | ||
|
||
# Enable enforcing mode, our policy is already marked as permissive, so we | ||
# will get audit entries but the program will not be stopped by SELinux | ||
setenforce 1 | ||
ausearch --checkpoint stamp -m AVC || true | ||
|
||
restore: | | ||
setenforce "$(cat enforcing.mode)" | ||
rm -f stamp enforcing.mode | ||
|
||
execute: | | ||
snap install test-snapd-tools | ||
test-snapd-tools.cmd echo 'hello world' | ||
su -c 'test-snapd-tools.cmd echo hello world' test | ||
snap remove test-snapd-tools | ||
ausearch --checkpoint stamp --start checkpoint -m AVC 2>&1 | MATCH 'no matches' | ||
|
||
#shellcheck source=tests/lib/snaps.sh | ||
. "$TESTSLIB/snaps.sh" | ||
|
||
install_local test-snapd-service | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can we also test There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Added There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks! |
||
snap stop test-snapd-service | ||
snap start test-snapd-service | ||
# TODO: enable once there is a workaround for denials caused by journalctl | ||
# snap logs test-snapd-service | ||
snap remove test-snapd-service | ||
ausearch --checkpoint stamp --start checkpoint -m AVC 2>&1 | MATCH 'no matches' | ||
|
||
install_local test-snapd-layout | ||
test-snapd-layout.sh -c 'ls /' | ||
su -c "test-snapd-layout.sh -c 'ls /'" test | ||
snap remove test-snapd-layout | ||
ausearch --checkpoint stamp --start checkpoint -m AVC 2>&1 | MATCH 'no matches' | ||
|
||
install_local socket-activation | ||
[ -S /var/snap/socket-activation/common/socket ] | ||
snap remove socket-activation | ||
ausearch --checkpoint stamp --start checkpoint -m AVC 2>&1 | MATCH 'no matches' |
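Review bot: the four 'ausearch ... -m AVC' checks in the execute block only catch kernel AVC records, so denials decided by userspace object managers (systemd and dbus log them as USER_AVC) and policy or labeling errors (SELINUX_ERR) would slip through; since the execute block starts and stops snap services and installs a socket-activated one, both of which go through systemd, consider '-m AVC,USER_AVC,SELINUX_ERR' on the prepare checkpoint line and on each execute check so the checkpoint covers the same record types. Separately, 'getenforce > enforcing.mode' can record 'Disabled', in which case 'setenforce 1' in prepare and 'setenforce "$(cat enforcing.mode)"' in restore both fail; either skip the test when getenforce reports Disabled or only run setenforce for the Enforcing/Permissive values.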
Should we also have systemd_start_all_services?
From inspecting the policy, this is likely covered by systemd_config_all_services(). This is what sesearch tells me: