#5 Add decentralized SELinux policy test
Merged 3 years ago by orion. Opened 3 years ago by vmojzis.
rpms/ vmojzis/zabbix DSP_test  into  master

file added
+37
@@ -0,0 +1,37 @@ 

+ - hosts: localhost

+ 

+   roles:

+   - role: standard-test-beakerlib

+     tags:

+     - classic

+     repositories:

+       - repo: https://pagure.io/DSP_test.git

+         dest: DSP_test

+         version: master

+ 

+     tests:

+     - DSP_test

+     environment:

+       # RPM package containing the policy module

+       TEST_RPM: zabbix-selinux

+       # policy module name

+       TEST_POLICY: zabbix

+       # policy sources will be extracted from corresponding .src.rpm

+       # policy tar filename regexp (e.g. "usbguard-selinux*.tar.gz") 

+       # or empty string if policy sources are not inside a tar archive

+       POLICY_TAR: ''

+       # path to policy sources (in of the tar archive) -- <POLICY_TAR>/<POLICY_PATH>/<TEST_POLICY>.(te|if|fc)

+       # or path in the src.rpm if there is no tar archive -- <src.rpm>/<POLICY_PATH>/<TEST_POLICY>.(te|if|fc)

+       # can contain wildcards (e.g. for versions etc.)

+       POLICY_PATH: .

+ 

+     required_packages:

+     - policycoreutils

+     - selinux-policy

+     - selinux-policy-targeted

+     - setools-console

+     - libselinux-utils

+     - rpm

+     - tar

+     - git

+     - zabbix-selinux
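Review bot: `version: master` in the `repositories` entry fetches the DSP_test suite from a moving branch, so the test code that runs on the CI host can change between runs without any change in this repo; pinning `version:` to a commit id (`version: <DSP_test commit id>`) keeps a run reproducible and turns an upstream change in the test into a visible diff here. The `POLICY_TAR` comment calls the value a regexp, but the example `usbguard-selinux*.tar.gz` reads like a shell glob — confirm which form DSP_test actually matches and name it in the comment. The comment above `POLICY_PATH` has a typo: `# path to policy sources (in of the tar archive)` should read `# path to policy sources (inside the tar archive)`. The `# policy tar filename regexp ...` comment line also carries trailing whitespace.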

file modified
+5 -6
@@ -72,8 +72,8 @@ 

  # zabbix domain local policy

  #

  

- allow zabbix_domain self:capability { setuid setgid };

- allow zabbix_domain self:process { setpgid setsched getsched signal_perms };

+ allow zabbix_domain self:capability { setgid setuid };

+ allow zabbix_domain self:process { getsched setpgid setsched signal_perms };

  allow zabbix_domain self:fifo_file rw_fifo_file_perms;

  allow zabbix_domain self:sem create_sem_perms;

  allow zabbix_domain self:shm create_shm_perms;
@@ -157,7 +157,7 @@ 

  ')

  

  tunable_policy(`zabbix_run_sudo',`

-     allow zabbix_t self:capability { setuid setgid sys_resource };

+     allow zabbix_t self:capability { setgid setuid sys_resource };

      allow zabbix_t self:process { setrlimit setsched };

      allow zabbix_t self:key write;

      allow zabbix_t self:passwd { passwd rootok };
@@ -285,7 +285,7 @@ 

  zabbix_script_domtrans(zabbix_agent_t)

  

  tunable_policy(`zabbix_run_sudo',`

-     allow zabbix_agent_t self:capability { setuid setgid sys_resource };

+     allow zabbix_agent_t self:capability { setgid setuid sys_resource };

      allow zabbix_agent_t self:process { setrlimit setsched };

      allow zabbix_agent_t self:key write;

      allow zabbix_agent_t self:passwd { passwd rootok };
@@ -324,8 +324,7 @@ 

  

  domtrans_pattern(zabbix_t, zabbix_script_exec_t, zabbix_script_t)

  

- allow zabbix_t zabbix_script_exec_t:dir search_dir_perms;

- allow zabbix_t zabbix_script_exec_t:dir read_file_perms;

+ allow zabbix_t zabbix_script_exec_t:dir list_dir_perms;

  allow zabbix_t zabbix_script_exec_t:file ioctl;

  allow zabbix_t zabbix_script_t:process signal;

  
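Review bot: The merged rule `allow zabbix_t zabbix_script_exec_t:dir list_dir_perms;` in the last hunk replaces two rules, one of which applied the file-oriented set read_file_perms to the dir class; as far as I can tell from refpolicy's permission-set macros, list_dir_perms is { getattr search open read lock ioctl }, the union of search_dir_perms and read_file_perms, so no permission is added or dropped — confirm against the selinux-policy version this package builds against. Since that equivalence is what makes the consolidation safe to merge, consider recording it above the rule, e.g. `# list_dir_perms covers the former search_dir_perms + read_file_perms on this dir`. The other hunks in this file only reorder permissions alphabetically and need no comment. The enclosing policy block continues outside the hunk.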

no initial comment

1 new commit added

  • Bump release to test the policy changes
3 years ago

The release bump is just for testing purposes.

This is now broken because the update needs a selinux-update which is not yet even in nightly images. We can solve that by including tag-repository as we do downstream

@vmojzis should be better finally :fireworks:

@vmojzis sorry selinux-policy src.rpm is not around in that "buildroot" repo :( you will need to find a workaround for that yourself (by using koji for example). Not sure how we could fix it on our side. That workaround will be needed only if selinux-policy is newer than in the compose

Image updated to 20201202 snapshot, where hopefully selinux-policy is around. Restarting.

3 new commits added

  • Bump release to test the policy changes
  • selinux: Fix issues reported by SELint
  • tests: Add decentralized SELinux policy test
3 years ago

rebased onto c467855

3 years ago

@orion
Thank you for the opportunity to properly test and tweak this test.

I just cleaned up the "bump release" commit. Could you please have a look (and maybe merge this)?

rebased onto 46909cd

3 years ago

Pull-Request has been merged by orion

3 years ago