From fbfa187ea88bc922206f9c04a524d768e2c6cd3f Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Fri, 4 Aug 2023 11:11:23 +0200 Subject: [PATCH 1/5] ci: Move srpm/rpm build to packit Teach make-srpm.sh to support building a directory with the srpm ingredients (the unpacked directory) to become compatible with the packit workflow. This mostly obsoletes the need of doing custom COPR builds, so eventually .copr/ can be simplified. But keep the old functionality for the time being. Note that this way of building an srpm in packit is still rather unusual: the normal mode is to maintain the .spec and all auxiliary files in the upstream git; that then enables automatic Fedora releases, and makes it easier to keep the spec in sync. But one step after another.. Configure packit to automatically build srpm and rpms in the usual temporary COPRs. This makes it much easier to test PRs both by humans and future integration tests. There are no test plans yet, but already enable the TF run to at least cover package installation/upgrade. Run these on Rawhide and the current stable Fedora (38 right now). This entirely replaces the "build-rpm" workflow, so drop that. --- .copr/make-srpm.sh | 15 +++++++++++++-- .github/workflows/build.yml | 29 ----------------------------- packit.yaml | 21 +++++++++++++++++++++ 3 files changed, 34 insertions(+), 31 deletions(-) create mode 100644 packit.yaml diff --git a/.copr/make-srpm.sh b/.copr/make-srpm.sh index 85d7ce1526..3b5465247e 100755 --- a/.copr/make-srpm.sh +++ b/.copr/make-srpm.sh @@ -3,6 +3,12 @@ set -eux outdir="$1"; shift +mkdir -p "$outdir" + +# when this is specified, build a source directory and skip the rpmbuild step +if [ "${1:-}" = "srcdir" ]; then + srcdir=1 +fi rootdir="$(realpath -m "$0/../..")" 
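Review bot: `outdir` is stored exactly as given in `$1`, and the new packit action passes the relative path `tmp/rpm`; if the script changes directory anywhere between this assignment and the final `cp` (the body between the two hunks is not visible here), the output would land relative to the wrong directory. Resolving it once up front, `outdir="$(realpath -m "$1")"; shift` followed by the new `mkdir -p "$outdir"`, removes that dependence on the caller's cwd for both the COPR and the packit mode. The `srcdir` flag is also recognised without a `shift`, so any later code that reads `$1` would still see the word `srcdir`; either `shift` inside the `if` or add a comment stating that `srcdir` must be the last argument.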
@@ -45,6 +51,11 @@ cp "$expander_dir/macro-expander.sh" "$distgit_dir/macro-expander" sed -i "s/%global commit [^ ]*$/%global commit $base_head_id/; s/%{?dist}/.$base_date.$base_short_head_id%{?dist}/" "$distgit_dir/selinux-policy.spec" rm -f "$distgit_dir/sources" -rpmbuild --define "_topdir $rpmbuild_dir" -bs "$distgit_dir/selinux-policy.spec" -cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir" +if [ -n "${srcdir:-}" ]; then + cp -r "$distgit_dir"/* "$outdir" +else + # full rpmbuild for copr + rpmbuild --define "_topdir $rpmbuild_dir" -bs "$distgit_dir/selinux-policy.spec" + cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir" +fi diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 531f07b99b..ad11927538 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,32 +14,3 @@ jobs: - run: make -j $(nproc) policy - run: make -j $(nproc) validate - run: make -j $(nproc) container.pp - build-rpm: - runs-on: ubuntu-latest - container: - image: fedora:rawhide - options: --security-opt seccomp=unconfined - steps: - - run: dnf install --nogpgcheck -y make git-core rpm-build 'dnf-command(builddep)' - - uses: actions/checkout@v3 - # https://github.blog/2022-04-12-git-security-vulnerability-announced/ - - run: git config --global --add safe.directory "$PWD" - - run: make -C .copr srpm outdir="$PWD" - - name: Store the SRPM as an artifact - uses: actions/upload-artifact@v2 - with: - name: srpm - path: "*.src.rpm" - - run: | - if grep -q rawhide /etc/os-release; then - tag=rawhide - else - tag='f$releasever-build' - fi - dnf builddep --nogpgcheck --repofrompath "koji,https://kojipkgs.fedoraproject.org/repos/$tag/latest/\$arch/" -y *.src.rpm - - run: rpmbuild --define "_topdir $PWD/rpmbuild" -rb *.src.rpm - - name: Store binary RPMs as artifacts - uses: actions/upload-artifact@v2 - with: - name: rpms - path: rpmbuild/RPMS diff --git a/packit.yaml b/packit.yaml new file mode 100644 index 0000000000..55dc249219 --- /dev/null +++ b/packit.yaml 
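Review bot: In the new `srcdir` branch, `cp -r "$distgit_dir"/* "$outdir"` skips dot-files and copies into a directory that `mkdir -p` never empties, so a second run into the same `tmp/rpm` leaves stale tarballs and specs next to the fresh ones, and packit's `create-archive` then globs a directory that may hold more than one archive. Copying with `cp -r "$distgit_dir"/. "$outdir"` picks up everything, and a guard before the copy such as `[ -z "$(ls -A "$outdir")" ] || { echo "$outdir is not empty" >&2; exit 1; }` makes a reused output directory fail loudly instead of silently mixing builds. Whether `$distgit_dir` can contain dot-files is not visible in the hunk.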
@@ -0,0 +1,21 @@ +# See https://packit.dev/docs/configuration/ + +specfile_path: tmp/rpm/selinux-policy.spec + +actions: + post-upstream-clone: + - .copr/make-srpm.sh tmp/rpm srcdir + create-archive: sh -c 'ls tmp/rpm/selinux-policy*.tar.gz' + +jobs: + - job: copr_build + trigger: pull_request + targets: + - fedora-development + - fedora-latest-stable + + - job: tests + trigger: pull_request + targets: + - fedora-development + - fedora-latest-stable From 2b612c3e71df211344006e8677ff0d61b57028b8 Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Wed, 2 Aug 2023 13:46:59 +0200 Subject: [PATCH 2/5] ci: Run cockpit tests in PRs See https://cockpit-project.org/blog/tmt-cross-project-testing.html Drop the install-only tests, as TF only runs the default "install check" test if there are no plans, but now we have one. That will cover the installation/upgrade as preparation step. --- .fmf/version | 1 + packit.yaml | 10 ++++++++++ plans/cockpit.fmf | 30 ++++++++++++++++++++++++++++++ 3 files changed, 41 insertions(+) create mode 100644 .fmf/version create mode 100644 plans/cockpit.fmf diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000000..d00491fd7e --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/packit.yaml b/packit.yaml index 55dc249219..2884e6193f 100644 --- a/packit.yaml +++ b/packit.yaml @@ -14,8 +14,18 @@ jobs: - fedora-development - fedora-latest-stable + # run tests for packages which test SELinux policy well, see plans/ with `revdeps == yes` - job: tests + identifier: revdeps trigger: pull_request targets: - fedora-development - fedora-latest-stable + tf_extra_params: + environments: + - artifacts: + - type: repository-file + id: https://copr.fedorainfracloud.org/coprs/g/cockpit/main-builds/repo/fedora-$releasever/group_cockpit-main-builds-fedora-$releasever.repo + tmt: + context: + revdeps: "yes" diff --git a/plans/cockpit.fmf b/plans/cockpit.fmf new file mode 100644 index 0000000000..c716154b8a --- /dev/null 
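Review bot: `create-archive: sh -c 'ls tmp/rpm/selinux-policy*.tar.gz'` prints every match, so if `tmp/rpm` ever holds more than one tarball packit receives a multi-line answer, and if it holds none `ls` fails with a message about the literal glob rather than something actionable. A small guard such as `sh -c 'set -- tmp/rpm/selinux-policy*.tar.gz; [ $# -eq 1 ] && [ -f "$1" ] && echo "$1"'` pins this to exactly one existing archive. Note also that `post-upstream-clone` runs `.copr/make-srpm.sh` from the pull request's own checkout on a `pull_request` trigger, so the script is presumably contributor-controlled code executed by the packit service; a one-line comment above `actions:` stating that is worth having for whoever approves external PRs.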
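Review bot: The `repository-file` artifact installs packages from the external `@cockpit/main-builds` COPR into the Testing Farm machine and nothing pins which build is used, so a PR's test outcome can change between runs because of a new cockpit build rather than a policy change. That is a reasonable trade-off for a reverse-dependency job, but it should be stated next to the `id:` line, e.g. `# unpinned: installs the current cockpit main build; a failure here may originate in cockpit rather than this PR`. The `$releasever` in the URL is resolved on the target machine, so the repo file must exist for whatever version `fedora-development` maps to at run time — confirm the COPR publishes a rawhide repo.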
+++ b/plans/cockpit.fmf @@ -0,0 +1,30 @@ +# reverse dependency test for https://github.com/cockpit-project/cockpit +# if this fails in a non-obvious way, please contact the cockpit team in your PR for investigation: +# @martinpitt, @marusak, @jelly + +enabled: false +adjust+: + when: revdeps == yes + enabled: true + +discover: + how: fmf + url: https://github.com/cockpit-project/cockpit + ref: main +execute: + how: tmt + +/basic: + summary: Run tests for basic packages + discover+: + test: /test/browser/basic + +/network: + summary: Run tests for cockpit-networkmanager + discover+: + test: /test/browser/network + +/optional: + summary: Run tests for optional packages + discover+: + test: /test/browser/optional From d7293bb1c9464c0e4a81145742c354e2d7b43165 Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Thu, 3 Aug 2023 06:42:07 +0200 Subject: [PATCH 3/5] TEST: Break hostnamed policy --- policy/modules/system/systemd.te | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 00ad25169d..7fa4ad2487 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -741,7 +741,7 @@ optional_policy(` ') optional_policy(` - # we have /run/user/$USER/dconf + # we have /run/user/$USER/dconf gnome_delete_home_config(systemd_tmpfiles_t) gnome_delete_home_config_dirs(systemd_tmpfiles_t) gnome_setattr_home_config_dirs(systemd_tmpfiles_t) 
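Review bot: `discover` pulls the test definitions from `https://github.com/cockpit-project/cockpit` at the moving `ref: main`, so what actually executes in this project's PR CI is whatever cockpit's main branch contains at run time, which is not reviewable here. That is the intent for a reverse-dependency plan, but the header comment should say so explicitly, e.g. `# tests are discovered from cockpit's main branch at run time and are not pinned; results can change without any change in this repo`. The plan is disabled unless the tmt context carries `revdeps == yes`, so a line on how to run it by hand would help — presumably `tmt -c revdeps=yes run plan --name /plans/cockpit`, confirm the exact invocation.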
@@ -873,21 +873,21 @@ optional_policy(` # # Hostnamed policy # -allow systemd_hostnamed_t self:capability sys_admin; +# allow systemd_hostnamed_t self:capability sys_admin; dontaudit systemd_hostnamed_t self:capability sys_ptrace; allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms; allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms; allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms; -manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) -manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) -files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file) -init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file ) +# manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) +# manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) +# files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file) +# init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file ) -kernel_dgram_send(systemd_hostnamed_t) -kernel_read_xen_state(systemd_hostnamed_t) -kernel_read_sysctl(systemd_hostnamed_t) +# kernel_dgram_send(systemd_hostnamed_t) +# kernel_read_xen_state(systemd_hostnamed_t) +# kernel_read_sysctl(systemd_hostnamed_t) dev_write_kmsg(systemd_hostnamed_t) dev_read_sysfs(systemd_hostnamed_t) From 465ce330462f5b16e721c80474b2798809aaeae6 Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Thu, 3 Aug 2023 08:47:26 +0200 Subject: [PATCH 4/5] break more stuff --- policy/modules/system/getty.te | 48 +++++++++++++++---------------- policy/modules/system/hostname.te | 22 +++++++------- policy/modules/system/systemd.te | 18 ++++++------ 3 files changed, 44 insertions(+), 44 deletions(-) diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te index 03748d1e2b..3444fe0495 100644 --- a/policy/modules/system/getty.te +++ b/policy/modules/system/getty.te 
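Review bot: The hostnamed rules are commented out rather than removed, starting with `# allow systemd_hostnamed_t self:capability sys_admin;`, and the subject marks this as a TEST commit, so this hunk must not reach the merged series; commented-out policy is dead text that misleads anyone reading the module later. If the breakage is only meant to prove that the new packit/TF jobs catch a broken policy, drop the commit once the CI result is in, or keep the PR in draft until it is removed. Whether the hunk sits inside an enclosing `optional_policy` block is not visible here.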
@@ -44,27 +44,27 @@ ifdef(`enable_mls',` # # Use capabilities. -allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; -dontaudit getty_t self:capability sys_tty_config; -allow getty_t self:process { getpgid setpgid getsession signal_perms }; -allow getty_t self:fifo_file rw_fifo_file_perms; - -read_files_pattern(getty_t, getty_etc_t, getty_etc_t) -read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t) -files_etc_filetrans(getty_t, getty_etc_t,{ file dir }) - -allow getty_t getty_lock_t:file manage_file_perms; -files_lock_filetrans(getty_t, getty_lock_t, file) - -allow getty_t getty_log_t:file manage_file_perms; -logging_log_filetrans(getty_t, getty_log_t, file) - -allow getty_t getty_tmp_t:file manage_file_perms; -allow getty_t getty_tmp_t:dir manage_dir_perms; -files_tmp_filetrans(getty_t, getty_tmp_t, { file dir }) - -manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) -files_pid_filetrans(getty_t, getty_var_run_t, file) +#allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid }; +#dontaudit getty_t self:capability sys_tty_config; +#allow getty_t self:process { getpgid setpgid getsession signal_perms }; +#allow getty_t self:fifo_file rw_fifo_file_perms; +# +#read_files_pattern(getty_t, getty_etc_t, getty_etc_t) +#read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t) +#files_etc_filetrans(getty_t, getty_etc_t,{ file dir }) +# +#allow getty_t getty_lock_t:file manage_file_perms; +#files_lock_filetrans(getty_t, getty_lock_t, file) +# +#allow getty_t getty_log_t:file manage_file_perms; +#logging_log_filetrans(getty_t, getty_log_t, file) +# +#allow getty_t getty_tmp_t:file manage_file_perms; +#allow getty_t getty_tmp_t:dir manage_dir_perms; +#files_tmp_filetrans(getty_t, getty_tmp_t, { file dir }) +# +#manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t) +#files_pid_filetrans(getty_t, getty_var_run_t, file) 
kernel_read_system_state(getty_t) kernel_read_network_state(getty_t) @@ -137,9 +137,9 @@ tunable_policy(`login_console_enabled',` term_dontaudit_use_console(getty_t) ') -optional_policy(` - cockpit_read_pid_files(getty_t) -') +#optional_policy(` +# cockpit_read_pid_files(getty_t) +#') optional_policy(` hostname_exec(getty_t) diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index ca0229d327..2d38dcf3df 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te @@ -17,14 +17,14 @@ role system_r types hostname_t; # for setting the hostname allow hostname_t self:process { sigchld sigkill sigstop signull signal }; -allow hostname_t self:capability sys_admin; -allow hostname_t self:unix_stream_socket create_stream_socket_perms; -dontaudit hostname_t self:capability sys_tty_config; +#allow hostname_t self:capability sys_admin; +#allow hostname_t self:unix_stream_socket create_stream_socket_perms; +#dontaudit hostname_t self:capability sys_tty_config; -kernel_list_proc(hostname_t) -kernel_read_net_sysctls(hostname_t) -kernel_read_proc_symlinks(hostname_t) -kernel_read_network_state(hostname_t) +#kernel_list_proc(hostname_t) +#kernel_read_net_sysctls(hostname_t) +#kernel_read_proc_symlinks(hostname_t) +#kernel_read_network_state(hostname_t) dev_read_sysfs(hostname_t) # Early devtmpfs, before udev relabel @@ -48,10 +48,10 @@ term_dontaudit_use_console(hostname_t) term_use_all_inherited_terms(hostname_t) term_use_usb_ttys(hostname_t) -init_use_fds(hostname_t) -init_use_script_fds(hostname_t) -init_use_script_ptys(hostname_t) -init_rw_inherited_script_tmp_files(hostname_t) +#init_use_fds(hostname_t) +#init_use_script_fds(hostname_t) +#init_use_script_ptys(hostname_t) +#init_rw_inherited_script_tmp_files(hostname_t) logging_send_syslog_msg(hostname_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 7fa4ad2487..00ad25169d 100644 --- a/policy/modules/system/systemd.te 
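Review bot: Commenting out the entire block from `#allow getty_t self:capability { ... }` down to `#files_pid_filetrans(getty_t, getty_var_run_t, file)` leaves `getty_t` without its capability, `getty_etc_t`, lock, log, tmp and pid rules while the following `kernel_read_system_state(getty_t)` calls stay in place, which per the subject ("break more stuff") is an intentionally broken state and must not be merged. If it is kept temporarily as a CI fixture, put the reason at the top of the commented block, e.g. `# TEST: temporarily disabled to verify CI catches policy breakage; do not merge`, so the intent is visible in the file and not only in the commit subject. This hunk begins on the previous physical line.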
+++ b/policy/modules/system/systemd.te @@ -741,7 +741,7 @@ optional_policy(` ') optional_policy(` - # we have /run/user/$USER/dconf + # we have /run/user/$USER/dconf gnome_delete_home_config(systemd_tmpfiles_t) gnome_delete_home_config_dirs(systemd_tmpfiles_t) gnome_setattr_home_config_dirs(systemd_tmpfiles_t) @@ -873,21 +873,21 @@ optional_policy(` # # Hostnamed policy # -# allow systemd_hostnamed_t self:capability sys_admin; +allow systemd_hostnamed_t self:capability sys_admin; dontaudit systemd_hostnamed_t self:capability sys_ptrace; allow systemd_hostnamed_t self:fifo_file rw_fifo_file_perms; allow systemd_hostnamed_t self:unix_stream_socket create_stream_socket_perms; allow systemd_hostnamed_t self:unix_dgram_socket create_socket_perms; -# manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) -# manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) -# files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file) -# init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file ) +manage_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) +manage_lnk_files_pattern(systemd_hostnamed_t, hostname_etc_t, hostname_etc_t) +files_etc_filetrans(systemd_hostnamed_t, hostname_etc_t, file) +init_pid_filetrans(systemd_hostnamed_t, hostname_etc_t, file ) -# kernel_dgram_send(systemd_hostnamed_t) -# kernel_read_xen_state(systemd_hostnamed_t) -# kernel_read_sysctl(systemd_hostnamed_t) +kernel_dgram_send(systemd_hostnamed_t) +kernel_read_xen_state(systemd_hostnamed_t) +kernel_read_sysctl(systemd_hostnamed_t) dev_write_kmsg(systemd_hostnamed_t) dev_read_sysfs(systemd_hostnamed_t) From 7e50ee6d1ff29056df298ced9f9ec4c3c59bffde Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Thu, 3 Aug 2023 10:26:13 +0200 Subject: [PATCH 5/5] reintroduce rhbz#2213571 --- policy/modules/system/init.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 91d53c6886..74882174db 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -56,7 +56,7 @@ gen_tunable(init_create_dirs, true) ## Allow init audit_control capability ##

## -gen_tunable(init_audit_control, true) +gen_tunable(init_audit_control, false) # used for direct running of init scripts # by admin domains
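Review bot: Flipping the default of `init_audit_control` from `true` to `false` is a security-relevant behaviour change: per the description directly above it, init loses the `audit_control` capability on every system that does not set the boolean, and the subject says this deliberately reintroduces rhbz#2213571. That makes the hunk a CI probe rather than a change to land; the default must go back to `gen_tunable(init_audit_control, true)` or the commit be dropped before merge, and if a regression check for that bug is wanted it belongs in a test plan, not in the shipped policy default.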