martinpitt · martinpitt · Aug 4, 2023 · Aug 2, 2023 · Aug 3, 2023 · Aug 3, 2023
diff --git a/.copr/make-srpm.sh b/.copr/make-srpm.sh
@@ -3,6 +3,12 @@
 set -eux
 
 outdir="$1"; shift
+mkdir -p "$outdir"
+
+# when this is specified, build a source directory and skip the rpmbuild step
+if [ "${1:-}" = "srcdir" ]; then
+    srcdir=1
+fi
 
 rootdir="$(realpath -m "$0/../..")"
 
@@ -45,6 +51,11 @@ cp "$expander_dir/macro-expander.sh" "$distgit_dir/macro-expander"
 sed -i "s/%global commit [^ ]*$/%global commit $base_head_id/;
         s/%{?dist}/.$base_date.$base_short_head_id%{?dist}/" "$distgit_dir/selinux-policy.spec"
 rm -f "$distgit_dir/sources"
-rpmbuild --define "_topdir $rpmbuild_dir" -bs "$distgit_dir/selinux-policy.spec"
 
-cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir"
+if [ -n "${srcdir:-}" ]; then
+    cp -r "$distgit_dir"/* "$outdir"
+else
+    # full rpmbuild for copr
+    rpmbuild --define "_topdir $rpmbuild_dir" -bs "$distgit_dir/selinux-policy.spec"
+    cp "$rpmbuild_dir/SRPMS/"*.src.rpm "$outdir"
+fi
diff --git a/.fmf/version b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -14,32 +14,3 @@ jobs:
       - run: make -j $(nproc) policy
       - run: make -j $(nproc) validate
       - run: make -j $(nproc) container.pp
-  build-rpm:
-    runs-on: ubuntu-latest
-    container:
-      image: fedora:rawhide
-      options: --security-opt seccomp=unconfined
-    steps:
-      - run: dnf install --nogpgcheck -y make git-core rpm-build 'dnf-command(builddep)'
-      - uses: actions/checkout@v3
-      # https://github.blog/2022-04-12-git-security-vulnerability-announced/
-      - run: git config --global --add safe.directory "$PWD"
-      - run: make -C .copr srpm outdir="$PWD"
-      - name: Store the SRPM as an artifact
-        uses: actions/upload-artifact@v2
-        with:
-          name: srpm
-          path: "*.src.rpm"
-      - run: |
-          if grep -q rawhide /etc/os-release; then
-            tag=rawhide
-          else
-            tag='f$releasever-build'
-          fi
-          dnf builddep --nogpgcheck --repofrompath "koji,https://kojipkgs.fedoraproject.org/repos/$tag/latest/\$arch/" -y *.src.rpm
-      - run: rpmbuild --define "_topdir $PWD/rpmbuild" -rb *.src.rpm
-      - name: Store binary RPMs as artifacts
-        uses: actions/upload-artifact@v2
-        with:
-          name: rpms
-          path: rpmbuild/RPMS
diff --git a/packit.yaml b/packit.yaml
@@ -0,0 +1,31 @@
+# See https://packit.dev/docs/configuration/
+
+specfile_path: tmp/rpm/selinux-policy.spec
+
+actions:
+  post-upstream-clone:
+    - .copr/make-srpm.sh tmp/rpm srcdir
+  create-archive: sh -c 'ls tmp/rpm/selinux-policy*.tar.gz'
+
+jobs:
+  - job: copr_build
+    trigger: pull_request
+    targets:
+    - fedora-development
+    - fedora-latest-stable
+
+  # run tests for packages which test SELinux policy well, see plans/ with `revdeps == yes`
+  - job: tests
+    identifier: revdeps
+    trigger: pull_request
+    targets:
+    - fedora-development
+    - fedora-latest-stable
+    tf_extra_params:
+      environments:
+        - artifacts:
+          - type: repository-file
+            id: https://copr.fedorainfracloud.org/coprs/g/cockpit/main-builds/repo/fedora-$releasever/group_cockpit-main-builds-fedora-$releasever.repo
+          tmt:
+            context:
+              revdeps: "yes"
diff --git a/plans/cockpit.fmf b/plans/cockpit.fmf
@@ -0,0 +1,30 @@
+# reverse dependency test for https://github.com/cockpit-project/cockpit
+# if this fails in a non-obvious way, please contact the cockpit team in your PR for investigation:
+# @martinpitt, @marusak, @jelly
+
+enabled: false
+adjust+:
+  when: revdeps == yes
+  enabled: true
+
+discover:
+    how: fmf
+    url: https://github.com/cockpit-project/cockpit
+    ref: main
+execute:
+    how: tmt
+
+/basic:
+    summary: Run tests for basic packages
+    discover+:
+        test: /test/browser/basic
+
+/network:
+    summary: Run tests for cockpit-networkmanager
+    discover+:
+        test: /test/browser/network
+
+/optional:
+    summary: Run tests for optional packages
+    discover+:
+        test: /test/browser/optional
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
@@ -44,27 +44,27 @@ ifdef(`enable_mls',`
 #
 
 # Use capabilities.
-allow getty_t self:capability { dac_read_search  dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
-dontaudit getty_t self:capability sys_tty_config;
-allow getty_t self:process { getpgid setpgid getsession signal_perms };
-allow getty_t self:fifo_file rw_fifo_file_perms;
-
-read_files_pattern(getty_t, getty_etc_t, getty_etc_t)
-read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t)
-files_etc_filetrans(getty_t, getty_etc_t,{ file dir })
-
-allow getty_t getty_lock_t:file manage_file_perms;
-files_lock_filetrans(getty_t, getty_lock_t, file)
-
-allow getty_t getty_log_t:file manage_file_perms;
-logging_log_filetrans(getty_t, getty_log_t, file)
-
-allow getty_t getty_tmp_t:file manage_file_perms;
-allow getty_t getty_tmp_t:dir manage_dir_perms;
-files_tmp_filetrans(getty_t, getty_tmp_t, { file dir })
-
-manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
-files_pid_filetrans(getty_t, getty_var_run_t, file)
+#allow getty_t self:capability { dac_read_search  dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+#dontaudit getty_t self:capability sys_tty_config;
+#allow getty_t self:process { getpgid setpgid getsession signal_perms };
+#allow getty_t self:fifo_file rw_fifo_file_perms;
+#
+#read_files_pattern(getty_t, getty_etc_t, getty_etc_t)
+#read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t)
+#files_etc_filetrans(getty_t, getty_etc_t,{ file dir })
+#
+#allow getty_t getty_lock_t:file manage_file_perms;
+#files_lock_filetrans(getty_t, getty_lock_t, file)
+#
+#allow getty_t getty_log_t:file manage_file_perms;
+#logging_log_filetrans(getty_t, getty_log_t, file)
+#
+#allow getty_t getty_tmp_t:file manage_file_perms;
+#allow getty_t getty_tmp_t:dir manage_dir_perms;
+#files_tmp_filetrans(getty_t, getty_tmp_t, { file dir })
+#
+#manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
+#files_pid_filetrans(getty_t, getty_var_run_t, file)
 
 kernel_read_system_state(getty_t)
 kernel_read_network_state(getty_t)
@@ -137,9 +137,9 @@ tunable_policy(`login_console_enabled',`
 	term_dontaudit_use_console(getty_t)
 ')
 
-optional_policy(`
-    cockpit_read_pid_files(getty_t)
-')
+#optional_policy(`
+#    cockpit_read_pid_files(getty_t)
+#')
 
 optional_policy(`
     hostname_exec(getty_t)

diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
@@ -17,14 +17,14 @@ role system_r types hostname_t;
 
 # for setting the hostname
 allow hostname_t self:process { sigchld sigkill sigstop signull signal };
-allow hostname_t self:capability sys_admin;
-allow hostname_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit hostname_t self:capability sys_tty_config;
+#allow hostname_t self:capability sys_admin;
+#allow hostname_t self:unix_stream_socket create_stream_socket_perms;
+#dontaudit hostname_t self:capability sys_tty_config;
 
-kernel_list_proc(hostname_t)
-kernel_read_net_sysctls(hostname_t)
-kernel_read_proc_symlinks(hostname_t)
-kernel_read_network_state(hostname_t)
+#kernel_list_proc(hostname_t)
+#kernel_read_net_sysctls(hostname_t)
+#kernel_read_proc_symlinks(hostname_t)
+#kernel_read_network_state(hostname_t)
 
 dev_read_sysfs(hostname_t)
 # Early devtmpfs, before udev relabel
@@ -48,10 +48,10 @@ term_dontaudit_use_console(hostname_t)
 term_use_all_inherited_terms(hostname_t)
 term_use_usb_ttys(hostname_t)
 
-init_use_fds(hostname_t)
-init_use_script_fds(hostname_t)
-init_use_script_ptys(hostname_t)
-init_rw_inherited_script_tmp_files(hostname_t)
+#init_use_fds(hostname_t)
+#init_use_script_fds(hostname_t)
+#init_use_script_ptys(hostname_t)
+#init_rw_inherited_script_tmp_files(hostname_t)
 
 logging_send_syslog_msg(hostname_t)
 

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
@@ -56,7 +56,7 @@ gen_tunable(init_create_dirs, true)
 ## Allow init audit_control capability
 ## </p>
 ## </desc>
-gen_tunable(init_audit_control, true)
+gen_tunable(init_audit_control, false)
 
 # used for direct running of init scripts
 # by admin domains