fedora-selinux/DSP_test
Place a copy of "example_plan.fmf_" into the "plans" directory in your package distgit repository to test for potentially dangerous policy issues (the file extension needs to be ".fmf"). The "environment" section needs to be configured for your package, and the DSP sub-package also needs to be added to the "prepare" section.

Example environment configurations:

-------------------------------------------------------------------------------
Zabbix - policy sources are placed directly in distgit (hence POLICY_TAR: '', or not specified at all)
https://src.fedoraproject.org/rpms/zabbix/pull-request/4

    TEST_RPM: "zabbix-selinux"
    TEST_POLICY: "zabbix"
    POLICY_PATH: .
-------------------------------------------------------------------------------
Freeipa - policy sources live in freeipa upstream (in the 'selinux' directory)
https://src.fedoraproject.org/rpms/freeipa/tree/master

    TEST_RPM: "freeipa-selinux"
    TEST_POLICY: "ipa"
    POLICY_TAR: 'freeipa-*.tar.gz'
    POLICY_PATH: 'freeipa-*/selinux'
-------------------------------------------------------------------------------
USBGuard - policy sources are stored in a separate repository (separate tar.gz)
https://src.fedoraproject.org/rpms/usbguard/tree/master

    TEST_RPM: "usbguard-selinux"
    TEST_POLICY: "usbguard"
    POLICY_TAR: 'usbguard-selinux*.tar.gz'
    POLICY_PATH: 'usbguard-selinux*'
-------------------------------------------------------------------------------
Fapolicyd - policy sources live in a separate repository, but upstream patches are applied in %prep (the test relies on rpmbuild)

    TEST_RPM: "fapolicyd-selinux"
    TEST_POLICY: "fapolicyd"
    IGNORE_RULES: "fapolicyd_t:boot_t:dir"
-------------------------------------------------------------------------------

The "prepare" section needs to list the DSP (sub)package as well as any build dependencies needed for "rpmbuild -rp <package>.src.rpm":

-------------------------------------------------------------------------------
    prepare:
      - name: packages
        how: install
        package: freeipa-selinux
-------------------------------------------------------------------------------
    prepare:
      - name: packages
        how: install
        package:
          - zabbix-selinux
          - autoconf
          - automake
-------------------------------------------------------------------------------

Debugging test results

The "Unsound/dangerous policy practices" section is based on [1], where you can find more details about each issue and suggestions for possible causes. Policy rules flagged by this part of the test can be waived using the IGNORE_RULES variable in the example_plan.fmf file (this has to be agreed upon with the SELinux team). Example:

    IGNORE_RULES: >-
      nagios_script_t:system_map_t:file
      nagios_script_t:boot_t:dir

For more details about the "SELint static analysis" section, see [2]. Most issues generated by SELint can be fixed by tweaking the custom policy sources, but in rare cases it may be necessary to also update the distribution policy (e.g. add a new interface). In such a case you can temporarily (until the necessary change in the distribution policy is merged) disable the given check by including the following comment at the end of the line causing the issue:

    #selint-disable:<ISSUE-ID>

You can find the ISSUE-ID at the end of each SELint message.

[1] https://fedoraproject.org/wiki/SELinux/Unsound_or_dangerous_SELinux_policy_practices
[2] https://github.com/TresysTechnology/selint
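The IGNORE_RULES waiver described above, as an added example that is not part of DSP_test itself: it parses the folded-scalar value into source:target:class triples and drops flagged allow rules that match one exactly. Exact-triple matching is an assumption about how the test applies waivers, not something the README confirms, and the flagged rules below are constructed samples.

```python
"""Apply an IGNORE_RULES waiver list to flagged SELinux allow rules."""
import re

# Standard SELinux policy syntax: allow <source> <target>:<class> <perm|{ perms }>;
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;")


def parse_allow(rule: str):
    """Return (source, target, class) for an allow rule, or None if it is not one."""
    m = ALLOW_RE.match(rule)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def parse_ignore_rules(value: str) -> set:
    """IGNORE_RULES is written as a YAML folded scalar ('>-'), so its entries
    arrive as one whitespace-separated string; each entry is source:target:class."""
    waived = set()
    for tok in value.split():
        parts = tok.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed IGNORE_RULES entry: {tok!r}")
        waived.add(tuple(parts))
    return waived


def unwaived(flagged: list, ignore_rules: str) -> list:
    """Return the flagged rules not covered by IGNORE_RULES (assumed exact triple match)."""
    waived = parse_ignore_rules(ignore_rules)
    result = []
    for rule in flagged:
        triple = parse_allow(rule)
        if triple is None:
            raise ValueError(f"not an allow rule: {rule!r}")
        if triple not in waived:
            result.append(rule)
    return result


# Constructed sample of rules a run might flag (not real DSP_test output).
FLAGGED = [
    "allow nagios_script_t system_map_t:file { read open getattr };",
    "allow nagios_script_t boot_t:dir { read search };",
    "allow nagios_script_t shadow_t:file read;",
]
# The two entries from the README example, as the folded scalar yields them.
IGNORE_RULES = "nagios_script_t:system_map_t:file nagios_script_t:boot_t:dir"

if __name__ == "__main__":
    for rule in unwaived(FLAGGED, IGNORE_RULES):
        print("still flagged:", rule)
```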