Test QM selinux permissions #494

Merged
merged 2 commits into from
Jul 25, 2024

@nsednev (Collaborator) commented Jul 24, 2024

This test case should test inside QM the command setenforce 0 which must fail.

bash-5.1# setenforce 0
setenforce: security_setenforce() failed: Permission denied

What is SELinux?
A test tool ensures that inside the QM the command setenforce 0 must fail.

Why?
QM environment should not allow setenforce to change its state and must always fail.
It should be validated via FFI tests.

How is the deny made?
SELinux internal policies prevent a user inside QM from changing the SELinux status.

How to test?

# podman exec -it qm setenforce 0
setenforce:  security_setenforce() failed:  Permission denied

or

# podman exec -it qm bash
bash-5.1# setenforce 0
setenforce:  security_setenforce() failed:  Permission denied

@nsednev nsednev marked this pull request as draft July 25, 2024 08:02
@nsednev nsednev force-pushed the VROOM-19246 branch 3 times, most recently from 1ceac8c to 0368b84 Compare July 25, 2024 09:27
@nsednev nsednev marked this pull request as ready for review July 25, 2024 09:29
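
A pass criterion for the check described in this PR, as an added example that is not the PR's tests/ffi/selinux/test.sh: a non-zero exit counts as a pass only when the output carries the Permission denied message, so a host with SELinux disabled or a missing container is not mistaken for an enforced denial. The function names and the `--run` switch are assumptions; the container name `qm` and the command come from the description above.

```shell
#!/bin/sh
# Added example; function names and the --run switch are assumptions.

# classify_setenforce_result RC OUTPUT
#   Prints PASS, FAIL or INCONCLUSIVE and returns 0, 1 or 2.
classify_setenforce_result() {
    rc=$1
    out=$2
    # Exit status 0 means the mode switch went through: confinement is broken.
    if [ "$rc" -eq 0 ]; then
        echo FAIL
        return 1
    fi
    # The denial shown in the PR description. Spacing after ':' differs
    # between the captures, so runs of spaces are squeezed before matching.
    squeezed=$(printf '%s' "$out" | tr -s ' ')
    case $squeezed in
        *"security_setenforce() failed: Permission denied"*)
            echo PASS
            return 0 ;;
    esac
    # Non-zero for some other reason (SELinux disabled, container not
    # running, binary missing): the policy was never exercised.
    echo INCONCLUSIVE
    return 2
}

# Hypothetical wrapper: runs the command from the PR description against
# the container named "qm" and classifies the outcome.
check_qm_setenforce() {
    out=$(podman exec qm setenforce 0 2>&1)
    rc=$?
    classify_setenforce_result "$rc" "$out"
}

# Run the live check only when asked to, e.g. `sh check.sh --run` as root.
if [ "${1:-}" = "--run" ]; then
    check_qm_setenforce
fi
```
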
tests/ffi/selinux/test.sh: three review threads, outdated and resolved
@Yarboa Yarboa changed the title Vroom 19246 Test QM selinux permissions Jul 25, 2024

@Yarboa (Collaborator) left a comment

LGTM

@Yarboa Yarboa merged commit b5efe51 into containers:main Jul 25, 2024
7 checks passed
@pengshanyu (Collaborator) commented

should add polarion-id to main.fmf

@nsednev nsednev deleted the VROOM-19246 branch July 28, 2024 12:09