From d452b01b1d50b4ea2287f413c570ffa1a854b2e1 Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Wed, 9 Jun 2021 19:12:16 +0200
Subject: [PATCH] tests: Add decentralized SELinux policy test

- Test for unsound/dangerous SELinux policy practices
- Perform static policy code check using SELint

For more details and debugging tips see https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Testing

Signed-off-by: Vit Mojzis
---
 tests/tests-DSP.yml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 tests/tests-DSP.yml

diff --git a/tests/tests-DSP.yml b/tests/tests-DSP.yml
new file mode 100644
index 0000000..c1c0f88
--- /dev/null
+++ b/tests/tests-DSP.yml
@@ -0,0 +1,42 @@
+- hosts: localhost
+
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    repositories:
+    - repo: https://pagure.io/DSP_test.git
+      dest: DSP_test
+      version: master
+
+    tests:
+    - DSP_test
+    environment:
+      # RPM package containing the policy module
+      TEST_RPM: tigervnc-selinux
+      # policy module name
+      TEST_POLICY: vncsession
+      # policy sources will be extracted from corresponding .src.rpm
+      # policy tar filename regexp (e.g. "usbguard-selinux*.tar.gz")
+      # or empty string if policy sources are not inside a tar archive
+      POLICY_TAR: 'tigervnc-*.tar.gz'
+      # path to policy sources (in of the tar archive) -- //.(te|if|fc)
+      # or path in the src.rpm if there is no tar archive -- //.(te|if|fc)
+      # can contain wildcards (e.g. for versions etc.)
+      POLICY_PATH: 'tigervnc-*/unix/vncserver/selinux'
+      # allow rules ignored by "Unsound/dangerous policy practices" test
+      IGNORE_RULES: >-
+        vnc_session_t:security_t:file
+        userdomain:user_home_dir_t:dir
+        vnc_session_t:user_home_dir_t:dir
+
+    required_packages:
+    - policycoreutils
+    - selinux-policy
+    - selinux-policy-targeted
+    - setools-console
+    - libselinux-utils
+    - rpm
+    - tar
+    - git
+    - tigervnc-selinux
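Review bot: The test harness is cloned from https://pagure.io/DSP_test.git at `version: master`, so the code that executes against the policy (and runs as part of this package's CI) can change underneath the playbook without any review on this side; pin it to a known revision, `version: "<pinned DSP_test commit sha>"`, and advance it deliberately. Two comment nits in the same hunk: the POLICY_TAR comment calls the value a "filename regexp" while `'tigervnc-*.tar.gz'` and the "can contain wildcards" note on POLICY_PATH are glob syntax, so `# policy tar filename glob (e.g. "usbguard-selinux*.tar.gz")` would match what the value actually is. The POLICY_PATH comment `# path to policy sources (in of the tar archive) -- //.(te|if|fc)` reads as garbled, and the `//.(te|if|fc)` fragment on it and the next line looks like it lost placeholder names (presumably the tar's top-level directory and the module name); worth restoring them from the DSP_test documentation so the next maintainer can tell which path is expected.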