Place a copy of "example_tests-DSP.yml" into the resulting package distgit
"tests" repository to test for potentially dangerous policy issues (we recommend
renaming it to "tests-DSP.yml", but anything that fits "tests*.yml" will work).
The environment section needs to be configured for your package, and the package
also needs to be added to required_packages.

Example environment configurations:

-------------------------------------------------------------------------------
Zabbix - policy sources are placed directly in distgit (hence POLICY_TAR: '' )
https://src.fedoraproject.org/rpms/zabbix/pull-request/4

TEST_RPM: zabbix-selinux
TEST_POLICY: zabbix
POLICY_TAR: ''
POLICY_PATH: .

-------------------------------------------------------------------------------
Freeipa - policy sources live in freeipa upstream (in 'selinux' directory)
https://src.fedoraproject.org/rpms/freeipa/tree/master

TEST_RPM: freeipa-selinux
TEST_POLICY: ipa
POLICY_TAR: 'freeipa-*.tar.gz'
POLICY_PATH: 'freeipa-*/selinux'

-------------------------------------------------------------------------------
USBGuard - policy sources are stored in separate repository (separate tar.gz)
https://src.fedoraproject.org/rpms/usbguard/tree/master

TEST_RPM: usbguard-selinux
TEST_POLICY: usbguard
POLICY_TAR: 'usbguard-selinux*.tar.gz'
POLICY_PATH: 'usbguard-selinux*'

-------------------------------------------------------------------------------
Debugging test results

The "Unsound/dangerous policy practices" section is based on [1], where you can
find more details about each issue and suggestions for possible causes. Policy
rules flagged by this part of the test can be waived using the IGNORE_RULES
variable in the tests-DSP.yml file (this has to be agreed upon with the SELinux
team).
Example:
IGNORE_RULES: >-
  nagios_script_t:system_map_t:file
  nagios_script_t:boot_t:dir

For more details about the "SELint static analysis" section, see [2]. Most
issues generated by SELint can be fixed by tweaking the custom policy sources,
but in rare cases it may be necessary to also update the distribution policy
(e.g. add a new interface). In such a case you can temporarily (until the
necessary change in the distribution policy is merged) disable the given check
by including the following comment at the end of the line causing the issue:

#selint-disable:<ISSUE-ID>

You can find the ISSUE-ID at the end of each SELint message.
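
Both waiver mechanisms above are meant to be agreed upon or temporary, so it
helps to list them when reviewing a package. The script below is an added
example, not part of the test suite or of SELint. Assumptions: the sample policy
and the myapp names are constructed, ISSUE-IDs look like "W-001", and several
IDs may be given as a comma-separated list.

```python
import re

# Constructed sample policy source (not taken from any real package).
SAMPLE_TE = """\
policy_module(myapp, 1.0)
type myapp_t;
allow myapp_t self:process signal; #selint-disable:W-001
files_read_etc_files(myapp_t) #selint-disable:C-005,S-010
# an ordinary comment, not a waiver
"""

# Constructed IGNORE_RULES value in the source:target:class form shown above.
# A folded YAML scalar (>-) joins its lines with spaces, hence one string.
SAMPLE_IGNORE = "myapp_t:boot_t:dir myapp_t:system_map_t:file myapp_t:bad"

# Assumed ISSUE-ID shape: one capital letter, a dash, digits (e.g. W-001).
DISABLE_RE = re.compile(r"#selint-disable:([A-Z]-\d+(?:,[A-Z]-\d+)*)")
RULE_RE = re.compile(r"^\w+:\w+:\w+$")


def selint_waivers(text, filename="<policy>"):
    """Return (filename, line_number, issue_id, statement) per disabled check."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = DISABLE_RE.search(line)
        if not match:
            continue
        statement = line[:match.start()].strip()
        for issue in match.group(1).split(","):
            found.append((filename, lineno, issue, statement))
    return found


def split_ignore_rules(value):
    """Split an IGNORE_RULES string into (well_formed, malformed) entries."""
    entries = value.split()
    good = [e for e in entries if RULE_RE.match(e)]
    bad = [e for e in entries if not RULE_RE.match(e)]
    return good, bad


if __name__ == "__main__":
    for fname, lineno, issue, stmt in selint_waivers(SAMPLE_TE, "myapp.te"):
        print(f"{fname}:{lineno}: {issue} disabled on: {stmt}")
    good, bad = split_ignore_rules(SAMPLE_IGNORE)
    print("IGNORE_RULES entries:", good, "malformed:", bad)
```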

[1] https://fedoraproject.org/wiki/SELinux/Unsound_or_dangerous_SELinux_policy_practices
[2] https://github.com/TresysTechnology/selint