
Enforce SELinux in acceptance tests

Open ekohl opened this issue 4 years ago • 16 comments

This attempts to unify SELinux handling in the tests. It moves the package installation to the acceptance spec helper to reduce duplication. It then makes the set_apache_defaults line idempotent and restorecon_apache correctly chained. This works around PUP-10548 which is that Puppet doesn't reload file contexts within a run. That means it must first create the file(s) and then run restorecon to get correct contexts.

I'm not entirely sure if this will work.

ekohl avatar Sep 01 '21 09:09 ekohl

This PR has been marked as stale because it has been open for a while and has had no recent activity. If this PR is still important to you please drop a comment below and we will add this to our backlog to complete. Otherwise, it will be closed in 7 days.

github-actions[bot] avatar May 09 '22 02:05 github-actions[bot]

@ekohl Apologies for the late review. Anyway, this looks like a good change to me, but I was wondering if you had more work that you intended to add to it, as it has been left a draft?

david22swan avatar May 16 '22 11:05 david22swan

I'm unable to run tests locally, so I pushed this to see the results. They are red but rotated by now. I'll rebase to see if that's still the case.

ekohl avatar May 16 '22 13:05 ekohl

Hello! 👋

This pull request has been open for a while and has had no recent activity. We've labelled it with attention-needed so that we can get a clear view of which PRs need our attention.

If you are waiting on a response from us we will try and address your comments on a future Community Day.

Alternatively, if it is no longer relevant to you please close the PR with a comment.

Please note that if a pull request receives no update for 7 after it has been labelled, it will be closed. We are always happy to re-open pull requests if they have been closed in error.

github-actions[bot] avatar Jul 17 '22 02:07 github-actions[bot]

I've rebased it and split it into two commits. First one that cleans things up (which I think should already be good to merge), then one that makes it enforcing. If the enforcing one fails and we can't quickly figure out why it fails I think we should merge the first commit for now.

ekohl avatar Jul 18 '22 07:07 ekohl

@ekohl Looks like you're getting some failures across the Redhat OSs. Though they don't look fully consistent, some variance across the failures.

david22swan avatar Jul 18 '22 08:07 david22swan

To properly debug this I need the logs from /var/log/audit to see the real AVCs. What would be the best way to retrieve those if I can't run the tests locally?

ekohl avatar Jul 18 '22 09:07 ekohl

There's not really an easy answer for that. Since the environment is cleaned up at the end of every run, the machines and any logs are all wiped from existence.

Off the top of my head, you could comment out the unnecessary tests and then add a run_shell command after the failing ones that cats said log, allowing you to see it.

If that doesn't work, you could disable the cleanup and I could manually retrieve the logs for you. We would need to coordinate though.

david22swan avatar Jul 19 '22 12:07 david22swan
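
Once the audit log text has been captured from a test run, the AVC denials can be reduced to the distinct rules that were hit. The following is an added example, not code from this PR or the module: it assumes the text would come from the output of a `run_shell` call that cats `/var/log/audit/audit.log`, and the sample log lines and helper names are constructed for illustration.

```ruby
# Added example: summarise SELinux AVC denials found in audit.log text.
# SAMPLE_AUDIT_LOG is constructed sample data, not output from this PR's CI runs.
SAMPLE_AUDIT_LOG = <<~LOG
  type=AVC msg=audit(1658131200.101:412): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev="dm-0" ino=7340 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file permissive=0
  type=SYSCALL msg=audit(1658131200.101:412): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
  type=AVC msg=audit(1658131201.550:413): avc:  denied  { read } for  pid=2302 comm="httpd" name="index.html" dev="dm-0" ino=7340 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file permissive=0
  type=AVC msg=audit(1658131205.009:420): avc:  denied  { name_bind } for  pid=2310 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
  type=USER_AVC msg=audit(1658131206.000:421): pid=1 uid=0 msg='avc:  received policyload notice (seqno=2)'
LOG

# Matches kernel AVC denial records and captures the fields needed for triage.
AVC_RE = /avc:\s+denied\s+\{\s*(?<perms>[^}]*?)\s*\}.*?comm="(?<comm>[^"]*)"
          .*?scontext=(?<scontext>\S+)\s+tcontext=(?<tcontext>\S+)\s+tclass=(?<tclass>\S+)/x

# Hypothetical helper: returns one hash per AVC denial line, skipping other record types.
def parse_avc_denials(text)
  text.each_line.filter_map do |line|
    next unless line.start_with?('type=AVC')

    m = AVC_RE.match(line)
    next unless m

    {
      comm: m[:comm],
      perms: m[:perms].split,
      source_type: m[:scontext].split(':')[2], # user:role:type:level
      target_type: m[:tcontext].split(':')[2],
      tclass: m[:tclass]
    }
  end
end

# Hypothetical helper: groups identical denials and counts them, most frequent first.
def summarize_denials(text)
  parse_avc_denials(text)
    .group_by { |d| d.values_at(:source_type, :target_type, :tclass, :perms) }
    .map do |(src, tgt, cls, perms), hits|
      { rule: "#{src} -> #{tgt}:#{cls} { #{perms.join(' ')} }", count: hits.size }
    end
    .sort_by { |s| [-s[:count], s[:rule]] }
end

if __FILE__ == $PROGRAM_NAME
  summarize_denials(SAMPLE_AUDIT_LOG).each { |s| puts format('%3d  %s', s[:count], s[:rule]) }
end
```

A mislabelled file shows up as a target type such as `tmp_t` where an `httpd_*` type was expected, which is the symptom the restorecon chaining in this PR is meant to prevent.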

Hello! 👋

This pull request has been open for a while and has had no recent activity. We've labelled it with attention-needed so that we can get a clear view of which PRs need our attention.

If you are waiting on a response from us we will try and address your comments on a future Community Day.

Alternatively, if it is no longer relevant to you please close the PR with a comment.

Please note that if a pull request receives no update for 7 after it has been labelled, it will be closed. We are always happy to re-open pull requests if they have been closed in error.

github-actions[bot] avatar Sep 18 '22 02:09 github-actions[bot]

I split off https://github.com/puppetlabs/puppetlabs-apache/pull/2320 which at least cleans some things up. Let's try to get that merged since I don't have time to finish this for now.

ekohl avatar Sep 22 '22 09:09 ekohl

Hello! 👋

This pull request has been open for a while and has had no recent activity. We've labelled it with attention-needed so that we can get a clear view of which PRs need our attention.

If you are waiting on a response from us we will try and address your comments on a future Community Day.

Alternatively, if it is no longer relevant to you please close the PR with a comment.

Please note that if a pull request receives no update for 7 after it has been labelled, it will be closed. We are always happy to re-open pull requests if they have been closed in error.

github-actions[bot] avatar Nov 23 '22 02:11 github-actions[bot]

Rebased to resolve conflicts. Includes https://github.com/puppetlabs/puppetlabs-apache/pull/2320 so that should be merged first.

ekohl avatar Nov 23 '22 12:11 ekohl

@ekohl Hey, sorry to bother, but just checking in on how this is proceeding so I can update our records?

david22swan avatar Jan 16 '23 10:01 david22swan

@david22swan I need to do some work on this, but I really struggle to find the time for it. Luckily all the preparation work went in, so I'll rebase this to show that.

ekohl avatar Jan 16 '23 10:01 ekohl

Hey @ekohl, are you still interested in working on this project? Perhaps this PR should be closed until work is resumed. Mostly to avoid stale PRs.

LukasAud avatar May 26 '23 16:05 LukasAud

I don't have time for it right now. Perhaps convert it to an issue so it isn't lost?

ekohl avatar May 26 '23 16:05 ekohl