selinux.vger.kernel.org archive mirror
From: William Roberts <bill.c.roberts@gmail.com>
To: Paul Moore <paul@paul-moore.com>
Cc: SElinux list <selinux@vger.kernel.org>,
	William Roberts <william.c.roberts@intel.com>
Subject: Re: [PATCH] ci: run SE Linux kernel test suite
Date: Tue, 19 May 2020 17:16:03 -0500	[thread overview]
Message-ID: <CAFftDdpPS0wt3VHiMS6sMKTqAgviNB-TBRT1YqbrzgJftPFj_w@mail.gmail.com> (raw)
In-Reply-To: <CAHC9VhRfWHPkz+rCSAa8kvwVu3dds9q47VfnBFSCJbV3GdMjwQ@mail.gmail.com>

On Tue, May 19, 2020 at 5:00 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Tue, May 19, 2020 at 11:15 AM <bill.c.roberts@gmail.com> wrote:
> > From: William Roberts <william.c.roberts@intel.com>
> >
> > The current CI runs the userspace tooling and libraries against
> > policy files, but cannot test against an SE Linux enabled kernel. Thus,
> > some tests are not being done in the CI. Travis, unfortunately, only
> > provides Ubuntu images, so in order to run against a modern distro with
> > SE Linux in enforcing mode, we need to launch a KVM with something like
> > Fedora.
> >
> > This patch enables this support by launching a Fedora32 Cloud Image with
> > the selinux userspace library passed on from the travis clone; it then
> > builds and replaces the current selinux bits on the Fedora image and
> > runs the SE Linux testsuite.
> >
> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> > ---
> >  .travis.yml                      |   8 +++
> >  scripts/ci/README.md             |   8 +++
> >  scripts/ci/fedora-test-runner.sh |  79 +++++++++++++++++++++
> >  scripts/ci/travis-kvm-setup.sh   | 113 +++++++++++++++++++++++++++++++
> >  4 files changed, 208 insertions(+)
> >  create mode 100644 scripts/ci/README.md
> >  create mode 100755 scripts/ci/fedora-test-runner.sh
> >  create mode 100755 scripts/ci/travis-kvm-setup.sh
>
> ...
>
> > diff --git a/scripts/ci/fedora-test-runner.sh b/scripts/ci/fedora-test-runner.sh
> > new file mode 100755
> > index 000000000000..8d4b1bf7b8f5
> > --- /dev/null
> > +++ b/scripts/ci/fedora-test-runner.sh
> > @@ -0,0 +1,79 @@
> > +#!/usr/bin/env bash
> > +
> > +set -ev
> > +
> > +# CI Debug output if things go squirrely.
> > +getenforce
> > +id -Z
> > +nproc
> > +pwd
>
> Granted my automated testing experience has been with Fedora Rawhide
> and not the stable Fedora releases, but there have been occasions
> where the system is broken in some way which prevents the necessary
> test setup.  My current approach is to put the system in permissive
> mode and leave it there until just before I run my tests.

We can do that.

>
> > +dnf install -y \
>
> Another speaking from experience comment: you probably want to add
> "--allowerasing" and "--skip-broken" to the dnf command line.  If you
> can cope with the extra overhead, I would even suggest a "dnf clean
> all -y" at the start.

I don't see why we couldn't.

Not really sure if it matters for those first two things, considering
that we're starting in the same state each time. It's not like we need
to work on a system that's already been played with.

I can add them and see what kind of increase it adds to the CI time. I'm sure
it's tolerable (obviously set permissive is fast, I'm talking about
the dnf stuff adding time).

>
> > +    git \
> > +    audit-libs-devel \
> > +    bison \
> > +    bzip2-devel \
> > +    CUnit-devel \
> > +    diffutils \
> > +    flex \
> > +    gcc \
> > +    gettext \
> > +    glib2-devel \
> > +    make \
> > +    libcap-devel \
> > +    libcap-ng-devel \
> > +    pam-devel \
> > +    pcre-devel \
> > +    xmlto \
> > +    python3-devel \
> > +    ruby-devel \
> > +    swig \
> > +    perl-Test \
> > +    perl-Test-Harness \
> > +    perl-Test-Simple \
> > +    selinux-policy-devel \
> > +    gcc \
> > +    libselinux-devel \
> > +    net-tools \
> > +    netlabel_tools \
> > +    iptables \
> > +    lksctp-tools-devel \
> > +    attr \
> > +    libbpf-devel \
> > +    keyutils-libs-devel \
> > +    kernel-devel \
> > +    quota \
> > +    xfsprogs-devel \
> > +    libuuid-devel \
> > +    kernel-devel-$(uname -r) \
> > +    kernel-modules-$(uname -r)
> > +
> > +#
> > +# Move to selinux code and build
> > +#
> > +cd ~/selinux
> > +
> > +# Show HEAD commit for sanity checking
> > +git log -1
> > +
> > +#
> > +# Build and replace userspace components
> > +#
> > +# Note: You can't use parallel builds here (make -jX), you'll end up
> > +# with race conditions that manifest like:
> > +# semanage_store.lo: file not recognized: file format not recognized
> > +#
> > +make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
> > +
> > +#
> > +# Get the selinux testsuite, but don't clone it in ~/selinux, move to ~
> > +# first.
> > +#
> > +cd ~
> > +git clone --depth=1 https://github.com/SELinuxProject/selinux-testsuite.git
> > +cd selinux-testsuite
> > +
> > +#
> > +# Run the test suite
> > +#
> > +make test
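
Review bot: the test suite is cloned unpinned from the repository's default branch (`git clone --depth=1 https://github.com/SELinuxProject/selinux-testsuite.git`), so a CI result depends on whatever that repository's HEAD is on the day of the run and a failure cannot be reproduced later; at minimum add a `git log -1` after the clone, as the hunk already does for ~/selinux, and consider checking out a known tag or commit. Two smaller points in the same hunk: `gcc` appears twice in the dnf package list, and the plain `kernel-devel` is redundant next to `kernel-devel-$(uname -r)`; the unversioned one installs whichever version is newest in the repository, which need not match the running kernel that the `$(uname -r)` variant targets.
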
> > diff --git a/scripts/ci/travis-kvm-setup.sh b/scripts/ci/travis-kvm-setup.sh
> > new file mode 100755
> > index 000000000000..19287fd21642
> > --- /dev/null
> > +++ b/scripts/ci/travis-kvm-setup.sh
> > @@ -0,0 +1,113 @@
> > +#!/usr/bin/env bash
>
> ...
>
> > +#
> > +# Great we have a host running, ssh into it. We specify -o so
> > +# we don't get blocked on asking to add the servers key to
> > +# our known_hosts.
> > +#
> > +ssh -o StrictHostKeyChecking=no "root@$ipaddy" "/root/selinux/$TEST_RUNNER"
>
> Depending on the tests, you'll get better output in the logs if you
> add "-tt" to the SSH command line.  You may also want to add "-o
> LogLevel=QUIET" too.

+1

>
> > +
> > +exit 0
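
Review bot: `set -e` does abort the script on a non-zero ssh status, but ssh exits 255 for its own connection or authentication failures, so from the exit code alone a broken VM connection is indistinguishable from a test-suite failure; capturing the status (`ssh ... || rc=$?`) and echoing it before exiting would make the CI log unambiguous. `StrictHostKeyChecking=no` is reasonable for a VM this script just booted, but pairing it with `-o UserKnownHostsFile=/dev/null` keeps the throwaway host key from being written into the runner's known_hosts.
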
>
> Did you want to return the return value from SSH/$TEST_RUNNER?

With set -e, ssh will cause the shell to exit with whatever non-zero
code it returns.

>
> --
> paul moore
> www.paul-moore.com
