From: Maxime Chevallier
To: buildroot@buildroot.org
Cc: Antoine Tenart, Thomas Petazzoni, Maxime Chevallier
Date: Thu, 7 Jan 2021 14:53:07 +0100
Message-Id: <20210107135307.1762186-4-maxime.chevallier@bootlin.com>
In-Reply-To: <20210107135307.1762186-1-maxime.chevallier@bootlin.com>
X-Patchwork-Id: 1423310
Subject: [Buildroot] [PATCH 3/3] support/testing: improve SELinux test

Now that we have support for the refpolicy in buildroot with the latest
pending patches and the buildroot module, we are able to boot a system
without any denied actions.

Make the test check for the number of denied actions, making sure it's 0.

For now, we don't switch to "Enforcing" mode yet due to some issues still
being present, although not reported as denied actions, possibly because
of "dontaudit" rules.

Suggested-by: Antoine Tenart
Signed-off-by: Maxime Chevallier
---
 support/testing/tests/init/test_systemd_selinux.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/support/testing/tests/init/test_systemd_selinux.py b/support/testing/tests/init/test_systemd_selinux.py index 73604cfc32..dd8ee6e9b0 100644 --- a/support/testing/tests/init/test_systemd_selinux.py +++ b/support/testing/tests/init/test_systemd_selinux.py @@ -17,6 +17,8 @@ class TestSELinuxSystemd(infra.basetest.BRTest): BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86_64/linux.config" BR2_PACKAGE_LIBSELINUX=y BR2_PACKAGE_REFPOLICY=y + BR2_REFPOLICY_EXTRA_MODULES_DIRS="package/refpolicy/selinux-modules" + BR2_REFPOLICY_EXTRA_MODULES="buildroot" """ def wait_boot(self): @@ -50,6 +52,10 @@ class TestSELinuxSystemd(infra.basetest.BRTest): self.assertEqual(ret, 0) self.assertEqual(out[0], "system_u:system_r:init_t\0") + # Check no action was denied by the policy while booting. + out, ret = self.emulator.run("journalctl -e | grep audit | grep denied | wc -l") + self.assertEqual(ret, 0) + self.assertEqual(out[0], "0") class TestSELinuxSystemdExt4(TestSELinuxSystemd): config = TestSELinuxSystemd.config + \
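
Review bot: In the first hunk (test config), `BR2_REFPOLICY_EXTRA_MODULES_DIRS="package/refpolicy/selinux-modules"` points at a directory that this patch does not add, so the test only builds once the earlier patches of the series are applied. The commit message mentions "the latest pending patches"; naming the patch that introduces the `buildroot` module there, or adding a short comment above these two options saying why the module is required for a denial-free boot, would make the dependency explicit.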
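
Review bot: In the second hunk, `self.assertEqual(ret, 0)` only checks the exit status of `wc -l`, the last command of the pipeline, so if `journalctl` fails the count is still 0 and the test passes without having inspected any log. `journalctl -e` also implies `-n1000`, which limits the search to the last 1000 journal lines, and denials logged earlier in boot can fall outside that window; dropping `-e` would cover the whole journal. Consider also asserting separately that `journalctl` itself succeeds, and capturing the matching lines instead of only their count, so a failing run shows which accesses were denied.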