From 962c72add89302b61e71e6668d8cd7a438ac8c56 Mon Sep 17 00:00:00 2001 From: Dusty Mabe Date: Fri, 20 Sep 2024 15:49:47 -0400 Subject: [PATCH] tests/kola: catch SELinux unlabeled and mislabeled files This adds a unlabeled and mislabeled files test and also adds code to the extended upgrade test to verify there aren't any suprises there either. --- tests/kola/selinux/file-context-policy-match | 24 ++++++++++++ tests/kola/upgrade/extended/test.sh | 41 ++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100755 tests/kola/selinux/file-context-policy-match diff --git a/tests/kola/selinux/file-context-policy-match b/tests/kola/selinux/file-context-policy-match new file mode 100755 index 000000000..afe16fc3a --- /dev/null +++ b/tests/kola/selinux/file-context-policy-match @@ -0,0 +1,24 @@ +#!/bin/bash +## kola: +## exclusive: false +## tags: "platform-independent" +## description: Verify there are no unlabeled or mislabeled files on the system. + +# See https://github.com/coreos/fedora-coreos-tracker/issues/1772 + +set -xeuo pipefail + +# shellcheck disable=SC1091 +. "$KOLA_EXT_DATA/commonlib.sh" + +unlabeled="$(find /sysroot -context *unlabeled_t* | xargs -I{} ls -ldZ '{}')" +if [ -n "${unlabeled}" ]; then + fatal "Some unlabeled files were found" +fi + +mislabeled="$(restorecon -vnr /var/ /etc/ /usr/ /boot/)" +if [ -n "${mislabeled}" ]; then + fatal "Some mislabeled files were found" +fi + +ok "No unlabeled or mislabeled files found!" diff --git a/tests/kola/upgrade/extended/test.sh b/tests/kola/upgrade/extended/test.sh index 988acaaee..089d95f64 100755 --- a/tests/kola/upgrade/extended/test.sh +++ b/tests/kola/upgrade/extended/test.sh @@ -154,6 +154,45 @@ move-to-cgroups-v2() { fi } +selinux-sanity-check() { + # Verify SELinux labels are sane. Migration scripts should have cleaned + # up https://github.com/coreos/fedora-coreos-tracker/issues/1772 + unlabeled="$(find /sysroot -context *unlabeled_t* | xargs -I{} 'ls -ldZ {}')" + if [ -n "${unlabeled}" ]; then + fatal "Some unlabeled files were found" + fi + mislabeled="$(restorecon -vnr /var/ /etc/ /usr/ /boot/)" + if [ -n "${mislabeled}" ]; then + # Exceptions for files that could be wrong (sometimes upgrades are messy) + # Would relabel /var/lib/cni from system_u:object_r:var_lib_t:s0 to system_u:object_r:container_var_lib_t:s0 + # Would relabel /etc/selinux/targeted/semanage.read.LOCK from system_u:object_r:semanage_trans_lock_t:s0 to system_u:object_r:selinux_config_t:s0 + # Would relabel /etc/selinux/targeted/semanage.trans.LOCK from system_u:object_r:semanage_trans_lock_t:s0 to system_u:object_r:selinux_config_t:s0 + # Would relabel /etc/systemd/journald.conf.d from system_u:object_r:etc_t:s0 to system_u:object_r:systemd_conf_t:s0 + # Would relabel /etc/systemd/journald.conf.d/forward-to-console.conf from system_u:object_r:etc_t:s0 to system_u:object_r:systemd_conf_t:s0 + # Would relabel /boot/lost+found from system_u:object_r:unlabeled_t:s0 to system_u:object_r:lost_found_t:s0' ']' + declare -A exceptions=( + '/var/lib/cni' '1' + '/etc/selinux/targeted/semanage.read.LOCK' '1' + '/etc/selinux/targeted/semanage.trans.LOCK' '1' + '/etc/systemd/journald.conf.d' '1' + '/etc/systemd/journald.conf.d/forward-to-console.conf' '1' + '/boot/lost+found' '1' + ) + paths="$(echo "${mislabeled}" | grep "Would relabel" | cut -d ' ' -f 3)" + while read path; do + found="" + if [[ "${exceptions[$path]:-noexception}" == 'noexception' ]]; then + echo "Unexpected mislabeled file found: ${path}" + found="1" + fi + done <<< "${paths}" + if [ "${found}" == "1" ];then + fatal "Some unexpected mislabeled files were found." + fi + fi + ok "Selinux sanity checks passed" +} + ok "Reached version: $version" # Are we all the way at the desired target version? @@ -166,6 +205,8 @@ if vereq $version $target_version; then if ! echo "$state" | grep -q "CoreOS aleph version"; then fatal "check bootupctl status output" fi + # One last check! + selinux-sanity-check exit 0 fi