Actions
action #174175
closed[security][tumbleweed] Add setroubleshootd tests
Start date:
Due date:
% Done:
100%
Estimated time:
8.00 h
Difficulty:
Tags:
Description
Motivation¶
We need to be able to test setroubleshoot automatically so we could catch downgrades or issues in advance to bring better usability to the users.
What should be tested:
- setroubleshootd
- systemd service has no issue when called
- daemon is dbus activated
- policykit restrict direct usage only to setroubleshoot user
Acceptance Criteria¶
- Create a test that runs on SELinux enabled Tumbleweed system, with auditd
- Install the package setroubleshoot-server, check that it installs setroubleshoot-plugins automatically
- Check setroubleshootd DBus activation via systemd service. Check if is-active shows inactive at first, then after restart shows active at first but after about 15 seconds it should be no longer active again.
- Check setroubleshootd invoking via polkit as root, see /usr/share/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf
Further Information¶
Ask for details from for example Zdenek Kubala if something is unclear, or from this ticket's author.
Updated by tjyrinki_suse 2 months ago
- Related to action #174178: [security][tumbleweed] Add sealert tests to setroubleshootd added
Updated by amanzini 2 months ago ยท Edited
tests are in a good shape: https://openqa.opensuse.org/tests/4709307#step/setroubleshootd/11
waiting for clarification about the ac4 (asked on slack) and left a comment on confluence page
Updated by djz88 about 2 months ago
Hello, so for "Check setroubleshootd invoking via polkit as root, see /usr/share/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf"
It could be tested via non priviledge user.
like
localhost:~ # runuser root -c "pkcheck -p $$ -a org.fedoraproject.setroubleshootfixit.write"
localhost:~ # runuser testik -c "pkcheck -p $$ -a org.fedoraproject.setroubleshootfixit.write"
Error checking for authorization org.fedoraproject.setroubleshootfixit.write: GDBus.Error:org.freedesktop.PolicyKit1.Error.NotAuthorized: Only trusted callers (e.g. uid 0 or an action owner) can use CheckAuthorization() for subjects belonging to other identities
and more interactively (user gets password option)
testik@localhost:/root> pkcheck -u -p $$ --enable-internal-agent -a org.fedoraproject.setroubleshootfixit.write
==== AUTHENTICATING FOR org.fedoraproject.setroubleshootfixit.write ====
System policy prevents write access to SETroubleshoot
Authenticating as: root
Password: "$WRONG"
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ====
Not authorized.
testik@localhost:/root> pkcheck -u -p $$ --enable-internal-agent -a org.fedoraproject.setroubleshootfixit.write
==== AUTHENTICATING FOR org.fedoraproject.setroubleshootfixit.write ====
System policy prevents write access to SETroubleshoot
Authenticating as: root
Password: "$GOOD"
==== AUTHENTICATION COMPLETE ====
Updated by amanzini about 2 months ago
- Status changed from Blocked to In Progress
Updated by amanzini about 2 months ago
- Status changed from In Progress to Feedback
Updated by amanzini about 2 months ago
- Status changed from Feedback to Resolved
Actions