action #174175
closed
[security][tumbleweed] Add setroubleshootd tests
Added by tjyrinki_suse 4 months ago.
Updated 3 months ago.
Description
Motivation
We need to be able to test setroubleshoot automatically so we could catch downgrades or issues in advance to bring better usability to the users.
What should be tested:
- setroubleshootd
- systemd service has no issue when called
- daemon is dbus activated
- policykit restricts direct usage only to setroubleshoot user
Acceptance Criteria
- Create a test that runs on SELinux enabled Tumbleweed system, with auditd
- Install the package setroubleshoot-server, check that it installs setroubleshoot-plugins automatically
- Check setroubleshootd DBus activation via systemd service. Check if is-active shows inactive at first, then after restart shows active at first but after about 15 seconds it should be no longer active again.
- Check setroubleshootd invoking via polkit as root, see /usr/share/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf
Further Information
Ask for details from for example Zdenek Kubala if something is unclear, or from this ticket's author.
Related issues
1 (1 open — 0 closed)
- Related to action #174178: [security][tumbleweed] Add sealert tests to setroubleshootd added
- % Done changed from 0 to 10
- Status changed from Workable to In Progress
- Status changed from In Progress to Blocked
- % Done changed from 10 to 20
Hello, so for "Check setroubleshootd invoking via polkit as root, see /usr/share/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf"
It could be tested via a non-privileged user,
like
localhost:~ # runuser root -c "pkcheck -p $$ -a org.fedoraproject.setroubleshootfixit.write"
localhost:~ # runuser testik -c "pkcheck -p $$ -a org.fedoraproject.setroubleshootfixit.write"
Error checking for authorization org.fedoraproject.setroubleshootfixit.write: GDBus.Error:org.freedesktop.PolicyKit1.Error.NotAuthorized: Only trusted callers (e.g. uid 0 or an action owner) can use CheckAuthorization() for subjects belonging to other identities
and more interactively (user gets password option)
testik@localhost:/root> pkcheck -u -p $$ --enable-internal-agent -a org.fedoraproject.setroubleshootfixit.write
==== AUTHENTICATING FOR org.fedoraproject.setroubleshootfixit.write ====
System policy prevents write access to SETroubleshoot
Authenticating as: root
Password: "$WRONG"
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ====
Not authorized.
testik@localhost:/root> pkcheck -u -p $$ --enable-internal-agent -a org.fedoraproject.setroubleshootfixit.write
==== AUTHENTICATING FOR org.fedoraproject.setroubleshootfixit.write ====
System policy prevents write access to SETroubleshoot
Authenticating as: root
Password: "$GOOD"
==== AUTHENTICATION COMPLETE ====
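The DBus activation criterion from the description (inactive at first, active right after a restart, inactive again after about 15 seconds) can be scripted as a polling check. This is an added example, not part of the ticket or of the openQA test suite; the unit name setroubleshootd.service, the 30-second ceiling, the return codes and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket). Assumed: unit name, timeouts, function names.
UNIT="${UNIT:-setroubleshootd.service}"

# Print the unit state. "systemctl is-active" exits non-zero for anything but
# "active", so only the printed word is used and the exit status is dropped.
unit_state() {
    systemctl is-active "$1" 2>/dev/null || true
}

# Poll until the unit reports the wanted state or the deadline passes.
# $1 unit, $2 wanted state, $3 max seconds to wait, $4 poll interval in seconds
wait_for_state() {
    waited=0
    while [ "$(unit_state "$1")" != "$2" ]; do
        if [ "$waited" -ge "$3" ]; then return 1; fi
        sleep "$4"
        waited=$((waited + $4))
    done
    return 0
}

# Returns 0 on pass, 1 = not inactive at start, 2 = restart failed,
# 3 = not active right after restart, 4 = daemon still running at the deadline.
check_activation_cycle() {
    unit="$1"; max_idle="${2:-30}"; poll="${3:-1}"
    [ "$(unit_state "$unit")" = "inactive" ] || return 1
    systemctl restart "$unit" || return 2
    [ "$(unit_state "$unit")" = "active" ] || return 3
    wait_for_state "$unit" inactive "$max_idle" "$poll" || return 4
    return 0
}

# On the system under test: check_activation_cycle "$UNIT" 30 1; echo "rc=$?"
```

A ceiling above the expected 15 seconds keeps the check from failing on a slow worker, while return code 4 still catches a daemon that never exits when idle.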
- Status changed from Blocked to In Progress
- % Done changed from 20 to 60
- Status changed from In Progress to Feedback
- % Done changed from 60 to 100
- Status changed from Feedback to Resolved