test: move SELinux fixes to plan preparation steps

Add the missing SELinux permissions to the plan preparation steps instead of fixing them in each test. Signed-off-by: Miguel Martín <[email protected]>
mmartinv · Oct 7, 2024 · fd006fe · fd006fe
1 parent b599aec
commit fd006fe
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 49 deletions.
diff --git a/test/fmf/plans/onboarding.fmf b/test/fmf/plans/onboarding.fmf
@@ -8,6 +8,20 @@ prepare:
       copr: ${PACKIT_COPR_PROJECT}
     - how: shell
       script: dnf install -y ${PACKIT_COPR_RPMS} postgresql-server sqlite
+    - how: shell
+      script: |
+        echo "Adding missing SELinux permissions"
+        tee /tmp/fdo-missing.cil <<EOF
+        (allow fdo_t etc_t (file (write)))
+        (allow fdo_t fdo_conf_t (file (append create rename setattr unlink write)))
+        (allow fdo_t fdo_var_lib_t (dir (add_name remove_name write)))
+        (allow fdo_t fdo_var_lib_t (file (create setattr unlink write)))
+        (allow fdo_t krb5_keytab_t (dir (search)))
+        (allow fdo_t postgresql_port_t (tcp_socket (name_connect)))
+        (allow fdo_t sssd_t (unix_stream_socket (connectto)))
+        (allow fdo_t sssd_var_run_t (sock_file (write)))
+        EOF
+        semodule -i /tmp/fdo-missing.cil
 provision:
     how: virtual
     memory: 4096

diff --git a/test/fmf/tests/onboarding/run-onboarding.sh b/test/fmf/tests/onboarding/run-onboarding.sh
@@ -189,57 +189,8 @@ onboard() {
   /usr/libexec/fdo/fdo-client-linuxapp
 }
 
-fix_selinux_policies() {
-  SELINUX_MODULE="fdo-db"
-  SELINUX_TE_FILE="${SELINUX_MODULE}.te"
-  SELINUX_MOD_FILE="${SELINUX_MODULE}.mod"
-  SELINUX_POLICY_FILE="${SELINUX_MODULE}.pp"
-  semodule -l | grep -q "${SELINUX_MODULE}" || (tee "${SELINUX_TE_FILE}" <<EOF
-module fdo-db 1.0;
-
-require {
-	type postgresql_port_t;
-	type fdo_conf_t;
-	type fdo_t;
-	type etc_t;
-	type krb5_keytab_t;
-	type sssd_var_run_t;
-	type fdo_var_lib_t;
-	type sssd_t;
-	class tcp_socket name_connect;
-	class dir { add_name remove_name search write };
-	class sock_file write;
-	class unix_stream_socket connectto;
-	class file { append create rename setattr unlink write };
-}
-
-#============= fdo_t ==============
-
-allow fdo_t etc_t:file write;
-
-allow fdo_t fdo_conf_t:file { append create rename setattr unlink write };
-
-allow fdo_t fdo_var_lib_t:dir { add_name remove_name write };
-
-allow fdo_t fdo_var_lib_t:file { create setattr unlink write };
-
-allow fdo_t krb5_keytab_t:dir search;
-
-allow fdo_t postgresql_port_t:tcp_socket name_connect;
-
-allow fdo_t sssd_t:unix_stream_socket connectto;
-
-allow fdo_t sssd_var_run_t:sock_file write;
-EOF
-  checkmodule -M -m -o ${SELINUX_MOD_FILE} ${SELINUX_TE_FILE}
-  semodule_package -o ${SELINUX_POLICY_FILE} -m ${SELINUX_MOD_FILE}
-  semodule -i ${SELINUX_POLICY_FILE})
-
-}
-
 [ "${OV_STORE_DRIVER}" != "Sqlite" ] || setup_sqlite
 [ "${OV_STORE_DRIVER}" != "Postgres" ] || setup_postgresql
-fix_selinux_policies
 generate_keys
 setup_manufacturing
 setup_owner