URL: https://github.com/freeipa/freeipa/pull/5539
Author: flo-renaud
Title: #5539: [Backport][ipa-4-9] test_installutils: run gpg-agent under a specific SELinux context
Action: opened

PR body:
"""
This PR was opened automatically because PR #5535 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5539/head:pr5539
git checkout pr5539
From b233f9152263e708246093099c0409d352950539 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 9 Feb 2021 13:41:13 +0200
Subject: [PATCH] test_installutils: run gpg-agent under a specific SELinux
 context

system_u:system_r:init_t:s0 cannot execute gpg-agent when SELinux is in
enforcing mode. Use an SELinux context that allows this execution:
system_u:system_r:initrc_t:s0 and wrap the whole execution into a bash
run to make sure the init_t -> initrc_t transition happens.

Fixes: https://pagure.io/freeipa/issue/8699
Signed-off-by: Alexander Bokovoy <aboko...@redhat.com>
---
 ipatests/test_ipaserver/test_install/test_installutils.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_ipaserver/test_install/test_installutils.py b/ipatests/test_ipaserver/test_install/test_installutils.py
index 029b2065954..107adfe3cd7 100644
--- a/ipatests/test_ipaserver/test_install/test_installutils.py
+++ b/ipatests/test_ipaserver/test_install/test_installutils.py
@@ -57,10 +57,12 @@ def gpgkey(request, tempdir):
     # daemonize agent (detach from the console and run in the background)
     subprocess.run(
         [paths.SYSTEMD_RUN, '--service-type=forking',
+         '--property', 'SELinuxContext=system_u:system_r:initrc_t:s0',
          '--setenv=GNUPGHOME={}'.format(gnupghome),
          '--setenv=LC_ALL=C.UTF-8',
          '--setenv=LANGUAGE=C',
-         '--unit=gpg-agent', paths.GPG_AGENT, '--daemon', '--batch'],
+         '--unit=gpg-agent', '/bin/bash',
+         '-c', ' '.join([paths.GPG_AGENT, '--daemon', '--batch'])],
         check=True,
         env=env,
     )
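Review bot: The command string handed to `bash -c` is built with `' '.join([paths.GPG_AGENT, '--daemon', '--batch'])`, so nothing is shell-quoted; if the agent path ever contains whitespace or a shell metacharacter, bash will split or interpret it. Building the string with `shlex.join()` (or `shlex.quote()` per element) keeps the wrapper safe at no cost. Two smaller points in the same hunk: `'/bin/bash'` is hard-coded while the other binaries here are taken from `paths`, so a platform path constant would be more consistent; and the only comment above the call still talks about daemonizing, so a reader has no hint why the `SELinuxContext=system_u:system_r:initrc_t:s0` property and the bash wrapper are there. A one-line comment noting that init_t cannot execute gpg-agent in enforcing mode and that the bash run forces the init_t -> initrc_t transition, with the issue link, would stop someone from "simplifying" this back to a direct exec later.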