-
Notifications
You must be signed in to change notification settings - Fork 698
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Load all the profile if not loaded for Ubuntu #12482
Load all the profile if not loaded for Ubuntu #12482
Conversation
Hi @alanmcanonical. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
@alanmcanonical is it expected that test scenarios fail to initialize the testing environment for this rule in containers? |
No. It should succeed to create testing environment. I will have a look |
265924d
to
00149d3
Compare
7fbe584
to
3e27eff
Compare
The apparmor is expected to fail inside the container environment. See here. The docker and podman provide minimal support for apparmor. These tests pass if we tests in qemu/kvm environment. |
@alanmcanonical could you please rebase so that this PR is in effect? |
4b0fdd0
to
87c4223
Compare
@alanmcanonical I see. I think the issue might take a while to resolve. Did you try creating local VM with Ubuntu and using Automatus to test those rules in that VM? If you did that and test scenarios pass, I think this can be merged. |
… of loaded profiles
This is to avoid enforcing the rsyslogd profile which is disabled by default on Jammy. Issue introduced with the recent change of the default value var_apparmor_mode from complain to enforce.
Tests for ensure_apparmor_enforce were failing because aa-complain and aa-enforce enabled the rsyslogd profile, which is disabled by default, thus marking it as an "unconfined process with a defined profile" and failing the SCE. Solution is to restart the service when loading the profiles. Tests for ensure_apparmor_enforce_or_complain were adapted to not load disabled profiles.
87c4223
to
fb6ac37
Compare
All the tests pass on my qemu vm |
Code Climate has analyzed commit d7b3438 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm, thanks!
Description:
Rationale: