Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update sebool template for bootable containers #12564

Merged
merged 2 commits into from
Nov 4, 2024
Merged

Update sebool template for bootable containers #12564

merged 2 commits into from
Nov 4, 2024

Conversation

matusmarhefka
Copy link
Member

@matusmarhefka matusmarhefka commented Nov 1, 2024
edited
Loading

Add an SCE check to the sebool template for bootable containers. OVAL can't be used in this case because selinuxboolean probe as currently implemented won't work inside a container as it uses security_get_boolean_names from libselinux which checks runtime status and that is not possible in a container build environment. The new SCE check uses seinfo binary (from setools-console RPM) which checks static configuration (/etc/selinux/targeted/policy/policy.33 policy file) to obtain SELinux booleans values which will be used once a container is booted.

Related PR in openscap - OpenSCAP/openscap#2171

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Nov 1, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Nov 1, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 1, 2024

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

@matusmarhefka matusmarhefka added the Image Mode Bootable containers and Image Mode RHEL label Nov 1, 2024
@matusmarhefka matusmarhefka mentioned this pull request Nov 1, 2024
Merged
@jan-cerny jan-cerny self-assigned this Nov 4, 2024
@matusmarhefka matusmarhefka marked this pull request as ready for review November 4, 2024 10:04
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Nov 4, 2024
@matusmarhefka
Update test_xccdf_values_in_ds.sh to account for Bash variables
6e1a694 
Bash variables whose names start with `$XCCDF_VALUE_` are valid in SCE
content. The `$XCCDF_VALUE_` variables are exported by `oscap` so that
the SCE check can use XCCDF Values in its code.
@codeclimate CodeClimate
Copy link

codeclimate bot commented Nov 4, 2024

Code Climate has analyzed commit 6e1a694 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 60.9% (0.0% change).

View more on Code Climate.

@jan-cerny jan-cerny added this to the 0.1.75 milestone Nov 4, 2024
@jan-cerny jan-cerny merged commit d163e1a into ComplianceAsCode:master Nov 4, 2024
103 of 105 checks passed
@matusmarhefka matusmarhefka deleted the sebool_bootc branch November 4, 2024 12:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jan-cerny jan-cerny jan-cerny approved these changes

Assignees

@jan-cerny jan-cerny

Labels
Image Mode Bootable containers and Image Mode RHEL
Projects
None yet
Milestone
0.1.75
Development

Successfully merging this pull request may close these issues.
2 participants
@matusmarhefka @jan-cerny