Merge pull request #216 from cisagov/bugfix/disable-unix-chkpwd-apparmor-profile

jsf9k · web-flow · commit de58d6e8a5de · 2025-01-24T01:05:56.000Z
Disable `unix-chkpwd` AppArmor profile
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -238,11 +238,46 @@ jobs:
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      # Disabling the unix-chkpwd AppArmor profile is necessary when
+      # running Molecule tests against Fedora 40 and 41; otherwise,
+      # the privileged container cannot successfully run sudo and
+      # hence Ansible is unable to do anything.  See
+      # fedora-cloud/docker-brew-fedora#117 for more details.
+      #
+      # Purging firefox is currently necessary because the
+      # installation available on the GitHub runner instance provides
+      # two conflicting AppArmor profiles:
+      # /etc/apparmor.d/usr.bin.firefox and /etc/apparmor.d/firefox.
+      # This conflict causes the aa-disable /usr/sbin/unix_chkpwd
+      # command to fail.
+      #
+      # Purging passt is currently necessary because the installation
+      # available on the GitHub runner instance contains a wonky
+      # AppArmor file (/etc/apparmor.d/abstractions/passt) that causes
+      # the aa-disable command to fail.
+      #
+      # TODO: Remove the apt-get purge and systemctl reload commands
+      # when possible.  See cisagov/skeleton-ansible-role#215 for more
+      # details.
+      - name: Disable unix-chkpwd AppArmor profile
+        run: |
+          sudo apt-get purge firefox passt
+          sudo systemctl reload apparmor.service
+          sudo apt-get install apparmor-utils
+          sudo aa-disable /usr/sbin/unix_chkpwd
+        if: ${{ startsWith(matrix.platform, 'fedora') }}
       - name: Run molecule tests
         run: >-
           molecule test
           --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
           --scenario-name ${{ matrix.scenario }}
+      # TODO: Remove the apt-get install command when possible.  See
+      # cisagov/skeleton-ansible-role#215 for more details.
+      - name: Re-enable unix-chkpwd AppArmor profile
+        run: |
+          sudo aa-enforce /usr/sbin/unix_chkpwd
+          sudo apt-get install firefox passt
+        if: ${{ startsWith(matrix.platform, 'fedora') }}
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
