Disable unix-chkpwd AppArmor profile

jsf9k · jsf9k · commit 3e3ea4c77b73 · 2025-01-22T11:59:10.000-05:00
This is necessary when running Molecule tests against Fedora 40 and 41; otherwise, the privileged container cannot successfully sudo and hence Ansible is unable to do anything. Note that this change is reverted after the Molecule tests are run. For now, disabling the unix-chkpwd AppArmor profile also requires an apt-get purge of the firefox and passt packages. It should be possible to remove this purge (and the ensuing systemctl reload apparmor.service) at a future date. See #215 for more details.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -238,11 +238,43 @@ jobs:
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      # Disabling the unix-chkpwd AppArmor profile is necessary when
+      # running Molecule tests against Fedora 40 and 41; otherwise,
+      # the privileged container cannot successfully run sudo and
+      # hence Ansible is unable to do anything.  See
+      # fedora-cloud/docker-brew-fedora#117 for more details.
+      #
+      # Purging firefox is currently necessary because the
+      # installation available on the GitHub runner instance provides
+      # two conflicting AppArmor profiles:
+      # /etc/apparmor.d/usr.bin.firefox and /etc/apparmor.d/firefox.
+      # This conflict causes the aa-disable /usr/sbin/unix_chkpwd
+      # command to fail.
+      #
+      # Purging passt is currently necessary because the installation
+      # available on the GitHub runner instance contains a wonky
+      # AppArmor file (/etc/apparmor.d/abstractions/passt) that causes
+      # the aa-disable command to fail.
+      #
+      # TODO: Remove the apt-get purge and systemctl reload commands
+      # when possible.  See cisagov/skeleton-ansible-role#215 for more
+      # details.
+      - name: Disable unix-chkpwd AppArmor profile
+        run: |
+          sudo apt-get purge firefox passt
+          sudo systemctl reload apparmor.service
+          sudo apt-get install apparmor-utils
+          sudo aa-disable /usr/sbin/unix_chkpwd
+        if: ${{ startsWith(matrix.platform, 'fedora') }}
       - name: Run molecule tests
         run: >-
           molecule test
           --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
           --scenario-name ${{ matrix.scenario }}
+      - name: Re-enable unix-chkpwd AppArmor profile
+        run: >-
+          sudo aa-enforce /usr/sbin/unix_chkpwd
+        if: ${{ startsWith(matrix.platform, 'fedora') }}
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
