Disable unix-chkpwd AppArmor profile

This is necessary when running Molecule tests against Fedora 40 and 41; otherwise, the privileged container cannot successfully sudo and hence Ansible is unable to do anything. Note that this change is reverted after the Molecule tests are run.
cisagov · Jan 21, 2025 · 51498c9 · 51498c9
1 parent e940403
commit 51498c9
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -238,11 +238,32 @@ jobs:
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+      # Disabling the unix-chkpwd AppArmor profile is necessary when
+      # running Molecule tests against Fedora 40 and 41; otherwise,
+      # the privileged container cannot successfully run sudo and
+      # hence Ansible is unable to do anything.  See
+      # fedora-cloud/docker-brew-fedora#117 for more details.
+      #
+      # Removing passt is currently necessary because the installation
+      # available on the GitHub runner instance contains a wonky
+      # AppArmor file (/etc/apparmor.d/abstractions/passt) that causes
+      # the aa-disable command to fail.
+      - name: Disable unix-chkpwd AppArmor profile
+        run: |
+          sudo apt-get remove passt
+          sudo systemctl reload apparmor.service
+          sudo apt-get install apparmor-utils
+          sudo aa-disable /usr/sbin/unix_chkpwd
+        if: ${{ startsWith(matrix.platform, 'fedora') }}
       - name: Run molecule tests
         run: >-
           molecule test
           --platform-name ${{ matrix.platform }}-${{ matrix.architecture }}
           --scenario-name ${{ matrix.scenario }}
+      - name: Re-enable unix-chkpwd AppArmor profile
+        run: >-
+          sudo aa-enforce /usr/sbin/unix_chkpwd
+        if: ${{ startsWith(matrix.platform, 'fedora') }}
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE