action #104542
closed[Tumbleweed][security] test fails in sestatus: sed does not disabled apparmor
100%
Description
Observation¶
openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-selinux@64bit fails in
sestatus
Test suite description¶
Maintainer (Lily Zhao) llzhao@suse.com
(Started with snapshot 1229, which was only a handful of yast changes, but they DID have relation to LSM/Selinux:
yast2-installation (4.4.30 -> 4.4.31)
yast2-schema (4.4.6 -> 4.4.7)
yast2-security (4.4.1 -> 4.4.3)
08:37 < teclator> I guess the problem with https://bugzilla.opensuse.org/show_bug.cgi?id=1194192 is in the test and the sed option... let me confirm, but
if we check the grub defaults it probably contains lsm=apparmor
08:38 < teclator> DimStar: confirmed
08:38 < teclator> DimStar: see linuxI/boot/vmlinuz-5.15.8-1-default root=UUID=2cc68ef1-a0f0-44a2-86c0-ec4b2cc1f53a ${extra_cmdline} splash=silent
video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1
resume=/dev/disk/by-uuid/e62e089b-ee86-4b21-855d-427e0bcc61af lsm=apparmor mitigations=auto security=selinux selinux=1 enforcing=0
08:38 < teclator> IechoI'Loading initial ramdisk ...'
08:40 < DimStar> teclator: ok, I expected something like that. prior to the yast change, lsm=apparmor was not there yet, right?
08:40 < teclator> we replaced security=X by lsm=X and we are now also specifying the apparmor security module
08:40 < teclator> DimStar: exactly
08:40 < teclator> DimStar: as it is compiled and enabled by default in the kernel it was not needed
08:40 < teclator> DimStar: but the idea is that we could even not enabled it by default and do that through the installation
08:41 < teclator> DimStar: so the pattern could be removed and added only in case of selected
08:43 < teclator> DimStar: you could replace lsm=apparmor by lsm=selinux selinux=1 enforcing=0 here
https://openqa.opensuse.org/tests/2114514#step/sestatus/17
Reproducible¶
Fails since (at least) Build 20211229
Expected result¶
Last good: 20211228 (or more recent)
Further details¶
Always latest result in this scenario: latest
Updated by llzhao over 2 years ago
- Subject changed from test fails in sestatus: sed does not disabled apparmor to [Tumbleweed][security] test fails in sestatus: sed does not disabled apparmor
- Assignee set to llzhao
- Estimated time set to 8.00 h
Updated by llzhao over 2 years ago
See more info in: https://openqa.opensuse.org/tests/2122051/logfile?filename=serial0.txt
[ 0.019322][ T0] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.15.12-1-default root=UUID=a59706e3-1eea-4fee-a4e7-26c283dba7dc splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/f7f2c6d8-0be0-419c-87e0-bcabe8b4f2ce lsm=apparmor mitigations=auto security=selinux selinux=1 enforcing=0
...
[ 0.155214][ T0] LSM: Security Framework initializing
[ 0.157390][ T0] LSM: security= is ignored because it is superseded by lsm=
[ 0.158296][ T0] AppArmor: AppArmor initialized
Updated by llzhao over 2 years ago
- % Done changed from 0 to 90
Updated by llzhao over 2 years ago
- Status changed from In Progress to Resolved
- % Done changed from 90 to 100
PR merged and VRs are good:
https://openqa.suse.de/tests/7943039#step/selinux_setup/126
https://openqa.opensuse.org/tests/2123041#