Project

General

Profile

action #104542

[Tumbleweed][security] test fails in sestatus: sed does not disabled apparmor

Added by dimstar about 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
llzhao
Category:
Bugs in existing tests
Target version:
-
Start date:
2021-12-31
Due date:
% Done:

100%

Estimated time:
8.00 h
Difficulty:

Description

Observation

openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-selinux@64bit fails in
sestatus

Test suite description

Maintainer (Lily Zhao) llzhao@suse.com

(Started with snapshot 1229, which was only a handful of yast changes, but they DID have relation to LSM/Selinux:

yast2-installation (4.4.30 -> 4.4.31)
yast2-schema (4.4.6 -> 4.4.7)
yast2-security (4.4.1 -> 4.4.3)

08:37 < teclator> I guess the problem with https://bugzilla.opensuse.org/show_bug.cgi?id=1194192 is in the test and the sed option... let me confirm, but 
                  if we check the grub defaults it probably contains lsm=apparmor
08:38 < teclator> DimStar: confirmed
08:38 < teclator> DimStar: see linuxI/boot/vmlinuz-5.15.8-1-default root=UUID=2cc68ef1-a0f0-44a2-86c0-ec4b2cc1f53a  ${extra_cmdline} splash=silent 
                  video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 
                  resume=/dev/disk/by-uuid/e62e089b-ee86-4b21-855d-427e0bcc61af lsm=apparmor mitigations=auto security=selinux selinux=1 enforcing=0
08:38 < teclator> IechoI'Loading initial ramdisk ...'
08:40 < DimStar> teclator: ok, I expected something like that. prior to the yast change, lsm=apparmor was not there yet, right?
08:40 < teclator> we replaced security=X by lsm=X and we are now also specifying the apparmor security module
08:40 < teclator> DimStar: exactly
08:40 < teclator> DimStar: as it is compiled and enabled by default in the kernel it was not needed
08:40 < teclator> DimStar: but the idea is that we could even not enabled it by default and do that through the installation
08:41 < teclator> DimStar: so the pattern could be removed and added only in case of selected 
08:43 < teclator> DimStar: you could replace lsm=apparmor by lsm=selinux selinux=1 enforcing=0 here 
                  https://openqa.opensuse.org/tests/2114514#step/sestatus/17

Reproducible

Fails since (at least) Build 20211229

Expected result

Last good: 20211228 (or more recent)

Further details

Always latest result in this scenario: latest

History

#1 Updated by llzhao about 1 year ago

  • Subject changed from test fails in sestatus: sed does not disabled apparmor to [Tumbleweed][security] test fails in sestatus: sed does not disabled apparmor
  • Assignee set to llzhao
  • Estimated time set to 8.00 h

#2 Updated by llzhao about 1 year ago

See more info in: https://openqa.opensuse.org/tests/2122051/logfile?filename=serial0.txt

[ 0.019322][ T0] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-5.15.12-1-default root=UUID=a59706e3-1eea-4fee-a4e7-26c283dba7dc splash=silent video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 resume=/dev/disk/by-uuid/f7f2c6d8-0be0-419c-87e0-bcabe8b4f2ce lsm=apparmor mitigations=auto security=selinux selinux=1 enforcing=0

...
[ 0.155214][ T0] LSM: Security Framework initializing
[ 0.157390][ T0] LSM: security= is ignored because it is superseded by lsm=
[ 0.158296][ T0] AppArmor: AppArmor initialized

#3 Updated by llzhao about 1 year ago

  • Status changed from New to In Progress

#4 Updated by llzhao about 1 year ago

  • % Done changed from 0 to 90

#5 Updated by llzhao about 1 year ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

Also available in: Atom PDF