action #104542

closed

[Tumbleweed][security] test fails in sestatus: sed does not disable apparmor

Added by dimstar over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Bugs in existing tests
Target version: -
Start date: 2021-12-31
Due date:
% Done: 100%
Estimated time: 8.00 h
Difficulty:

Description

Observation

openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-selinux@64bit fails in sestatus

Test suite description

Maintainer (Lily Zhao) llzhao@suse.com

Started with snapshot 1229, which was only a handful of yast changes, but they DID have relation to LSM/Selinux:

yast2-installation (4.4.30 -> 4.4.31)
yast2-schema (4.4.6 -> 4.4.7)
yast2-security (4.4.1 -> 4.4.3)

08:37 < teclator> I guess the problem with https://bugzilla.opensuse.org/show_bug.cgi?id=1194192 is in the test and the sed option... let me confirm, but 
                  if we check the grub defaults it probably contains lsm=apparmor
08:38 < teclator> DimStar: confirmed
08:38 < teclator> DimStar: see linuxI/boot/vmlinuz-5.15.8-1-default root=UUID=2cc68ef1-a0f0-44a2-86c0-ec4b2cc1f53a  ${extra_cmdline} splash=silent 
                  video=1024x768 plymouth.ignore-serial-consoles console=ttyS0 console=tty kernel.softlockup_panic=1 
                  resume=/dev/disk/by-uuid/e62e089b-ee86-4b21-855d-427e0bcc61af lsm=apparmor mitigations=auto security=selinux selinux=1 enforcing=0
08:38 < teclator> IechoI'Loading initial ramdisk ...'
08:40 < DimStar> teclator: ok, I expected something like that. prior to the yast change, lsm=apparmor was not there yet, right?
08:40 < teclator> we replaced security=X by lsm=X and we are now also specifying the apparmor security module
08:40 < teclator> DimStar: exactly
08:40 < teclator> DimStar: as it is compiled and enabled by default in the kernel it was not needed
08:40 < teclator> DimStar: but the idea is that we could even not enable it by default and do that through the installation
08:41 < teclator> DimStar: so the pattern could be removed and added only in case of selected 
08:43 < teclator> DimStar: you could replace lsm=apparmor by lsm=selinux selinux=1 enforcing=0 here 
                  https://openqa.opensuse.org/tests/2114514#step/sestatus/17

Reproducible

Fails since (at least) Build 20211229

Expected result

Last good: 20211228 (or more recent)

Further details

Always latest result in this scenario: latest
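
The mismatch discussed in the IRC log above, as an added example (not the openQA test's code and not part of the ticket): a rewrite that only targets `security=apparmor` leaves `lsm=apparmor` in place, while a rewrite that handles both selectors does not. The function names and sample command lines are constructed, and `legacy_rewrite` is an assumed shape, since the ticket does not show the test's actual sed expression.

```shell
#!/bin/sh
# Added example; command lines below are constructed, not taken from a real system.

# Assumed shape of a rewrite that only knows the legacy security= selector.
legacy_rewrite() {
    printf '%s\n' "$1" |
        sed -E 's/security=apparmor/security=selinux selinux=1 enforcing=0/'
}

# Rewrite that covers both security= and lsm= and can be applied repeatedly.
to_selinux_cmdline() {
    # Drop old selector/SELinux switches, then swap apparmor inside an lsm= list.
    out=$(printf '%s\n' "$1" | sed -E \
        -e 's/(^|[[:space:]])(security|selinux|enforcing)=[^[:space:]]*//g' \
        -e 's/(^|[[:space:]])(lsm=[^[:space:]]*)apparmor/\1\2selinux/')
    case " $out " in
        *" lsm="*) ;;                      # an lsm= list already exists
        *) out="$out lsm=selinux" ;;       # none present: add one
    esac
    printf '%s\n' "$out selinux=1 enforcing=0" |
        sed -E 's/[[:space:]]+/ /g; s/^ //; s/ $//'
}

# Succeeds only if the effective selector names selinux and not apparmor.
# The kernel ignores security= when lsm= is given, so lsm= is consulted first.
selects_selinux() {
    sel=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n -E 's/^lsm=//p' | tail -n 1)
    [ -n "$sel" ] ||
        sel=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n -E 's/^security=//p' | tail -n 1)
    case ",$sel," in
        *,apparmor,*) return 1 ;;
        *,selinux,*)  return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed inputs: old-style and new-style installer defaults.
OLD_STYLE='splash=silent security=apparmor mitigations=auto'
NEW_STYLE='splash=silent lsm=apparmor mitigations=auto'

for line in "$OLD_STYLE" "$NEW_STYLE"; do
    for fn in legacy_rewrite to_selinux_cmdline; do
        result=$($fn "$line")
        if selects_selinux "$result"; then verdict=selinux; else verdict=NOT-selinux; fi
        printf '%-20s %-12s %s\n' "$fn" "$verdict" "$result"
    done
done
```

A check like `selects_selinux` can run before the reboot step so that a leftover `lsm=apparmor` is reported at the rewrite, rather than surfacing later as a failed `sestatus`.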
