action #166613

open

Yast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot

Added by cahu 5 months ago. Updated about 23 hours ago.

Status:
New
Priority:
High
Assignee:
-
Category:
Bugs in existing tests
Target version:
-
Start date:
2024-10-21
Due date:
% Done:

60%

Estimated time:
(Total: 40.00 h)
Difficulty:

Description

The test failure in Staging:D (see below) is caused by the change of the default LSM selected in Yast from AppArmor to
SELinux, so this needs to be adapted in the openQA tests.
I started working on a fix, which currently fixes the concrete test case:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125
However, as @dimstar mentioned, upgrade scenarios are not covered, and since I am not an openQA test developer,
I struggle to understand which tests need further adaptation.

Could you have a look and show me which test cases need changes or create a fix?
Thanks a lot :)

Test failure report:

Observation

openQA test in scenario opensuse-Staging:D-Staging-DVD-x86_64-textmode@64bit fails in
first_boot

Test suite description

Installation in textmode and selecting the textmode "desktop" during installation.

Reproducible

Fails since (at least) Build D.630.1 (current job)

Expected result

Last good: D.629.1 (or more recent)

Further details

Always latest result in this scenario: latest


Subtasks 23 (10 open, 13 closed)

action #167662: [security][tumbleweed] test fails in aa_enforce: audit 4.0 changes need adaption (Resolved, amanzini)
action #168445: [security][tumbleweed] audit 4: test fails in ausearch and aulastlog (In Progress, FSzekely)
action #168571: [security][tumbleweed] test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor (Workable, 2024-10-21)
action #168574: [security] test fails in selinux_setup (Resolved, amanzini, 2024-10-21)
Containers and images - action #168577: [containers] test fails in kubectl helm_K3S - missing k3s-selinux or container-selinux (Resolved, rbranco, 2024-10-21)
action #168583: [qe-core] test fails in yast2_snapper_ncurses - test needs to use a directory in selinux directory (Resolved, rfan1, 2024-10-21)
action #168586: [qe-core] test fails in Sysctl (Workable, dzedro, 2024-10-21)
action #168589: [qe-core] test fails in wireguard (Resolved, rfan1, 2024-10-21)
Containers and images - action #168682: [Containers] Establish AppArmor and SELinux test runs on Tumbleweed (Resolved, rbranco, 2024-10-22)
action #169591: [qe-core] Introduce selinux_* methods in version_utils (Resolved, vkatkalov, 2024-11-08)
action #170461: test fails in wpa_supplicant (New, 2024-11-28)
action #170467: [qe-core] test fails in vsftpd (Workable, 2024-11-28)
action #173638: [security][tumbleweed] Test also 'targeted' selinux policy on Tumbleweed (Resolved, favogt)
action #175320: [security][tumbleweed] sestatus does not use has_selinux and fails on selinux enabled tumbleweed build (Resolved, favogt)
action #175329: test fails in openqa_bootstrap (New, 2025-01-13)
action #175338: test fails in quota (New, 2025-01-13)
action #175401: test fails in mutt (New, 2025-01-14)
Containers and images - action #175419: [MinimalVM] Prepare for switch to SELinux as default MAC in Tumbleweed (Blocked, rbranco, 2025-01-14)
action #175497: test fails in boot_into_snapshot (Resolved, favogt, 2025-01-15)
action #175839: test fails in cifs (Resolved, favogt, 2025-01-20)
action #175890: test fails in rsync_client (Resolved, favogt, 2025-01-21)
action #175965: test fails in vnc_two_passwords (Resolved, favogt, 2025-01-22)
action #176667: delete test yast2_nfs_client (In Progress, cvidot, 2025-02-06)

Related issues 1 (0 open, 1 closed)

Related to Containers and images - action #168703: [MinimalVM] Ensure SELinux status is checked (Resolved, rmarliere, 2024-10-22)

Actions #1

Updated by dimstar 5 months ago

  • Tags set to future-technologies
Actions #2

Updated by favogt 5 months ago

Are there any details available why it fails in QA currently? FWICT there's just a massive hack to deal with selinux relabelling which will cause major issues later:

From main_common.pm:

        # SELinux relabel reboots, so grub needs to timeout
        set_var('KEEP_GRUB_TIMEOUT', 1) if check_var('VIRSH_VMM_TYPE', 'linux') || get_var('SELINUX');

Which means that openQA currently relies on the system booting automatically after a needed autorelabel, which won't work if e.g. disk encryption is enabled.

Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.

I also noticed that it tries to relabel /.snapshots ATM which is not great (https://openqa.opensuse.org/tests/4456186#step/first_boot/4)

Actions #3

Updated by favogt 4 months ago

Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.

PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33

Actions #4

Updated by favogt 4 months ago

favogt wrote in #note-3:

Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.

PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33

Looks like that works, cryptlvm passes! https://openqa.opensuse.org/tests/overview?version=Staging%3AD&build=D.638.3&distri=opensuse&groupid=2

The autoyast_mini failure looks like a SELinux issue, maybe the policy doesn't work for YaST2-Second-Stage.service.

The yast2_users-staging failure should disappear with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125.

My proposal for the next steps:

  1. Investigate and fix the autoyast_mini failure in Staging:D
  2. Replace the selinux-autorelabel package with the microos-tools PR, independent of Staging:D
  3. Drop the KEEP_GRUB_TIMEOUT hack for the SELINUX=1 case for Tumbleweed, no longer needed after step 2.
  4. Add SELINUX=0 to TW upgrade tests
  5. Build a TW product DVD to inject the new control.xml and start a TW test run with SELINUX=1 in openQA.
  6. Once ^ looks good, merge the QA PR to set SELINUX=1 in TW (or maybe adjust the medium type?), then accept the green staging with the skelcd change.
  7. Add some tests to TW that explicitly enable AppArmor
Actions #5

Updated by favogt 4 months ago

favogt wrote in #note-4:

favogt wrote in #note-3:

Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.

PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33

Looks like that works, cryptlvm passes! https://openqa.opensuse.org/tests/overview?version=Staging%3AD&build=D.638.3&distri=opensuse&groupid=2

The autoyast_mini failure looks like a SELinux issue, maybe the policy doesn't work for YaST2-Second-Stage.service.

Got fixed.

The yast2_users-staging failure should disappear with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125.

Worked.

My proposal for the next steps:

  1. Investigate and fix the autoyast_mini failure in Staging:D

Done.

  2. Replace the selinux-autorelabel package with the microos-tools PR, independent of Staging:D

Done.

  3. Drop the KEEP_GRUB_TIMEOUT hack for the SELINUX=1 case for Tumbleweed, no longer needed after step 2.
  4. Add SELINUX=0 to TW upgrade tests

3+4 weren't necessary - with the different autorelabel design the tests don't actually need SELINUX=1, so no SELINUX=0 needed either.

  5. Build a TW product DVD to inject the new control.xml and start a TW test run with SELINUX=1 in openQA.

Done: https://openqa.opensuse.org/tests/overview?distri=opensuse&version=Tumbleweed&build=20241008-SELinux&groupid=1.

@cahu went through the failures and added them as blockers to the tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1230118

  6. Once ^ looks good, merge the QA PR to set SELINUX=1 in TW (or maybe adjust the medium type?), then accept the green staging with the skelcd change.

Change: Maybe SELINUX=1 isn't necessary.

  7. Add some tests to TW that explicitly enable AppArmor
Actions #6

Updated by szarate 4 months ago

  • Subtask #168583 added
Actions #7

Updated by szarate 4 months ago

  • Subtask #168577 added
Actions #8

Updated by szarate 4 months ago

  • Subtask #168574 added
Actions #9

Updated by szarate 4 months ago

  • Subtask #167662 added
Actions #10

Updated by szarate 4 months ago

  • Subtask #168445 added
Actions #11

Updated by szarate 4 months ago

  • Subtask #168571 added
Actions #12

Updated by szarate 4 months ago

  • Subtask #168586 added
Actions #13

Updated by szarate 4 months ago

  • Subtask #168589 added
Actions #14

Updated by ph03nix 4 months ago

  • Related to action #168703: [MinimalVM] Ensure SELinux status is checked added
Actions #15

Updated by szarate 3 months ago

  • Subtask #169591 added
Actions #16

Updated by cahu 2 months ago

  • Subtask #168682 added
Actions #17

Updated by cahu 2 months ago

  • Subtask #170461 added
Actions #18

Updated by cahu 2 months ago

  • Subtask #170467 added
Actions #19

Updated by cahu 2 months ago

  • Subtask #173638 added
Actions #20

Updated by cahu 25 days ago

  • Subtask #175320 added
Actions #21

Updated by cahu 25 days ago

  • Subtask #175329 added
Actions #22

Updated by cahu 25 days ago

  • Subtask #175338 added
Actions #23

Updated by cahu 24 days ago

  • Subtask #175401 added
Actions #24

Updated by cahu 23 days ago

  • Subtask #175497 added
Actions #25

Updated by cahu 18 days ago

  • Subtask #175839 added
Actions #26

Updated by cahu 17 days ago

  • Subtask #175890 added
Actions #27

Updated by cahu 16 days ago

  • Subtask #175965 added
Actions #29

Updated by ph03nix 2 days ago · Edited

In https://confluence.suse.com/display/~ph03nix/Tumbleweed+SELinux+migration I tried to come up with a convention for which openQA settings we should use to differentiate between AppArmor and SELinux in use as MAC.

In essence there are two settings to be used: SECURITY_MAC and SECURITY_TEST. I selected those because they are already heavily used in the SELinux context and elsewhere as well.

SECURITY_MAC defines the default Linux kernel security module and can be either selinux or apparmor. SECURITY_TEST defines which openQA test modules to load and can be (among others) also apparmor and selinux.

The Tumbleweed test runs should be prepared in such a way that AppArmor test runs would also accept SECURITY_MAC=selinux and SELinux test runs would also accept SECURITY_MAC=apparmor. In the case that e.g. SECURITY_MAC=selinux but SECURITY_TEST=apparmor, the test module should disable SELinux and install AppArmor instead.
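
As an added illustration of the SECURITY_MAC / SECURITY_TEST convention above (example code, not from os-autoinst-distri-opensuse or the Confluence page), the following POSIX shell functions decide what a test module should do for each combination of the two settings and verify SECURITY_MAC against the LSM list the booted kernel reports. The function names, the action labels and the sample LSM list are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from os-autoinst-distri-opensuse: it models the
# SECURITY_MAC / SECURITY_TEST convention described above and checks the
# chosen MAC against what the booted kernel actually activated.

# active_mac LSM_LIST
# LSM_LIST is the comma-separated content of /sys/kernel/security/lsm, passed
# as an argument so the function also runs where that file is absent.
# Prints the major MAC the kernel activated: selinux, apparmor or none.
active_mac() {
    case ",$1," in
        *,selinux,*)  echo selinux ;;
        *,apparmor,*) echo apparmor ;;
        *)            echo none ;;
    esac
}

# mac_action SECURITY_MAC SECURITY_TEST
# Prints what a test module should do for this combination (labels assumed):
#   keep            installed MAC already matches the requested test
#   switch-apparmor SELinux installed but AppArmor tests requested
#   switch-selinux  AppArmor installed but SELinux tests requested
#   skip            SECURITY_TEST is not a MAC test, nothing to change
#   invalid         SECURITY_MAC is neither selinux nor apparmor
mac_action() {
    mac=$1; want=$2
    case "$mac" in
        selinux|apparmor) ;;
        *) echo invalid; return 0 ;;
    esac
    case "$want" in
        selinux|apparmor) ;;
        *) echo skip; return 0 ;;
    esac
    if [ "$mac" = "$want" ]; then echo keep; else echo "switch-$want"; fi
}

# verify_mac SECURITY_MAC LSM_LIST
# Returns 0 when the kernel's active MAC matches the setting, 1 otherwise;
# a test module can call this before relying on SECURITY_MAC.
verify_mac() {
    [ "$(active_mac "$2")" = "$1" ]
}

# Constructed sample values, not captured from a real Tumbleweed system.
if [ "${1:-}" = demo ]; then
    lsm="lockdown,capability,landlock,yama,bpf,selinux"
    verify_mac selinux "$lsm" && echo "active MAC matches SECURITY_MAC=selinux"
    echo "selinux/apparmor -> $(mac_action selinux apparmor)"
fi
```

Run with `sh script.sh demo` to see the sample decision; on a real system the LSM list can be read with `cat /sys/kernel/security/lsm`.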

Actions #30

Updated by ph03nix 2 days ago

  • Subtask #175419 added
Actions #33

Updated by cahu about 23 hours ago

  • Subtask #176667 added