action #166613
openYast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot
Description
The test failure in Staging:D (see below) is caused because we changed the default LSM selected in Yast from AppArmor to
SELinux, so this needs to be adapted in the openQA tests.
I started working on a fix, which fixes the concrete test case currently:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125
However, as @dimstar mentioned, upgrade scenarios are not covered, and since I am not an openQA test developer,
I struggle to understand which tests need further adaptation.
Could you have a look and show me which test cases need changes or create a fix?
Thanks a lot :)
Test failure report:
Observation
openQA test in scenario opensuse-Staging:D-Staging-DVD-x86_64-textmode@64bit fails in first_boot
Test suite description
Installation in textmode and selecting the textmode "desktop" during installation.
Reproducible
Fails since (at least) Build D.630.1 (current job)
Expected result
Last good: D.629.1 (or more recent)
Further details
Always latest result in this scenario: latest
Updated by favogt about 2 months ago
Are there any details available why it fails in QA currently? FWICT there's just a massive hack to deal with selinux relabelling which will cause major issues later:
From main_common.pm:
# SELinux relabel reboots, so grub needs to timeout
set_var('KEEP_GRUB_TIMEOUT', 1) if check_var('VIRSH_VMM_TYPE', 'linux') || get_var('SELINUX');
Which means that openQA currently relies on the system booting automatically after a needed autorelabel, which won't work if e.g. disk encryption is enabled.
Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.
I also noticed that it tries to relabel /.snapshots ATM which is not great (https://openqa.opensuse.org/tests/4456186#step/first_boot/4)
Updated by favogt about 2 months ago
Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.
PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33
Updated by favogt about 2 months ago
favogt wrote in #note-3:
Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.
PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33
Looks like that works, cryptlvm passes! https://openqa.opensuse.org/tests/overview?version=Staging%3AD&build=D.638.3&distri=opensuse&groupid=2
The autoyast_mini failure looks like a SELinux issue, maybe the policy doesn't work for YaST2-Second-Stage.service.
The yast2_users-staging failure should disappear with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125.
My proposal for the next steps:
- Investigate and fix the autoyast_mini failure in Staging:D
- Replace the selinux-autorelabel package with the microos-tools PR, independent of Staging:D
- Drop the KEEP_GRUB_TIMEOUT hack for the SELINUX=1 case for Tumbleweed, no longer needed after step 2.
- Add SELINUX=0 to TW upgrade tests
- Build a TW product DVD to inject the new control.xml and start a TW test run with SELINUX=1 in openQA.
- Once ^ looks good, merge the QA PR to set SELINUX=1 in TW (or maybe adjust the medium type?), then accept the green staging with the skelcd change.
- Add some tests to TW that explicitly enable AppArmor
Updated by favogt about 1 month ago
favogt wrote in #note-4:
favogt wrote in #note-3:
Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.
PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33
Looks like that works, cryptlvm passes! https://openqa.opensuse.org/tests/overview?version=Staging%3AD&build=D.638.3&distri=opensuse&groupid=2
The autoyast_mini failure looks like a SELinux issue, maybe the policy doesn't work for YaST2-Second-Stage.service.
Got fixed.
The yast2_users-staging failure should disappear with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125.
Worked.
My proposal for the next steps:
- Investigate and fix the autoyast_mini failure in Staging:D
Done.
- Replace the selinux-autorelabel package with the microos-tools PR, independent of Staging:D
Done.
- Drop the KEEP_GRUB_TIMEOUT hack for the SELINUX=1 case for Tumbleweed, no longer needed after step 2.
- Add SELINUX=0 to TW upgrade tests
3+4 weren't necessary - with the different autorelabel design the tests don't actually need SELINUX=1, so no SELINUX=0 needed either.
- Build a TW product DVD to inject the new control.xml and start a TW test run with SELINUX=1 in openQA.
@cahu went through the failures and added them as blockers to the tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1230118
- Once ^ looks good, merge the QA PR to set SELINUX=1 in TW (or maybe adjust the medium type?), then accept the green staging with the skelcd change.
Change: Maybe SELINUX=1 isn't necessary.
- Add some tests to TW that explicitly enable AppArmor
Updated by ph03nix 29 days ago
- Related to action #168703: [MinimalVM] Ensure SELinux status is checked added