action #166613

open

Yast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot

Added by cahu 2 months ago. Updated 15 days ago.

Status: New
Priority: High
Assignee: -
Category: Bugs in existing tests
Target version: -
Start date: 2024-10-21
Due date:
% Done: 33%
Estimated time: (Total: 8.00 h)
Difficulty:
Description

The test failure in Staging:D (see below) is caused because we changed the default LSM selected in Yast from AppArmor to
SELinux, so this needs to be adapted in the openQA tests.
I started working on a fix, which currently fixes the concrete test case:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125
However, as @dimstar mentioned, upgrade scenarios are not covered, and since I am not an openQA test developer,
I struggle to understand which tests need further adaptation.

Could you have a look and show me which test cases need changes or create a fix?
Thanks a lot :)

Test failure report:

Observation

openQA test in scenario opensuse-Staging:D-Staging-DVD-x86_64-textmode@64bit fails in first_boot

Test suite description

Installation in textmode and selecting the textmode "desktop" during installation.

Reproducible

Fails since (at least) Build D.630.1 (current job)

Expected result

Last good: D.629.1 (or more recent)

Further details

Always latest result in this scenario: latest


Subtasks 9 (6 open, 3 closed)

  • action #167662: [security][tumbleweed] test fails in aa_enforce: audit 4.0 changes need adaption (Feedback, assignee: amanzini)
  • action #168445: [security][tumbleweed] audit 4: test fails in ausearch and aulastlog (In Progress, assignee: FSzekely)
  • action #168571: [security][tumbleweed] test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor (Rejected, 2024-10-21)
  • action #168574: [security] test fails in selinux_setup (Workable, 2024-10-21)
  • Containers and images - action #168577: [containers] test fails in kubectl helm_K3S - missing k3s-selinux or container-selinux (Feedback, assignee: rbranco, 2024-10-21)
  • action #168583: [qe-core] test fails in yast2_snapper_ncurses - test needs to use a directory in selinux directory (Feedback, assignee: rfan1, 2024-10-21)
  • action #168586: [qe-core] test fails in Sysctl (Resolved, assignee: dzedro, 2024-10-21)
  • action #168589: [qe-core] test fails in wireguard (Resolved, assignee: rfan1, 2024-10-21)
  • action #169591: [qe-core] Introduce selinux_* methods in version_utils (Feedback, assignee: vkatkalov, 2024-11-08)

Related issues 1 (1 open, 0 closed)

  • Related to Containers and images - action #168703: [MinimalVM] Ensure SELinux status is checked (Workable, 2024-10-22)

#1

Updated by dimstar 2 months ago

  • Tags set to future-technologies

#2

Updated by favogt about 2 months ago

Are there any details available why it fails in QA currently? FWICT there's just a massive hack to deal with selinux relabelling which will cause major issues later:

From main_common.pm:

        # SELinux relabel reboots, so grub needs to timeout
        set_var('KEEP_GRUB_TIMEOUT', 1) if check_var('VIRSH_VMM_TYPE', 'linux') || get_var('SELINUX');

Which means that openQA currently relies on the system booting automatically after a needed autorelabel, which won't work if e.g. disk encryption is enabled.

Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.

I also noticed that it tries to relabel /.snapshots ATM which is not great (https://openqa.opensuse.org/tests/4456186#step/first_boot/4)
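Picking up the KEEP_GRUB_TIMEOUT point above: whether the next boot will relabel and then reboot is something a test, or an operator, can check before relying on an unattended boot. The script below is an added example and not code from this ticket, from os-autoinst-distri-opensuse or from microos-tools. It assumes the classic trigger file /.autorelabel, the SELINUX= and SELINUXTYPE= keys in /etc/selinux/config, and treats a non-comment entry in /etc/crypttab as a sign that the boot will stop for a passphrase. It works on the live system ("/") or on an offline-mounted root given as the first argument.

```shell
#!/bin/sh
# Added example (not from the ticket, the openQA test suite or microos-tools).
# Inspect a root filesystem and answer the question behind the
# KEEP_GRUB_TIMEOUT workaround: will the next boot trigger a SELinux
# autorelabel, and if so, will the extra reboot the classic relabel design
# needs get stuck behind a LUKS passphrase prompt?
# Assumptions: trigger file is /.autorelabel; mode/policy come from
# /etc/selinux/config; a non-comment /etc/crypttab line means "encrypted".

# Print the SELINUX= mode from /etc/selinux/config; "disabled" when unset.
selinux_config_mode() {
    root="${1:-/}"
    mode=""
    if [ -r "$root/etc/selinux/config" ]; then
        mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' \
                   "$root/etc/selinux/config" | tail -n 1)
    fi
    printf '%s\n' "${mode:-disabled}"
}

# Print the SELINUXTYPE= policy name; empty when unset.
selinux_config_type() {
    root="${1:-/}"
    ptype=""
    if [ -r "$root/etc/selinux/config" ]; then
        ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' \
                    "$root/etc/selinux/config" | tail -n 1)
    fi
    printf '%s\n' "$ptype"
}

# Succeed when a full relabel has been requested for the next boot.
relabel_pending() {
    [ -e "${1:-/}/.autorelabel" ]
}

# Succeed when /etc/crypttab lists at least one volume (assumption: good
# enough proxy for "the boot will ask for a passphrase").
has_encrypted_volumes() {
    crypttab="${1:-/}/etc/crypttab"
    [ -r "$crypttab" ] && grep -q '^[[:space:]]*[^#[:space:]]' "$crypttab"
}

# One-word verdict for scripting:
#   ok              no relabel scheduled, or SELinux disabled
#   relabel-reboot  relabel scheduled; expect one extra automatic reboot
#   relabel-blocked relabel scheduled AND encrypted volumes: an unattended
#                   boot will stall at the passphrase prompt after relabel
selinux_boot_verdict() {
    root="${1:-/}"
    mode=$(selinux_config_mode "$root")
    if [ "$mode" = disabled ] || ! relabel_pending "$root"; then
        echo ok
    elif has_encrypted_volumes "$root"; then
        echo relabel-blocked
    else
        echo relabel-reboot
    fi
}

# Human-readable report. Exit status 0 for ok, 1 for relabel-reboot,
# 2 for relabel-blocked, so it can gate a test step or a deployment.
selinux_boot_report() {
    root="${1:-/}"
    verdict=$(selinux_boot_verdict "$root")
    printf 'root=%s mode=%s policy=%s relabel_pending=%s encrypted=%s verdict=%s\n' \
        "$root" "$(selinux_config_mode "$root")" "$(selinux_config_type "$root")" \
        "$(relabel_pending "$root" && echo yes || echo no)" \
        "$(has_encrypted_volumes "$root" && echo yes || echo no)" \
        "$verdict"
    case "$verdict" in
        ok) return 0 ;;
        relabel-reboot) return 1 ;;
        *) return 2 ;;
    esac
}

# Report on "/" or on the root passed as first argument when run directly.
selinux_boot_report "${1:-/}" || :
```

Exit status 2 (relabel-blocked) is exactly the case described above: after the relabel the machine reboots and then waits for a passphrase, so a test that relies on KEEP_GRUB_TIMEOUT alone hangs. With relabelling done inside the initrd there is no second boot to wait for, which is why the workaround becomes unnecessary.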

#3

Updated by favogt about 2 months ago

Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.

PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33

#4

Updated by favogt about 2 months ago

favogt wrote in #note-3:

> Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.
>
> PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33

Looks like that works, cryptlvm passes! https://openqa.opensuse.org/tests/overview?version=Staging%3AD&build=D.638.3&distri=opensuse&groupid=2

The autoyast_mini failure looks like a SELinux issue, maybe the policy doesn't work for YaST2-Second-Stage.service.

The yast2_users-staging failure should disappear with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125.

My proposal for the next steps:

  1. Investigate and fix the autoyast_mini failure in Staging:D
  2. Replace the selinux-autorelabel package with the microos-tools PR, independent of Staging:D
  3. Drop the KEEP_GRUB_TIMEOUT hack for the SELINUX=1 case for Tumbleweed, no longer needed after step 2.
  4. Add SELINUX=0 to TW upgrade tests
  5. Build a TW product DVD to inject the new control.xml and start a TW test run with SELINUX=1 in openQA.
  6. Once ^ looks good, merge the QA PR to set SELINUX=1 in TW (or maybe adjust the medium type?), then accept the green staging with the skelcd change.
  7. Add some tests to TW that explicitly enable AppArmor

#5

Updated by favogt about 1 month ago

favogt wrote in #note-4:

> favogt wrote in #note-3:
>
> > Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.
> >
> > PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33
>
> Looks like that works, cryptlvm passes! https://openqa.opensuse.org/tests/overview?version=Staging%3AD&build=D.638.3&distri=opensuse&groupid=2
>
> The autoyast_mini failure looks like a SELinux issue, maybe the policy doesn't work for YaST2-Second-Stage.service.

Got fixed.

> The yast2_users-staging failure should disappear with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125.

Worked.

> My proposal for the next steps:
>
>   1. Investigate and fix the autoyast_mini failure in Staging:D

Done.

>   2. Replace the selinux-autorelabel package with the microos-tools PR, independent of Staging:D

Done.

>   3. Drop the KEEP_GRUB_TIMEOUT hack for the SELINUX=1 case for Tumbleweed, no longer needed after step 2.
>   4. Add SELINUX=0 to TW upgrade tests

3+4 weren't necessary - with the different autorelabel design the tests don't actually need SELINUX=1, so no SELINUX=0 needed either.

>   5. Build a TW product DVD to inject the new control.xml and start a TW test run with SELINUX=1 in openQA.

Done: https://openqa.opensuse.org/tests/overview?distri=opensuse&version=Tumbleweed&build=20241008-SELinux&groupid=1.

@cahu went through the failures and added them as blockers to the tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1230118

>   6. Once ^ looks good, merge the QA PR to set SELINUX=1 in TW (or maybe adjust the medium type?), then accept the green staging with the skelcd change.

Change: Maybe SELINUX=1 isn't necessary.

>   7. Add some tests to TW that explicitly enable AppArmor

#6

Updated by szarate about 1 month ago

  • Subtask #168583 added

#7

Updated by szarate about 1 month ago

  • Subtask #168577 added

#8

Updated by szarate about 1 month ago

  • Subtask #168574 added

#9

Updated by szarate about 1 month ago

  • Subtask #167662 added

#10

Updated by szarate about 1 month ago

  • Subtask #168445 added

#11

Updated by szarate about 1 month ago

  • Subtask #168571 added

#12

Updated by szarate about 1 month ago

  • Subtask #168586 added

#13

Updated by szarate about 1 month ago

  • Subtask #168589 added

#14

Updated by ph03nix about 1 month ago

  • Related to action #168703: [MinimalVM] Ensure SELinux status is checked added

#15

Updated by szarate 15 days ago

  • Subtask #169591 added