action #166613
open
Yast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot
Added by cahu 2 months ago.
Updated 13 days ago.
Category:
Bugs in existing tests
Estimated time:
(Total: 8.00 h)
Description
The test failure in Staging:D (see below) is caused because we changed the default LSM selected in Yast from AppArmor to
SELinux, so this needs to be adapted in the openQA tests.
I started working on a fix, which fixes the concrete test case currently:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125
However, as @dimstar mentioned upgrade scenarios are not covered and since I am not a openQA test developer,
I struggle to understand which tests needs further adaptation.
Could you have a look and show me which test cases need changes or create a fix?
Thanks a lot :)
Test failure report:
Observation¶
openQA test in scenario opensuse-Staging:D-Staging-DVD-x86_64-textmode@64bit fails in
first_boot
Test suite description¶
Installation in textmode and selecting the textmode "desktop" during installation.
Reproducible¶
Fails since (at least) Build D.630.1 (current job)
Expected result¶
Last good: D.629.1 (or more recent)
Further details¶
Always latest result in this scenario: latest
Related issues
1 (1 open — 0 closed)
- Tags set to future-technologies
Are there any details available why it fails in QA currently? FWICT there's just a massive hack to deal with selinux relabelling which will cause major issues later:
From main_common.pm:
# SELinux relabel reboots, so grub needs to timeout
set_var('KEEP_GRUB_TIMEOUT', 1) if check_var('VIRSH_VMM_TYPE', 'linux') || get_var('SELINUX');
Which means that openQA currently relies on the system booting automatically after a needed autorelabel which won't work if e.g. disk encryption is enabled
Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.
I also noticed that it tries to relabel /.snapshots ATM which is not great (https://openqa.opensuse.org/tests/4456186#step/first_boot/4)
Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.
PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33
favogt wrote in #note-3:
Would it be possible to perform relabelling in the initrd and not reboot? That way QA wouldn't need such hacks and enabling it would be trivial.
PoC for using the microos-tools relabelling mechanism on TW as well: https://github.com/openSUSE/microos-tools/pull/33
Looks like that works, cryptlvm passes! https://openqa.opensuse.org/tests/overview?version=Staging%3AD&build=D.638.3&distri=opensuse&groupid=2
The autoyast_mini failure looks like a SELinux issue, maybe the policy doesn't work for YaST2-Second-Stage.service.
The yast2_users-staging failure should disappear with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125.
My proposal for the next steps:
- Investigate and fix the autoyast_mini failure in Staging:D
- Replace the selinux-autorelabel package with the microos-tools PR, independent of Staging:D
- Drop the
KEEP_GRUB_TIMEOUT hack for the SELINUX=1 case for Tumbleweed, no longer needed after step 2.
- Add
SELINUX=0 to TW upgrade tests
- Build a TW product DVD to inject the new control.xml and start a TW test run with SELINUX=1 in openQA.
- Once ^ looks good, merge the QA PR to set SELINUX=1 in TW (or maybe adjust the medium type?), then accept the green staging with the skelcd change.
- Add some tests to TW that explicitly enable AppArmor
- Related to action #168703: [MinimalVM] Ensure SELinux status is checked added
Also available in: Atom
PDF