action #167662
openaction #166613: Yast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot
[security][tumbleweed] test fails in aa_enforce: audit 4.0 changes need adaption
Description
Observation
Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.
auditd.service has: RefuseManualStop=yes
The service that can be restarted with Audit 4.0 is audit-rules; from the upstream changelog:
One of the main features is the separation of loading rules and logging
events into separate services, audit-rules.service and auditd.service.
openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor@64bit fails in aa_enforce
Further details
NOTE: The failure in most runs is linked to an existing bug report about wtmp, but the linked error above has apparently been executed on a "selinux by default" special image similar to ticket #168571. It can be seen that the special runs have most/all aa_* tests failing, while the bug-related failure only happens in one test.
Acceptance Criteria
- Adapt the test to detect whether the daemon to restart is auditd or audit-rules. Newer auditd refuses to be manually restarted.
- Study #168571 as well, see if we can exit gracefully aa_status and aa_enforce when SELinux is enabled by default. Check if the remaining aa_* modules can still be executed with the audit reload fixed. Or should apparmor simply be removed once the switch to selinux by default is done?
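One way to implement the first acceptance criterion, as an added example that is not the openQA test code or the fix merged for this ticket: a shell helper that reads `RefuseManualStop` from auditd.service and falls back to audit-rules.service when a manual restart would be refused. The names `SYSTEMCTL`, `audit_restart_unit` and `restart_audit` are hypothetical; `SYSTEMCTL` exists only so the logic can be exercised with a stub.

```shell
#!/bin/sh
# Added example: choose which audit unit a test is allowed to restart.
# SYSTEMCTL is an assumption of this sketch; it defaults to the real systemctl.
SYSTEMCTL=${SYSTEMCTL:-systemctl}

# Print the unit to restart in order to reload the audit configuration.
# Returns non-zero if auditd refuses manual restart and no audit-rules unit exists.
audit_restart_unit() {
    # With audit 4.0 this property is "yes" (see the observation above).
    refuse=$("$SYSTEMCTL" show -p RefuseManualStop --value auditd.service 2>/dev/null)
    if [ "$refuse" = "yes" ]; then
        # audit 4.0 moved rule loading into audit-rules.service.
        if "$SYSTEMCTL" cat audit-rules.service >/dev/null 2>&1; then
            echo audit-rules.service
            return 0
        fi
        echo "auditd.service refuses manual restart and audit-rules.service is missing" >&2
        return 1
    fi
    # Older packaging: auditd itself can still be restarted.
    echo auditd.service
}

# Restart whichever unit audit_restart_unit selected.
restart_audit() {
    unit=$(audit_restart_unit) || return 1
    "$SYSTEMCTL" restart "$unit"
}
```

Note that restarting audit-rules.service reloads the rules only; the auditd daemon itself keeps running, so a test that needs the daemon restarted has to be adapted separately.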
Updated by dimstar about 2 months ago
This ticket serves as placeholder for all issues around audit 4 service restarts. It has been observed in those tests so far:
- https://openqa.opensuse.org/tests/4524944
- https://openqa.opensuse.org/tests/4524941
- https://openqa.opensuse.org/tests/4524940
- https://openqa.opensuse.org/tests/4524939
- https://openqa.opensuse.org/tests/4524937
- https://openqa.opensuse.org/tests/4524935
- https://openqa.opensuse.org/tests/4524943
- https://openqa.opensuse.org/tests/4524936
Updated by dimstar about 2 months ago
Updated by szarate about 2 months ago
- Tags set to bugbusters
- Assignee set to dimstar
Updated by dimstar about 2 months ago
The previous fix was merged - some missing parts:
- https://openqa.opensuse.org/tests/4525310#step/auditd/8
- https://openqa.opensuse.org/tests/4525310#step/autrace/11 (autrace: command not found) => The auvirt and autrace programs have been dropped
Updated by slo-gin about 1 month ago
This ticket was set to Urgent priority but was not updated within the SLO period. Please consider picking up this ticket or just set the ticket to the next lower priority.
Updated by szarate about 1 month ago
- Related to action #165686: perl-Bootloader package is now update-bootloader in Tumbleweed added
Updated by slo-gin about 1 month ago
- Priority changed from Urgent to High
This ticket was set to Urgent priority but was not updated within the SLO period. The ticket will be set to the next lower priority High.
Updated by szarate about 1 month ago
- Parent task set to #166613
Contact @cahu if any questions.
cc @tjyrinki_suse
Looks like the apparmor and security audit testsuites need to be reworked too. #168571 can be rejected in favor of #167662
Updated by szarate about 1 month ago
- Tags deleted (bugbusters)
- Assignee changed from dimstar to tjyrinki_suse
Updated by tjyrinki_suse 29 days ago
- Tags set to apparmor
- Subject changed from test fails in aa_enforce: audit 4.0 changes need adaption to [security][tumbleweed] test fails in aa_enforce: audit 4.0 changes need adaption
- Status changed from New to Workable
- Assignee deleted (tjyrinki_suse)
- Priority changed from High to Normal
Updated by tjyrinki_suse 23 days ago
- Has duplicate action #168571: [security][tumbleweed] test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor added
Updated by tjyrinki_suse 23 days ago
- Description updated (diff)
removed misleading 2023 openQA links from the description
Updated by tjyrinki_suse 23 days ago
- Description updated (diff)
- Estimated time set to 8.00 h
Update description.
Updated by tjyrinki_suse 23 days ago
- Description updated (diff)
- Start date deleted (2024-10-01)
Updated by tjyrinki_suse 22 days ago
- Related to action #168445: [security][tumbleweed] audit 4: test fails in ausearch and aulastlog added
Updated by amanzini 16 days ago · Edited
as a recap,
- the audit 4 restart issue has been solved (AC1)
- fails in aulastlog (like https://openqa.opensuse.org/tests/4618465) is being addressed with https://progress.opensuse.org/issues/168445
- aa_notify fail https://openqa.opensuse.org/tests/4618530 is related to https://bugzilla.opensuse.org/show_bug.cgi?id=1216660
is there something missing? I'm a bit confused on what this ticket is asking :)
Updated by amanzini 10 days ago
- Status changed from Workable to Feedback
szarate wrote in #note-19:
@amanzini see: https://progress.opensuse.org/issues/168574#note-6
well that's another ticket, so I guess this one can be closed?
(BTW it's still not clear how we are going to manage it, probably it needs some refining)