action #167662
closedaction #166613: Yast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot
[security][tumbleweed] test fails in aa_enforce: audit 4.0 changes need adaption
100%
Description
Observation¶
Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.
YxdDO-4-
auditd.service has: RefuseManualStop=yes
The service that can be restarted with Audit 4.0 is audit-rules; from the upstream changelog:
One of the main features is the separation of loading rules and logging
events into separate services, audit-rules.service and auditd.service.
openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor@64bit fails in
aa_enforce
Further details¶
NOTE: The failure in most runs is linked to an existing bug report about wtmp, but the linked error above has been apparently executed on "selinux by default" special image similar to ticket #168571 - it can be seen that the special runs have most/all aa_* tests failing, while the bug related failure only happens in one test.
Acceptance Criteria¶
- Adapt the test to detected whether the daemon to restart is auditd or audit-rules. Newer auditd refuses to be manually restarted.
- Study #168571 as well, see if we can exit gracefully aa_status and aa_enforce when SELinux is enabled by default. Check if the remaining aa_* modules can still be executed with the audit reload fixed. Or should apparmor simply be removed once the switch to selinux by default is done?
Updated by dimstar 8 months ago
This ticket serves as placeholder for all issues around audit 4 service restarts. It has been observed in those tests so far:
- https://openqa.opensuse.org/tests/4524944
- https://openqa.opensuse.org/tests/4524941
- https://openqa.opensuse.org/tests/4524940
- https://openqa.opensuse.org/tests/4524939
- https://openqa.opensuse.org/tests/4524937
- https://openqa.opensuse.org/tests/4524935
- https://openqa.opensuse.org/tests/4524943
- https://openqa.opensuse.org/tests/4524936
Updated by dimstar 8 months ago
The previous fix was merged - some missing parts:
- https://openqa.opensuse.org/tests/4525310#step/auditd/8
- https://openqa.opensuse.org/tests/4525310#step/autrace/11 (autrace: command not found) => The auvirt and autrace programs have been dropped
Updated by slo-gin 8 months ago
This ticket was set to Urgent priority but was not updated within the SLO period. Please consider picking up this ticket or just set the ticket to the next lower priority.
Updated by szarate 8 months ago
- Related to action #165686: perl-Bootloader package is now update-bootloader in Tumbleweed added
Updated by slo-gin 8 months ago
- Priority changed from Urgent to High
This ticket was set to Urgent priority but was not updated within the SLO period. The ticket will be set to the next lower priority High.
Updated by tjyrinki_suse 7 months ago
- Tags set to apparmor
- Subject changed from test fails in aa_enforce: audit 4.0 changes need adaption to [security][tumbleweed] test fails in aa_enforce: audit 4.0 changes need adaption
- Status changed from New to Workable
- Assignee deleted (
tjyrinki_suse) - Priority changed from High to Normal
Updated by tjyrinki_suse 7 months ago
- Has duplicate action #168571: [security][tumbleweed] test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor added
Updated by tjyrinki_suse 7 months ago
- Description updated (diff)
removed misleading 2023 openQA links from the description
Updated by tjyrinki_suse 7 months ago
- Description updated (diff)
- Estimated time set to 8.00 h
Update description.
Updated by tjyrinki_suse 7 months ago
- Description updated (diff)
- Start date deleted (
2024-10-01)
Updated by tjyrinki_suse 7 months ago
- Related to action #168445: [security][tumbleweed] audit 4: test fails in ausearch and aulastlog added
Updated by amanzini 7 months ago ยท Edited
as a recap,
- the audit 4 restart issue has been solved (AC1)
- fails in
aulastlog(like https://openqa.opensuse.org/tests/4618465) is being addressed with https://progress.opensuse.org/issues/168445 - aa_notify fail https://openqa.opensuse.org/tests/4618530 is related to https://bugzilla.opensuse.org/show_bug.cgi?id=1216660
is there something missing ? I'm a bit confused on what this ticket is asking :)
Updated by amanzini 7 months ago
- Status changed from Workable to Feedback
szarate wrote in #note-19:
@amanzini see: https://progress.opensuse.org/issues/168574#note-6
well that's another ticket, so I guess this one can be closed ?
(BTW it's still not clear how we are going to manage it, probably it needs some refining )
Updated by tjyrinki_suse 6 months ago
- Related to action #168574: [security] test fails in selinux_setup added
Updated by tjyrinki_suse 6 months ago
- Status changed from Feedback to Resolved
Added a relation to the other ticket and closing. Thank you!