Project

General

Profile

Actions
Copy link

action #168571

open

action #166613: Yast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot

[security][tumbleweed] test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor

Added by cahu 8 months ago. Updated 4 months ago.

Status:
Workable
Priority:
Normal
Assignee:
-
Category:
Bugs in existing tests
Target version:
-
Start date:
2024-10-21
Due date:
% Done:

50%

Estimated time:
8.00 h
Difficulty:
Tags:
apparmor

Description

Tumbleweed iso test with SELinux enabled by default, see context:
https://bugzilla.suse.com/show_bug.cgi?id=1230118

also see: https://progress.opensuse.org/issues/166613

these test fails due to the reason that they check if Apparmor is installed and enabled
but it is not, as SELinux is selected as the default during install

https://openqa.opensuse.org/tests/4548583#step/aa_status/1
https://openqa.opensuse.org/tests/4548583#step/aa_enforce/9
https://openqa.opensuse.org/tests/4548641#step/usr_sbin_smbd/1
https://openqa.opensuse.org/tests/4548716#step/settings_disable_enable_apparmor/1
https://openqa.opensuse.org/tests/4548767#step/yast2_apparmor/6

Observation

openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor@64bit fails in
aa_status

Test suite description

Maintainer: QE Security; test AppArmor tool with an existing disk image.

Reproducible

Fails since (at least) Build 20231102

Expected result

Last good: 20231020 (or more recent)

Further details

Always latest result in this scenario: latest

Related issues 1 (0 open1 closed)

Is duplicate of openQA Tests (public) - action #167662: [security][tumbleweed] test fails in aa_enforce: audit 4.0 changes need adaptionResolvedamanzini

Actions
Actions
Copy link
 #1

Updated by szarate 7 months ago

  • Parent task set to #166613

Contact @cahu if any questions.

cc @tjyrinki_suse
Looks like for apparmor and security audit testsuites need to be reworked too. #168571 can be rejected in favor of #167662

Actions
Copy link
 #2

Updated by szarate 7 months ago

  • Subject changed from test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor to [qe-security] test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor
Actions
Copy link
 #3

Updated by tjyrinki_suse 7 months ago · Edited

  • Tags set to apparmor
  • Subject changed from [qe-security] test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor to [security][tumbleweed] test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor
  • Status changed from New to Workable

Above comment says "#168571 can be rejected in favor of #167662", so closing this and trying to change 167662 accordingly.

Actions
Copy link
 #4

Updated by cahu 7 months ago

just a quick note: for the verification runs you can create an iso as described here:
https://bugzilla.suse.com/show_bug.cgi?id=1230118#c7

Actions
Copy link
 #5

Updated by tjyrinki_suse 7 months ago

  • Is duplicate of action #167662: [security][tumbleweed] test fails in aa_enforce: audit 4.0 changes need adaption added
Actions
Copy link
 #6

Updated by tjyrinki_suse 7 months ago · Edited

  • Status changed from Workable to Rejected
Actions
Copy link
 #7

Updated by cahu 6 months ago

  • Status changed from Rejected to Workable

I had a look and this does not seem similar to 167662. Please let me know if i am wrong.

What we need here is:

For context, we added the has_selinux interface here:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125/files#diff-d88cf05f1a6280e0ba39facdace5d89c4b408a07a6a44364b238ced8fbc6113bR987

Please let me know if I am misunderstanding something or you have any more questions.

Actions
Copy link
 #8

Updated by tjyrinki_suse 6 months ago

  • Estimated time set to 8.00 h
Actions
Copy link
 #9

Updated by tjyrinki_suse 6 months ago

  • Status changed from Workable to Resolved

Added a relation to the other ticket and closing. Thank you!

Actions
Copy link
 #10

Updated by cahu 5 months ago · Edited

  • Status changed from Resolved to Workable

Hi, I reran the iso tests again, and it seems to be still happening:

e.g. https://openqa.opensuse.org/tests/4762559#step/aa_status/1

the full iso test:
https://openqa.opensuse.org/tests/overview?distri=opensuse&version=Tumbleweed&build=20250108-SELinux&groupid=1&todo=1

I could not find a PR with changes for this.
Could you have another look? Thanks!

Actions
Copy link
 #11

Updated by favogt 5 months ago

  • % Done changed from 0 to 50

With https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20986, the code for switching from SELinux to AppArmor works and jeos-apparmor passes.

What's missing now is to hook this up in the other apparmor scenarios as well.

Actions
Copy link
 #12

Updated by ph03nix 4 months ago

favogt wrote in #note-11:

With https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20986, the code for switching from SELinux to AppArmor works and jeos-apparmor passes.

What's missing now is to hook this up in the other apparmor scenarios as well.

For the container tests there is https://progress.opensuse.org/issues/175419#note-8 in place.

I also see two dedicated tests for the DVD flavor, where I don't know yet who's gonna be in charge.

Actions
Copy link
 #13

Updated by szarate 3 months ago

  • Related to action #176154: test fails in aa_genprof: nscd had been removed added
Actions
Copy link
 #14

Updated by szarate 3 months ago

  • Related to deleted (action #176154: test fails in aa_genprof: nscd had been removed )
Actions
Copy link

Also available in: Atom PDF