action #168571
closedaction #166613: Yast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot
[security][tumbleweed] test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor
0%
Description
Tumbleweed iso test with SELinux enabled by default, see context:
https://bugzilla.suse.com/show_bug.cgi?id=1230118
also see: https://progress.opensuse.org/issues/166613
these test fails due to the reason that they check if Apparmor is installed and enabled
but it is not, as SELinux is selected as the default during install
https://openqa.opensuse.org/tests/4548583#step/aa_status/1
https://openqa.opensuse.org/tests/4548583#step/aa_enforce/9
https://openqa.opensuse.org/tests/4548641#step/usr_sbin_smbd/1
https://openqa.opensuse.org/tests/4548716#step/settings_disable_enable_apparmor/1
https://openqa.opensuse.org/tests/4548767#step/yast2_apparmor/6
Observation¶
openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-apparmor@64bit fails in
aa_status
Test suite description¶
Maintainer: QE Security; test AppArmor tool with an existing disk image.
Reproducible¶
Fails since (at least) Build 20231102
Expected result¶
Last good: 20231020 (or more recent)
Further details¶
Always latest result in this scenario: latest
Updated by tjyrinki_suse 2 months ago · Edited
- Tags set to apparmor
- Subject changed from [qe-security] test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor to [security][tumbleweed] test fails in aa_status aa_enforce usr_sbin_smbd settings_disable_enable_apparmor yast2_apparmor
- Status changed from New to Workable
Above comment says "#168571 can be rejected in favor of #167662", so closing this and trying to change 167662 accordingly.
Updated by cahu 2 months ago
just a quick note: for the verification runs you can create an iso as described here:
https://bugzilla.suse.com/show_bug.cgi?id=1230118#c7
Updated by tjyrinki_suse about 2 months ago
- Is duplicate of action #167662: [security][tumbleweed] test fails in aa_enforce: audit 4.0 changes need adaption added
Updated by tjyrinki_suse about 2 months ago · Edited
- Status changed from Workable to Rejected
Updated by cahu 29 days ago
- Status changed from Rejected to Workable
I had a look and this does not seem similar to 167662. Please let me know if i am wrong.
What we need here is:
- https://openqa.opensuse.org/tests/4548583#step/aa_status/1 --> in case
has_selinuxis set, do not run the tests for apparmor - https://openqa.opensuse.org/tests/4548583#step/aa_enforce/9 --> same here
- https://openqa.opensuse.org/tests/4548716#step/settings_disable_enable_apparmor/1 --> same here
- https://openqa.opensuse.org/tests/4548641#step/usr_sbin_smbd/1 --> in case
has_selinuxis set, do not try to restart apparmor - https://openqa.opensuse.org/tests/4548767#step/yast2_apparmor/6 --> in case
has_selinuxis set, stop checking for apparmor packages
For context, we added the has_selinux interface here:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20125/files#diff-d88cf05f1a6280e0ba39facdace5d89c4b408a07a6a44364b238ced8fbc6113bR987
Please let me know if I am misunderstanding something or you have any more questions.
Updated by tjyrinki_suse 7 days ago
- Status changed from Workable to Resolved
Added a relation to the other ticket and closing. Thank you!