action #173638
Parent task: action #166613 (open): Yast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot
[security][tumbleweed] Test also 'targeted' selinux policy on Tumbleweed
Status: Workable
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time: 8.00 h
Difficulty:
Tags:
Description
Currently we test the targeted policy on SLE Micro and the minimal policy otherwise. With SELinux becoming the new default in Tumbleweed, we should also test the targeted policy on Tumbleweed, not just minimal.
Acceptance Criteria
- Add targeted selinux policy testing to Tumbleweed
Further Information
https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/lib/selinuxtest.pm#L31
Updated by cahu about 17 hours ago · Edited
- Parent task set to #166613
Please note, when we enable SELinux by default in tumbleweed, the default policy will be in targeted mode and enforcing.
There are a few points:
- the policy will then already be enabled directly after the installation, so tests for "if enabling works" should only be run for scenarios where it is not yet enabled (e.g. UPGRADE from old tumbleweed and the user wants to switch from apparmor to selinux, or UPGRADE from old leap that has apparmor); there we should test whether manually switching from apparmor to selinux targeted enforcing and minimum enforcing works (the user guide: https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbleweed_systems).
- in general (the most important thing), when SELinux is enabled the audit log should be checked for AVC, USER_AVC, SELINUX_ERR, USER_SELINUX_ERR entries after every test in the whole openQA test set so that we can see if policy changes break the functionality; this is partially already done, so it makes sense to check where it is not the case
- the toolchain tests should also be done in targeted mode (currently they seem to be done in minimum only)
- testing switching from targeted to minimum and back should be done (with audit log)
Please let me know if you need more info :)
Please also refer to the tracker ticket: https://progress.opensuse.org/issues/166613
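The audit-log check described in the comment above, as an added example that is not part of the ticket and not code from os-autoinst-distri-opensuse (whose lib/selinuxtest.pm is Perl): a POSIX shell gate that scans audit records for the four record types named in the comment (AVC, USER_AVC, SELINUX_ERR, USER_SELINUX_ERR), prints a one-line triage summary per hit, and fails when any are present. The function names and the sample audit lines are constructed for this example; only the record types come from the ticket.

```shell
#!/bin/sh
# Added example, not code from the ticket or from os-autoinst-distri-opensuse.
# After a test step, scan audit records for the SELinux record types the ticket
# names and fail when any are present. Sample log lines are constructed.

# Record types to treat as "policy change broke something" (from the ticket).
SELINUX_RECORD_TYPES='AVC|USER_AVC|SELINUX_ERR|USER_SELINUX_ERR'

# Print only matching records from stdin. audit.log lines start with "type=...".
selinux_audit_hits() {
    grep -E "^type=(${SELINUX_RECORD_TYPES}) " || true
}

# Count matching records on stdin (prints a bare integer).
selinux_audit_count() {
    selinux_audit_hits | wc -l | tr -d ' '
}

# One-line-per-record triage summary: record type, comm, denied permission,
# source context, target context, target class (missing fields print "-").
selinux_audit_summary() {
    selinux_audit_hits | awk '
    {
        type = "-"; comm = "-"; perm = "-"; scx = "-"; tcx = "-"; cls = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^type=/)     type = substr($i, 6)
            if ($i ~ /^comm=/)     comm = substr($i, 6)
            if ($i ~ /^scontext=/) scx  = substr($i, 10)
            if ($i ~ /^tcontext=/) tcx  = substr($i, 10)
            if ($i ~ /^tclass=/)   cls  = substr($i, 8)
        }
        # the denied permission set appears as "{ read }" between braces
        if (match($0, /[{] [a-z_ ]+ [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/"/, "", comm)        # comm is quoted in the record
        gsub(/[^a-z_]/, "", cls)   # drop a trailing quote from nested msg=...
        print type, comm, perm, scx, tcx, cls
    }'
}

# Gate for a test step: return 0 when the log file is clean, 1 otherwise.
# Real usage (hypothetical test harness): check_selinux_audit_file /var/log/audit/audit.log
check_selinux_audit_file() {
    count=$(selinux_audit_count < "$1")
    if [ "$count" -ne 0 ]; then
        echo "SELinux: $count denial/error record(s) in $1" >&2
        selinux_audit_summary < "$1" >&2
        return 1
    fi
    return 0
}

# Constructed sample resembling /var/log/audit/audit.log content: four records
# of the flagged types interleaved with three unrelated records.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" dev="sda1" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="nginx"
type=USER_AVC msg=audit(1700000001.000:457): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system'
type=SERVICE_START msg=audit(1700000002.000:458): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=sshd comm="systemd"'
type=SELINUX_ERR msg=audit(1700000003.000:459): op=security_compute_sid invalid_context=system_u:system_r:bogus_t:s0 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=process
type=CRED_ACQ msg=audit(1700000004.000:460): pid=2000 uid=0 auid=1000
type=USER_SELINUX_ERR msg=audit(1700000005.000:461): pid=3000 uid=0 msg='op=login invalid_context=unconfined_u:unconfined_r:unconfined_t:s0'
EOF
}
```

Source the file and call `check_selinux_audit_file` on the audit log slice written since the test step started (for example, copy the log at step start and diff, or keep a byte offset) so that denials from earlier steps are not re-reported. On a system with the audit tools installed, `ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent` performs the same lookup against the live log; the plain-text scan above is useful when the check has to run over a copied log file or in a harness without ausearch. The `permissive=0`/`permissive=1` field on AVC records is what distinguishes an enforced denial from a permissive-mode "would deny" when comparing targeted enforcing and minimum enforcing runs.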