action #175320
closedaction #166613: Yast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot
[security][tumbleweed] sestatus does not use has_selinux and fails on selinux enabled tumbleweed build
100%
Description
Tumbleweed iso test with SELinux enabled by default, see context:
https://bugzilla.suse.com/show_bug.cgi?id=1230118
also see: https://progress.opensuse.org/issues/166613
after 168574 was fixed, this test fails
Observation
openQA test in scenario opensuse-Tumbleweed-DVD-x86_64-selinux@64bit fails in
sestatus
Updated by cahu about 2 months ago
@amanzini @tjyrinki_suse this is the test case that is run after what you fixed in: https://progress.opensuse.org/issues/168574
could you have a look?
i think this could be caused due to a timeout in the tests because the relabeling in the product takes longer, but i am not really sure
Updated by favogt about 2 months ago
The link to the failure in the report is probably wrong and should instead be https://openqa.opensuse.org/tests/4762592#step/sestatus/58
Updated by favogt about 2 months ago
https://github.com/ca-hu/os-autoinst-distri-opensuse/blob/922162461e02ac10f52e9f04f78de0d15f21fcd8/tests/security/selinux/sestatus.pm#L22 doesn't use has_selinux
and thus tries to enable the minimum policy in permissive mode (???).
AFAICT that should still work though, so might need some debugging.
Updated by cahu about 2 months ago
favogt wrote in #note-3:
https://github.com/ca-hu/os-autoinst-distri-opensuse/blob/922162461e02ac10f52e9f04f78de0d15f21fcd8/tests/security/selinux/sestatus.pm#L22 doesn't use has_selinux and thus tries to enable the minimum policy in permissive mode (???).
AFAICT that should still work though, so might need some debugging.
i think the issue is that something is added to the grub commandline like this, which is wrong:
GRUB_CMDLINE_LINUX_DEFAULT="...... security=selinux selinux=1 enforcing=1 mitigations=auto lsm=selinux security=selinux selinux=1 enforcing=0"
see:
https://openqa.opensuse.org/tests/4762592/file/sestatus-grub
if i switch manually to minimum with the correct grub config and relabel, it boots fine for me
let me know if i am missing something
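A check for the kind of command line quoted in the comment above, where the SELinux parameters appear twice and `enforcing` is given two different values. This is an added example, not part of the thread or of os-autoinst-distri-opensuse; the function names `grub_cmdline`, `lsm_report` and `effective_param` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the openQA test suite): audit SELinux/LSM boot
# parameters in a GRUB_CMDLINE_LINUX_DEFAULT string for repeats and conflicts.

# Print the value of GRUB_CMDLINE_LINUX_DEFAULT from a grub defaults file ($1).
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# For each LSM-related key seen more than once in the command line ($1), print
# "CONFLICT key=v1,v2" when the values differ or "DUPLICATE key=v1,v1" when not.
lsm_report() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | awk -F= '
        $1 ~ /^(security|selinux|enforcing|lsm)$/ {
            k = $1; v = substr($0, length(k) + 2)
            if (!(k in vals)) { order[++n] = k; vals[k] = v; first[k] = v }
            else { vals[k] = vals[k] "," v; count[k]++; if (v != first[k]) bad[k] = 1 }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (k in bad) print "CONFLICT " k "=" vals[k]
                else if (k in count) print "DUPLICATE " k "=" vals[k]
            }
        }'
}

# Print the last value given for key $1 in command line $2. The kernel runs a
# parameter's handler once per occurrence, so the last one is what stays set.
effective_param() {
    printf '%s\n' "$2" | tr -s ' \t' '\n' | sed -n "s/^$1=//p" | tail -n 1
}

# Command line quoted in the thread above ("......" is the poster's elision).
SAMPLE='...... security=selinux selinux=1 enforcing=1 mitigations=auto lsm=selinux security=selinux selinux=1 enforcing=0'

lsm_report "$SAMPLE"
echo "effective enforcing=$(effective_param enforcing "$SAMPLE")"
```

On a real system, `lsm_report "$(grub_cmdline /etc/default/grub)"` runs the same audit against the installed configuration.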
Updated by tjyrinki_suse about 2 months ago
- Tags changed from bugbusters to bugbusters, selinux, fail
- Subject changed from test fails in sestatus to [security][tumbleweed] sestatus does not use has_selinux and fails on selinux enabled tumbleweed build
- Description updated (diff)
- Status changed from New to Workable
- Start date deleted (2025-01-13)
Updated by favogt about 2 months ago
cahu wrote in #note-4:
favogt wrote in #note-3:
https://github.com/ca-hu/os-autoinst-distri-opensuse/blob/922162461e02ac10f52e9f04f78de0d15f21fcd8/tests/security/selinux/sestatus.pm#L22 doesn't use has_selinux and thus tries to enable the minimum policy in permissive mode (???).
AFAICT that should still work though, so might need some debugging.
i think the issue is that something is added to the grub commandline like this, which is wrong:
GRUB_CMDLINE_LINUX_DEFAULT="...... security=selinux selinux=1 enforcing=1 mitigations=auto lsm=selinux security=selinux selinux=1 enforcing=0"
see:
https://openqa.opensuse.org/tests/4762592/file/sestatus-grub
if i switch manually to minimum with the correct grub config and relabel, it boots fine for me
let me know if i am missing something
The QA test did not do a relabel, so it failed to boot due to switching from targeted to minimum incorrectly. So no product bug here and fixing the modules to handle that TW uses targeted in enforcing by itself should be sufficient.
Updated by favogt about 2 months ago
The QA test did not do a relabel, so it failed to boot due to switching from targeted to minimum incorrectly.
That's fixed with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20986 and passes now. Ideally it should keep the product's own SELinux config active though instead of switching to a different configuration first.
Updated by favogt about 2 months ago
- Assignee set to favogt
- % Done changed from 0 to 90
favogt wrote in #note-7:
The QA test did not do a relabel, so it failed to boot due to switching from targeted to minimum incorrectly.
That's fixed with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20986 and passes now. Ideally it should keep the product's own SELinux config active though instead of switching to a different configuration first.
Implemented with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/21005
Updated by favogt about 2 months ago
- Status changed from Workable to Resolved
- % Done changed from 90 to 100
favogt wrote in #note-8:
favogt wrote in #note-7:
The QA test did not do a relabel, so it failed to boot due to switching from targeted to minimum incorrectly.
That's fixed with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/20986 and passes now. Ideally it should keep the product's own SELinux config active though instead of switching to a different configuration first.
Implemented with https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/21005
... and merged!