action #175419
closed openQA Tests (public) - action #166613: Yast default selected LSM changes from Apparmor to SELinux, existing openQA test fails in first_boot
[MinimalVM] Prepare for switch to SELinux as default MAC in Tumbleweed
50%
Description
A pending change in Tumbleweed is to switch to SELinux as the default MAC security solution. We need to prepare our test run for this change.
Updated by ph03nix 5 months ago
We get the first builds: https://openqa.opensuse.org/tests/overview?distri=opensuse&version=Tumbleweed&build=20250115-SELinux&groupid=1
See also https://etherpad.opensuse.org/p/pK_gNfHwhtSptybfXw3S for more details
Updated by ph03nix 4 months ago
After looking at the Tumbleweed test runs and used variables in openQA I suggest the following to enable MinimalVM and Tumbleweed testing for now and during the transition period for AppArmor and SELinux:
- SECURITY_MAC defines which LSM (Linux Security Module) is expected to be installed on the system. Values are apparmor or selinux.
- SECURITY_TEST defines which LSM should be tested. Values are apparmor or selinux.
As a first step to ensure the transitioning from AppArmor to SELinux can happen without interruptions, we need to implement those settings in the current test runs.
Also both the jeos-apparmor and jeos-selinux test modules need to be adjusted such that the test modules are capable of switching the system from apparmor to selinux and vice versa if needed.
Updated by ph03nix 4 months ago
- Status changed from Workable to In Progress
- Assignee set to ph03nix
- % Done changed from 0 to 50
On second look it appears to me that everything is already in place for the switch.
There is https://openqa.opensuse.org/tests/overview?distri=opensuse&version=Tumbleweed&build=20250115-SELinux&groupid=1 with https://openqa.opensuse.org/tests/4784081 and with https://openqa.opensuse.org/tests/4780117 that show that this is already working.
Updated by ph03nix 4 months ago
Missing parts: https://progress.opensuse.org/issues/168571#note-11
Updated by ph03nix 4 months ago
So what's still missing are the container apparmor tests. They still need to be prepared to switch back to AppArmor when Tumbleweed is going to switch over to SELinux by default. We can use the above test runs as a template for doing so; the test modules for switching to AppArmor already exist.
Updated by ph03nix 4 months ago · Edited
For the AppArmor test runs, there is also https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/lib/main_security.pm#L141
TLDR: We just need to use SECURITY_MAC=SELinux and then the AppArmor tests should sort it out themselves.
Updated by slo-gin 3 months ago
This ticket was set to High priority but was not updated within the SLO period. Please consider picking up this ticket or just set the ticket to the next lower priority.