QA (public) » openQA Project (public) » openQA Tests (public) » Containers and images

We get the first builds: https://openqa.opensuse.org/tests/overview?distri=opensuse&version=Tumbleweed&build=20250115-SELinux&groupid=1

See also https://etherpad.opensuse.org/p/pK_gNfHwhtSptybfXw3S for more details

We need to create a new scenario that disables SELinux, installs AppArmor and then tests AppArmor.

I need to think of a good way for the test runs. It needs to include a simple variable that allows to set the MAC.

After looking at the Tumbleweed test runs and used variables in openQA I suggest the following to enable MinimalVM and Tumbleweed testing for now and during the transition period for AppArmor and SELinux:

• SECURITY_MAC defines which LSM (Linux Security Module) is expected to be installed on the system. Values are apparmor or selinux.
• SECURITY_TEST defines which LSM should be tested. Values are apparmor or selinux.

As a first step to ensure the transitioning from AppArmor to SELinux can happen without interruptions, we need to implement those setting in the current test runs.

Also both the jeos-apparmor and jeos-selinux test modules need to be adjusted such, that the test modules are capable to switch the system from apparmor to selinux and vice-versa if needed.

Missing parts: https://progress.opensuse.org/issues/168571#note-11

So what's still missing are the container apparmor tests. They still need to be prepared to switch back to AppArmor when Tumbleweed is going to switch over to SELinux by default. We can use the above test runs as template for doing so, the test modules for switching to AppArmor already exist.

For the AppArmor test runs, there is also https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/lib/main_security.pm#L141

TLDR: We just need to use SECURITY_MAC=SELinux and then the AppArmor tests should sort it out themselves.