action #178822
closedcoordination #127031: [saga][epic] openQA for SUSE customers
coordination #138365: [epic] openQA works in SELinux enforced environments
openQA in openQA tests failing with unreachable webUI, possibly due to SELinux size:S
0%
Description
Observation
From #178642-8 as szarate found out
I wonder if this is more about selinux... https://openqa.opensuse.org/tests/4917476#step/dashboard/7 is the same error that I'm having on my Tumbleweed installation of openQA (after updating just today)
and the logs are showing constant denies from selinux:
ket permissive=0
type=AVC msg=audit(1741786133.379:949): avc: denied { name_connect } for pid=3901 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1741786133.379:950): avc: denied { name_connect } for pid=16186 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1741786133.379:951): avc: denied { name_connect } for pid=16186 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1741786133.379:952): avc: denied { name_connect } for pid=3901 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
See
https://openqa.opensuse.org/tests/4914440#step/dashboard/6
Further details
Always latest result in this scenario: latest
Suggestions
- Mitigate by disabling SELinux (at least temporarily)
- Maybe semanage permissive -a httpd_t from https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Permissive_Domains-Making_a_Domain_Permissive just helps enough?
- Look into relevant openSUSE SELinux docs
- Look into configuring SELinux explicitly
- Look at existing uses such as Fedora which has been using SELinux for some time and might have enablement for openQA as well (okurz asked on 2025-03-13 https://matrix.to/#/!dRljORKAiNJcGEDbYA:opensuse.org/$sdI9s3xingYg3qEZnE8CGaCY16r469N3dzwJyYlazTk?via=opensuse.org&via=matrix.org&via=fedora.im in https://app.element.io/#/room/#openqa:opensuse.org )
- Extend the post_fail_hook to (unconditionally) show /var/log/audit/audit.log - this should reveal that SELinux is the underlying cause, in the same way that it also reveals AppArmor issues
assert_script_run('setenforce 0');
assert_script_run('semanage permissive -a httpd_t');
Out of scope
- Complete SELinux profiles for openQA - this could be a follow-up ticket resulting from this ticket, though
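One way to triage an audit.log like the one quoted in the description, as an added example that is not part of the ticket or of openQA's code: it parses AVC records in that format, skips non-AVC and truncated lines, and reports which source domains had enforced denials (the source domain type is what semanage permissive -a takes as its argument). The function names are assumptions, and every sample record other than the two copied from the ticket is constructed.

```python
import re
from collections import Counter

# Constructed sample: two denials copied from the ticket, plus an invented
# non-AVC record, an invented permissive-mode denial and a truncated line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1741786133.379:949): avc: denied { name_connect } for pid=3901 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1741786133.379:950): avc: denied { name_connect } for pid=16186 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=SERVICE_START msg=audit(1741786140.001:953): pid=1 uid=0 msg='unit=example'
type=AVC msg=audit(1741786150.120:960): avc: denied { read } for pid=4100 comm="example" name="example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
ket permissive=0
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for other or truncated records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if any(k not in fields for k in ("scontext", "tcontext", "tclass", "permissive")):
        return None
    # An SELinux context is user:role:type:level; the type is the third part.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    fields["perms"] = m.group("perms").split()
    fields["enforced"] = fields["permissive"] == "0"
    return fields

def summarize(log_text):
    """Count denials per (source type, perm, class, target type, dest, enforced)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], perm, rec["tclass"],
                    rec["target_type"], rec.get("dest"), rec["enforced"])] += 1
    return counts

def blocking_domains(log_text):
    """Source domains with denials that were actually enforced (permissive=0)."""
    return sorted({key[0] for key in summarize(log_text) if key[5]})

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_AUDIT_LOG)), blocking_domains(SAMPLE_AUDIT_LOG))
```

Denials logged with permissive=1 are counted but not listed as blocking, since the access was allowed and only recorded.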
Updated by okurz about 1 month ago
- Copied from action #178642: openQA in openQA tests failing with 503 errors and timeouts due to misbehaving MirrorCache / CDN auto_review:"retry.*zypper.*ref && zypper --no-cd -n in openQA-worker.*timed out" size:S added
Updated by okurz about 1 month ago
- Project changed from openQA Tests (public) to openQA Project (public)
- Category changed from Bugs in existing tests to Regressions/Crashes
Updated by tinita about 1 month ago
- Status changed from New to In Progress
- Assignee set to tinita
Updated by livdywan about 1 month ago
- Subject changed from openQA in openQA tests failing with unreachable webUI, possibly due to SELinux to openQA in openQA tests failing with unreachable webUI, possibly due to SELinux size:S
- Description updated (diff)
Updated by okurz about 1 month ago
Related improvement: https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/228
Updated by tinita about 1 month ago
- Description updated (diff)
It's actually semanage permissive -a httpd_t
not semanage permission -a httpd_t
Updated by tinita about 1 month ago
- Status changed from In Progress to Feedback
Updated by livdywan about 1 month ago
- Status changed from Feedback to In Progress
tinita wrote in #note-9:
https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/229
I'm afraid this needs to stay In Progress until the mitigation is in place. Which then allows us to lower priority.
Updated by tinita about 1 month ago
- Status changed from In Progress to Workable
- Assignee deleted (tinita)
- Priority changed from Urgent to High
Mitigation is in place, tests look fine again: https://openqa.opensuse.org/tests/overview?distri=openqa&version=Tumbleweed&build=%3ATW.35404&groupid=24
Updated by dheidler about 1 month ago
- Status changed from Workable to In Progress
Updated by openqa_review about 1 month ago
- Due date set to 2025-04-02
Setting due date based on mean cycle time of SUSE QE Tools
Updated by dheidler about 1 month ago
- Status changed from In Progress to Blocked
Requesting selinux rule changes: https://bugzilla.opensuse.org/show_bug.cgi?id=1239792
Updated by dheidler about 1 month ago
- Status changed from Blocked to In Progress
Updated by dheidler about 1 month ago
Seems like we should use
semanage boolean -m -1 httpd_can_network_connect
Will add that to the script and docs.
Updated by okurz about 1 month ago
You can likely add it to https://github.com/os-autoinst/openQA/blob/master/script/configure-web-proxy which is called within openQA-bootstrap in https://github.com/os-autoinst/openQA/blob/master/script/openqa-bootstrap#L109
Updated by dheidler about 1 month ago
- Status changed from In Progress to Feedback
Updated by dheidler 29 days ago
Revert Tina's workaround: https://github.com/os-autoinst/os-autoinst-distri-openQA/pull/231
Updated by okurz 19 days ago
- Copied to action #180029: [openqa-in-openqa] Can we call configure-web-proxy in "install_from_git" and remove the selinux workaround? added
Updated by livdywan 13 days ago
- Related to action #180002: openQA-in-openQA test fails in dashboard with 403 Forbidden size:S added