action #178822
closedcoordination #127031: [saga][epic] openQA for SUSE customers
coordination #138365: [epic] openQA works in SELinux enforced environments
openQA in openQA tests failing with unreachable webUI, possibly due to SELinux size:S
Description
Observation
From #178642-8 as szarate found out
I wonder if this is more about selinux... https://openqa.opensuse.org/tests/4917476#step/dashboard/7 is the same error that I'm having on my Tumbleweed installation of openQA (after updating just today)
and the logs are showing constant denies from selinux:
ket permissive=0
type=AVC msg=audit(1741786133.379:949): avc: denied { name_connect } for pid=3901 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1741786133.379:950): avc: denied { name_connect } for pid=16186 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1741786133.379:951): avc: denied { name_connect } for pid=16186 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1741786133.379:952): avc: denied { name_connect } for pid=3901 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
See
https://openqa.opensuse.org/tests/4914440#step/dashboard/6
Further details
Always latest result in this scenario: latest
Suggestions
- Mitigate by disabling SELinux (at least temporarily)
- Maybe `semanage permissive -a httpd_t` from https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Permissive_Domains-Making_a_Domain_Permissive just helps enough?
- Look into relevant openSUSE SELinux docs
- Look into configuring SELinux explicitly
- Look at existing uses such as Fedora which has been using SELinux for some time and might have enablement for openQA as well (okurz asked on 2025-03-13 https://matrix.to/#/!dRljORKAiNJcGEDbYA:opensuse.org/$sdI9s3xingYg3qEZnE8CGaCY16r469N3dzwJyYlazTk?via=opensuse.org&via=matrix.org&via=fedora.im in https://app.element.io/#/room/#openqa:opensuse.org )
- Extend the post_fail_hook to (unconditionally) show /var/log/audit/audit.log - this should reveal that SELinux is the underlying cause, in the same way that it also reveals AppArmor issues
assert_script_run('setenforce 0');
assert_script_run('semanage permissive -a httpd_t');
Out of scope
- Complete SELinux profiles for openQA - this could be a follow-up ticket resulting from this ticket, though
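
One way to condense denials like those quoted in the Observation into one line per blocked access, for instance when reading the audit.log that the post_fail_hook would show. This is an added example, not code from the ticket or from openQA; the function names are hypothetical, and the sample combines two of the quoted records, the truncated fragment from the ticket and one constructed non-AVC record.

```python
import re
from collections import Counter

# Sample input: two AVC records quoted in the ticket, the truncated fragment
# from the ticket, and one constructed non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG = """\
ket permissive=0
type=AVC msg=audit(1741786133.379:949): avc: denied { name_connect } for pid=3901 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1741786133.379:950): avc: denied { name_connect } for pid=16186 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=SERVICE_START msg=audit(1741786100.000:900): pid=1 uid=0 msg='unit=apache2 res=success'
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = {"scontext", "tcontext", "tclass"}


def parse_avc(line):
    """Return a dict for one complete AVC denial record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not REQUIRED <= rec.keys():
        return None  # truncated record, nothing reliable to report
    rec["perms"] = m.group("perms").split()
    # Contexts are user:role:type:level; policy rules are written against the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials per (source type, target type, class, permission, dest port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm, rec.get("dest"))] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm, port), n in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x {src} denied {{ {perm} }} on {tgt}:{cls} dest={port}")
```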