action #178822
Updated by tinita about 1 month ago
## Observation
From #178642-8, as szarate found out:
> I wonder if this is more about selinux... https://openqa.opensuse.org/tests/4917476#step/dashboard/7 is the same error that I'm having on my Tumbleweed installation of openQA (after updating just today)
and the logs are showing constant denies from selinux:
```
ket permissive=0
type=AVC msg=audit(1741786133.379:949): avc: denied { name_connect } for pid=3901 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1741786133.379:950): avc: denied { name_connect } for pid=16186 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1741786133.379:951): avc: denied { name_connect } for pid=16186 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1741786133.379:952): avc: denied { name_connect } for pid=3901 comm="httpd-prefork" dest=9526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openqa_port_t:s0 tclass=tcp_socket permissive=0
```
See https://openqa.opensuse.org/tests/4914440#step/dashboard/6
## Further details
Always latest result in this scenario: [latest](https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=openqa&flavor=dev&machine=64bit-2G&test=openqa_from_git&version=Tumbleweed)
## Suggestions
* Mitigate by disabling SELinux (at least temporarily)
* Maybe `semanage permissive -a httpd_t` from https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Permissive_Domains-Making_a_Domain_Permissive just helps enough?
* Look into relevant openSUSE SELinux docs
* Look into configuring SELinux explicitly
* Look at existing uses such as Fedora which has been using SELinux for some time and might have enablement for openQA as well (okurz asked on 2025-03-13 https://matrix.to/#/!dRljORKAiNJcGEDbYA:opensuse.org/$sdI9s3xingYg3qEZnE8CGaCY16r469N3dzwJyYlazTk?via=opensuse.org&via=matrix.org&via=fedora.im in https://app.element.io/#/room/#openqa:opensuse.org )
* Extend the post_fail_hook to (unconditionally) show /var/log/audit/audit.log - this should reveal that SELinux is the underlying cause, in the same way that it also reveals AppArmor issues
* `assert_script_run('setenforce 0');`
* `assert_script_run('semanage permissive -a httpd_t');`
## Out of scope
* Complete SELinux profiles for openQA - this could be a follow-up ticket resulting from this ticket, though