Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enforce SELinux in acceptance tests #2187

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Enforce SELinux in acceptance tests #2187

wants to merge 1 commit into from

Conversation

ekohl
Copy link
Collaborator

@ekohl ekohl commented Sep 1, 2021

This attempts to unify SELinux handling in the tests. It moves the package installation to the acceptance spec helper to reduce duplication. It then makes the set_apache_defaults line idempotent and restorecon_apache correctly chained. This works around PUP-10548 which is that Puppet doesn't reload file contexts within a run. That means it must first create the file(s) and then run restorecon to get correct contexts.

I'm not entirely sure if this will work.

@github-actions
Copy link

github-actions bot commented May 9, 2022

This PR has been marked as stale because it has been open for a while and has had no recent activity. If this PR is still important to you please drop a comment below and we will add this to our backlog to complete. Otherwise, it will be closed in 7 days.

@github-actions github-actions bot added the stale label May 9, 2022
@david22swan
Copy link
Member

@ekohl Apologies for the late review.
Anyway this look's like a good change to me but was wondering if you had more work that you intended to add to it as it has been left a draft?

@ekohl
Copy link
Collaborator Author

ekohl commented May 16, 2022

I'm unable to run tests locally, so I pushed this to see the results. They are red but rotated by now. I'll rebase to see if that's still the case.

@ekohl ekohl force-pushed the fix-selinux-in-tests branch from ec3cc7a to f6bce28 Compare May 16, 2022 13:29
@github-actions github-actions bot removed the stale label May 17, 2022
@ekohl ekohl mentioned this pull request Jun 9, 2022
Merged
@github-actions
Copy link

Hello! 👋

This pull request has been open for a while and has had no recent activity. We've labelled it with attention-needed so that we can get a clear view of which PRs need our attention.

If you are waiting on a response from us we will try and address your comments on a future Community Day.

Alternatively, if it is no longer relevant to you please close the PR with a comment.

Please note that if a pull request receives no update for 7 after it has been labelled, it will be closed. We are always happy to re-open pull request if they have been closed in error.

@ekohl ekohl force-pushed the fix-selinux-in-tests branch from f6bce28 to 34facc3 Compare July 18, 2022 07:33
@ekohl
Copy link
Collaborator Author

ekohl commented Jul 18, 2022

I've rebased it and split it into two commits. First one that cleans things up (which I think should already be good to merge), then one that makes it enforcing. If the enforcing one fails and we can't quickly figure out why it fails I think we should merge the first commit for now.

@david22swan
Copy link
Member

@ekohl Look's like your getting some failures across the Redhat OSs
Though they don't look fully consistent, some variance across the failures

@ekohl
Copy link
Collaborator Author

ekohl commented Jul 18, 2022

To properly debug this I need the logs from /var/log/audit to see the real AVCs. What would be the best way to retrieve those if I can't run the tests locally?

@david22swan
Copy link
Member

david22swan commented Jul 19, 2022
edited
Loading

There's not really an easy answer for that. Since the environment is cleaned up at the end of every run, the machines and any log's are all wiped from existence.

Off the top of my head, you could comment out the unnecessary test's and then add a run_shell command after the failing one's that cat's said log, allowing you to see it.

If that doesn't work, you could disable the cleanup and I could manually retrieve the log's for you. We would need to coordinate though.

@github-actions
Copy link

Hello! 👋

This pull request has been open for a while and has had no recent activity. We've labelled it with attention-needed so that we can get a clear view of which PRs need our attention.

If you are waiting on a response from us we will try and address your comments on a future Community Day.

Alternatively, if it is no longer relevant to you please close the PR with a comment.

Please note that if a pull request receives no update for 7 after it has been labelled, it will be closed. We are always happy to re-open pull request if they have been closed in error.

@ekohl
Copy link
Collaborator Author

ekohl commented Sep 22, 2022

I split off #2320 which at least cleans some things up. Let's try to get that merged since I don't have time to finish this for now.

@ekohl ekohl force-pushed the fix-selinux-in-tests branch from 34facc3 to 4adb586 Compare September 22, 2022 09:47
@github-actions
Copy link

Hello! 👋

This pull request has been open for a while and has had no recent activity. We've labelled it with attention-needed so that we can get a clear view of which PRs need our attention.

If you are waiting on a response from us we will try and address your comments on a future Community Day.

Alternatively, if it is no longer relevant to you please close the PR with a comment.

Please note that if a pull request receives no update for 7 after it has been labelled, it will be closed. We are always happy to re-open pull request if they have been closed in error.

@ekohl ekohl force-pushed the fix-selinux-in-tests branch from 4adb586 to f5dbd6e Compare November 23, 2022 12:14
@ekohl
Copy link
Collaborator Author

ekohl commented Nov 23, 2022

Rebased to resolve conflicts. Includes #2320 so that should be merged first.

@ekohl ekohl force-pushed the fix-selinux-in-tests branch from f5dbd6e to 0c96ba6 Compare December 1, 2022 12:06
@david22swan
Copy link
Member

@ekohl Hey, sorry to bother but just checking in on how this is proceeding so I can update our records?

@ekohl
Copy link
Collaborator Author

ekohl commented Jan 16, 2023

@david22swan I need to do some work on this, but I really struggle to find the time for it. Luckily all the preparation work went in, so I'll rebase this to show that.

@ekohl ekohl force-pushed the fix-selinux-in-tests branch from 0c96ba6 to 6f3b124 Compare January 16, 2023 10:48
@LukasAud
Copy link
Contributor

Hey @ekohl, are you still interested in working on this project? Perhaps this PR should be closed until work is resumed. Mostly to avoid stale PRs.

@ekohl
Copy link
Collaborator Author

ekohl commented May 26, 2023

I don't have time for it right now. Perhaps convert it to an issue so it isn't lost?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bastelfreak bastelfreak Awaiting requested review from bastelfreak bastelfreak will be requested when the pull request is marked ready for review bastelfreak is a code owner

@smortex smortex Awaiting requested review from smortex smortex will be requested when the pull request is marked ready for review smortex is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
community
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ekohl @david22swan @LukasAud @chelnak