-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kola-denylist: Add a few ext.config.shared.networking #1095
kola-denylist: Add a few ext.config.shared.networking #1095
Conversation
These are all root caused to injecting networking-related kargs triggers a selinux denial in `systemd-network-generator`: ``` [ 4.171674] audit: type=1400 audit(1670858949.421:4): avc: denied { add_name } for pid=1214 comm="systemd-network" name="90-eth1.network" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0 ``` This is fixed in c9s, and I think the fix is fedora-selinux/selinux-policy@c86d943 I don't think the denial here is fatal though for our use case, it's only about writing networkd files which we don't use.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK right, and the reason why we can't disable the service entirely is because we may still need parts of it (coreos/fedora-coreos-tracker#1059 (comment)).
- pattern: ext.config.shared.networking.force-persist-ip | ||
tracker: https://github.com/fedora-selinux/selinux-policy/commit/c86d943538f907c2e6b20ffda0a8d2b5b5bd2e34 | ||
osversion: | ||
- rhel-9.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's snooze them until e.g. mid-January? Snoozing isn't the best UX, but it's a crude way to ensure we don't keep disabling those tests well past when they're no longer needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think the tests will ever pass in rhel 9.0. Note the dot-zero.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In that case, I think ideally these tests should be skipped on RHEL 9.0 entirely. We have distros
, but I don't think we can limit per version yet, but it could make sense to add.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree, though in practice what I think will happen is that we branch and main/master retargets for 9.2 at some point where this is already fixed.
Another way to say this is - the tests should automatically be un-denied when we retarget, which is the main goal.
(This needs a |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cgwalters, jlebon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/override ci/prow/scos-9-build-test-qemu |
@cgwalters: Overrode contexts on behalf of cgwalters: ci/prow/scos-9-build-test-qemu In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/lgtm |
/override ci/prow/scos-9-build-test-qemu |
@travier: Overrode contexts on behalf of travier: ci/prow/scos-9-build-test-qemu In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@cgwalters: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
These are all root caused to injecting networking-related kargs triggers a selinux denial in
systemd-network-generator
:This is fixed in c9s, and I think the fix is
fedora-selinux/selinux-policy@c86d943
I don't think the denial here is fatal though for our use case, it's only about writing networkd files which we don't use.