kola-denylist: Add a few ext.config.shared.networking #1095
Conversation
These are all root caused to injecting networking-related kargs
triggers a selinux denial in `systemd-network-generator`:
```
[ 4.171674] audit: type=1400 audit(1670858949.421:4): avc: denied { add_name } for pid=1214 comm="systemd-network" name="90-eth1.network" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=dir permissive=0
```
This is fixed in c9s, and I think the fix is
fedora-selinux/selinux-policy@c86d943
I don't think the denial here is fatal though for our use case,
it's only about writing networkd files which we don't use.
openshift-ci
bot
added
the
approved
There was a problem hiding this comment.
OK right, and the reason why we can't disable the service entirely is because we may still need parts of it (coreos/fedora-coreos-tracker#1059 (comment)).
| - pattern: ext.config.shared.networking.force-persist-ip | ||
| tracker: https://github.com/fedora-selinux/selinux-policy/commit/c86d943538f907c2e6b20ffda0a8d2b5b5bd2e34 | ||
| osversion: | ||
| - rhel-9.0 |
There was a problem hiding this comment.
Let's snooze them until e.g. mid-January? Snoozing isn't the best UX, but it's a crude way to ensure we don't keep disabling those tests well past when they're no longer needed.
There was a problem hiding this comment.
I don't think the tests will ever pass in rhel 9.0. Note the dot-zero.
There was a problem hiding this comment.
In that case, I think ideally these tests should be skipped on RHEL 9.0 entirely. We have distros, but I don't think we can limit per version yet, but it could make sense to add.
There was a problem hiding this comment.
Agree, though in practice what I think will happen is that we branch and main/master retargets for 9.2 at some point where this is already fixed.
Another way to say this is - the tests should automatically be un-denied when we retarget, which is the main goal.
|
(This needs a |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cgwalters, jlebon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/override ci/prow/scos-9-build-test-qemu |
|
@cgwalters: Overrode contexts on behalf of cgwalters: ci/prow/scos-9-build-test-qemu In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/lgtm |
|
/override ci/prow/scos-9-build-test-qemu |
|
@travier: Overrode contexts on behalf of travier: ci/prow/scos-9-build-test-qemu In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@cgwalters: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
These are all root caused to injecting networking-related kargs triggers a selinux denial in
systemd-network-generator:This is fixed in c9s, and I think the fix is
fedora-selinux/selinux-policy@c86d943
I don't think the denial here is fatal though for our use case, it's only about writing networkd files which we don't use.