Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

manifests: add selinux-workaround.yaml for >= F41 #3127

Merged
merged 2 commits into from
Sep 4, 2024
Merged

manifests: add selinux-workaround.yaml for >= F41 #3127

merged 2 commits into from
Sep 4, 2024

Conversation

marmijo
Copy link
Member

@marmijo marmijo commented Aug 29, 2024
edited
Loading

Recent changes in the SELinux policy have broken a lot of our code. Add a selinux-workaround.yaml file to revert the affected domains back to permissive mode until fedora-selinux/selinux-policy#2257 merges and the domains are reverted back to permissive mode upstream or the issue is resolved altogether. The selinux-workaround.yaml file is included only when releasever >= 41 since we are seeing these issues in branched and rawhide.

EDIT: Remove the kola-iso test entries for rawhide and branched from the kola-denylist file. These tests now longer fail with the coreos_installer_t domain reverted back to permissive.

EDIT 2: Add the workaround for afterburn_t as well.

bootupd_t: https://bugzilla.redhat.com/show_bug.cgi?id=2300306

coreos_installer_t:

afterburn_t

@marmijo
Copy link
Member Author

marmijo commented Aug 29, 2024
edited
Loading

This was discussed in the community meeting today (2024-08-28):

...let's try to reach out to the selinux-policy maintainers first to try to do this the proper way (either fixing the bug, or merging [travier's] PR)

/hold
Let's wait until a decision can be made about that: fedora-selinux/selinux-policy#2257 (comment)

@marmijo marmijo added the hold label Aug 29, 2024
@dustymabe
Copy link
Member

@marmijo let's convert this into it's own manifest yaml file, conditionally included on all F41 releases and then target this PR for testing-devel.

@jlebon do you know if there are downsides to running semodule like this during the compose? i.e. not shipping the policy exactly as delivered by Fedora?

@marmijo marmijo changed the base branch from branched to testing-devel September 3, 2024 18:55
@marmijo marmijo changed the title [branched] manifests/fedora-coreos: add SELinux workaround manifests: add selinux-workaround.yaml for >= F41 Sep 3, 2024
@marmijo
Copy link
Member Author

marmijo commented Sep 3, 2024

let's convert this into it's own manifest yaml file, conditionally included on all F41 releases and then target this PR for testing-devel.

Done!

@jlebon
Copy link
Member

jlebon commented Sep 3, 2024

@jlebon do you know if there are downsides to running semodule like this during the compose? i.e. not shipping the policy exactly as delivered by Fedora?

Not sure if that's what you mean, but note that the binary policy file isn't shipped in Fedora. On package-mode systems, it's always built client-side. In image-mode systems, it's kinda silly because we recompile it multiple times (once from the scriptlets, and once by rpm-ostree at the end, and now this PR would add a third recompilation in between), but meh...

Probably worth linking the prior art in openshift/os I think this is based on.

The main downside I see is more the higher-level/more social issue of undoing what selinux-policy does, but hopefully that's temporary.

@dustymabe
Copy link
Member

The main downside I see is more the higher-level/more social issue of undoing what selinux-policy does, but hopefully that's temporary.

agree. I think this is just us getting ourselves unblocked. It looks like we're going to be working with selinux on multiple issues related to the new confinements for some time and this will help reduce the time pressure there.

marmijo added a commit to marmijo/fedora-coreos-config that referenced this pull request Sep 3, 2024
@marmijo
denylist: extend expires snoozes
9f4ca05 
- `coreos.ignition.ssh.key`
  - pending afterburn release: coreos/afterburn#1095

- kola-iso tests
  - coreos/fedora-coreos-tracker#1779 is still
    unresolved.
  - coreos#3127
    might unblock these tests for now.

- `ext.config.kdump.crash`
  - this test is still failing in rawhide and branched.
@marmijo marmijo mentioned this pull request Sep 3, 2024
Merged
@dustymabe
Copy link
Member

can we add a similar workaround here for afterburn (related to coreos/fedora-coreos-tracker#1784) ?

marmijo added a commit to marmijo/fedora-coreos-config that referenced this pull request Sep 3, 2024
@marmijo
denylist: extend expired snoozes
02510dd 
- `coreos.ignition.ssh.key`
  - pending afterburn release: coreos/afterburn#1095

- kola-iso tests
  - coreos/fedora-coreos-tracker#1779 is still
    unresolved.
  - coreos#3127
    might unblock these tests for now.

- `ext.config.kdump.crash`
  - this test is still failing in rawhide and branched.
dustymabe pushed a commit that referenced this pull request Sep 3, 2024
@marmijo @dustymabe
denylist: extend expired snoozes
d26c9ba 
- `coreos.ignition.ssh.key`
  - pending afterburn release: coreos/afterburn#1095

- kola-iso tests
  - coreos/fedora-coreos-tracker#1779 is still
    unresolved.
  - #3127
    might unblock these tests for now.

- `ext.config.kdump.crash`
  - this test is still failing in rawhide and branched.
@marmijo
Copy link
Member Author

marmijo commented Sep 3, 2024

can we add a similar workaround here for afterburn (related to coreos/fedora-coreos-tracker#1784) ?

Added!

dustymabe
dustymabe previously approved these changes Sep 3, 2024
View reviewed changes
Copy link
Member

@dustymabe dustymabe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM. Do we need to do any more testing before merging or should we be good to go?

@marmijo
Copy link
Member Author

marmijo commented Sep 3, 2024

I think we should be good to go. I tested this locally and it resolved the kola-iso failures. I haven't done any testing to see if it also resolves the cloud failures for coreos/fedora-coreos-tracker#1784.

From last week's community meeting:

...let's try to reach out to the selinux-policy maintainers first to try to do this the proper way (either fixing the bug, or merging [travier's] PR)

I'm +1 for merging this now to work around all of these failures.
/unhold

@marmijo marmijo removed the hold label Sep 3, 2024
@dustymabe
Copy link
Member

fix conflict and set automerge

@marmijo
manifests: add selinux-workaround.yaml for >= F41
03d42bc 
Recent changes in the SELinux policy have broken a lot of our code.
Revert the affected domains back to permissive mode so we can
continue to build and test `releasever >= 41` until
fedora-selinux/selinux-policy#2257 merges
and the domains are reverted upstream or until the issue is resolved
altogether.

Add the workaround for `afterburn_t` as well so we can unblock
coreos/fedora-coreos-tracker#1784
@marmijo
denylist: remove entries for kola-ISO tests
4cc0404 
The selinux-workaround.yaml manifest reverts the coreos_installer_t
domain to workaround
coreos/fedora-coreos-tracker#1779 for now.
Remove the affected kola-ISO tests so we can run them again in CI.
@marmijo marmijo enabled auto-merge (rebase) September 3, 2024 21:22
dustymabe
dustymabe approved these changes Sep 4, 2024
View reviewed changes
Copy link
Member

@dustymabe dustymabe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@marmijo marmijo merged commit 0720411 into coreos:testing-devel Sep 4, 2024
3 checks passed
This was referenced Sep 5, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dustymabe dustymabe dustymabe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@marmijo @dustymabe @jlebon