manifests: add selinux-workaround.yaml for >= F41 #3127
This was discussed in the community meeting today (2024-08-28):
/hold
@marmijo let's convert this into its own manifest yaml file, conditionally included on all F41 releases and then target this PR for
@jlebon do you know if there are downsides to running
f5585db to 706d1e6
Done!
Not sure if that's what you mean, but note that the binary policy file isn't shipped in Fedora. On package-mode systems, it's always built client-side. In image-mode systems, it's kinda silly because we recompile it multiple times (once from the scriptlets, and once by rpm-ostree at the end, and now this PR would add a third recompilation in between), but meh... Probably worth linking the prior art in openshift/os I think this is based on. The main downside I see is more the higher-level/more social issue of undoing what selinux-policy does, but hopefully that's temporary.
Agree. I think this is just us getting ourselves unblocked. It looks like we're going to be working with selinux on multiple issues related to the new confinements for some time and this will help reduce the time pressure there.
- `coreos.ignition.ssh.key` - pending afterburn release: coreos/afterburn#1095
- kola-iso tests
  - coreos/fedora-coreos-tracker#1779 is still unresolved.
  - coreos#3127 might unblock these tests for now.
- `ext.config.kdump.crash` - this test is still failing in rawhide and branched.
Can we add a similar workaround here for afterburn (related to coreos/fedora-coreos-tracker#1784)?
706d1e6 to 77c1f9a
Added!
This LGTM. Do we need to do any more testing before merging or should we be good to go?
I think we should be good to go. I tested this locally and it resolved the kola-iso failures. I haven't done any testing to see if it also resolves the cloud failures for coreos/fedora-coreos-tracker#1784. From last week's community meeting:
I'm +1 for merging this now to work around all of these failures.
fix conflict and set automerge
Recent changes in the SELinux policy have broken a lot of our code. Revert the affected domains back to permissive mode so we can continue to build and test `releasever >= 41` until fedora-selinux/selinux-policy#2257 merges and the domains are reverted upstream or until the issue is resolved altogether. Add the workaround for `afterburn_t` as well so we can unblock coreos/fedora-coreos-tracker#1784
The selinux-workaround.yaml manifest reverts the coreos_installer_t domain to work around coreos/fedora-coreos-tracker#1779 for now. Remove the affected kola-ISO tests so we can run them again in CI.
77c1f9a to 4cc0404
LGTM
Recent changes in the SELinux policy have broken a lot of our code. Add a `selinux-workaround.yaml` file to revert the affected domains back to permissive mode until fedora-selinux/selinux-policy#2257 merges and the domains are reverted back to permissive mode upstream or the issue is resolved altogether. The `selinux-workaround.yaml` file is included only when `releasever >= 41` since we are seeing these issues in `branched` and `rawhide`.

EDIT: Remove the kola-iso test entries for `rawhide` and `branched` from the kola-denylist file. These tests no longer fail with the coreos_installer_t domain reverted back to permissive.

EDIT 2: Add the workaround for afterburn_t as well.

- bootupd_t: https://bugzilla.redhat.com/show_bug.cgi?id=2300306
- coreos_installer_t:
- afterburn_t
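A workaround of this kind deliberately weakens enforcement for a short list of domains, so the thing worth checking on a built image is that the loosening stays exactly that narrow: the intended domains are permissive and nothing else is. The script below is an added example, not code from this PR or from fedora-coreos-config. It parses output in the shape `semanage permissive -l` prints and compares the "Customized Permissive Types" section against an allow-list; the allow-list contents, the function names and both sample outputs (including the made-up domain `unrelated_example_t`) are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from this PR or from fedora-coreos-config.
# Checks that a "revert domains to permissive" workaround loosened only the
# intended domains, by comparing the customized permissive set to an allow-list.
set -eu

# Domains this PR describes reverting to permissive (the allow-list).
EXPECTED_PERMISSIVE="coreos_installer_t afterburn_t bootupd_t"

# Constructed sample in the shape `semanage permissive -l` prints: here the
# workaround applied exactly as intended ...
SAMPLE_OK='Builtin Permissive Types

Customized Permissive Types
afterburn_t
coreos_installer_t
bootupd_t'

# ... and here bootupd_t and afterburn_t are missing while an unrelated domain
# (unrelated_example_t, a made-up name) has also been made permissive.
SAMPLE_DRIFT='Builtin Permissive Types

Customized Permissive Types
coreos_installer_t
unrelated_example_t'

# customized_permissive OUTPUT: print the domains listed under
# "Customized Permissive Types", one per line; the builtin section is skipped.
customized_permissive() {
    printf '%s\n' "$1" | awk '
        /^Customized Permissive Types/ { section = 1; next }
        /^Builtin Permissive Types/    { section = 0; next }
        section && NF                  { print $1 }'
}

# check_permissive OUTPUT: return 0 only when the customized permissive set
# equals EXPECTED_PERMISSIVE. Otherwise name each domain that is permissive but
# not intended (policy looser than planned) or intended but not permissive
# (workaround did not apply), and return 1.
check_permissive() {
    cp_actual=$(customized_permissive "$1" | tr '\n' ' ')
    cp_rc=0
    for cp_d in $cp_actual; do
        case " $EXPECTED_PERMISSIVE " in
            *" $cp_d "*) ;;
            *) echo "unexpected permissive domain: $cp_d"; cp_rc=1 ;;
        esac
    done
    for cp_d in $EXPECTED_PERMISSIVE; do
        case " $cp_actual " in
            *" $cp_d "*) ;;
            *) echo "intended domain not permissive: $cp_d"; cp_rc=1 ;;
        esac
    done
    return $cp_rc
}

# On a real host, feed live output instead of the sample:
#   check_permissive "$(semanage permissive -l)"
check_permissive "$SAMPLE_OK" && echo "workaround scope OK"
```

Run as a post-build or kola-style check it fails in both directions: a domain left enforcing means the workaround did not take effect, and an extra permissive domain means the image is weaker than the change intended, which is the kind of drift that is easy to miss once a "temporary" manifest has been in place for a while.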