platform/util: enable selinux logs for SELinux tests #180

Merged
merged 1 commit into from
Jul 6, 2021


tormath1
Contributor

By default, all kola tests run setenforce 1. This change allows users to read SELinux AVC logs from kola logs. Flatcar natively prevents AVC log gathering (https://github.com/kinvolk/coreos-overlay/blob/main/sys-process/audit/files/rules.d/80-selinux.rules)

It will make it easier to identify SELinux-related errors.

How to use

before

cat _kola_temp/qemu-2021-06-22-1518-657712/docker.torcx-manifest-pkgs/151167d1-5fde-4862-93bc-312debdd4814/console.txt
...
[  167.267644] IPv6: ADDRCONF(NETDEV_CHANGE): veth1cda38f: link becomes ready
[  167.269177] docker0: port 1(veth1cda38f) entered blocking state
[  167.270341] docker0: port 1(veth1cda38f) entered forwarding state
[  167.350524] docker0: port 1(veth1cda38f) entered disabled state
[  167.352651] vethfac6db4: renamed from eth0
[  167.370865] docker0: port 1(veth1cda38f) entered disabled state
[  167.373590] device veth1cda38f left promiscuous mode

after

cat _kola_temp/qemu-latest/docker.torcx-manifest-pkgs/8b6b8551-b49e-467f-bba4-00702bda9429/console.txt
[  165.151453] docker0: port 1(veth8f24c8f) entered forwarding state
[  165.197868] audit: type=1400 audit(1624369059.983:507): avc:  denied  { read } for  pid=9403 comm="sh" path="pipe:[40100]" dev="pipefs" ino=40100 scontext=system_u:system_r:svirt_lxc_net_t:s0:c98,c688 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=0
[  165.204510] audit: type=1400 audit(1624369059.983:507): avc:  denied  { write } for  pid=9403 comm="sh" path="pipe:[40101]" dev="pipefs" ino=40101 scontext=system_u:system_r:svirt_lxc_net_t:s0:c98,c688 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=0
[  165.273261] docker0: port 1(veth8f24c8f) entered disabled state
[  165.279903] veth880cb8f: renamed from eth0
[  165.308471] docker0: port 1(veth8f24c8f) entered disabled state

Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
@tormath1 tormath1 added the enhancement New feature or request label Jun 22, 2021
@tormath1 tormath1 requested a review from a team June 22, 2021 14:05
@tormath1 tormath1 self-assigned this Jun 22, 2021
@tormath1 tormath1 merged commit 8413819 into flatcar-master Jul 6, 2021
@tormath1 tormath1 deleted the tormath1/selinux-logs branch July 6, 2021 15:28
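
An added example (not part of this PR or of kola's code): one way to triage the AVC denials that this change makes visible in console.txt, grouping them by source type, target type and object class. The function names are hypothetical, and the sample lines are copied from the "after" output in the description above.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the "after" console.txt in the PR description.
SAMPLE_CONSOLE = """\
[  165.151453] docker0: port 1(veth8f24c8f) entered forwarding state
[  165.197868] audit: type=1400 audit(1624369059.983:507): avc:  denied  { read } for  pid=9403 comm="sh" path="pipe:[40100]" dev="pipefs" ino=40100 scontext=system_u:system_r:svirt_lxc_net_t:s0:c98,c688 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=0
[  165.204510] audit: type=1400 audit(1624369059.983:507): avc:  denied  { write } for  pid=9403 comm="sh" path="pipe:[40101]" dev="pipefs" ino=40101 scontext=system_u:system_r:svirt_lxc_net_t:s0:c98,c688 tcontext=system_u:system_r:kernel_t:s0 tclass=fifo_file permissive=0
[  165.273261] docker0: port 1(veth8f24c8f) entered disabled state
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC record, or None for any other console line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def se_type(context):
    """Extract the type from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize_denials(console_text):
    """Group denials by (source type, target type, class), merging permissions."""
    summary = defaultdict(lambda: {"perms": set(), "comms": set(), "enforced": False})
    for line in console_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (se_type(rec.get("scontext", "")), se_type(rec.get("tcontext", "")),
               rec.get("tclass", ""))
        entry = summary[key]
        entry["perms"].update(rec["perms"])
        entry["comms"].add(rec.get("comm", "?"))
        # permissive=0 means the access was actually blocked, not only logged.
        entry["enforced"] = entry["enforced"] or rec.get("permissive") == "0"
    return dict(summary)
```

Running summarize_denials over a whole console.txt collapses repeated denials into one entry per source/target/class triple, which is easier to compare between test runs than raw kernel log lines.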
@pothos
Member

pothos commented Jul 7, 2021

This doesn't work on arm64: kola: creating new machine for semver check: machine "9322ee7e-6111-4ea1-ade8-41c94ea6def9" failed to enable selinux: unable to enable SELinux audit logs: Process exited with status 5: Failed to restart audit-rules.service: Unit audit-rules.service not found.
