"Cirrus CI / Vagrant Fedora Rawhide based test" fails with error "setenforce: SELinux is disabled" #2406

Closed
Snorch opened this issue May 20, 2024 · 2 comments · Fixed by #2407

@Snorch

Snorch commented May 20, 2024

Description

Steps to reproduce the issue:
Reproduces in CI #2380 (review) https://github.com/checkpoint-restore/criu/pull/2380/checks?check_run_id=25148861695 while executing scripts/ci/run-ci-tests.sh

Describe the results you received:

+ setenforce Permissive
setenforce: SELinux is disabled

Describe the results you expected:

No error.

@adrianreber

It is unusual for Fedora to have SELinux disabled. We could extend our script to correctly handle disabled SELinux. There is a test earlier which checks if SELinux is mounted, which is usually a sign of a disabled SELinux system. Probably a bug in Fedora rawhide.

@adrianreber

Ah, okay. The rawhide test runs in a container. Containers always have SELinux disabled from the inside. Somehow /sys/fs/selinux is now mounted. We used the existence of that directory to check if SELinux is available. This seems to be no longer true.

Something like this could help:

diff --git a/scripts/ci/run-ci-tests.sh b/scripts/ci/run-ci-tests.sh
index c50dc4174..524adbac2 100755
--- a/scripts/ci/run-ci-tests.sh
+++ b/scripts/ci/run-ci-tests.sh
@@ -306,14 +306,18 @@ if [ "$skip" == 0 ]; then
        if [ -d /sys/fs/selinux ] && command -v getenforce &>/dev/null; then
                # Note: selinux in Enforcing mode prevents us from calling clone3() or writing to ns_last_pid on restore; hence set to Permissive for the test and then set back.
                selinuxmode=$(getenforce)
-               setenforce Permissive
+               if [ "$selinuxmode" != "Disabled" ]; then
+                       setenforce Permissive
+               fi
        fi
        # Run it as non-root in a user namespace. Since CAP_CHECKPOINT_RESTORE behaves differently in non-user namespaces (e.g. no access to map_files) this tests that we can dump and restore
        # under those conditions. Note that the "... && true" part is necessary; we need at least one statement after the tests so that bash can reap zombies in the user namespace,
        # otherwise it will exec the last statement and get replaced and nobody will be left to reap our zombies.
        sudo --user=#65534 --group=#65534 unshare -Ucfpm --mount-proc -- bash -c "./test/zdtm.py run -t zdtm/static/maps00 -f h --rootless && true"
        if [ -d /sys/fs/selinux ] && command -v getenforce &>/dev/null; then
-               setenforce "$selinuxmode"
+               if [ "$selinuxmode" != "Disabled" ]; then
+                       setenforce "$selinuxmode"
+               fi
        fi
        setcap -r criu/criu
 else
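
Review bot: The new guard `!= "Disabled"` in both blocks still calls `setenforce Permissive` when `getenforce` already reported Permissive, while the comment on the first block says only Enforcing mode breaks the test; testing `[ "$selinuxmode" = "Enforcing" ]` instead would cover the disabled case and also skip the no-op switch and restore. The outer condition `[ -d /sys/fs/selinux ] && command -v getenforce` is duplicated around the restore as well, so the second block depends on `selinuxmode` having been set by the first; initialising `selinuxmode` before the first block and folding the mode test into one condition used in both places would make that dependency explicit and remove the nested `if`.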
