[WIP] many: cgroupsv2 spread run #7193

Closed
wants to merge 7 commits into from


bboozzoo
Collaborator

Only checking how far the spread tests can go.

@bboozzoo
Collaborator Author

Some of the patches in the branch are in master already. Let's see what fails after a merge from master.

@bboozzoo bboozzoo changed the title [WIP] cgroupsv2 spread run [WIP] many: cgroupsv2 spread run Sep 20, 2019
@zyga
Collaborator

zyga commented Oct 18, 2019

@bboozzoo can you please rebase this and perhaps propose parts separately?

There are some new SELinux denials:

+ ausearch -i -m AVC --checkpoint /home/gopath/src/github.com/snapcore/snapd/tests/runtime-state/audit-stamp --start checkpoint
----
type=AVC msg=audit(09/20/19 08:32:48.864:933) : avc:  denied  { relabelto } for  pid=13222 comm=unsquashfs name=snap.yaml dev="sda1" ino=8205 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.864:934) : avc:  denied  { setattr } for  pid=13222 comm=unsquashfs name=snap.yaml dev="sda1" ino=8205 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.864:935) : avc:  denied  { relabelto } for  pid=13222 comm=unsquashfs name=meta dev="sda1" ino=8204 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.864:936) : avc:  denied  { setattr } for  pid=13222 comm=unsquashfs name=meta dev="sda1" ino=8204 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.865:937) : avc:  denied  { search } for  pid=12945 comm=snapd name=unpack dev="sda1" ino=8203 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.865:938) : avc:  denied  { read } for  pid=12945 comm=snapd name=snap.yaml dev="sda1" ino=8205 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.865:939) : avc:  denied  { open } for  pid=12945 comm=snapd path=/tmp/read-file901211458/unpack/meta/snap.yaml dev="sda1" ino=8205 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.865:940) : avc:  denied  { getattr } for  pid=12945 comm=snapd path=/tmp/read-file901211458/unpack/meta/snap.yaml dev="sda1" ino=8205 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.865:941) : avc:  denied  { getattr } for  pid=12945 comm=snapd path=/tmp/read-file901211458/unpack dev="sda1" ino=8203 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.866:942) : avc:  denied  { read } for  pid=12945 comm=snapd name=unpack dev="sda1" ino=8203 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.866:943) : avc:  denied  { open } for  pid=12945 comm=snapd path=/tmp/read-file901211458/unpack dev="sda1" ino=8203 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.866:944) : avc:  denied  { write } for  pid=12945 comm=snapd name=unpack dev="sda1" ino=8203 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.866:945) : avc:  denied  { remove_name } for  pid=12945 comm=snapd name=snap.yaml dev="sda1" ino=8205 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.866:946) : avc:  denied  { unlink } for  pid=12945 comm=snapd name=snap.yaml dev="sda1" ino=8205 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(09/20/19 08:32:48.866:947) : avc:  denied  { rmdir } for  pid=12945 comm=snapd name=meta dev="sda1" ino=8204 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 
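
A triage sketch for the denials quoted above, added here as an example and not part of the PR or of snapd: it parses `ausearch -i` AVC records and groups them by source type, target type and object class. The function names are this example's own, and the four-record sample is copied from the output above.

```python
import re
from collections import defaultdict

# Constructed sample: four records copied from the ausearch output above.
SAMPLE = """\
type=AVC msg=audit(09/20/19 08:32:48.864:933) : avc:  denied  { relabelto } for  pid=13222 comm=unsquashfs name=snap.yaml dev="sda1" ino=8205 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(09/20/19 08:32:48.864:935) : avc:  denied  { relabelto } for  pid=13222 comm=unsquashfs name=meta dev="sda1" ino=8204 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(09/20/19 08:32:48.865:937) : avc:  denied  { search } for  pid=12945 comm=snapd name=unpack dev="sda1" ino=8203 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
type=AVC msg=audit(09/20/19 08:32:48.866:946) : avc:  denied  { unlink } for  pid=12945 comm=snapd name=snap.yaml dev="sda1" ino=8205 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None  # "----" separators, command echo, non-AVC records
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    return rec


def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "enforced": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # A context is user:role:type:level; the type is the third field.
        src = rec["scontext"].split(":")[2]
        tgt = rec["tcontext"].split(":")[2]
        g = groups[(src, tgt, rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        # permissive=1 means the access was logged but not blocked.
        g["enforced"] += rec.get("permissive") == "0"
    return {k: {"perms": sorted(v["perms"]), "comms": sorted(v["comms"]),
                "enforced": v["enforced"]} for k, v in groups.items()}


if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

Both groups in the sample have `snappy_t` as the source and `unlabeled_t` as the target, and every record carries `permissive=1`, so the accesses were logged but not blocked.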

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
LXD from edge has support for cgroupv2 enabled.

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
@bboozzoo
Collaborator Author

#7702 adds Fedora 31 to spread system. Since F31 already defaults to unified hierarchy, there is no need for this PR anymore.

@bboozzoo bboozzoo closed this Oct 31, 2019