Bug 1686004 - Nova tests failing on RHEL8
Summary: Nova tests failing on RHEL8
Status: ASSIGNED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Julie Pichon
QA Contact: nlevinki
Reported: 2019-03-06 14:02 UTC by Nir Magnezi
Modified: 2019-03-08 04:32 UTC


Description Nir Magnezi 2019-03-06 14:02:01 UTC
Description of problem:
=======================
While working on bug 1684885, I noticed the following errors produced when using the master branch:

Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/os-nova/cil:23
OSError: [Errno 0] Error
Setting OpenStack booleans...
ValueError: Boolean os_nova_use_execmem is not defined

Find full output here: https://gist.github.com/nmagnezi/39b33d755165eedc280e111dbe42e964#file-gistfile1-txt-L284-L287

How reproducible:
=================
Always

Steps to Reproduce:
===================
1. Run 'make clean all install check' on an RHEL8 machine.

Comment 1 Julie Pichon 2019-03-06 14:27:21 UTC
Investigating.

Comment 2 Julie Pichon 2019-03-06 15:56:24 UTC
Seems like it's an issue with os-virt as well. The other modules appear fine.

Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/os-virt/cil:7

Comment 3 Julie Pichon 2019-03-06 17:12:07 UTC
I managed to look into the cil files with the help of /usr/libexec/selinux/hll/pp.

It looks like os-nova is failing on:

(typeattributeset cil_gen_require container_share_t)

and os-virt on:

(typeattributeset cil_gen_require spc_t)
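
Added example, not part of the bug comments or of the openstack-selinux project: a Python check that lists the cil_gen_require statements in a module's CIL text whose names are declared neither by the module nor by the policy, which is the condition behind the "Failed to resolve typeattributeset statement" errors quoted above. The CIL sample and both name sets are constructed; on a real host the policy name set would have to be collected from the loaded policy.

```python
import re

# "require { type X; }" in a policy module becomes this statement in CIL.
REQUIRE_RE = re.compile(r"\(\s*typeattributeset\s+cil_gen_require\s+([\w.]+)\s*\)")
# Types and attributes the module declares itself.
DECLARE_RE = re.compile(r"\(\s*(?:type|typeattribute)\s+([\w.]+)\s*\)")


def _code_lines(cil_text):
    """Yield (line_number, text) with CIL ';' comments stripped."""
    for lineno, line in enumerate(cil_text.splitlines(), start=1):
        yield lineno, line.split(";", 1)[0]


def unresolved_requires(cil_text, policy_names):
    """Return [(line_number, name)] for each required name that is neither
    declared in the module nor present in policy_names."""
    known = set(policy_names)
    # First pass: a declaration may appear after the require that needs it.
    for _, line in _code_lines(cil_text):
        known.update(DECLARE_RE.findall(line))
    # Second pass: report requires that nothing satisfies, with line numbers
    # in the same "cil:<line>" form the semodule error uses.
    return [
        (lineno, name)
        for lineno, line in _code_lines(cil_text)
        for name in REQUIRE_RE.findall(line)
        if name not in known
    ]


# Constructed sample, not the real os-nova or os-virt module.
SAMPLE_CIL = """\
(typeattributeset cil_gen_require virtd_t)
(typeattributeset cil_gen_require container_share_t)
(typeattributeset cil_gen_require spc_t)
(typeattributeset cil_gen_require example_local_t)
(type example_local_t)
; (typeattributeset cil_gen_require commented_out_t)
(allow virtd_t container_share_t (file (read getattr)))
"""

BASE_POLICY = {"virtd_t"}  # constructed stand-in for the base policy
# Assumption: names supplied by the extra package from the workaround.
CONTAINER_NAMES = {"container_share_t", "spc_t"}

if __name__ == "__main__":
    for lineno, name in unresolved_requires(SAMPLE_CIL, BASE_POLICY):
        print(f"cil:{lineno}: required name {name} is not defined")
```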

Comment 4 Julie Pichon 2019-03-07 09:30:07 UTC
Workaround: It looks like the issue is resolved after installing the containers-selinux package. This causes a bunch of "duplicate definition" warnings to be displayed, but the rest works well including the tests.

Note that I'm not seeing the same issue on Fedora 29 despite not having that package, so perhaps there is a fix in a more recent version of the selinux policy (selinux-policy-3.14.2-47.fc29.noarch vs selinux-policy-3.14.1-61.el8.noarch).

Comment 5 Nir Magnezi 2019-03-07 09:59:52 UTC
(In reply to Julie Pichon from comment #4)
> Workaround: It looks like the issue is resolved after installing the
> containers-selinux package. This causes a bunch of "duplicate definition"
> warnings to be displayed, but the rest works well including the tests.
> 
> Note that I'm not seeing the same issue on Fedora 29 despite not having that
> package, so perhaps there is a fix in a more recent version of the selinux
> policy (selinux-policy-3.14.2-47.fc29.noarch vs
> selinux-policy-3.14.1-61.el8.noarch).

I can confirm that it worked for me as you described:
Without container-selinux: https://gist.github.com/nmagnezi/bf9620593462cd64a25c5ff7f1a34ccb
With container-selinux: https://gist.github.com/nmagnezi/2709b93ad7aca1856b6b84933dd5c426

