containers / qm

QM is a containerized environment for running Functional Safety qm (Quality Management) software
https://github.com/containers/qm
GNU General Public License v2.0

selinux issues while running tests #451

Open Yarboa opened 1 month ago

Yarboa commented 1 month ago

Looking at the ffi packet test results, I see too many errors like this one:

Relabeled /var/lib/containers/storage/overlay-containers/da316b1062ee5dce9044b6bde054801891601d2e770f700dcfa1c08e2a5c75d5 from unconfined_u:object_r:container_var_lib_t:s0 to system_u:object_r:container_var_lib_t:s0

Please see this output: https://artifacts.dev.testing-farm.io/0f693132-db2f-43af-8363-e6d3196c1b73/work-ffikrs_25fp/plans/e2e/ffi/execute/data/guest/default-0/tests/ffi/qm-oom-score-adj-3/output.txt

Verify images are removed as per this:

  Now, if you remove a container from the container runtime and leave the content on disk,
  there is a chance the label will be reused. The best thing to do with this content is to
  change the type of the content when the container is removed. The command
  restorecon -rF /var/lib/previouscontainer will force the label of the content back to a
  label that containers can't read/write.

Yarboa commented 1 month ago

I think I understand the issue. Looking at the tests running in the CI gate, it looks like /tests/ffi/memory runs first; once the test is done, container content is left on disk and there is a chance the label will be reused. This is why we need to use restorecon -rF /var/lib/container on cleanup.

Please refer to this article: https://opensource.com/article/18/2/selinux-labels-container-runtimes
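An added example, not part of the issue thread or the QM project's code: a triage helper for "Relabeled … from … to …" lines in test output. It separates relabels that change only the SELinux user field, like the line quoted in the issue, from those that change the type or MCS level, the fields container separation relies on. The function names are hypothetical and the second sample line is constructed.

```python
import re
from collections import Counter

# Line format as quoted in the issue: "Relabeled <path> from <old> to <new>"
RELABEL_RE = re.compile(r"^Relabeled (?P<path>.+) from (?P<old>\S+) to (?P<new>\S+)$")
FIELDS = ("user", "role", "type", "level")

# First line is the one quoted in the issue; the second is constructed for illustration.
SAMPLE = """\
Relabeled /var/lib/containers/storage/overlay-containers/da316b1062ee5dce9044b6bde054801891601d2e770f700dcfa1c08e2a5c75d5 from unconfined_u:object_r:container_var_lib_t:s0 to system_u:object_r:container_var_lib_t:s0
Relabeled /var/lib/previouscontainer/rootfs from system_u:object_r:container_file_t:s0:c12,c34 to system_u:object_r:var_lib_t:s0
some unrelated test output
"""

def split_context(ctx):
    """Split user:role:type:level; the level may itself contain ':' (s0:c12,c34)."""
    parts = ctx.split(":", 3)
    return dict(zip(FIELDS, parts)) if len(parts) == 4 else None

def parse_relabels(text):
    """Return one record per relabel line, noting which context fields changed."""
    events = []
    for line in text.splitlines():
        m = RELABEL_RE.match(line.strip())
        if not m:
            continue  # not a relabel message
        old, new = split_context(m["old"]), split_context(m["new"])
        if old is None or new is None:
            continue  # malformed context, skip rather than guess
        changed = tuple(f for f in FIELDS if old[f] != new[f])
        events.append({"path": m["path"], "old": old, "new": new, "changed": changed})
    return events

def summarize(events):
    """Count relabels grouped by the set of fields that changed."""
    return Counter(e["changed"] for e in events)

def enforcement_relevant(events):
    """Relabels that changed the type or the MCS level."""
    return [e for e in events if "type" in e["changed"] or "level" in e["changed"]]

if __name__ == "__main__":
    evs = parse_relabels(SAMPLE)
    for fields, count in summarize(evs).items():
        print(count, "relabel(s) changed:", ", ".join(fields))
    for e in enforcement_relevant(evs):
        print("review:", e["path"], e["old"]["type"], "->", e["new"]["type"])
```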