Open aaradhak opened 2 months ago
Opened a BZ for this selinux-policy avc denial - https://bugzilla.redhat.com/show_bug.cgi?id=2306352
A workaround was added for this in: https://github.com/coreos/fedora-coreos-config/pull/3127.
We're now able to run the affected kola cloud tests in rawhide
and branched
.
Describe the bug
In the recent rawhide & branched cloud platform builds, the kola tests are failing due to an error in the afterburn service.
harness.go:1823: mach.Start() failed: machine "i-0c58eeb79e70a7d44" failed basic checks: detected failed or stuck systemd units: some systemd units failed: afterburn-sshkeys@core.service; <nil>
On further debugging, it is found that the afterburn process attempted to write to the /var/home/core/.ssh/authorized_keys.d/ directory but was denied by SELinux . This denial caused the afterburn-sshkeys service to fail with a "Permission denied (os error 13)" error.
This seems to be like a selinux-policy issue.
Apart from the above AVC denials, came across few other AVC denials in the journal log as below:
Reproduction steps
Start a pipeline job build of the kola cloud platforms.
Expected behavior
The SELinux policy to allow the afterburn process to write to the directory in question.
Actual behavior
kola tests fails with this error:
harness.go:1823: mach.Start() failed: machine "i-0c58eeb79e70a7d44" failed basic checks: detected failed or stuck systemd units: some systemd units failed: afterburn-sshkeys@core.service; <nil>
System details
Kola cloud platform pipeline jobs. Streams - rawhide & branched
Butane or Ignition config
No response
Additional information
There's a similar afterburn issue that was filed against c9s that was fixed, but possibly the fixes there need to be brought to Fedora too: https://issues.redhat.com/browse/RHEL-49735