#8514 Nightly failure (enforcing mode) in test_acme.py::TestACME::test_mod_md
Closed: fixed 3 years ago by abbra. Opened 3 years ago by frenaud.

Issue

The nightly test test_acme.py::TestACME::test_mod_md is failing in enforcing mode on master + fedora 32, see PR #422.

The report and logs show AVCs on the client binding to port 443:

avc:  denied  { name_connect } for  pid=20605 comm="httpd" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

Metadata Update from @frenaud:
- Issue tagged with: test-failure, tests

3 years ago

If I pass this into audit2allow I get:

 #!!!! This avc is allowed in the current policy
 allow httpd_t http_port_t:tcp_socket name_connect;

Should this be set up by the test_acme.py itself? It shouldn't be part of IPA policy as it is needed for the test, not for IPA itself.

On F32 anyway this operation is already allowed by policy, I don't know which one, according to audit2allow. So I'm surprised it failed with this.

Similar error observed in [testing_master_testing_selinux] Nightly PR #526
Logs

Metadata Update from @rcritten:
- Issue assigned to rcritten

3 years ago

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1885126

3 years ago

It fails because the SELinux policy is enabled on IPA servers but this test is executed on the client. I think we just need a call to setsebool httpd_can_network_connect=on.

Similar error observed in [testing_master_pki] Nightly PR #560
report

Fixing this would require us to import and maintain the upstream SELinux policy. This is more effort than we need to expend. We aren't supporting mod_md directly, just testing that multiple clients work. This could be a blackhole of work.

Instead I'll skip the test in SELinux mode.

master:

  • df4380c Skip the ACME mod_md test when the client is in enforcing mode

ipa-4-9:

  • 2d576d5 Skip the ACME mod_md test when the client is in enforcing mode

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Login to comment on this ticket.

Metadata