The nightly test test_acme.py::TestACME::test_mod_md is failing in enforcing mode on master + fedora 32, see PR #422.
The report and logs show AVCs on the client binding to port 443:
avc: denied { name_connect } for pid=20605 comm="httpd" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
Metadata Update from @frenaud: - Issue tagged with: test-failure, tests
If I pass this into audit2allow I get:
#!!!! This avc is allowed in the current policy
allow httpd_t http_port_t:tcp_socket name_connect;
Should this be set up by the test_acme.py itself? It shouldn't be part of IPA policy as it is needed for the test, not for IPA itself.
On F32 anyway this operation is already allowed by policy, I don't know which one, according to audit2allow. So I'm surprised it failed with this.
Similar error observed in [testing_master_testing_selinux] Nightly PR #526 Logs
Metadata Update from @rcritten: - Issue assigned to rcritten
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1885126
Issue linked to Bugzilla: Bug 1885126
It fails because the SELinux policy is enabled on IPA servers but this test is executed on the client. I think we just need a call to setsebool httpd_can_network_connect=on.
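As an added example (not code from this ticket or from FreeIPA), a small parser for the AVC format quoted above: it pulls out the source/target types and the permission, notes whether the denial was enforced or only logged (permissive=1), and maps the httpd_t name_connect case to the boolean proposed in the comment above. The boolean mapping and the second sample line are assumptions constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample input: the first line is the AVC quoted in this issue,
# the second is an invented permissive-mode variant for contrast.
SAMPLE_AVCS = [
    'avc: denied { name_connect } for pid=20605 comm="httpd" dest=443 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0',
    'avc: denied { name_connect } for pid=20606 comm="httpd" dest=8443 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC denial into a dict; return None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The SELinux type is the third field of a user:role:type:level context.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    # permissive=0 means the access was actually blocked, not just logged.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def suggested_boolean(rec: dict) -> Optional[str]:
    """Assumed mapping: httpd_t outbound TCP connect -> the boolean from this issue."""
    if (rec.get("scontext_type") == "httpd_t"
            and rec.get("tclass") == "tcp_socket"
            and "name_connect" in rec["perms"]):
        return "httpd_can_network_connect"
    return None
```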
Similar error observed in [testing_master_pki] Nightly PR #560 report
https://github.com/freeipa/freeipa/pull/5306
Fixing this would require us to import and maintain the upstream SELinux policy. This is more effort than we need to expend. We aren't supporting mod_md directly, just testing that multiple clients work. This could be a black hole of work.
Instead I'll skip the test in SELinux mode.
master:
ipa-4-9:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)