#8514 Nightly failure (enforcing mode) in test_acme.py::TestACME::test_mod_md
Opened 3 months ago by frenaud. Modified 3 hours ago

Issue

The nightly test test_acme.py::TestACME::test_mod_md is failing in enforcing mode on master + fedora 32, see PR #422.

The report and logs show AVCs on the client binding to port 443:

avc:  denied  { name_connect } for  pid=20605 comm="httpd" dest=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

Metadata Update from @frenaud:
- Issue tagged with: test-failure, tests

3 months ago

If I pass this into audit2allow I get:

 #!!!! This avc is allowed in the current policy
 allow httpd_t http_port_t:tcp_socket name_connect;

Should this be set up by the test_acme.py itself? It shouldn't be part of IPA policy as it is needed for the test, not for IPA itself.

On F32 anyway this operation is already allowed by policy, I don't know which one, according to audit2allow. So I'm surprised it failed with this.

Similar error observed in [testing_master_testing_selinux] Nightly PR #526
Logs

Metadata Update from @rcritten:
- Issue assigned to rcritten

10 days ago

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1885126

10 days ago

It fails because the SELinux policy is enabled on IPA servers but this test is executed on the client. I think we just need a call to setsebool httpd_can_network_connect=on.

Similar error observed in [testing_master_pki] Nightly PR #560
report

Login to comment on this ticket.

Metadata