tests/kola: remove dtb exceptions in upgrade test SELinux checks #3237

Merged
29 changes: 27 additions & 2 deletions tests/kola/upgrade/extended/test.sh
@@ -162,10 +162,34 @@ wait-for-coreos-fix-selinux-labels() {
echo "Waited for coreos-fix-selinux-labels.service to finish"
}

# Check if the rollback deployment has the dtb copy fix, which
# means that the dtb files should have the correct SELinux labels.
# https://github.com/coreos/fedora-coreos-tracker/issues/1808
#
# NOTE: we can drop this once the newest barrier release for all
# streams is newer than 41.20241028.x.x.
has_dtb_cp_fix() {
# The dtb copy issue was only ever an issue ever on aarch64
[ "$(arch)" != 'aarch64' ] && return 0
# We have the dtb copy fix if the rollback deployment is newer than
# when the fixed ostree was included. It should be fixed in the
# next round of releases after 41.20241028. Note 41.20241028.0.0
# is not a real build and uses `0` for the stream identifier, but
# should sort accordingly.
previous=$(rpm-ostree status --json | jq -r '.deployments[] | select(.booted == false).version')
if ! vergt $previous '41.20241028.0.0'; then
return 1
else
return 0
fi
}

selinux-sanity-check() {
# First make sure the migrations/fix script has finished if this is the boot
# where the fixes are taking place.
wait-for-coreos-fix-selinux-labels
# Check to see if we have the dtb copy fix
has_dtb_cp_fix || add_dtb_exception='true'
# Verify SELinux labels are sane. Migration scripts should have cleaned
# up https://github.com/coreos/fedora-coreos-tracker/issues/1772
unlabeled="$(find /sysroot -context '*unlabeled_t*' -print0 | xargs --null -I{} ls -ldZ '{}')"
@@ -206,8 +230,9 @@ selinux-sanity-check() {
# Add in a few temporary glob exceptions
# https://github.com/coreos/fedora-coreos-tracker/issues/1806
[[ "${path}" =~ /etc/selinux/targeted/active/ ]] && continue
# https://github.com/coreos/fedora-coreos-tracker/issues/1808
[[ "${path}" =~ /boot/ostree/.*/dtb ]] && continue
if [ "${add_dtb_exception}" == 'true' ]; then
[[ "${path}" =~ /boot/ostree/.*/dtb ]] && continue
fi
if [[ "${exceptions[$path]:-noexception}" == 'noexception' ]]; then
echo "Unexpected mislabeled file found: ${path}"
found="1"
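Review bot: In `has_dtb_cp_fix` the call `vergt $previous '41.20241028.0.0'` expands `previous` unquoted, and the jq filter `select(.booted == false)` can print no version or several, so `vergt` may receive the wrong number of arguments. Any failure of that comparison makes the function return 1, which turns the dtb exception on, so the SELinux label check is relaxed exactly when the rollback version could not be determined. I would quote it as `vergt "${previous}" '41.20241028.0.0'` and fail the test when `previous` is empty or spans more than one line, rather than falling through to the exception. Separately, `add_dtb_exception` is only ever assigned `'true'` and is read as `"${add_dtb_exception}"` in the second hunk; if the script runs under `set -u` (not visible here) that read aborts whenever the fix is present, so `local add_dtb_exception='false'` at the top of `selinux-sanity-check` would make the default explicit. The body of `selinux-sanity-check` continues outside both hunks.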