Skip to content

tests/kola: Add lockdown LSM test #3326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: testing-devel
Choose a base branch
from
Open

tests/kola: Add lockdown LSM test #3326

wants to merge 1 commit into from

Conversation

travier
Copy link
Member

@travier travier commented Jan 20, 2025

@travier travier force-pushed the lockdown-lsm branch 2 times, most recently from 4f6d317 to 709c6cd Compare January 21, 2025 10:27
jlebon
jlebon reviewed Jan 22, 2025
View reviewed changes
@travier
Copy link
Member Author

travier commented Feb 20, 2025

Will rebase / update once https://bodhi.fedoraproject.org/updates/FEDORA-2025-cca2fcc70c lands in FCOS.

@travier travier force-pushed the lockdown-lsm branch 2 times, most recently from 66efa57 to c8f236f Compare March 10, 2025 09:58
@travier
Copy link
Member Author

travier commented Mar 10, 2025

Updated to account for both Secure Boot and non-SB runs. This should work on all architectures but running it only on x86_64 and aarch64 makes sense.

This needs some special tagging so it only runs on Secure Boot, but I don't think we have something yet, so it'll likely need some kola work.

Hum, do you mean that we should add a special kola tag so that it runs this test in a SB enabled VM? We indeed don't run the general kola tests with SB enabled AFAIK.

@cverna cverna added the jira For syncing to Jira. Only works for issues (i.e. not PRs) label May 15, 2025
@travier travier mentioned this pull request May 21, 2025
Open
@travier travier removed the jira For syncing to Jira. Only works for issues (i.e. not PRs) label May 21, 2025
@travier
Copy link
Member Author

travier commented May 21, 2025

Created coreos/coreos-assembler#4112 to track the work in kola

@PeaceRebel PeaceRebel mentioned this pull request May 27, 2025
Open
travier
travier commented May 27, 2025
View reviewed changes
travier
travier commented May 28, 2025
View reviewed changes
Copy link
Member Author

@travier travier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small nits but LGTM. You can wait to push the fixes as the CI will fail until we get the PR in COSA.

@PeaceRebel
Copy link

Merge after coreos/coreos-assembler#4114

dustymabe
dustymabe reviewed May 28, 2025
View reviewed changes
dustymabe
dustymabe reviewed May 28, 2025
View reviewed changes
tests/kola/security/lockdown
@@ -0,0 +1,24 @@
#!/bin/bash
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we'll need to denylist this test for all centos stuff in the rhel-coreos-config.

we could add a distros: entry here but I prefer to keep all the "overrides" for the secureboot in centos problem in the same place.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I'll take a look at this.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dustymabe Here's the PR for this. coreos/rhel-coreos-config#15

PeaceRebel added a commit to PeaceRebel/rhel-coreos-config that referenced this pull request May 29, 2025
@PeaceRebel
tests/kola/ext: Skip lockdown LSM for all centos
88e52fe 
Add ext.config.security.lockdown to kola-denylist.yaml for centos
version 9, 10, 10.1

Related to: coreos/coreos-assembler#4112
Needed for: coreos/fedora-coreos-config#3326
PeaceRebel added a commit to PeaceRebel/rhel-coreos-config that referenced this pull request May 29, 2025
@PeaceRebel
tests/kola/ext: Skip lockdown LSM test for all centos
cef6623 
Add ext.config.security.lockdown to kola-denylist.yaml for centos
version 9, 10, 10.1

Related to: coreos/coreos-assembler#4112
Needed for: coreos/fedora-coreos-config#3326
@PeaceRebel PeaceRebel mentioned this pull request May 29, 2025
Open
@PeaceRebel PeaceRebel requested a review from dustymabe May 29, 2025 14:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jlebon jlebon jlebon left review comments

@PeaceRebel PeaceRebel PeaceRebel left review comments

@HuijingHei HuijingHei HuijingHei left review comments

@dustymabe dustymabe Awaiting requested review from dustymabe

At least 1 approving review is required to merge this pull request.

Assignees

@PeaceRebel PeaceRebel

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@travier @PeaceRebel @dustymabe @jlebon @HuijingHei @cverna