Bug 1420296

Summary: beah runs test with bad selinux context
Product: [Retired] Beaker Reporter: Dalibor Pospíšil <dapospis>
Component: beahAssignee: beaker-dev-list
Status: CLOSED EOL QA Contact: tools-bugs <tools-bugs>
Severity: medium Docs Contact:
Priority: low    
Version: developCC: mastyk, mjia
Target Milestone: ---Keywords: Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-11 12:17:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
workaround.patch none

Description Dalibor Pospíšil 2017-02-08 11:42:50 UTC
Created attachment 1248590 [details]
workaround.patch

Description of problem:
In the tortilla script, there's check for selinux role and typy. Currently the problem is missing MCS range which is not detected by tortilla script. The issue appears since RHEL-7.3 AFAIK.

Version-Release number of selected component (if applicable):
beah-0.7.10-1.el7_2

How reproducible:
100%

Steps to Reproduce:
1. run id as a task in beaker
2. run 'sandbox true' as a task in beaker

Actual results:
system_u:unconfined_r:unconfined_t:s0
/usr/bin/sandbox: User account must be setup with an MCS Range

Expected results:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
command should pass

Additional info:
In the tortilla script, there is an insufficient check for context. If the check passes, no context change is done. This can be safely omitted and the context change can be done everytime as it does not break anything. I'm using attached workaround for quite long time and it works as expected.

Comment 3 Martin Styk 2020-02-11 12:17:43 UTC
Beah is no longer supported by Beaker development team.
Instead of that, we are working on Restraint test harness. You can find all the features of Restraint here.

https://restraint.readthedocs.io/en/latest/

If you think your RFE should be still implemented as part of Restraint feel free to create a new BZ ticket.

https://bugzilla.redhat.com/enter_bug.cgi?product=Restraint

In case you have any question feel free to reach out to me
Thank you,
Martin Styk <martin.styk@redhat.com>