Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1686004

Summary: Nova tests failing on RHEL8
Product: Red Hat OpenStack
Reporter: Nir Magnezi <nmagnezi>
Component: openstack-selinux
Assignee: Julie Pichon <jpichon>
Status: CLOSED NOTABUG
QA Contact: nlevinki <nlevinki>
Severity: medium
Priority: low
Version: 15.0 (Stein)
CC: lhh, zcaplovi
Keywords: Triaged, ZStream
Last Closed: 2019-11-08 14:35:32 UTC
Type: Bug

Description Nir Magnezi 2019-03-06 14:02:01 UTC
Description of problem:
=======================
While working on bug 1684885, I noticed the following errors produced when using the master branch:

Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/os-nova/cil:23
OSError: [Errno 0] Error
Setting OpenStack booleans...
ValueError: Boolean os_nova_use_execmem is not defined

Find full output here: https://gist.github.com/nmagnezi/39b33d755165eedc280e111dbe42e964#file-gistfile1-txt-L284-L287

How reproducible:
=================
Always

Steps to Reproduce:
===================
1. Run 'make clean all install check' on an RHEL8 machine.

Comment 1 Julie Pichon 2019-03-06 14:27:21 UTC
Investigating.

Comment 2 Julie Pichon 2019-03-06 15:56:24 UTC
Seems like it's an issue with os-virt as well. The other modules appear fine.

Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/os-virt/cil:7

Comment 3 Julie Pichon 2019-03-06 17:12:07 UTC
I managed to look into the cil files with the help of /usr/libexec/selinux/hll/pp.

It looks like os-nova is failing on:

(typeattributeset cil_gen_require container_share_t)

and os-virt on:

(typeattributeset cil_gen_require spc_t)
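
The check described in Comment 3, as an added example that is not part of the bug report or of openstack-selinux: it lists every name a CIL module requires through `(typeattributeset cil_gen_require NAME)` and reports the ones missing from a list of names the loaded policy defines. The function names, the file names and the sample contents are hypothetical; the CIL text is assumed to come from the pp tool mentioned above.

```shell
#!/bin/sh
# Added example, not the project's code. Function and file names are
# hypothetical; the sample CIL and the "defined" list are constructed.

# Print each NAME from "(typeattributeset cil_gen_require NAME)" once.
cil_required_names() {
    sed -n 's/^[[:space:]]*(typeattributeset[[:space:]]\{1,\}cil_gen_require[[:space:]]\{1,\}\([^[:space:])]\{1,\}\)[[:space:]]*).*$/\1/p' "$1" | sort -u
}

# Print the required names from CIL file $1 that are absent from the
# one-name-per-line list in file $2 (types and attributes the policy defines).
missing_requires() {
    cil_required_names "$1" | while IFS= read -r name; do
        # -x: whole-line match, -F: fixed string, so foo_t never matches foo_t2
        grep -qxF -- "$name" "$2" || printf '%s\n' "$name"
    done
}

# Constructed input modelled on the statements quoted in Comment 3.
# Assumption: on a real host the "defined" list would be built from the
# policy's type and attribute names (for instance trimmed seinfo output).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/os-nova.cil" <<'EOF'
(typeattributeset cil_gen_require nova_t)
(typeattributeset cil_gen_require container_share_t)
(typeattributeset cil_gen_require spc_t)
(allow nova_t container_share_t (file (read)))
EOF
    # Policy without the container types: only these two names are defined.
    printf '%s\n' nova_t virtd_t > "$tmp/defined.txt"
    missing_requires "$tmp/os-nova.cil" "$tmp/defined.txt"
    rm -rf "$tmp"
}

demo
```

Any name this prints is a require that the policy store cannot resolve, which is the condition behind the "Failed to resolve typeattributeset statement" error.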

Comment 4 Julie Pichon 2019-03-07 09:30:07 UTC
Workaround: It looks like the issue is resolved after installing the container-selinux package. This causes a bunch of "duplicate definition" warnings to be displayed, but the rest works well including the tests.

Note that I'm not seeing the same issue on Fedora 29 despite not having that package, so perhaps there is a fix in a more recent version of the selinux policy (selinux-policy-3.14.2-47.fc29.noarch vs selinux-policy-3.14.1-61.el8.noarch).

Comment 5 Nir Magnezi 2019-03-07 09:59:52 UTC
(In reply to Julie Pichon from comment #4)
> Workaround: It looks like the issue is resolved after installing the
> container-selinux package. This causes a bunch of "duplicate definition"
> warnings to be displayed, but the rest works well including the tests.
> 
> Note that I'm not seeing the same issue on Fedora 29 despite not having that
> package, so perhaps there is a fix in a more recent version of the selinux
> policy (selinux-policy-3.14.2-47.fc29.noarch vs
> selinux-policy-3.14.1-61.el8.noarch).

I can confirm that it worked for me as you described:
Without container-selinux: https://gist.github.com/nmagnezi/bf9620593462cd64a25c5ff7f1a34ccb
With container-selinux: https://gist.github.com/nmagnezi/2709b93ad7aca1856b6b84933dd5c426

Comment 8 Julie Pichon 2019-11-08 14:35:32 UTC
It is now possible to build/run the tests without installing container-selinux. The warnings still show if you install that RPM, but that's because the types are now defined both in main policy/devel and in that package (cf bug 1567980).