openQA FreeIPA upgrade test in current Rawhide (tests upgrade from Fedora 31 to Rawhide) is hitting a repeated SELinux denial which seems to break the upgrade process: Feb 19 09:17:41 ipa001.domain.local audit[971]: AVC avc: denied { search } for pid=971 comm="certmonger" name="opencryptoki" dev="tmpfs" ino=26947 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pkcs_slotd_lock_t:s0 tclass=dir permissive=0 I'm assuming this will hit F32 as well for now (can't tell yet as all F32 composes so far have had the Plymouth bug, which caused this test to fail earlier). So proposing as a Beta blocker as a violation of "It must be possible to successfully complete a direct upgrade from a fully updated installation of each of the last two stable Fedora Server releases with the system configured as a FreeIPA domain controller or postgresql server as specified in the relevant criteria." If this turns out *not* to be affecting F32 once we get a testable compose, I'll withdraw the nomination.
Note - this may also hit fresh FreeIPA deployments on F32/Rawhide, I can't tell yet because those tests are failing earlier due to some silly fedora-repos shenanigans I won't bore you with here. We should be able to tell with the next composes.
commit f7a21a9f173e1c8071718b1dea40eed2271c284d (HEAD -> rawhide, origin/rawhide, origin/HEAD) Author: Lukas Vrabec <lvrabec> Date: Thu Feb 20 15:20:04 2020 +0100 Allow certmonger_t domain to read pkcs_slotd lock files
I reported this bug 3 months ago but freeIPA folks did not invest lot of time with explanation https://bugzilla.redhat.com/show_bug.cgi?id=1772445