testCreateUrlSource fails in updates-testing due to SELinux rejection #1983

Open
cockpituous opened this issue Jan 18, 2025 · 4 comments
@cockpituous
Contributor

The job fedora-41/updates-testing failed on commit 2c51415.

Log: https://cockpit-logs.us-east-1.linodeobjects.com/pull-0-2c514156-20250118-020715-fedora-41-updates-testing/log.html

@martinpitt
Member

This smells real:

audit[35789]: AVC avc: denied { connectto } for pid=35789 comm="nbd-connect" path="/var/lib/libvirt/qemu/domain-1-subVmTestCreate8/nbdkit-libvirt-1-storage.socket" scontext=system_u:system_r:svirt_tcg_t:s0:c404,c745 tcontext=system_u:system_r:nbdkit_t:s0:c404,c745 tclass=unix_stream_socket permissive=0

selinux-policy 41.29-1.fc41 ?

@martinpitt martinpitt moved this to urgent in Pilot tasks Jan 18, 2025
@martinpitt martinpitt changed the title Tests failed on 2c514156f536c70535e8a9af7910584020ef2921 testCreateUrlSource fails in updates-testing due to SELinux rejection Jan 18, 2025
@martinpitt martinpitt self-assigned this Jan 18, 2025
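
For reference when reading the denial quoted above, here is an added example (not part of the issue or of the project's code) that decodes that AVC record into its fields, compares the MCS level of source and target, and prints the type-enforcement rule the denial corresponds to. The function names are this example's own; the rule string is for reading and reporting, not for loading.

```python
import re

# The denial line quoted in the comment above, copied as shown on the page.
AVC_LINE = (
    'audit[35789]: AVC avc: denied { connectto } for pid=35789 '
    'comm="nbd-connect" path="/var/lib/libvirt/qemu/'
    'domain-1-subVmTestCreate8/nbdkit-libvirt-1-storage.socket" '
    'scontext=system_u:system_r:svirt_tcg_t:s0:c404,c745 '
    'tcontext=system_u:system_r:nbdkit_t:s0:c404,c745 '
    'tclass=unix_stream_socket permissive=0'
)

def parse_avc(line):
    """Return the result, permission list and key=value fields of an AVC record."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC record")
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    # Values are either double-quoted or run up to the next whitespace.
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        rec[key] = quoted or bare
    return rec

def split_context(ctx):
    """Split user:role:type:sensitivity[:categories].

    Category ranges (c0.c1023) are kept as written, not expanded.
    """
    user, role, setype, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    return {"user": user, "role": role, "type": setype, "sens": sens,
            "cats": frozenset(cats.split(",")) if cats else frozenset()}

def triage(line):
    rec = parse_avc(line)
    src = split_context(rec["scontext"])
    tgt = split_context(rec["tcontext"])
    return {
        "enforced": rec["permissive"] == "0",
        # Same sensitivity and category set on both sides points at the
        # type pair, not at MCS separation between guests.
        "same_mcs": (src["sens"], src["cats"]) == (tgt["sens"], tgt["cats"]),
        "rule": "allow %s %s:%s { %s };" % (
            src["type"], tgt["type"], rec["tclass"], " ".join(rec["perms"])),
    }

if __name__ == "__main__":
    for key, value in triage(AVC_LINE).items():
        print(key, "=", value)
```
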
@martinpitt
Member

I updated our F41 image from selinux-policy 41.27-1.fc41 to 41.29-1.fc41 with the dnf command from https://bodhi.fedoraproject.org/updates/FEDORA-2025-e7a319968a and that does not make the test fail. Not even after a reboot.

It would be interesting to test this on a refreshed fedora-41 image to bisect away all the already released updates, but cockpit-project/bots#7320 currently fails (repeatedly). I manually dnf updated a running image and re-ran the test, and it still passes. After rebooting into the new 6.12.8 → 6.12.9 kernel it still passes.

Finally, dnf update --enablerepo=updates-testing. Packages all sound unrelated at first sight, and test passes, also after reboot.

So that might be a flake? I retriggered the run, let's compare: https://cockpit-logs.us-east-1.linodeobjects.com/pull-0-2c514156-20250118-040910-fedora-41-updates-testing/log.html

@martinpitt
Member

The failure repeats, so this isn't a flake.

In cockpit-project/bots#7321 I fix the fedora-41 image refresh, which will be helpful to bisect all updates which already made it to stable.

I tried TEST_SCENARIO=updates-testing make prepare-check and ran the test, and that indeed reproduces the failure. So there's some subtle difference between my step-wise updates from above, and the more wholesale updates.

It is enough to just run that last runner.createTest(), everything above can be commented out.

I 👎 'ed https://bodhi.fedoraproject.org/updates/FEDORA-2025-e7a319968a for the time being.

@martinpitt
Member

martinpitt commented Jan 18, 2025

The c-machines f41 run from the image refresh looks good, so we can rule out stable updates.

I locally ran prepare-check against the updated image in cockpit-project/bots#7321. This gets a much smaller set of updates, selinux-policy plus a bunch of "really should not matter" ones. The test still fails.

With this targeted update:

--- Makefile
+++ Makefile
@@ -175,7 +175,7 @@ VM_CUSTOMIZE_FLAGS += --install $(COCKPIT_WHEEL)
 endif
 
 ifeq ("$(TEST_SCENARIO)","updates-testing")
-VM_CUSTOMIZE_FLAGS = --run-command 'dnf -y update --setopt=install_weak_deps=False --enablerepo=updates-testing >&2'
+VM_CUSTOMIZE_FLAGS = --run-command 'dnf -y update --setopt=install_weak_deps=False --enablerepo=updates-testing selinux-policy >&2'
 endif
 
 # build a VM with locally built distro pkgs installed
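
Review bot: the added `VM_CUSTOMIZE_FLAGS` line in the `updates-testing` branch hard-codes `selinux-policy` as the only package argument to `dnf -y update`, so with this applied the scenario no longer pulls the rest of updates-testing, and every further bisection step needs another Makefile edit. Consider reading the package list from a make variable that defaults to empty (any such variable would be new, none is visible in this hunk), so an unmodified run stays a full update and a narrowed run is explicit on the command line. Separately, both the old and the new line assign with `=` rather than `+=`, which discards the `--install $(COCKPIT_WHEEL)` appended to `VM_CUSTOMIZE_FLAGS` in the line shown in the hunk header; if that is intended for this scenario, a one-line comment saying so would help.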

the test still passes. That's pretty much exactly what I did before in the previous comment, albeit with a manual dnf command. So let's bisect further, there must be something subtle with the extra "harmless/unrelated" package updates.

I tested preparing a normal image (without u-testing), then installing everything in one go:

dnf -y update --setopt=install_weak_deps=False --enablerepo=updates-testing

and then test against the running image. That fails, so it's at least not a weird effect of shutting down and rebooting the VM. Perhaps pcp-selinux? Installing that may mess up something.

dnf -y update --setopt=install_weak_deps=False --enablerepo=updates-testing selinux-policy pcp-selinux

indeed fails.

So finally, let's test https://bodhi.fedoraproject.org/updates/FEDORA-2025-f69b50954b in isolation (that just made it to -updates 2 hours ago):

dnf -y update --setopt=install_weak_deps=False --enablerepo=updates-testing pcp-selinux

This passes, and also the previous nightly run grabbed that update and it passed. Updating selinux-policy still passes.
