Skip known bootc failure for now

[LecrisUT]

Thanks to #4248 we can actually be more granular about this now 😉.

Tracked in https://bugzilla.redhat.com/show_bug.cgi?id=2443825

[LecrisUT]

@therazix can you check that I am using it correctly? 🙂 Also thanks for this feature

[gemini-code-assist]

Code Review

This pull request adds an adjust rule to tests/provision/bootc/main.fmf to ignore a specific AVC denial. Change the version comparison from distro > fedora-42 to distro >= fedora-42 to ensure the workaround also applies to Fedora 42.

[therazix]

@therazix can you check that I am using it correctly? 🙂 Also thanks for this feature

The usage seems correct, but keep in mind that when you set ignore-pattern yourself, it will override the default ignore patterns. Currently, type=USER_AVC.*received policyload notice is the only default pattern in that list.

[LecrisUT]

Currently, type=USER_AVC.*received policyload notice is the only default pattern in that list.

Oh, thank you for that info. Should I add it here regardless, or wait on the CI to see if we need it?

[therazix]

Oh, thank you for that info. Should I add it here regardless, or wait on the CI to see if we need it?

I would add it regardless.

[happz]

$ http -p b GET https://artifacts.osci.redhat.com/testing-farm/fafbd116-317c-411b-af40-fd4d1b55e7a7/work-bootc3cyhbi6_/plans/provision/bootc/execute/data/guest/default-0/tests/provision/bootc-1/checks/failures.yaml | yq '.[]'
# --- ausearch
# Finished successfully

# stdout (2 lines)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
type=SELINUX_ERR msg=audit(03/02/26 17:51:06.823:2252) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0:c192,c774 newcontext=system_u:system_r:mount_t:s0:c192,c774
type=SELINUX_ERR msg=audit(03/02/26 18:09:39.471:2953) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0:c603,c905 newcontext=system_u:system_r:mount_t:s0:c603,c905
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# stderr (6 lines)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ export LC_ALL=C
+ LC_ALL=C
+ source /var/ARTIFACTS/work-bootc3cyhbi6_/plans/provision/bootc/execute/data/guest/default-0/tests/provision/bootc-1/checks/avc-mark.txt
++ export 'AVC_SINCE=03/02/26 17:48:41'
++ AVC_SINCE='03/02/26 17:48:41'
+ ausearch -i --input-logs -m AVC,USER_AVC,SELINUX_ERR -ts 03/02/26 17:48:41
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What a nice, brand new AVC failure our patterns do not waive because we never seen it before :/

[LecrisUT]

Oops, it was in the original avc.txt but I did not notice the difference in SELINUX_ERR. Reading comprehension and all that

[LecrisUT]

$ http -p b GET https://artifacts.osci.redhat.com/testing-farm/fafbd116-317c-411b-af40-fd4d1b55e7a7/work-bootc3cyhbi6_/plans/provision/bootc/execute/data/guest/default-0/tests/provision/bootc-1/checks/failures.yaml | yq '.[]'
# --- ausearch
# Finished successfully

# stdout (2 lines)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
type=SELINUX_ERR msg=audit(03/02/26 17:51:06.823:2252) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0:c192,c774 newcontext=system_u:system_r:mount_t:s0:c192,c774
type=SELINUX_ERR msg=audit(03/02/26 18:09:39.471:2953) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0:c603,c905 newcontext=system_u:system_r:mount_t:s0:c603,c905
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# stderr (6 lines)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ export LC_ALL=C
+ LC_ALL=C
+ source /var/ARTIFACTS/work-bootc3cyhbi6_/plans/provision/bootc/execute/data/guest/default-0/tests/provision/bootc-1/checks/avc-mark.txt
++ export 'AVC_SINCE=03/02/26 17:48:41'
++ AVC_SINCE='03/02/26 17:48:41'
+ ausearch -i --input-logs -m AVC,USER_AVC,SELINUX_ERR -ts 03/02/26 17:48:41
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What a nice, brand new AVC failure our patterns do not waive because we never seen it before :/

Hmm, it does smell like a genuine issue on our side. Maybe it's an issue with the new bootc mounting during the prepare install step and such?

[happz]

Oops, it was in the original avc.txt but I did not notice the difference in SELINUX_ERR. Reading comprehension and all that

Ah, I thought it's a new one, present just to kick sand in our tea. Never noticed in the previous runs.

[happz]

$ http -p b GET https://artifacts.osci.redhat.com/testing-farm/fafbd116-317c-411b-af40-fd4d1b55e7a7/work-bootc3cyhbi6_/plans/provision/bootc/execute/data/guest/default-0/tests/provision/bootc-1/checks/failures.yaml | yq '.[]'
# --- ausearch
# Finished successfully

# stdout (2 lines)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
type=SELINUX_ERR msg=audit(03/02/26 17:51:06.823:2252) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0:c192,c774 newcontext=system_u:system_r:mount_t:s0:c192,c774
type=SELINUX_ERR msg=audit(03/02/26 18:09:39.471:2953) : op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:install_t:s0:c603,c905 newcontext=system_u:system_r:mount_t:s0:c603,c905
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# stderr (6 lines)
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ export LC_ALL=C
+ LC_ALL=C
+ source /var/ARTIFACTS/work-bootc3cyhbi6_/plans/provision/bootc/execute/data/guest/default-0/tests/provision/bootc-1/checks/avc-mark.txt
++ export 'AVC_SINCE=03/02/26 17:48:41'
++ AVC_SINCE='03/02/26 17:48:41'
+ ausearch -i --input-logs -m AVC,USER_AVC,SELINUX_ERR -ts 03/02/26 17:48:41
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What a nice, brand new AVC failure our patterns do not waive because we never seen it before :/

Hmm, it does smell like a genuine issue on our side. Maybe it's an issue with the new bootc mounting during the prepare install step and such?

Could be. A waiver, another tracking issue against selinux policy, and investigate more as we go?

[LecrisUT]

/packit retest-failed

[LecrisUT]

Could be. A waiver, another tracking issue against selinux policy, and investigate more as we go?

Yep, added it to the ignore pattern and opened #4634 as a perpetual check for every next sprint.