@cyphar cyphar commented Aug 18, 2025

Our tests would incorrectly treat security.selinux like a regular xattr,
which led to failures because it gets auto-set on all new files. The
solution is quite simple -- just include any such xattrs in expected
sets (or filter them out) before doing checks in our tests.

umoci itself still handles security.selinux fine (we emulate it using a
fake user xattr), this is just a bug in our tests' handling of
security.selinux.

Fixes #605
Fixes: 6fd1e0e ("oci: ignore system.nfs4_acl and extend forbidden-xattr handling")
Fixes: 9a1cefa ("oci: layer: correctly handle trusted.overlay xattr namespace escaping")
Fixes: 54f34c9 ("oci: layer: refix auto-applied xattr handling")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
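
The "filter them out" approach from the description above, as an added example that is not code from this pull request or from umoci. The helper names `xattrSet` and `diffXattrs`, the `auto` parameter and the `user.test` xattr are hypothetical, and the sample name lists are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// xattrSet builds a lookup set from a list of xattr names.
func xattrSet(names []string) map[string]bool {
	set := make(map[string]bool, len(names))
	for _, n := range names {
		set[n] = true
	}
	return set
}

// diffXattrs compares the xattr names found on a file (got) with the names a
// test expects (want). Names in auto are ones the host applies to every new
// file (assumption: the caller collected them from a freshly created,
// untouched file), so they are tolerated in got but never required.
func diffXattrs(got, want, auto []string) (missing, unexpected []string) {
	gotSet, wantSet, autoSet := xattrSet(got), xattrSet(want), xattrSet(auto)
	for n := range wantSet {
		if !gotSet[n] {
			// An expected xattr is always required, auto-set or not.
			missing = append(missing, n)
		}
	}
	for n := range gotSet {
		if !wantSet[n] && !autoSet[n] {
			unexpected = append(unexpected, n)
		}
	}
	sort.Strings(missing)
	sort.Strings(unexpected)
	return missing, unexpected
}

func main() {
	// Constructed sample: names as listed on a host that auto-sets security.selinux.
	got := []string{"security.selinux", "user.test"}
	want := []string{"user.test"}
	m, u := diffXattrs(got, want, nil) // treats security.selinux as a regular xattr
	fmt.Println("unfiltered:", m, u)
	m, u = diffXattrs(got, want, []string{"security.selinux"})
	fmt.Println("filtered:  ", m, u)
}
```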

codecov-commenter commented Aug 18, 2025

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.74%. Comparing base (e0662ee) to head (df3a23e).
⚠️ Report is 29 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.


@@            Coverage Diff             @@
##             main     #609      +/-   ##
==========================================
+ Coverage   73.68%   73.74%   +0.05%     
==========================================
  Files          69       69              
  Lines        5556     5557       +1     
==========================================
+ Hits         4094     4098       +4     
+ Misses       1074     1072       -2     
+ Partials      388      387       -1     

see 1 file with indirect coverage changes


cyphar commented Aug 18, 2025

It would be nice to add CirrusCI for AlmaLinux tests (like runc does) but I cannot enable the CirrusCI app on this repo...

@estesp Do you know who to ping to click "install" on this configuration page for the umoci repo? Also it would be nice for you to install the CodeCov app as well (see the above errors)!

estesp commented Aug 18, 2025

> It would be nice to add CirrusCI for AlmaLinux tests (like runc does) but I cannot enable the CirrusCI app on this repo...
>
> @estesp Do you know who to ping to click "install" on this configuration page for the umoci repo? Also it would be nice for you to install the CodeCov app as well (see the above errors)!

I'm checking who has "admin" at the organizational level; apparently I don't :)

@cyphar cyphar merged commit c41e8bf into opencontainers:main Sep 6, 2025
20 checks passed
@cyphar cyphar deleted the xattr-selinux branch September 16, 2025 13:07
Successfully merging this pull request may close these issues.

Fedora Package Build Fails SELinux Related Unit Tests