Policies are not generated in order/not reproducible #84
We're currently not able to check this as Udica doesn't generate the policy files in order. Related-bug: containers/udica#84 Signed-off-by: Juan Antonio Osorio Robles <[email protected]>
@wrabcak anybody from the team that can check this out? This is preventing us from using Udica in CI environments.
@JAORMX Thank you for reporting the issue, could you please share a container inspection file (or 2 that have the same content, just ordered differently) that is causing this issue?
I don't have one handy right now, but this is how we were generating it https://github.com/JAORMX/selinuxd/blob/main/hack/ci/daemon-and-trace.sh#L48
This should diminish differences between policies generated for the same container (allow rules should be in the same order). Fixes: Two subsequent calls to Udica on the same container sometimes generate different policy files (functionally equivalent, but with different rule order). This issue makes it difficult to use udica for CI purposes. containers#84 Signed-off-by: Vit Mojzis <[email protected]>
I'm sorry, but after trying several different containers I haven't been able to reproduce the issue. I added sorting to some of the container inspect data, which should diminish differences between policies generated for the same container. But, without a reliable reproducer I cannot be sure this resolves your issue.
Yes, that is a different issue addressed by 6e74f83 (selinux-policy contains new capabilities unknown to udica).
This should diminish differences between policies generated for the same container (allow rules should be in the same order). Fixes: Two subsequent calls to Udica on the same container sometimes generate different policy files (functionally equivalent, but with different rule order). This issue makes it difficult to use udica for CI purposes. #84 Signed-off-by: Vit Mojzis <[email protected]>
Describe the bug
When generating selinux policies in CI, one expects that subsequent calls to Udica will generate the same policy; however, this doesn't seem to be the case. While the policies are equivalent, the order of the items in the policy differs. This makes it really hard to detect if new changes come in the policy as the container evolves, and thus prevents us from checking this in CI.
For instance:
While that diff doesn't differ in content, the issue there is that that section was created in a different order in the policy.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Running Udica for a container should always generate the same policy in the same order (so commands like diff show they're equivalent).
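A CI-side check for the expected behaviour described above, added here as an example and not part of udica or this issue: it canonicalizes two udica-style CIL policies (sorting each allow rule's permission set and the allow rules inside a block) before diffing them, so a reordered but equivalent policy passes while a genuinely changed one fails. The policy fragments and the block name my_container are constructed for the example.

```python
import difflib
import re

# Constructed udica-style CIL fragments (not from the issue): identical rules,
# emitted in a different order and with the permission sets shuffled.
POLICY_A = """(block my_container
    (blockinherit container)
    (allow process home_dir_type ( dir ( ioctl read getattr lock search open )))
    (allow process home_dir_type ( file ( getattr read write append ioctl lock map open )))
    (allow process var_log_t ( dir ( getattr search open )))
)
"""
POLICY_B = """(block my_container
    (blockinherit container)
    (allow process var_log_t ( dir ( open search getattr )))
    (allow process home_dir_type ( file ( read getattr append write open map lock ioctl )))
    (allow process home_dir_type ( dir ( read ioctl lock getattr open search )))
)
"""
ALLOW_RE = re.compile(r"^\(allow (\S+) (\S+) \( (\S+) \( ([^)]*) \)\)\)$")

def canonical_rule(line: str) -> str:
    """Rewrite one allow rule with its permission set sorted; other lines pass through."""
    m = ALLOW_RE.match(line)
    if not m:
        return line
    src, tgt, cls, perms = m.groups()
    return f"(allow {src} {tgt} ( {cls} ( {' '.join(sorted(perms.split()))} )))"

def canonicalize_cil(text: str) -> list[str]:
    """Normalize allow rules and sort them within each block; other statements keep order."""
    out: list[str] = []
    pending: list[str] = []  # allow rules of the block currently being scanned
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("(allow "):
            pending.append(canonical_rule(line))
        else:
            out.extend(sorted(pending))  # flush the block's rules in a stable order
            pending.clear()
            out.append(line)
    out.extend(sorted(pending))
    return out

def policy_diff(expected: str, generated: str) -> list[str]:
    """Unified diff of the canonical forms; an empty list means the policies are equivalent."""
    return list(difflib.unified_diff(canonicalize_cil(expected), canonicalize_cil(generated),
                                     "expected.cil", "generated.cil", lineterm=""))
```

In a pipeline, a non-empty result from policy_diff is the signal that the container's policy actually changed, independent of the order udica happened to emit the rules in.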