mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative
This expects PermissionError: [Errno 1] Operation not permitted,
but it seems that setxattr() for security.NTACL works on gitlab
runners without being root.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 237d9d0228
)
This commit is contained in:
parent
1b21c09d51
commit
dfcbd88504
@ -83,5 +83,5 @@ class NtaclsTests(TestCaseInTempDir):
|
||||
lp = LoadParm()
|
||||
open(self.tempf, 'w').write("empty")
|
||||
lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
|
||||
self.assertRaises(Exception, setntacl, lp, self.tempf, NTACL_SDDL,
|
||||
self.assertRaises(PermissionError, setntacl, lp, self.tempf, NTACL_SDDL,
|
||||
DOMAIN_SID, self.session_info, "native")
|
||||
|
18
selftest/flapping.d/gitlab-setxattr-security
Normal file
18
selftest/flapping.d/gitlab-setxattr-security
Normal file
@ -0,0 +1,18 @@
|
||||
# gitlab runners with kernel 5.15.109+
|
||||
# allow setxattr() on security.NTACL
|
||||
#
|
||||
# It's not clear in detail why there's a difference
|
||||
# between various systems, one reason could be that
|
||||
# with selinux inode_owner_or_capable() is used to check
|
||||
# setxattr() permissions:
|
||||
# it checks for the fileowner too, as well as CAP_FOWNER.
|
||||
# Otherwise cap_inode_setxattr() is used, which checks for
|
||||
# CAP_SYS_ADMIN.
|
||||
#
|
||||
# But the kernel doesn't have selinux only apparmor...
|
||||
#
|
||||
# test_setntacl_forcenative expects
|
||||
# PermissionError: [Errno 1] Operation not permitted
|
||||
#
|
||||
# So for now we allow this to fail...
|
||||
^samba.tests.ntacls.samba.tests.ntacls.NtaclsTests.test_setntacl_forcenative.none
|
Loading…
Reference in New Issue
Block a user