tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative

This expects PermissionError: [Errno 1] Operation not permitted,
but it seems that setxattr() for security.NTACL works on gitlab
runners without being root.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/python/samba/tests/ntacls.py b/python/samba/tests/ntacls.py
index 0b7963d902e7f312f48518f47ad8a67c19e3c0f9..6e2adda6a0d30aaaa67b9f513eea449fce6d9912 100644 (file)
--- a/python/samba/tests/ntacls.py
+++ b/python/samba/tests/ntacls.py
@@ -83,5 +83,5 @@ class NtaclsTests(TestCaseInTempDir):
         lp = LoadParm()
         open(self.tempf, 'w').write("empty")
         lp.set("posix:eadb", os.path.join(self.tempdir, "eadbtest.tdb"))
-        self.assertRaises(Exception, setntacl, lp, self.tempf, NTACL_SDDL,
+        self.assertRaises(PermissionError, setntacl, lp, self.tempf, NTACL_SDDL,
                           DOMAIN_SID, self.session_info, "native")

diff --git a/selftest/flapping.d/gitlab-setxattr-security b/selftest/flapping.d/gitlab-setxattr-security
new file mode 100644 (file)
index 0000000..d7d2403
--- /dev/null
+++ b/selftest/flapping.d/gitlab-setxattr-security
@@ -0,0 +1,18 @@
+# gitlab runners with kernel 5.15.109+
+# allow setxattr() on security.NTACL
+#
+# It's not clear in detail why there's a difference
+# between various systems, one reason could be that
+# with selinux inode_owner_or_capable() is used to check
+# setxattr() permissions:
+# it checks for the fileowner too, as well as CAP_FOWNER.
+# Otherwise cap_inode_setxattr() is used, which checks for
+# CAP_SYS_ADMIN.
+#
+# But the kernel doesn't have selinux only apparmor...
+#
+# test_setntacl_forcenative expects
+# PermissionError: [Errno 1] Operation not permitted
+#
+# So for now we allow this to fail...
+^samba.tests.ntacls.samba.tests.ntacls.NtaclsTests.test_setntacl_forcenative.none