tests: check that there are no selinux denials

mvo5 · Dec 6, 2023 · 0e570a2 · 0e570a2
1 parent 52157c0
commit 0e570a2
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 6 deletions.
diff --git a/test/test_smoke.py b/test/test_smoke.py
@@ -1,6 +1,7 @@
 import json
 import os
 import pathlib
+import re
 import subprocess
 
 import pytest
@@ -36,6 +37,27 @@ def config_json_fixture(output_path):
     return config_json_path
 
 
+OSBUID_SELINUX_DENIALS_RE = re.compile(r"(?ms)avc:\ +denied.*osbuild")
+
+
+def test_osbuild_selinux_denails_re_works():
+    fake_log = (
+        'Dec 05 07:19:39 fedora audit[15624]: AVC avc: denied {'
+        ' nnp_transition nosuid_transition } for pid=15624'
+        ' comm="org.osbuild.ost"'
+        ' scontext=system_u:system_r:install_t:s0:c42,c355'
+        ' tcontext=system_u:system_r:mount_t:s0:c42,c355'
+        ' tclass=process2 permissive=0\n'
+        'Dec 05 07:19:39 other log msg\n'
+        'Dec 05 07:19:39 fedora audit: SELINUX_ERR'
+        ' op=security_bounded_transition seresult=denied'
+        ' oldcontext=system_u:system_r:install_t:s0:c42,c355'
+        ' newcontext=system_u:system_r:mount_t:s0:c42,c355\n'
+    )
+    m = re.search(OSBUID_SELINUX_DENIALS_RE, fake_log)
+    assert isinstance(m, re.Match)
+
+
 @pytest.mark.skipif(os.getuid() != 0, reason="needs root")
 @pytest.mark.skipif(not testutil.has_executable("podman"), reason="need podman")
 def test_smoke(output_path, config_json):
@@ -56,12 +78,16 @@ def test_smoke(output_path, config_json):
         "quay.io/centos-bootc/centos-bootc:stream9",
         "--config", "/output/config.json",
     ])
-    # check that there are no denials
-    # TODO: actually check this once https://github.com/osbuild/images/pull/287
-    #       is merged
-    journal_output = testutil.journal_after_cursor(cursor)
-    assert journal_output != ""
     generated_img = pathlib.Path(output_path) / "qcow2/disk.qcow2"
     assert generated_img.exists(), f"output file missing, dir content: {os.listdir(os.fspath(output_path))}"
+
+    # check that there are no selinux denials
+    journal_output = testutil.journal_after_cursor(cursor)
+    assert journal_output != ""
+    assert generated_img.exists()
+    if testutil.has_executable("selinuxenabled") and subprocess.run("selinuxenabled").returncode == 0:
+        # log example:
+        assert not re.match(OSBUID_SELINUX_DENIALS_RE, journal_output), f"denials in log {journal_output}"
+
     # TODO: boot and do basic checks, see
     # https://github.com/osbuild/osbuild-deploy-container/compare/main...mvo5:integration-test?expand=1
diff --git a/test/testutil.py b/test/testutil.py
@@ -9,7 +9,7 @@ def journal_cursor():
 
 
 def journal_after_cursor(cursor):
-    output = subprocess.check_output(["journalctl", f"--after-cursor={cursor}"])
+    output = subprocess.check_output(["journalctl", f"--after-cursor={cursor}"], encoding="utf8")
     return output