feat: Added a fixture for integration tests to check selinux denials

RedHatInsights · Nov 7, 2024 · 9457a1a · 9457a1a
1 parent 964031f
commit 9457a1a
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/integration-tests/conftest.py b/integration-tests/conftest.py
@@ -1,9 +1,7 @@
 import pytest
 import subprocess
 import time
-import logging
-
-logger = logging.getLogger(__name__)
+from pytest_client_tools.util import logged_run
 
 
 @pytest.fixture(scope="session")
@@ -58,3 +56,18 @@ def loop_until(predicate, poll_sec=5, timeout_sec=120):
         time.sleep(poll_sec)
         ok = predicate()
     return ok
+
+
+@pytest.fixture(scope="session", autouse=True)
+def collect_selinux_denials():
+    """This fixture helps in catching selinux denials
+    in the system after tests are run."""
+    yield
+    options = "ausearch -m avc -m user_avc -m selinux_err -i".split()
+    result = logged_run(options, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    if "<no matches>" not in str(result.stdout):
+        lines = str(result.stdout).split("\n")
+        for line in lines:
+            words = line.split()
+            if "denied" in words:
+                assert "permissive=1" in words, "SELinux AVC denials found"