From e464b8d94bce5c3384f1d24b7428ec459158dcad Mon Sep 17 00:00:00 2001
From: Archana Pandey
Date: Thu, 7 Nov 2024 16:29:04 +0530
Subject: [PATCH] feat: Added a fixture for integration tests to check selinux denials
---
 integration-tests/conftest.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/integration-tests/conftest.py b/integration-tests/conftest.py
index a8ba7a46..681b1d8d 100644
--- a/integration-tests/conftest.py
+++ b/integration-tests/conftest.py
@@ -1,9 +1,7 @@
 import pytest
 import subprocess
 import time
-import logging
-
-logger = logging.getLogger(__name__)
+from pytest_client_tools.util import logged_run
 @pytest.fixture(scope="session")
@@ -58,3 +56,18 @@ def loop_until(predicate, poll_sec=5, timeout_sec=120):
 time.sleep(poll_sec)
 ok = predicate()
 return ok
+
+
+@pytest.fixture(scope="session", autouse=True)
+def collect_selinux_denials():
+ """This fixture helps in catching selinux denials
+ in the system after tests are run."""
+ yield
+ command = "ausearch -m avc -m user_avc -m selinux_err -i".split()
+ result = logged_run(command, capture_output=True, text=True)
+ if "" not in result.stdout:
+ lines = result.stdout.split("\n")
+ for line in lines:
+ words = line.split()
+ if "denied" in words:
+ assert "permissive=1" in words, "SELinux AVC denials found"
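Review bot: The denial check in `collect_selinux_denials` fails open: only `result.stdout` is inspected, so when `ausearch` cannot search the audit log (for example insufficient privilege or an unreadable log) the output is empty and the session passes without anything having been checked. Unless `logged_run` already raises on failure, which is not visible in this hunk, the fixture should examine `result.stderr` and `result.returncode` and fail or skip explicitly. The query also carries no start-time bound (`-ts`), so AVC records written before the test session are attributed to this run. As rendered on this page the guard reads `if "" not in result.stdout:`, which can never be true because the empty string is contained in every string, so the loop would be skipped entirely; this is worth confirming against the real file. The assertion also stops at the first hit and drops the record, whereas `assert "permissive=1" in words, f"SELinux AVC denial: {line}"` would put the offending line in the report.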