From 982f18c2820092fd67715c7f96b0ac816a44203c Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Mon, 11 Apr 2016 20:16:20 -0400
Subject: [PATCH] catch SElinux alerts in permissive mode

Run the tests in permissive mode but run sealert at the end to see if we have some SElinux alerts that we need to fix.

We want to run catch_selinux_alerts function before exiting the script (with failure or success) so we can detect alerts:

* right after first Puppet run
* after second Puppet run
* after Tempest run

If an AVC is detected, fails so we can report the bugs in openstack-selinux and bring useful feedback.

Change-Id: Iaef45c88232505600cbb80f82b195aafcc615474
---
 run_tests.sh | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/run_tests.sh b/run_tests.sh
index 404c2d899..8538c4c8b 100755
--- a/run_tests.sh
+++ b/run_tests.sh
@@ -78,6 +78,9 @@ elif is_fedora; then
 $SUDO rpm -ivh /tmp/puppet.rpm
 $SUDO yum install -y dstat ${PUPPET_PKG} setools setroubleshoot audit
 $SUDO service auditd start
+
+ # SElinux in permissive mode so later we can catch alerts
+ $SUDO setenforce 0
 fi
 
 PUPPET_ARGS="${PUPPET_ARGS} --detailed-exitcodes --verbose --color=false --debug"
@@ -92,6 +95,18 @@ function run_puppet() {
 return $res
 }
 
+function catch_selinux_alerts() {
+ if is_fedora; then
+ $SUDO sealert -a /var/log/audit/audit.log
+ if $SUDO grep -i 'type=AVC' /var/log/audit/audit.log >/dev/null; then
+ echo "AVC detected in /var/log/audit/audit.log"
+ echo "Please file a bug on https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20OpenStack&component=openstack-selinux showing sealert output."
+ exit 1
+ else
+ echo 'No AVC detected in /var/log/audit/audit.log'
+ fi
+ fi
+}
 
 # use dstat to monitor system activity during integration testing
 if type "dstat" 2>/dev/null; then
@@ -111,6 +126,7 @@ run_puppet $SCENARIO
 RESULT=$?
 set -e
 if [ $RESULT -ne 2 ]; then
+ catch_selinux_alerts
 exit 1
 fi
 
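Review bot: `$SUDO setenforce 0` is not guarded against a host where SELinux is already Disabled: setenforce then exits non-zero (and, if `set -e` is in effect at this point as it is in the later hunks, aborts the run), while on such a host the AVC check added in catch_selinux_alerts would silently report "No AVC detected" because nothing is ever audited. A mode check before the switch makes the vacuous case visible, e.g. `[ "$($SUDO getenforce)" != "Disabled" ] || { echo 'SELinux is disabled, AVC check would be meaningless' >&2; exit 1; }` followed by the existing `$SUDO setenforce 0`. The comment could also state that the mode is not restored afterwards, which is acceptable on a throwaway test node but worth saying: `# Switch SELinux to permissive so denials are logged by auditd (started above) but not enforced; the mode is not restored on exit.` The enclosing `if … elif is_fedora` block starts outside the hunk.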
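Review bot: The `grep -i 'type=AVC'` check in catch_selinux_alerts scans the whole of /var/log/audit/audit.log, so any denial recorded before the script started (image build, boot, the package installation above) fails the job and gets attributed to this run; recording a start time and querying only later records scopes the check to the tests, e.g. `AUDIT_START=$(date '+%m/%d/%Y %H:%M:%S')` next to the `setenforce 0` call and `if $SUDO ausearch -m avc -ts "$AUDIT_START" >/dev/null 2>&1; then` here (ausearch comes from the audit package installed above and exits non-zero when nothing matches). The same applies to `sealert -a`, which also reads the full log. The callers in the later hunks run under `set -e`, so a non-zero exit from `sealert` would abort the script before the AVC check and its message; if that can happen on the target hosts, `$SUDO sealert -a /var/log/audit/audit.log || true  # report only; the AVC check below decides` keeps the check reachable. Minor: `grep … >/dev/null` can be `grep -q …`.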
@@ -120,6 +136,7 @@ run_puppet $SCENARIO
 RESULT=$?
 set -e
 if [ $RESULT -ne 0 ]; then
+ catch_selinux_alerts
 exit 1
 fi
 
@@ -157,4 +174,7 @@ RESULT=$?
 set -e
 testr last --subunit > /tmp/openstack/tempest/testrepository.subunit
 /tmp/openstack/tempest/.tox/all-plugin/bin/tempest list-plugins
+
+catch_selinux_alerts
+
 exit $RESULT