Merge "catch SElinux alerts in permissive mode"

Jenkins 2016-04-14 03:06:13 +00:00 committed by Gerrit Code Review
commit 1cfd3cbb63


@ -96,6 +96,9 @@ elif is_fedora; then
$SUDO rpm -ivh /tmp/puppet.rpm $SUDO rpm -ivh /tmp/puppet.rpm
$SUDO yum install -y dstat ${PUPPET_PKG} setools setroubleshoot audit $SUDO yum install -y dstat ${PUPPET_PKG} setools setroubleshoot audit
$SUDO service auditd start $SUDO service auditd start
# SElinux in permissive mode so later we can catch alerts
$SUDO setenforce 0
fi fi
PUPPET_ARGS="${PUPPET_ARGS} --detailed-exitcodes --color=false --test --trace" PUPPET_ARGS="${PUPPET_ARGS} --detailed-exitcodes --color=false --test --trace"
@ -110,6 +113,18 @@ function run_puppet() {
return $res return $res
} }
function catch_selinux_alerts() {
if is_fedora; then
$SUDO sealert -a /var/log/audit/audit.log
if $SUDO grep -i 'type=AVC' /var/log/audit/audit.log >/dev/null; then
echo "AVC detected in /var/log/audit/audit.log"
echo "Please file a bug on https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20OpenStack&component=openstack-selinux showing sealert output."
exit 1
else
echo 'No AVC detected in /var/log/audit/audit.log'
fi
fi
}
# use dstat to monitor system activity during integration testing # use dstat to monitor system activity during integration testing
if type "dstat" 2>/dev/null; then if type "dstat" 2>/dev/null; then
@ -129,6 +144,7 @@ run_puppet $SCENARIO
RESULT=$? RESULT=$?
set -e set -e
if [ $RESULT -ne 2 ]; then if [ $RESULT -ne 2 ]; then
catch_selinux_alerts
exit 1 exit 1
fi fi
@ -138,6 +154,7 @@ run_puppet $SCENARIO
RESULT=$? RESULT=$?
set -e set -e
if [ $RESULT -ne 0 ]; then if [ $RESULT -ne 0 ]; then
catch_selinux_alerts
exit 1 exit 1
fi fi
@ -176,4 +193,7 @@ RESULT=$?
set -e set -e
testr last --subunit > /tmp/openstack/tempest/testrepository.subunit testr last --subunit > /tmp/openstack/tempest/testrepository.subunit
/tmp/openstack/tempest/.tox/all-plugin/bin/tempest list-plugins /tmp/openstack/tempest/.tox/all-plugin/bin/tempest list-plugins
catch_selinux_alerts
exit $RESULT exit $RESULT
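Review bot: In catch_selinux_alerts the `grep -i 'type=AVC' /var/log/audit/audit.log` check has no time bound, so a denial already in the log before this run (or before the `setenforce 0` added in the first hunk) fails the job, while `type=USER_AVC` records are not matched at all. Since the audit package is installed earlier in the script, the test could query by record type and start time instead, e.g. `if $SUDO ausearch -m avc,user_avc -ts "$RUN_START_DATE" "$RUN_START_TIME" >/dev/null 2>&1; then`, with the start captured before the first run_puppet call (the variable names are placeholders). All three call sites run after `set -e` is re-enabled, so a non-zero exit from `sealert -a` would presumably end the script before the AVC message is printed; `$SUDO sealert -a /var/log/audit/audit.log || true` keeps the report best-effort. A header comment on the function should state that it exits 1 on any AVC, which at the final call site replaces `$RESULT`.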