catch SElinux alerts in permissive mode

Run the tests in permissive mode but run sealert at the end to see if we
have some SElinux alerts that we need to fix.

We want to run catch_selinux_alerts function before exiting the script
(with failure or success) so we can detect alerts:
* right after first Puppet run
* after second Puppet run
* after Tempest run

If an AVC is detected, the script fails so we can report the bugs in
openstack-selinux and provide useful feedback.

Change-Id: Iaef45c88232505600cbb80f82b195aafcc615474
This commit is contained in:
Emilien Macchi 2016-04-11 20:16:20 -04:00
parent a3117a6449
commit 982f18c282


@ -78,6 +78,9 @@ elif is_fedora; then
$SUDO rpm -ivh /tmp/puppet.rpm
$SUDO yum install -y dstat ${PUPPET_PKG} setools setroubleshoot audit
$SUDO service auditd start
# SElinux in permissive mode so later we can catch alerts
$SUDO setenforce 0
fi
PUPPET_ARGS="${PUPPET_ARGS} --detailed-exitcodes --verbose --color=false --debug"
@ -92,6 +95,18 @@ function run_puppet() {
return $res
}
function catch_selinux_alerts() {
if is_fedora; then
$SUDO sealert -a /var/log/audit/audit.log
if $SUDO grep -i 'type=AVC' /var/log/audit/audit.log >/dev/null; then
echo "AVC detected in /var/log/audit/audit.log"
echo "Please file a bug on https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20OpenStack&component=openstack-selinux showing sealert output."
exit 1
else
echo 'No AVC detected in /var/log/audit/audit.log'
fi
fi
}
# use dstat to monitor system activity during integration testing
if type "dstat" 2>/dev/null; then
@ -111,6 +126,7 @@ run_puppet $SCENARIO
RESULT=$?
set -e
if [ $RESULT -ne 2 ]; then
catch_selinux_alerts
exit 1
fi
@ -120,6 +136,7 @@ run_puppet $SCENARIO
RESULT=$?
set -e
if [ $RESULT -ne 0 ]; then
catch_selinux_alerts
exit 1
fi
@ -157,4 +174,7 @@ RESULT=$?
set -e
testr last --subunit > /tmp/openstack/tempest/testrepository.subunit
/tmp/openstack/tempest/.tox/all-plugin/bin/tempest list-plugins
catch_selinux_alerts
exit $RESULT
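Review bot: The AVC check in catch_selinux_alerts greps the whole of /var/log/audit/audit.log, so any denial recorded before the run — during the enforcing window before `$SUDO setenforce 0`, or from image provisioning — fails the job even when the Puppet and Tempest runs themselves triggered nothing, and the check cannot tell which stage produced the record. Since the audit package is installed on the same line as setroubleshoot, scoping the search to the run is a small change: capture a timestamp right after `$SUDO setenforce 0`, e.g. `SELINUX_CHECK_START=$(date '+%x %X')` (ausearch parses `-ts` in the current locale, so this should produce a matching string — worth confirming on the CI image), and replace the grep with `if $SUDO ausearch -m avc -ts "$SELINUX_CHECK_START" >/dev/null 2>&1; then`, which exits non-zero when nothing matches. Separately, every caller invokes the function after `set -e` has been re-enabled, so a non-zero exit from `sealert -a` aborts the script before the AVC message and bug-filing hint are printed; `$SUDO sealert -a /var/log/audit/audit.log || true` keeps that report best-effort. The `elif is_fedora` block around the first hunk starts outside the shown lines.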