Check for SELinux AVCs after installation

Look for SELinux violation after installing a master with CA, KRA, and DNS with DNSSEC. The test does not fail yet, because there are known SELinux violations. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-04-25 13:24:50 +02:00 · 2019-04-25 13:24:50 +02:00 · d7e17655c7
commit d7e17655c7
parent dcd488b3d9
2 changed files with 24 additions and 2 deletions
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@ -1433,12 +1433,13 @@ def install_ca(host, domain_level=None, first_instance=False,
    return result


-def install_dns(host, raiseonerr=True):
+def install_dns(host, raiseonerr=True, extra_args=()):
    args = [
        "ipa-dns-install",
        "--forwarder", host.config.dns_forwarder,
        "-U",
    ]
+    args.extend(extra_args)
    ret = host.run_command(args, raiseonerr=raiseonerr)
    Firewall(host).enable_service("dns")
    return ret
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@ -19,6 +19,7 @@ import pytest
 from ipalib.constants import DOMAIN_LEVEL_0
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks as platformtasks
 from ipatests.pytest_ipa.integration.env_config import get_global_config
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
@ -396,7 +397,10 @@ class TestInstallMaster(IntegrationTest):
        tasks.install_kra(self.master, first_instance=True)

    def test_install_dns(self):
-        tasks.install_dns(self.master)
+        tasks.install_dns(
+            self.master,
+            extra_args=['--dnssec-master', '--no-dnssec-validation']
+        )

    def test_WSGI_worker_process(self):
        """ Test if WSGI worker process count is set to 4
@ -476,6 +480,23 @@ class TestInstallMaster(IntegrationTest):
        assert "softhsm" not in result.stdout_text.lower()
        assert "opendnssec" not in result.stdout_text.lower()

+    @pytest.mark.skipif(
+        not platformtasks.is_selinux_enabled(),
+        reason="Test needs SELinux enabled")
+    def test_selinux_avcs(self):
+        # Use journalctl instead of ausearch. The ausearch command is not
+        # installed by default and journalctl gives us all AVCs.
+        result = self.master.run_command([
+            "journalctl", "--full", "--grep=AVC", "--since=yesterday"
+        ])
+        avcs = list(
+            line.strip() for line in result.stdout_text.split('\n')
+            if "AVC avc:" in line
+        )
+        if avcs:
+            print('\n'.join(avcs))
+            # Use expected failure until all SELinux violations are fixed
+            pytest.xfail("{} AVCs found".format(len(avcs)))


 class TestInstallMasterKRA(IntegrationTest):