IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Check for SELinux AVCs after installation

Browse Source 
Look for SELinux violation after installing a master with CA, KRA, and
DNS with DNSSEC. The test does not fail yet, because there are known
SELinux violations.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Christian Heimes
2019-04-25 13:24:50 +02:00
parent dcd488b3d9
commit d7e17655c7
2 changed files with 24 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ipatests/pytest_ipa/integration/tasks.py
View File

@@ -1433,12 +1433,13 @@ def install_ca(host, domain_level=None, first_instance=False,
return result return result
def install_dns(host, raiseonerr=True): def install_dns(host, raiseonerr=True, extra_args=()):
args = [ args = [
"ipa-dns-install", "ipa-dns-install",
"--forwarder", host.config.dns_forwarder, "--forwarder", host.config.dns_forwarder,
"-U", "-U",
] ]
args.extend(extra_args)
ret = host.run_command(args, raiseonerr=raiseonerr) ret = host.run_command(args, raiseonerr=raiseonerr)
Firewall(host).enable_service("dns") Firewall(host).enable_service("dns")
return ret return ret

23
ipatests/test_integration/test_installation.py
View File

@@ -19,6 +19,7 @@ import pytest
from ipalib.constants import DOMAIN_LEVEL_0 from ipalib.constants import DOMAIN_LEVEL_0
from ipaplatform.constants import constants from ipaplatform.constants import constants
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipaplatform.tasks import tasks as platformtasks
from ipatests.pytest_ipa.integration.env_config import get_global_config from ipatests.pytest_ipa.integration.env_config import get_global_config
from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks from ipatests.pytest_ipa.integration import tasks
@@ -396,7 +397,10 @@ class TestInstallMaster(IntegrationTest):
tasks.install_kra(self.master, first_instance=True) tasks.install_kra(self.master, first_instance=True)
def test_install_dns(self): def test_install_dns(self):
tasks.install_dns(self.master) tasks.install_dns(
self.master,
extra_args=['--dnssec-master', '--no-dnssec-validation']
)
def test_WSGI_worker_process(self): def test_WSGI_worker_process(self):
""" Test if WSGI worker process count is set to 4 """ Test if WSGI worker process count is set to 4
@@ -476,6 +480,23 @@ class TestInstallMaster(IntegrationTest):
assert "softhsm" not in result.stdout_text.lower() assert "softhsm" not in result.stdout_text.lower()
assert "opendnssec" not in result.stdout_text.lower() assert "opendnssec" not in result.stdout_text.lower()
@pytest.mark.skipif(
not platformtasks.is_selinux_enabled(),
reason="Test needs SELinux enabled")
def test_selinux_avcs(self):
# Use journalctl instead of ausearch. The ausearch command is not
# installed by default and journalctl gives us all AVCs.
result = self.master.run_command([
"journalctl", "--full", "--grep=AVC", "--since=yesterday"
])
avcs = list(
line.strip() for line in result.stdout_text.split('\n')
if "AVC avc:" in line
)
if avcs:
print('\n'.join(avcs))
# Use expected failure until all SELinux violations are fixed
pytest.xfail("{} AVCs found".format(len(avcs)))
class TestInstallMasterKRA(IntegrationTest): class TestInstallMasterKRA(IntegrationTest):