Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Added a fixture for integration tests to check selinux denials #312

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

feat: Added a fixture for integration tests to check selinux denials #312

wants to merge 1 commit into from

Conversation

Archana-PandeyM
Copy link
Collaborator

No description provided.

@Archana-PandeyM Archana-PandeyM marked this pull request as draft November 7, 2024 11:01
m-horky
m-horky reviewed Nov 7, 2024
View reviewed changes
Copy link
Contributor

@m-horky m-horky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will make all test fail even if some other RHEL package has SELinux misconfigured and gets run. Which I guess is good, but it could poison our results for some time until it gets fixed.

Would it make sense to only check lines that might be related to our tools (e.g. insights-client, gpg, python, ...?)

integration-tests/conftest.py Outdated Show resolved Hide resolved
@ptoscano
Copy link
Contributor

ptoscano commented Nov 7, 2024

While the idea is good, I think this ought to be done rather in pytest-client-tools:

  • the fixture can run potentially after fixtures, so missing commands
  • pytest-client-tools, as it is a pytest plugin, knows already about the execution time of the test, and thus it is possible to properly restrict the lookup of the SELinux denials for each test specifically (see the checkpoints in ausearch)
  • pytest-client-tools also already has logs for each test, and the log with SELinux denials would be an additional one

@Archana-PandeyM
Copy link
Collaborator Author

While the idea is good, I think this ought to be done rather in pytest-client-tools:

  • the fixture can run potentially after fixtures, so missing commands
  • pytest-client-tools, as it is a pytest plugin, knows already about the execution time of the test, and thus it is possible to properly restrict the lookup of the SELinux denials for each test specifically (see the checkpoints in ausearch)
  • pytest-client-tools also already has logs for each test, and the log with SELinux denials would be an additional one

Thanks for feedback, I agree that we should put it in pytest_client_tools. Eventually we would add such checks in rhc repo as well. So would you suggest keeping this fixture in pytest_client_tools/plugin.py ?

@Archana-PandeyM
Copy link
Collaborator Author

This will make all test fail even if some other RHEL package has SELinux misconfigured and gets run. Which I guess is good, but it could poison our results for some time until it gets fixed.

Would it make sense to only check lines that might be related to our tools (e.g. insights-client, gpg, python, ...?)

Yes I planned to do so.

@ptoscano
Copy link
Contributor

ptoscano commented Nov 7, 2024

I agree that we should put it in pytest_client_tools. Eventually we would add such checks in rhc repo as well. So would you suggest keeping this fixture in pytest_client_tools/plugin.py ?

Not as a fixture, no. There are already hooks that track certain parts of the tests execution flow, and the SELinux checks would need to be added there:

  • before starting the test, a checkpoint needs to be created with ausearch
  • when a test finishes, get the list of denials between the checkpoint and the test completion, logging the result

In pytest-client-tools there are already the bits to handle per-test stuff, so this should not be complicated to add.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@m-horky m-horky m-horky left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Archana-PandeyM @ptoscano @m-horky @archana-redhat