From 66cb1d2d5b99c6f1286b40600ae99a161566cb22 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Tue, 5 Dec 2023 07:28:11 +0100
Subject: [PATCH] tests: check that there are no selinux denials
---
test/test_smoke.py | 40 +++++++++++++++++++++++++++++++++++-----
test/testutil.py | 2 +-
2 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/test/test_smoke.py b/test/test_smoke.py
index 174b1b07e..fedec60c1 100644
--- a/test/test_smoke.py
+++ b/test/test_smoke.py
@@ -1,6 +1,7 @@
 import json
 import os
 import pathlib
+import re
 import subprocess
 
 import pytest
@@ -36,6 +37,28 @@ def config_json_fixture(output_path):
 return config_json_path
 
 
+def log_has_osbuild_selinux_denials(log):
+ OSBUID_SELINUX_DENIALS_RE = re.compile(r"(?ms)avc:\ +denied.*osbuild")
+ return re.search(OSBUID_SELINUX_DENIALS_RE, log)
+
+
+def test_osbuild_selinux_denails_re_works():
+ fake_log = (
+ 'Dec 05 07:19:39 other log msg\n'
+ 'Dec 05 07:19:39 fedora audit: SELINUX_ERR'
+ ' op=security_bounded_transition seresult=denied'
+ ' oldcontext=system_u:system_r:install_t:s0:c42,c355'
+ ' newcontext=system_u:system_r:mount_t:s0:c42,c355\n'
+ 'Dec 06 16:00:54 internal audit[14368]: AVC avc: denied '
+ '{ nnp_transition nosuid_transition } for pid=14368 '
+ 'comm="org.osbuild.ost" scontext=system_u:system_r:install_t:s0:'
+ 'c516,c631 tcontext=system_u:system_r:mount_t:s0:c516,c631 '
+ 'tclass=process2 permissive=0'
+ )
+ assert log_has_osbuild_selinux_denials(fake_log)
+ assert not log_has_osbuild_selinux_denials("some\nrandom\nlogs")
+
+
 @pytest.mark.skipif(os.getuid() != 0, reason="needs root")
 @pytest.mark.skipif(not testutil.has_executable("podman"), reason="need podman")
 def test_smoke(output_path, config_json):
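Review bot: The `s` flag in `(?ms)avc:\ +denied.*osbuild` lets `.*` run across newlines, so an AVC denial for an unrelated process that is followed anywhere later in the journal by a line mentioning osbuild is reported as an osbuild denial, which on a shared CI host makes the new check flaky. Without DOTALL `.` stops at the line end and both tokens must come from the same record: `OSBUILD_SELINUX_DENIALS_RE = re.compile(r"avc: +denied.*osbuild")` (this also fixes the `OSBUID` typo; `(?m)` does nothing here since the pattern has no anchors). The fixture's `SELINUX_ERR … seresult=denied` record is only ever tested together with the AVC record, so the test does not say whether a bounded-transition denial on its own is meant to be caught; if it is, the pattern needs an alternation for `seresult=denied`, and if not, a separate `assert not` on that record alone would pin the decision. Denials from helper processes osbuild execs carry the helper's own `comm=`, so this filter presumably only catches records that name osbuild somewhere in the line — worth a one-line comment on the function.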
@@ -56,12 +79,19 @@ def test_smoke(output_path, config_json):
 "quay.io/centos-bootc/centos-bootc:stream9",
 "--config", "/output/config.json",
 ])
- # check that there are no denials
- # TODO: actually check this once https://github.com/osbuild/images/pull/287
- # is merged
- journal_output = testutil.journal_after_cursor(cursor)
- assert journal_output != ""
 generated_img = pathlib.Path(output_path) / "qcow2/disk.qcow2"
 assert generated_img.exists(), f"output file missing, dir content: {os.listdir(os.fspath(output_path))}"
+
+ # check that there are no selinux denials
+ journal_output = testutil.journal_after_cursor(cursor)
+ assert journal_output != ""
+ assert generated_img.exists()
+ if testutil.has_executable("selinuxenabled") and subprocess.run("selinuxenabled").returncode == 0:
+ # log example:
+ assert not log_has_osbuild_selinux_denials(journal_output), f"denials in log {journal_output}"
+ # print(f"DEBUG: journal output:\n{journal_output}")
+ else:
+ print("WARNING: selinux not enabled, cannot check for denials")
+
 # TODO: boot and do basic checks, see
 # https://github.com/osbuild/osbuild-deploy-container/compare/main...mvo5:integration-test?expand=1
diff --git a/test/testutil.py b/test/testutil.py
index 47da18e03..e1fc954b5 100644
--- a/test/testutil.py
+++ b/test/testutil.py
@@ -9,7 +9,7 @@ def journal_cursor(): def journal_after_cursor(cursor): - output = subprocess.check_output(["journalctl", f"--after-cursor={cursor}"]) + output = subprocess.check_output(["journalctl", f"--after-cursor={cursor}"], encoding="utf8") return output
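Review bot: The `else:` branch at the end of the added block makes the denial check a silent no-op on a host where `selinuxenabled` is missing or returns non-zero: `print` is swallowed by pytest's output capture unless `-s` is given, so such a run is green with the security check never executed. Raise it as a pytest warning so it shows in the run summary, `warnings.warn("selinux not enabled, cannot check for denials")` (with `import warnings` at the top of the file), or `pytest.skip(...)` before the podman run if the denial check is a hard requirement of this test. The bare `assert generated_img.exists()` repeats the assertion with a message two lines above it, `# log example:` no longer precedes an example now that the sample record lives in the unit test, and the commented-out `# print(f"DEBUG: …")` line is dead code; drop all three. The assertion message embeds the whole journal since the cursor, so on failure the relevant AVC record is buried — consider reporting only the matching lines. test_smoke begins before this hunk.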
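Review bot: `encoding="utf8"` on the `check_output` call decodes with the default `errors="strict"`, so a single byte sequence in the journal since the cursor that is not valid UTF-8 raises `UnicodeDecodeError` inside the helper and the smoke test fails before the denial check rather than at it. journalctl escapes most non-printable payloads in its default output, so this should be rare, but the journal is host-wide and not under the test's control; `subprocess.check_output(["journalctl", f"--after-cursor={cursor}"], encoding="utf8", errors="replace")` keeps the helper returning text in that case. journal_cursor, which produces the cursor consumed here, lies outside this hunk.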