Bug 1254113

Summary: beah misses avc errors happening during reboots
Product: [Retired] Beaker Reporter: Artem Savkov <asavkov>
Component: beahAssignee: beaker-dev-list
Status: CLOSED EOL QA Contact: tools-bugs <tools-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: developCC: bpeck, jburke, jstancek, mastyk, mjia
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-11 12:11:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Artem Savkov 2015-08-17 07:53:08 UTC 
Description of problem:
While moving some of my tests to use restraint I've noticed that /distribution/kernelinstall test always fails with avc error with restraint on RHEL7, same test always passed with beah. After some debugging it turned out that the source of the problem is an incorrect timestamp beah uses in ausearch missing any error that happened during reboot before beah resuming the task. The avc error was caused by bug 1243764.

Here is an example of passing avc check with added debug output(added another ausearch without a timestamp):
Info: Searching AVC errors produced since 1439381891.97 (Wed Aug 12 08:18:11 2015)
Searching logs...
DT: 08/12/2015 08:18:18
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 08/12/2015 08:18:11 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.NooSVZ 2>&1'
<no matches>
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR'
----
time->Wed Aug 12 08:12:50 2015
type=SYSCALL msg=audit(1439381570.412:146): arch=c000003e syscall=263 success=no exit=-13 a0=ffffffffffffff9c a1=152d0c0 a2=0 a3=7ffe1d1089a0 items=0 ppid=35506 pid=35510 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rm" exe="/usr/bin/rm" subj=system_u:system_r:dhcpc_t:s0 key=(null)
type=AVC msg=audit(1439381570.412:146): avc:  denied  { unlink } for  pid=35510 comm="rm" name="added_servers" dev="tmpfs" ino=23643 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-37.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. submit a rhel7 job with /distribution/kernelinstall task

Actual results:
no avc errors reported

Expected results:
all avc errors properly reported

Additional info:
Proposed patch submitted to gerrit: https://gerrit.beaker-project.org/#/c/4344/
Comment 2 Martin Styk 2020-02-11 12:11:15 UTC 
Beah is no longer supported by Beaker development team.
Instead of that, we are working on Restraint test harness. You can find all the features of Restraint here.

https://restraint.readthedocs.io/en/latest/

If you think your RFE should be still implemented as part of Restraint feel free to create a new BZ ticket.

https://bugzilla.redhat.com/enter_bug.cgi?product=Restraint

In case you have any question feel free to reach out to me
Thank you,
Martin Styk <martin.styk>