Bug 1603077

Summary: [RFE] report AVC denials and kernel errors which occurred during the installation
Product: [Retired] Beaker Reporter: Dan Callaghan <dcallagh>
Component: generalAssignee: beaker-dev-list
Status: CLOSED WONTFIX QA Contact: tools-bugs <tools-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 25CC: mastyk
Target Milestone: future_maintKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-02 13:28:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1602251    
Bug Blocks:    

Description Dan Callaghan 2018-07-19 06:07:04 UTC 
If your Beaker task does something to cause an SELinux AVC denial, or the kernel produces a serious error message during your task, the harness will notice that and report it as a failure in the results.

However, despite various attempts in /distribution/install (see bug 1188539 comments), AVC denials and kernel errors which occur *during* the Anaconda installation are not treated the same way. There is no failing result indicating that something went wrong during the installation.

The first step is to capture the necessary logs from during the installation. That's bug 1602251. This RFE is about making Beaker catch problems and indicate them as a failure in the test results, in the same way it does for problems which occur after the reboot.
Comment 1 Dan Callaghan 2018-07-19 06:07:48 UTC 
Ideally we would re-use the existing AVC checking and dmesg checking logic from the harness. Right now the behaviour of both Beah and Restraint is not particularly consistent and Beah/RHTS in particular is totally undocumented with some surprising behaviour. But it is important that we at least avoid introducing *yet another* different set of checking logic that does not behave consistently.

Even if it's not possible to reuse the actual checking code from Restraint, we should at least ensure that the same (documented) checking logic is applied in both places.

See also bug 875543.
Comment 2 Dan Callaghan 2018-07-19 06:24:23 UTC 
From bug 1188539...

You should be able to trigger an AVC denial during installation (on RHEL7+) by putting this into the kickstart %pre or %post:

cat >/etc/systemd/system/denyme.service <<"EOF"
[Unit]
Description=Deny Me
[Service]
Type=oneshot
ExecStart=/bin/cat /root/.bash_profile
SELinuxContext=guest_u:guest_r:guest_t:s0
EOF
systemctl daemon-reload
systemctl start denyme

Producing fake kernel bug messages is even easier:

echo BUG this is a fake bug >/dev/kmsg