Bug 693353

Summary: [RFE] functions to check AVC denials for particular pieces of code
Product: [Fedora] Fedora Reporter: Karel Srot <ksrot>
Component: beakerlibAssignee: Dalibor Pospíšil <dapospis>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: pmuller, psplicha
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-02 13:54:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 555302    
Bug Blocks:    

Description Karel Srot 2011-04-04 12:05:30 UTC 
Description of problem:

Beakerlib functions which are more fancy than:
START_DATE_TIME=`date "+%m/%d/%Y %T"`
and
ausearch -m AVC -ts ${START_DATE_TIME}

Something like
rlSESetTimestamp [label]
rlSECheckAVC [label]

^ ^ This is what I am using at the moment. My current implementation below:


# save the timestamp in ausearch friendly format
# timestamps are available as global variables TIMESTAMP[_NAME]
# Usage: rlSESetTimestamp  [timestamp_name]
function rlSESetTimestamp() {

	local STAMP=`date "+%m/%d/%Y %T"`
	local NAME="TIMESTAMP"
	
	[ -z "$1" ] || NAME="${NAME}_$1"
	eval "export $NAME='$STAMP'"
	rlLog "Setting timestamp '$NAME' [$STAMP]"

}


# function checkes whether there are any AVC since the defined TIMESTAMP
# Usage: rlSECheckAVC [timestamp_name]
function rlSECheckAVC() {

	local NAME="TIMESTAMP"
	[ -z "$1" ] || NAME="${NAME}_$1"

	local STAMP=`eval "echo \\$$NAME"`
	if [ -z "$STAMP" ]; then
		rlLogError "Timestamp $NAME is not defined"
		return 1
	else
		rlRun "ausearch -m AVC -ts $STAMP 2>&1 | grep -v '<no matches>'" 1 "Check AVC since timestamp '$NAME' [$STAMP]"
	fi

}
Comment 1 Petr Muller 2011-04-08 15:26:23 UTC 
Journal overhaul is the prerequisite, I like the concept
Comment 2 Fedora Admin XMLRPC Client 2014-09-02 12:13:24 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 3 Dalibor Pospíšil 2014-09-02 13:54:07 UTC 
This is currently covered by library(selinux-policy/common). There seems to be no urge to make it available in upstream. Feel free to reopen this bug in case the beaker library is insufficient.