From 4697d1c8144c80f7dcc86caad9402951797697f5 Mon Sep 17 00:00:00 2001 From: Pavel Holica Date: Tue, 25 Nov 2025 12:22:18 +0100 Subject: [PATCH 1/2] Add fixture for checking SELinux denials in all tests --- integration-tests/conftest.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/integration-tests/conftest.py b/integration-tests/conftest.py index 1b1a91f4..ffc18626 100644 --- a/integration-tests/conftest.py +++ b/integration-tests/conftest.py @@ -134,3 +134,20 @@ def check_is_bootc_system(): ) except FileNotFoundError: return False + + +@pytest.fixture(autouse=True) +def check_avcs(): + checkpoint_file = f"/tmp/avc_checkpoint.{os.getpid()}" + subprocess.run( + ["ausearch", "-m", "AVC", "--checkpoint", checkpoint_file], + stdout=subprocess.DEVNULL, + stderr=subprocess.DEVNULL, + ) + yield + avcs = subprocess.run( + ["ausearch", "-m", "AVC", "--checkpoint", checkpoint_file], + stdout=subprocess.PIPE, + ) + if avcs.stdout: + pytest.fail("AVCs detected during test run!\n" + avcs.stdout.decode()) From 2403aca40f7572bedb67fed171b95ed6fe2ef77a Mon Sep 17 00:00:00 2001 From: Pavel Holica Date: Fri, 16 Jan 2026 07:17:58 +0100 Subject: [PATCH 2/2] Test pytest fixture parameterization --- integration-tests/conftest.py | 20 +++++++++++++------- integration-tests/test_selinux.py | 4 ++++ systemtest/tests/integration/test.sh | 2 +- 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/integration-tests/conftest.py b/integration-tests/conftest.py index ffc18626..45f2daa6 100644 --- a/integration-tests/conftest.py +++ b/integration-tests/conftest.py @@ -137,17 +137,23 @@ def check_is_bootc_system(): @pytest.fixture(autouse=True) -def check_avcs(): +def check_avcs(request): + try: + avc_skiplist = request.node.get_closest_marker("avc_skiplist").args[0] + except AttributeError: + avc_skiplist = () checkpoint_file = f"/tmp/avc_checkpoint.{os.getpid()}" subprocess.run( ["ausearch", "-m", "AVC", "--checkpoint", checkpoint_file], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, ) + def test_check_avcs(): + avcs = subprocess.run( + ["ausearch", "-m", "AVC", "--checkpoint", checkpoint_file], + stdout=subprocess.PIPE, + ) + if avcs.stdout: + pytest.fail("AVCs detected during test run!\n" + avcs.stdout.decode()) + request.addfinalizer(test_check_avcs) yield - avcs = subprocess.run( - ["ausearch", "-m", "AVC", "--checkpoint", checkpoint_file], - stdout=subprocess.PIPE, - ) - if avcs.stdout: - pytest.fail("AVCs detected during test run!\n" + avcs.stdout.decode()) diff --git a/integration-tests/test_selinux.py b/integration-tests/test_selinux.py index 06edaa7c..ec397fea 100644 --- a/integration-tests/test_selinux.py +++ b/integration-tests/test_selinux.py @@ -387,3 +387,7 @@ def test_selinux_core_context(insights_client): "under incorrect SELinux context or the selinux policy is too graceful.\n" "Only following AVCs were hit:\n" + checker.get_denials() ) + +@pytest.mark.avc_skiplist((".*",)) +def test_avc_fixture(): + pass diff --git a/systemtest/tests/integration/test.sh b/systemtest/tests/integration/test.sh index d1044f47..41ddd01b 100755 --- a/systemtest/tests/integration/test.sh +++ b/systemtest/tests/integration/test.sh @@ -40,7 +40,7 @@ python3 -m venv venv pip install -r integration-tests/requirements.txt -pytest --log-level debug --junit-xml=./junit.xml -v integration-tests ${PYTEST_FILTER:+-k "${PYTEST_FILTER}"} +pytest --setup-show --log-level debug --junit-xml=./junit.xml -v integration-tests ${PYTEST_FILTER:+-k "${PYTEST_FILTER}"} retval=$? if [ -d "$TMT_PLAN_DATA" ]; then