se_allowlist = self.config.get('allowlist', [])
if se_allowlist:
known_denials.extend(se_allowlist)
- ignore_known_denials = r'\'\(' + str.join(r'\|', known_denials) + r'\)\''
+ get_denials_cmd = ['sudo', 'grep', '-a', 'avc: .*denied', '/var/log/audit/audit.log']
+ filter_denials_cmd = ['grep', '-av']
+ for known_denial in known_denials:
+ filter_denials_cmd.extend(['-e', known_denial])
for remote in self.cluster.remotes.keys():
proc = remote.run(
- args=['sudo', 'grep', '-a', 'avc: .*denied',
- '/var/log/audit/audit.log', run.Raw('|'), 'grep', '-av',
- run.Raw(ignore_known_denials)],
+ args = get_denials_cmd + [run.Raw('|')] + filter_denials_cmd,
stdout=StringIO(),
check_status=False,
)
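Review bot: An empty string in the `allowlist` config value still reaches `filter_denials_cmd.extend(['-e', known_denial])` as an empty pattern, and `grep -v -e ''` discards every line, so all AVC denials would be hidden on every remote without any error. Nothing visible in the hunk validates `se_allowlist` before it is merged into `known_denials`; a guard before the new loop, such as `known_denials = [d for d in known_denials if isinstance(d, str) and d.strip()]`, would close that, or the task could raise on such an entry rather than drop it. As a style point, the new `args = get_denials_cmd + ...` line should be written `args=...` without spaces around `=`, matching the neighbouring `stdout=` and `check_status=`. The enclosing method starts and ends outside the hunk, so the default entries already in `known_denials` are not visible here.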