From: Zack Cerza <zack@redhat.com>
Date: Mon, 30 Jan 2023 19:46:59 +0000 (-0700)
Subject: task/selinux: Fix regressed grepping of audit logs
X-Git-Tag: 1.2.0~130^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=7eacc0efc6cdb6ffd9766a74b2907f536ec9c184;p=teuthology.git

task/selinux: Fix regressed grepping of audit logs

Fixes: https://tracker.ceph.com/issues/58610
Introduced: a106217
Signed-off-by: Zack Cerza <zack@redhat.com>
---

diff --git a/teuthology/task/selinux.py b/teuthology/task/selinux.py
index d28d606ef..ca7390722 100644
--- a/teuthology/task/selinux.py
+++ b/teuthology/task/selinux.py
@@ -141,12 +141,13 @@ class SELinux(Task):
         se_allowlist = self.config.get('allowlist', [])
         if se_allowlist:
             known_denials.extend(se_allowlist)
-        ignore_known_denials = r'\'\(' + str.join(r'\|', known_denials) + r'\)\''
+        get_denials_cmd = ['sudo', 'grep', '-a', 'avc: .*denied', '/var/log/audit/audit.log']
+        filter_denials_cmd = ['grep', '-av']
+        for known_denial in known_denials:
+            filter_denials_cmd.extend(['-e', known_denial])
         for remote in self.cluster.remotes.keys():
             proc = remote.run(
-                args=['sudo', 'grep', '-a', 'avc: .*denied',
-                      '/var/log/audit/audit.log', run.Raw('|'), 'grep', '-av',
-                      run.Raw(ignore_known_denials)],
+                args = get_denials_cmd + [run.Raw('|')] + filter_denials_cmd,
                 stdout=StringIO(),
                 check_status=False,
             )