From 7eacc0efc6cdb6ffd9766a74b2907f536ec9c184 Mon Sep 17 00:00:00 2001
From: Zack Cerza <zack@redhat.com>
Date: Mon, 30 Jan 2023 12:46:59 -0700
Subject: [PATCH] task/selinux: Fix regressed grepping of audit logs

Fixes: https://tracker.ceph.com/issues/58610
Introduced: a106217
Signed-off-by: Zack Cerza <zack@redhat.com>
---
 teuthology/task/selinux.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/teuthology/task/selinux.py b/teuthology/task/selinux.py
index d28d606ef4..ca73907229 100644
--- a/teuthology/task/selinux.py
+++ b/teuthology/task/selinux.py
@@ -141,12 +141,13 @@ class SELinux(Task):
         se_allowlist = self.config.get('allowlist', [])
         if se_allowlist:
             known_denials.extend(se_allowlist)
-        ignore_known_denials = r'\'\(' + str.join(r'\|', known_denials) + r'\)\''
+        get_denials_cmd = ['sudo', 'grep', '-a', 'avc: .*denied', '/var/log/audit/audit.log']
+        filter_denials_cmd = ['grep', '-av']
+        for known_denial in known_denials:
+            filter_denials_cmd.extend(['-e', known_denial])
         for remote in self.cluster.remotes.keys():
             proc = remote.run(
-                args=['sudo', 'grep', '-a', 'avc: .*denied',
-                      '/var/log/audit/audit.log', run.Raw('|'), 'grep', '-av',
-                      run.Raw(ignore_known_denials)],
+                args = get_denials_cmd + [run.Raw('|')] + filter_denials_cmd,
                 stdout=StringIO(),
                 check_status=False,
             )
-- 
2.39.5