fedora-ci / installability-pipeline

installability pipeline

Selinux checks and reports #37

Open LecrisUT opened 1 week ago

LecrisUT commented 1 week ago

I am confused by the selinux checks and reports:

But the random bodhi update happened after openssh got stable, so why is that not failing on selinux? This failure is really weird. @AdamWill you investigated this at one point, do you have any ideas?

AdamWill commented 1 week ago

At a guess, the AVCs just don't happen on every package install. It probably depends on scriptlets, other packages in the transaction, and so on. Look at the full logs:

The success case is very simple - the package has no deps that aren't already installed (I guess python and whatever else it needs are already there), and the package itself has no scriptlets; it only triggers a single other scriptlet (from glibc). The failure case is far more complex - it pulls in 170+ additional dependencies, many of which run scriptlets. I would guess that something in that whole set is what triggers the AVCs. Unfortunately it doesn't look like it's possible to see exactly when during the transaction the AVCs were triggered, from that log.
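An added example, not part of the comments above and not the pipeline's own code: one way to narrow down which part of a large transaction produced an AVC is to bracket each denial's audit timestamp between the package actions recorded around it. It assumes the test system's raw `audit.log` and a dnf4-style `dnf.rpm.log` are both collected; the sample log lines, package names and the function names `parse_rpm_log` and `bracket_avcs` are constructed for illustration.

```python
import re
from bisect import bisect_right
from datetime import datetime

# Constructed sample logs (not from the runs linked in this issue).
# Assumed formats: dnf4-style dnf.rpm.log lines and raw audit.log AVC records.
RPM_LOG = """\
2024-05-01T10:00:01+0000 SUBDEBUG Installed: libexample-1.0-1.fc41.x86_64
2024-05-01T10:00:03+0000 SUBDEBUG Installed: exampled-2.3-4.fc41.x86_64
2024-05-01T10:00:07+0000 SUBDEBUG Installed: python3-sample-0.9-2.fc41.noarch
"""
AUDIT_LOG = """\
type=AVC msg=audit(1714557600.100:290): avc:  denied  { write } for  pid=1 comm="systemd" tclass=file permissive=0
type=AVC msg=audit(1714557604.512:301): avc:  denied  { read open } for  pid=912 comm="exampled" tclass=file permissive=0
type=SYSCALL msg=audit(1714557604.512:301): arch=c000003e syscall=257 success=no
type=AVC msg=audit(1714557605.020:302): avc:  denied  { getattr } for  pid=912 comm="exampled" tclass=file permissive=0
"""

RPM_RE = re.compile(r"^(\S+) SUBDEBUG \w+: (\S+)$")
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((\d+\.\d+):(\d+)\): avc:\s+denied\s+\{ ([^}]*) \}.*?comm="([^"]*)"'
)

def parse_rpm_log(text):
    """Return sorted (epoch_seconds, nevra) for each package action logged."""
    events = []
    for line in text.splitlines():
        m = RPM_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S%z")
            events.append((when.timestamp(), m.group(2)))
    return sorted(events)

def bracket_avcs(rpm_text, audit_text):
    """For each AVC denial, name the package actions logged just before and after it."""
    events = parse_rpm_log(rpm_text)
    times = [t for t, _ in events]
    rows = []
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no denial
        i = bisect_right(times, float(m.group(1)))
        rows.append({
            "serial": int(m.group(2)), "perms": m.group(3).split(), "comm": m.group(4),
            # The log line is assumed to be written when an action completes, so the
            # culprit may be either neighbour (its install or its scriptlets).
            "logged_before": events[i - 1][1] if i else None,
            "logged_after": events[i][1] if i < len(events) else None,
        })
    return rows
```

A denial with `logged_before` of `None` predates the first package action, which points at something outside the transaction rather than at a scriptlet.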