Last modified on 08/21/08 13:28:33

A simple tutorial on writing your test in Python


A test consists of two files:

  • source file "", which is usually located in /usr/share/sectool/tests/
  • description file "", the number before the underscore specifies the order in which sectool starts the tests. Usual location: /etc/sectool/tests.

Description file

The purpose of the description file is to create an abstraction layer between sectool and the script source, so that tests can more easily be implemented in different languages. Let's have a look at its syntax.

The description file consists of at least two sections: header and default. This is an example of a header section:

DESCRIPTION="Example test. It only checks if you have selinux enabled."
LEVELS="2 3 4 5"

As you could guess,

  • NAME - defines test name,
  • FILE_NAME - is the name of source file,
  • DESCRIPTION - describes what the test does,
  • LEVELS - specifies the levels in which the test is enabled by default,
  • GROUPS - tests may be grouped in one or more groups,
  • DEPS - the binaries the test depends on; if they are not available on the system, the test won't run.

In the default section we specify test settings via environment variables that sectool sets up before the test starts. For example:


The last, optional, part of the description file is a set of [LEVEL_{12345}] sections. In this part, we can override the default settings for certain levels.
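
How the default and [LEVEL_n] sections combine for a given level, as an added example (not sectool's own code). The bracketed [HEADER] and [DEFAULT] section names, the MODE values, the function names and the choice to return None for a level not listed in LEVELS are assumptions made for illustration.

```python
import re

# Constructed sample. Assumptions: the [HEADER] and [DEFAULT] section names
# and the MODE values; [LEVEL_n] and the header keys come from the page.
SAMPLE_DSC = '''\
[HEADER]
DESCRIPTION="Example test. It only checks if you have selinux enabled."
LEVELS="2 3 4 5"

[DEFAULT]
MODE="Enforcing"

[LEVEL_2]
MODE="Permissive"
'''

LINE_RE = re.compile(r'^([A-Z_][A-Z0-9_]*)=(.*)$')

def parse_dsc(text):
    """Return {section_name: {KEY: value}} for a description file."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = sections.setdefault(line[1:-1].upper(), {})
            continue
        m = LINE_RE.match(line)
        if m is None or current is None:
            raise ValueError('line %d: unexpected content: %r' % (lineno, raw))
        value = m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]  # drop the surrounding quotes
        current[m.group(1)] = value
    return sections

def settings_for_level(sections, level):
    """Settings for one level, or None if the test is not enabled there."""
    if 'HEADER' not in sections or 'DEFAULT' not in sections:
        raise ValueError('description file needs header and default sections')
    enabled = sections['HEADER'].get('LEVELS', '').split()
    if str(level) not in enabled:
        return None
    env = dict(sections['DEFAULT'])
    env.update(sections.get('LEVEL_%d' % level, {}))  # level overrides default
    return env
```

With these constructed values, level 2 resolves MODE to Permissive while levels 3 to 5 keep the default Enforcing.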


Source file

Python test source begins with:

#!/usr/bin/env python
from python_defs import *

python_defs is a Python library that provides functions for unified output, which can be easily parsed by the sectool test runner.

The rest of the test is its body. We should use these functions in it:

  • report - to report errors and warnings that were discovered by test,
  • test_exit - to finish the test.

report syntax: report( type, id, msg )

  • type:
    • ERROR - something wrong discovered
    • WARNING - theoretical problem discovered
    • HINT - advice, how to fix error or warning
    • INFO - info message
  • id - pairs an error or a warning with its hint
  • msg - the message text

test_exit syntax: test_exit( E_OK|E_FAIL|E_FATAL, message )

  • E_OK - test runs without problems
  • E_FAIL - something unexpected happened, test couldn't be finished
  • E_FATAL - something unexpected happened, all tests in queue are cancelled

E_FAIL and E_FATAL are followed by an explanation message.

Example test body:

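selinux_mode = get_selinux_mode()
# Report only when the mode is neither the configured MODE nor 'Enforcing'
if (selinux_mode != get_var('MODE')) and (selinux_mode != 'Enforcing'):
    report(ERROR, 1, "Selinux is disabled or running in wrong mode")
    # The shared id (1) pairs this hint with the error above
    report(HINT, 1, "see man selinux")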



When you merge these examples you get 09_someName1.dsc and the source file. Place them in "/usr/share/sectool/tests", set root as their owner, and enjoy sectool :-).

Usage examples:

# getenforce

# sectool -i selinux
Name         : selinux
Script name  :
Groups       : selinux
Levels       : 2 3 4 5
Description  : Example test. It only checks if you have selinux enabled.

# sectool -n -r selinux
Test Name: selinux                                            Test Result: ERROR
        Error(01)     Selinux is disabled or running in wrong mode
        Hint(01)      see man selinux

# sectool -L 2 -r selinux
Test Name: selinux                                             Test Result: PASS