From 8c3ddf27e9e713059c899b68506986636525bc2a Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 17 Jul 2020 10:30:01 +0200 Subject: [PATCH] Add a basic sanity reboot test collecting AVCs In order to minimize possible damage on composes we need to be sure that a system can boot and it doesn't generate any AVC denial. This test reboots a machine and collects AVC, USER_AVC and SELINUX_ERR audit messages into avc.log file which is propagated as test artifact. --- tests/tests-reboot.yml | 49 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 tests/tests-reboot.yml diff --git a/tests/tests-reboot.yml b/tests/tests-reboot.yml new file mode 100644 index 00000000..44774a03 --- /dev/null +++ b/tests/tests-reboot.yml @@ -0,0 +1,49 @@ +--- +- hosts: localhost + vars: + - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}" + tags: + - classic + tasks: + # switch SELinux to permissive mode + - name: Get default kernel + command: "grubby --default-kernel" + register: default_kernel + - debug: msg="{{ default_kernel.stdout }}" + - name: Set permissive mode + command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}" + + - name: reboot + block: + - name: restart host + shell: sleep 2 && shutdown -r now "Ansible updates triggered" + async: 1 + poll: 0 + ignore_errors: true + + - name: wait for host to come back + wait_for_connection: + delay: 10 + timeout: 300 + + - name: Re-create /tmp/artifacts + command: mkdir /tmp/artifacts + + - name: Gather SELinux denials since boot + shell: | + result=pass + dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail + ausearch -m avc -m selinux_err -m user_avc -ts boot >> /tmp/avc.log 2> /tmp/avc.err.log + grep -q '' /tmp/avc.err.log || result=fail + echo -e "results:\n- test: reboot and collect AVC\n result: $result\n" > /tmp/results.yml + + always: + - name: Pull out the artifacts + fetch: + dest: "{{ artifacts }}/" + src: "{{ item }}" + flat: yes + with_items: + - /tmp/avc.log + - /tmp/avc.err.log + - /tmp/results.yml