--- - hosts: localhost vars: - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}" tags: - classic tasks: # switch SELinux to permissive mode - name: Get default kernel command: "grubby --default-kernel" register: default_kernel - debug: msg="{{ default_kernel.stdout }}" - name: Set permissive mode command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}" - name: reboot block: - name: restart host shell: sleep 2 && shutdown -r now "Ansible updates triggered" async: 1 poll: 0 ignore_errors: true - name: wait for host to come back wait_for_connection: delay: 10 timeout: 300 - name: Re-create /tmp/artifacts command: mkdir /tmp/artifacts - name: Gather SELinux denials since boot shell: | result=pass dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail ausearch -m avc -m selinux_err -m user_avc -ts boot >> /tmp/avc.log 2> /tmp/avc.err.log grep -q '' /tmp/avc.err.log || result=fail echo -e "results:\n- test: reboot and collect AVC\n result: $result\n" > /tmp/results.yml always: - name: Pull out the artifacts fetch: dest: "{{ artifacts }}/" src: "{{ item }}" flat: yes with_items: - /tmp/avc.log - /tmp/avc.err.log - /tmp/results.yml