8c3ddf27e9
In order to minimize possible damage on composes we need to be sure that a system can boot and it doesn't generate any AVC denial. This test reboots a machine and collects AVC, USER_AVC and SELINUX_ERR audit messages into avc.log file which is propagated as test artifact.
50 lines
1.5 KiB
YAML
50 lines
1.5 KiB
YAML
---
|
|
- hosts: localhost
|
|
vars:
|
|
- artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
|
|
tags:
|
|
- classic
|
|
tasks:
|
|
# switch SELinux to permissive mode
|
|
- name: Get default kernel
|
|
command: "grubby --default-kernel"
|
|
register: default_kernel
|
|
- debug: msg="{{ default_kernel.stdout }}"
|
|
- name: Set permissive mode
|
|
command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"
|
|
|
|
- name: reboot
|
|
block:
|
|
- name: restart host
|
|
shell: sleep 2 && shutdown -r now "Ansible updates triggered"
|
|
async: 1
|
|
poll: 0
|
|
ignore_errors: true
|
|
|
|
- name: wait for host to come back
|
|
wait_for_connection:
|
|
delay: 10
|
|
timeout: 300
|
|
|
|
- name: Re-create /tmp/artifacts
|
|
command: mkdir /tmp/artifacts
|
|
|
|
- name: Gather SELinux denials since boot
|
|
shell: |
|
|
result=pass
|
|
dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail
|
|
ausearch -m avc -m selinux_err -m user_avc -ts boot >> /tmp/avc.log 2> /tmp/avc.err.log
|
|
grep -q '<no matches>' /tmp/avc.err.log || result=fail
|
|
echo -e "results:\n- test: reboot and collect AVC\n result: $result\n" > /tmp/results.yml
|
|
|
|
always:
|
|
- name: Pull out the artifacts
|
|
fetch:
|
|
dest: "{{ artifacts }}/"
|
|
src: "{{ item }}"
|
|
flat: yes
|
|
with_items:
|
|
- /tmp/avc.log
|
|
- /tmp/avc.err.log
|
|
- /tmp/results.yml
|