selinux-policy/tests/tests-reboot.yml
Petr Lautrbach 8c3ddf27e9 Add a basic sanity reboot test collecting AVCs
In order to minimize possible damage on composes we need to be sure that a
system can boot and it doesn't generate any AVC denial.

This test reboots the machine and collects AVC, USER_AVC and SELINUX_ERR audit
messages into an avc.log file, which is propagated as a test artifact.
2020-08-25 12:25:34 +02:00


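---
# Sanity reboot test: put the default kernel into SELinux permissive mode,
# reboot, and collect every AVC / USER_AVC / SELINUX_ERR audit record produced
# since boot. Permissive mode lets the boot complete and records denials instead
# of blocking them; the test result is "fail" as soon as any denial is found.
- hosts: localhost
  vars:
    # Controller-side directory the logs are fetched into; the TEST_ARTIFACTS
    # environment variable overrides the default.
    artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
  tags:
    - classic
  tasks:
    # Switch SELinux to permissive mode for the next boot.
    - name: Get default kernel
      command: "grubby --default-kernel"
      register: default_kernel
      # Read-only query; never report it as a change.
      changed_when: false
    - name: Show default kernel
      debug:
        msg: "{{ default_kernel.stdout }}"
    # NOTE: enforcing=0 is written into the boot entry persistently and this
    # play never removes it, so the host stays permissive on every later boot
    # until the argument is removed again (grubby --remove-args). Fine for a
    # throwaway CI machine; not for anything that is kept afterwards.
    - name: Set permissive mode
      command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"
    - name: reboot
      block:
        # Fire-and-forget reboot: async/poll 0 returns before the connection
        # drops, and ignore_errors covers the connection being torn down early.
        - name: restart host
          shell: sleep 2 && shutdown -r now "Ansible updates triggered"
          async: 1
          poll: 0
          ignore_errors: true
        - name: wait for host to come back
          wait_for_connection:
            delay: 10
            timeout: 300
        # Idempotent: a plain `mkdir` fails the play if the directory survived
        # the reboot (non-tmpfs /tmp). Nothing below writes into it.
        - name: Re-create /tmp/artifacts
          file:
            path: /tmp/artifacts
            state: directory
        - name: Gather SELinux denials since boot
          shell: |
            result=pass
            # type=1400 are AVC records and type=1300 their SYSCALL records;
            # any hit in the kernel ring buffer is a failure.
            dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail
            # ausearch prints '<no matches>' on stderr when the audit log is
            # clean; anything else (matches, or ausearch missing) is a failure.
            ausearch -m avc -m selinux_err -m user_avc -ts boot >> /tmp/avc.log 2> /tmp/avc.err.log
            grep -q '<no matches>' /tmp/avc.err.log || result=fail
            # Two-space indent makes "result" a sibling of "test" in results.yml.
            echo -e "results:\n- test: reboot and collect AVC\n  result: $result\n" > /tmp/results.yml
      always:
        # Fetch the logs even when a task above failed, so the failure is
        # diagnosable from the artifacts.
        - name: Pull out the artifacts
          fetch:
            dest: "{{ artifacts }}/"
            src: "{{ item }}"
            flat: true
          with_items:
            - /tmp/avc.log
            - /tmp/avc.err.log
            - /tmp/results.yml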