Add a basic sanity reboot test collecting AVCs

From time to time there's systemd update with new features which could break an
SELinux enabled system. In order to minimize possible damage on composes we need
to be sure that a system can boot with new systemd and it doesn't generate any
AVC denial.

This test reboots a machine and collects AVC, USER_AVC and SELINUX_ERR audit
messages into avc.log file which is propagated as test artifact.

tests/test-reboot.yml

@@ -0,0 +1,47 @@
+---
+- hosts: localhost
+  vars:
+  - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
+  tags:
+  - classic
+  tasks:
+  # switch SELinux to permissive mode
+  - name: Get default kernel
+    command: "grubby --default-kernel"
+    register: default_kernel
+  - debug: msg="{{ default_kernel.stdout }}"
+  - name: Set permissive mode
+    command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"
+
+  - name: reboot
+    block:
+      - name: restart host
+        shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+        async: 1
+        poll: 0
+        ignore_errors: true
+
+      - name: wait for host to come back
+        wait_for_connection:
+          delay: 10
+          timeout: 300
+
+      - name: Re-create /tmp/artifacts
+        command: mkdir /tmp/artifacts
+
+      - name: Gather SELinux denials since boot
+        shell: |
+            ausearch -m avc -m selinux_err -m user_avc -ts boot > /tmp/avc.log 2> /tmp/avc.err.log
+            grep -q '<no matches>' /tmp/avc.err.log && result=pass || result=fail
+            echo -e "results:\n- {result: $result, test: reboot}" > /tmp/results.yml
+
+    always:
+      - name: Pull out the artifacts
+        fetch:
+          dest: "{{ artifacts }}/"
+          src: "{{ item }}"
+          flat: yes
+        with_items:
+          - /tmp/avc.log
+          - /tmp/avc.err.log
+          - /tmp/results.yml

tests/tests.yml

@@ -0,0 +1 @@
+- import_playbook: test-reboot.yml