9d2435f184
From time to time a systemd update brings new features that can break an SELinux-enabled system. To minimize possible damage to composes we need to be sure that a system can boot with the new systemd without generating any AVC denial. This test switches the default kernel entry to SELinux permissive mode (enforcing=0, so denials are logged instead of blocking the boot), reboots the machine, and collects the AVC, USER_AVC and SELINUX_ERR audit messages logged since boot into an avc.log file, which is propagated as a test artifact together with avc.err.log and a results.yml verdict (pass only when ausearch reports no matching records).
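---
# Reboot test: boot the default kernel entry with SELinux in permissive mode
# (enforcing=0) so every denial the new systemd would trigger is recorded by
# the audit subsystem instead of breaking the boot, then collect the AVC /
# USER_AVC / SELINUX_ERR records logged since boot as test artifacts.
#
# NOTE(review): presumably the CI inventory maps `localhost` to the provisioned
# test VM (the play reboots that host over its connection and waits for it to
# return). Pointed at a real control node it would reboot that node and make
# its default kernel entry permissive for the next boot, so run it only
# against disposable test systems.
- hosts: localhost
  vars:
    # Directory on the control node that receives the fetched artifacts;
    # overridable through the TEST_ARTIFACTS environment variable.
    artifacts: "{{ lookup('env', 'TEST_ARTIFACTS') | default('./artifacts', true) }}"
  tags:
    - classic
  tasks:
    # Find the kernel entry grubby will boot by default so the permissive
    # argument is attached to the entry that is actually booted.
    - name: Get default kernel
      command: "grubby --default-kernel"
      register: default_kernel
      changed_when: false

    - name: Show default kernel
      debug:
        msg: "{{ default_kernel.stdout }}"

    # Switch SELinux to permissive mode through the kernel command line only
    # (enforcing=0); /etc/selinux/config is left untouched. The argument is
    # removed again in the `always` section so enforcing mode is restored for
    # the boot after this test.
    - name: Set permissive mode
      command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"

    - name: reboot
      block:
        # The shutdown is fired asynchronously (async: 1 / poll: 0) so the
        # connection dropping mid-task does not fail the play; the short sleep
        # gives Ansible time to detach before sshd goes away.
        - name: restart host
          shell: sleep 2 && shutdown -r now "Ansible updates triggered"
          async: 1
          poll: 0
          ignore_errors: true

        - name: wait for host to come back
          wait_for_connection:
            delay: 10
            timeout: 300

        # `file` is idempotent, whereas `command: mkdir` fails when the
        # directory already exists (play re-run, /tmp not cleared on reboot).
        - name: Re-create /tmp/artifacts
          file:
            path: /tmp/artifacts
            state: directory
            mode: "0755"

        # The verdict relies on ausearch printing "<no matches>" on stderr
        # when nothing matched. Anything else -- matching records written to
        # avc.log, a missing audit log, ausearch not installed -- yields
        # `fail`, so a broken audit setup is never mistaken for a clean boot.
        # printf replaces `echo -e`, which is not portable to a non-bash
        # /bin/sh; the written results.yml is byte-identical.
        # Output files live under world-writable /tmp; acceptable on a
        # single-user test VM, revisit before running on a shared host.
        - name: Gather SELinux denials since boot
          shell: |
            ausearch -m avc -m selinux_err -m user_avc -ts boot > /tmp/avc.log 2> /tmp/avc.err.log
            if grep -q '<no matches>' /tmp/avc.err.log; then result=pass; else result=fail; fi
            printf 'results:\n- {result: %s, test: reboot}\n' "$result" > /tmp/results.yml

      always:
        - name: Pull out the artifacts
          fetch:
            dest: "{{ artifacts }}/"
            src: "{{ item }}"
            flat: true
          with_items:
            - /tmp/avc.log
            - /tmp/avc.err.log
            - /tmp/results.yml

        # Drop the permissive argument again so the next boot of this machine
        # enforces SELinux. Harmless on a throwaway CI VM, important on any
        # host that is reused. ignore_errors keeps a grubby failure here from
        # hiding the test verdict already fetched above.
        - name: Restore enforcing mode for the next boot
          command: "grubby --remove-args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"
          ignore_errors: true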