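---
# Reboot test: boots the default kernel with enforcing=0, reboots the
# target, then collects the SELinux denials logged since that boot.
- hosts: localhost
  vars:
    # Controller-side directory that receives the fetched logs. Read from the
    # TEST_ARTIFACTS environment variable; default(..., true) also replaces
    # an empty value, which is what the env lookup returns when unset.
    artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"
  tags:
  - classic
  tasks: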
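  # Switch SELinux to permissive mode for the next boot.
  # First step: ask grubby which boot entry is the default one.
  - name: Get default kernel
    command: grubby --default-kernel
    register: default_kernel
    # Read-only query, so never report it as a change.
    changed_when: false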
  # Print the kernel path that the following task is about to modify.
  - debug:
      msg: "{{ default_kernel.stdout }}"
  # enforcing=0 is added to the arguments of the default boot entry, so the
  # host keeps booting with SELinux permissive after this test has finished.
  # No task in this play removes the argument again: run it only against a
  # disposable test machine, or restore the entry afterwards
  # (grubby --remove-args).
  - name: Set permissive mode
    command: >-
      grubby --args=enforcing=0
      --update-kernel {{ default_kernel.stdout }}
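  # Reboot the host, then record every SELinux denial seen since that boot.
  # The "always" section fetches the logs even when a task in "block" fails.
  - name: reboot
    block:
      # poll: 0 makes this fire-and-forget, so the task returns before the
      # shutdown drops the connection; errors are ignored, presumably for
      # the same reason.
      - name: restart host
        shell: sleep 2 && shutdown -r now "Ansible updates triggered"
        async: 1
        poll: 0
        ignore_errors: true

      - name: wait for host to come back
        wait_for_connection:
          delay: 10
          timeout: 300

      # Plain mkdir fails when the path already exists (for example if /tmp
      # is not cleared by the reboot), which skips the remaining block tasks.
      - name: Re-create /tmp/artifacts
        command: mkdir /tmp/artifacts

      # Writes three files:
      #   /tmp/avc.log      matching dmesg lines followed by ausearch output
      #   /tmp/results.yml  result record listing avc.log as its log
      #   /tmp/test.log     one-line PASS/FAIL summary
      # The result is "fail" when dmesg holds audit records of type 1300 or
      # 1400, or when ausearch did not print "<no matches>" (this includes
      # ausearch failing for any other reason).
      # NOTE(review): the files have fixed names in world-writable /tmp and
      # are written through shell redirection, which follows an existing
      # symlink. Fine on a single-user throwaway host; on a shared machine
      # write into a private directory (mktemp -d) instead.
      - name: Gather SELinux denials since boot
        shell: |
          result=pass
          dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail
          ausearch -m avc -m selinux_err -m user_avc -ts boot &>> /tmp/avc.log
          grep -q '<no matches>' /tmp/avc.log || result=fail
          echo -e "\nresults:\n- test: reboot and collect AVC\n  result: $result\n  logs:\n  - avc.log\n\n" > /tmp/results.yml
          ( [ "$result" = "pass" ] && echo PASS test-reboot || echo FAIL test-reboot ) > /tmp/test.log
        args:
          # "&>>" and "echo -e" are bash features, but the shell module runs
          # /bin/sh unless told otherwise.
          executable: /bin/bash

    always:
      # flat: true stores each file directly under {{ artifacts }}/ instead
      # of the per-host directory tree that fetch creates by default.
      - name: Pull out the artifacts
        fetch:
          dest: "{{ artifacts }}/"
          src: "{{ item }}"
          flat: true
        with_items:
          - /tmp/test.log
          - /tmp/avc.log
          - /tmp/results.yml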