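---
# Test play: put SELinux into permissive mode, reboot, collect the AVC /
# SELinux denials recorded since boot, and fetch the logs plus a small
# results file back to the controller's artifacts directory.
#
# NOTE(review): grubby, shutdown and ausearch require root, but no `become`
# is set here, so the play assumes the connection user is already root.
- hosts: localhost
  vars:
    # Destination for fetched logs on the controller; TEST_ARTIFACTS
    # overrides the default relative directory.
    artifacts: "{{ lookup('env', 'TEST_ARTIFACTS') | default('./artifacts', true) }}"
  tags:
    - classic
  tasks:
    # Switch SELinux to permissive mode by appending enforcing=0 to the
    # default kernel's command line. grubby writes this into the bootloader
    # config, so it is not a one-shot setting: it stays in effect on every
    # later boot of that kernel until the argument is removed again.
    - name: Get default kernel
      command: grubby --default-kernel
      register: default_kernel

    - name: Show default kernel
      debug:
        msg: "{{ default_kernel.stdout }}"

    - name: Set permissive mode
      command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"

    - name: reboot
      block:
        - name: restart host
          shell: sleep 2 && shutdown -r now "Ansible updates triggered"
          async: 1
          poll: 0
          # The connection is expected to drop while the host goes down.
          ignore_errors: true

        - name: wait for host to come back
          wait_for_connection:
            delay: 10
            timeout: 300

        # The task name implies /tmp is cleared by the reboot. The file
        # module is idempotent, whereas a bare `mkdir` fails if the
        # directory already exists (e.g. when the play is re-run).
        - name: Re-create /tmp/artifacts
          file:
            path: /tmp/artifacts
            state: directory

        # result is "fail" if either source shows a denial: dmesg lines of
        # audit type 1300/1400, or ausearch output. ausearch reports
        # "<no matches>" on stderr when it found nothing, so the absence
        # of that marker in avc.err.log is treated as a failure.
        - name: Gather SELinux denials since boot
          shell: |
            result=pass
            dmesg | grep -i -e type=1300 -e type=1400 > /tmp/avc.log && result=fail
            ausearch -m avc -m selinux_err -m user_avc -ts boot >> /tmp/avc.log 2> /tmp/avc.err.log
            grep -q '<no matches>' /tmp/avc.err.log || result=fail
            echo -e "results:\n- test: reboot and collect AVC\n  result: $result\n" > /tmp/results.yml

      # Runs even if a task in the block failed, so partial logs are kept.
      always:
        - name: Pull out the artifacts
          fetch:
            dest: "{{ artifacts }}/"
            src: "{{ item }}"
            flat: true
          with_items:
            - /tmp/avc.log
            - /tmp/avc.err.log
            - /tmp/results.yml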