From 9d2435f184883bb6abc5f5f37aaf136076184d96 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Jun 30 2020 09:11:57 +0000 Subject: Add a basic sanity reboot test collecting AVCs From time to time there's systemd update with new features which could break an SELinux enabled system. In order to minimize possible damage on composes we need to be sure that a system can boot with new systemd and it doesn't generate any AVC denial. This test reboots a machine and collects AVC, USER_AVC and SELINUX_ERR audit messages into avc.log file which is propagated as test artifact. --- diff --git a/tests/test-reboot.yml b/tests/test-reboot.yml new file mode 100644 index 0000000..f073546 --- /dev/null +++ b/tests/test-reboot.yml @@ -0,0 +1,47 @@ +--- +- hosts: localhost + vars: + - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}" + tags: + - classic + tasks: + # switch SELinux to permissive mode + - name: Get default kernel + command: "grubby --default-kernel" + register: default_kernel + - debug: msg="{{ default_kernel.stdout }}" + - name: Set permissive mode + command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}" + + - name: reboot + block: + - name: restart host + shell: sleep 2 && shutdown -r now "Ansible updates triggered" + async: 1 + poll: 0 + ignore_errors: true + + - name: wait for host to come back + wait_for_connection: + delay: 10 + timeout: 300 + + - name: Re-create /tmp/artifacts + command: mkdir /tmp/artifacts + + - name: Gather SELinux denials since boot + shell: | + ausearch -m avc -m selinux_err -m user_avc -ts boot > /tmp/avc.log 2> /tmp/avc.err.log + grep -q '' /tmp/avc.err.log && result=pass || result=fail + echo -e "results:\n- {result: $result, test: reboot}" > /tmp/results.yml + + always: + - name: Pull out the artifacts + fetch: + dest: "{{ artifacts }}/" + src: "{{ item }}" + flat: yes + with_items: + - /tmp/avc.log + - /tmp/avc.err.log + - /tmp/results.yml 
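Review bot: The pass/fail line in the "Gather SELinux denials since boot" task, `grep -q '' /tmp/avc.err.log && result=pass || result=fail`, reports pass whenever ausearch wrote anything at all to stderr, so an ausearch that fails outright (auditd not installed, unreadable audit log, rejected option) passes exactly like a clean boot, and only a run that found denials and printed nothing on stderr fails. Since the test exists to catch AVCs, the verdict should key on the denial output itself, e.g. `if [ -s /tmp/avc.log ]; then result=fail; elif grep -q '<no matches>' /tmp/avc.err.log; then result=pass; else result=fail; fi` (ausearch prints `<no matches>` on stderr when nothing matched, as far as I recall; an empty avc.log with any other stderr then surfaces as a failure instead of a silent pass). Separately, `grubby --args=enforcing=0 --update-kernel ...` permanently edits the default kernel's boot entry and nothing in the `always:` block reverts it, so the host stays in permissive mode after the test; a `grubby --remove-args=enforcing=0 --update-kernel {{ default_kernel.stdout }}` task in `always:` would return it to enforcing. Also note that root writes the results to fixed names under /tmp via shell redirection, which is fine on a throwaway test VM but deserves a comment if this playbook ever runs on a shared host.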
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..b073ca5
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1 @@
+- import_playbook: test-reboot.yml