
New validation: validate-selinux

This validation ensures we don't have any untracked AVCs in system
audit.log.
Untracked AVCs usually point at a policy gap that can break a deploy or degrade
the user experience later on, so we want to make sure we are running on a clean
system before and after deploying.

This validation will also be used within the CI job in order to ensure a
green job doesn't have any AVC - for now, it's not checked at all...

Change-Id: I4b6b151a89f3fcf0a1ed94390175d2f8230b90d7
(cherry picked from commit 718a2ccd82)
Cédric Jeanneret Gael Chamoulaud (Strider) 2 months ago
parent
commit
65ceb1ce3f
13 changed files with 450 additions and 3 deletions
  1. +6
    -0
      doc/source/roles/role-validate-selinux.rst
  2. +21
    -0
      playbooks/validate-selinux.yaml
  3. +27
    -0
      roles/validate-selinux/defaults/main.yml
  4. +15
    -0
      roles/validate-selinux/handlers/main.yml
  5. +37
    -0
      roles/validate-selinux/molecule/default/Dockerfile
  6. +49
    -0
      roles/validate-selinux/molecule/default/molecule.yml
  7. +63
    -0
      roles/validate-selinux/molecule/default/playbook.yml
  8. +57
    -0
      roles/validate-selinux/molecule/default/prepare.yml
  9. +15
    -0
      roles/validate-selinux/molecule/default/verify.yml
  10. +123
    -0
      roles/validate-selinux/tasks/main.yml
  11. +3
    -0
      roles/validate-selinux/templates/skip-list.j2
  12. +22
    -0
      roles/validate-selinux/vars/main.yml
  13. +12
    -3
      zuul.d/molecule.yaml

+ 6
- 0
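--- a/doc/source/roles/role-validate-selinux.rst
+++ b/doc/source/roles/role-validate-selinux.rst
@@ -0,0 +1,6 @@
+================
+validate-selinux
+================
+
+.. ansibleautoplugin::
+:role: roles/validate-selinux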

+ 21
- 0
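--- a/playbooks/validate-selinux.yaml
+++ b/playbooks/validate-selinux.yaml
@@ -0,0 +1,21 @@
+---
+- hosts: all
+vars:
+metadata:
+name: validate-selinux
+description: >-
+Ensures we don't have any SELinux denials on the system
+groups:
+- pre-deployment
+- post-deployment
+- pre-upgrade
+- post-upgrade
+validate_selinux_working_dir: /var/log/validations
+validate_selinux_audit_source: /var/log/audit/audit.log
+validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
+validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
+validate_selinux_strict: false
+validate_selinux_filter: "None"
+validate_selinux_skip_list: {}
+roles:
+- validate-selinux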
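Review bot: Re-declaring every role default under the play's `vars:` (`validate_selinux_strict: false`, `validate_selinux_skip_list: {}`, …) takes the knobs away from inventory: play vars outrank group_vars/host_vars, so an operator can only turn strict mode on with `-e` extra-vars. If the intent is to document the tunables, the role's defaults/main.yml already does that; otherwise drop the duplicated block and keep only `metadata`. The `{}` value also disagrees with how the role consumes it — `skip-list.j2` iterates the variable as a list of `{entry, comment}` items (which is what the molecule scenario passes), so `validate_selinux_skip_list: []` is the shape callers should copy from here.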

+ 27
- 0
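--- a/roles/validate-selinux/defaults/main.yml
+++ b/roles/validate-selinux/defaults/main.yml
@@ -0,0 +1,27 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should place placed in this file.
+
+# All variables within this role should have a prefix of "validate_selinux"
+validate_selinux_working_dir: /var/log/validations
+validate_selinux_audit_source: /var/log/audit/audit.log
+validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
+validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
+validate_selinux_strict: false
+validate_selinux_filter: "None"
+validate_selinux_skip_list: {}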
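Review bot: `validate_selinux_skip_list: {}` declares a mapping, but the role iterates the value as a list of `{entry: ..., comment: ...}` items (the molecule scenario passes exactly that), so the documented default should read `validate_selinux_skip_list: []`. Because a default is always present, the tasks' `when: validate_selinux_skip_list is not defined` can never be true, which means `validate_selinux_filter` has no effect unless a caller undefines the variable — that caveat belongs next to the knob. `validate_selinux_filter: "None"` is a string sentinel compared with `!= 'None'` in the tasks; a short comment such as `# Path to a vars file providing validate_selinux_skip_list; the string "None" disables it` spares the reader a trip to tasks/main.yml. Also `should place placed` in the header comment should be `should be placed`.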

+ 15
- 0
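--- a/roles/validate-selinux/handlers/main.yml
+++ b/roles/validate-selinux/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.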

+ 37
- 0
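--- a/roles/validate-selinux/molecule/default/Dockerfile
+++ b/roles/validate-selinux/molecule/default/Dockerfile
@@ -0,0 +1,37 @@
+# Molecule managed
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
+elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
+elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
+elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
+
+{% for pkg in item.easy_install | default([]) %}
+# install pip for centos where there is no python-pip rpm in default repos
+RUN easy_install {{ pkg }}
+{% endfor %}
+
+
+CMD ["sh", "-c", "while true; do sleep 10000; done"]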

+ 49
- 0
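--- a/roles/validate-selinux/molecule/default/molecule.yml
+++ b/roles/validate-selinux/molecule/default/molecule.yml
@@ -0,0 +1,49 @@
+---
+driver:
+name: docker
+
+log: true
+
+platforms:
+- name: centos7
+hostname: centos7
+image: centos:7
+dockerfile: Dockerfile
+pkg_extras: python-setuptools
+easy_install:
+- pip
+environment: &env
+http_proxy: "{{ lookup('env', 'http_proxy') }}"
+https_proxy: "{{ lookup('env', 'https_proxy') }}"
+
+- name: fedora28
+hostname: fedora28
+image: fedora:28
+dockerfile: Dockerfile
+pkg_extras: python*-setuptools
+environment:
+<<: *env
+
+provisioner:
+name: ansible
+log: true
+env:
+ANSIBLE_STDOUT_CALLBACK: yaml
+ANSIBLE_LIBRARY: "../../../../library"
+
+scenario:
+test_sequence:
+- destroy
+- create
+- prepare
+- converge
+- verify
+- destroy
+
+lint:
+enabled: false
+
+verifier:
+name: testinfra
+lint:
+name: flake8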
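Review bot: `lint: enabled: false` switches yamllint/ansible-lint off for this scenario, so the kind of findings a linter would raise in the new role (for instance `ignore_errors: true` on the two `shell` tasks in tasks/main.yml) never reach CI; unless every other role's scenario does the same, prefer `enabled: true` and fix what it reports. `image: centos:7` and `image: fedora:28` are floating tags, so the base image the job tests against can change under it; if reproducibility of the molecule run matters, pin a digest. The `verify` step in `test_sequence` is wired to testinfra while the role ships an empty `verify.yml` playbook, so that step currently asserts nothing.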

+ 63
- 0
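--- a/roles/validate-selinux/molecule/default/playbook.yml
+++ b/roles/validate-selinux/molecule/default/playbook.yml
@@ -0,0 +1,63 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+hosts: all
+gather_facts: no
+vars:
+validate_selinux_working_dir: '/tmp'
+
+tasks:
+- name: Simple run without filter against clean auditlog
+include_role:
+name: validate-selinux
+vars:
+validate_selinux_audit_source: '/var/log/audit-clean.log'
+
+- name: Run with filter against unclean auditlog
+include_role:
+name: validate-selinux
+vars:
+validate_selinux_audit_source: '/var/log/audit-unclean.log'
+validate_selinux_skip_list:
+- entry: 'tcontext=system_u:system_r:init_t'
+comment: 'This one is a real-life entry'
+- entry: 'tcontext=system_u:system_r:system_dbusd_t'
+comment: 'This one is another real-life entry'
+
+- name: Run without filter against unclean auditlog
+block:
+- name: Run role
+include_role:
+name: validate-selinux
+vars:
+validate_selinux_audit_source: '/var/log/audit-unclean.log'
+validate_selinux_strict: true
+rescue:
+- name: Clear host error
+meta: clear_host_errors
+
+- name: Status message
+debug:
+msg: 'Successfully detected denials issue!'
+
+- name: End play
+meta: end_play
+
+- name: Fail if we get to this place
+fail:
+msg: 'Unit test failed: did not detect untracked denials!'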
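Review bot: The second run ("Run with filter against unclean auditlog") cannot fail: `validate_selinux_strict` keeps its default of false, so the role only prints a message whatever the filter leaves behind — and the two skip entries do not cover the `tcontext=system_u:system_r:certmonger_t` and `tcontext=system_u:system_r:container_t` lines of the unclean fixture, so the filtered file is in fact non-empty. Add entries for those contexts and set `validate_selinux_strict: true` on that run so a broken filter fails the job, or follow it with a `stat` on `validate_selinux_filtered_denials_dest` and an `assert` on `stat.size == 0`. Setting `validate_selinux_working_dir: '/tmp'` also hides that the role never creates its working directory; the default `/var/log/validations` is what production runs will hit, so at least one run should keep it (after a `file: state: directory` in prepare.yml).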

+ 57
- 0
roles/validate-selinux/molecule/default/prepare.yml

@@ -0,0 +1,57 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.


- name: Prepare
hosts: all
gather_facts: no

tasks:
- name: Populate fake clean auditlog
copy:
dest: /var/log/audit-clean.log
owner: root
mode: 0600
group: root
content: |
type=SERVICE_START msg=audit(1575877870.934:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1575878320.981:287): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1575878471.739:288): pid=4430 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_CMD msg=audit(1575878471.740:289): pid=4430 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd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exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1575878554.296:294): pid=4445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_CMD msg=audit(1575878554.296:295): pid=4445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267206C697374202F6D656469612F6261636B7570732F7268656C exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1575878555.032:300): pid=4449 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_CMD msg=audit(1575878555.032:301): pid=4449 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267207072756E65202D70202D2D6B6565702D77697468696E203277202D2D7374617473202F6D656469612F6261636B7570732F7268656C exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_START msg=audit(1575878869.915:306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1575878900.615:312): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

- name: Populate unclean auditlog
copy:
dest: /var/log/audit-unclean.log
owner: root
mode: 0600
group: root
content: |
type=AVC msg=audit(1575534183.234:4933): avc: denied { write } for pid=11266 comm="iptables" path="pipe:[231496]" dev="pipefs" ino=231496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(1575534183.342:4934): avc: denied { write } for pid=11284 comm="iptables" path="pipe:[231496]" dev="pipefs" ino=231496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1
type=USER_AVC msg=audit(1575535009.861:5275): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=38869 scontext=system_u:system_r:container_t:s0:c313,c573 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535009.861:5276): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=38869 tpid=1 scontext=system_u:system_r:container_t:s0:c313,c573 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535009.862:5277): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1198 spid=1 tpid=38869 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c313,c573 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535013.340:5290): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=39132 scontext=system_u:system_r:container_t:s0:c192,c917 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535013.341:5291): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=39132 tpid=1 scontext=system_u:system_r:container_t:s0:c192,c917 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535013.342:5292): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1209 spid=1 tpid=39132 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c192,c917 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535028.912:5307): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=39430 scontext=system_u:system_r:container_t:s0:c776,c848 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=USER_AVC msg=audit(1575535028.913:5308): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=39430 tpid=1 scontext=system_u:system_r:container_t:s0:c776,c848 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
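Review bot: Every record in the unclean fixture carries `permissive=1`, so the scenario only ever sees denials logged in permissive mode; adding one `permissive=0` line (an `AVC` and a `USER_AVC`) documents that the role's `grep denied` treats enforcing-mode denials the same way. The `USER_CMD` records in the clean fixture carry hex-encoded `cmd=` payloads and `cwd="/root"` that look lifted from a live host; fixtures copied out of a real audit log are worth sanitising before they land in a public repository. A one-line comment above each `copy` stating the fixture's contract would make the scenario self-describing: `# no line contains "denied"` for the clean log, `# mix of AVC and USER_AVC denials across three target contexts` for the unclean one.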

+ 15
- 0
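--- a/roles/validate-selinux/molecule/default/verify.yml
+++ b/roles/validate-selinux/molecule/default/verify.yml
@@ -0,0 +1,15 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.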
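Review bot: `verify.yml` contains only the license header, and molecule.yml sets `verifier: name: testinfra`, which runs Python tests rather than this playbook, so the scenario's `verify` step checks nothing and all pass/fail logic sits in the converge playbook's block/rescue. Either move the post-conditions here — a `stat` on the filtered denials file plus an `assert` on its `size` for the clean and filtered runs — with the verifier switched to `ansible`, or drop the file so the next reader does not expect checks in it.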

+ 123
- 0
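--- a/roles/validate-selinux/tasks/main.yml
+++ b/roles/validate-selinux/tasks/main.yml
@@ -0,0 +1,123 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# "validate-selinux" tasks
+
+- name: "Ensure {{ validate_selinux_audit_source }} does exist"
+become: true
+stat:
+path: "{{ validate_selinux_audit_source }}"
+register: auditlog_stat
+
+- name: "Fail if {{ validate_selinux_audit_source }} does not exit"
+when: not auditlog_stat.stat.exists
+fail:
+msg: "ERROR: {{ validate_selinux_audit_source }} does not exist!"
+
+- name: Load skip list from provided file
+when:
+- validate_selinux_filter != 'None'
+- validate_selinux_skip_list is not defined
+include_vars: "{{ validate_selinux_filter }}"
+
+- name: Gather subset of facts
+setup:
+gather_subset: "!min,distribution_major_version"
+when:
+- validate_selinux_filter == 'None'
+- validate_selinux_skip_list is not defined
+- ansible_distribution_major_version is not defined
+
+- name: Load skip list variables (undercloud or overcloud)
+when:
+- validate_selinux_skip_list is not defined
+include_vars: "{{ lookup('first_found', lookhere, errors='ignore') }}"
+vars:
+lookhere:
+- "selinux_skip_{{ release }}_on_{{ ansible_distribution_major_version }}.yml"
+- "selinux_skip_{{ release }}.yml"
+
+- name: Fetch denials from auditlog
+become: true
+ignore_errors: true
+changed_when: false
+shell: |
+set -o pipefail
+grep denied {{ validate_selinux_audit_source }} > /tmp/denials.log
+
+- name: Get stat for denials.log
+stat:
+path: /tmp/denials.log
+register: denials_log
+
+- name: Everything is fine
+when: denials_log.stat.size == 0
+debug:
+msg: "No untracked SELinux AVC detected, congratulations!"
+
+- name: Next steps only if we have denials
+when: denials_log.stat.size > 0
+block:
+- name: Create skip list
+when: validate_selinux_skip_list != {}
+template:
+src: skip-list.j2
+dest: "{{ validate_selinux_skip_list_dest }}"
+mode: 0644
+
+- name: Filter out denials
+when: validate_selinux_skip_list != {}
+ignore_errors: true
+changed_when: false
+shell: |
+set -o pipefail
+grep -v -f {{ validate_selinux_skip_list_dest }} /tmp/denials.log > {{ validate_selinux_filtered_denials_dest }}
+
+- name: No skip_list
+when: validate_selinux_skip_list == {}
+copy:
+remote_src: true
+src: /tmp/denials.log
+dest: "{{ validate_selinux_filtered_denials_dest }}"
+
+- name: Get stat for filtered denials
+stat:
+path: "{{ validate_selinux_filtered_denials_dest }}"
+register: denials_stat
+
+- name: debug
+debug:
+var: denials_stat
+
+- name: Fail if we found untracked denials
+when:
+- validate_selinux_strict|bool
+- denials_stat.stat.size != 0
+fail:
+msg: "Untracked SELinux AVCs found, please refer to {{ validate_selinux_filtered_denials_dest }}"
+
+- name: Output information in case we do not fail
+when:
+- not validate_selinux_strict|bool
+- denials_stat.stat.size != 0
+debug:
+msg: "Untracked SELinux AVCs found, please refer to {{ validate_selinux_filtered_denials_dest }}"
+
+- name: Output information if everything is fine
+when: denials_stat.stat.size == 0
+debug:
+msg: "No untracked SELinux AVC detected, congratulations!"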
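Review bot: `when: validate_selinux_skip_list is not defined` on the three `include_vars`/`setup` tasks at the top can never be true, because defaults/main.yml always defines the variable, so `validate_selinux_filter` and the `selinux_skip_{{ release }}*.yml` lookups are dead code — and `release` is not set anywhere in the role, so they would error if they ever ran. The denials are extracted as root into the fixed, world-writable path `/tmp/denials.log`: a local user who pre-creates that name or a symlink there gets it clobbered or followed by root, and the raw audit lines then sit readable under the default umask; use `tempfile` (0600, unpredictable name), or a file under `validate_selinux_working_dir` — which the role never creates, a gap the molecule scenario hides by pointing the working dir at `/tmp`. `ignore_errors: true` on both `grep` tasks swallows every failure rather than only the expected exit 1 on "no match"; register the result and use `failed_when: result.rc > 1`. Smaller items: `grep -v -f` treats skip entries as substring regexes, so `-F -w` keeps an entry like `init_t` from also skipping longer type names; the `debug: var: denials_stat` task looks like leftover debugging; `does not exit` in the second task name should be `does not exist`.
```yaml
- name: Create a private scratch file for raw denials
  become: true
  tempfile:
    state: file
    suffix: -denials.log
  register: raw_denials
  changed_when: false

- name: Fetch denials from auditlog
  become: true
  changed_when: false
  register: grep_denials
  # grep exits 1 when nothing matched (a clean log); only rc > 1 is a real error
  failed_when: grep_denials.rc > 1
  shell: |
    set -o pipefail
    grep denied {{ validate_selinux_audit_source }} > {{ raw_denials.path }}

- name: Get stat for denials.log
  become: true
  stat:
    path: "{{ raw_denials.path }}"
  register: denials_log

# … unchanged: "Everything is fine" debug …

- name: Next steps only if we have denials
  when: denials_log.stat.size > 0
  block:
    # … unchanged: Create skip list …

    - name: Filter out denials
      when: validate_selinux_skip_list != {}
      become: true
      changed_when: false
      register: grep_filtered
      # rc 1 here means every denial was filtered out, which is the good case
      failed_when: grep_filtered.rc > 1
      shell: |
        set -o pipefail
        grep -v -F -w -f {{ validate_selinux_skip_list_dest }} {{ raw_denials.path }} > {{ validate_selinux_filtered_denials_dest }}

    # … unchanged: "No skip_list" copy (src: "{{ raw_denials.path }}"), stat and reporting tasks …
```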

+ 3
- 0
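--- a/roles/validate-selinux/templates/skip-list.j2
+++ b/roles/validate-selinux/templates/skip-list.j2
@@ -0,0 +1,3 @@
+{% for entry in validate_selinux_skip_list %}
+{{ entry.entry }}
+{% endfor %}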
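Review bot: Each `entry.entry` is written verbatim as a pattern for `grep -v -f`, so an entry whose value is empty produces a blank pattern line that matches every record and silently filters out all denials — a false green on a security check; guard the loop with `{% if entry.entry | trim %}` … `{% endif %}`, or `assert` the list before templating. The `comment` field is deliberately not emitted (grep would read it as another pattern), which deserves a template comment so nobody "fixes" it: `{# one grep pattern per line; the comment field is intentionally omitted #}`.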

+ 22
- 0
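--- a/roles/validate-selinux/vars/main.yml
+++ b/roles/validate-selinux/vars/main.yml
@@ -0,0 +1,22 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# While options found within the vars/ path can be overridden using extra
+# vars, items within this path are considered part of the role and not
+# intended to be modified.
+
+# All variables within this role should have a prefix of "validate-selinux"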
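Review bot: The comment names the prefix as `"validate-selinux"`, but hyphens are not valid in Ansible variable names and defaults/main.yml uses `validate_selinux`; `# All variables within this role should have a prefix of "validate_selinux"` keeps the two files consistent. The file defines no variables, which is fine — the explanation of vars/ versus defaults/ above it is the useful part.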

+ 12
- 3
zuul.d/molecule.yaml

@@ -1,7 +1,6 @@
---
- project-template:
check:
queue: integrated
jobs:
- tripleo-validations-centos-7-molecule-controller-token
- tripleo-validations-centos-7-molecule-controller-ulimits
@@ -23,8 +22,9 @@
- tripleo-validations-centos-7-molecule-rabbitmq-limits
- tripleo-validations-centos-7-molecule-stonith-exists
- tripleo-validations-centos-7-molecule-check-latest-packages-version
gate:
- tripleo-validations-centos-7-molecule-validate-selinux
queue: integrated
gate:
jobs:
- tripleo-validations-centos-7-molecule-controller-token
- tripleo-validations-centos-7-molecule-controller-ulimits
@@ -46,6 +46,8 @@
- tripleo-validations-centos-7-molecule-rabbitmq-limits
- tripleo-validations-centos-7-molecule-stonith-exists
- tripleo-validations-centos-7-molecule-check-latest-packages-version
- tripleo-validations-centos-7-molecule-validate-selinux
queue: integrated
name: tripleo-validations-molecule-jobs
- job:
files:
@@ -122,9 +124,9 @@
- ^roles/xfs-check-ftype/.*
name: tripleo-validations-centos-7-molecule-xfs-check-ftype
parent: tripleo-validations-centos-7-base
voting: false
vars:
tripleo_validations_role_name: xfs-check-ftype
voting: false
- job:
files:
- ^roles/no-op-firewall-nova-driver/.*
@@ -188,3 +190,10 @@
parent: tripleo-validations-centos-7-base
vars:
tripleo_validations_role_name: check-latest-packages-version
- job:
files:
- ^roles/validate-selinux/.*
name: tripleo-validations-centos-7-molecule-validate-selinux
parent: tripleo-validations-centos-7-base
vars:
tripleo_validations_role_name: validate-selinux
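Review bot: The new job's `files:` filter is only `^roles/validate-selinux/.*`, so a change to `playbooks/validate-selinux.yaml` (which redefines every role default at play level) or to the shared `library/` the scenario loads through `ANSIBLE_LIBRARY` does not trigger the job; add at least `- ^playbooks/validate-selinux.yaml`. The neighbouring jobs are filtered the same way, so this may be a repository-wide convention rather than an oversight. The hunk also relocates `voting: false` inside the unrelated xfs-check-ftype job — harmless, but unrelated churn in a change that adds a job.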
