Merge "New validation: validate-selinux"

doc/source/roles/role-validate-selinux.rst

@@ -0,0 +1,6 @@
+================
+validate-selinux
+================
+
+.. ansibleautoplugin::
+   :role: roles/validate-selinux

playbooks/validate-selinux.yaml

@@ -0,0 +1,21 @@
+---
+- hosts: all
+  vars:
+    metadata:
+      name: validate-selinux
+      description: >-
+        Ensures we don't have any SELinux denials on the system
+      groups:
+        - pre-deployment
+        - post-deployment
+        - pre-upgrade
+        - post-upgrade
+    validate_selinux_working_dir: /var/log/validations
+    validate_selinux_audit_source: /var/log/audit/audit.log
+    validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
+    validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
+    validate_selinux_strict: false
+    validate_selinux_filter: "None"
+    validate_selinux_skip_list: {}
+  roles:
+    - validate-selinux

roles/validate-selinux/defaults/main.yml

@@ -0,0 +1,27 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should place placed in this file.
+
+# All variables within this role should have a prefix of "validate_selinux"
+validate_selinux_working_dir: /var/log/validations
+validate_selinux_audit_source: /var/log/audit/audit.log
+validate_selinux_skip_list_dest: "{{ validate_selinux_working_dir }}/denials-skip-list.txt"
+validate_selinux_filtered_denials_dest: "{{ validate_selinux_working_dir }}/denials-filtered.log"
+validate_selinux_strict: false
+validate_selinux_filter: "None"
+validate_selinux_skip_list: {}

roles/validate-selinux/handlers/main.yml

@@ -0,0 +1,15 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.

roles/validate-selinux/molecule/default/Dockerfile

@@ -0,0 +1,37 @@
+# Molecule managed
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
+    elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+    elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
+    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
+    elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
+
+{% for pkg in item.easy_install | default([]) %}
+# install pip for centos where there is no python-pip rpm in default repos
+RUN easy_install {{ pkg }}
+{% endfor %}
+
+
+CMD ["sh", "-c", "while true; do sleep 10000; done"]

roles/validate-selinux/molecule/default/molecule.yml

@@ -0,0 +1,49 @@
+---
+driver:
+  name: docker
+
+log: true
+
+platforms:
+  - name: centos7
+    hostname: centos7
+    image: centos:7
+    dockerfile: Dockerfile
+    pkg_extras: python-setuptools
+    easy_install:
+      - pip
+    environment: &env
+      http_proxy: "{{ lookup('env', 'http_proxy') }}"
+      https_proxy: "{{ lookup('env', 'https_proxy') }}"
+
+  - name: fedora28
+    hostname: fedora28
+    image: fedora:28
+    dockerfile: Dockerfile
+    pkg_extras: python*-setuptools
+    environment:
+      <<: *env
+
+provisioner:
+  name: ansible
+  log: true
+  env:
+    ANSIBLE_STDOUT_CALLBACK: yaml
+    ANSIBLE_LIBRARY: "../../../../library"
+
+scenario:
+  test_sequence:
+    - destroy
+    - create
+    - prepare
+    - converge
+    - verify
+    - destroy
+
+lint:
+  enabled: false
+
+verifier:
+  name: testinfra
+  lint:
+    name: flake8

roles/validate-selinux/molecule/default/playbook.yml

@@ -0,0 +1,63 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+  hosts: all
+  gather_facts: no
+  vars:
+    validate_selinux_working_dir: '/tmp'
+
+  tasks:
+    - name: Simple run without filter against clean auditlog
+      include_role:
+        name: validate-selinux
+      vars:
+        validate_selinux_audit_source: '/var/log/audit-clean.log'
+
+    - name: Run with filter against unclean auditlog
+      include_role:
+        name: validate-selinux
+      vars:
+        validate_selinux_audit_source: '/var/log/audit-unclean.log'
+        validate_selinux_skip_list:
+          - entry: 'tcontext=system_u:system_r:init_t'
+            comment: 'This one is a real-life entry'
+          - entry: 'tcontext=system_u:system_r:system_dbusd_t'
+            comment: 'This one is another real-life entry'
+
+    - name: Run without filter against unclean auditlog
+      block:
+        - name: Run role
+          include_role:
+            name: validate-selinux
+          vars:
+            validate_selinux_audit_source: '/var/log/audit-unclean.log'
+            validate_selinux_strict: true
+      rescue:
+        - name: Clear host error
+          meta: clear_host_errors
+
+        - name: Status message
+          debug:
+            msg: 'Successfully detected denials issue!'
+
+        - name: End play
+          meta: end_play
+
+    - name: Fail if we get to this place
+      fail:
+        msg: 'Unit test failed: did not detect untracked denials!'

roles/validate-selinux/molecule/default/prepare.yml

@@ -0,0 +1,57 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Prepare
+  hosts: all
+  gather_facts: no
+
+  tasks:
+    - name: Populate fake clean auditlog
+      copy:
+        dest: /var/log/audit-clean.log
+        owner: root
+        mode: 0600
+        group: root
+        content: |
+          type=SERVICE_START msg=audit(1575877870.934:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
+          type=SERVICE_STOP msg=audit(1575878320.981:287): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sssd-kcm comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
+          type=USER_ACCT msg=audit(1575878471.739:288): pid=4430 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
+          type=USER_CMD msg=audit(1575878471.740:289): pid=4430 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267202D2D696E666F20637265617465202D2D636F6D7072657373696F6E206C7A34202D2D6578636C7564652D636163686573202D2D6578636C756465202A2F2A2E6C6F636B202D2D6578636C756465202A2F2E746F78202D2D6578636C756465202A2F2E737465737472202D2D6578636C756465202A2F727562792D76656E646F72202D2D6578636C756465202A2F7A75756C2F202D2D6578636C756465202A2F73736866732F202D2D6578636C756465202A2F2E6C6F63616C2F7368617265202F6D656469612F6261636B7570732F7268656C3A3A31306130393963382D316135612D313165612D613663622D386331363435366466626265202F686F6D652F636A65616E6E6572 exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
+          type=USER_ACCT msg=audit(1575878554.296:294): pid=4445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
+          type=USER_CMD msg=audit(1575878554.296:295): pid=4445 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267206C697374202F6D656469612F6261636B7570732F7268656C exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
+          type=USER_ACCT msg=audit(1575878555.032:300): pid=4449 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
+          type=USER_CMD msg=audit(1575878555.032:301): pid=4449 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 msg='cwd="/root" cmd=626F7267207072756E65202D70202D2D6B6565702D77697468696E203277202D2D7374617473202F6D656469612F6261636B7570732F7268656C exe="/usr/bin/sudo" terminal=? res=success'UID="root" AUID="unset"
+          type=SERVICE_START msg=audit(1575878869.915:306): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
+          type=SERVICE_STOP msg=audit(1575878900.615:312): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
+
+    - name: Populate unclean auditlog
+      copy:
+        dest: /var/log/audit-unclean.log
+        owner: root
+        mode: 0600
+        group: root
+        content: |
+          type=AVC msg=audit(1575534183.234:4933): avc:  denied  { write } for  pid=11266 comm="iptables" path="pipe:[231496]" dev="pipefs" ino=231496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1
+          type=AVC msg=audit(1575534183.342:4934): avc:  denied  { write } for  pid=11284 comm="iptables" path="pipe:[231496]" dev="pipefs" ino=231496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:certmonger_t:s0 tclass=fifo_file permissive=1
+          type=USER_AVC msg=audit(1575535009.861:5275): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=38869 scontext=system_u:system_r:container_t:s0:c313,c573 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
+          type=USER_AVC msg=audit(1575535009.861:5276): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=38869 tpid=1 scontext=system_u:system_r:container_t:s0:c313,c573 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
+          type=USER_AVC msg=audit(1575535009.862:5277): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1198 spid=1 tpid=38869 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c313,c573 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
+          type=USER_AVC msg=audit(1575535013.340:5290): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=39132 scontext=system_u:system_r:container_t:s0:c192,c917 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
+          type=USER_AVC msg=audit(1575535013.341:5291): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=39132 tpid=1 scontext=system_u:system_r:container_t:s0:c192,c917 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
+          type=USER_AVC msg=audit(1575535013.342:5292): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1209 spid=1 tpid=39132 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:container_t:s0:c192,c917 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
+          type=USER_AVC msg=audit(1575535028.912:5307): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=39430 scontext=system_u:system_r:container_t:s0:c776,c848 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
+          type=USER_AVC msg=audit(1575535028.913:5308): pid=1397 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=39430 tpid=1 scontext=system_u:system_r:container_t:s0:c776,c848 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

roles/validate-selinux/molecule/default/verify.yml

@@ -0,0 +1,15 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.

roles/validate-selinux/tasks/main.yml

@@ -0,0 +1,123 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# "validate-selinux" tasks
+
+- name: "Ensure {{ validate_selinux_audit_source }} does exist"
+  become: true
+  stat:
+    path: "{{ validate_selinux_audit_source }}"
+  register: auditlog_stat
+
+- name: "Fail if {{ validate_selinux_audit_source }} does not exit"
+  when: not auditlog_stat.stat.exists
+  fail:
+    msg: "ERROR: {{ validate_selinux_audit_source }} does not exist!"
+
+- name: Load skip list from provided file
+  when:
+    - validate_selinux_filter != 'None'
+    - validate_selinux_skip_list is not defined
+  include_vars: "{{ validate_selinux_filter }}"
+
+- name: Gather subset of facts
+  setup:
+    gather_subset: "!min,distribution_major_version"
+  when:
+    - validate_selinux_filter == 'None'
+    - validate_selinux_skip_list is not defined
+    - ansible_distribution_major_version is not defined
+
+- name: Load skip list variables (undercloud or overcloud)
+  when:
+    - validate_selinux_skip_list is not defined
+  include_vars: "{{ lookup('first_found', lookhere, errors='ignore') }}"
+  vars:
+    lookhere:
+      - "selinux_skip_{{ release }}_on_{{ ansible_distribution_major_version }}.yml"
+      - "selinux_skip_{{ release }}.yml"
+
+- name: Fetch denials from auditlog
+  become: true
+  ignore_errors: true
+  changed_when: false
+  shell: |
+    set -o pipefail
+    grep denied {{ validate_selinux_audit_source }} > /tmp/denials.log
+
+- name: Get stat for denials.log
+  stat:
+    path: /tmp/denials.log
+  register: denials_log
+
+- name: Everything is fine
+  when: denials_log.stat.size == 0
+  debug:
+    msg: "No untracked SELinux AVC detected, congratulations!"
+
+- name: Next steps only if we have denials
+  when: denials_log.stat.size > 0
+  block:
+    - name: Create skip list
+      when: validate_selinux_skip_list != {}
+      template:
+        src: skip-list.j2
+        dest: "{{ validate_selinux_skip_list_dest }}"
+        mode: 0644
+
+    - name: Filter out denials
+      when: validate_selinux_skip_list != {}
+      ignore_errors: true
+      changed_when: false
+      shell: |
+        set -o pipefail
+        grep -v -f {{ validate_selinux_skip_list_dest }} /tmp/denials.log > {{ validate_selinux_filtered_denials_dest }}
+
+    - name: No skip_list
+      when: validate_selinux_skip_list == {}
+      copy:
+        remote_src: true
+        src: /tmp/denials.log
+        dest: "{{ validate_selinux_filtered_denials_dest }}"
+
+    - name: Get stat for filtered denials
+      stat:
+        path: "{{ validate_selinux_filtered_denials_dest }}"
+      register: denials_stat
+
+    - name: debug
+      debug:
+        var: denials_stat
+
+    - name: Fail if we found untracked denials
+      when:
+        - validate_selinux_strict|bool
+        - denials_stat.stat.size != 0
+      fail:
+        msg: "Untracked SELinux AVCs found, please refer to {{ validate_selinux_filtered_denials_dest }}"
+
+    - name: Output information in case we do not fail
+      when:
+        - not validate_selinux_strict|bool
+        - denials_stat.stat.size != 0
+      debug:
+        msg: "Untracked SELinux AVCs found, please refer to {{ validate_selinux_filtered_denials_dest }}"
+
+    - name: Output information if everything is fine
+      when: denials_stat.stat.size == 0
+      debug:
+        msg: "No untracked SELinux AVC detected, congratulations!"

roles/validate-selinux/templates/skip-list.j2

@@ -0,0 +1,3 @@
+{% for entry in validate_selinux_skip_list %}
+{{ entry.entry }}
+{% endfor %}

roles/validate-selinux/vars/main.yml

@@ -0,0 +1,22 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# While options found within the vars/ path can be overridden using extra
+# vars, items within this path are considered part of the role and not
+# intended to be modified.
+
+# All variables within this role should have a prefix of "validate-selinux"

zuul.d/molecule.yaml

@@ -1,7 +1,6 @@
 ---
 - project-template:
     check:
-      queue: integrated
       jobs:
       - tripleo-validations-centos-7-molecule-controller-token
       - tripleo-validations-centos-7-molecule-controller-ulimits
@@ -23,8 +22,9 @@
       - tripleo-validations-centos-7-molecule-rabbitmq-limits
       - tripleo-validations-centos-7-molecule-stonith-exists
       - tripleo-validations-centos-7-molecule-check-latest-packages-version
+      - tripleo-validations-centos-7-molecule-validate-selinux
+      queue: integrated
     gate:
-      queue: integrated
       jobs:
       - tripleo-validations-centos-7-molecule-controller-token
       - tripleo-validations-centos-7-molecule-controller-ulimits
@@ -46,6 +46,8 @@
       - tripleo-validations-centos-7-molecule-rabbitmq-limits
       - tripleo-validations-centos-7-molecule-stonith-exists
       - tripleo-validations-centos-7-molecule-check-latest-packages-version
+      - tripleo-validations-centos-7-molecule-validate-selinux
+      queue: integrated
     name: tripleo-validations-molecule-jobs
 - job:
     files:
@@ -122,9 +124,9 @@
     - ^roles/xfs-check-ftype/.*
     name: tripleo-validations-centos-7-molecule-xfs-check-ftype
     parent: tripleo-validations-centos-7-base
-    voting: false
     vars:
       tripleo_validations_role_name: xfs-check-ftype
+    voting: false
 - job:
     files:
     - ^roles/no-op-firewall-nova-driver/.*
@@ -188,3 +190,10 @@
     parent: tripleo-validations-centos-7-base
     vars:
       tripleo_validations_role_name: check-latest-packages-version
+- job:
+    files:
+    - ^roles/validate-selinux/.*
+    name: tripleo-validations-centos-7-molecule-validate-selinux
+    parent: tripleo-validations-centos-7-base
+    vars:
+      tripleo_validations_role_name: validate-selinux