validations-common/validations_common/roles/validate_selinux/molecule/default/converge.yml

64 lines
2.0 KiB
YAML

---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
gather_facts: false
vars:
validate_selinux_working_dir: '/tmp'
tasks:
- name: Simple run without filter against clean auditlog
include_role:
name: validate_selinux
vars:
validate_selinux_audit_source: '/var/log/audit-clean.log'
- name: Run with filter against unclean auditlog
include_role:
name: validate_selinux
vars:
validate_selinux_audit_source: '/var/log/audit-unclean.log'
validate_selinux_skip_list:
- entry: 'tcontext=system_u:system_r:init_t'
comment: 'This one is a real-life entry'
- entry: 'tcontext=system_u:system_r:system_dbusd_t'
comment: 'This one is another real-life entry'
- name: Run without filter against unclean auditlog
block:
- name: Run role
include_role:
name: validate_selinux
vars:
validate_selinux_audit_source: '/var/log/audit-unclean.log'
validate_selinux_strict: true
rescue:
- name: Clear host error
meta: clear_host_errors
- name: Status message
debug:
msg: 'Successfully detected denials issue!'
- name: End play
meta: end_play
- name: Fail if we get to this place
fail:
msg: 'Unit test failed: did not detect untracked denials!'