---

- hosts: localhost

  vars:

  - artifacts: "{{ lookup('env', 'TEST_ARTIFACTS')|default('./artifacts', true) }}"

  tags:

  - classic

  tasks:

  # switch SELinux to permissive mode

  - name: Get default kernel

    command: "grubby --default-kernel"

    register: default_kernel

  - debug: msg="{{ default_kernel.stdout }}"

  - name: Set permissive mode

    command: "grubby --args=enforcing=0 --update-kernel {{ default_kernel.stdout }}"

  - name: reboot

    block:

      - name: restart host

        shell: sleep 2 && shutdown -r now "Ansible updates triggered"

        async: 1

        poll: 0

        ignore_errors: true

      - name: wait for host to come back

        wait_for_connection:

          delay: 10

          timeout: 300

      - name: Re-create /tmp/artifacts

        command: mkdir /tmp/artifacts

      - name: Gather SELinux denials since boot

        shell: |

            ausearch -m avc -m selinux_err -m user_avc -ts boot > /tmp/avc.log 2> /tmp/avc.err.log

            grep -q '<no matches>' /tmp/avc.err.log && result=pass || result=fail

            echo -e "results:\n- {result: $result, test: reboot}" > /tmp/results.yml

    always:

      - name: Pull out the artifacts

        fetch:

          dest: "{{ artifacts }}/"

          src: "{{ item }}"

          flat: yes

        with_items:

          - /tmp/avc.log

          - /tmp/avc.err.log

          - /tmp/results.yml