validate_selinux

Role Documentation

Welcome to the “validate_selinux” role documentation.

Role Defaults

This section lists the defaults set in the “validate_selinux” role. The role reads an audit log (validate_selinux_audit_source), drops the denials that match an entry of validate_selinux_skip_list, and keeps its working files (the rendered skip list and the filtered denials) under validate_selinux_working_dir. With validate_selinux_strict set to true, denials that are not covered by the skip list fail the role; the strict case in the example playbook below relies on exactly that. Two details to check before overriding these values: the unquoted None given to validate_selinux_filter is the YAML string "None", not a null, and validate_selinux_skip_list defaults to an empty mapping although the example playbook passes it as a list of items with comment and entry keys, which is the form to use when supplying entries.

validate_selinux_audit_source: /var/log/audit/audit.log
validate_selinux_filter: None
validate_selinux_filtered_denials_dest: '{{ validate_selinux_working_dir }}/denials-filtered.log'
validate_selinux_skip_list: {}
validate_selinux_skip_list_dest: '{{ validate_selinux_working_dir }}/denials-skip-list.txt'
validate_selinux_strict: false
validate_selinux_working_dir: /var/log/validations

Role Variables: main.yml

The role's vars/main.yml defines no variables; the file is empty, which the documentation generator renders as null.

Molecule Scenarios

Molecule is used to test the “validate_selinux” role. The following section lists the driver and platforms in use and provides the example playbook that exercises the role.

Scenario: default

Example default configuration

The default scenario runs the role in two Docker containers (centos:7 and centos:8), takes the proxy settings from the environment of the machine running Molecule, and exposes the repository's own modules through ANSIBLE_LIBRARY:

driver:
  name: docker
log: true
platforms:
- dockerfile: Dockerfile
  easy_install:
  - pip
  environment:
    http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
    https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
  hostname: centos7
  image: centos:7
  name: centos7
  pkg_extras: python-setuptools
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
- dockerfile: Dockerfile
  environment:
    http_proxy: '{{ lookup(''env'', ''http_proxy'') }}'
    https_proxy: '{{ lookup(''env'', ''https_proxy'') }}'
  hostname: centos8
  image: centos:8
  name: centos8
  pkg_extras: python*-setuptools
  volumes:
  - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
provisioner:
  env:
    ANSIBLE_LIBRARY: ../../../../library
    ANSIBLE_STDOUT_CALLBACK: yaml
  log: true
  name: ansible
scenario:
  test_sequence:
  - destroy
  - create
  - prepare
  - converge
  - verify
  - destroy
verifier:
  name: testinfra

Example default playbook

The converge playbook doubles as a unit test for the role. It runs three cases against pre-staged audit logs, with the working directory moved to /tmp so that nothing is written under /var/log/validations in the container:

- name: Converge
  hosts: all
  gather_facts: false
  vars:
    validate_selinux_working_dir: /tmp
  tasks:
    # Case 1: a clean audit log with no skip list is expected to pass.
    - name: Simple run without filter against clean auditlog
      include_role:
        name: validate_selinux
      vars:
        validate_selinux_audit_source: /var/log/audit-clean.log

    # Case 2: an unclean audit log with a skip list of known denials
    # (non-strict) is expected to pass.
    - name: Run with filter against unclean auditlog
      include_role:
        name: validate_selinux
      vars:
        validate_selinux_audit_source: /var/log/audit-unclean.log
        validate_selinux_skip_list:
          - comment: This one is a real-life entry
            entry: tcontext=system_u:system_r:init_t
          - comment: This one is another real-life entry
            entry: tcontext=system_u:system_r:system_dbusd_t

    # Case 3: the same unclean log with no skip list and strict mode must
    # fail; the rescue turns that expected failure into a pass and ends the
    # play before the final fail task is reached.
    - name: Run without filter against unclean auditlog
      block:
        - name: Run role
          include_role:
            name: validate_selinux
          vars:
            validate_selinux_audit_source: /var/log/audit-unclean.log
            validate_selinux_strict: true
      rescue:
        - name: Clear host error
          meta: clear_host_errors
        - name: Status message
          debug:
            msg: Successfully detected denials issue!
        - name: End play
          meta: end_play

    # Reached only if case 3 did not fail, i.e. the role missed the denials.
    - name: Fail if we get to this place
      fail:
        msg: 'Unit test failed: did not detect untracked denials!'
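The three cases above depend on how the skip list is applied to the audit log and on what strict mode does with whatever is left. The following is an added, stand-alone model of that logic written for this page; it is not the role's own tasks and does not reproduce the exact commands the role runs. It assumes that each skip-list entry is matched as a plain substring of a denial line (grep -F -v -f semantics), that only type=AVC records containing "avc:  denied" count as denials, that the rendered skip-list file carries one "# comment" line and one pattern line per item, and that a non-strict run only reports untracked denials instead of failing. The audit records and the log path are constructed sample data; the skip list is the one from the example playbook.

```python
"""Offline model of validate_selinux's skip-list filtering (illustrative, not
the role's code). Assumptions: substring matching of skip-list entries, only
type=AVC ... avc:  denied records are denials, non-strict runs do not fail."""

import re

# Constructed sample records in auditd format; not captured from a real host.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1609459200.100:101): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1609459200.100:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="vda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1609459201.200:102): avc:  denied  { dbus_send } for  pid=4321 comm="dbus-daemon" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus permissive=0
type=AVC msg=audit(1609459202.300:103): avc:  denied  { sendto } for  pid=777 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_dgram_socket permissive=0
type=USER_AVC msg=audit(1609459203.400:104): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)'
"""

# The skip list from the example playbook: one comment and one entry per item.
SKIP_LIST = [
    {"comment": "This one is a real-life entry",
     "entry": "tcontext=system_u:system_r:init_t"},
    {"comment": "This one is another real-life entry",
     "entry": "tcontext=system_u:system_r:system_dbusd_t"},
]

# Only AVC records that carry an explicit denial; SYSCALL and USER_AVC
# records (e.g. the setenforce notice above) are not denials.
DENIAL_RE = re.compile(r"^type=AVC\b.*\bavc:\s+denied\b")


def render_skip_list(skip_list):
    """Render the skip list as a file: '# comment' then the pattern, per item.
    This layout is an assumption made for the example. An empty mapping (the
    role default) renders to an empty file, the same as an empty list."""
    lines = []
    for item in skip_list:
        lines.append(f"# {item['comment']}")
        lines.append(item["entry"])
    return "\n".join(lines) + ("\n" if lines else "")


def load_skip_patterns(text):
    """Read patterns back from a rendered skip-list file, skipping comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def iter_denials(audit_text):
    """Yield the denial records of an audit log, one line each."""
    for line in audit_text.splitlines():
        if DENIAL_RE.search(line):
            yield line


def filter_denials(audit_text, patterns):
    """Split denials into (tracked, untracked). A denial is tracked when any
    pattern occurs in it as a substring (grep -F -f semantics, assumed)."""
    tracked, untracked = [], []
    for denial in iter_denials(audit_text):
        (tracked if any(p in denial for p in patterns) else untracked).append(denial)
    return tracked, untracked


def validate(audit_text, skip_list, strict=False):
    """Model the role's outcome for one run. Untracked denials fail the run
    only in strict mode; in non-strict mode they are reported (assumption)."""
    patterns = load_skip_patterns(render_skip_list(skip_list))
    tracked, untracked = filter_denials(audit_text, patterns)
    return {
        "tracked": len(tracked),
        "untracked": len(untracked),
        "untracked_lines": untracked,
        "failed": strict and bool(untracked),
    }


if __name__ == "__main__":
    # Case 2 of the playbook: skip list applied, non-strict.
    print(validate(SAMPLE_AUDIT_LOG, SKIP_LIST, strict=False))
    # Case 3 of the playbook: no skip list, strict; the httpd denial and the
    # two entries covered above all count as untracked here.
    print(validate(SAMPLE_AUDIT_LOG, {}, strict=True))
```

Note that the sample log contains a denial against tcontext=system_u:object_r:default_t that the playbook's skip list does not cover, so even the "with filter" run leaves one untracked denial; whether that fails depends entirely on validate_selinux_strict, which is why the playbook flips it to true only for the case that is supposed to fail.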