From 75c06173c7088fbb625bd2dc23b634bb38f6984b Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 5 Sep 2017 15:53:58 -0500
Subject: [PATCH] Check apparmor_status output

This patch adds a check for the output of `apparmor_status` to get a more accurate state of AppArmor's status. This should fix idempotency issues that are plaguing the gate jobs.

Closes-Bug: 1715223
Change-Id: I10bb3212a3cc26ed27aa38cdc2e42ece722a6497
---
 tasks/rhel7stig/lsm.yml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml
index e106a545..6c51bad2 100644
--- a/tasks/rhel7stig/lsm.yml
+++ b/tasks/rhel7stig/lsm.yml
@@ -13,11 +13,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Check if AppArmor is disabled at boot time
-  shell: "dmesg | grep -i apparmor || true"
-  register: dmesg_apparmor_output
-  changed_when: False
+- name: Check apparmor_status output
+  command: apparmor_status
+  register: apparmor_status_output
   check_mode: no
+  changed_when: false
+  failed_when: false
   when:
     - ansible_pkg_mgr in ['apt', 'zypper']
   tags:
@@ -48,8 +49,6 @@
   when:
     - ansible_pkg_mgr in ['apt', 'zypper']
     - security_rhel7_enable_linux_security_module | bool
-    - not check_mode
-    - '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
   tags:
     - high
     - V-71989
@@ -67,7 +66,7 @@
     - ansible_pkg_mgr in ['apt', 'zypper']
     - security_rhel7_enable_linux_security_module | bool
     - not check_mode
-    - '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
+    - '"apparmor filesystem is not mounted" not in apparmor_status_output.stderr'
   tags:
     - high
     - V-71989
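Review bot: `check_mode: no` is now the only truthy-style boolean in the rewritten task, while the added `changed_when: false` and `failed_when: false` use the canonical lowercase form that yamllint's truthy rule expects, so changing the kept line to `check_mode: false` would make the task self-consistent. With `failed_when: false`, a non-zero exit from `apparmor_status` (for example when the play is not privileged and the AppArmor control files cannot be read, or when the binary is absent) is no longer visible as a task failure; that is presumably intended, but it makes the registered `apparmor_status_output` the only evidence downstream tasks have, so if the role does not already run privileged, `become: true` on this task would avoid a permissions-driven false reading. The task's `tags` list continues past the end of the hunk.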
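Review bot: The task whose `when` list is trimmed in this hunk (its `name` and module line start above the hunk) loses both `not check_mode` and the AppArmor-state gate without receiving the new `apparmor_status_output` condition that the `@@ -67,7 +66,7 @@` hunk gets, so it now runs whenever the package manager is apt/zypper and `security_rhel7_enable_linux_security_module` is true, including on hosts where AppArmor is disabled at boot. If that task enables or starts AppArmor rather than only installing it, this is the same non-idempotent path the commit message says it is fixing; if the drop is deliberate because the task is safe to run unconditionally, a comment above `when:` such as `# Intentionally not gated on apparmor_status_output: safe to run even when AppArmor is disabled at boot` would spare the next reader the same question.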
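Review bot: The new condition dereferences `apparmor_status_output.stderr` unconditionally, but when the `apparmor_status` binary is absent the `command` module fails before running anything and, as far as I recall, its result carries `rc` and `msg` but no `stderr` key; `failed_when: false` on the registering task keeps the play going, so this `when` would then abort with an undefined-attribute error rather than skip. Guarding the lookup, e.g. `- '"apparmor filesystem is not mounted" not in (apparmor_status_output.stderr | default(""))'`, preserves the skip behaviour, and if the intent is to run only when AppArmor is genuinely usable, `apparmor_status_output.rc` is a more stable signal than matching an English message that may change between AppArmor versions. The enclosing task and its `tags` list extend beyond the hunk on both sides.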