diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9bcc2e4..be496ab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -10,10 +10,16 @@ name: ci jobs: lint-unit: uses: sous-chefs/.github/.github/workflows/lint-unit.yml@3.1.1 + permissions: + actions: write + checks: write + pull-requests: write + statuses: write + issues: write integration: needs: lint-unit - runs-on: macos-10.15 + runs-on: ubuntu-latest strategy: matrix: os: @@ -49,6 +55,7 @@ jobs: uses: actionshub/test-kitchen@3.0.0 env: CHEF_LICENSE: accept-no-persist + KITCHEN_LOCAL_YAML: kitchen.dokken.yml with: suite: ${{ matrix.suite }} os: ${{ matrix.os }} diff --git a/documentation/selinux_boolean.md b/documentation/selinux_boolean.md index 24b4796..53f8da7 100644 --- a/documentation/selinux_boolean.md +++ b/documentation/selinux_boolean.md @@ -1,7 +1,7 @@ -[Back to resource list](../README.md#resources) - # selinux_boolean +[Back to resource list](../README.md#resources) + Set SELinux boolean values. Introduced: v4.0.0 diff --git a/documentation/selinux_fcontext.md b/documentation/selinux_fcontext.md index 959f883..ab554e2 100644 --- a/documentation/selinux_fcontext.md +++ b/documentation/selinux_fcontext.md @@ -1,7 +1,7 @@ -[Back to resource list](../README.md#resources) - # selinux_fcontext +[Back to resource list](../README.md#resources) + Set the SELinux context of files with `semanage fcontext`. ## Actions diff --git a/documentation/selinux_install.md b/documentation/selinux_install.md index 98633af..cb8d238 100644 --- a/documentation/selinux_install.md +++ b/documentation/selinux_install.md @@ -1,7 +1,7 @@ -[Back to resource list](../README.md#resources) - # selinux_install +[Back to resource list](../README.md#resources) + The `selinux_install` resource is used to encapsulate the set of selinux packages to install in order to manage selinux. It also ensures the directory `/etc/selinux` is created. Introduced: v4.0.0 
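Review bot: The new `permissions:` block on `lint-unit` hands five write scopes (`actions`, `checks`, `pull-requests`, `statuses`, `issues`) to the token passed into the reusable workflow, and nothing in the hunk records which step of `lint-unit.yml@3.1.1` consumes which scope. Every scope the called workflow does not actually use widens what a compromised or re-pointed upstream could do with that token, so each line should either be dropped or carry a one-line justification, e.g. `checks: write # needed by <step name> in lint-unit.yml` with the placeholder filled in from the called workflow. Given the job now carries write scopes, pinning `uses:` to a full commit SHA instead of the mutable `@3.1.1` tag would make the grant harder to abuse; that line is unchanged context here, so it is a follow-up rather than a defect of this commit. The `runs-on: ubuntu-latest` change on `integration` looks fine as far as this hunk shows.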
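Review bot: `KITCHEN_LOCAL_YAML: kitchen.dokken.yml` points the test-kitchen step at a file this diff neither adds nor modifies, so the integration job now depends on `kitchen.dokken.yml` already existing at the repository root; if it is new it needs to be part of this change. The local config switch is presumably what makes the move from `macos-10.15` to `ubuntu-latest` in the earlier hunk work (a container-based kitchen driver on a Linux runner), but that link is not stated anywhere, and a short comment above the entry, `# container-based kitchen config for the ubuntu runner`, would record why both changes travel together.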
diff --git a/documentation/selinux_login.md b/documentation/selinux_login.md index a3547f4..86d4cab 100644 --- a/documentation/selinux_login.md +++ b/documentation/selinux_login.md @@ -1,7 +1,7 @@ -[Back to resource list](../README.md#resources) - # selinux_login +[Back to resource list](../README.md#resources) + The `selinux_login` resource is used to manage Linux user to SELinux user mappings on the system. ## Actions diff --git a/documentation/selinux_module.md b/documentation/selinux_module.md index 38a4e47..375c650 100644 --- a/documentation/selinux_module.md +++ b/documentation/selinux_module.md @@ -1,7 +1,7 @@ -[Back to resource list](../README.md#resources) - # selinux_module +[Back to resource list](../README.md#resources) + Create an SELinux module from a cookfile file or content provided as a string. Introduced: v4.0.0 diff --git a/documentation/selinux_permissive.md b/documentation/selinux_permissive.md index 5c5ee9f..3df55aa 100644 --- a/documentation/selinux_permissive.md +++ b/documentation/selinux_permissive.md @@ -1,7 +1,7 @@ -[Back to resource list](../README.md#resources) - # selinux_permissive +[Back to resource list](../README.md#resources) + Allows some types to misbehave without stopping them. Not as good as specific policies, but better than disabling SELinux entirely. > This does not set the SELinux state to permissive! Use [`selinux_state`](selinux_state.md) for that. diff --git a/documentation/selinux_port.md b/documentation/selinux_port.md index 2e173e1..667b87f 100644 --- a/documentation/selinux_port.md +++ b/documentation/selinux_port.md @@ -1,7 +1,7 @@ -[Back to resource list](../README.md#resources) - # selinux_port +[Back to resource list](../README.md#resources) + Allows assigning a network port to a certain SELinux context, e.g. for running a webserver on a non-standard port. ## Actions diff --git a/documentation/selinux_state.md b/documentation/selinux_state.md index 3271040..05be6c7 100644 --- a/documentation/selinux_state.md 
+++ b/documentation/selinux_state.md @@ -1,7 +1,7 @@ -[Back to resource list](../README.md#resources) - # selinux_state +[Back to resource list](../README.md#resources) + The `selinux_state` resource is used to manage the SELinux state on the system. It does this by using the `setenforce` command and rendering the `/etc/selinux/config` file from a template. Introduced: v4.0.0 @@ -13,7 +13,7 @@ Introduced: v4.0.0 | `:enforcing` | *(Default)* Set the SELinux state to enforcing | | `:permissive` | Set the state to permissive | | `:disabled` | Set the state to disabled | -` + > ⚠ Switching to or from `disabled` requires a reboot! ## Properties diff --git a/documentation/selinux_user.md b/documentation/selinux_user.md index 0310f62..48b8415 100644 --- a/documentation/selinux_user.md +++ b/documentation/selinux_user.md @@ -1,7 +1,7 @@ -[Back to resource list](../README.md#resources) - # selinux_user +[Back to resource list](../README.md#resources) + The `selinux_user` resource is used to manage SELinux users on the system. ## Actions diff --git a/spec/unit/resources/fcontext_spec.rb b/spec/unit/resources/fcontext_spec.rb index 27949c9..0308f96 100644 --- a/spec/unit/resources/fcontext_spec.rb +++ b/spec/unit/resources/fcontext_spec.rb @@ -17,9 +17,10 @@ context 'when not set' do stubs_for_provider('selinux_fcontext[/test]') do |provider| - allow(provider).to receive_shell_out('semanage fcontext -l', stdout: <<~EOF) + allow(provider).to receive_shell_out('semanage fcontext -l', stdout: <<~EOF /other/files all files user:role:type:level EOF + ) end # this is what actually checks that the fcontext was set correctly 
@@ -38,15 +39,18 @@ context 'when set to incorrect value' do stubs_for_provider('selinux_fcontext[/test]') do |provider| - allow(provider).to receive_shell_out('semanage fcontext -l', stdout: <<~EOF) - /test all files user:role:type:level + allow(provider).to receive_shell_out('semanage fcontext -l', stdout: <<~EOF + /test all files user:role:type:level' EOF + ) end # this is what actually checks that the fcontext was set correctly # incorrect commands would not be stubbed and would throw error stubs_for_provider('selinux_fcontext[/test]') do |provider| - # when set but incorrect, only modify calls (-m) and delete calls (-d) should happen + # when set but incorrect, the incorrect context is "deemed" as the built-in type, and + # attemp to perform the full cycle of activities + allow(provider).to receive_shell_out("semanage fcontext -a -f a -t foo '/test'") allow(provider).to receive_shell_out("semanage fcontext -m -f a -t foo '/test'") allow(provider).to receive_shell_out("semanage fcontext -d -f a '/test'") end @@ -60,9 +64,10 @@ context 'when set to correct value' do stubs_for_provider('selinux_fcontext[/test]') do |provider| - allow(provider).to receive_shell_out('semanage fcontext -l', stdout: <<~EOF) + allow(provider).to receive_shell_out('semanage fcontext -l', stdout: <<~EOF /test all files user:role:foo:level EOF + ) end # this is what actually checks that the fcontext was set correctly diff --git a/test/cookbooks/selinux_test/recipes/fcontext.rb b/test/cookbooks/selinux_test/recipes/fcontext.rb index d3fd428..8a50935 100644 --- a/test/cookbooks/selinux_test/recipes/fcontext.rb +++ b/test/cookbooks/selinux_test/recipes/fcontext.rb @@ -56,5 +56,3 @@ action :delete only_if { node.run_state['chef_converge_counter'] == 1 } end - -
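Review bot: The replacement heredoc line `/test all files user:role:type:level'` carries a trailing apostrophe that the removed line did not have, so the stubbed `semanage fcontext -l` output is no longer a well-formed context; if the provider's parser is what makes the "deemed built-in" path trigger, the quote is silently changing what the test exercises, and if it is a typo the spec passes for the wrong reason. Either drop it or say in the comment that the malformed level is deliberate. Separately, adding `allow(provider).to receive_shell_out("semanage fcontext -a -f a -t foo '/test'")` next to the existing `-m` and `-d` allowances means any subset of add/modify/delete is accepted, so the spec no longer verifies which commands actually run; switching the ones the new comment says must happen to `expect(provider).to receive_shell_out(...)` would restore that check (assuming ChefSpec's `stubs_for_provider` accepts `expect` here — confirm). The new comment also has a typo, `attemp` → `attempts`, and the enclosing `context` block starts before the hunk.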