Wrap some commands in "if selinux is enabled"

voxpupuli · Mar 10, 2023 · 13d2f51 · 13d2f51
1 parent 5a1e1fa
commit 13d2f51
Show file tree

Hide file tree

Showing 7 changed files with 357 additions and 278 deletions.
diff --git a/manifests/fcontext/equivalence.pp b/manifests/fcontext/equivalence.pp
@@ -27,8 +27,10 @@
     -> Anchor['selinux::module pre']
   }
 
-  selinux_fcontext_equivalence { $path:
-    ensure => $ensure,
-    target => $target,
+  if $facts['os']['selinux']['enabled'] {
+    selinux_fcontext_equivalence { $path:
+      ensure => $ensure,
+      target => $target,
+    }
   }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -20,8 +20,8 @@
 # @param manage_package manage the package for selinux tools and refpolicy
 # @param auditd_package_name used when `manage_auditd_package` is true
 # @param manage_setroubleshoot_packages manage the setroubleshoot packages
-# @param setroubleshoot_package_names the names of the setroubleshoot packages
 # @param manage_selinux_sandbox_packages manage the selinux sandbox packages
+# @param setroubleshoot_package_names the names of the setroubleshoot packages
 # @param selinux_sandbox_package_names the names of the selinux sandbox packages
 # @param module_build_root directory where modules are built. Defaults to `$vardir/puppet-selinux`
 # @param default_builder which builder to use by default with selinux::module
@@ -39,8 +39,8 @@
   Boolean $manage_auditd_package,
   String $refpolicy_package_name,
   Boolean $manage_setroubleshoot_packages,
-  Array[String] $setroubleshoot_package_names                 = [],
   Boolean $manage_selinux_sandbox_packages,
+  Array[String] $setroubleshoot_package_names                 = [],
   Array[String] $selinux_sandbox_package_names                = [],
   Optional[Enum['enforcing', 'permissive', 'disabled']] $mode = undef,
   Optional[Enum['targeted', 'minimum', 'mls']] $type          = undef,

diff --git a/manifests/module.pp b/manifests/module.pp
@@ -89,100 +89,102 @@
   -> Selinux::Module[$title]
   -> Anchor['selinux::module post']
 
-  $has_source = (pick($source_te, $source_fc, $source_if, $content_te, $content_fc, $content_if, false) != false)
-  if $has_source and $build_command == undef {
-    fail('No builder or default builder specified')
-  }
-
-  if $has_source and $source_pp != undef {
-    fail('Specifying source files and a pre-compiled policy package are mutually exclusive options')
-  }
-
-  if $has_source and $ensure == 'present' {
-    file { "${module_file}.te":
-      ensure  => 'file',
-      source  => $source_te,
-      content => $content_te,
-      notify  => Exec["clean-module-${title}"],
+  if $facts['os']['selinux']['enabled'] {
+    $has_source = (pick($source_te, $source_fc, $source_if, $content_te, $content_fc, $content_if, false) != false)
+    if $has_source and $build_command == undef {
+      fail('No builder or default builder specified')
     }
 
-    $content_fc_real = $content_fc ? { undef => $source_fc ? { undef => '', default => undef }, default => $content_fc }
-    file { "${module_file}.fc":
-      ensure  => 'file',
-      source  => $source_fc,
-      content => $content_fc_real,
-      notify  => Exec["clean-module-${title}"],
+    if $has_source and $source_pp != undef {
+      fail('Specifying source files and a pre-compiled policy package are mutually exclusive options')
     }
 
-    $content_if_real = $content_if ? { undef => $source_if ? { undef => '', default => undef }, default => $content_if }
-    file { "${module_file}.if":
-      ensure  => 'file',
-      source  => $source_if,
-      content => $content_if_real,
-      notify  => Exec["clean-module-${title}"],
-    }
-    # ensure it doesn't get purged if it exists
-    file { "${module_file}.pp": selinux_ignore_defaults => true }
-
-    exec { "clean-module-${title}":
-      path        => '/bin:/usr/bin',
-      cwd         => $module_dir,
-      command     => "rm -f '${module_file}.pp' '${module_file}.loaded'",
-      refreshonly => true,
-      notify      => Exec["build-module-${title}"],
+    if $has_source and $ensure == 'present' {
+      file { "${module_file}.te":
+        ensure  => 'file',
+        source  => $source_te,
+        content => $content_te,
+        notify  => Exec["clean-module-${title}"],
+      }
+
+      $content_fc_real = $content_fc ? { undef => $source_fc ? { undef => '', default => undef }, default => $content_fc }
+      file { "${module_file}.fc":
+        ensure  => 'file',
+        source  => $source_fc,
+        content => $content_fc_real,
+        notify  => Exec["clean-module-${title}"],
+      }
+
+      $content_if_real = $content_if ? { undef => $source_if ? { undef => '', default => undef }, default => $content_if }
+      file { "${module_file}.if":
+        ensure  => 'file',
+        source  => $source_if,
+        content => $content_if_real,
+        notify  => Exec["clean-module-${title}"],
+      }
+      # ensure it doesn't get purged if it exists
+      file { "${module_file}.pp": selinux_ignore_defaults => true }
+
+      exec { "clean-module-${title}":
+        path        => '/bin:/usr/bin',
+        cwd         => $module_dir,
+        command     => "rm -f '${module_file}.pp' '${module_file}.loaded'",
+        refreshonly => true,
+        notify      => Exec["build-module-${title}"],
+      }
+
+      exec { "build-module-${title}":
+        path    => '/bin:/usr/bin',
+        cwd     => $module_dir,
+        command => "${build_command} || (rm -f ${module_file}.pp ${module_file}.loaded && exit 1)",
+        creates => "${module_file}.pp",
+        notify  => Exec["install-module-${title}"],
+      }
+      $install = true
+    } elsif $source_pp != undef and $ensure == 'present' {
+      file { "${module_file}.pp":
+        ensure => 'file',
+        source => $source_pp,
+        notify => Exec["clean-module-${title}"],
+      }
+
+      exec { "clean-module-${title}":
+        path        => '/bin:/usr/bin',
+        cwd         => $module_dir,
+        command     => "rm -f '${module_file}.loaded'",
+        refreshonly => true,
+        notify      => Exec["install-module-${title}"],
+      }
+
+      $install = true
+    } else {
+      # no source and no .pp, just do plain selmodule {$title:}
+      $install = false
     }
 
-    exec { "build-module-${title}":
-      path    => '/bin:/usr/bin',
-      cwd     => $module_dir,
-      command => "${build_command} || (rm -f ${module_file}.pp ${module_file}.loaded && exit 1)",
-      creates => "${module_file}.pp",
-      notify  => Exec["install-module-${title}"],
-    }
-    $install = true
-  } elsif $source_pp != undef and $ensure == 'present' {
-    file { "${module_file}.pp":
-      ensure => 'file',
-      source => $source_pp,
-      notify => Exec["clean-module-${title}"],
+    if $install {
+      # we need to install the module manually because selmodule is kind of dumb. It ends up
+      # working fine, though.
+      exec { "install-module-${title}":
+        path    => '/sbin:/usr/sbin:/bin:/usr/bin',
+        cwd     => $module_dir,
+        command => "semodule -i ${module_file}.pp && touch ${module_file}.loaded",
+        creates => "${module_file}.loaded",
+        before  => Selmodule[$title],
+      }
+
+      # ensure it doesn't get purged if it exists
+      file { "${module_file}.loaded": }
     }
 
-    exec { "clean-module-${title}":
-      path        => '/bin:/usr/bin',
-      cwd         => $module_dir,
-      command     => "rm -f '${module_file}.loaded'",
-      refreshonly => true,
-      notify      => Exec["install-module-${title}"],
+    $module_path = ($has_source or $source_pp != undef) ? {
+      true  => "${module_file}.pp",
+      false => undef
     }
 
-    $install = true
-  } else {
-    # no source and no .pp, just do plain selmodule {$title:}
-    $install = false
-  }
-
-  if $install {
-    # we need to install the module manually because selmodule is kind of dumb. It ends up
-    # working fine, though.
-    exec { "install-module-${title}":
-      path    => '/sbin:/usr/sbin:/bin:/usr/bin',
-      cwd     => $module_dir,
-      command => "semodule -i ${module_file}.pp && touch ${module_file}.loaded",
-      creates => "${module_file}.loaded",
-      before  => Selmodule[$title],
+    selmodule { $title:
+      ensure        => $ensure,
+      selmodulepath => $module_path,
     }
-
-    # ensure it doesn't get purged if it exists
-    file { "${module_file}.loaded": }
-  }
-
-  $module_path = ($has_source or $source_pp != undef) ? {
-    true  => "${module_file}.pp",
-    false => undef
-  }
-
-  selmodule { $title:
-    ensure        => $ensure,
-    selmodulepath => $module_path,
   }
 }
diff --git a/manifests/permissive.pp b/manifests/permissive.pp
@@ -23,7 +23,9 @@
     -> Anchor['selinux::module pre']
   }
 
-  selinux_permissive { $seltype:
-    ensure => $ensure,
+  if $facts['os']['selinux']['enabled'] {
+    selinux_permissive { $seltype:
+      ensure => $ensure,
+    }
   }
 }
diff --git a/spec/defines/selinux_fcontext_equivalence_spec.rb b/spec/defines/selinux_fcontext_equivalence_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'selinux::fcontext::equivalence' do
@@ -9,28 +11,51 @@
         facts
       end
 
-      context 'ordering on ensure => present' do
-        let(:params) do
-          {
-            target: '/opt/some/other/path'
-          }
+      context 'SELinux enabled' do
+        let(:facts) do
+          override_facts(super(), os: { selinux: { enabled: true } })
         end
 
-        it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_requires('Anchor[selinux::module post]') }
-        it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_comes_before('Anchor[selinux::end]') }
-        it { is_expected.to contain_selinux_fcontext_equivalence('/opt/some/path').with(target: '/opt/some/other/path') }
+        context 'ordering on ensure => present' do
+          let(:params) do
+            {
+              target: '/opt/some/other/path'
+            }
+          end
+
+          it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_requires('Anchor[selinux::module post]') }
+          it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_comes_before('Anchor[selinux::end]') }
+          it { is_expected.to contain_selinux_fcontext_equivalence('/opt/some/path').with(target: '/opt/some/other/path') }
+        end
+
+        context 'ordering on ensure => absent' do
+          let(:params) do
+            {
+              ensure: 'absent',
+              target: '/opt/some/other/path'
+            }
+          end
+
+          it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_requires('Anchor[selinux::start]') }
+          it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_comes_before('Anchor[selinux::module pre]') }
+          it { is_expected.to contain_selinux_fcontext_equivalence('/opt/some/path').with(ensure: 'absent', target: '/opt/some/other/path') }
+        end
       end
-      context 'ordering on ensure => absent' do
-        let(:params) do
-          {
-            ensure: 'absent',
-            target: '/opt/some/other/path'
-          }
+
+      context 'SELinux disabled' do
+        let(:facts) do
+          override_facts(super(), os: { selinux: { enabled: false } })
         end
 
-        it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_requires('Anchor[selinux::start]') }
-        it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_comes_before('Anchor[selinux::module pre]') }
-        it { is_expected.to contain_selinux_fcontext_equivalence('/opt/some/path').with(ensure: 'absent', target: '/opt/some/other/path') }
+        context 'make sure it compiles' do
+          let(:params) do
+            {
+              target: '/opt/some/other/path'
+            }
+          end
+
+          it { is_expected.to compile }
+        end
       end
     end
   end