From 13d2f514bc45499cb06e5ab215096b8a08ec1272 Mon Sep 17 00:00:00 2001 From: Pat Riehecky Date: Thu, 9 Mar 2023 13:40:34 -0600 Subject: [PATCH] Wrap some commands in "if selinux is enabled" --- manifests/fcontext/equivalence.pp | 8 +- manifests/init.pp | 4 +- manifests/module.pp | 170 +++++----- manifests/permissive.pp | 6 +- .../selinux_fcontext_equivalence_spec.rb | 59 +++- spec/defines/selinux_module_spec.rb | 316 ++++++++++-------- spec/defines/selinux_permissive_spec.rb | 72 ++-- 7 files changed, 357 insertions(+), 278 deletions(-) diff --git a/manifests/fcontext/equivalence.pp b/manifests/fcontext/equivalence.pp index 62f3a9ef..d0e50dc0 100644 --- a/manifests/fcontext/equivalence.pp +++ b/manifests/fcontext/equivalence.pp @@ -27,8 +27,10 @@ -> Anchor['selinux::module pre'] } - selinux_fcontext_equivalence { $path: - ensure => $ensure, - target => $target, + if $facts['os']['selinux']['enabled'] { + selinux_fcontext_equivalence { $path: + ensure => $ensure, + target => $target, + } } } diff --git a/manifests/init.pp b/manifests/init.pp index 8db6f3c6..d30e0a5b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -20,8 +20,8 @@ # @param manage_package manage the package for selinux tools and refpolicy # @param auditd_package_name used when `manage_auditd_package` is true # @param manage_setroubleshoot_packages manage the setroubleshoot packages -# @param setroubleshoot_package_names the names of the setroubleshoot packages # @param manage_selinux_sandbox_packages manage the selinux sandbox packages +# @param setroubleshoot_package_names the names of the setroubleshoot packages # @param selinux_sandbox_package_names the names of the selinux sandbox packages # @param module_build_root directory where modules are built. Defaults to `$vardir/puppet-selinux` # @param default_builder which builder to use by default with selinux::module 
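Review bot: The guard `if $facts['os']['selinux']['enabled']` does not fall through to "skip" when the structured `os.selinux` fact is absent; Puppet rejects `[]` on an undef value, so a node without that fact gets an evaluation error instead of an untouched catalog. `if $facts.dig('os', 'selinux', 'enabled') {` degrades to the disabled path in that case. The same guard is introduced in manifests/module.pp and manifests/permissive.pp and should get the same treatment. The define's doc comment, which lies above the hunk, should also state that the `selinux_fcontext_equivalence` resource, including `ensure => absent`, is only declared when the fact reports SELinux enabled at the start of the run, so a host whose mode is switched on during the same run converges only on a later run.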
@@ -39,8 +39,8 @@ Boolean $manage_auditd_package, String $refpolicy_package_name, Boolean $manage_setroubleshoot_packages, - Array[String] $setroubleshoot_package_names = [], Boolean $manage_selinux_sandbox_packages, + Array[String] $setroubleshoot_package_names = [], Array[String] $selinux_sandbox_package_names = [], Optional[Enum['enforcing', 'permissive', 'disabled']] $mode = undef, Optional[Enum['targeted', 'minimum', 'mls']] $type = undef, diff --git a/manifests/module.pp b/manifests/module.pp index f94b183e..a4b1fbfc 100644 --- a/manifests/module.pp +++ b/manifests/module.pp 
@@ -89,100 +89,102 @@ -> Selinux::Module[$title] -> Anchor['selinux::module post'] - $has_source = (pick($source_te, $source_fc, $source_if, $content_te, $content_fc, $content_if, false) != false) - if $has_source and $build_command == undef { - fail('No builder or default builder specified') - } - - if $has_source and $source_pp != undef { - fail('Specifying source files and a pre-compiled policy package are mutually exclusive options') - } - - if $has_source and $ensure == 'present' { - file { "${module_file}.te": - ensure => 'file', - source => $source_te, - content => $content_te, - notify => Exec["clean-module-${title}"], + if $facts['os']['selinux']['enabled'] { + $has_source = (pick($source_te, $source_fc, $source_if, $content_te, $content_fc, $content_if, false) != false) + if $has_source and $build_command == undef { + fail('No builder or default builder specified') } - $content_fc_real = $content_fc ? { undef => $source_fc ? { undef => '', default => undef }, default => $content_fc } - file { "${module_file}.fc": - ensure => 'file', - source => $source_fc, - content => $content_fc_real, - notify => Exec["clean-module-${title}"], + if $has_source and $source_pp != undef { + fail('Specifying source files and a pre-compiled policy package are mutually exclusive options') } - $content_if_real = $content_if ? { undef => $source_if ? 
{ undef => '', default => undef }, default => $content_if } - file { "${module_file}.if": - ensure => 'file', - source => $source_if, - content => $content_if_real, - notify => Exec["clean-module-${title}"], - } - # ensure it doesn't get purged if it exists - file { "${module_file}.pp": selinux_ignore_defaults => true } - - exec { "clean-module-${title}": - path => '/bin:/usr/bin', - cwd => $module_dir, - command => "rm -f '${module_file}.pp' '${module_file}.loaded'", - refreshonly => true, - notify => Exec["build-module-${title}"], + if $has_source and $ensure == 'present' { + file { "${module_file}.te": + ensure => 'file', + source => $source_te, + content => $content_te, + notify => Exec["clean-module-${title}"], + } + + $content_fc_real = $content_fc ? { undef => $source_fc ? { undef => '', default => undef }, default => $content_fc } + file { "${module_file}.fc": + ensure => 'file', + source => $source_fc, + content => $content_fc_real, + notify => Exec["clean-module-${title}"], + } + + $content_if_real = $content_if ? { undef => $source_if ? 
{ undef => '', default => undef }, default => $content_if } + file { "${module_file}.if": + ensure => 'file', + source => $source_if, + content => $content_if_real, + notify => Exec["clean-module-${title}"], + } + # ensure it doesn't get purged if it exists + file { "${module_file}.pp": selinux_ignore_defaults => true } + + exec { "clean-module-${title}": + path => '/bin:/usr/bin', + cwd => $module_dir, + command => "rm -f '${module_file}.pp' '${module_file}.loaded'", + refreshonly => true, + notify => Exec["build-module-${title}"], + } + + exec { "build-module-${title}": + path => '/bin:/usr/bin', + cwd => $module_dir, + command => "${build_command} || (rm -f ${module_file}.pp ${module_file}.loaded && exit 1)", + creates => "${module_file}.pp", + notify => Exec["install-module-${title}"], + } + $install = true + } elsif $source_pp != undef and $ensure == 'present' { + file { "${module_file}.pp": + ensure => 'file', + source => $source_pp, + notify => Exec["clean-module-${title}"], + } + + exec { "clean-module-${title}": + path => '/bin:/usr/bin', + cwd => $module_dir, + command => "rm -f '${module_file}.loaded'", + refreshonly => true, + notify => Exec["install-module-${title}"], + } + + $install = true + } else { + # no source and no .pp, just do plain selmodule {$title:} + $install = false } - exec { "build-module-${title}": - path => '/bin:/usr/bin', - cwd => $module_dir, - command => "${build_command} || (rm -f ${module_file}.pp ${module_file}.loaded && exit 1)", - creates => "${module_file}.pp", - notify => Exec["install-module-${title}"], - } - $install = true - } elsif $source_pp != undef and $ensure == 'present' { - file { "${module_file}.pp": - ensure => 'file', - source => $source_pp, - notify => Exec["clean-module-${title}"], + if $install { + # we need to install the module manually because selmodule is kind of dumb. It ends up + # working fine, though. 
+ exec { "install-module-${title}": + path => '/sbin:/usr/sbin:/bin:/usr/bin', + cwd => $module_dir, + command => "semodule -i ${module_file}.pp && touch ${module_file}.loaded", + creates => "${module_file}.loaded", + before => Selmodule[$title], + } + + # ensure it doesn't get purged if it exists + file { "${module_file}.loaded": } } - exec { "clean-module-${title}": - path => '/bin:/usr/bin', - cwd => $module_dir, - command => "rm -f '${module_file}.loaded'", - refreshonly => true, - notify => Exec["install-module-${title}"], + $module_path = ($has_source or $source_pp != undef) ? { + true => "${module_file}.pp", + false => undef } - $install = true - } else { - # no source and no .pp, just do plain selmodule {$title:} - $install = false - } - - if $install { - # we need to install the module manually because selmodule is kind of dumb. It ends up - # working fine, though. - exec { "install-module-${title}": - path => '/sbin:/usr/sbin:/bin:/usr/bin', - cwd => $module_dir, - command => "semodule -i ${module_file}.pp && touch ${module_file}.loaded", - creates => "${module_file}.loaded", - before => Selmodule[$title], + selmodule { $title: + ensure => $ensure, + selmodulepath => $module_path, } - - # ensure it doesn't get purged if it exists - file { "${module_file}.loaded": } - } - - $module_path = ($has_source or $source_pp != undef) ? { - true => "${module_file}.pp", - false => undef - } - - selmodule { $title: - ensure => $ensure, - selmodulepath => $module_path, } } diff --git a/manifests/permissive.pp b/manifests/permissive.pp index 2f47e456..7701f296 100644 --- a/manifests/permissive.pp +++ b/manifests/permissive.pp @@ -23,7 +23,9 @@ -> Anchor['selinux::module pre'] } - selinux_permissive { $seltype: - ensure => $ensure, + if $facts['os']['selinux']['enabled'] { + selinux_permissive { $seltype: + ensure => $ensure, + } } } 
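Review bot: The two `fail()` calls for a missing builder and for the mutually exclusive `source_*`/`source_pp` combination now sit inside `if $facts['os']['selinux']['enabled']`, so a misconfigured `selinux::module` declaration compiles cleanly on a host where SELinux is disabled and only breaks the run once SELinux is switched on. Hoist `$has_source` and both checks above the guard so parameter validation does not depend on node state; only the `file`, `exec` and `selmodule` declarations need to be conditional. `$has_source` is otherwise left undef on the disabled path, which is harmless today only because `$module_path` reads it inside the same guard. The enclosing define starts before the hunk.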
diff --git a/spec/defines/selinux_fcontext_equivalence_spec.rb b/spec/defines/selinux_fcontext_equivalence_spec.rb index bcdf3941..2d247e18 100644 --- a/spec/defines/selinux_fcontext_equivalence_spec.rb +++ b/spec/defines/selinux_fcontext_equivalence_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'selinux::fcontext::equivalence' do 
@@ -9,28 +11,51 @@ facts end - context 'ordering on ensure => present' do - let(:params) do - { - target: '/opt/some/other/path' - } + context 'SELinux enabled' do + let(:facts) do + override_facts(super(), os: { selinux: { enabled: true } }) end - it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_requires('Anchor[selinux::module post]') } - it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_comes_before('Anchor[selinux::end]') } - it { is_expected.to contain_selinux_fcontext_equivalence('/opt/some/path').with(target: '/opt/some/other/path') } + context 'ordering on ensure => present' do + let(:params) do + { + target: '/opt/some/other/path' + } + end + + it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_requires('Anchor[selinux::module post]') } + it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_comes_before('Anchor[selinux::end]') } + it { is_expected.to contain_selinux_fcontext_equivalence('/opt/some/path').with(target: '/opt/some/other/path') } + end + + context 'ordering on ensure => absent' do + let(:params) do + { + ensure: 'absent', + target: '/opt/some/other/path' + } + end + + it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_requires('Anchor[selinux::start]') } + it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_comes_before('Anchor[selinux::module pre]') } + it { is_expected.to contain_selinux_fcontext_equivalence('/opt/some/path').with(ensure: 'absent', target: '/opt/some/other/path') } + end end - context 'ordering on ensure => absent' do - let(:params) do - { - ensure: 'absent', - target: '/opt/some/other/path' - } + + context 'SELinux disabled' do + let(:facts) do + override_facts(super(), os: { selinux: { enabled: false } }) end - it { is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_requires('Anchor[selinux::start]') } - it { 
is_expected.to contain_selinux__fcontext__equivalence('/opt/some/path').that_comes_before('Anchor[selinux::module pre]') } - it { is_expected.to contain_selinux_fcontext_equivalence('/opt/some/path').with(ensure: 'absent', target: '/opt/some/other/path') } + context 'make sure it compiles' do + let(:params) do + { + target: '/opt/some/other/path' + } + end + + it { is_expected.to compile } + end end end end diff --git a/spec/defines/selinux_module_spec.rb b/spec/defines/selinux_module_spec.rb index b014d8d1..0e4ec006 100644 --- a/spec/defines/selinux_module_spec.rb +++ b/spec/defines/selinux_module_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'selinux::module' do 
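Review bot: The new 'SELinux disabled' context only asserts `compile`, which would also pass if the guard were dropped or inverted; add `it { is_expected.not_to contain_selinux_fcontext_equivalence('/opt/some/path') }` so the test actually pins the skip. The same gap exists in the disabled contexts of spec/defines/selinux_module_spec.rb (`not_to contain_selmodule('mymodule')`) and spec/defines/selinux_permissive_spec.rb (`not_to contain_selinux_permissive('oddjob_mkhomedir_t')`). Since the anchor chaining at the top of the equivalence.pp hunk appears to sit outside the guard, asserting `contain_selinux__fcontext__equivalence('/opt/some/path')` in the disabled context as well would document that the define itself still lands in the catalog.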
@@ -15,180 +17,202 @@ '/var/lib/puppet/puppet-selinux/modules/mymodule' end - context 'ordering' do - let(:params) do - { - source_te: 'puppet:///modules/mymodule/selinux/mymodule.te' - } + context 'SELinux enabled' do + let(:facts) do + override_facts(super(), os: { selinux: { enabled: true } }) end - it { is_expected.to contain_selinux__module('mymodule').that_requires('Anchor[selinux::module pre]') } - it { is_expected.to contain_selinux__module('mymodule').that_comes_before('Anchor[selinux::module post]') } - end + context 'ordering' do + let(:params) do + { + source_te: 'puppet:///modules/mymodule/selinux/mymodule.te' + } + end - context 'present case with refpolicy builder and with te file only' do - let(:params) do - { - source_te: 'puppet:///modules/mymodule/selinux/mymodule.te', - builder: 'refpolicy' - } + it { is_expected.to contain_selinux__module('mymodule').that_requires('Anchor[selinux::module pre]') } + it { is_expected.to contain_selinux__module('mymodule').that_comes_before('Anchor[selinux::module post]') } end - it { is_expected.to contain_file(workdir) } - it { is_expected.to contain_file("#{workdir}/mymodule.te").that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '') } - it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') } - it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } - it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } - it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } - it { is_expected.to 
contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } - end - - context 'present case with refpolicy builder and with te and fc file' do - let(:params) do - { - source_te: 'puppet:///modules/mymodule/selinux/mymodule.te', - source_fc: 'puppet:///modules/mymodule/selinux/mymodule.fc', - builder: 'refpolicy' - } + context 'present case with refpolicy builder and with te file only' do + let(:params) do + { + source_te: 'puppet:///modules/mymodule/selinux/mymodule.te', + builder: 'refpolicy' + } + end + + it { is_expected.to contain_file(workdir) } + it { is_expected.to contain_file("#{workdir}/mymodule.te").that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '') } + it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') } + it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } + it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } + it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } + it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } end - it { is_expected.to contain_file(workdir) } - it { is_expected.to contain_file("#{workdir}/mymodule.te").that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_file("#{workdir}/mymodule.fc").that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') } - it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm 
-f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } - it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } - it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } - it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } - end - - context 'present case with refpolicy builder and with te, fc and if file' do - let(:params) do - { - source_te: 'puppet:///modules/mymodule/selinux/mymodule.te', - source_if: 'puppet:///modules/mymodule/selinux/mymodule.if', - source_fc: 'puppet:///modules/mymodule/selinux/mymodule.fc', - builder: 'refpolicy' - } + context 'present case with refpolicy builder and with te and fc file' do + let(:params) do + { + source_te: 'puppet:///modules/mymodule/selinux/mymodule.te', + source_fc: 'puppet:///modules/mymodule/selinux/mymodule.fc', + builder: 'refpolicy' + } + end + + it { is_expected.to contain_file(workdir) } + it { is_expected.to contain_file("#{workdir}/mymodule.te").that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_file("#{workdir}/mymodule.fc").that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') } + it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } + it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } + it { is_expected.to 
contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } + it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } end - it { is_expected.to contain_file(workdir) } - it { is_expected.to contain_file("#{workdir}/mymodule.te").that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_file("#{workdir}/mymodule.if").that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_file("#{workdir}/mymodule.fc").that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } - it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } - it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } - it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } - end - - context 'present case with refpolicy builder and with inline te, fc and if file' do - let(:params) do - { - content_te: 'policy_module(puppet_test, 1.0.0)', - content_if: 'interface(puppet_test)', - content_fc: '/bin/sh system_u:object_r:bin_t', - builder: 'refpolicy' - } + context 'present case with refpolicy builder and with te, fc and if file' do + let(:params) do + { + source_te: 'puppet:///modules/mymodule/selinux/mymodule.te', + source_if: 'puppet:///modules/mymodule/selinux/mymodule.if', + source_fc: 'puppet:///modules/mymodule/selinux/mymodule.fc', + builder: 'refpolicy' + } + end + + it { is_expected.to contain_file(workdir) } 
+ it { is_expected.to contain_file("#{workdir}/mymodule.te").that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_file("#{workdir}/mymodule.if").that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_file("#{workdir}/mymodule.fc").that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } + it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } + it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } + it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } end - it { is_expected.to contain_file(workdir) } - it { is_expected.to contain_file("#{workdir}/mymodule.te").with(source: nil, content: 'policy_module(puppet_test, 1.0.0)').that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: 'interface(puppet_test)').that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '/bin/sh system_u:object_r:bin_t').that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } - it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } - it { is_expected.to 
contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } - it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } - end - - context 'present case with simple builder with te' do - let(:params) do - { - source_te: 'puppet:///modules/mymodule/selinux/mymodule.te', - builder: 'simple' - } + context 'present case with refpolicy builder and with inline te, fc and if file' do + let(:params) do + { + content_te: 'policy_module(puppet_test, 1.0.0)', + content_if: 'interface(puppet_test)', + content_fc: '/bin/sh system_u:object_r:bin_t', + builder: 'refpolicy' + } + end + + it { is_expected.to contain_file(workdir) } + it { is_expected.to contain_file("#{workdir}/mymodule.te").with(source: nil, content: 'policy_module(puppet_test, 1.0.0)').that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: 'interface(puppet_test)').that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '/bin/sh system_u:object_r:bin_t').that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } + it { is_expected.to contain_exec('build-module-mymodule').with(command: "make -f /usr/share/selinux/devel/Makefile mymodule.pp || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } + it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } + it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } end - it { 
is_expected.to contain_file(workdir) } - it { is_expected.to contain_class('selinux::build').that_comes_before('Selinux::Module[mymodule]') } - it { is_expected.to contain_file("#{workdir}/mymodule.te").that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '') } - it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') } - it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } - it { is_expected.to contain_exec('build-module-mymodule').with(command: "/var/lib/puppet/puppet-selinux/bin/selinux_build_module_simple.sh mymodule #{workdir} || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } - it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } - it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } - end - - context 'present case with simple builder with inline te' do - let(:params) do - { - content_te: 'policy_module(puppet_test, 1.0.0)', - builder: 'simple' - } + context 'present case with simple builder with te' do + let(:params) do + { + source_te: 'puppet:///modules/mymodule/selinux/mymodule.te', + builder: 'simple' + } + end + + it { is_expected.to contain_file(workdir) } + it { is_expected.to contain_class('selinux::build').that_comes_before('Selinux::Module[mymodule]') } + it { is_expected.to contain_file("#{workdir}/mymodule.te").that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '') } + it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') } + it { is_expected.to 
contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } + it { is_expected.to contain_exec('build-module-mymodule').with(command: "/var/lib/puppet/puppet-selinux/bin/selinux_build_module_simple.sh mymodule #{workdir} || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } + it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } + it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } end - it { is_expected.to contain_file(workdir) } - it { is_expected.to contain_file("#{workdir}/mymodule.te").with(content: 'policy_module(puppet_test, 1.0.0)').that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '') } - it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') } - it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } - it { is_expected.to contain_exec('build-module-mymodule').with(command: "/var/lib/puppet/puppet-selinux/bin/selinux_build_module_simple.sh mymodule #{workdir} || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } - it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } - it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } - end - - context 'unsupported source with simple builder' do - let(:params) do - { - source_if: 'puppet:///modules/mymodule/selinux/mymodule.te', - builder: 'simple' - } + context 
'present case with simple builder with inline te' do + let(:params) do + { + content_te: 'policy_module(puppet_test, 1.0.0)', + builder: 'simple' + } + end + + it { is_expected.to contain_file(workdir) } + it { is_expected.to contain_file("#{workdir}/mymodule.te").with(content: 'policy_module(puppet_test, 1.0.0)').that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_file("#{workdir}/mymodule.fc").with(source: nil, content: '') } + it { is_expected.to contain_file("#{workdir}/mymodule.if").with(source: nil, content: '') } + it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.pp' '#{module_basepath}.loaded'", cwd: workdir) } + it { is_expected.to contain_exec('build-module-mymodule').with(command: "/var/lib/puppet/puppet-selinux/bin/selinux_build_module_simple.sh mymodule #{workdir} || (rm -f #{module_basepath}.pp #{module_basepath}.loaded && exit 1)", creates: "#{module_basepath}.pp") } + it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } + it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } end - it do - is_expected.to compile.and_raise_error(%r{simple builder does not support}) + context 'unsupported source with simple builder' do + let(:params) do + { + source_if: 'puppet:///modules/mymodule/selinux/mymodule.te', + builder: 'simple' + } + end + + it do + is_expected.to compile.and_raise_error(%r{simple builder does not support}) + end end - end - context 'present case with pre-compiled policy package' do - let(:params) do - { - source_pp: 'puppet:///modules/mymodule/selinux/mymodule.pp' - } + context 'present case with pre-compiled policy package' do + let(:params) do + { + source_pp: 'puppet:///modules/mymodule/selinux/mymodule.pp' + } + end + + it { is_expected.to contain_file(workdir) } + it { 
is_expected.to contain_file("#{workdir}/mymodule.pp").that_notifies('Exec[clean-module-mymodule]') } + it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.loaded'", cwd: workdir) } + it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } + it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } end - it { is_expected.to contain_file(workdir) } - it { is_expected.to contain_file("#{workdir}/mymodule.pp").that_notifies('Exec[clean-module-mymodule]') } - it { is_expected.to contain_exec('clean-module-mymodule').with(command: "rm -f '#{module_basepath}.loaded'", cwd: workdir) } - it { is_expected.to contain_exec('install-module-mymodule').with(command: "semodule -i #{module_basepath}.pp && touch #{module_basepath}.loaded", cwd: workdir, creates: "#{module_basepath}.loaded") } - it { is_expected.to contain_selmodule('mymodule').with_ensure('present', selmodulepath: workdir) } - end - - context 'conflicting parameters' do - let(:params) do - { - source_pp: 'puppet:///modules/mymodule/selinux/mymodule.pp', - source_te: 'puppet:///modules/mymodule/selinux/mymodule.te', - builder: 'simple' - } + context 'conflicting parameters' do + let(:params) do + { + source_pp: 'puppet:///modules/mymodule/selinux/mymodule.pp', + source_te: 'puppet:///modules/mymodule/selinux/mymodule.te', + builder: 'simple' + } + end + + it do + is_expected.to compile.and_raise_error(%r{mutually exclusive}) + end end - it do - is_expected.to compile.and_raise_error(%r{mutually exclusive}) + context 'absent case' do + let(:params) do + { + ensure: 'absent' + } + end + + it { is_expected.to contain_selmodule('mymodule').with_ensure('absent') } end end - context 'absent case' do - let(:params) do - { - ensure: 'absent' - } + context 'SELinux disabled' do + let(:facts) do + 
override_facts(super(), os: { selinux: { enabled: false } }) end - it { is_expected.to contain_selmodule('mymodule').with_ensure('absent') } + context 'make sure it compiles' do + let(:params) do + { + source_te: 'puppet:///modules/mymodule/selinux/mymodule.te' + } + end + + it { is_expected.to compile } + end end end end diff --git a/spec/defines/selinux_permissive_spec.rb b/spec/defines/selinux_permissive_spec.rb index 40215215..a1665bb0 100644 --- a/spec/defines/selinux_permissive_spec.rb +++ b/spec/defines/selinux_permissive_spec.rb @@ -1,3 +1,5 @@ +# frozen_string_literal: true + require 'spec_helper' describe 'selinux::permissive' do 
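Review bot: The 'SELinux disabled' context exercises only the happy path (`source_te` with the default builder) and does not pin what happens to parameter validation when SELinux is off. Because the `fail()` checks in manifests/module.pp were moved inside the fact guard, a 'conflicting parameters' variant under this context would currently compile, which is the behaviour most likely to surprise a user who later enables SELinux. Either add that variant with `is_expected.to compile.and_raise_error(%r{mutually exclusive})` and keep the validation unconditional in the manifest, or pin the current leniency explicitly so the choice is deliberate rather than accidental.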
@@ -9,39 +11,61 @@ facts end - context 'ensure selinux_permissive oddjob_mkhomedir_t is present' do - let(:params) do - { - seltype: 'oddjob_mkhomedir_t' - } + context 'SELinux enabled' do + let(:facts) do + override_facts(super(), os: { selinux: { enabled: true } }) end - it { is_expected.to contain_selinux_permissive('oddjob_mkhomedir_t').with(ensure: 'present') } - it { is_expected.to contain_selinux__permissive('mycontextp').that_requires('Anchor[selinux::module post]') } - it { is_expected.to contain_selinux__permissive('mycontextp').that_comes_before('Anchor[selinux::end]') } - end + context 'ensure selinux_permissive oddjob_mkhomedir_t is present' do + let(:params) do + { + seltype: 'oddjob_mkhomedir_t' + } + end + + it { is_expected.to contain_selinux_permissive('oddjob_mkhomedir_t').with(ensure: 'present') } + it { is_expected.to contain_selinux__permissive('mycontextp').that_requires('Anchor[selinux::module post]') } + it { is_expected.to contain_selinux__permissive('mycontextp').that_comes_before('Anchor[selinux::end]') } + end + + context 'ensure selinux_permissive oddjob_mkhomedir_t is absent' do + let(:params) do + { + seltype: 'oddjob_mkhomedir_t', + ensure: 'absent' + } + end - context 'ensure selinux_permissive oddjob_mkhomedir_t is absent' do - let(:params) do - { - seltype: 'oddjob_mkhomedir_t', - ensure: 'absent' - } + it { is_expected.to contain_selinux_permissive('oddjob_mkhomedir_t').with(ensure: 'absent') } + it { is_expected.to contain_selinux__permissive('mycontextp').that_requires('Anchor[selinux::start]') } + it { is_expected.to contain_selinux__permissive('mycontextp').that_comes_before('Anchor[selinux::module pre]') } end - it { is_expected.to contain_selinux_permissive('oddjob_mkhomedir_t').with(ensure: 'absent') } - it { is_expected.to contain_selinux__permissive('mycontextp').that_requires('Anchor[selinux::start]') } - it { is_expected.to contain_selinux__permissive('mycontextp').that_comes_before('Anchor[selinux::module pre]') } + 
context 'selinux_permissive oddjob_mkhomedir_t with title only' do + let(:title) do + 'oddjob_mkhomedir_t' + end + + it { is_expected.to contain_selinux_permissive('oddjob_mkhomedir_t').with(ensure: 'present') } + it { is_expected.to contain_selinux__permissive('oddjob_mkhomedir_t').that_requires('Anchor[selinux::module post]') } + it { is_expected.to contain_selinux__permissive('oddjob_mkhomedir_t').that_comes_before('Anchor[selinux::end]') } + end end - context 'selinux_permissive oddjob_mkhomedir_t with title only' do - let(:title) do - 'oddjob_mkhomedir_t' + context 'SELinux disabled' do + let(:facts) do + override_facts(super(), os: { selinux: { enabled: false } }) end - it { is_expected.to contain_selinux_permissive('oddjob_mkhomedir_t').with(ensure: 'present') } - it { is_expected.to contain_selinux__permissive('oddjob_mkhomedir_t').that_requires('Anchor[selinux::module post]') } - it { is_expected.to contain_selinux__permissive('oddjob_mkhomedir_t').that_comes_before('Anchor[selinux::end]') } + context 'make sure it compiles' do + let(:params) do + { + seltype: 'oddjob_mkhomedir_t' + } + end + + it { is_expected.to compile } + end end end end