18badc5e8b
Rebase to latest upstream (1937938) should not reload the SELinux policy if it is not changed (1757869) Ability to install custom SELinux module via Ansible (1848683) Related: rhbz#1961404
From 4a8f0c2b240ffccde5018d2de1166e6c22daa500 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Mon, 22 Mar 2021 17:13:26 -0600
Subject: [PATCH] add tags; fix cleanup task
---
tests/set_selinux_variables.yml | 8 ++++++
tests/tests_all_purge.yml | 6 ++++-
tests/tests_all_transitions.yml | 2 ++
tests/tests_boolean.yml | 3 ++-
tests/tests_fcontext.yml | 2 +-
tests/tests_login.yml | 2 +-
tests/tests_port.yml | 2 +-
tests/tests_selinux_disabled.yml | 45 +++++++++++++++++++++-----------
8 files changed, 50 insertions(+), 20 deletions(-)
diff --git a/tests/set_selinux_variables.yml b/tests/set_selinux_variables.yml
|
|
index 05f0c88..3446647 100644
|
|
--- a/tests/set_selinux_variables.yml
|
|
+++ b/tests/set_selinux_variables.yml
|
|
@@ -1,4 +1,12 @@
|
|
---
|
|
+- name: Install SELinux tool semanage on Fedora
|
|
+ package:
|
|
+ name:
|
|
+ - policycoreutils-python-utils
|
|
+ state: present
|
|
+ when: ansible_distribution == "Fedora" or
|
|
+ ( ansible_distribution_major_version > "7" and
|
|
+ ( ansible_distribution == "CentOS" or ansible_distribution == "RedHat" ))
|
|
- name: Get local modifications - boolean
|
|
command: /usr/sbin/semanage boolean -l -n -C
|
|
changed_when: false
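Review bot: `ansible_distribution_major_version > "7"` in the new `when` compares two strings, so the ordering is lexicographic and the test is false for a two-digit major version such as "10"; compare as integers instead, `( ansible_distribution_major_version | int > 7 and`. The same condition is added to the install task in tests/tests_all_purge.yml and tests/tests_selinux_disabled.yml in this commit and needs the same change there. The task name `Install SELinux tool semanage on Fedora` no longer describes the condition, which now also covers CentOS and RedHat newer than 7; a name such as `- name: Install SELinux tool semanage on Fedora and CentOS/RedHat > 7` would match it. The same install task now exists verbatim in three test files; if the playbooks that carry their own copy also import set_selinux_variables.yml (not visible here), those copies are redundant. The rest of set_selinux_variables.yml is outside this hunk.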
|
|
diff --git a/tests/tests_all_purge.yml b/tests/tests_all_purge.yml
|
|
index 40e933b..4688994 100644
|
|
--- a/tests/tests_all_purge.yml
|
|
+++ b/tests/tests_all_purge.yml
|
|
@@ -8,13 +8,17 @@
|
|
fcontext -a -t user_home_dir_t /tmp/test_dir
|
|
login -a -s staff_u sar-user
|
|
|
|
+ tags:
|
|
+ - 'tests::avc'
|
|
tasks:
|
|
- name: Install SELinux tool semanage on Fedora
|
|
package:
|
|
name:
|
|
- policycoreutils-python-utils
|
|
state: present
|
|
- when: ansible_distribution == "Fedora"
|
|
+ when: ansible_distribution == "Fedora" or
|
|
+ ( ansible_distribution_major_version > "7" and
|
|
+ ( ansible_distribution == "CentOS" or ansible_distribution == "RedHat" ))
|
|
|
|
- name: Add a Linux System Roles SELinux User
|
|
user:
|
|
diff --git a/tests/tests_all_transitions.yml b/tests/tests_all_transitions.yml
|
|
index acd37ad..20f96c4 100644
|
|
--- a/tests/tests_all_transitions.yml
|
|
+++ b/tests/tests_all_transitions.yml
|
|
@@ -1,6 +1,8 @@
|
|
- name: Test all the possible selinux_state transitions
|
|
hosts: all
|
|
become: true
|
|
+ tags:
|
|
+ - 'tests::reboot'
|
|
vars:
|
|
states:
|
|
- permissive
|
|
diff --git a/tests/tests_boolean.yml b/tests/tests_boolean.yml
|
|
index 368e8dc..966abe4 100644
|
|
--- a/tests/tests_boolean.yml
|
|
+++ b/tests/tests_boolean.yml
|
|
@@ -1,4 +1,5 @@
|
|
- name: Check if selinux role sets SELinux booleans
|
|
+ tags: tests::expfail
|
|
hosts: all
|
|
become: true
|
|
|
|
@@ -11,7 +12,7 @@
|
|
selinux_booleans:
|
|
- { name: 'samba_enable_home_dirs', state: 'on', persistent: 'yes' }
|
|
|
|
- - include: set_selinux_variables.yml
|
|
+ - import_tasks: set_selinux_variables.yml
|
|
- name: save state after initial changes and before other changes
|
|
set_fact:
|
|
boolean_before: "{{ selinux_role_boolean.stdout_lines }}"
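Review bot: The play-level `tags: tests::expfail` is written as a bare scalar here, while the other files in this commit use a block list (`- 'tests::avc'` in tests/tests_all_purge.yml) and a flow list (`[ 'tests::cleanup' ]` in tests/tests_selinux_disabled.yml); one notation, e.g. `tags: [ 'tests::expfail' ]`, keeps the test files uniform. A play tagged as an expected failure is hard to interpret without a stated reason; a comment above the tag such as `# expfail: <reason this test is expected to fail>` would tell the next maintainer which failure is accepted here. The play's remaining tasks are outside these hunks.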
|
|
diff --git a/tests/tests_fcontext.yml b/tests/tests_fcontext.yml
|
|
index b96b07a..aa1e1fa 100644
|
|
--- a/tests/tests_fcontext.yml
|
|
+++ b/tests/tests_fcontext.yml
|
|
@@ -13,7 +13,7 @@
|
|
- { target: '/tmp/test_dir1(/.*)?', setype: 'user_home_dir_t',
|
|
ftype: 'd' }
|
|
|
|
- - include: set_selinux_variables.yml
|
|
+ - import_tasks: set_selinux_variables.yml
|
|
- name: save state after initial changes and before other changes
|
|
set_fact:
|
|
fcontext_before: "{{ selinux_role_fcontext.stdout }}"
|
|
diff --git a/tests/tests_login.yml b/tests/tests_login.yml
|
|
index 67c6a9f..4ce8a0b 100644
|
|
--- a/tests/tests_login.yml
|
|
+++ b/tests/tests_login.yml
|
|
@@ -17,7 +17,7 @@
|
|
- { login: 'sar-user', seuser: 'staff_u',
|
|
serange: 's0-s0:c0.c1023', state: 'present' }
|
|
|
|
- - include: set_selinux_variables.yml
|
|
+ - import_tasks: set_selinux_variables.yml
|
|
- name: save state after initial changes and before other changes
|
|
set_fact:
|
|
login_before: "{{ selinux_role_login.stdout }}"
|
|
diff --git a/tests/tests_port.yml b/tests/tests_port.yml
|
|
index 5b651b0..4172dcb 100644
|
|
--- a/tests/tests_port.yml
|
|
+++ b/tests/tests_port.yml
|
|
@@ -29,7 +29,7 @@
|
|
- { ports: '22022', proto: 'tcp', setype: 'ssh_port_t',
|
|
state: 'present' }
|
|
|
|
- - include: set_selinux_variables.yml
|
|
+ - import_tasks: set_selinux_variables.yml
|
|
- name: save state after other changes
|
|
set_fact:
|
|
port_after: "{{ selinux_role_port.stdout }}"
|
|
diff --git a/tests/tests_selinux_disabled.yml b/tests/tests_selinux_disabled.yml
|
|
index a0dbaeb..4d896a0 100644
|
|
--- a/tests/tests_selinux_disabled.yml
|
|
+++ b/tests/tests_selinux_disabled.yml
|
|
@@ -11,13 +11,17 @@
|
|
fcontext -a -t user_home_dir_t /tmp/test_dir
|
|
login -a -s staff_u sar-user
|
|
|
|
+ tags:
|
|
+ - 'tests::avc'
|
|
tasks:
|
|
- name: Install SELinux tool semanage on Fedora
|
|
package:
|
|
name:
|
|
- policycoreutils-python-utils
|
|
state: present
|
|
- when: ansible_distribution == "Fedora"
|
|
+ when: ansible_distribution == "Fedora" or
|
|
+ ( ansible_distribution_major_version > "7" and
|
|
+ ( ansible_distribution == "CentOS" or ansible_distribution == "RedHat" ))
|
|
|
|
- name: Add a Linux System Roles SELinux User
|
|
user:
|
|
@@ -80,18 +84,29 @@
|
|
that: "{{ ansible_selinux.config_mode == 'enforcing' }}"
|
|
msg: "SELinux config mode should be enforcing instead of
|
|
{{ ansible_selinux.config_mode }}"
|
|
- - name: Restore original /etc/selinux/config
|
|
- copy:
|
|
- remote_src: true
|
|
- dest: /etc/selinux/config
|
|
- src: /etc/selinux/config.test_selinux_disabled
|
|
- mode: preserve
|
|
- - name: Remove /etc/selinux/config backup
|
|
- file:
|
|
- path: /etc/selinux/config.test_selinux_disabled
|
|
- state: absent
|
|
- - name: Remove Linux System Roles SELinux User
|
|
- user:
|
|
- name: sar-user
|
|
- remove: yes
|
|
- state: absent
|
|
+
|
|
+ - name: Cleanup
|
|
+ tags: [ 'tests::cleanup' ]
|
|
+ block:
|
|
+ - name: Restore original /etc/selinux/config
|
|
+ copy:
|
|
+ remote_src: true
|
|
+ dest: /etc/selinux/config
|
|
+ src: /etc/selinux/config.test_selinux_disabled
|
|
+ mode: preserve
|
|
+
|
|
+ - name: Remove /etc/selinux/config backup
|
|
+ file:
|
|
+ path: /etc/selinux/config.test_selinux_disabled
|
|
+ state: absent
|
|
+
|
|
+ - name: Remove Linux System Roles SELinux User
|
|
+ user:
|
|
+ name: sar-user
|
|
+ remove: yes
|
|
+ state: absent
|
|
+
|
|
+ - import_role:
|
|
+ name: linux-system-roles.selinux
|
|
+ vars:
|
|
+ selinux_all_purge: true
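Review bot: The new `Cleanup` block only runs when every task before it succeeds, so a failed assertion earlier in the play (the `config_mode == 'enforcing'` check just above the hunk) leaves the modified /etc/selinux/config and its `.test_selinux_disabled` backup in place on the host; if cleanup is meant to be unconditional, wrap the test tasks in a `block:` and put these tasks under its `always:` section, keeping the `tests::cleanup` tag so they can still be selected on their own. That outer block would begin before this hunk, where the play's test tasks are. `remove: yes` is a YAML 1.1 truthy spelling while the rest of the file uses `true` (`remote_src: true`, `selinux_all_purge: true`); write `remove: true`. The final `import_role` with `selinux_all_purge: true` removes every local SELinux customization on the target, not only the ones this test created, so this play is only suitable for disposable test hosts.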
|