diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 16:04:21 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 16:04:21 +0000 |
commit | 8a754e0858d922e955e71b253c139e071ecec432 (patch) | |
tree | 527d16e74bfd1840c85efd675fdecad056c54107 /test/integration/targets/module_utils_facts.system.selinux/tasks/selinux.yml | |
parent | Initial commit. (diff) | |
download | ansible-core-8a754e0858d922e955e71b253c139e071ecec432.tar.xz ansible-core-8a754e0858d922e955e71b253c139e071ecec432.zip |
Adding upstream version 2.14.3.upstream/2.14.3upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'test/integration/targets/module_utils_facts.system.selinux/tasks/selinux.yml')
-rw-r--r-- | test/integration/targets/module_utils_facts.system.selinux/tasks/selinux.yml | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/test/integration/targets/module_utils_facts.system.selinux/tasks/selinux.yml b/test/integration/targets/module_utils_facts.system.selinux/tasks/selinux.yml new file mode 100644 index 0000000..6a2b159 --- /dev/null +++ b/test/integration/targets/module_utils_facts.system.selinux/tasks/selinux.yml @@ -0,0 +1,93 @@ +- name: collect selinux facts + setup: + gather_subset: ['!all', '!min', selinux] + register: fact_output + +- debug: + var: fact_output + +- name: create tempdir container in home + file: + path: ~/.selinux_tmp + state: directory + +- name: create tempdir + tempfile: + path: ~/.selinux_tmp + prefix: selinux_test + state: directory + register: tempdir + +- name: ls -1Zd tempdir to capture context from FS + shell: ls -1Zd '{{ tempdir.path }}' + register: tempdir_context_output + +- name: create a file under the tempdir with no context info specified (it should inherit parent context) + file: + path: '{{ tempdir.path }}/file_inherited_context' + state: touch + register: file_inherited_context + +- name: ls -1Z inherited file to capture context from FS + shell: ls -1Z '{{ tempdir.path }}/file_inherited_context' + register: inherited_context_output + +- name: copy the file with explicit overrides on all context values + copy: + remote_src: yes + src: '{{ tempdir.path }}/file_inherited_context' + dest: '{{ tempdir.path }}/file_explicit_context' + seuser: system_u + serole: system_r + setype: user_tmp_t + # default configs don't have MLS levels defined, so we can't test that yet + # selevel: s1 + register: file_explicit_context + +- name: ls -1Z explicit file to capture context from FS + shell: ls -1Z '{{ tempdir.path }}/file_explicit_context' + register: explicit_context_output + +- name: alter the tempdir context + file: + path: '{{ tempdir.path }}' + seuser: system_u + serole: system_r + setype: user_tmp_t + # default configs don't have MLS levels defined, so we can't test that yet + # selevel: s1 + register: tempdir_altered + +- name: ls -1Z tempdir to capture context from FS + shell: ls -1Z '{{ tempdir.path }}/file_explicit_context' + register: tempdir_altered_context_output + +- name: copy the explicit context file with default overrides on all context values + copy: + remote_src: yes + src: '{{ tempdir.path }}/file_explicit_context' + dest: '{{ tempdir.path }}/file_default_context' + seuser: _default + serole: _default + setype: _default + selevel: _default + register: file_default_context + +- name: see what matchpathcon thinks the context of default_file_context should be + shell: matchpathcon {{ file_default_context.dest }} | awk '{ print $2 }' + register: expected_default_context + +- assert: + that: + - fact_output.ansible_facts.ansible_selinux.config_mode in ['enforcing','permissive'] + - fact_output.ansible_facts.ansible_selinux.mode in ['enforcing','permissive'] + - fact_output.ansible_facts.ansible_selinux.status == 'enabled' + - fact_output.ansible_facts.ansible_selinux_python_present == true + # assert that secontext is set on the file results (injected by basic.py, for better or worse) + - tempdir.secontext is match('.+:.+:.+') and tempdir.secontext in tempdir_context_output.stdout + - file_inherited_context.secontext is match('.+:.+:.+') and file_inherited_context.secontext in inherited_context_output.stdout + - file_inherited_context.secontext == tempdir.secontext # should've been inherited from the parent dir since not set explicitly + - file_explicit_context.secontext == 'system_u:system_r:user_tmp_t:s0' and file_explicit_context.secontext in explicit_context_output.stdout + - tempdir_altered.secontext == 'system_u:system_r:user_tmp_t:s0' and tempdir_altered.secontext in tempdir_altered_context_output.stdout + # the one with reset defaults should match the original tempdir context, not the altered one (ie, it was set by the original policy context, not inherited from the parent dir) + - file_default_context.secontext == expected_default_context.stdout_lines[0] |