diff options
Diffstat (limited to 'test/integration/targets/module_utils_facts.system.selinux')
3 files changed, 132 insertions, 0 deletions
diff --git a/test/integration/targets/module_utils_facts.system.selinux/aliases b/test/integration/targets/module_utils_facts.system.selinux/aliases new file mode 100644 index 0000000..a6dafcf --- /dev/null +++ b/test/integration/targets/module_utils_facts.system.selinux/aliases @@ -0,0 +1 @@ +shippable/posix/group1 diff --git a/test/integration/targets/module_utils_facts.system.selinux/tasks/main.yml b/test/integration/targets/module_utils_facts.system.selinux/tasks/main.yml new file mode 100644 index 0000000..1717239 --- /dev/null +++ b/test/integration/targets/module_utils_facts.system.selinux/tasks/main.yml @@ -0,0 +1,38 @@ +- name: check selinux config + shell: | + command -v getenforce && + getenforce | grep -E 'Enforcing|Permissive' + ignore_errors: yes + register: selinux_state + +- name: explicitly collect selinux facts + setup: + gather_subset: + - '!all' + - '!any' + - selinux + register: selinux_facts + +- set_fact: + selinux_policytype: "unknown" + +- name: check selinux policy type + shell: grep '^SELINUXTYPE=' /etc/selinux/config | cut -d'=' -f2 + ignore_errors: yes + register: r + +- set_fact: + selinux_policytype: "{{ r.stdout_lines[0] }}" + when: r is success and r.stdout_lines + +- assert: + that: + - selinux_facts is success and selinux_facts.ansible_facts.ansible_selinux is defined + - (selinux_facts.ansible_facts.ansible_selinux.status in ['disabled', 'Missing selinux Python library'] if selinux_state is not success else True) + - (selinux_facts.ansible_facts.ansible_selinux.status == 'enabled' if selinux_state is success else True) + - (selinux_facts.ansible_facts.ansible_selinux.mode in ['enforcing', 'permissive'] if selinux_state is success else True) + - (selinux_facts.ansible_facts.ansible_selinux.type == selinux_policytype if selinux_state is success else True) + +- name: run selinux tests + include_tasks: selinux.yml + when: selinux_state is success diff --git a/test/integration/targets/module_utils_facts.system.selinux/tasks/selinux.yml b/test/integration/targets/module_utils_facts.system.selinux/tasks/selinux.yml new file mode 100644 index 0000000..6a2b159 --- /dev/null +++ b/test/integration/targets/module_utils_facts.system.selinux/tasks/selinux.yml @@ -0,0 +1,93 @@ +- name: collect selinux facts + setup: + gather_subset: ['!all', '!min', selinux] + register: fact_output + +- debug: + var: fact_output + +- name: create tempdir container in home + file: + path: ~/.selinux_tmp + state: directory + +- name: create tempdir + tempfile: + path: ~/.selinux_tmp + prefix: selinux_test + state: directory + register: tempdir + +- name: ls -1Zd tempdir to capture context from FS + shell: ls -1Zd '{{ tempdir.path }}' + register: tempdir_context_output + +- name: create a file under the tempdir with no context info specified (it should inherit parent context) + file: + path: '{{ tempdir.path }}/file_inherited_context' + state: touch + register: file_inherited_context + +- name: ls -1Z inherited file to capture context from FS + shell: ls -1Z '{{ tempdir.path }}/file_inherited_context' + register: inherited_context_output + +- name: copy the file with explicit overrides on all context values + copy: + remote_src: yes + src: '{{ tempdir.path }}/file_inherited_context' + dest: '{{ tempdir.path }}/file_explicit_context' + seuser: system_u + serole: system_r + setype: user_tmp_t + # default configs don't have MLS levels defined, so we can't test that yet + # selevel: s1 + register: file_explicit_context + +- name: ls -1Z explicit file to capture context from FS + shell: ls -1Z '{{ tempdir.path }}/file_explicit_context' + register: explicit_context_output + +- name: alter the tempdir context + file: + path: '{{ tempdir.path }}' + seuser: system_u + serole: system_r + setype: user_tmp_t + # default configs don't have MLS levels defined, so we can't test that yet + # selevel: s1 + register: tempdir_altered + +- name: ls -1Z tempdir to capture context from FS + shell: ls -1Z '{{ tempdir.path }}/file_explicit_context' + register: tempdir_altered_context_output + +- name: copy the explicit context file with default overrides on all context values + copy: + remote_src: yes + src: '{{ tempdir.path }}/file_explicit_context' + dest: '{{ tempdir.path }}/file_default_context' + seuser: _default + serole: _default + setype: _default + selevel: _default + register: file_default_context + +- name: see what matchpathcon thinks the context of default_file_context should be + shell: matchpathcon {{ file_default_context.dest }} | awk '{ print $2 }' + register: expected_default_context + +- assert: + that: + - fact_output.ansible_facts.ansible_selinux.config_mode in ['enforcing','permissive'] + - fact_output.ansible_facts.ansible_selinux.mode in ['enforcing','permissive'] + - fact_output.ansible_facts.ansible_selinux.status == 'enabled' + - fact_output.ansible_facts.ansible_selinux_python_present == true + # assert that secontext is set on the file results (injected by basic.py, for better or worse) + - tempdir.secontext is match('.+:.+:.+') and tempdir.secontext in tempdir_context_output.stdout + - file_inherited_context.secontext is match('.+:.+:.+') and file_inherited_context.secontext in inherited_context_output.stdout + - file_inherited_context.secontext == tempdir.secontext # should've been inherited from the parent dir since not set explicitly + - file_explicit_context.secontext == 'system_u:system_r:user_tmp_t:s0' and file_explicit_context.secontext in explicit_context_output.stdout + - tempdir_altered.secontext == 'system_u:system_r:user_tmp_t:s0' and tempdir_altered.secontext in tempdir_altered_context_output.stdout + # the one with reset defaults should match the original tempdir context, not the altered one (ie, it was set by the original policy context, not inherited from the parent dir) + - file_default_context.secontext == expected_default_context.stdout_lines[0] |