selinux: return selinux_getpolicytype facts (#73609)
* selinux: return selinux_getpolicytype facts Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> * add basic selinux facts tests * fix selinux facts test when selinux missing Co-authored-by: Matt Davis <mrd@redhat.com>
parent
e7e3c12ad2
commit
6cb324bb0e
4 changed files with 45 additions and 1 deletions
2
changelogs/fragments/selinux_getpolicytype_compat.yml
Normal file
@ -0,0 +1,2 @@
minor_changes:
- selinux - return selinux_getpolicytype facts correctly.
@ -44,7 +44,8 @@ def _module_setup():
security_policyvers={},
security_policyvers={},
selinux_getenforcemode=dict(argtypes=[POINTER(c_int)]),
selinux_getenforcemode=dict(argtypes=[POINTER(c_int)]),
security_getenforce={},
security_getenforce={},
lsetfilecon=dict(argtypes=[_to_char_p, _to_char_p], restype=_check_rc)
lsetfilecon=dict(argtypes=[_to_char_p, _to_char_p], restype=_check_rc),
selinux_getpolicytype=dict(argtypes=[POINTER(c_char_p)], restype=_check_rc),
)
)
_thismod = sys.modules[__name__]
_thismod = sys.modules[__name__]
@ -79,6 +80,15 @@ def selinux_getenforcemode():
return [rc, enforcemode.value]
return [rc, enforcemode.value]
def selinux_getpolicytype():
con = c_char_p()
try:
rc = _selinux_lib.selinux_getpolicytype(byref(con))
return [rc, to_native(con.value)]
finally:
_selinux_lib.freecon(con)
def lgetfilecon_raw(path):
def lgetfilecon_raw(path):
con = c_char_p()
con = c_char_p()
try:
try:
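Review bot: selinux_getpolicytype() has no docstring, and the `_selinux_lib.freecon(con)` in its finally block releases a buffer that libselinux documents as to be released with free(3), which is correct only because freecon is a plain wrapper around free in libselinux and free accepts the NULL that con still holds if the call failed. Add a docstring such as `"""Return [rc, policy_type] for the currently loaded SELinux policy (e.g. 'targeted'); a failing return code is expected to be turned into an exception by _check_rc."""` and a why-comment above the cleanup, `# selinux_getpolicytype() mallocs the string; freecon() is free() in libselinux and tolerates the NULL left behind on failure`. The restype=_check_rc entry lives in the signature-table hunk above and _check_rc itself is outside this diff, so the failure semantics stated in the docstring should be confirmed against that helper before landing.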
@ -1 +1,6 @@
shippable/posix/group1
shippable/posix/group1
skip/aix
skip/osx
skip/macos
skip/freebsd
skip/docker
@ -5,6 +5,33 @@
ignore_errors: yes
ignore_errors: yes
register: selinux_state
register: selinux_state
- name: explicitly collect selinux facts
setup:
gather_subset:
- '!all'
- '!any'
- selinux
register: selinux_facts
- set_fact:
selinux_policytype: "unknown"
- name: check selinux policy type
shell: grep '^SELINUXTYPE=' /etc/selinux/config | cut -d'=' -f2
register: r
- set_fact:
selinux_policytype: "{{ r.stdout_lines[0] }}"
when: r.changed
- assert:
that:
- selinux_facts is success and selinux_facts.ansible_facts.ansible_selinux is defined
- (selinux_facts.ansible_facts.ansible_selinux.status in ['disabled', 'Missing selinux Python library'] if selinux_state is not success else True)
- (selinux_facts.ansible_facts.ansible_selinux.status == 'enabled' if selinux_state is success else True)
- (selinux_facts.ansible_facts.ansible_selinux.mode in ['enforcing', 'permissive'] if selinux_state is success else True)
- (selinux_facts.ansible_facts.ansible_selinux.type == selinux_policytype if selinux_state is success else True)
- name: run selinux tests
- name: run selinux tests
include_tasks: selinux.yml
include_tasks: selinux.yml
when: selinux_state is success
when: selinux_state is success
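Review bot: The `when: r.changed` guard on the set_fact following the "check selinux policy type" task never skips anything, because the shell module always reports changed, so when /etc/selinux/config is absent or has no SELINUXTYPE= line the pipeline still exits 0 (cut runs last and no pipefail is set), r.stdout_lines is empty and `{{ r.stdout_lines[0] }}` errors out instead of leaving selinux_policytype at its "unknown" default. Change the guard to `when: r.rc == 0 and r.stdout_lines | length > 0` so that case falls through to "unknown" and fails the final assert with a readable message rather than a templating error. The last assert compares the runtime policy type reported by libselinux against the configured SELINUXTYPE, which can legitimately differ on a host whose config was edited without a reboot; a one-line comment on that assert stating the assumption would help whoever hits the failure.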