selinux: return selinux_getpolicytype facts (#73609)

* selinux: return selinux_getpolicytype facts

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>

* add basic selinux facts tests

* fix selinux facts test when selinux missing

Co-authored-by: Matt Davis <mrd@redhat.com>
This commit is contained in:
Abhijeet Kasurde 2021-03-02 00:41:09 +05:30 committed by GitHub
parent e7e3c12ad2
commit 6cb324bb0e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 45 additions and 1 deletions


@ -0,0 +1,2 @@
minor_changes:
- selinux - return selinux_getpolicytype facts correctly.


@ -44,7 +44,8 @@ def _module_setup():
security_policyvers={}, security_policyvers={},
selinux_getenforcemode=dict(argtypes=[POINTER(c_int)]), selinux_getenforcemode=dict(argtypes=[POINTER(c_int)]),
security_getenforce={}, security_getenforce={},
lsetfilecon=dict(argtypes=[_to_char_p, _to_char_p], restype=_check_rc) lsetfilecon=dict(argtypes=[_to_char_p, _to_char_p], restype=_check_rc),
selinux_getpolicytype=dict(argtypes=[POINTER(c_char_p)], restype=_check_rc),
) )
_thismod = sys.modules[__name__] _thismod = sys.modules[__name__]
@ -79,6 +80,15 @@ def selinux_getenforcemode():
return [rc, enforcemode.value] return [rc, enforcemode.value]
def selinux_getpolicytype():
con = c_char_p()
try:
rc = _selinux_lib.selinux_getpolicytype(byref(con))
return [rc, to_native(con.value)]
finally:
_selinux_lib.freecon(con)
def lgetfilecon_raw(path): def lgetfilecon_raw(path):
con = c_char_p() con = c_char_p()
try: try:
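Review bot: The new `selinux_getpolicytype` at the top of the second hunk calls `to_native(con.value)` unconditionally, but when the libselinux call fails `con` is still a NULL pointer, so `con.value` is `None` and `to_native` would produce the literal string `'None'`, which would then surface as the policy type in facts. Whether that path is reachable depends on `_check_rc` (bound as `restype` on the new L33 entry but defined outside the hunk) raising on a non-zero return; if it can let a failure through, guard the decode: `return [rc, to_native(con.value) if con.value is not None else None]`. A one-line docstring such as `"""Return [rc, policy_type] for the loaded SELinux policy; mirrors selinux.selinux_getpolicytype()."""` would also help, since the `[rc, value]` list shape is otherwise only implied by the sibling `selinux_getenforcemode` in the context lines. `lgetfilecon_raw` continues past the end of the hunk.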


@ -1 +1,6 @@
shippable/posix/group1 shippable/posix/group1
skip/aix
skip/osx
skip/macos
skip/freebsd
skip/docker


@ -5,6 +5,33 @@
ignore_errors: yes ignore_errors: yes
register: selinux_state register: selinux_state
- name: explicitly collect selinux facts
setup:
gather_subset:
- '!all'
- '!any'
- selinux
register: selinux_facts
- set_fact:
selinux_policytype: "unknown"
- name: check selinux policy type
shell: grep '^SELINUXTYPE=' /etc/selinux/config | cut -d'=' -f2
register: r
- set_fact:
selinux_policytype: "{{ r.stdout_lines[0] }}"
when: r.changed
- assert:
that:
- selinux_facts is success and selinux_facts.ansible_facts.ansible_selinux is defined
- (selinux_facts.ansible_facts.ansible_selinux.status in ['disabled', 'Missing selinux Python library'] if selinux_state is not success else True)
- (selinux_facts.ansible_facts.ansible_selinux.status == 'enabled' if selinux_state is success else True)
- (selinux_facts.ansible_facts.ansible_selinux.mode in ['enforcing', 'permissive'] if selinux_state is success else True)
- (selinux_facts.ansible_facts.ansible_selinux.type == selinux_policytype if selinux_state is success else True)
- name: run selinux tests - name: run selinux tests
include_tasks: selinux.yml include_tasks: selinux.yml
when: selinux_state is success when: selinux_state is success
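Review bot: The `when: r.changed` guard on the second `set_fact` is effectively always true, because a `shell` task reports changed whenever it runs, so it does not protect `r.stdout_lines[0]` from an empty result; with `grep` piped into `cut` the pipeline's exit status is `cut`'s, so a missing `/etc/selinux/config` or an absent `SELINUXTYPE=` line still gives `rc: 0` with empty output, and the index lookup then fails the play instead of leaving `selinux_policytype` at `"unknown"`. Gate on the output instead, `when: r.stdout_lines | length > 0`, and mark the read-only probe `changed_when: false` (adding `failed_when: false` would also keep an unreadable config file from aborting the test before the assertions that already tolerate the no-selinux case). The two `set_fact` tasks could also carry `name:` entries like their neighbours. The task list continues outside the hunk on both sides.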