From 4a8f0c2b240ffccde5018d2de1166e6c22daa500 Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Mon, 22 Mar 2021 17:13:26 -0600 Subject: [PATCH] add tags; fix cleanup task --- tests/set_selinux_variables.yml | 8 ++++++ tests/tests_all_purge.yml | 6 ++++- tests/tests_all_transitions.yml | 2 ++ tests/tests_boolean.yml | 3 ++- tests/tests_fcontext.yml | 2 +- tests/tests_login.yml | 2 +- tests/tests_port.yml | 2 +- tests/tests_selinux_disabled.yml | 45 +++++++++++++++++++++----------- 8 files changed, 50 insertions(+), 20 deletions(-) diff --git a/tests/set_selinux_variables.yml b/tests/set_selinux_variables.yml index 05f0c88..3446647 100644 --- a/tests/set_selinux_variables.yml +++ b/tests/set_selinux_variables.yml @@ -1,4 +1,12 @@ --- +- name: Install SELinux tool semanage on Fedora + package: + name: + - policycoreutils-python-utils + state: present + when: ansible_distribution == "Fedora" or + ( ansible_distribution_major_version > "7" and + ( ansible_distribution == "CentOS" or ansible_distribution == "RedHat" )) - name: Get local modifications - boolean command: /usr/sbin/semanage boolean -l -n -C changed_when: false diff --git a/tests/tests_all_purge.yml b/tests/tests_all_purge.yml index 40e933b..4688994 100644 --- a/tests/tests_all_purge.yml +++ b/tests/tests_all_purge.yml @@ -8,13 +8,17 @@ fcontext -a -t user_home_dir_t /tmp/test_dir login -a -s staff_u sar-user + tags: + - 'tests::avc' tasks: - name: Install SELinux tool semanage on Fedora package: name: - policycoreutils-python-utils state: present - when: ansible_distribution == "Fedora" + when: ansible_distribution == "Fedora" or + ( ansible_distribution_major_version > "7" and + ( ansible_distribution == "CentOS" or ansible_distribution == "RedHat" )) - name: Add a Linux System Roles SELinux User user: diff --git a/tests/tests_all_transitions.yml b/tests/tests_all_transitions.yml index acd37ad..20f96c4 100644 --- a/tests/tests_all_transitions.yml +++ b/tests/tests_all_transitions.yml 
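Review bot: The new `when:` in tests/set_selinux_variables.yml compares `ansible_distribution_major_version > "7"` as strings, so the test is lexicographic: "8" and "9" pass, but "10" sorts before "7" and the semanage package would be skipped on a CentOS/RedHat 10 host. Compare numerically instead, e.g. `ansible_distribution_major_version | int > 7` or `ansible_distribution_major_version is version('8', '>=')`. The same condition is repeated in the tests/tests_all_purge.yml hunk and the first tests/tests_selinux_disabled.yml hunk, so it needs the same fix there. The task name still reads "Install SELinux tool semanage on Fedora" although it now also covers CentOS and RedHat; something like `- name: Install SELinux tool semanage` would match the condition.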
@@ -1,6 +1,8 @@ - name: Test all the possible selinux_state transitions hosts: all become: true + tags: + - 'tests::reboot' vars: states: - permissive diff --git a/tests/tests_boolean.yml b/tests/tests_boolean.yml index 368e8dc..966abe4 100644 --- a/tests/tests_boolean.yml +++ b/tests/tests_boolean.yml @@ -1,4 +1,5 @@ - name: Check if selinux role sets SELinux booleans + tags: tests::expfail hosts: all become: true @@ -11,7 +12,7 @@ selinux_booleans: - { name: 'samba_enable_home_dirs', state: 'on', persistent: 'yes' } - - include: set_selinux_variables.yml + - import_tasks: set_selinux_variables.yml - name: save state after initial changes and before other changes set_fact: boolean_before: "{{ selinux_role_boolean.stdout_lines }}" diff --git a/tests/tests_fcontext.yml b/tests/tests_fcontext.yml index b96b07a..aa1e1fa 100644 --- a/tests/tests_fcontext.yml +++ b/tests/tests_fcontext.yml @@ -13,7 +13,7 @@ - { target: '/tmp/test_dir1(/.*)?', setype: 'user_home_dir_t', ftype: 'd' } - - include: set_selinux_variables.yml + - import_tasks: set_selinux_variables.yml - name: save state after initial changes and before other changes set_fact: fcontext_before: "{{ selinux_role_fcontext.stdout }}" diff --git a/tests/tests_login.yml b/tests/tests_login.yml index 67c6a9f..4ce8a0b 100644 --- a/tests/tests_login.yml +++ b/tests/tests_login.yml @@ -17,7 +17,7 @@ - { login: 'sar-user', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' } - - include: set_selinux_variables.yml + - import_tasks: set_selinux_variables.yml - name: save state after initial changes and before other changes set_fact: login_before: "{{ selinux_role_login.stdout }}" diff --git a/tests/tests_port.yml b/tests/tests_port.yml index 5b651b0..4172dcb 100644 --- a/tests/tests_port.yml +++ b/tests/tests_port.yml 
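Review bot: In tests/tests_boolean.yml the play is tagged `tags: tests::expfail` with no comment saying why; presumably this marks the boolean test as an expected failure. If so, a real regression in how the role sets SELinux booleans could go unnoticed while the tag stays in place. Add a comment above it recording the reason and when it can be removed, e.g. `# expected to fail: <reason / tracking issue>`. The tag is also written as a bare scalar, whereas the other plays in this patch use a quoted list (`- 'tests::avc'`); using one form would keep the tag lines greppable.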
@@ -29,7 +29,7 @@ - { ports: '22022', proto: 'tcp', setype: 'ssh_port_t', state: 'present' } - - include: set_selinux_variables.yml + - import_tasks: set_selinux_variables.yml - name: save state after other changes set_fact: port_after: "{{ selinux_role_port.stdout }}" diff --git a/tests/tests_selinux_disabled.yml b/tests/tests_selinux_disabled.yml index a0dbaeb..4d896a0 100644 --- a/tests/tests_selinux_disabled.yml +++ b/tests/tests_selinux_disabled.yml @@ -11,13 +11,17 @@ fcontext -a -t user_home_dir_t /tmp/test_dir login -a -s staff_u sar-user + tags: + - 'tests::avc' tasks: - name: Install SELinux tool semanage on Fedora package: name: - policycoreutils-python-utils state: present - when: ansible_distribution == "Fedora" + when: ansible_distribution == "Fedora" or + ( ansible_distribution_major_version > "7" and + ( ansible_distribution == "CentOS" or ansible_distribution == "RedHat" )) - name: Add a Linux System Roles SELinux User user: 
@@ -80,18 +84,29 @@ that: "{{ ansible_selinux.config_mode == 'enforcing' }}" msg: "SELinux config mode should be enforcing instead of {{ ansible_selinux.config_mode }}" - - name: Restore original /etc/selinux/config - copy: - remote_src: true - dest: /etc/selinux/config - src: /etc/selinux/config.test_selinux_disabled - mode: preserve - - name: Remove /etc/selinux/config backup - file: - path: /etc/selinux/config.test_selinux_disabled - state: absent - - name: Remove Linux System Roles SELinux User - user: - name: sar-user - remove: yes - state: absent + + - name: Cleanup + tags: [ 'tests::cleanup' ] + block: + - name: Restore original /etc/selinux/config + copy: + remote_src: true + dest: /etc/selinux/config + src: /etc/selinux/config.test_selinux_disabled + mode: preserve + + - name: Remove /etc/selinux/config backup + file: + path: /etc/selinux/config.test_selinux_disabled + state: absent + + - name: Remove Linux System Roles SELinux User + user: + name: sar-user + remove: yes + state: absent + + - import_role: + name: linux-system-roles.selinux + vars: + selinux_all_purge: true
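Review bot: The new "Cleanup" block in tests/tests_selinux_disabled.yml still runs only if every task before it succeeds, so a failed assert (such as the config_mode check just above it) ends the play before `/etc/selinux/config` is restored and `sar-user` is removed. That leaves the host with the test's SELinux configuration and an extra account. Consider putting the test tasks in a `block:` and moving these cleanup tasks under its `always:` section, keeping the `tests::cleanup` tag on them. The test tasks start outside this hunk, so the exact wrapping has to be checked against the full file. `remove: yes` would also read better as `remove: true`, matching `remote_src: true` in the same block.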