|
|
@ -43,16 +43,21 @@ class TestSELinuxMU:
|
|
|
|
with patch.object(basic, 'HAVE_SELINUX', False):
|
|
|
|
with patch.object(basic, 'HAVE_SELINUX', False):
|
|
|
|
assert no_args_module().selinux_enabled() is False
|
|
|
|
assert no_args_module().selinux_enabled() is False
|
|
|
|
|
|
|
|
|
|
|
|
# test selinux present/not-enabled
|
|
|
|
# test selinux present/not-enabled
|
|
|
|
disabled_mod = no_args_module()
|
|
|
|
disabled_mod = no_args_module()
|
|
|
|
with patch('ansible.module_utils.compat.selinux.is_selinux_enabled', return_value=0):
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
assert disabled_mod.selinux_enabled() is False
|
|
|
|
selinux.is_selinux_enabled.return_value = 0
|
|
|
|
|
|
|
|
assert disabled_mod.selinux_enabled() is False
|
|
|
|
|
|
|
|
|
|
|
|
# ensure value is cached (same answer after unpatching)
|
|
|
|
# ensure value is cached (same answer after unpatching)
|
|
|
|
assert disabled_mod.selinux_enabled() is False
|
|
|
|
assert disabled_mod.selinux_enabled() is False
|
|
|
|
|
|
|
|
|
|
|
|
# and present / enabled
|
|
|
|
# and present / enabled
|
|
|
|
enabled_mod = no_args_module()
|
|
|
|
with patch.object(basic, 'HAVE_SELINUX', True):
|
|
|
|
with patch('ansible.module_utils.compat.selinux.is_selinux_enabled', return_value=1):
|
|
|
|
enabled_mod = no_args_module()
|
|
|
|
assert enabled_mod.selinux_enabled() is True
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
|
|
|
|
selinux.is_selinux_enabled.return_value = 1
|
|
|
|
|
|
|
|
assert enabled_mod.selinux_enabled() is True
|
|
|
|
# ensure value is cached (same answer after unpatching)
|
|
|
|
# ensure value is cached (same answer after unpatching)
|
|
|
|
assert enabled_mod.selinux_enabled() is True
|
|
|
|
assert enabled_mod.selinux_enabled() is True
|
|
|
|
|
|
|
|
|
|
|
@ -60,12 +65,16 @@ class TestSELinuxMU:
|
|
|
|
# selinux unavailable, should return false
|
|
|
|
# selinux unavailable, should return false
|
|
|
|
with patch.object(basic, 'HAVE_SELINUX', False):
|
|
|
|
with patch.object(basic, 'HAVE_SELINUX', False):
|
|
|
|
assert no_args_module().selinux_mls_enabled() is False
|
|
|
|
assert no_args_module().selinux_mls_enabled() is False
|
|
|
|
# selinux disabled, should return false
|
|
|
|
# selinux disabled, should return false
|
|
|
|
with patch('ansible.module_utils.compat.selinux.is_selinux_mls_enabled', return_value=0):
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
assert no_args_module(selinux_enabled=False).selinux_mls_enabled() is False
|
|
|
|
selinux.is_selinux_mls_enabled.return_value = 0
|
|
|
|
# selinux enabled, should pass through the value of is_selinux_mls_enabled
|
|
|
|
assert no_args_module(selinux_enabled=False).selinux_mls_enabled() is False
|
|
|
|
with patch('ansible.module_utils.compat.selinux.is_selinux_mls_enabled', return_value=1):
|
|
|
|
|
|
|
|
assert no_args_module(selinux_enabled=True).selinux_mls_enabled() is True
|
|
|
|
with patch.object(basic, 'HAVE_SELINUX', True):
|
|
|
|
|
|
|
|
# selinux enabled, should pass through the value of is_selinux_mls_enabled
|
|
|
|
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
|
|
|
|
selinux.is_selinux_mls_enabled.return_value = 1
|
|
|
|
|
|
|
|
assert no_args_module(selinux_enabled=True).selinux_mls_enabled() is True
|
|
|
|
|
|
|
|
|
|
|
|
def test_selinux_initial_context(self):
|
|
|
|
def test_selinux_initial_context(self):
|
|
|
|
# selinux missing/disabled/enabled sans MLS is 3-element None
|
|
|
|
# selinux missing/disabled/enabled sans MLS is 3-element None
|
|
|
@ -80,16 +89,19 @@ class TestSELinuxMU:
|
|
|
|
assert no_args_module().selinux_default_context(path='/foo/bar') == [None, None, None]
|
|
|
|
assert no_args_module().selinux_default_context(path='/foo/bar') == [None, None, None]
|
|
|
|
|
|
|
|
|
|
|
|
am = no_args_module(selinux_enabled=True, selinux_mls_enabled=True)
|
|
|
|
am = no_args_module(selinux_enabled=True, selinux_mls_enabled=True)
|
|
|
|
# matchpathcon success
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
with patch('ansible.module_utils.compat.selinux.matchpathcon', return_value=[0, 'unconfined_u:object_r:default_t:s0']):
|
|
|
|
# matchpathcon success
|
|
|
|
|
|
|
|
selinux.matchpathcon.return_value = [0, 'unconfined_u:object_r:default_t:s0']
|
|
|
|
assert am.selinux_default_context(path='/foo/bar') == ['unconfined_u', 'object_r', 'default_t', 's0']
|
|
|
|
assert am.selinux_default_context(path='/foo/bar') == ['unconfined_u', 'object_r', 'default_t', 's0']
|
|
|
|
|
|
|
|
|
|
|
|
# matchpathcon fail (return initial context value)
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
with patch('ansible.module_utils.compat.selinux.matchpathcon', return_value=[-1, '']):
|
|
|
|
# matchpathcon fail (return initial context value)
|
|
|
|
|
|
|
|
selinux.matchpathcon.return_value = [-1, '']
|
|
|
|
assert am.selinux_default_context(path='/foo/bar') == [None, None, None, None]
|
|
|
|
assert am.selinux_default_context(path='/foo/bar') == [None, None, None, None]
|
|
|
|
|
|
|
|
|
|
|
|
# matchpathcon OSError
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
with patch('ansible.module_utils.compat.selinux.matchpathcon', side_effect=OSError):
|
|
|
|
# matchpathcon OSError
|
|
|
|
|
|
|
|
selinux.matchpathcon.side_effect = OSError
|
|
|
|
assert am.selinux_default_context(path='/foo/bar') == [None, None, None, None]
|
|
|
|
assert am.selinux_default_context(path='/foo/bar') == [None, None, None, None]
|
|
|
|
|
|
|
|
|
|
|
|
def test_selinux_context(self):
|
|
|
|
def test_selinux_context(self):
|
|
|
@ -99,19 +111,23 @@ class TestSELinuxMU:
|
|
|
|
|
|
|
|
|
|
|
|
am = no_args_module(selinux_enabled=True, selinux_mls_enabled=True)
|
|
|
|
am = no_args_module(selinux_enabled=True, selinux_mls_enabled=True)
|
|
|
|
# lgetfilecon_raw passthru
|
|
|
|
# lgetfilecon_raw passthru
|
|
|
|
with patch('ansible.module_utils.compat.selinux.lgetfilecon_raw', return_value=[0, 'unconfined_u:object_r:default_t:s0']):
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
|
|
|
|
selinux.lgetfilecon_raw.return_value = [0, 'unconfined_u:object_r:default_t:s0']
|
|
|
|
assert am.selinux_context(path='/foo/bar') == ['unconfined_u', 'object_r', 'default_t', 's0']
|
|
|
|
assert am.selinux_context(path='/foo/bar') == ['unconfined_u', 'object_r', 'default_t', 's0']
|
|
|
|
|
|
|
|
|
|
|
|
# lgetfilecon_raw returned a failure
|
|
|
|
# lgetfilecon_raw returned a failure
|
|
|
|
with patch('ansible.module_utils.compat.selinux.lgetfilecon_raw', return_value=[-1, '']):
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
|
|
|
|
selinux.lgetfilecon_raw.return_value = [-1, '']
|
|
|
|
assert am.selinux_context(path='/foo/bar') == [None, None, None, None]
|
|
|
|
assert am.selinux_context(path='/foo/bar') == [None, None, None, None]
|
|
|
|
|
|
|
|
|
|
|
|
# lgetfilecon_raw OSError (should bomb the module)
|
|
|
|
# lgetfilecon_raw OSError (should bomb the module)
|
|
|
|
with patch('ansible.module_utils.compat.selinux.lgetfilecon_raw', side_effect=OSError(errno.ENOENT, 'NotFound')):
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
|
|
|
|
selinux.lgetfilecon_raw.side_effect = OSError(errno.ENOENT, 'NotFound')
|
|
|
|
with pytest.raises(SystemExit):
|
|
|
|
with pytest.raises(SystemExit):
|
|
|
|
am.selinux_context(path='/foo/bar')
|
|
|
|
am.selinux_context(path='/foo/bar')
|
|
|
|
|
|
|
|
|
|
|
|
with patch('ansible.module_utils.compat.selinux.lgetfilecon_raw', side_effect=OSError()):
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
|
|
|
|
selinux.lgetfilecon_raw.side_effect = OSError()
|
|
|
|
with pytest.raises(SystemExit):
|
|
|
|
with pytest.raises(SystemExit):
|
|
|
|
am.selinux_context(path='/foo/bar')
|
|
|
|
am.selinux_context(path='/foo/bar')
|
|
|
|
|
|
|
|
|
|
|
@ -166,25 +182,29 @@ class TestSELinuxMU:
|
|
|
|
am.selinux_context = lambda path: ['bar_u', 'bar_r', None, None]
|
|
|
|
am.selinux_context = lambda path: ['bar_u', 'bar_r', None, None]
|
|
|
|
am.is_special_selinux_path = lambda path: (False, None)
|
|
|
|
am.is_special_selinux_path = lambda path: (False, None)
|
|
|
|
|
|
|
|
|
|
|
|
with patch('ansible.module_utils.compat.selinux.lsetfilecon', return_value=0) as m:
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
|
|
|
|
selinux.lsetfilecon.return_value = 0
|
|
|
|
assert am.set_context_if_different('/path/to/file', ['foo_u', 'foo_r', 'foo_t', 's0'], False) is True
|
|
|
|
assert am.set_context_if_different('/path/to/file', ['foo_u', 'foo_r', 'foo_t', 's0'], False) is True
|
|
|
|
m.assert_called_with('/path/to/file', 'foo_u:foo_r:foo_t:s0')
|
|
|
|
selinux.lsetfilecon.assert_called_with('/path/to/file', 'foo_u:foo_r:foo_t:s0')
|
|
|
|
m.reset_mock()
|
|
|
|
selinux.lsetfilecon.reset_mock()
|
|
|
|
am.check_mode = True
|
|
|
|
am.check_mode = True
|
|
|
|
assert am.set_context_if_different('/path/to/file', ['foo_u', 'foo_r', 'foo_t', 's0'], False) is True
|
|
|
|
assert am.set_context_if_different('/path/to/file', ['foo_u', 'foo_r', 'foo_t', 's0'], False) is True
|
|
|
|
assert not m.called
|
|
|
|
assert not selinux.lsetfilecon.called
|
|
|
|
am.check_mode = False
|
|
|
|
am.check_mode = False
|
|
|
|
|
|
|
|
|
|
|
|
with patch('ansible.module_utils.compat.selinux.lsetfilecon', return_value=1):
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
|
|
|
|
selinux.lsetfilecon.return_value = 1
|
|
|
|
with pytest.raises(SystemExit):
|
|
|
|
with pytest.raises(SystemExit):
|
|
|
|
am.set_context_if_different('/path/to/file', ['foo_u', 'foo_r', 'foo_t', 's0'], True)
|
|
|
|
am.set_context_if_different('/path/to/file', ['foo_u', 'foo_r', 'foo_t', 's0'], True)
|
|
|
|
|
|
|
|
|
|
|
|
with patch('ansible.module_utils.compat.selinux.lsetfilecon', side_effect=OSError):
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
|
|
|
|
selinux.lsetfilecon.side_effect = OSError
|
|
|
|
with pytest.raises(SystemExit):
|
|
|
|
with pytest.raises(SystemExit):
|
|
|
|
am.set_context_if_different('/path/to/file', ['foo_u', 'foo_r', 'foo_t', 's0'], True)
|
|
|
|
am.set_context_if_different('/path/to/file', ['foo_u', 'foo_r', 'foo_t', 's0'], True)
|
|
|
|
|
|
|
|
|
|
|
|
am.is_special_selinux_path = lambda path: (True, ['sp_u', 'sp_r', 'sp_t', 's0'])
|
|
|
|
am.is_special_selinux_path = lambda path: (True, ['sp_u', 'sp_r', 'sp_t', 's0'])
|
|
|
|
|
|
|
|
|
|
|
|
with patch('ansible.module_utils.compat.selinux.lsetfilecon', return_value=0) as m:
|
|
|
|
with patch.object(basic, 'selinux', create=True) as selinux:
|
|
|
|
|
|
|
|
selinux.lsetfilecon.return_value = 0
|
|
|
|
assert am.set_context_if_different('/path/to/file', ['foo_u', 'foo_r', 'foo_t', 's0'], False) is True
|
|
|
|
assert am.set_context_if_different('/path/to/file', ['foo_u', 'foo_r', 'foo_t', 's0'], False) is True
|
|
|
|
m.assert_called_with('/path/to/file', 'sp_u:sp_r:sp_t:s0')
|
|
|
|
selinux.lsetfilecon.assert_called_with('/path/to/file', 'sp_u:sp_r:sp_t:s0')
|
|
|
|
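Review bot: In the first hunk the "present/not-enabled" case (`disabled_mod`, `selinux.is_selinux_enabled.return_value = 0`) does not pin `HAVE_SELINUX`, while the "present / enabled" case is now wrapped in `with patch.object(basic, 'HAVE_SELINUX', True):`. The opening assertion of the same test shows that `HAVE_SELINUX` False already yields False, so on a host without the selinux bindings this case would presumably pass without ever consulting the mocked `is_selinux_enabled`. Putting the `disabled_mod = no_args_module()` line and its `with patch.object(basic, 'selinux', create=True)` block under the same `with patch.object(basic, 'HAVE_SELINUX', True):` wrapper would make it exercise the branch the comment names. The "selinux disabled" MLS case in the second hunk has the same shape and looks worth the same treatment. The test method's `def` line lies outside the hunk, so this is judged from the visible lines only.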