From 6cb324bb0e8fd8b85993e825dfef68d79156c2f0 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Tue, 2 Mar 2021 00:41:09 +0530 Subject: [PATCH] selinux: return selinux_getpolicytype facts (#73609) * selinux: return selinux_getpolicytype facts Signed-off-by: Abhijeet Kasurde * add basic selinux facts tests * fix selinux facts test when selinux missing Co-authored-by: Matt Davis
---
 .../selinux_getpolicytype_compat.yml | 2 ++ lib/ansible/module_utils/compat/selinux.py | 12 ++++++++- .../targets/module_utils_selinux/aliases | 5 ++++ .../module_utils_selinux/tasks/main.yml | 27 +++++++++++++++++++ 4 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 changelogs/fragments/selinux_getpolicytype_compat.yml
diff --git a/changelogs/fragments/selinux_getpolicytype_compat.yml b/changelogs/fragments/selinux_getpolicytype_compat.yml
new file mode 100644
index 00000000000..b2af1df78a3
--- /dev/null
+++ b/changelogs/fragments/selinux_getpolicytype_compat.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- selinux - return selinux_getpolicytype facts correctly.
diff --git a/lib/ansible/module_utils/compat/selinux.py b/lib/ansible/module_utils/compat/selinux.py
index cf1a599631e..7191713c157 100644
--- a/lib/ansible/module_utils/compat/selinux.py
+++ b/lib/ansible/module_utils/compat/selinux.py
@@ -44,7 +44,8 @@ def _module_setup():
         security_policyvers={},
         selinux_getenforcemode=dict(argtypes=[POINTER(c_int)]),
         security_getenforce={},
-        lsetfilecon=dict(argtypes=[_to_char_p, _to_char_p], restype=_check_rc)
+        lsetfilecon=dict(argtypes=[_to_char_p, _to_char_p], restype=_check_rc),
+        selinux_getpolicytype=dict(argtypes=[POINTER(c_char_p)], restype=_check_rc),
     )
 
     _thismod = sys.modules[__name__]
@@ -79,6 +80,15 @@ def selinux_getenforcemode():
     return [rc, enforcemode.value]
 
 
+def selinux_getpolicytype():
+    con = c_char_p()
+    try:
+        rc = _selinux_lib.selinux_getpolicytype(byref(con))
+        return [rc, to_native(con.value)]
+    finally:
+        _selinux_lib.freecon(con)
+
+
 def lgetfilecon_raw(path):
     con = c_char_p()
     try:
diff --git a/test/integration/targets/module_utils_selinux/aliases b/test/integration/targets/module_utils_selinux/aliases
index a6dafcf8cd8..aab3ff52ebb 100644
--- a/test/integration/targets/module_utils_selinux/aliases
+++ b/test/integration/targets/module_utils_selinux/aliases
@@ -1 +1,6 @@
 shippable/posix/group1
+skip/aix
+skip/osx
+skip/macos
+skip/freebsd
+skip/docker
diff --git a/test/integration/targets/module_utils_selinux/tasks/main.yml b/test/integration/targets/module_utils_selinux/tasks/main.yml
index ed2d4f0163c..c599377b643 100644
--- a/test/integration/targets/module_utils_selinux/tasks/main.yml
+++ b/test/integration/targets/module_utils_selinux/tasks/main.yml
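Review bot: selinux_getpolicytype has no docstring, and its return contract deserves one because the binding is registered with `restype=_check_rc` in the previous hunk: a failing libselinux call presumably raises inside the try rather than coming back as a negative rc, so the `rc` element of `[rc, to_native(con.value)]` exists only to mirror the `[rc, policytype]` shape of the libselinux Python binding. I would add `"""Return [rc, policytype] like the libselinux binding; a failing call is raised by _check_rc, so rc is only ever the success value."""` directly under the def. The `finally: _selinux_lib.freecon(con)` also runs when the call raised and `con` was never filled in, which is only safe because libselinux's freecon is, as far as I know, a plain free(3) that accepts NULL; a comment such as `# freecon(NULL) is a no-op, so this is safe even when the call above raised` would stop a later maintainer swapping in a helper that is not NULL-safe. The whole function lies inside the hunk.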
@@ -5,6 +5,33 @@
     ignore_errors: yes
     register: selinux_state
 
+- name: explicitly collect selinux facts
+  setup:
+    gather_subset:
+      - '!all'
+      - '!any'
+      - selinux
+  register: selinux_facts
+
+- set_fact:
+    selinux_policytype: "unknown"
+
+- name: check selinux policy type
+  shell: grep '^SELINUXTYPE=' /etc/selinux/config | cut -d'=' -f2
+  register: r
+
+- set_fact:
+    selinux_policytype: "{{ r.stdout_lines[0] }}"
+  when: r.changed
+
+- assert:
+    that:
+      - selinux_facts is success and selinux_facts.ansible_facts.ansible_selinux is defined
+      - (selinux_facts.ansible_facts.ansible_selinux.status in ['disabled', 'Missing selinux Python library'] if selinux_state is not success else True)
+      - (selinux_facts.ansible_facts.ansible_selinux.status == 'enabled' if selinux_state is success else True)
+      - (selinux_facts.ansible_facts.ansible_selinux.mode in ['enforcing', 'permissive'] if selinux_state is success else True)
+      - (selinux_facts.ansible_facts.ansible_selinux.type == selinux_policytype if selinux_state is success else True)
+
 - name: run selinux tests
   include_tasks: selinux.yml
   when: selinux_state is success
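Review bot: The second `set_fact`, guarded by `when: r.changed`, will fail on a Linux host that has no `/etc/selinux/config`, which is exactly the host class the assert's `selinux_state is not success` branch is written to tolerate: `shell` reports changed on every run, and without pipefail the pipeline's exit status is `cut`'s rather than `grep`'s, so the task succeeds with empty output and `r.stdout_lines[0]` then errors on an empty list before the assert is reached. Guard on the output rather than on changed-ness, `when: r.rc == 0 and r.stdout_lines | length > 0`, and add `failed_when: false` to the `check selinux policy type` task so a missing config file can never abort the play. The `type == selinux_policytype` assertion is already conditioned on `selinux_state is success`, so the `unknown` fallback remains harmless on such hosts. All of these tasks are inside the hunk.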