From 438cd6687f825873751d03a509ff0b5f9744198b Mon Sep 17 00:00:00 2001 From: Dag Wieers Date: Wed, 30 Nov 2016 23:41:37 +0100 Subject: [PATCH] Added tests for sefcontext module --- test/integration/non_destructive.yml | 3 +- test/integration/targets/sefcontext/aliases | 2 + .../targets/sefcontext/tasks/main.yml | 28 +++++ .../targets/sefcontext/tasks/sefcontext.yml | 100 ++++++++++++++++++ 4 files changed, 132 insertions(+), 1 deletion(-) create mode 100644 test/integration/targets/sefcontext/aliases create mode 100644 test/integration/targets/sefcontext/tasks/main.yml create mode 100644 test/integration/targets/sefcontext/tasks/sefcontext.yml diff --git a/test/integration/non_destructive.yml b/test/integration/non_destructive.yml index e44bcdae72..2db57f497c 100644 --- a/test/integration/non_destructive.yml +++ b/test/integration/non_destructive.yml @@ -1,5 +1,5 @@ - hosts: testhost - gather_facts: True + gather_facts: yes roles: - { role: ping, tags: test_ping } - { role: special_vars, tags: test_special_vars } @@ -34,3 +34,4 @@ - { role: loops, tags: test_loops } - { role: mount, tags: [test_mount, needs_root, needs_privileged]} - { role: include_vars, tags: test_include_vars } + - { role: sefcontext, tags: [test_sefcontext, needs_root]} diff --git a/test/integration/targets/sefcontext/aliases b/test/integration/targets/sefcontext/aliases new file mode 100644 index 0000000000..53b32510a0 --- /dev/null +++ b/test/integration/targets/sefcontext/aliases @@ -0,0 +1,2 @@ +needs/root +posix/ci/group2 diff --git a/test/integration/targets/sefcontext/tasks/main.yml b/test/integration/targets/sefcontext/tasks/main.yml new file mode 100644 index 0000000000..bedbc70520 --- /dev/null +++ b/test/integration/targets/sefcontext/tasks/main.yml 
@@ -0,0 +1,28 @@
+# (c) 2016, Dag Wieers
+
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+
+# FIXME: Unfortunately ansible_selinux could be a boolean or a dictionary !
+- debug:
+ msg: SELinux is disabled
+ when: ansible_selinux is defined and ansible_selinux == False
+
+- debug:
+ msg: SELinux is {{ ansible_selinux.status }}
+ when: ansible_selinux is defined and ansible_selinux != False
+
+- include: sefcontext.yml
+ when: ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
diff --git a/test/integration/targets/sefcontext/tasks/sefcontext.yml b/test/integration/targets/sefcontext/tasks/sefcontext.yml
new file mode 100644
index 0000000000..9ce6cd8507
--- /dev/null
+++ b/test/integration/targets/sefcontext/tasks/sefcontext.yml
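Review bot: In tasks/main.yml the `include: sefcontext.yml` task is the only thing that runs the tests, and its `when:` skips it whenever `ansible_selinux` is undefined, `False`, or has a status other than 'enabled', so a run on such a host is reported as passing with nothing verified. The two `debug` tasks cover the boolean and dictionary cases but print nothing when the fact is undefined. I would add a comment above the include, `# All sefcontext tests are skipped unless SELinux is enabled on the target; a green run elsewhere verifies nothing`, and give both debug tasks a `name:` so the skip reason is visible in the play output.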
@@ -0,0 +1,100 @@
+# (c) 2016, Dag Wieers
+
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+
+- name: Ensure we start with a clean state
+ sefcontext:
+ path: '/tmp/foo/bar(/.*)?'
+ setype: httpd_sys_content_t
+ state: absent
+
+- name: Set SELinux file context of foo/bar
+ sefcontext:
+ path: '/tmp/foo/bar(/.*)?'
+ setype: httpd_sys_content_t
+ state: present
+ reload: no
+ register: first
+
+- assert:
+ that:
+ - first|changed
+ - first.setype == 'httpd_sys_content_t'
+
+- name: Set SELinux file context of foo/bar (again)
+ sefcontext:
+ path: '/tmp/foo/bar(/.*)?'
+ setype: httpd_sys_content_t
+ state: present
+ reload: no
+ register: second
+
+- assert:
+ that:
+ - not second|changed
+ - second.setype == 'httpd_sys_content_t'
+
+- name: Change SELinux file context of foo/bar
+ sefcontext:
+ path: '/tmp/foo/bar(/.*)?'
+ setype: unlabeled_t
+ state: present
+ reload: no
+ register: third
+
+- assert:
+ that:
+ - third|changed
+ - third.setype == 'unlabeled_t'
+
+- name: Change SELinux file context of foo/bar (again)
+ sefcontext:
+ path: '/tmp/foo/bar(/.*)?'
+ setype: unlabeled_t
+ state: present
+ reload: no
+ register: fourth
+
+- assert:
+ that:
+ - not fourth|changed
+ - fourth.setype == 'unlabeled_t'
+
+- name: Delete SELinux file context of foo/bar
+ sefcontext:
+ path: '/tmp/foo/bar(/.*)?'
+ setype: httpd_sys_content_t
+ state: absent
+ reload: no
+ register: fifth
+
+- assert:
+ that:
+ - fifth|changed
+ - fifth.setype == 'httpd_sys_content_t'
+
+- name: Delete SELinux file context of foo/bar (again)
+ sefcontext:
+ path: '/tmp/foo/bar(/.*)?'
+ setype: unlabeled_t
+ state: absent
+ reload: no
+ register: sixth
+
+- assert:
+ that:
+ - not sixth|changed
+ - sixth.setype == 'unlabeled_t'
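Review bot: Nothing in tasks/sefcontext.yml removes the `/tmp/foo/bar(/.*)?` file-context rule when one of the `assert` tasks fails, because the only cleanup is the "Delete SELinux file context of foo/bar" task near the end of the list. The role is wired into non_destructive.yml, yet a failed run would presumably leave a local rule labelling a path under /tmp as `httpd_sys_content_t` or `unlabeled_t` in the host's SELinux policy store. Nesting the existing tasks under `block:` and repeating the removal in `always:` keeps the host clean regardless of where the run stops. Separately, the first task ("Ensure we start with a clean state") omits `reload: no` while every other task sets it; that should be made consistent or explained in a comment.

```yaml
- block:
    # … unchanged: the existing sefcontext and assert tasks, indented under block …
  always:
    - name: Remove the test file context even when an assertion failed
      sefcontext:
        path: '/tmp/foo/bar(/.*)?'
        setype: httpd_sys_content_t
        state: absent
        reload: no
```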