def test_SELinuxContentScanner(current_actor_context, destructive_selinux_env):
    """Run the scanner actor in the destructive SELinux environment and check its messages.

    The ``destructive_selinux_env`` fixture is expected to have installed the
    ``TEST_MODULES`` and applied the ``SEMANAGE_COMMANDS`` before the actor
    runs (that set-up lives outside this function).
    """
    facts = SELinuxFacts(
        policy='targeted',
        mls_enabled=True,
        enabled=True,
        runtime_mode='enforcing',
        static_mode='enforcing',
    )
    current_actor_context.feed(facts)
    current_actor_context.run()

    modules = current_actor_context.consume(SELinuxModules)[0]
    api.current_logger().warning("Modules: %s", str(modules))
    assert modules

    # every module installed during test setup (other than those at priority
    # 100/200) must be reported back by the actor
    for priority, name in TEST_MODULES:
        if priority in ('100', '200'):
            continue
        assert find_module(modules, name, priority)

    rpms = current_actor_context.consume(SELinuxRequestRPMs)[0]
    assert rpms
    # modules with priority 200 should only originate in "<module_name>-selinux" rpms
    assert "mock1-selinux" in rpms.to_keep
    # mock1 contains a container related type
    assert "container-selinux" in rpms.to_install

    custom = current_actor_context.consume(SELinuxCustom)[0]
    assert custom
    # the second command contains a removed type and should be discarded
    discarded = SEMANAGE_COMMANDS[1]
    assert find_semanage_rule(custom.removed, discarded)
    # the rest of the commands should be reported (except for the last, which
    # shows up in modules instead)
    for kept in (SEMANAGE_COMMANDS[0], SEMANAGE_COMMANDS[2]):
        assert find_semanage_rule(custom.commands, kept)
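def get_selinux_status():
    """Collect the SELinux state of the running system into a SELinuxFacts message.

    Returns:
        ``SELinuxFacts`` with ``enabled``, ``mls_enabled``, ``runtime_mode``,
        ``static_mode`` and ``policy`` filled in, or ``None`` when the
        ``selinux`` python bindings cannot be imported (an error is reported
        through ``api.report_error`` in that case).
    """
    try:
        import selinux
    except ImportError:
        api.report_error(
            "SELinux Import Error",
            details="libselinux-python package must be installed.")
        return None

    # plain dict literal; the bindings return 1 for "yes"
    outdata = {
        'enabled': selinux.is_selinux_enabled() == 1,
        'mls_enabled': selinux.is_selinux_mls_enabled() == 1,
    }
    try:
        # security_getenforce(): 1 means enforcing, anything else is treated as permissive
        outdata['runtime_mode'] = "enforcing" if selinux.security_getenforce() == 1 else "permissive"
        # FIXME: check selinux_getenforcemode[0] (that should be return value of a underneath function)
        enforce_mode = selinux.selinux_getenforcemode()[1]
        if enforce_mode >= 0:
            outdata['static_mode'] = "enforcing" if enforce_mode == 1 else "permissive"
        else:
            outdata['static_mode'] = "disabled"
        outdata['policy'] = selinux.selinux_getpolicytype()[1]
    except OSError:
        # This happens when SELinux is disabled
        # [Errno 2] No such file or directory
        # NOTE(review): any other OSError raised by the bindings lands here too
        # and is reported as disabled/permissive with the 'targeted' policy, so
        # the facts may understate the configured SELinux state in that case.
        outdata['runtime_mode'] = 'permissive'
        outdata['static_mode'] = 'disabled'
        outdata['policy'] = 'targeted'
    return SELinuxFacts(**outdata)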
def test_SELinuxContentScanner(current_actor_context, destructive_selinux_env):
    """Run the scanner actor with the mock config and check every message it produces.

    The ``destructive_selinux_env`` fixture is expected to have installed the
    ``TEST_MODULES`` and applied the ``SEMANAGE_COMMANDS`` beforehand (that
    set-up lives outside this function).
    """
    facts = SELinuxFacts(
        policy='targeted',
        mls_enabled=True,
        enabled=True,
        runtime_mode='enforcing',
        static_mode='enforcing',
    )
    current_actor_context.feed(facts)
    current_actor_context.run(config_model=mock_configs.CONFIG)

    modules = current_actor_context.consume(SELinuxModules)[0]
    assert modules

    # every module installed during test setup (other than those at priority
    # 100/200) must be reported back by the actor
    for priority, name in TEST_MODULES:
        if priority in ('100', '200'):
            continue
        assert find_module(modules, name, priority)

    # the last entry of TEST_MODULES is the udica template; it must be reported as such
    template_priority, template_name = TEST_MODULES[-1]
    assert find_template(modules, template_name, template_priority)

    rpms = current_actor_context.consume(SELinuxRequestRPMs)[0]
    assert rpms
    # mock1 contains a container related type
    assert "container-selinux" in rpms.to_install

    custom = current_actor_context.consume(SELinuxCustom)[0]
    assert custom
    # The second command contains a removed type and should be discarded (in either upgrade path)
    discarded = SEMANAGE_COMMANDS[1]
    assert find_semanage_rule(custom.removed, discarded)
    # the rest of the commands should be reported (except for the last, which
    # shows up in modules instead)
    for kept in (SEMANAGE_COMMANDS[0], SEMANAGE_COMMANDS[2]):
        assert find_semanage_rule(custom.commands, kept)
def create_selinuxfacts(static_mode, enabled, policy='targeted', mls_enabled=True):
    """Build a SELinuxFacts message for tests.

    ``runtime_mode`` mirrors ``static_mode``, except that a 'disabled'
    static mode has no runtime mode and yields ``None``.
    """
    runtime_mode = None
    if static_mode != 'disabled':
        runtime_mode = static_mode
    fields = {
        'runtime_mode': runtime_mode,
        'static_mode': static_mode,
        'enabled': enabled,
        'policy': policy,
        'mls_enabled': mls_enabled,
    }
    return SELinuxFacts(**fields)
def test_selinux_disabled(monkeypatch):
    """Test case SELinux is disabled.

    Every libselinux call is stubbed to report "off" (0), with a static mode
    of 0 (permissive) and the 'targeted' policy; the collected facts must
    reflect exactly that.
    """
    stubs = {
        'is_selinux_mls_enabled': lambda: 0,
        'security_getenforce': lambda: 0,
        'selinux_getenforcemode': lambda: [0, 0],
        'is_selinux_enabled': lambda: 0,
        'selinux_getpolicytype': lambda: [0, 'targeted'],
    }
    for attr, fake in stubs.items():
        monkeypatch.setattr(selinux, attr, fake)

    expected = SELinuxFacts(
        policy='targeted',
        mls_enabled=False,
        enabled=False,
        runtime_mode='permissive',
        static_mode='permissive',
    )
    assert expected == get_selinux_status()
def test_selinux_enabled_enforcing(monkeypatch):
    """Test case SELinux is enabled in enforcing mode.

    Every libselinux call is stubbed to report "on" (1) with an enforcing
    static mode and the 'targeted' policy; the collected facts must reflect
    exactly that.
    """
    stubs = {
        'is_selinux_mls_enabled': lambda: 1,
        'security_getenforce': lambda: 1,
        'selinux_getenforcemode': lambda: [0, 1],
        'is_selinux_enabled': lambda: 1,
        'selinux_getpolicytype': lambda: [0, 'targeted'],
    }
    for attr, fake in stubs.items():
        monkeypatch.setattr(selinux, attr, fake)

    expected = SELinuxFacts(
        policy='targeted',
        mls_enabled=True,
        enabled=True,
        runtime_mode='enforcing',
        static_mode='enforcing',
    )
    assert expected == get_selinux_status()
def test_selinux_disabled_no_config_file(monkeypatch):
    """Test case SELinux is disabled and the SELinux config file is missing.

    ``selinux_getenforcemode`` is replaced with ``MockNoConfigFileOSError``
    (presumably raising the "no such file" OSError), so ``get_selinux_status``
    is expected to fall back to its permissive/disabled/targeted defaults.
    """
    stubs = {
        'is_selinux_mls_enabled': lambda: 0,
        'security_getenforce': lambda: 0,
        'selinux_getenforcemode': MockNoConfigFileOSError,
        'is_selinux_enabled': lambda: 0,
        'selinux_getpolicytype': lambda: ('', 'targeted'),
    }
    for attr, fake in stubs.items():
        monkeypatch.setattr(selinux, attr, fake)

    expected = SELinuxFacts(
        policy='targeted',
        mls_enabled=False,
        enabled=False,
        runtime_mode='permissive',
        static_mode='disabled',
    )
    assert expected == get_selinux_status()