1. Added new facts for all values returned by the sestatus command 2. Updated legacy selinux_mode fact with former value 3. Added note and ticket #6677 to remove legacy fact at Facter 2.0.0 4. Added tests for new facts and legacy fact
Signed-off-by: James Turnbull <[email protected]> --- lib/facter/selinux.rb | 33 ++++++++++++++++++++++++++++++++- spec/unit/data/selinux_sestatus | 2 ++ spec/unit/selinux_spec.rb | 34 ++++++++++++++++++++++++++++++++-- 3 files changed, 66 insertions(+), 3 deletions(-) diff --git a/lib/facter/selinux.rb b/lib/facter/selinux.rb index 73e3239..9fab427 100644 --- a/lib/facter/selinux.rb +++ b/lib/facter/selinux.rb @@ -36,7 +36,7 @@ Facter.add("selinux_policyversion") do end end -Facter.add("selinux_mode") do +Facter.add("selinux_current_mode") do confine :selinux => :true setcode do result = 'unknown' @@ -45,3 +45,34 @@ Facter.add("selinux_mode") do result.chomp end end + +Facter.add("selinux_config_mode") do + confine :selinux => :true + setcode do + result = 'unknown' + mode = Facter::Util::Resolution.exec('/usr/sbin/sestatus') + mode.each_line { |l| result = $1 if l =~ /^Mode from config file\:\s+(\w+)$/i } + result.chomp + end +end + +Facter.add("selinux_config_policy") do + confine :selinux => :true + setcode do + result = 'unknown' + mode = Facter::Util::Resolution.exec('/usr/sbin/sestatus') + mode.each_line { |l| result = $1 if l =~ /^Policy from config file\:\s+(\w+)$/i } + result.chomp + end +end + +# This is a legacy fact which returns the old selinux_mode fact value to prevent +# breakages of existing manifests. It should be removed at the next major release. +# See ticket #6677. + +Facter.add("selinux_mode") do + confine :selinux => :true + setcode do + Facter.value(:selinux_config_policy) + end +end diff --git a/spec/unit/data/selinux_sestatus b/spec/unit/data/selinux_sestatus index b16777f..50cea13 100644 --- a/spec/unit/data/selinux_sestatus +++ b/spec/unit/data/selinux_sestatus @@ -1,4 +1,6 @@ SELinux status: enabled SELinuxfs mount: /selinux Current Mode: permissive +Mode from config file: permissive Policy version: 16 +Policy from config file: targeted diff --git a/spec/unit/selinux_spec.rb b/spec/unit/selinux_spec.rb index 2af9583..d820958 100755 
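Review bot: Both new resolutions in lib/facter/selinux.rb call `mode.each_line` directly on the return of `Facter::Util::Resolution.exec('/usr/sbin/sestatus')`, so a nil return (which I believe exec gives when the binary is missing or prints nothing) would raise NoMethodError instead of reaching the `'unknown'` fallback. Guarding the parse keeps that fallback reachable, e.g. `mode.to_s.each_line { |l| result = $1 if l =~ /^Mode from config file\:\s+(\w+)$/i }` in `selinux_config_mode`, and the same change in `selinux_config_policy`. Separately, the comment above the legacy `selinux_mode` fact should say outright that it now returns the configured policy name rather than enforcing/permissive, because manifests that gate hardening on this fact will be comparing against a different value set: `# Legacy: returns the policy from the config file (e.g. "targeted"), not the enforcement mode.`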
--- a/spec/unit/selinux_spec.rb +++ b/spec/unit/selinux_spec.rb @@ -46,7 +46,7 @@ describe "SELinux facts" do Facter.fact(:selinux_policyversion).value.should == "1" end - it "should return the SELinux policy mode" do + it "should return the SELinux current mode" do Facter.fact(:selinux).stubs(:value).returns("true") sample_output_file = File.dirname(__FILE__) + '/data/selinux_sestatus' 
@@ -54,6 +54,36 @@ describe "SELinux facts" do Facter::Util::Resolution.stubs(:exec).with('/usr/sbin/sestatus').returns(selinux_sestatus) - Facter.fact(:selinux_mode).value.should == "permissive" + Facter.fact(:selinux_current_mode).value.should == "permissive" + end + + it "should return the SELinux mode from the configuration file" do + Facter.fact(:selinux).stubs(:value).returns("true") + + sample_output_file = File.dirname(__FILE__) + '/data/selinux_sestatus' + selinux_sestatus = File.read(sample_output_file) + + Facter::Util::Resolution.stubs(:exec).with('/usr/sbin/sestatus').returns(selinux_sestatus) + + Facter.fact(:selinux_config_mode).value.should == "permissive" + end + + it "should return the SELinux configuration file policy" do + Facter.fact(:selinux).stubs(:value).returns("true") + + sample_output_file = File.dirname(__FILE__) + '/data/selinux_sestatus' + selinux_sestatus = File.read(sample_output_file) + + Facter::Util::Resolution.stubs(:exec).with('/usr/sbin/sestatus').returns(selinux_sestatus) + + Facter.fact(:selinux_config_policy).value.should == "targeted" + end + + it "should ensure legacy selinux_mode facts returns same value as selinux_config_policy fact" do + Facter.fact(:selinux).stubs(:value).returns("true") + + Facter.fact(:selinux_config_policy).stubs(:value).returns("targeted") + + Facter.fact(:selinux_mode).value.should == "targeted" end end -- 1.7.1 -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
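Review bot: The three new examples only exercise the complete fixture, so the `'unknown'` fallback in `selinux_config_mode` and `selinux_config_policy` is never asserted. sestatus output without the "Mode from config file" or "Policy from config file" lines (the fixture itself lacked them before this patch) is the case consumers most need pinned, because a fact that reads `unknown` can be mistaken for a real state in a manifest conditional. I would add an example that stubs `exec` with output missing those lines and expects the fallback, e.g. `Facter.fact(:selinux_config_mode).value.should == "unknown"`. The `describe` block starts outside this hunk.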
