diff --git a/.travis.yml b/.travis.yml index 0919610b..9013c2cd 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,24 +7,6 @@ sudo: false matrix: fast_finish: true include: - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 2.7.0" - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.1.0" - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.2.0" - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.3.0" - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.4.0" - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.5.0" STRICT_VARIABLES="yes" - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.6.0" STRICT_VARIABLES="yes" - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.7.0" STRICT_VARIABLES="yes" - - rvm: 1.9.3 - env: PUPPET_GEM_VERSION="~> 3.1.0" - rvm: 1.9.3 env: PUPPET_GEM_VERSION="~> 3.2.0" - rvm: 1.9.3 diff --git a/Gemfile b/Gemfile index a78470f2..70dd46c1 100644 --- a/Gemfile +++ b/Gemfile @@ -3,7 +3,6 @@ source ENV['GEM_SOURCE'] || "https://rubygems.org" group :unit_tests do gem 'rake', :require => false # https://github.com/rspec/rspec-core/issues/1864 - gem 'rspec', '< 3.2.0', {"platforms"=>["ruby_18"]} gem 'rspec-puppet', '~> 2.1', :require => false gem 'puppetlabs_spec_helper', :require => false gem 'puppet-lint', '~> 1.0', :require => false diff --git a/Rakefile b/Rakefile index 67439caf..992fc896 100644 --- a/Rakefile +++ b/Rakefile @@ -1,4 +1,3 @@ -require 'rubygems' if RUBY_VERSION < '1.9.0' require 'puppetlabs_spec_helper/rake_tasks' require 'puppet-lint/tasks/puppet-lint' require 'puppet-syntax/tasks/puppet-syntax' @@ -20,8 +19,6 @@ PuppetLint.configuration.send('disable_80chars') PuppetLint.configuration.send('disable_class_inherits_from_params_class') PuppetLint.configuration.send('disable_documentation') PuppetLint.configuration.ignore_paths = exclude_paths -#PuppetLint.configuration.send('disable_class_parameter_defaults') -#PuppetLint.configuration.send('disable_single_quote_string_with_variables') PuppetSyntax.exclude_paths = exclude_paths task :default => [:test, :spec] 
diff --git a/lib/facter/selinux_custom_policy.rb b/lib/facter/selinux_custom_policy.rb index 0378516d..167873b6 100644 --- a/lib/facter/selinux_custom_policy.rb +++ b/lib/facter/selinux_custom_policy.rb @@ -5,7 +5,7 @@ require 'facter' Facter.add(:selinux_custom_policy) do - confine :kernel => 'Linux', :osfamily => 'RedHat', :operatingsystemmajrelease => '7', :selinux => ['true', true] + confine kernel: 'Linux', osfamily: 'RedHat', operatingsystemmajrelease: '7', selinux: ['true', true] setcode do Facter::Util::Resolution.exec("sestatus | grep 'Loaded policy name' | awk '{ print \$4 }'") end diff --git a/manifests/boolean.pp b/manifests/boolean.pp index 5a4c17d6..5bfe2079 100644 --- a/manifests/boolean.pp +++ b/manifests/boolean.pp @@ -11,9 +11,10 @@ # # Parameters: # - $ensure: (on|off) - Sets the current state of a particular SELinux boolean +# - $persistent: (true|false) - Should a particular SELinux boolean persist across reboots # # Actions: -# Runs "setsebool" to set boolean state +# Wraps selboolean to set states # # Requires: # - SELinux 
@@ -21,31 +22,34 @@ # Sample Usage: # # selinux::boolean{ 'named_write_master_zones': -# ensure => "on", +# ensure => "on", +# persistent => true, # } # - define selinux::boolean ( - $ensure = true + $ensure = 'on', + $persistent = true, ) { include selinux - Exec { - path => '/bin:/sbin:/usr/bin:/usr/sbin', + $ensure_real = $ensure ? { + true => 'true', # lint:ignore:quoted_booleans + false => 'false', # lint:ignore:quoted_booleans + default => $ensure, + } + + validate_re($ensure_real, ['^on$', '^true$', '^present$', '^off$', '^false$', '^absent$'], 'Valid ensures must be one of on, true, present, off, false, or absent') + validate_bool($persistent) + + $value = $ensure_real ? { + /(?i-mx:on|true|present)/ => 'on', + /(?i-mx:off|false|absent)/ => 'off', + default => undef, } - case $ensure { - on, true: { - exec { "setsebool -P '${name}' true": - unless => "getsebool '${name}' | awk '{ print \$3 }' | grep on", - } - } - off, false: { - exec { "setsebool -P '${name}' false": - unless => "getsebool '${name}' | awk '{ print \$3 }' | grep off", - } - } - default: { err ( "Unknown or undefined boolean state ${ensure}" ) } + selboolean { $name: + value => $value, + persistent => $persistent, } } diff --git a/manifests/config.pp b/manifests/config.pp index c483e1e8..79d25133 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -8,6 +8,7 @@ # - $type (targeted|minimum|mls) - sets the operating type for SELinux. # - $manage_package (boolean) - Whether or not to manage the SELinux management package. # - $package_name (string) - sets the name of the selinux management package. +# - $sx_mod_dir (directory) - sets the operating sx_mod_dir for SELinux. # # Actions: # Configures SELinux to a specific state (enforced|permissive|disabled and targeted|minimum|mls) 
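Review bot: The `validate_re` whitelist on `$ensure_real` uses `^`/`$`, which in the Ruby regexes stdlib compiles are line anchors, so a value like `"on\n"` passes and is then mapped by the unanchored `$value` selector; `['\Aon\z', '\Atrue\z', '\Apresent\z', '\Aoff\z', '\Afalse\z', '\Aabsent\z']` pins the whole string. Whether the string `'true'` also hits the `true =>` arm of the `$ensure_real` selector on the Puppet 3 releases still in the CI matrix is presumably intended but worth a spec, since `selinux_boolean_spec.rb` only feeds the boolean `true`, `'on'` and `'present'` forms. Replacing the `exec { "setsebool -P '${name}' …" }` pair with the native `selboolean` type also removes the interpolation of the resource title into a shell command, which is the right direction; the `default => undef` arm of `$value` is unreachable once `validate_re` has passed and could say so, `default => undef, # unreachable: validate_re above rejects anything else`.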
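Review bot: The new parameter line `# - $sx_mod_dir (directory) - sets the operating sx_mod_dir for SELinux.` explains the parameter with its own name; from the code, this is the directory that `selinux::config` creates and that `selinux::module` uses for the `.te` sources and as `selmoduledir`, defaulting to `/usr/share/selinux` in params.pp, so `# - $sx_mod_dir (absolute_path) - directory holding SELinux module sources and compiled modules (default: /usr/share/selinux).` would be accurate. The same copy-paste wording recurs in the init.pp doc hunk, where `$type (enforcing|permissive|disabled) - sets the operating state for SELinux.` should read `$type (targeted|minimum|mls) - sets the policy type for SELinux.` and `$sx_mod_dir (absolute_path) - sets the operating state for SELinux.` needs the same fix, and in the module.pp doc hunk for `$sx_mod_dir`.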
@@ -21,6 +22,7 @@ class selinux::config ( $mode = $::selinux::mode, $type = $::selinux::type, + $sx_mod_dir = $::selinux::sx_mod_dir, $manage_package = $::selinux::manage_package, $package_name = $::selinux::package_name, ) { @@ -29,13 +31,13 @@ fail("Use of private class ${name} by ${caller_module_name}") } - file { $selinux::params::sx_mod_dir: + file { $sx_mod_dir: ensure => directory, + owner => 'root', + group => 'root', } if $mode { - validate_re($mode, ['^enforcing$', '^permissive$', '^disabled$'], "Valid modes are enforcing, permissive, and disabled. Received: ${mode}") - file_line { "set-selinux-config-to-${mode}": path => '/etc/selinux/config', line => "SELINUX=${mode}", @@ -65,15 +67,10 @@ } if $type { - validate_re($type, ['^targeted$', '^minimum$', '^mls$'], "Valid types are targeted, minimum, and mls. Received: ${type}") - file_line { "set-selinux-config-type-to-${type}": path => '/etc/selinux/config', line => "SELINUXTYPE=${type}", match => '^SELINUXTYPE=\w+', } } - - validate_bool($manage_package) - validate_string($package_name) } diff --git a/manifests/init.pp b/manifests/init.pp index cefa217e..1170679e 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -5,6 +5,12 @@ # # Parameters: # - $mode (enforcing|permissive|disabled) - sets the operating state for SELinux. +# - $type (enforcing|permissive|disabled) - sets the operating state for SELinux. +# - $sx_mod_dir (absolute_path) - sets the operating state for SELinux. +# - $makefile (string) - the default makefile to use for module compilation +# - $module_prefix (string) - sets the prefix for any installed modules +# - $manage_package (boolean) - manage the package for selinux tools +# - $package_name (string) - sets the name for the selinux tools package # # Actions: # This module will configure SELinux and/or deploy SELinux based modules to running 
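Review bot: With `validate_re($mode, …)` and `validate_re($type, …)` removed, `selinux::config` now writes `SELINUX=${mode}` and `SELINUXTYPE=${type}` into `/etc/selinux/config` on the strength of checks that live only in the `selinux` class (the init.pp hunk); the `$caller_module_name` guard keeps other modules out, but a declaration from inside this module with explicit parameters bypasses them. At minimum the invariant should be stated above the parameters, e.g. `# Private: $mode, $type and $sx_mod_dir are validated by class selinux before this class is declared.`, or the two `validate_re` calls kept as a cheap second line of defence. In the `file { $sx_mod_dir: }` hunk above, `owner`/`group` are now pinned to root but `mode` is left to the default; if the intent is that only root can write module sources there, an explicit `mode => '0755'` documents that. The class begins outside the hunk.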
@@ -19,10 +25,31 @@ class selinux ( $mode = $::selinux::params::mode, $type = $::selinux::params::type, + $sx_mod_dir = $::selinux::params::sx_mod_dir, + $makefile = $::selinux::params::makefile, + $module_prefix = $::selinux::params::module_prefix, $manage_package = $::selinux::params::manage_package, $package_name = $::selinux::params::package_name, ) inherits selinux::params { + $mode_real = $mode ? { + /\w+/ => $mode, + default => 'undef', + } + + $type_real = $type ? { + /\w+/ => $type, + default => 'undef', + } + + validate_absolute_path($sx_mod_dir) + validate_re($mode_real, ['^enforcing$', '^permissive$', '^disabled$', '^undef$'], "Valid modes are enforcing, permissive, and disabled. Received: ${mode}") + validate_re($type_real, ['^targeted$', '^minimum$', '^mls$', '^undef$'], "Valid types are targeted, minimum, and mls. Received: ${type}") + validate_string($module_prefix) + validate_string($makefile) + validate_bool($manage_package) + validate_string($package_name) + class { 'selinux::package': manage_package => $manage_package, package_name => $package_name, diff --git a/manifests/module.pp b/manifests/module.pp index ca420cc5..e39f91d6 100644 --- a/manifests/module.pp +++ b/manifests/module.pp @@ -10,12 +10,13 @@ # # Parameters: # - $ensure: (present|absent) - sets the state for a module -# - $selinux::params::sx_mod_dir: The directory compiled modules will live on a system (default: /usr/share/selinux) -# - $mode: Allows an admin to set the SELinux status. (default: enforcing) +# - $sx_mod_dir (absolute_path) - sets the operating state for SELinux. # - $source: the source file (either a puppet URI or local file) of the SELinux .te module +# - $makefile: the makefile file path +# - $prefix: the prefix to add to the loaded module. Defaults to 'local_'. # # Actions: -# Compiles a module using 'checkmodule' and 'semodule_package'. +# Compiles a module using make and installs it # # Requires: # - SELinux 
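Review bot: The `$mode_real`/`$type_real` selectors map anything without a word character to the literal string `'undef'`, and `'^undef$'` is then whitelisted, so a value such as `'undef'` itself or `'!!'` passes `validate_re` and reaches `selinux::config`, where `if $mode` is true for a non-empty string and `SELINUX=!!` would be written to `/etc/selinux/config`. Validating only when a value is given avoids the sentinel entirely: `if $mode { validate_re($mode, ['^enforcing$', '^permissive$', '^disabled$'], "Valid modes are enforcing, permissive, and disabled. Received: ${mode}") }` and the same for `$type`, which also keeps the spec's `raise_error(/Valid modes …/)` expectation. `validate_string($makefile)` here disagrees with `validate_absolute_path($makefile)` in the module.pp hunk; the stricter one fits both. The class body continues past the hunk.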
@@ -28,108 +29,47 @@ # define selinux::module( $source, - $ensure = 'present', - $use_makefile = false, - $makefile = '/usr/share/selinux/devel/Makefile', + $ensure = 'present', + $makefile = '/usr/share/selinux/devel/Makefile', + $prefix = 'local_', + $sx_mod_dir = '/usr/share/selinux', ) { - include selinux + require selinux + + validate_re($ensure, [ '^present$', '^absent$' ], '$ensure must be "present" or "absent"') + validate_string($source) + validate_string($prefix) + validate_absolute_path($sx_mod_dir) + validate_absolute_path($makefile) - if $::selinux_config_policy in ['targeted','strict'] - { - $selinux_policy = $::selinux_config_policy - } - elsif $::selinux_custom_policy - { - $selinux_policy = $::selinux_custom_policy - } - - # Set Resource Defaults - File { - owner => 'root', - group => 'root', - mode => '0644', - } - - # Only allow refresh in the event that the initial .te file is updated. - Exec { - path => '/sbin:/usr/sbin:/bin:/usr/bin', - refreshonly => true, - cwd => $selinux::params::sx_mod_dir, - } - - case $ensure { # lint:ignore:case_without_default - present: { - $_checkloaded_notify = [Exec["${name}-buildmod"]] - } - absent: { - # buildmod doesn't exist in the absent case - $_checkloaded_notify = [] - } - } - exec { "${name}-checkloaded": - refreshonly => false, - creates => "/etc/selinux/${selinux_policy}/modules/active/modules/${name}.pp", - - command => 'true', # lint:ignore:quoted_booleans - notify => $_checkloaded_notify, + $selinux_policy = $::selinux_config_policy ? 
{ + /targeted|strict/ => $::selinux_config_policy, + default => $::selinux_custom_policy, } ## Begin Configuration - file { "${::selinux::params::sx_mod_dir}/${name}.te": + file { "${sx_mod_dir}/${prefix}${name}.te": ensure => $ensure, + owner => 'root', + group => 'root', + mode => '0644', source => $source, - tag => "selinux-module-${name}", } - if !$use_makefile { - file { "${::selinux::params::sx_mod_dir}/${name}.mod": - tag => ["selinux-module-build-${name}", "selinux-module-${name}"], - } - } - file { "${::selinux::params::sx_mod_dir}/${name}.pp": - tag => ["selinux-module-build-${name}", "selinux-module-${name}"], + ~> + exec { "${sx_mod_dir}/${prefix}${name}.pp": + # Only allow refresh in the event that the initial .te file is updated. + path => '/sbin:/usr/sbin:/bin:/usr/bin', + refreshonly => true, + cwd => $sx_mod_dir, + command => "make -f ${makefile} ${prefix}${name}.pp", } - - # Specific executables based on present or absent. - case $ensure { - present: { - if $use_makefile { - exec { "${name}-buildmod": - command => 'true', # lint:ignore:quoted_booleans - } - exec { "${name}-buildpp": - command => "make -f ${makefile} ${name}.pp", - } - } else { - exec { "${name}-buildmod": - command => "checkmodule -M -m -o ${name}.mod ${name}.te", - } - exec { "${name}-buildpp": - command => "semodule_package -m ${name}.mod -o ${name}.pp", - } - } - exec { "${name}-install": - command => "semodule -i ${name}.pp", - } - - # Set dependency ordering - File["${::selinux::params::sx_mod_dir}/${name}.te"] - ~> Exec["${name}-buildmod"] - ~> Exec["${name}-buildpp"] - ~> Exec["${name}-install"] - -> File<| tag == "selinux-module-build-${name}" |> - } - absent: { - exec { "${name}-remove": - command => "semodule -r ${name}.pp > /dev/null 2>&1", - } - - # Set dependency ordering - Exec["${name}-remove"] - -> File<| tag == "selinux-module-${name}" |> - } - default: { - fail("Invalid status for SELinux Module: ${ensure}") - } + -> + selmodule { "${prefix}${name}": + # Load the 
module if it has changed or was not loaded + # Warning: change the .te version! + ensure => $ensure, + selmoduledir => $sx_mod_dir, + syncversion => true, } } diff --git a/manifests/package.pp b/manifests/package.pp index 309ba392..b4a62b75 100644 --- a/manifests/package.pp +++ b/manifests/package.pp @@ -14,14 +14,12 @@ # # This class file is not called directly class selinux::package ( - $manage_package = $::selinux::params::manage_package, - $package_name = $::selinux::params::package_name, + $manage_package = $::selinux::manage_package, + $package_name = $::selinux::package_name, ){ - if $caller_module_name != $module_name { fail("Use of private class ${name} by ${caller_module_name}") } - if $manage_package { package { $package_name: ensure => installed, diff --git a/manifests/params.pp b/manifests/params.pp index 211bf92e..16c26ecc 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -4,9 +4,11 @@ # This class provides default parameters for the selinux class # # Sample Usage: -# mod_dir = $selinux::params::sx_mod_dir +# sx_mod_dir = $selinux::sx_mod_dir # class selinux::params { + $makefile = '/usr/share/selinux/devel/Makefile' + $module_prefix = '' $sx_mod_dir = '/usr/share/selinux' $mode = undef $type = undef @@ -56,5 +58,4 @@ $restorecond_config_file_mode = '0644' $restorecond_config_file_owner = 'root' $restorecond_config_file_group = 'root' - } diff --git a/spec/classes/selinux_config_mode_spec.rb b/spec/classes/selinux_config_mode_spec.rb index 0051c345..5c0737f6 100644 --- a/spec/classes/selinux_config_mode_spec.rb +++ b/spec/classes/selinux_config_mode_spec.rb @@ -4,9 +4,8 @@ include_context 'RedHat 7' context 'config' do - context 'invalid mode' do - let(:params) { { :mode => 'invalid' } } + let(:params) { { mode: 'invalid' } } it { expect { should create_class('selinux') }.to raise_error(/Valid modes are enforcing, permissive, and disabled. Received: invalid/) } end 
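Review bot: In the `ensure => 'absent'` case the removal of `"${sx_mod_dir}/${prefix}${name}.te"` still notifies `Exec["${sx_mod_dir}/${prefix}${name}.pp"]`, which then runs `make -f ${makefile} ${prefix}${name}.pp` with no source to compile; if that make fails, the `->` edge makes Puppet skip `Selmodule["${prefix}${name}"]` and the module stays loaded, whereas the removed code had a dedicated `${name}-remove` path. Declaring the exec only for `present` and letting the absent `selmodule` stand alone, as below, keeps removal independent of the build. `$selinux_policy` is assigned from the unanchored `/targeted|strict/` selector but nothing on the new side reads it (the `creates =>` that did was removed), so it is dead and should go. The new `$makefile`, `$prefix` and `$sx_mod_dir` defaults are literals even though `require selinux` makes `$::selinux::makefile`, `$::selinux::module_prefix` and `$::selinux::sx_mod_dir` available (params.pp now defines them, with `module_prefix = ''` against `'local_'` here), so settings given to the `selinux` class never reach this define; since `$prefix` and the title are interpolated into the `make` command line and a path, tightening `validate_string($prefix)` to `validate_re($prefix, '\A[A-Za-z0-9_-]*\z')` is also worthwhile. The define's closing brace is the last line of the hunk.
```puppet
  file { "${sx_mod_dir}/${prefix}${name}.te":
    # … unchanged: ensure, owner, group, mode, source …
  }

  # Build only when the source is meant to exist; on absent the .te is gone
  # and a refresh-triggered make has nothing to compile.
  if $ensure == 'present' {
    exec { "${sx_mod_dir}/${prefix}${name}.pp":
      # … unchanged: path, refreshonly, cwd, command …
      subscribe => File["${sx_mod_dir}/${prefix}${name}.te"],
      before    => Selmodule["${prefix}${name}"],
    }
  }

  selmodule { "${prefix}${name}":
    # … unchanged: ensure, selmoduledir, syncversion …
  }
```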
@@ -25,29 +24,27 @@ end context 'enforcing' do - let(:params) { { :mode => 'enforcing' } } + let(:params) { { mode: 'enforcing' } } - it { should contain_file('/usr/share/selinux').with(:ensure => 'directory') } - it { should contain_file_line('set-selinux-config-to-enforcing').with(:line => 'SELINUX=enforcing') } - it { should contain_exec('change-selinux-status-to-enforcing').with(:command => 'setenforce 1') } + it { should contain_file('/usr/share/selinux').with(ensure: 'directory') } + it { should contain_file_line('set-selinux-config-to-enforcing').with(line: 'SELINUX=enforcing') } + it { should contain_exec('change-selinux-status-to-enforcing').with(command: 'setenforce 1') } end context 'permissive' do - let(:params) { { :mode => 'permissive' } } + let(:params) { { mode: 'permissive' } } - it { should contain_file('/usr/share/selinux').with(:ensure => 'directory') } - it { should contain_file_line('set-selinux-config-to-permissive').with(:line => 'SELINUX=permissive') } - it { should contain_exec('change-selinux-status-to-permissive').with(:command => 'setenforce 0') } + it { should contain_file('/usr/share/selinux').with(ensure: 'directory') } + it { should contain_file_line('set-selinux-config-to-permissive').with(line: 'SELINUX=permissive') } + it { should contain_exec('change-selinux-status-to-permissive').with(command: 'setenforce 0') } end context 'disabled' do - let(:params) { { :mode => 'disabled' } } + let(:params) { { mode: 'disabled' } } - it { should contain_file('/usr/share/selinux').with(:ensure => 'directory') } - it { should contain_file_line('set-selinux-config-to-disabled').with(:line => 'SELINUX=disabled') } - it { should contain_exec('change-selinux-status-to-disabled').with(:command => 'setenforce 0') } + it { should contain_file('/usr/share/selinux').with(ensure: 'directory') } + it { should contain_file_line('set-selinux-config-to-disabled').with(line: 'SELINUX=disabled') } + it { should 
contain_exec('change-selinux-status-to-disabled').with(command: 'setenforce 0') } end - end - end diff --git a/spec/classes/selinux_config_type_spec.rb b/spec/classes/selinux_config_type_spec.rb index e363a34f..0966ca5d 100755 --- a/spec/classes/selinux_config_type_spec.rb +++ b/spec/classes/selinux_config_type_spec.rb @@ -4,9 +4,8 @@ include_context 'RedHat 7' context 'config' do - context 'invalid type' do - let(:params) { { :type => 'invalid' } } + let(:params) { { type: 'invalid' } } it { expect { should create_class('selinux') }.to raise_error(/Valid types are targeted, minimum, and mls. Received: invalid/) } end 
@@ -22,26 +21,24 @@ end context 'targeted' do - let(:params) { { :type => 'targeted' } } + let(:params) { { type: 'targeted' } } - it { should contain_file('/usr/share/selinux').with(:ensure => 'directory') } - it { should contain_file_line('set-selinux-config-type-to-targeted').with(:line => 'SELINUXTYPE=targeted') } + it { should contain_file('/usr/share/selinux').with(ensure: 'directory') } + it { should contain_file_line('set-selinux-config-type-to-targeted').with(line: 'SELINUXTYPE=targeted') } end context 'minimum' do - let(:params) { { :type => 'minimum' } } + let(:params) { { type: 'minimum' } } - it { should contain_file('/usr/share/selinux').with(:ensure => 'directory') } - it { should contain_file_line('set-selinux-config-type-to-minimum').with(:line => 'SELINUXTYPE=minimum') } + it { should contain_file('/usr/share/selinux').with(ensure: 'directory') } + it { should contain_file_line('set-selinux-config-type-to-minimum').with(line: 'SELINUXTYPE=minimum') } end context 'mls' do - let(:params) { { :type => 'mls' } } + let(:params) { { type: 'mls' } } - it { should contain_file('/usr/share/selinux').with(:ensure => 'directory') } - it { should contain_file_line('set-selinux-config-type-to-mls').with(:line => 'SELINUXTYPE=mls') } + it { should contain_file('/usr/share/selinux').with(ensure: 'directory') } + it { should contain_file_line('set-selinux-config-type-to-mls').with(line: 'SELINUXTYPE=mls') } end - end - end diff --git a/spec/classes/selinux_package_spec.rb b/spec/classes/selinux_package_spec.rb index 57471f43..55a1b3ed 100644 --- a/spec/classes/selinux_package_spec.rb +++ b/spec/classes/selinux_package_spec.rb 
@@ -1,77 +1,73 @@ require 'spec_helper' describe 'selinux' do - context 'package' do - context 'on RedHat 5 based OSes' do let(:facts) do { - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemmajrelease => '5', - :selinux_current_mode => 'enforcing', + osfamily: 'RedHat', + operatingsystem: 'RedHat', + operatingsystemmajrelease: '5', + selinux_current_mode: 'enforcing' } end - it { should contain_package('policycoreutils').with(:ensure => 'installed') } + it { should contain_package('policycoreutils').with(ensure: 'installed') } end - [ '6', '7' ].each do |majrelease| + %w(6 7).each do |majrelease| context "On RedHat #{majrelease} based OSes" do let(:facts) do { - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemmajrelease => majrelease, - :selinux_current_mode => 'enforcing', + osfamily: 'RedHat', + operatingsystem: 'RedHat', + operatingsystemmajrelease: majrelease, + selinux_current_mode: 'enforcing' } end - it { should contain_package('policycoreutils-python').with(:ensure => 'installed') } + it { should contain_package('policycoreutils-python').with(ensure: 'installed') } end end - context "On Fedora 22 based OSes" do + context 'On Fedora 22 based OSes' do include_context 'Fedora 22' - it { should contain_package('policycoreutils-python').with(:ensure => 'installed') } + it { should contain_package('policycoreutils-python').with(ensure: 'installed') } end context 'do not manage package' do let(:facts) do { - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemmajrelease => '5', + osfamily: 'RedHat', + operatingsystem: 'RedHat', + operatingsystemmajrelease: '5' } end let(:params) do { - :manage_package => false, + manage_package: false } end - it { should_not contain_package('policycoreutils').with(:ensure => 'installed') } + it { should_not contain_package('policycoreutils').with(ensure: 'installed') } end context 'install a different package name' do let(:facts) do { - :osfamily => 'RedHat', - 
:operatingsystem => 'RedHat', - :operatingsystemmajrelease => '5', + osfamily: 'RedHat', + operatingsystem: 'RedHat', + operatingsystemmajrelease: '5' } end let(:params) do { - :package_name => 'some_package', + package_name: 'some_package' } end - it { should contain_package('some_package').with(:ensure => 'installed') } + it { should contain_package('some_package').with(ensure: 'installed') } end - end - end diff --git a/spec/classes/selinux_restorecond_config_spec.rb b/spec/classes/selinux_restorecond_config_spec.rb index 1138df4f..bce43151 100644 --- a/spec/classes/selinux_restorecond_config_spec.rb +++ b/spec/classes/selinux_restorecond_config_spec.rb @@ -5,5 +5,4 @@ it { should contain_concat('/etc/selinux/restorecond.conf') } it { should contain_concat__fragment('restorecond_config_default') } - end diff --git a/spec/classes/selinux_restorecond_service_spec.rb b/spec/classes/selinux_restorecond_service_spec.rb index 7821ca73..982be059 100644 --- a/spec/classes/selinux_restorecond_service_spec.rb +++ b/spec/classes/selinux_restorecond_service_spec.rb @@ -4,5 +4,4 @@ include_context 'RedHat 7' it { should contain_service('restorecond') } - end diff --git a/spec/classes/selinux_restorecond_spec.rb b/spec/classes/selinux_restorecond_spec.rb index ba0a5e61..59c6c0a6 100644 --- a/spec/classes/selinux_restorecond_spec.rb +++ b/spec/classes/selinux_restorecond_spec.rb @@ -5,5 +5,4 @@ it { should contain_class('selinux::restorecond::config') } it { should contain_class('selinux::restorecond::service') } - end diff --git a/spec/classes/selinux_spec.rb b/spec/classes/selinux_spec.rb index eb34b92f..61020bd9 100644 --- a/spec/classes/selinux_spec.rb +++ b/spec/classes/selinux_spec.rb 
@@ -4,13 +4,13 @@ [ 'RedHat 7', 'CentOS 7', - 'Fedora 22', + 'Fedora 22' ].each do |ctx| context ctx do include_context ctx - it { should contain_class('selinux').without_mode() } - it { should contain_class('selinux').without_type() } + it { should contain_class('selinux').without_mode } + it { should contain_class('selinux').without_type } it { should contain_class('selinux::package') } it { should contain_class('selinux::config') } end diff --git a/spec/defines/selinux_boolean_spec.rb b/spec/defines/selinux_boolean_spec.rb index 163266da..ab63e065 100644 --- a/spec/defines/selinux_boolean_spec.rb +++ b/spec/defines/selinux_boolean_spec.rb @@ -4,22 +4,35 @@ let(:title) { 'mybool' } include_context 'RedHat 7' - context 'default' do - it { should contain_exec("setsebool -P 'mybool' true")} - end - - ['on', true].each do |value| + ['on', true, 'present'].each do |value| context value do - let(:params) { { :ensure => value } } - it { should contain_exec("setsebool -P 'mybool' true")} + let(:params) do + { + ensure: value + } + end + it do + should contain_selboolean('mybool').with( + 'value' => 'on', + 'persistent' => true + ) + end end end - ['off', false].each do |value| + ['off', false, 'absent'].each do |value| context value do - let(:params) { { :ensure => value } } - it { should contain_exec("setsebool -P 'mybool' false")} + let(:params) do + { + ensure: value + } + end + it do + should contain_selboolean('mybool').with( + 'value' => 'off', + 'persistent' => true + ) + end end end - end diff --git a/spec/defines/selinux_fcontext_spec.rb b/spec/defines/selinux_fcontext_spec.rb index 3137fda8..393875be 100644 --- a/spec/defines/selinux_fcontext_spec.rb +++ b/spec/defines/selinux_fcontext_spec.rb 
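Review bot: The dropped `context 'default' do … end` was the only example that declared `selinux::boolean` without `ensure`, so the new `$ensure = 'on'` default is no longer exercised; nor is `persistent: false` or an invalid `ensure`, which is the `validate_re` path the define now relies on. A case such as `let(:params) { { ensure: 'bogus' } }` with `it { expect { should compile }.to raise_error(/Valid ensures must be one of/) }`, plus a `persistent: false` example asserting `'persistent' => false`, would cover both. The describe block starts before the hunk.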
@@ -21,18 +21,17 @@ end context 'substituting fcontext' do - let(:params) { { :pathname => '/tmp/file1', :equals => true, :destination => '/tmp/file2' } } - it { should contain_exec('add_/tmp/file2_/tmp/file1').with(:command => 'semanage fcontext -a -e "/tmp/file2" "/tmp/file1"') } + let(:params) { { pathname: '/tmp/file1', equals: true, destination: '/tmp/file2' } } + it { should contain_exec('add_/tmp/file2_/tmp/file1').with(command: 'semanage fcontext -a -e "/tmp/file2" "/tmp/file1"') } end context 'set filemode and context' do - let(:params) { { :pathname => '/tmp/file1', :filetype => true, :filemode => 'a', :context => 'user_home_dir_t' } } - it { should contain_exec('add_user_home_dir_t_/tmp/file1_type_a').with(:command => 'semanage fcontext -a -f a -t user_home_dir_t "/tmp/file1"') } + let(:params) { { pathname: '/tmp/file1', filetype: true, filemode: 'a', context: 'user_home_dir_t' } } + it { should contain_exec('add_user_home_dir_t_/tmp/file1_type_a').with(command: 'semanage fcontext -a -f a -t user_home_dir_t "/tmp/file1"') } end context 'set context' do - let(:params) { { :pathname => '/tmp/file1', :context => 'user_home_dir_t' } } - it { should contain_exec('add_user_home_dir_t_/tmp/file1').with(:command => 'semanage fcontext -a -t user_home_dir_t "/tmp/file1"') } + let(:params) { { pathname: '/tmp/file1', context: 'user_home_dir_t' } } + it { should contain_exec('add_user_home_dir_t_/tmp/file1').with(command: 'semanage fcontext -a -t user_home_dir_t "/tmp/file1"') } end - end diff --git a/spec/defines/selinux_module_spec.rb b/spec/defines/selinux_module_spec.rb index cff3179c..5924a882 100644 --- a/spec/defines/selinux_module_spec.rb +++ b/spec/defines/selinux_module_spec.rb 
@@ -5,28 +5,30 @@ include_context 'RedHat 7' context 'present case' do + let(:params) do + { + source: 'test_value' + } + end - let(:params) {{ - :source => 'test_value' - }} - - it { should contain_exec("mymodule-checkloaded"). - that_notifies("Exec[mymodule-buildmod]") - } + it do + should contain_file('/usr/share/selinux/local_mymodule.te').that_notifies('Exec[/usr/share/selinux/local_mymodule.pp]') + should contain_selmodule('local_mymodule').with_ensure('present') + end end # context context 'absent case' do - - let(:params) {{ - :source => 'test_value', - :ensure => 'absent' - }} - - it { should_not contain_exec("mymodule-checkloaded"). - that_notifies("Exec[mymodule-buildmod]") - } - + let(:params) do + { + ensure: 'absent', + source: 'test_value' + } + end + + it do + should contain_selmodule('local_mymodule') + .with_ensure('absent') + end end # context - -end # describe +end # describe diff --git a/spec/defines/selinux_port_spec.rb b/spec/defines/selinux_port_spec.rb index d342fc09..85379464 100644 --- a/spec/defines/selinux_port_spec.rb +++ b/spec/defines/selinux_port_spec.rb 
@@ -4,21 +4,20 @@ let(:title) { 'myapp' } include_context 'RedHat 7' - ['tcp', 'udp', 'tcp6', 'udp6'].each do |protocol| + %w(tcp udp tcp6 udp6).each do |protocol| context "valid protocol #{protocol}" do - let(:params) { { :context => 'http_port_t', :port => 8080, :protocol => protocol } } - it { should contain_exec("add_http_port_t_8080_#{protocol}").with(:command => "semanage port -a -t http_port_t -p #{protocol} 8080") } + let(:params) { { context: 'http_port_t', port: 8080, protocol: protocol } } + it { should contain_exec("add_http_port_t_8080_#{protocol}").with(command: "semanage port -a -t http_port_t -p #{protocol} 8080") } end end context 'invalid protocol' do - let(:params) { { :context => 'http_port_t', :port => 8080, :protocol => 'bad' } } + let(:params) { { context: 'http_port_t', port: 8080, protocol: 'bad' } } it { expect { is_expected.to compile }.to raise_error } end context 'no protocol' do - let(:params) { { :context => 'http_port_t', :port => 8080} } - it { should contain_exec("add_http_port_t_8080").with(:command => 'semanage port -a -t http_port_t 8080') } + let(:params) { { context: 'http_port_t', port: 8080 } } + it { should contain_exec('add_http_port_t_8080').with(command: 'semanage port -a -t http_port_t 8080') } end - end diff --git a/spec/defines/selinux_restorecond_fragment_spec.rb b/spec/defines/selinux_restorecond_fragment_spec.rb index 693c46c0..cc95954c 100644 --- a/spec/defines/selinux_restorecond_fragment_spec.rb +++ b/spec/defines/selinux_restorecond_fragment_spec.rb 
@@ -6,13 +6,12 @@ include_context 'RedHat 7' context 'source' do - let(:params) { { :source => 'puppet:///data/cond.txt' } } - it { should contain_concat__fragment('restorecond_conf_cond').with(:source => 'puppet:///data/cond.txt', :order => 10 ) } + let(:params) { { source: 'puppet:///data/cond.txt' } } + it { should contain_concat__fragment('restorecond_conf_cond').with(source: 'puppet:///data/cond.txt', order: 10) } end context 'content and order' do - let(:params) { { :content => '/etc/myapp', :order => 20 } } - it { should contain_concat__fragment('restorecond_conf_cond').with(:content => '/etc/myapp', :order => 20 ) } + let(:params) { { content: '/etc/myapp', order: 20 } } + it { should contain_concat__fragment('restorecond_conf_cond').with(content: '/etc/myapp', order: 20) } end - end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 33a44001..0e29a084 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -2,16 +2,16 @@ require 'puppetlabs_spec_helper/module_spec_helper' facts = { - :osfamily => 'RedHat', - :operatingsystem => 'RedHat', - :operatingsystemmajrelease => '7', - :selinux_current_mode => 'enforcing', - :selinux_config_policy => 'targeted', + osfamily: 'RedHat', + operatingsystem: 'RedHat', + operatingsystemmajrelease: '7', + selinux_current_mode: 'enforcing', + selinux_config_policy: 'targeted', # concat facts - :concat_basedir => '/tmp', - :id => 0, - :is_pe => false, - :path => '/tmp', + concat_basedir: '/tmp', + id: 0, + is_pe: false, + path: '/tmp' } shared_context 'RedHat 7' do @@ -21,8 +21,8 @@ shared_context 'CentOS 7' do let(:facts) do facts.dup.merge( - :operatingsystem => 'CentOS', - :operatingsystemmajrelease => '7' + operatingsystem: 'CentOS', + operatingsystemmajrelease: '7' ) end end @@ -30,8 +30,8 @@ shared_context 'Fedora 22' do let(:facts) do facts.dup.merge( - :operatingsystem => 'Fedora', - :operatingsystemmajrelease => '22' + operatingsystem: 'Fedora', + operatingsystemmajrelease: '22' ) end end