authorneha-p6 <neha.pansare@progress.com>2022-04-11 11:00:57 +0530
committerGitHub <noreply@github.com>2022-04-11 11:00:57 +0530
commitd3dda786b2a6d61025288c002ae7b5b60c499f92 (patch)
tree2e48a0e853c05ca404be357ba2c928d491ec7b01 /spec
parentd3e922a67abec71825d6f6c6ac8fd4ef9fc53019 (diff)
downloadchef-d3dda786b2a6d61025288c002ae7b5b60c499f92.tar.gz
SELinux integration to infra client (#12694)
* 1. Add resources for SELinux 2. Add common helper for SELinux under a new subdirectory 3. Wire files together with corresponding changes Signed-off-by: Neha Pansare <neha.pansare@progress.com> * 3. Include SELinux CommonHelper under action_class for corresponding resources as it uses shell_out! 4. Add SELinux config file templates for debian and default versions Signed-off-by: Neha Pansare <neha.pansare@progress.com> * 5. Add local mode true to correctly parse template from selinux_state resource Signed-off-by: Neha Pansare <neha.pansare@progress.com> * 6. Remove SELinux cookbook dependency from kitchen-tests as SELinux resources are now part of core chef client, update linux.rb recipe to use corresponding SELinux resources instead of include_recipe Signed-off-by: Neha Pansare <neha.pansare@progress.com> * 7. Add unit test cases for SELinux resources 8. Add documentation for SELinux resources Signed-off-by: Neha Pansare <neha.pansare@progress.com> * 9. Obvious fix: code linting and spellcheck Signed-off-by: Neha Pansare <neha.pansare@progress.com> * 10. Add code linting changes. 11. Add missing comma in cspell.json resulting in issue Signed-off-by: Neha Pansare <neha.pansare@progress.com> * 12. Add linting and spellcheck changes Signed-off-by: Neha Pansare <neha.pansare@progress.com> * 13. Add documentation for SELinux resources for all properties, actions with examples 14. Added permissive SELinux policy for end_to_end kitchen test Signed-off-by: Neha Pansare <neha.pansare@progress.com> * 15. Fix chefstyle linting 16. Update a few shell_out calls to use array format of input parameters Signed-off-by: Neha Pansare <neha.pansare@progress.com>
Diffstat (limited to 'spec')
-rw-r--r--spec/unit/resource/selinux_boolean_spec.rb92
-rw-r--r--spec/unit/resource/selinux_fcontext_spec.rb65
-rw-r--r--spec/unit/resource/selinux_install_spec.rb60
-rw-r--r--spec/unit/resource/selinux_module_spec.rb55
-rw-r--r--spec/unit/resource/selinux_permissive_spec.rb39
-rw-r--r--spec/unit/resource/selinux_port_spec.rb42
-rw-r--r--spec/unit/resource/selinux_state_spec.rb46
7 files changed, 399 insertions, 0 deletions
diff --git a/spec/unit/resource/selinux_boolean_spec.rb b/spec/unit/resource/selinux_boolean_spec.rb
new file mode 100644
index 0000000000..63af7c5a3b
--- /dev/null
+++ b/spec/unit/resource/selinux_boolean_spec.rb
@@ -0,0 +1,92 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxBoolean do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxBoolean.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:set) }
+ let(:selinux_state) { double("shellout!", stdout: "permissive") }
+
+ it "sets boolean proprty as name_property" do
+ expect(resource.boolean).to eql("fakey_fakerton")
+ end
+
+ it "sets the default action as :set" do
+ expect(resource.action).to eql([:set])
+ end
+
+ it "supports :set action" do
+ expect { resource.action :set }.not_to raise_error
+ end
+
+ context "coercing value property" do
+ it "should set value properly to 'on' when valid parameter is sent and is literal positive" do
+ resource.value = 1
+ expect(resource.value).to eql("on")
+
+ resource.value = "true"
+ expect(resource.value).to eql("on")
+
+ resource.value = true
+ expect(resource.value).to eql("on")
+ end
+
+ it "should set value properly to 'off' when valid parameter is sent and is literal negative" do
+ resource.value = 0
+ expect(resource.value).to eql("off")
+
+ resource.value = "false"
+ expect(resource.value).to eql("off")
+
+ resource.value = false
+ expect(resource.value).to eql("off")
+ end
+
+ it "should raise an exception if invalid parameter is sent" do
+ expect do
+ resource.value = "ON"
+ end.to raise_error(ArgumentError)
+ end
+ end
+
+ describe "#Chef::SELinux::CommonHelpers" do
+ context "#selinux_permissive?" do
+ it "should return true if selinux_state is :permissive" do
+ allow(provider).to receive(:shell_out!).and_return(selinux_state)
+ expect(provider.selinux_permissive?).to eql(true)
+ end
+ end
+
+ context "#selinux_disabled?" do
+ it "should return false if selinux_state is :permissive" do
+ allow(provider).to receive(:shell_out!).and_return(selinux_state)
+ expect(provider.selinux_disabled?).to eql(false)
+ end
+ end
+
+ context "#selinux_enforcing?" do
+ it "should return false if selinux_state is :permissive" do
+ allow(provider).to receive(:shell_out!).and_return(selinux_state)
+ expect(provider.selinux_enforcing?).to eql(false)
+ end
+ end
+ end
+end \ No newline at end of file
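Review bot: The CommonHelpers examples only ever stub `shell_out!` with a lowercase `"permissive"` stdout, whereas `getenforce` on a real host prints `Permissive`, `Enforcing` or `Disabled` with an initial capital; if the helper (not in this diff) compares the raw string without normalizing case, all three specs pass while the real predicates would classify every host as neither enforcing nor permissive, which matters because callers presumably use these to decide whether to apply policy. Add a capitalized double and pin each predicate true at least once, e.g. `let(:enforcing_state) { double("shellout!", stdout: "Enforcing") }` and `expect(provider.selinux_enforcing?).to eql(true)` with that stub, plus the analogous `Disabled` case. Minor: the first example description reads "proprty", and the file lacks a trailing newline.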
diff --git a/spec/unit/resource/selinux_fcontext_spec.rb b/spec/unit/resource/selinux_fcontext_spec.rb
new file mode 100644
index 0000000000..7e1c31c23e
--- /dev/null
+++ b/spec/unit/resource/selinux_fcontext_spec.rb
@@ -0,0 +1,65 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxFcontext do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxFcontext.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:manage) }
+ let(:restoreconf) { double("shellout", stdout: "restorecon reset /var/www/html/index.html context unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0") }
+
+ it "sets file_spec proprty as name_property" do
+ expect(resource.file_spec).to eql("fakey_fakerton")
+ end
+
+ it "sets the default action as :manage" do
+ expect(resource.action).to eql([:manage])
+ end
+
+ it "supports :manage, :addormodify, :add, :modify, :delete actions" do
+ expect { resource.action :manage }.not_to raise_error
+ expect { resource.action :addormodify }.not_to raise_error
+ expect { resource.action :add }.not_to raise_error
+ expect { resource.action :modify }.not_to raise_error
+ expect { resource.action :delete }.not_to raise_error
+ end
+
+ it "checks 'a', 'f', 'd', 'c', 'b', 's', 'l', 'p' as valid file_type property values" do
+ expect { resource.file_type "a" }.not_to raise_error
+ expect { resource.file_type "f" }.not_to raise_error
+ expect { resource.file_type "d" }.not_to raise_error
+ expect { resource.file_type "c" }.not_to raise_error
+ expect { resource.file_type "b" }.not_to raise_error
+ expect { resource.file_type "s" }.not_to raise_error
+ expect { resource.file_type "l" }.not_to raise_error
+ expect { resource.file_type "p" }.not_to raise_error
+ end
+
+ it "sets default value for file_type property to 'a'" do
+ expect(resource.file_type).to eql("a")
+ end
+
+ describe "#relabel_files" do
+ it "returns verbose output with details of the file for which SELinux config is restored" do
+ allow(provider).to receive(:shell_out!).and_return(restoreconf)
+ expect(provider.relabel_files).to eql(restoreconf)
+ end
+ end
+end \ No newline at end of file
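Review bot: The `#relabel_files` example asserts only that the method returns whatever `shell_out!` returns, so it would pass for any command at all; it does not pin the one property worth pinning, that `file_spec` reaches `restorecon` as its own argv element rather than interpolated into a shell string, which is what commit item 16 ("array format of input parameters") is about. Replace the `allow` with an expectation on the arguments, e.g. `expect(provider).to receive(:shell_out!).with("restorecon", any_args).and_return(restoreconf)` with the exact flags and the trailing `"fakey_fakerton"` taken from the provider, so a regression back to string-built commands fails the spec. Note that `file_spec` is user-controlled path text, so this is the injection boundary for this resource.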
diff --git a/spec/unit/resource/selinux_install_spec.rb b/spec/unit/resource/selinux_install_spec.rb
new file mode 100644
index 0000000000..5e82dfb840
--- /dev/null
+++ b/spec/unit/resource/selinux_install_spec.rb
@@ -0,0 +1,60 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxInstall do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxInstall.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:install) }
+
+ it "sets the default action as :install" do
+ expect(resource.action).to eql([:install])
+ end
+
+ it "supports :install, :upgrade, :remove actions" do
+ expect { resource.action :install }.not_to raise_error
+ expect { resource.action :upgrade }.not_to raise_error
+ expect { resource.action :remove }.not_to raise_error
+ end
+
+ it "sets default packages on 'rhel', 'fedora', 'amazon' platforms" do
+ node.automatic_attrs[:platform_family] = "rhel"
+ expect(resource.packages).to eql(%w{make policycoreutils selinux-policy selinux-policy-targeted selinux-policy-devel libselinux-utils setools-console})
+ end
+
+ it "sets default packages on debian irrespective of platform_version" do
+ node.automatic_attrs[:platform_family] = "debian"
+ expect(resource.packages).to eql(%w{make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools})
+ end
+
+ it "sets default packages on ubuntu 18.04 platforms" do
+ node.automatic_attrs[:platform_family] = "debian"
+ node.automatic_attrs[:platform] = "ubuntu"
+ node.automatic_attrs[:platform_version] = 18.04
+ expect(resource.packages).to eql(%w{make policycoreutils selinux selinux-basics selinux-policy-default selinux-policy-dev auditd setools})
+ end
+
+ it "sets default packages on ubuntu platforms and versions other than 18.04" do
+ node.automatic_attrs[:platform_family] = "debian"
+ node.automatic_attrs[:platform] = "ubuntu"
+ node.automatic_attrs[:platform_version] = 20.04
+ expect(resource.packages).to eql(%w{make policycoreutils selinux-basics selinux-policy-default selinux-policy-dev auditd setools})
+ end
+end \ No newline at end of file
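Review bot: The two Ubuntu examples assign `platform_version` as a Float (`18.04`, `20.04`), but Ohai reports `platform_version` as a String (`"18.04"`); if the resource's default compares against the raw attribute, the `selinux` package branch this test exercises is one real nodes never reach, and the spec would not notice. Use `node.automatic_attrs[:platform_version] = "18.04"` (and `"20.04"`) so the fixture matches what the client actually sees. The first example's description names rhel, fedora and amazon but only sets `"rhel"`; iterating `%w{rhel fedora amazon}` inside the example would make the description true.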
diff --git a/spec/unit/resource/selinux_module_spec.rb b/spec/unit/resource/selinux_module_spec.rb
new file mode 100644
index 0000000000..dadd9eb8fa
--- /dev/null
+++ b/spec/unit/resource/selinux_module_spec.rb
@@ -0,0 +1,55 @@
+#
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxModule do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxModule.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:create) }
+
+ it "sets module_name property as name_property" do
+ expect(resource.module_name).to eql("fakey_fakerton")
+ end
+
+ it "sets default value for base_dir property" do
+ expect(resource.base_dir).to eql("/etc/selinux/local")
+ end
+
+ it "sets the default action as :create" do
+ expect(resource.action).to eql([:create])
+ end
+
+ it "supports :create, :delete, :install, :remove actions" do
+ expect { resource.action :create }.not_to raise_error
+ expect { resource.action :delete }.not_to raise_error
+ expect { resource.action :install }.not_to raise_error
+ expect { resource.action :remove }.not_to raise_error
+ end
+
+ describe "#selinux_module_filepath" do
+ it "returns selinux module file path based upon base_dir property and module_name property" do
+ resource.base_dir = "/opt/selinux"
+ resource.module_name = "my_module"
+ file_type = "te"
+ expect(provider.selinux_module_filepath(file_type)).to eql("/opt/selinux/my_module.te")
+ end
+ end
+end \ No newline at end of file
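Review bot: `selinux_module_filepath` is shown joining `base_dir` and `module_name` into a path, but nothing pins what happens when `module_name` contains `/` or `..`, which would place the generated `.te`/`.pp` outside `base_dir` (e.g. a name of `"../../tmp/x"`), and the same name is presumably passed to `semodule` as an argument. If the resource validates the property (its definition is not in this diff), add `expect { resource.module_name "../evil" }.to raise_error(ArgumentError)`; if it does not, consider a `regex:` restriction on the property before relying on this path. The file also lacks a trailing newline.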
diff --git a/spec/unit/resource/selinux_permissive_spec.rb b/spec/unit/resource/selinux_permissive_spec.rb
new file mode 100644
index 0000000000..96ee3c3c81
--- /dev/null
+++ b/spec/unit/resource/selinux_permissive_spec.rb
@@ -0,0 +1,39 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxPermissive do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxPermissive.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:add) }
+
+ it "sets context property as name_property" do
+ expect(resource.context).to eql("fakey_fakerton")
+ end
+
+ it "sets the default action as :add" do
+ expect(resource.action).to eql([:add])
+ end
+
+ it "supports :add, :delete actions" do
+ expect { resource.action :add }.not_to raise_error
+ expect { resource.action :delete }.not_to raise_error
+ end
+end \ No newline at end of file
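Review bot: `let(:provider)` is defined but never referenced in this spec (the same dead fixture appears in the port and state specs), so either drop it or use it. Nothing here exercises the provider at all, and adding a permissive domain is a policy-weakening change, so a test that `:add` invokes `semanage` with `context` as a separate argv element (exact flags from the provider, which is not in this diff) would be worth more than the action-list checks alone.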
diff --git a/spec/unit/resource/selinux_port_spec.rb b/spec/unit/resource/selinux_port_spec.rb
new file mode 100644
index 0000000000..2ed14c5ef6
--- /dev/null
+++ b/spec/unit/resource/selinux_port_spec.rb
@@ -0,0 +1,42 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxPort do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxPort.new("5678", run_context) }
+ let(:provider) { resource.provider_for_action(:manage) }
+
+ it "sets port property as name_property" do
+ expect(resource.port).to eql("5678")
+ end
+
+ it "sets the default action as :manage" do
+ expect(resource.action).to eql([:manage])
+ end
+
+ it "supports :manage, :addormodify, :add, :modify, :delete actions" do
+ expect { resource.action :manage }.not_to raise_error
+ expect { resource.action :addormodify }.not_to raise_error
+ expect { resource.action :add }.not_to raise_error
+ expect { resource.action :modify }.not_to raise_error
+ expect { resource.action :delete }.not_to raise_error
+ end
+end \ No newline at end of file
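Review bot: The `port` property is shown accepting the resource name `"5678"` as a plain String, and no example pins that non-numeric or out-of-range values are rejected, even though that value ends up in the `semanage port` argv. If the resource validates (not visible here), add `expect { resource.port "not-a-port" }.to raise_error(ArgumentError)` and a boundary case such as `65536`; if it does not, validation on the property is the safer fix. `let(:provider)` at the top of the spec is unused.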
diff --git a/spec/unit/resource/selinux_state_spec.rb b/spec/unit/resource/selinux_state_spec.rb
new file mode 100644
index 0000000000..356a872627
--- /dev/null
+++ b/spec/unit/resource/selinux_state_spec.rb
@@ -0,0 +1,46 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxState do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxState.new("5678", run_context) }
+ let(:provider) { resource.provider_for_action(:enforcing) }
+
+ it "sets the default action as :enforcing" do
+ expect(resource.action).to eql([:enforcing])
+ end
+
+ it "sets default value for policy property for 'rhel', 'fedora', 'amazon' platforms" do
+ node.automatic_attrs[:platform_family] = "rhel"
+ expect(resource.policy).to eql("targeted")
+ end
+
+ it "supports :enforcing, :permissive, :disabled actions" do
+ expect { resource.action :enforcing }.not_to raise_error
+ expect { resource.action :permissive }.not_to raise_error
+ expect { resource.action :disabled }.not_to raise_error
+ end
+
+ it "sets default value for policy property for debian platforms" do
+ node.automatic_attrs[:platform_family] = "debian"
+ expect(resource.policy).to eql("default")
+ end
+end \ No newline at end of file
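Review bot: The resource is instantiated with the name `"5678"`, which is copied from the port spec and has no meaning for a state resource; use a descriptive name such as `"enforcing"` so failures read sensibly. The policy-default examples cover only rhel and debian, leaving open what `policy` is on an unlisted platform family (for example suse): if it is `nil`, the config template the commit adds would presumably render an empty `SELINUXTYPE=`, so an example asserting either a value or an error for an unsupported family would close that gap. `let(:provider)` is unused here as well.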