Sous-Chefs-Boneyard · detjensrobert · Aug 31, 2020 · Sep 4, 2020 · Sep 4, 2020 · Sep 4, 2020
diff --git a/documentation/resource_install.md b/documentation/resource_install.md
@@ -1,6 +1,6 @@
 # selinux_policy_install
 
-Installs the required packages and tools to setup a working SELinux enironment. A reboot may be required to fully enable SELinux.
+Installs the required packages and tools to setup a working SELinux environment. A reboot may be required to fully enable SELinux.
 
 ## Actions
 

diff --git a/kitchen.yml b/kitchen.yml
@@ -8,6 +8,12 @@ provisioner:
   chef_license: accept-no-persist
   enforce_idempotency: true
   multiple_converge: 2
+  # reboot tweaks:
+  max_retries: 3
+  wait_for_retry: 90
+  retry_on_exit_code: [35, 213]
+  client_rb:
+    client_fork: false
 
 platforms:
   - name: centos-6

diff --git a/libraries/helpers.rb b/libraries/helpers.rb
@@ -38,10 +38,6 @@ def port_defined(protocol, port, label = nil)
         "#{base_command} | #{grep}"
       end
 
-      def validate_port(port)
-        raise ArgumentError, "port value: #{port} is invalid." unless port.to_s =~ /^\d+$/
-      end
-
       def fcontext_defined(file_spec, file_type, label = nil)
         file_hash = {
           'a' => 'all files',
@@ -101,3 +97,6 @@ def semodule_cmd
     end
   end
 end
+
+Chef::Recipe.include ::SELinuxPolicy::Cookbook::Helpers
+Chef::Resource.include ::SELinuxPolicy::Cookbook::Helpers
diff --git a/resources/boolean.rb b/resources/boolean.rb
@@ -5,8 +5,6 @@
 property :allow_disabled, [true, false], default: true
 
 action_class do
-  include SELinuxPolicy::Cookbook::Helpers
-
   def sebool(persist = false)
     persist_string = persist ? '-P' : ''
     new_value = new_resource.value ? 'on' : 'off'

diff --git a/resources/fcontext.rb b/resources/fcontext.rb
@@ -63,7 +63,3 @@
     notifies :relabel, new_resource, :immediately
   end
 end
-
-action_class do
-  include SELinuxPolicy::Cookbook::Helpers
-end
diff --git a/resources/module.rb b/resources/module.rb
@@ -69,7 +69,3 @@
     only_if { use_selinux(new_resource.allow_disabled) }
   end
 end
-
-action_class do
-  include SELinuxPolicy::Cookbook::Helpers
-end
diff --git a/resources/permissive.rb b/resources/permissive.rb
@@ -20,7 +20,3 @@
     only_if { use_selinux(new_resource.allow_disabled) }
   end
 end
-
-action_class do
-  include SELinuxPolicy::Cookbook::Helpers
-end
diff --git a/resources/port.rb b/resources/port.rb
@@ -1,31 +1,27 @@
 # Manages a port assignment in SELinux
 # See http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3715134
 
-property :port, [Integer, String], name_property: true
+property :port, [Integer, String], name_property: true, regex: /^\d+$/
 property :protocol, String, equal_to: %w(tcp udp), required: %i(addormodify add modify)
 property :secontext, String, required: %i(addormodify add modify)
 property :allow_disabled, [true, false], default: true
 
 action :addormodify do
-  # TODO: We can be a bit more clever here, and try to detect if it's already
-  # there then modify
-  # Try to add new port
-  run_action(:add)
-  # Try to modify existing port
-  run_action(:modify)
+  # TODO: We can be a bit more clever here, and try to detect if it's already there then modify
+  run_action(:add)    # Try to add new port
+  run_action(:modify) # Try to modify existing port
 end
 
 # Create if doesn't exist, do not touch if port is already registered (even under different type)
 action :add do
-  validate_port(new_resource.port)
   execute "selinux-port-#{new_resource.port}-add" do
     command "#{semanage_cmd} port -a -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
     not_if port_defined(new_resource.protocol, new_resource.port)
-    not_if port_defined(new_resource.protocol, new_resource.port, new_resource.secontext)
     only_if { use_selinux(new_resource.allow_disabled) }
   end
 end
 
+# Only modify port if it exists & doesn't have the correct context already
 action :modify do
   execute "selinux-port-#{new_resource.port}-modify" do
     command "#{semanage_cmd} port -m -t #{new_resource.secontext} -p #{new_resource.protocol} #{new_resource.port}"
@@ -37,14 +33,9 @@
 
 # Delete if exists
 action :delete do
-  validate_port(new_resource.port)
   execute "selinux-port-#{new_resource.port}-delete" do
     command "#{semanage_cmd} port -d -p #{new_resource.protocol} #{new_resource.port}"
     only_if port_defined(new_resource.protocol, new_resource.port)
     only_if { use_selinux(new_resource.allow_disabled) }
   end
 end
-
-action_class do
-  include SELinuxPolicy::Cookbook::Helpers
-end
diff --git a/spec/unit/libraries/helpers_spec.rb b/spec/unit/libraries/helpers_spec.rb
@@ -111,20 +111,6 @@ class DummyClass < Chef::Node
     end
   end
 
-  describe '#validate_port' do
-    context 'valid port' do
-      it 'does not raise error' do
-        expect { subject.validate_port('6969') }.to_not raise_error
-      end
-    end
-
-    context 'invalid port' do
-      it 'raises error' do
-        expect { subject.validate_port('notaport') }.to raise_error(ArgumentError, 'port value: notaport is invalid.')
-      end
-    end
-  end
-
   describe '#fcontext_defined' do
     before { allow(subject).to receive(:semanage_cmd).and_return('semanage') }
 

diff --git a/test/integration/port/inspec/port_spec.rb b/test/integration/port/inspec/port_spec.rb
@@ -1,5 +1,5 @@
 describe command('seinfo --portcon=29000') do
-  its('stdout') { should match 'portcon tcp 29000 system_u:object_r:    http_port_t:s0' }
+  its('stdout') { should match 'portcon tcp 29000 system_u:object_r:http_port_t:s0' }
   its('stdout') { should match 'portcon udp 29000 system_u:object_r:http_port_t:s0' }
 end