diff --git a/repos/system_upgrade/el7toel8/actors/selinux/selinuxapplycustom/actor.py b/repos/system_upgrade/el7toel8/actors/selinux/selinuxapplycustom/actor.py index 0d92d8ea1e..248778a51c 100644 --- a/repos/system_upgrade/el7toel8/actors/selinux/selinuxapplycustom/actor.py +++ b/repos/system_upgrade/el7toel8/actors/selinux/selinuxapplycustom/actor.py @@ -9,6 +9,7 @@ WORKING_DIRECTORY = '/tmp/selinux/' + class SELinuxApplyCustom(Actor): ''' Re-apply SELinux customizations from RHEL-7 installation @@ -52,13 +53,13 @@ def process(self): continue try: - run([ - 'semodule', - '-X', - str(module.priority), - '-i', - cil_filename] - ) + run(['semodule', + '-X', + str(module.priority), + '-i', + cil_filename + ] + ) except CalledProcessError as e: self.log.info("Error installing module: %s", str(e)) # TODO - save the failed module to /etc/selinux ? diff --git a/repos/system_upgrade/el7toel8/actors/selinux/selinuxapplycustom/tests/component_test.py b/repos/system_upgrade/el7toel8/actors/selinux/selinuxapplycustom/tests/component_test.py index 635de798b5..300cc85e3a 100644 --- a/repos/system_upgrade/el7toel8/actors/selinux/selinuxapplycustom/tests/component_test.py +++ b/repos/system_upgrade/el7toel8/actors/selinux/selinuxapplycustom/tests/component_test.py @@ -1,5 +1,7 @@ import os +import pytest + from leapp.snactor.fixture import current_actor_context from leapp.models import SELinuxModule, SELinuxModules, SELinuxCustom, SELinuxFacts, SELinuxRequestRPMs from leapp.libraries.stdlib import api, run, CalledProcessError 
@@ -15,17 +17,19 @@ ] semanage_commands = [ -['fcontext', '-t', 'ganesha_var_run_t', "'/ganesha(/.*)?'"], -['fcontext', '-t', 'httpd_sys_content_t', "'/web(/.*)?'"], -['port', '-t', 'http_port_t', '-p', 'udp', '81'] + ['fcontext', '-t', 'ganesha_var_run_t', "'/ganesha(/.*)?'"], + ['fcontext', '-t', 'httpd_sys_content_t', "'/web(/.*)?'"], + ['port', '-t', 'http_port_t', '-p', 'udp', '81'] ] + def findModuleSemodule(semodule_lfull, name, priority): for line in semodule_lfull: if name in line and priority in line: return line return None + def findSemanageRule(rules, rule): for r in rules: for word in rule: @@ -35,11 +39,13 @@ def findSemanageRule(rules, rule): return r return None + +@pytest.mark.skip(reason='Test disabled because it would modify the system') def test_SELinuxApplyCustom(current_actor_context): semodule_list = [SELinuxModule(name=module, priority=int(prio), content="(allow domain proc_type (file (getattr open read)))", removed=[]) - for (prio, module) in test_modules] + for (prio, module) in test_modules] commands = [" ".join([c[0], "-a"] + c[1:]) for c in semanage_commands[1:]] semanage_removed = [" ".join([semanage_commands[0][0], "-a"] + semanage_commands[0][1:])] @@ -68,7 +74,10 @@ def test_SELinuxApplyCustom(current_actor_context): for command in semanage_commands[1:-1]: assert findSemanageRule(semanage_export, command) -def teardown(): + +# Test disabled because it's setup and teardown would modify the system +# Remove "_" before re-activation +def teardown_(): for priority, module in test_modules: try: run(["semodule", "-X", priority, "-r", module]) diff --git a/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/actor.py b/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/actor.py index 0864c734fc..d92f2c3c43 100644 --- a/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/actor.py +++ b/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/actor.py 
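Review bot: Renaming the hook to `teardown_` (last hunk of this file) is a second, separate switch next to the `@pytest.mark.skip` on `test_SELinuxApplyCustom`, and only a comment ties the two together. If the decorator is later removed without undoing the rename, the test runs against the host and the `semodule -X <priority> -r <module>` cleanup never does, so the test modules stay installed. A single gate would be safer: keep the real hook names, return early from them when a module-level flag is false, and drive the test from the same flag with `@pytest.mark.skipif(not enabled, reason='would modify the system')`; the selinuxprepare component test in this commit already introduces such an `enabled = False`. The same rename pattern is used for `setup_` and `teardown_` in selinuxcontentscanner/tests/component_test.py, where the comment and skip reason should also read "its setup" rather than "it's setup". The bodies of the test and of `teardown_` continue outside the hunks.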
@@ -1,7 +1,6 @@ from leapp.actors import Actor from leapp.models import SELinuxModules, SELinuxCustom, SELinuxFacts, SELinuxRequestRPMs, RpmTransactionTasks from leapp.tags import FactsPhaseTag, IPUWorkflowTag -from leapp.libraries.stdlib import run, CalledProcessError from leapp.libraries.actor import library diff --git a/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/libraries/library.py b/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/libraries/library.py index 766e8fe32e..07d5c72f22 100644 --- a/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/libraries/library.py +++ b/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/libraries/library.py @@ -1,6 +1,7 @@ import os import re from shutil import rmtree + from leapp.libraries.stdlib import api, run, CalledProcessError from leapp.models import SELinuxModule @@ -28,6 +29,7 @@ WORKING_DIRECTORY = '/tmp/selinux/' + def checkModule(name): ''' Check if given module contains one of removed types. @@ -61,7 +63,7 @@ def listSELinuxModules(): # " " m = re.match(r'([0-9]+)\s+([\w-]+)\s+([\w-]+)\s*\Z', module) if not m: - #invalid output of "semodule -lfull" + # invalid output of "semodule -lfull" api.current_logger().info('Invalid output of "semodule -lfull": %s', module) continue modules.append((m.group(2), m.group(1))) @@ -166,6 +168,7 @@ def getSELinuxModules(): return (semodule_list, retain_rpms, install_rpms) + def getSELinuxCustomizations(): ''' Extract local SELinux customizations introduced by semanage command diff --git a/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/tests/component_test.py b/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/tests/component_test.py index 4b521832f0..1484730bdc 100644 --- a/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/tests/component_test.py +++ b/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/tests/component_test.py 
@@ -1,5 +1,7 @@ import os +import pytest + from leapp.snactor.fixture import current_actor_context from leapp.models import SELinuxModule, SELinuxModules, SELinuxCustom, SELinuxFacts, SELinuxRequestRPMs from leapp.libraries.stdlib import api, run, CalledProcessError @@ -14,15 +16,18 @@ ] semanage_commands = [ -['fcontext', '-t', 'httpd_sys_content_t', '"/web(/.*)?"'], -['fcontext', '-t', 'ganesha_var_run_t', '"/ganesha(/.*)?"'], -['port', '-t', 'http_port_t', '-p', 'udp', '81'], -['permissive', 'abrt_t'] + ['fcontext', '-t', 'httpd_sys_content_t', '"/web(/.*)?"'], + ['fcontext', '-t', 'ganesha_var_run_t', '"/ganesha(/.*)?"'], + ['port', '-t', 'http_port_t', '-p', 'udp', '81'], + ['permissive', 'abrt_t'] ] testmoduledir = os.path.join(os.getcwd(), "tests/mock_modules/") -def setup(): + +# Test disabled because it's setup and teardown would modify the system +# Remove "_" before re-activation +def setup_(): for priority, module in test_modules: try: semodule = run(["semodule", "-X", priority, "-i", os.path.join(testmoduledir, module + ".cil")]) @@ -39,12 +44,14 @@ def setup(): api.current_logger().warning("Error applying selinux customizations %s", str(e.stderr)) continue + def findModule(selinuxmodules, name, priority): for module in selinuxmodules.modules: if module.name == name and module.priority == int(priority): return module return None + def findSemanageRule(rules, rule): for r in rules: for word in rule: @@ -54,6 +61,8 @@ def findSemanageRule(rules, rule): return r return None + +@pytest.mark.skip(reason="Test disabled because it's setup and teardown would modify the system") def test_SELinuxContentScanner(current_actor_context): expected_data = {'policy': 'targeted', 
@@ -89,7 +98,9 @@ def test_SELinuxContentScanner(current_actor_context): assert findSemanageRule(custom.commands, semanage_commands[2]) -def teardown(): +# Test disabled because it's setup and teardown would modify the system +# Remove "_" before re-activation +def teardown_(): for command in semanage_commands[:-1]: try: run(["semanage", command[0], "-d"] + command[1:]) diff --git a/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/tests/unit_test.py b/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/tests/unit_test.py index d97a970fba..e64cac24e7 100644 --- a/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/tests/unit_test.py +++ b/repos/system_upgrade/el7toel8/actors/selinux/selinuxcontentscanner/tests/unit_test.py @@ -1,6 +1,7 @@ from leapp.libraries.stdlib import run, CalledProcessError from leapp.libraries.actor import library + class run_mocked(object): def __init__(self): self.args = [] 
@@ -12,28 +13,29 @@ def __call__(self, args, split=True): if self.args == ['semodule', '-lfull']: stdout = ["400 permissive_abrt_t cil", - "400 zebra cil", - "300 zebra cil", - "100 vpn pp ", - "099 zebra cil ", - "100 minissdpd pp"] + "400 zebra cil", + "300 zebra cil", + "100 vpn pp ", + "099 zebra cil ", + "100 minissdpd pp"] elif self.args == ['semanage', 'export']: stdout = ["boolean -D", - "login -D", - "interface -D", - "user -D", - "port -D", - "node -D", - "fcontext -D", - "module -D", - "boolean -m -1 cron_can_relabel", - "port -a -t http_port_t -p udp 81", - "fcontext -a -f a -t httpd_sys_content_t '/web(/.*)?'", - "fcontext -a -f a -t ganesha_var_run_t '/ganesha(/.*)?'"] + "login -D", + "interface -D", + "user -D", + "port -D", + "node -D", + "fcontext -D", + "module -D", + "boolean -m -1 cron_can_relabel", + "port -a -t http_port_t -p udp 81", + "fcontext -a -f a -t httpd_sys_content_t '/web(/.*)?'", + "fcontext -a -f a -t ganesha_var_run_t '/ganesha(/.*)?'"] return {'stdout': stdout} + class run_mocked_fail(object): def __init__(self): self.called = 0 @@ -56,6 +58,7 @@ def test_listSELinuxModules(monkeypatch): assert library.listSELinuxModules() == [] + def test_getSELinuxCustomizations(monkeypatch): monkeypatch.setattr(library, "run", run_mocked()) diff --git a/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/actor.py b/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/actor.py index 1eba8ea76e..25d7f0f006 100644 --- a/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/actor.py +++ b/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/actor.py @@ -1,9 +1,9 @@ from leapp.actors import Actor from leapp.models import SELinuxModules, SELinuxCustom from leapp.tags import PreparationPhaseTag, IPUWorkflowTag -from leapp.libraries.stdlib import run, CalledProcessError from leapp.libraries.actor import library + class SELinuxPrepare(Actor): ''' Remove selinux policy customizations before updating selinux-policy* packages 
diff --git a/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/libraries/library.py b/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/libraries/library.py index bc3b10b07a..2ce6a8a4df 100644 --- a/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/libraries/library.py +++ b/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/libraries/library.py @@ -1,5 +1,6 @@ from leapp.libraries.stdlib import api, run, CalledProcessError -from leapp.models import SELinuxModules, SELinuxCustom +from leapp.models import SELinuxModules + def removeSemanageCustomizations(): # remove SELinux customizations done by semanage -- to be reintroduced after the upgrade @@ -14,6 +15,7 @@ def removeSemanageCustomizations(): except CalledProcessError: continue + def removeCustomModules(): # remove custom SElinux modules - to be reinstalled after the upgrade for semodules in api.consume(SELinuxModules): @@ -21,13 +23,12 @@ def removeCustomModules(): for module in semodules.modules: api.current_logger().info("Removing %s on priority %d.", module.name, module.priority) try: - run([ - 'semodule', - '-X', - str(module.priority), - '-r', - module.name] - ) + run(['semodule', + '-X', + str(module.priority), + '-r', + module.name] + ) except CalledProcessError as e: api.current_logger().info("Failed to remove module %s on priority %d: %s", module.name, module.priority, str(e)) diff --git a/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/tests/component_test.py b/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/tests/component_test.py index e0de16755d..e5eb4fab6f 100644 --- a/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/tests/component_test.py +++ b/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/tests/component_test.py 
@@ -1,10 +1,14 @@ import os +import pytest + from leapp.snactor.fixture import current_actor_context from leapp.models import SELinuxModule, SELinuxModules, SELinuxCustom from leapp.libraries.stdlib import api, run, CalledProcessError from leapp.reporting import Report +enabled = False + test_modules = [ ["400", "mock1"], ["99", "mock1"], 
@@ -14,40 +18,46 @@ ] semanage_commands = [ -['fcontext', '-t', 'httpd_sys_content_t', '"/web(/.*)?"'], -['fcontext', '-t', 'ganesha_var_run_t', '"/ganesha(/.*)?"'], -['port', '-t', 'http_port_t', '-p', 'udp', '81'], -['permissive', 'abrt_t'] + ['fcontext', '-t', 'httpd_sys_content_t', '"/web(/.*)?"'], + ['fcontext', '-t', 'ganesha_var_run_t', '"/ganesha(/.*)?"'], + ['port', '-t', 'http_port_t', '-p', 'udp', '81'], + ['permissive', 'abrt_t'] ] # save value of semodule -lfull for comparison semodule_lfull = "" semanage_export = "" -try: - semodule = run(["semodule", "-lfull"], split=False) - semodule_lfull = semodule.get("stdout", "") - semanage = run(["semanage", "export"], split=False) - semanage_export = semanage.get("stdout", "") -except CalledProcessError as e: - api.current_logger().warning("Error listing SELinux customizations: %s", str(e.stderr)) + +if enabled: + try: + semodule = run(["semodule", "-lfull"], split=False) + semodule_lfull = semodule.get("stdout", "") + semanage = run(["semanage", "export"], split=False) + semanage_export = semanage.get("stdout", "") + except CalledProcessError as e: + api.current_logger().warning("Error listing SELinux customizations: %s", str(e.stderr)) testmoduledir = os.path.join(os.getcwd(), "tests/mock_modules/") + def setup(): - for priority, module in test_modules: - try: - run(["semodule", "-X", priority, "-i", os.path.join(testmoduledir, module + ".cil")]) - except CalledProcessError as e: - api.current_logger().warning("Error installing mock module: %s", str(e.stderr)) - continue - - for command in semanage_commands: - try: - run(["semanage", command[0], "-a"] + command[1:]) - except CalledProcessError as e: - api.current_logger().warning("Error applying selinux customizations %s", str(e.stderr)) - continue + if enabled: + for priority, module in test_modules: + try: + run(["semodule", "-X", priority, "-i", os.path.join(testmoduledir, module + ".cil")]) + except CalledProcessError as e: + 
api.current_logger().warning("Error installing mock module: %s", str(e.stderr)) + continue + + for command in semanage_commands: + try: + run(["semanage", command[0], "-a"] + command[1:]) + except CalledProcessError as e: + api.current_logger().warning("Error applying selinux customizations %s", str(e.stderr)) + continue + +@pytest.mark.skip(reason='Test disabled because it would modify the system') def test_SELinuxPrepare(current_actor_context): try: semodule = run(["semodule", "-lfull"], split=False) @@ -58,7 +68,7 @@ def test_SELinuxPrepare(current_actor_context): api.current_logger().warning("Error listing SELinux customizations: %s", str(e.stderr)) semodule_list = [SELinuxModule(name=module, priority=int(prio), content="", removed=[]) - for (prio, module) in test_modules + [["400", "permissive_abrt_t"]]] + for (prio, module) in test_modules + [["400", "permissive_abrt_t"]]] current_actor_context.feed(SELinuxModules(modules=semodule_list)) current_actor_context.run() @@ -73,17 +83,19 @@ def test_SELinuxPrepare(current_actor_context): api.current_logger().warning("Error listing SELinux customizations: %s", str(e.stderr)) assert False + def teardown(): - for priority, module in test_modules + [["400", "permissive_abrt_t"]]: - try: - run(["semodule", "-X", priority, "-r", module]) - except CalledProcessError: - #expected -- should be removed by the actor - pass - - for command in semanage_commands: - try: - run(["semanage", command[0], "-d"] + command[1:]) - except CalledProcessError: - #expected -- should be removed by the actor - continue + if enabled: + for priority, module in test_modules + [["400", "permissive_abrt_t"]]: + try: + run(["semodule", "-X", priority, "-r", module]) + except CalledProcessError: + # expected -- should be removed by the actor + pass + + for command in semanage_commands: + try: + run(["semanage", command[0], "-d"] + command[1:]) + except CalledProcessError: + # expected -- should be removed by the actor + continue 
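Review bot: `enabled` and the `@pytest.mark.skip` on `test_SELinuxPrepare` are independent, so setting `enabled = True` re-activates the module-level `run(...)` calls and the `setup()`/`teardown()` bodies while the test itself stays skipped. Depending on how pytest schedules module hooks around skipped tests, that could install the mock modules and semanage rules with no assertion ever run; at minimum, `semodule -lfull` and `semanage export` would run at import time during collection. Driving the decorator from the same flag keeps it to one switch: `@pytest.mark.skipif(not enabled, reason='Test disabled because it would modify the system')`. A comment next to `enabled = False` saying that it may only be set on a disposable host would also help, since setup and teardown add and delete real SELinux policy.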
diff --git a/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/tests/unit_test.py b/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/tests/unit_test.py index 6247cdabe5..091b5da761 100644 --- a/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/tests/unit_test.py +++ b/repos/system_upgrade/el7toel8/actors/selinux/selinuxprepare/tests/unit_test.py @@ -3,6 +3,7 @@ from leapp.libraries.stdlib import api from leapp.models import SELinuxModules, SELinuxModule + class run_mocked(object): def __init__(self): self.args = [] @@ -23,20 +24,19 @@ def __call__(self, args, split=True): return {'stdout': stdout} + def test_removeCustomModules(monkeypatch): mock_modules = {"a": 99, "b": 300, "c": 400, - "abrt":190} + "abrt": 190} def consume_SELinuxModules_mocked(*models): semodule_list = [SELinuxModule(name=k, priority=mock_modules[k], content="", removed=[]) - for k in mock_modules] - + for k in mock_modules] yield SELinuxModules(modules=semodule_list) - monkeypatch.setattr(api, "consume", consume_SELinuxModules_mocked) monkeypatch.setattr(library, "run", run_mocked()) diff --git a/repos/system_upgrade/el7toel8/models/selinux.py b/repos/system_upgrade/el7toel8/models/selinux.py index f4964d9b39..20fb93edd8 100644 --- a/repos/system_upgrade/el7toel8/models/selinux.py +++ b/repos/system_upgrade/el7toel8/models/selinux.py @@ -1,6 +1,7 @@ from leapp.models import Model, fields from leapp.topics import SystemInfoTopic, TransactionTopic + class SELinuxModule(Model): """SELinux module in cil including priority""" topic = SystemInfoTopic 
@@ -10,17 +11,20 @@ class SELinuxModule(Model): # lines removed due to content invalid on RHEL 8 removed = fields.List(fields.String()) + class SELinuxModules(Model): """List of custom selinux modules (priority != 100,200)""" topic = SystemInfoTopic modules = fields.List(fields.Model(SELinuxModule)) + class SELinuxCustom(Model): """SELinux customizations returned by semanage export""" topic = SystemInfoTopic commands = fields.List(fields.String()) removed = fields.List(fields.String()) + class SELinuxRequestRPMs(Model): """ SELinux related RPM packages that need to be present after upgrade