Add a new option -V to verify installed policies

This new parameter will help ensuring the package did properly install. It will ensure we're on an SELinux enabled, Enforcing system, then loop on the different $MODULES to ensure they are present on the system. In the end, this will help ensuring the package is properly installed, avoiding future hide'n'seek parties when we're seeing any weird SELinux issues within TripleO.
redhat-openstack · Jun 10, 2022 · d3a3ac6 · d3a3ac6
1 parent dca6198
commit d3a3ac6
Showing 1 changed file with 27 additions and 1 deletion.
diff --git a/local_settings.sh.in b/local_settings.sh.in
@@ -303,8 +303,28 @@ uninstall_policies() {
 	_restore_file_modes
 }
 
+verify_policies() {
+	selinuxenabled || (echo "SELinux is disabled" && exit 0)
+	test $(getenforce) == Enforcing || (echo "SELinux is permissive" && exit 0)
+
+	failed_count=0
+	for module in $MODULES; do
+		local_failed=1
+		while read installed_module; do
+			if [ "$module" == "$installed_module" ]; then
+				local_failed=0
+				break
+			fi
+		done < <(semodule -l)
+		test ${local_failed} -ne 0 && echo "Missing ${module}!"
+		let "failed_count+=$local_failed"
+	done
+	echo "Found ${failed_count} missing module(s)."
+	(test ${failed_count} -eq 0 && exit 0) || exit 1
+}
+
 
-while getopts m:xq opt; do
+while getopts m:xqV opt; do
 	case $opt in
 	m)	# modules
 		MODULES="$OPTARG"
@@ -315,6 +335,9 @@ while getopts m:xq opt; do
 	q)
 		QUIET=0
 		;;
+	V)
+		MODE=2
+		;;
 	esac
 done
 
@@ -326,5 +349,8 @@ case $MODE in
 	1)
 		uninstall_policies
 		;;
+	2)
+		verify_policies
+		;;
 esac
 exit $?