From d3a3ac6c86a0bf31058c5274f4afbc9367069b0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Fri, 10 Jun 2022 18:09:06 +0200
Subject: [PATCH] Add a new option -V to verify installed policies

This new parameter will help ensuring the package did properly install. It will ensure we're on an SELinux enabled, Enforcing system, then loop on the different $MODULES to ensure they are present on the system. In the end, this will help ensuring the package is properly installed, avoiding future hide'n'seek parties when we're seeing any weird SELinux issues within TripleO.
---
 local_settings.sh.in | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/local_settings.sh.in b/local_settings.sh.in
index e1b7220..0a36ca1 100644
--- a/local_settings.sh.in
+++ b/local_settings.sh.in
@@ -303,8 +303,28 @@ uninstall_policies() {
 _restore_file_modes
 }
+verify_policies() {
+ selinuxenabled || (echo "SELinux is disabled" && exit 0)
+ test $(getenforce) == Enforcing || (echo "SELinux is permissive" && exit 0)
+
+ failed_count=0
+ for module in $MODULES; do
+ local_failed=1
+ while read installed_module; do
+ if [ "$module" == "$installed_module" ]; then
+ local_failed=0
+ break
+ fi
+ done < <(semodule -l)
+ test ${local_failed} -ne 0 && echo "Missing ${module}!"
+ let "failed_count+=$local_failed"
+ done
+ echo "Found ${failed_count} missing module(s)."
+ (test ${failed_count} -eq 0 && exit 0) || exit 1
+}
+
-while getopts m:xq opt; do
+while getopts m:xqV opt; do
 case $opt in
 m) # modules
 MODULES="$OPTARG"
@@ -315,6 +335,9 @@ while getopts m:xq opt; do
 q)
 QUIET=0
 ;;
+ V)
+ MODE=2
+ ;;
 esac
 done
@@ -326,5 +349,8 @@ case $MODE in
 1)
 uninstall_policies
 ;;
+ 2)
+ verify_policies
+ ;;
 esac
 exit $?
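Review bot: The two early exits at the top of `verify_policies` never leave the function, because each `exit 0` runs inside a `( … )` subshell and only ends that subshell; on a disabled or permissive host the message is printed and execution still falls through to the module loop. A brace group with `return` does what the commit message describes: `selinuxenabled || { echo "SELinux is disabled"; return 0; }` and `[ "$(getenforce)" == Enforcing ] || { echo "SELinux is permissive"; return 0; }`, which also quotes the `getenforce` substitution. Separately, reporting success when SELinux is not enforcing leaves a caller unable to tell "verified" from "skipped"; if that is intended, a comment saying so (or a distinct exit status) would help anyone relying on -V as an installation check. The inner `while read installed_module` compares the whole `semodule -l` line, so it would presumably miss modules on policycoreutils releases that print a version column after the name; worth confirming for the supported platforms.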