Add acceptance tests for selinux::fcontext

voxpupuli · Jan 22, 2017 · 0b4a314 · 0b4a314
1 parent a82eb90
commit 0b4a314
Showing 1 changed file with 41 additions and 0 deletions.
diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb
@@ -30,9 +30,38 @@ class { 'selinux': mode => 'enforcing' }
         seltype => 'puppet_selinux_test_policy_exec_t',
       }
 
+      selinux::fcontext {'/tmp/fcontexts_source(/.*)?':
+        seltype => 'puppet_selinux_test_policy_exec_t',
+      }
+
+      selinux::fcontext::equivalence {'/tmp/fcontexts_equivalent':
+        target => '/tmp/fcontexts_source',
+      }
+
+      file {['/tmp/fcontexts_source', '/tmp/fcontexts_equivalent']:
+        ensure => 'directory',
+        require => [Selinux::Fcontext['/tmp/fcontexts_source(/.*)?'], Selinux::Fcontext::Equivalence['/tmp/fcontexts_equivalent']],
+      }
+
+      file {['/tmp/fcontexts_source/define_test', '/tmp/fcontexts_equivalent/define_test']:
+        ensure  => file,
+        notify  => Exec["/sbin/restorecon -FR /tmp/fcontexts_*"]
+      }
+      exec {'/sbin/restorecon -FR /tmp/fcontexts_*':
+      # this is needed because puppet creates files with the wrong context as
+      # it runs unconfined and only becomes idempotent after the second run.
+        refreshonly => true,
+      }
+
+      # test purging
+      resources {['selinux_fcontext', 'selinux_fcontext_equivalence']: purge => true }
+
     EOS
   end
 
+  # We should really add something for it to purge, but we can't because
+  # semanage doesn't even exist at the start. maybe a separate spec run after this?
+
   it_behaves_like 'a idempotent resource'
 
   describe package('selinux-policy-targeted') do
@@ -63,6 +92,18 @@ class { 'selinux': mode => 'enforcing' }
     end
   end
 
+  context 'the define test directory should have the specified file context' do
+    describe file('/tmp/fcontexts_source/define_test') do
+      its(:selinux_label) { is_expected.to match(%r{^.*:puppet_selinux_test_policy_exec_t:s0$}) }
+    end
+  end
+
+  context 'the define equivalence test directory should have the same file context' do
+    describe file('/tmp/fcontexts_equivalent/define_test') do
+      its(:selinux_label) { is_expected.to match(%r{^.*:puppet_selinux_test_policy_exec_t:s0$}) }
+    end
+  end
+
   context 'test boolean is available and activated' do
     describe command('getsebool puppet_selinux_test_policy_bool') do
       its(:stdout) { is_expected.to match(%r{puppet_selinux_test_policy_bool --> on}) }