community.general/tests/integration/targets/sefcontext/tasks/sefcontext.yml

---
# Copyright (c) 2016, Dag Wieers <dag@wieers.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

- name: install requirements for RHEL
  package:
    name: policycoreutils-python
  when:
    - ansible_distribution == 'RedHat'
    - ansible_distribution_major_version|int < 8

- name: install requirements for rhel8 beta
  package:
    name: python3-policycoreutils
  when:
    - ansible_distribution == 'RedHat'
    - ansible_distribution_major_version|int >= 8

- name: Ensure we start with a clean state
  sefcontext:
    path: '/tmp/foo/bar(/.*)?'
    setype: httpd_sys_content_t
    state: absent

- name: Ensure we start with a clean state
  sefcontext:
    path: /tmp/foo
    state: absent

- name: Set SELinux file context of foo/bar
  sefcontext:
    path: '/tmp/foo/bar(/.*)?'
    setype: httpd_sys_content_t
    state: present
    reload: false
  register: first

- assert:
    that:
    - first is changed
    - first.setype == 'httpd_sys_content_t'

- name: Set SELinux file context of foo/bar (again)
  sefcontext:
    path: '/tmp/foo/bar(/.*)?'
    setype: httpd_sys_content_t
    state: present
    reload: false
  register: second

- assert:
    that:
    - second is not changed
    - second.setype == 'httpd_sys_content_t'

- name: Change SELinux file context of foo/bar
  sefcontext:
    path: '/tmp/foo/bar(/.*)?'
    setype: unlabeled_t
    state: present
    reload: false
  register: third

- assert:
    that:
    - third is changed
    - third.setype == 'unlabeled_t'

- name: Change SELinux file context of foo/bar (again)
  sefcontext:
    path: '/tmp/foo/bar(/.*)?'
    setype: unlabeled_t
    state: present
    reload: false
  register: fourth

- assert:
    that:
    - fourth is not changed
    - fourth.setype == 'unlabeled_t'

- name: Delete SELinux file context of foo/bar
  sefcontext:
    path: '/tmp/foo/bar(/.*)?'
    setype: httpd_sys_content_t
    state: absent
    reload: false
  register: fifth

- assert:
    that:
    - fifth is changed
    - fifth.setype == 'httpd_sys_content_t'

- name: Delete SELinux file context of foo/bar (again)
  sefcontext:
    path: '/tmp/foo/bar(/.*)?'
    setype: unlabeled_t
    state: absent
    reload: false
  register: sixth

- assert:
    that:
    - sixth is not changed
    - sixth.setype == 'unlabeled_t'

- name: Set SELinux file context path substitution of foo
  sefcontext:
    path: /tmp/foo
    substitute: /home
    state: present
    reload: no
  register: subst_first

- assert:
    that:
    - subst_first is changed
    - subst_first.substitute == '/home'

- name: Set SELinux file context path substitution of foo (again)
  sefcontext:
    path: /tmp/foo
    substitute: /home
    state: present
    reload: no
  register: subst_second

- assert:
    that:
    - subst_second is not changed
    - subst_second.substitute == '/home'

- name: Change SELinux file context path substitution of foo
  sefcontext:
    path: /tmp/foo
    substitute: /boot
    state: present
    reload: no
  register: subst_third

- assert:
    that:
    - subst_third is changed
    - subst_third.substitute == '/boot'

- name: Change SELinux file context path substitution of foo (again)
  sefcontext:
    path: /tmp/foo
    substitute: /boot
    state: present
    reload: no
  register: subst_fourth

- assert:
    that:
    - subst_fourth is not changed
    - subst_fourth.substitute == '/boot'

- name: Try to delete non-existing SELinux file context path substitution of foo
  sefcontext:
    path: /tmp/foo
    substitute: /dev
    state: absent
    reload: no
  register: subst_fifth

- assert:
    that:
    - subst_fifth is not changed
    - subst_fifth.substitute == '/dev'

- name: Delete SELinux file context path substitution of foo
  sefcontext:
    path: /tmp/foo
    substitute: /boot
    state: absent
    reload: no
  register: subst_sixth

- assert:
    that:
    - subst_sixth is changed
    - subst_sixth.substitute == '/boot'

- name: Delete SELinux file context path substitution of foo (again)
  sefcontext:
    path: /tmp/foo
    substitute: /boot
    state: absent
    reload: no
  register: subst_seventh

- assert:
    that:
    - subst_seventh is not changed
    - subst_seventh.substitute == '/boot'

- name: Set SELinux file context path substitution of foo
  sefcontext:
    path: /tmp/foo
    substitute: /home
    state: present
    reload: no
  register: subst_eighth

- assert:
    that:
    - subst_eighth is changed
    - subst_eighth.substitute == '/home'

- name: Delete SELinux file context path substitution of foo
  sefcontext:
    path: /tmp/foo
    state: absent
    reload: no
  register: subst_ninth

- assert:
    that:
    - subst_ninth is changed

- name: Delete SELinux file context path substitution of foo (again)
  sefcontext:
    path: /tmp/foo
    state: absent
    reload: no
  register: subst_tenth

- assert:
    that:
    - subst_tenth is not changed
Add more license statements (#5079) * Add more license statements. These were modified manually incorporating existing data. * Remove accidentally added line. 2022-08-07 13:37:23 +02:00			`---`
			`# Copyright (c) 2016, Dag Wieers <dag@wieers.com>`
			`# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)`
			`# SPDX-License-Identifier: GPL-3.0-or-later`
Initial commit 2020-03-09 10:11:07 +01:00
			`- name: install requirements for RHEL`
			`package:`
			`name: policycoreutils-python`
			`when:`
			`- ansible_distribution == 'RedHat'`
			`- ansible_distribution_major_version\|int < 8`

			`- name: install requirements for rhel8 beta`
			`package:`
			`name: python3-policycoreutils`
			`when:`
			`- ansible_distribution == 'RedHat'`
			`- ansible_distribution_major_version\|int >= 8`

			`- name: Ensure we start with a clean state`
			`sefcontext:`
			`path: '/tmp/foo/bar(/.*)?'`
			`setype: httpd_sys_content_t`
			`state: absent`

[PR #5830/c8a2ac3a backport][stable-6] sefcontext: add support for path substitutions (#6098) sefcontext: add support for path substitutions (#5830) * sefcontext: add path substitution support (#1193) First commit for feedback, missing docs and tests. * sefcontext: add documentation * Add changelog fragment * Documentation formatting * Delete extra newline * pep8 fixes Fix indentation * Add version_added to arg docs * Add examples * Don't delete non-matching path substitutions * Add integration tests * Delete only substitutions if such arg passed Don't delete existing regular file context mappings if deletion of a path substitution was requested with the presence of the `equal` arg - delete only path substitutions in such case. Path substitutions and regular mappings may overlap. * Can only add args in minor releases :( * Cleanup before tests * Fix deletion using substitution Was comparing wrong var. * Fix test checking wrong var * Improve args documentation and examples List the default values for selevel, seuser. Add example for deleting path substitutions only. * Add attributes documentation block Not sure if should add become/delegate/async, shouldn't those work just like that without any specific code added for them? * and fix indentation on attribute block * Consistent indentation for attributes Confusing, most plugins indent with 4 spaces. But some use 2 like the rest of the code, so use 2. * Add missing ref for attribute block * Use correct c.g version in doc block Co-authored-by: Felix Fontein <felix@fontein.de> * Add full stop to changelog fragment Co-authored-by: Felix Fontein <felix@fontein.de> * Streamline documentation Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> * Support limiting deletion to setype Deleting file context mappings may be limited by passing setype or equal, if neither arg is passed then delete either setype/equal mappings that match. * Change arg name, diff mode output fix Change arg name from equal to substitute. Print target = subsitute in diff mode same way as semanage does. Also put back platform attribute, try to improve clumsy language in the substitute arg docs. * Delete even if arg setype not match existing Test 5 indicates that deletion is supposed to not check that the arg setype passed when deleting matches the setype of the mapping to delete. Delete any mapping that matches target, regardless of setype arg value. * Update arg name in tests * Too eager replacing Accidentally replaced seobject function names so fix them back * 4564: Fix invalid setype in doc example Change from httpd_git_rw_content_t which does not exist to httpd_sys_rw_content_t Fixes #4564 * Fix documentation attributes Additional fragment Co-authored-by: Felix Fontein <felix@fontein.de> * Update version_added in docs Bumping minor to 6.4.0 since it didn't make 6.3.0. * Add more description to the new arg docs Try to improve discoverability of the new feature and make it easier to understand without deep SELinux understanding. * Update platform to Linux in documentation * Add equal as alias for the new argument Improve discoverability of the new feature by adding an alias to the new module argument. The argument name "equal" will be easy to find for users who are not familiar with SELinux and who just try to match to the CLI tool `semanage`. * And add alias argument properly Previous commit missed actually adding the alias (added to docs only). --------- Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> (cherry picked from commit c8a2ac3a475ab490ad00f1db1a6197b108c66413) Co-authored-by: bluikko <14869000+bluikko@users.noreply.github.com> 2023-02-26 14:23:53 +01:00			`- name: Ensure we start with a clean state`
			`sefcontext:`
			`path: /tmp/foo`
			`state: absent`

Initial commit 2020-03-09 10:11:07 +01:00			`- name: Set SELinux file context of foo/bar`
			`sefcontext:`
			`path: '/tmp/foo/bar(/.*)?'`
			`setype: httpd_sys_content_t`
			`state: present`
[PR #5996/24efe9ee backport][stable-6] Normalize bools in tests (#5997) Normalize bools in tests (#5996) * Normalize bools in tests. * Fix typo. (cherry picked from commit 24efe9ee9a39fb41bfe3a185c46450df19c5db31) Co-authored-by: Felix Fontein <felix@fontein.de> 2023-02-16 06:42:27 +01:00			`reload: false`
Initial commit 2020-03-09 10:11:07 +01:00			`register: first`

			`- assert:`
			`that:`
			`- first is changed`
			`- first.setype == 'httpd_sys_content_t'`

			`- name: Set SELinux file context of foo/bar (again)`
			`sefcontext:`
			`path: '/tmp/foo/bar(/.*)?'`
			`setype: httpd_sys_content_t`
			`state: present`
[PR #5996/24efe9ee backport][stable-6] Normalize bools in tests (#5997) Normalize bools in tests (#5996) * Normalize bools in tests. * Fix typo. (cherry picked from commit 24efe9ee9a39fb41bfe3a185c46450df19c5db31) Co-authored-by: Felix Fontein <felix@fontein.de> 2023-02-16 06:42:27 +01:00			`reload: false`
Initial commit 2020-03-09 10:11:07 +01:00			`register: second`

			`- assert:`
			`that:`
			`- second is not changed`
			`- second.setype == 'httpd_sys_content_t'`

			`- name: Change SELinux file context of foo/bar`
			`sefcontext:`
			`path: '/tmp/foo/bar(/.*)?'`
			`setype: unlabeled_t`
			`state: present`
[PR #5996/24efe9ee backport][stable-6] Normalize bools in tests (#5997) Normalize bools in tests (#5996) * Normalize bools in tests. * Fix typo. (cherry picked from commit 24efe9ee9a39fb41bfe3a185c46450df19c5db31) Co-authored-by: Felix Fontein <felix@fontein.de> 2023-02-16 06:42:27 +01:00			`reload: false`
Initial commit 2020-03-09 10:11:07 +01:00			`register: third`

			`- assert:`
			`that:`
			`- third is changed`
			`- third.setype == 'unlabeled_t'`

			`- name: Change SELinux file context of foo/bar (again)`
			`sefcontext:`
			`path: '/tmp/foo/bar(/.*)?'`
			`setype: unlabeled_t`
			`state: present`
[PR #5996/24efe9ee backport][stable-6] Normalize bools in tests (#5997) Normalize bools in tests (#5996) * Normalize bools in tests. * Fix typo. (cherry picked from commit 24efe9ee9a39fb41bfe3a185c46450df19c5db31) Co-authored-by: Felix Fontein <felix@fontein.de> 2023-02-16 06:42:27 +01:00			`reload: false`
Initial commit 2020-03-09 10:11:07 +01:00			`register: fourth`

			`- assert:`
			`that:`
			`- fourth is not changed`
			`- fourth.setype == 'unlabeled_t'`

			`- name: Delete SELinux file context of foo/bar`
			`sefcontext:`
			`path: '/tmp/foo/bar(/.*)?'`
			`setype: httpd_sys_content_t`
			`state: absent`
[PR #5996/24efe9ee backport][stable-6] Normalize bools in tests (#5997) Normalize bools in tests (#5996) * Normalize bools in tests. * Fix typo. (cherry picked from commit 24efe9ee9a39fb41bfe3a185c46450df19c5db31) Co-authored-by: Felix Fontein <felix@fontein.de> 2023-02-16 06:42:27 +01:00			`reload: false`
Initial commit 2020-03-09 10:11:07 +01:00			`register: fifth`

			`- assert:`
			`that:`
			`- fifth is changed`
			`- fifth.setype == 'httpd_sys_content_t'`

			`- name: Delete SELinux file context of foo/bar (again)`
			`sefcontext:`
			`path: '/tmp/foo/bar(/.*)?'`
			`setype: unlabeled_t`
			`state: absent`
[PR #5996/24efe9ee backport][stable-6] Normalize bools in tests (#5997) Normalize bools in tests (#5996) * Normalize bools in tests. * Fix typo. (cherry picked from commit 24efe9ee9a39fb41bfe3a185c46450df19c5db31) Co-authored-by: Felix Fontein <felix@fontein.de> 2023-02-16 06:42:27 +01:00			`reload: false`
Initial commit 2020-03-09 10:11:07 +01:00			`register: sixth`

			`- assert:`
			`that:`
			`- sixth is not changed`
			`- sixth.setype == 'unlabeled_t'`
[PR #5830/c8a2ac3a backport][stable-6] sefcontext: add support for path substitutions (#6098) sefcontext: add support for path substitutions (#5830) * sefcontext: add path substitution support (#1193) First commit for feedback, missing docs and tests. * sefcontext: add documentation * Add changelog fragment * Documentation formatting * Delete extra newline * pep8 fixes Fix indentation * Add version_added to arg docs * Add examples * Don't delete non-matching path substitutions * Add integration tests * Delete only substitutions if such arg passed Don't delete existing regular file context mappings if deletion of a path substitution was requested with the presence of the `equal` arg - delete only path substitutions in such case. Path substitutions and regular mappings may overlap. * Can only add args in minor releases :( * Cleanup before tests * Fix deletion using substitution Was comparing wrong var. * Fix test checking wrong var * Improve args documentation and examples List the default values for selevel, seuser. Add example for deleting path substitutions only. * Add attributes documentation block Not sure if should add become/delegate/async, shouldn't those work just like that without any specific code added for them? * and fix indentation on attribute block * Consistent indentation for attributes Confusing, most plugins indent with 4 spaces. But some use 2 like the rest of the code, so use 2. * Add missing ref for attribute block * Use correct c.g version in doc block Co-authored-by: Felix Fontein <felix@fontein.de> * Add full stop to changelog fragment Co-authored-by: Felix Fontein <felix@fontein.de> * Streamline documentation Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> * Support limiting deletion to setype Deleting file context mappings may be limited by passing setype or equal, if neither arg is passed then delete either setype/equal mappings that match. * Change arg name, diff mode output fix Change arg name from equal to substitute. Print target = subsitute in diff mode same way as semanage does. Also put back platform attribute, try to improve clumsy language in the substitute arg docs. * Delete even if arg setype not match existing Test 5 indicates that deletion is supposed to not check that the arg setype passed when deleting matches the setype of the mapping to delete. Delete any mapping that matches target, regardless of setype arg value. * Update arg name in tests * Too eager replacing Accidentally replaced seobject function names so fix them back * 4564: Fix invalid setype in doc example Change from httpd_git_rw_content_t which does not exist to httpd_sys_rw_content_t Fixes #4564 * Fix documentation attributes Additional fragment Co-authored-by: Felix Fontein <felix@fontein.de> * Update version_added in docs Bumping minor to 6.4.0 since it didn't make 6.3.0. * Add more description to the new arg docs Try to improve discoverability of the new feature and make it easier to understand without deep SELinux understanding. * Update platform to Linux in documentation * Add equal as alias for the new argument Improve discoverability of the new feature by adding an alias to the new module argument. The argument name "equal" will be easy to find for users who are not familiar with SELinux and who just try to match to the CLI tool `semanage`. * And add alias argument properly Previous commit missed actually adding the alias (added to docs only). --------- Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> (cherry picked from commit c8a2ac3a475ab490ad00f1db1a6197b108c66413) Co-authored-by: bluikko <14869000+bluikko@users.noreply.github.com> 2023-02-26 14:23:53 +01:00
			`- name: Set SELinux file context path substitution of foo`
			`sefcontext:`
			`path: /tmp/foo`
			`substitute: /home`
			`state: present`
			`reload: no`
			`register: subst_first`

			`- assert:`
			`that:`
			`- subst_first is changed`
			`- subst_first.substitute == '/home'`

			`- name: Set SELinux file context path substitution of foo (again)`
			`sefcontext:`
			`path: /tmp/foo`
			`substitute: /home`
			`state: present`
			`reload: no`
			`register: subst_second`

			`- assert:`
			`that:`
			`- subst_second is not changed`
			`- subst_second.substitute == '/home'`

			`- name: Change SELinux file context path substitution of foo`
			`sefcontext:`
			`path: /tmp/foo`
			`substitute: /boot`
			`state: present`
			`reload: no`
			`register: subst_third`

			`- assert:`
			`that:`
			`- subst_third is changed`
			`- subst_third.substitute == '/boot'`

			`- name: Change SELinux file context path substitution of foo (again)`
			`sefcontext:`
			`path: /tmp/foo`
			`substitute: /boot`
			`state: present`
			`reload: no`
			`register: subst_fourth`

			`- assert:`
			`that:`
			`- subst_fourth is not changed`
			`- subst_fourth.substitute == '/boot'`

			`- name: Try to delete non-existing SELinux file context path substitution of foo`
			`sefcontext:`
			`path: /tmp/foo`
			`substitute: /dev`
			`state: absent`
			`reload: no`
			`register: subst_fifth`

			`- assert:`
			`that:`
			`- subst_fifth is not changed`
			`- subst_fifth.substitute == '/dev'`

			`- name: Delete SELinux file context path substitution of foo`
			`sefcontext:`
			`path: /tmp/foo`
			`substitute: /boot`
			`state: absent`
			`reload: no`
			`register: subst_sixth`

			`- assert:`
			`that:`
			`- subst_sixth is changed`
			`- subst_sixth.substitute == '/boot'`

			`- name: Delete SELinux file context path substitution of foo (again)`
			`sefcontext:`
			`path: /tmp/foo`
			`substitute: /boot`
			`state: absent`
			`reload: no`
			`register: subst_seventh`

			`- assert:`
			`that:`
			`- subst_seventh is not changed`
			`- subst_seventh.substitute == '/boot'`

			`- name: Set SELinux file context path substitution of foo`
			`sefcontext:`
			`path: /tmp/foo`
			`substitute: /home`
			`state: present`
			`reload: no`
			`register: subst_eighth`

			`- assert:`
			`that:`
			`- subst_eighth is changed`
			`- subst_eighth.substitute == '/home'`

			`- name: Delete SELinux file context path substitution of foo`
			`sefcontext:`
			`path: /tmp/foo`
			`state: absent`
			`reload: no`
			`register: subst_ninth`

			`- assert:`
			`that:`
			`- subst_ninth is changed`

			`- name: Delete SELinux file context path substitution of foo (again)`
			`sefcontext:`
			`path: /tmp/foo`
			`state: absent`
			`reload: no`
			`register: subst_tenth`

			`- assert:`
			`that:`
			`- subst_tenth is not changed`