Verify freeipa-selinux's ipa module is loaded

ipa-custodia tests will fail if the ipa.pp override module from freeipa-selinux is not correctly installed, loaded, and enabled. Signed-off-by: Christian Heimes <cheimes@redhat.com>
freeipa · Sep 23, 2020 · 742a61a · 742a61a
1 parent 6b910b4
commit 742a61a
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 9 deletions.
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
@@ -267,6 +267,7 @@ class BasePathNamespace:
     RESTORECON = "/usr/sbin/restorecon"
     SELINUXENABLED = "/usr/sbin/selinuxenabled"
     SETSEBOOL = "/usr/sbin/setsebool"
+    SEMODULE = "/usr/bin/semodule"
     SMBD = "/usr/sbin/smbd"
     USERADD = "/usr/sbin/useradd"
     FONTS_DIR = "/usr/share/fonts"

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
@@ -1000,6 +1000,25 @@ def test_ipa_custodia_check(self):
             [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
         )
 
+    @pytest.mark.skipif(
+        paths.SEMODULE is None, reason="test requires semodule command"
+    )
+    def test_ipa_selinux_policy(self):
+        # check that freeipa-selinux's policy module is loaded and
+        # not disabled
+        result = self.master.run_command(
+            [paths.SEMODULE, "-lfull"]
+        )
+        # prio module pp [disabled]
+        # 100: default priority
+        # 200: decentralized SELinux policy priority
+        entries = {
+            tuple(line.split())
+            for line in result.stdout_text.split('\n')
+            if line.strip()
+        }
+        assert ('200', 'ipa', 'pp') in entries
+
 
 class TestInstallMasterKRA(IntegrationTest):
 

diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
@@ -95,6 +95,15 @@ def test_replica_manage(self):
         assert msg1 not in result.stdout_text
         assert msg2 not in result.stdout_text
 
+    def test_ipa_custodia_check(self):
+        replica = self.replicas[0]
+        self.master.run_command(
+            [paths.IPA_CUSTODIA_CHECK, replica.hostname]
+        )
+        replica.run_command(
+            [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
+        )
+
     def test_replica_removal(self):
         """Test replica removal"""
         result = self.master.run_command(['ipa-replica-manage', 'list'])
@@ -104,12 +113,3 @@ def test_replica_removal(self):
                                  self.replicas[0].hostname, '--force'])
         result = self.master.run_command(['ipa-replica-manage', 'list'])
         assert self.replicas[0].hostname not in result.stdout_text
-
-    def test_ipa_custodia_check(self):
-        replica = self.replicas[0]
-        self.master.run_command(
-            [paths.IPA_CUSTODIA_CHECK, replica.hostname]
-        )
-        replica.run_command(
-            [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
-        )