Merge pull request from #64 kenjiskywalker:support-selinux-matchers

mizzy · Apr 27, 2013 · aee97e6 · aee97e6
2 parents 3771581 + 69170ea
commit aee97e6
Show file tree

Hide file tree

Showing 9 changed files with 60 additions and 0 deletions.
diff --git a/lib/serverspec/commands/base.rb b/lib/serverspec/commands/base.rb
@@ -116,6 +116,10 @@ def check_svcprop svc, property, value
       def check_svcprops svc, property
         raise NotImplementedError.new
       end
+
+      def check_selinux mode
+        raise NotImplementedError.new
+      end
     end
   end
 end
diff --git a/lib/serverspec/commands/redhat.rb b/lib/serverspec/commands/redhat.rb
@@ -8,6 +8,10 @@ def check_enabled service
       def check_installed package
         "rpm -q #{package}"
       end
+
+      def check_selinux mode
+        "/usr/sbin/getenforce | grep -i '#{mode}'"
+      end
     end
   end
 end
diff --git a/lib/serverspec/matchers.rb b/lib/serverspec/matchers.rb
@@ -20,6 +20,9 @@
 require 'serverspec/matchers/be_readable'
 require 'serverspec/matchers/be_writable'
 require 'serverspec/matchers/be_executable'
+require 'serverspec/matchers/be_enforcing'
+require 'serverspec/matchers/be_permissive'
+require 'serverspec/matchers/be_disabled'
 require 'serverspec/matchers/have_ipfilter_rule'
 require 'serverspec/matchers/have_ipnat_rule'
 require 'serverspec/matchers/have_svcprop'

diff --git a/lib/serverspec/matchers/be_disabled.rb b/lib/serverspec/matchers/be_disabled.rb
@@ -0,0 +1,5 @@
+RSpec::Matchers.define :be_disabled do
+  match do |actual|
+    backend.check_selinux(example, 'disabled')
+  end
+end
diff --git a/lib/serverspec/matchers/be_enforcing.rb b/lib/serverspec/matchers/be_enforcing.rb
@@ -0,0 +1,5 @@
+RSpec::Matchers.define :be_enforcing do
+  match do |actual|
+    backend.check_selinux(example, 'enforcing')
+  end
+end
diff --git a/lib/serverspec/matchers/be_permissive.rb b/lib/serverspec/matchers/be_permissive.rb
@@ -0,0 +1,5 @@
+RSpec::Matchers.define :be_permissive do
+  match do |actual|
+    backend.check_selinux(example, 'permissive')
+  end
+end
diff --git a/spec/redhat/commands_spec.rb b/spec/redhat/commands_spec.rb
@@ -98,6 +98,18 @@
   it { should eq "iptables -t mangle -S INPUT | grep '\\-P INPUT ACCEPT'" }
 end
 
+describe commands.check_selinux('enforcing') do
+  it { should eq "/usr/sbin/getenforce | grep -i 'enforcing'" }
+end
+
+describe commands.check_selinux('permissive') do
+  it { should eq "/usr/sbin/getenforce | grep -i 'permissive'" }
+end
+
+describe commands.check_selinux('disabled') do
+  it { should eq "/usr/sbin/getenforce | grep -i 'disabled'" }
+end
+
 describe commands.get_mode('/dev') do
   it { should eq 'stat -c %a /dev' }
 end
diff --git a/spec/redhat/matchers_spec.rb b/spec/redhat/matchers_spec.rb
@@ -54,6 +54,10 @@
   it_behaves_like 'support be_executable_by_group matcher', '/dev'
   it_behaves_like 'support be_executable_by_others matcher', '/dev'
 
+  it_behaves_like 'support be_enforcing matcher'
+  it_behaves_like 'support be_permissive matcher'
+  it_behaves_like 'support be_disabled matcher'
+
   it_behaves_like 'support return_exit_status matcher', 'ls /tmp', 0
 
   it_behaves_like 'support return_stdout matcher', 'cat /etc/resolv.conf', 'localhost'

diff --git a/spec/support/shared_matcher_examples.rb b/spec/support/shared_matcher_examples.rb
@@ -226,6 +226,24 @@
   end
 end
 
+shared_examples_for 'support be_enforcing matcher' do
+  describe 'selinux Enforcing' do
+    it { should be_enforcing }
+  end
+end
+
+shared_examples_for 'support be_permissive matcher' do
+  describe 'selinux Permissive' do
+    it { should be_permissive }
+  end
+end
+
+shared_examples_for 'support be_disabled matcher' do
+  describe 'selinux Disabled' do
+    it { should be_disabled }
+  end
+end
+
 shared_examples_for 'support have_cron_entry matcher' do |title, entry|
   describe 'have_cron_entry' do
     describe title do