Showing with 62 additions and 26 deletions.

+20 −0 CHANGELOG.md

+6 −9 manifests/config.pp

+1 −1 metadata.json

+31 −12 spec/acceptance/class_disabled_spec.rb

+4 −2 spec/classes/selinux_config_mode_spec.rb

+0 −2 spec/spec_helper_acceptance.rb
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,13 +4,33 @@ All notable changes to this project will be documented in this file.
 Each new release typically also includes the latest modulesync defaults.
 These should not affect the functionality of the module.
 
+## [v1.5.2](https://github.com/voxpupuli/puppet-selinux/tree/v1.5.2) (2018-01-20)
+[Full Changelog](https://github.com/voxpupuli/puppet-selinux/compare/v1.5.1...v1.5.2)
+
+**Fixed bugs:**
+
+- Update and check runtime SELinux status correcty [\#249](https://github.com/voxpupuli/puppet-selinux/pull/249) ([weaselshit](https://github.com/weaselshit))
+
+**Closed issues:**
+
+- Skip exec "change-selinux-status-to-disabled" when current mode is enforcing or permissive [\#245](https://github.com/voxpupuli/puppet-selinux/issues/245)
+- Module uses deprecated hiera\_hash\(\) function  [\#238](https://github.com/voxpupuli/puppet-selinux/issues/238)
+
+**Merged pull requests:**
+
+- Extend enforcing to disabled tests [\#250](https://github.com/voxpupuli/puppet-selinux/pull/250) ([vinzent](https://github.com/vinzent))
+
 ## [v1.5.1](https://github.com/voxpupuli/puppet-selinux/tree/v1.5.1) (2018-01-04)
 [Full Changelog](https://github.com/voxpupuli/puppet-selinux/compare/v1.5.0...v1.5.1)
 
 **Fixed bugs:**
 
 - Fixing change-selinux-status-to-disabled exec [\#246](https://github.com/voxpupuli/puppet-selinux/pull/246) ([bjvrielink](https://github.com/bjvrielink))
 
+**Merged pull requests:**
+
+- Release 1.5.1 [\#248](https://github.com/voxpupuli/puppet-selinux/pull/248) ([bastelfreak](https://github.com/bastelfreak))
+
 ## [v1.5.0](https://github.com/voxpupuli/puppet-selinux/tree/v1.5.0) (2017-12-15)
 [Full Changelog](https://github.com/voxpupuli/puppet-selinux/compare/v1.4.0...v1.5.0)
 

diff --git a/manifests/config.pp b/manifests/config.pp
@@ -55,13 +55,13 @@
 
     case $_real_mode {
       'permissive', 'disabled': {
-        $sestatus = '0'
+        $sestatus = 'permissive'
         if $_real_mode == 'disabled' and defined('$::selinux_current_mode') and $::selinux_current_mode == 'permissive' {
           notice('A reboot is required to fully disable SELinux. SELinux will operate in Permissive mode until a reboot')
         }
       }
       'enforcing': {
-        $sestatus = '1'
+        $sestatus = 'enforcing'
       }
       default : {
         fail('You must specify a mode (enforced, permissive, or disabled) for selinux operation')
@@ -80,13 +80,10 @@
       }
     }
 
-    # setenforce only works when SELinux itself is enabled
-    if $_real_mode in ['enforcing','permissive'] {
-      exec { "change-selinux-status-to-${_real_mode}":
-        command => "setenforce ${sestatus}",
-        unless  => "getenforce | grep -Eqi '${_real_mode}|disabled'",
-        path    => '/bin:/sbin:/usr/bin:/usr/sbin',
-      }
+    exec { "change-selinux-status-to-${_real_mode}":
+      command => "setenforce ${sestatus}",
+      unless  => "getenforce | grep -Eqi '${sestatus}|disabled'",
+      path    => '/bin:/sbin:/usr/bin:/usr/sbin',
     }
   }
 

diff --git a/metadata.json b/metadata.json
@@ -1,6 +1,6 @@
 {
   "name": "puppet-selinux",
-  "version": "1.5.1",
+  "version": "1.5.2",
   "author": "Vox Pupuli",
   "summary": "This class manages SELinux on RHEL based systems",
   "license": "Apache-2.0",

diff --git a/spec/acceptance/class_disabled_spec.rb b/spec/acceptance/class_disabled_spec.rb
@@ -1,26 +1,45 @@
 require 'spec_helper_acceptance'
 
-describe 'selinux class disabled' do
+describe 'selinux class - enforcing to disabled' do
+  before(:all) do
+    shell('sed -i "s/SELINUX=.*/SELINUX=enforcing/" /etc/selinux/config')
+    shell('setenforce Enforcing && test "$(getenforce)" = "Enforcing"')
+  end
+
   let(:pp) do
     <<-EOS
       class { 'selinux': mode => 'disabled' }
     EOS
   end
 
-  it 'runs without errors' do
-    apply_manifest(pp, catch_failures: true)
-  end
+  context 'before reboot' do
+    it_behaves_like 'a idempotent resource'
 
-  describe package('selinux-policy-targeted') do
-    it { is_expected.to be_installed }
-  end
+    describe package('selinux-policy-targeted') do
+      it { is_expected.to be_installed }
+    end
 
-  describe file('/etc/selinux/config') do
-    its(:content) { is_expected.to match(%r{^SELINUX=disabled$}) }
+    describe file('/etc/selinux/config') do
+      its(:content) { is_expected.to match(%r{^SELINUX=disabled$}) }
+    end
+
+    # Testing for Permissive brecause only after a reboot it's disabled
+    describe command('getenforce') do
+      its(:stdout) { is_expected.to match(%r{^Permissive$}) }
+    end
   end
 
-  # Testing for Permissive brecause only after a reboot it's disabled
-  describe command('getenforce') do
-    its(:stdout) { is_expected.to match(%r{^Permissive$}) }
+  context 'after reboot' do
+    before(:all) do
+      hosts.each(&:reboot)
+    end
+
+    it 'applies without changes' do
+      apply_manifest(pp, catch_changes: true)
+    end
+
+    describe command('getenforce') do
+      its(:stdout) { is_expected.to match(%r{^Disabled$}) }
+    end
   end
 end
diff --git a/spec/classes/selinux_config_mode_spec.rb b/spec/classes/selinux_config_mode_spec.rb
@@ -41,7 +41,8 @@
 
           it { is_expected.to contain_file('/var/lib/puppet/puppet-selinux') }
           it { is_expected.to contain_file_line('set-selinux-config-to-enforcing').with(line: 'SELINUX=enforcing') }
-          it { is_expected.to contain_exec('change-selinux-status-to-enforcing').with(command: 'setenforce 1') }
+          it { is_expected.to contain_exec('change-selinux-status-to-enforcing').with(command: 'setenforce enforcing') }
+          it { is_expected.to contain_exec('change-selinux-status-to-enforcing').with(unless: "getenforce | grep -Eqi 'enforcing|disabled'") }
           it { is_expected.not_to contain_file('/.autorelabel') }
         end
 
@@ -50,7 +51,8 @@
 
           it { is_expected.to contain_file('/var/lib/puppet/puppet-selinux') }
           it { is_expected.to contain_file_line('set-selinux-config-to-permissive').with(line: 'SELINUX=permissive') }
-          it { is_expected.to contain_exec('change-selinux-status-to-permissive').with(command: 'setenforce 0') }
+          it { is_expected.to contain_exec('change-selinux-status-to-permissive').with(command: 'setenforce permissive') }
+          it { is_expected.to contain_exec('change-selinux-status-to-permissive').with(unless: "getenforce | grep -Eqi 'permissive|disabled'") }
           it { is_expected.not_to contain_file('/.autorelabel') }
         end
 

diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
@@ -17,8 +17,6 @@
     puppet_module_install(source: proj_root, module_name: 'selinux')
     hosts.each do |host|
       on host, puppet('module', 'install', 'puppetlabs-stdlib'), acceptable_exit_codes: [0, 1]
-      on(host, 'sed -i "s/SELINUX=.*/SELINUX=permissive/" /etc/selinux/config')
-      host.reboot
     end
   end
 end