diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2974af38..51c84985 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,4 +18,6 @@ concurrency:
 jobs:
 puppet:
 name: Puppet
- uses: voxpupuli/gha-puppet/.github/workflows/basic.yml@v2
+ uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@v3
+ with:
+ beaker_hypervisor: 'vagrant_libvirt'
diff --git a/.sync.yml b/.sync.yml
index 5fa35046..94d68a9e 100644
--- a/.sync.yml
+++ b/.sync.yml
@@ -9,4 +9,4 @@ spec/spec_helper.rb:
 - parameter_documentation
 - parameter_types
 .github/workflows/ci.yml:
- acceptance_tests: false
+ beaker_hypervisor: vagrant_libvirt
diff --git a/spec/acceptance/class_disabled_spec.rb b/spec/acceptance/class_disabled_spec.rb
index b5d48eca..d4c9127e 100644
--- a/spec/acceptance/class_disabled_spec.rb
+++ b/spec/acceptance/class_disabled_spec.rb
@@ -45,7 +45,7 @@ class { 'selinux': mode => 'permissive' }
 end
 context 'when switching from enforcing to disabled' do
- let(:pp) do
+ let(:manifest) do
 <<-EOS
 class { 'selinux': mode => 'disabled' }
 EOS
@@ -53,6 +53,10 @@ class { 'selinux': mode => 'disabled' }
 context 'before reboot' do
 before(:all) do
+ # Tag vagrant user to an administrative group
+ shell('semanage login -a -s staff_u vagrant')
+ # Vagrant is logging in and using privileges commands, we need to allow that
+ shell('setsebool -P ssh_sysadm_login 1')
 shell('sed -i "s/SELINUX=.*/SELINUX=enforcing/" /etc/selinux/config')
 shell('setenforce Enforcing && test "$(getenforce)" = "Enforcing"')
 end
@@ -75,7 +79,7 @@ class { 'selinux': mode => 'disabled' }
 end
 it 'applies without changes' do
- apply_manifest(pp, catch_changes: true)
+ apply_manifest(manifest, catch_changes: true)
 end
 describe command('getenforce') do
@@ -120,7 +124,7 @@ class { 'selinux': mode => 'permissive' }
 end
 it 'applies without changes' do
- apply_manifest(pp, catch_changes: true)
+ apply_manifest(manifest, catch_changes: true)
 end
 describe command('getenforce') do
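Review bot: The new `uses:` line references the reusable workflow by the mutable tag `@v3`, so whatever that tag is later moved to runs in this repository's CI with the caller's token; the previous `@v2` had the same weakness, but this is the line being rewritten. Pinning the full commit SHA with the tag kept as a trailing comment, `uses: voxpupuli/gha-puppet/.github/workflows/beaker.yml@<commit-sha-of-v3> # v3`, makes the supply chain reproducible and still lets Dependabot bump it. The `.sync.yml` hunk in this commit carries the same `beaker_hypervisor` value, so a modulesync run will not undo the change; a one-line comment above `with:` stating why `vagrant_libvirt` is required would save the next reader a trip to the gha-puppet docs.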
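Review bot: `shell('semanage login -a -s staff_u vagrant')` in the new `before(:all)` is not re-runnable: as far as I know `semanage login -a` exits non-zero when a mapping for that login already exists, and beaker's `shell` raises on a non-zero exit by default, so a second run against the same box aborts the setup before the enforcing-mode test starts. A one-line change makes it idempotent, `shell('semanage login -a -s staff_u vagrant || semanage login -m -s staff_u vagrant')`; the `setsebool -P` call already is. The two new comments also misdescribe the commands ("privileges commands", "administrative group"); I would replace them with `# Map the vagrant login to the staff_u SELinux user` and `# ssh_sysadm_login permits SSH logins for the sysadm role, which beaker's privileged commands need; -P makes it persistent across reboots`. The `before(:all)` block is shown in full, but the `context 'before reboot'` it belongs to continues outside the hunk.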
diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb
index 4e06ff5a..43088f10 100644
--- a/spec/acceptance/class_spec.rb
+++ b/spec/acceptance/class_spec.rb
@@ -19,14 +19,14 @@ class { 'selinux': mode => 'enforcing' }
 selinux::permissive { 'puppet_selinux_test_policy_t': }
 selinux::port { 'puppet_selinux_test_policy_port_t/tcp':
- seltype => 'puppet_selinux_test_policy_port_t',
- port => 55555,
+ seltype => 'puppet_selinux_test_policy_port_t',
+ port => 55555,
 protocol => 'tcp',
 }
 }
 # just something simple I found via Google:
- file {'/tmp/selinux_simple_policy.te':
+ file { '/tmp/selinux_simple_policy.te':
 ensure => 'file',
 content => @("EOF")
 module puppet_selinux_simple_policy 1.0;
@@ -40,7 +40,7 @@ class file { read getattr };
 | EOF
 }
- file {'/tmp/selinux_test_policy.te':
+ file { '/tmp/selinux_test_policy.te':
 ensure => 'file',
 content => @("EOF")
 policy_module(puppet_selinux_test_policy, 1.0.0)
@@ -56,48 +56,50 @@ class file { read getattr };
 selinux::module { 'puppet_selinux_simple_policy':
 source_te => 'file:///tmp/selinux_simple_policy.te',
 builder => 'simple',
- require => File['/tmp/selinux_simple_policy.te']
+ require => File['/tmp/selinux_simple_policy.te'],
 }
 selinux::module { 'puppet_selinux_test_policy':
- source_te => 'file:///tmp/selinux_test_policy.te',
- builder => 'refpolicy',
- require => File['/tmp/selinux_test_policy.te']
+ source_te => 'file:///tmp/selinux_test_policy.te',
+ builder => 'refpolicy',
+ require => File['/tmp/selinux_test_policy.te'],
 }
 if $have_selinux_ruby_library {
- Class['selinux'] ->
-
 file { '/tmp/test_selinux_fcontext':
 content => 'TEST',
 seltype => 'puppet_selinux_test_policy_exec_t',
+ require => Class['selinux'],
 }
- selinux::fcontext {'/tmp/fcontexts_source(/.*)?':
+ selinux::fcontext { '/tmp/fcontexts_source(/.*)?':
 seltype => 'puppet_selinux_test_policy_exec_t',
 }
- selinux::fcontext::equivalence {'/tmp/fcontexts_equivalent':
+ selinux::fcontext::equivalence { '/tmp/fcontexts_equivalent':
 target => '/tmp/fcontexts_source',
 }
 file {['/tmp/fcontexts_source', '/tmp/fcontexts_equivalent']:
- ensure => 'directory',
+ ensure => 'directory',
 require => [Selinux::Fcontext['/tmp/fcontexts_source(/.*)?'], Selinux::Fcontext::Equivalence['/tmp/fcontexts_equivalent']],
 }
- file {['/tmp/fcontexts_source/define_test', '/tmp/fcontexts_equivalent/define_test']:
- ensure => file,
- notify => Exec["/sbin/restorecon -FR /tmp/fcontexts_*"]
+ file { ['/tmp/fcontexts_source/define_test', '/tmp/fcontexts_equivalent/define_test']:
+ ensure => file,
+ notify => Exec['/sbin/restorecon -FR /tmp/fcontexts_*'],
 }
- exec {'/sbin/restorecon -FR /tmp/fcontexts_*':
- # this is needed because puppet creates files with the wrong context as
- # it runs unconfined and only becomes idempotent after the second run.
+ exec { '/sbin/restorecon -FR /tmp/fcontexts_*':
+ # this is needed because puppet creates files with the wrong context as
+ # it runs unconfined and only becomes idempotent after the second run.
 refreshonly => true,
 }
 # test purging
- resources {['selinux_fcontext', 'selinux_fcontext_equivalence']: purge => true }
+ # This resource purge is breaking because above we are defining it
+ # resources { ['selinux_fcontext', 'selinux_fcontext_equivalence']:
+ # purge => true,
+ # }
 }
 EOS
 end
diff --git a/test-acceptance-with-vagrant b/test-acceptance-with-vagrant
index 2a62b6b7..3764a096 100755
--- a/test-acceptance-with-vagrant
+++ b/test-acceptance-with-vagrant
@@ -9,7 +9,7 @@ export PUPPET_INSTALL_TYPE=agent
 # https://github.com/puppetlabs/beaker-hostgenerator/pull/184 fixes the Fedora boxes and adds 32
 for layout in \
- {debian10,centos{7,8}}'-64a' \
+ {debian11,centos{7,8}}'-64a' \
 'fedora31-64a{box=fedora/31-cloud-base}' \
 'fedora32-64a{box=fedora/32-cloud-base}' \
 'fedora33-64a{box=fedora/33-cloud-base}'
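Review bot: Replacing `resources { ['selinux_fcontext', 'selinux_fcontext_equivalence']: purge => true }` with a commented-out copy silently drops the only acceptance coverage of purging and leaves dead Puppet code in the manifest under a comment, `# This resource purge is breaking because above we are defining it`, that states a symptom rather than the cause. If purging really conflicts with the `selinux::fcontext` resources declared earlier in the same catalog, either delete the commented lines and reference a tracked follow-up, or move the purge into its own example that applies a manifest without those resources and asserts the test mappings are gone. A comment such as `# purge coverage removed: purging conflicts with the selinux::fcontext resources declared above; see <tracking-issue>` explains the gap without leaving disabled code behind. The heredoc this manifest lives in starts outside the hunk.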