Clean up SELinux handling in acceptance testing.

ekohl · ekohl · commit 12ab304c29c1 · 2022-12-01T13:05:46.000+01:00
This attempts to unify SELinux handling in the tests. It moves the package installation to the acceptance spec helper to reduce duplication. It then makes the set_apache_defaults line idempotent and restorecon_apache correctly chained. This works around [PUP-10548] which is that Puppet doesn't reload file contexts within a run. That means it must first create the file(s) and then run restorecon to get correct contexts. [PUP-10548]: https://tickets.puppetlabs.com/browse/PUP-10548
diff --git a/spec/acceptance/apache_parameters_spec.rb b/spec/acceptance/apache_parameters_spec.rb
@@ -428,34 +428,30 @@ class { 'apache':
   describe 'logging' do
     describe 'setup' do
       pp = <<-MANIFEST
-          if $::osfamily == 'RedHat' and "$::selinux" == "true" {
-            $semanage_package = $::operatingsystemmajrelease ? {
-              '6'     => 'policycoreutils-python',
-              '7'     => 'policycoreutils-python',
-              default => 'policycoreutils-python-utils',
-            }
-            package { $semanage_package: ensure => installed }
+          if $facts['osfamily'] == 'RedHat' and $facts['selinux'] {
             exec { 'set_apache_defaults':
-              command => 'semanage fcontext -a -t httpd_log_t "/apache_spec(/.*)?"',
+              command => 'semanage fcontext -a -t httpd_log_t "/apache_spec/logs(/.*)?"',
+              unless  => 'semanage fcontext --list | grep /apache_spec/logs | grep httpd_log_t',
               path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
-              require => Package[$semanage_package],
             }
             exec { 'restorecon_apache':
-              command => 'restorecon -Rv /apache_spec',
-              path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
-              before  => Service['httpd'],
-              require => Class['apache'],
+              command     => 'restorecon -Rv /apache_spec',
+              path        => '/bin:/usr/bin/:/sbin:/usr/sbin',
+              before      => Service['httpd'],
+              require     => [File['/apache_spec'], Class['apache']],
+              subscribe   => Exec['set_apache_defaults'],
+              refreshonly => true,
             }
           }
-          file { '/apache_spec': ensure => directory, }
-          class { 'apache': logroot => '/apache_spec' }
+          file { ['/apache_spec', '/apache_spec/logs']: ensure => directory, }
+          class { 'apache': logroot => '/apache_spec/logs' }
       MANIFEST
       it 'applies cleanly' do
         apply_manifest(pp, catch_failures: true)
       end
     end
 
-    describe file("/apache_spec/#{apache_hash['error_log']}") do
+    describe file("/apache_spec/logs/#{apache_hash['error_log']}") do
       it { is_expected.to be_file }
     end
   end
diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb
@@ -41,30 +41,24 @@
   context 'custom site/mod dir parameters' do
     let(:pp) do
       <<-MANIFEST
-        if $::osfamily == 'RedHat' and "$::selinux" == "true" {
-          $semanage_package = $::operatingsystemmajrelease ? {
-            '6'     => 'policycoreutils-python',
-            '7'     => 'policycoreutils-python',
-            default => 'policycoreutils-python-utils',
-          }
-          package { $semanage_package: ensure => installed }
+        if $facts['osfamily'] == 'RedHat' and $facts['selinux'] {
           exec { 'set_apache_defaults':
-            command     => 'semanage fcontext -a -t httpd_sys_content_t "/apache_spec(/.*)?"',
-            path        => '/bin:/usr/bin/:/sbin:/usr/sbin',
-            subscribe   => Package[$semanage_package],
-            refreshonly => true,
+            command => 'semanage fcontext --add -t httpd_config_t "/apache_spec/apache_custom(/.*)?"',
+            unless  => 'semanage fcontext --list | grep /apache_spec/apache_custom | grep httpd_config_t',
+            path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
           }
           exec { 'restorecon_apache':
             command     => 'restorecon -Rv /apache_spec',
             path        => '/bin:/usr/bin/:/sbin:/usr/sbin',
             before      => Service['httpd'],
-            require     => Class['apache'],
+            require     => [File['/apache_spec/apache_custom'], Class['apache']],
             subscribe   => Exec['set_apache_defaults'],
             refreshonly => true,
           }
         }
-        file { '/apache_spec': ensure => directory, }
-        file { '/apache_spec/apache_custom': ensure => directory, }
+        file { ['/apache_spec', '/apache_spec/apache_custom']:
+          ensure => directory,
+        }
         class { 'apache':
           mod_dir   => '/apache_spec/apache_custom/mods',
           vhost_dir => '/apache_spec/apache_custom/vhosts',
diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb
@@ -1171,36 +1171,33 @@ class { 'apache::mod::wsgi': }
 
   describe 'additional_includes' do
     pp = <<-MANIFEST
-      if $::osfamily == 'RedHat' and "$::selinux" == "true" {
-        $semanage_package = $::operatingsystemmajrelease ? {
-          '6'     => 'policycoreutils-python',
-          '7'     => 'policycoreutils-python',
-          default => 'policycoreutils-python-utils',
-        }
-        package { $semanage_package: ensure => installed }
+      if $facts['osfamily'] == 'RedHat' and $facts['selinux'] {
         exec { 'set_apache_defaults':
-          command => 'semanage fcontext -a -t httpd_sys_content_t "/apache_spec(/.*)?"',
+          command => 'semanage fcontext --add -t httpd_sys_content_t "/apache_spec/docroot(/.*)?"',
+          unless  => 'semanage fcontext --list | grep /apache_spec/docroot | grep httpd_sys_content_t',
           path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
-          require => Package[$semanage_package],
         }
         exec { 'restorecon_apache':
           command => 'restorecon -Rv /apache_spec',
           path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
-          before  => Service['httpd'],
-          require => Class['apache'],
+          before      => Service['httpd'],
+          require     => [File['/apache_spec/include'], Class['apache']],
+          subscribe   => Exec['set_apache_defaults'],
+          refreshonly => true,
         }
       }
       class { 'apache': }
       host { 'test.server': ip => '127.0.0.1' }
-      file { '/apache_spec': ensure => directory, }
+      file { ['/apache_spec', '/apache_spec/docroot']: ensure => directory, }
       file { '/apache_spec/include': ensure => present, content => '#additional_includes' }
       apache::vhost { 'test.server':
-        docroot             => '/apache_spec',
+        docroot             => '/apache_spec/docroot',
         additional_includes => '/apache_spec/include',
       }
     MANIFEST
-    it 'applies cleanly' do
-      apply_manifest(pp, catch_failures: false)
+
+    it 'behaves idempotently' do
+      idempotent_apply(pp)
     end
 
     describe file("#{apache_hash['vhost_dir']}/25-test.server.conf") do
diff --git a/spec/setup_acceptance_node.pp b/spec/setup_acceptance_node.pp
@@ -18,6 +18,17 @@
       }
     }
 
+    if $facts['selinux'] {
+      $semanage_package = $facts['os']['release']['major'] ? {
+        '6'     => 'policycoreutils-python',
+        '7'     => 'policycoreutils-python',
+        default => 'policycoreutils-python-utils',
+      }
+      package { $semanage_package:
+        ensure => installed,
+      }
+    }
+
     if versioncmp($facts['os']['release']['major'], '8') >= 0 {
       package { 'iproute':
         ensure => installed,
