Verify freeipa-selinux's ipa module is loaded

ipa-custodia tests will fail if the ipa.pp override module from freeipa-selinux is not correctly installed, loaded, and enabled. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-09-23 15:22:00 +02:00
parent fbb6484dbe
commit 9a9cd30255
2 changed files with 20 additions and 0 deletions
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -267,6 +267,7 @@ class BasePathNamespace:
    RESTORECON = "/usr/sbin/restorecon"
    SELINUXENABLED = "/usr/sbin/selinuxenabled"
    SETSEBOOL = "/usr/sbin/setsebool"
+    SEMODULE = "/usr/sbin/semodule"
    SMBD = "/usr/sbin/smbd"
    USERADD = "/usr/sbin/useradd"
    FONTS_DIR = "/usr/share/fonts"
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1019,6 +1019,25 @@ class TestInstallMaster(IntegrationTest):
            [paths.IPA_CUSTODIA_CHECK, self.master.hostname]
        )

+    @pytest.mark.skipif(
+        paths.SEMODULE is None, reason="test requires semodule command"
+    )
+    def test_ipa_selinux_policy(self):
+        # check that freeipa-selinux's policy module is loaded and
+        # not disabled
+        result = self.master.run_command(
+            [paths.SEMODULE, "-lfull"]
+        )
+        # prio module pp [disabled]
+        # 100: default priority
+        # 200: decentralized SELinux policy priority
+        entries = {
+            tuple(line.split())
+            for line in result.stdout_text.split('\n')
+            if line.strip()
+        }
+        assert ('200', 'ipa', 'pp') in entries
+

 class TestInstallMasterKRA(IntegrationTest):