From fbb70c2d10f59842d78eba654a50df28a22b77db Mon Sep 17 00:00:00 2001
From: Tomas Hozza
Date: Wed, 8 Sep 2021 17:08:39 +0200
Subject: [PATCH] osbuild2: add support for `org.osbuild.selinux.config` stage

Add support for a new osbuid stage `org.osbuild.selinux.config`, for setting the desired SELinux policy state and type on the system. Add unit tests for the new stage.
Related to https://github.com/osbuild/osbuild/pull/799.
Signed-off-by: Tomas Hozza
---
 internal/osbuild2/selinux_config_stage.go | 36 +++++++++++++++++++
 .../osbuild2/selinux_config_stage_test.go | 16 +++++++++
 internal/osbuild2/stage.go | 2 ++
 internal/osbuild2/stage_test.go | 23 ++++++++++++
 4 files changed, 77 insertions(+)
 create mode 100644 internal/osbuild2/selinux_config_stage.go
 create mode 100644 internal/osbuild2/selinux_config_stage_test.go
diff --git a/internal/osbuild2/selinux_config_stage.go b/internal/osbuild2/selinux_config_stage.go
new file mode 100644
index 000000000..3aa96694e
--- /dev/null
+++ b/internal/osbuild2/selinux_config_stage.go
@@ -0,0 +1,36 @@
+package osbuild2
+
+// The SELinuxConfigStageOptions describe the desired SELinux policy state
+// and type on the system.
+type SELinuxConfigStageOptions struct {
+ State SELinuxPolicyState `json:"state,omitempty"`
+ Type SELinuxPolicyType `json:"type,omitempty"`
+}
+
+func (SELinuxConfigStageOptions) isStageOptions() {}
+
+// Valid SELinux Policy states
+type SELinuxPolicyState string
+
+const (
+ SELinuxStateEnforcing SELinuxPolicyState = "enforcing"
+ SELinuxStatePermissive SELinuxPolicyState = "permissive"
+ SELinuxStateDisabled SELinuxPolicyState = "disabled"
+)
+
+// Valid SELinux Policy types
+type SELinuxPolicyType string
+
+const (
+ SELinuxTypeTargeted SELinuxPolicyType = "targeted"
+ SELinuxTypeMinimum SELinuxPolicyType = "minimum"
+ SELinuxTypeMLS SELinuxPolicyType = "mls"
+)
+
+// NewSELinuxConfigStage creates a new SELinuxConfig Stage object.
+func NewSELinuxConfigStage(options *SELinuxConfigStageOptions) *Stage {
+ return &Stage{
+ Type: "org.osbuild.selinux.config",
+ Options: options,
+ }
+}
diff --git a/internal/osbuild2/selinux_config_stage_test.go b/internal/osbuild2/selinux_config_stage_test.go
new file mode 100644
index 000000000..e139cc99e
--- /dev/null
+++ b/internal/osbuild2/selinux_config_stage_test.go
@@ -0,0 +1,16 @@
+package osbuild2
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestNewSELinuxConfigStage(t *testing.T) {
+ expectedStage := &Stage{
+ Type: "org.osbuild.selinux.config",
+ Options: &SELinuxConfigStageOptions{},
+ }
+ actualStage := NewSELinuxConfigStage(&SELinuxConfigStageOptions{})
+ assert.Equal(t, expectedStage, actualStage)
+}
diff --git a/internal/osbuild2/stage.go b/internal/osbuild2/stage.go
index 746cfd822..79261e8e3 100644
--- a/internal/osbuild2/stage.go
+++ b/internal/osbuild2/stage.go
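Review bot: `SELinuxPolicyState` and `SELinuxPolicyType` declare named constants, but nothing in this file checks that `State` and `Type` hold one of them — `NewSELinuxConfigStage` here and the new `org.osbuild.selinux.config` case in the stage.go hunk accept any string, so a manifest carrying a typo such as `"state":"enforce"` (constructed example) passes this layer and is presumably only rejected later by osbuild, if at all. A `Validate()` method on the options, sketched below (needs `fmt`), would surface that when the manifest is assembled; empty fields are left unchecked so the zero-value options used by the tests stay valid. The doc comments also do not follow the Go convention of opening with the identifier: `// SELinuxConfigStageOptions describes the desired SELinux policy state`, `// SELinuxPolicyState is a valid SELinux policy state (enforcing, permissive or disabled).` and `// SELinuxPolicyType is a valid SELinux policy type (targeted, minimum or mls).`. Since `SELinuxStateDisabled` removes SELinux confinement from the built image entirely, the constant's comment is a good place to say so, so callers select it knowingly.
```go
// Validate reports an error when State or Type holds a value other than the
// declared constants. Empty fields are accepted so zero-value options stay valid.
func (o SELinuxConfigStageOptions) Validate() error {
	switch o.State {
	case "", SELinuxStateEnforcing, SELinuxStatePermissive, SELinuxStateDisabled:
	default:
		return fmt.Errorf("invalid SELinux policy state %q", o.State)
	}
	switch o.Type {
	case "", SELinuxTypeTargeted, SELinuxTypeMinimum, SELinuxTypeMLS:
	default:
		return fmt.Errorf("invalid SELinux policy type %q", o.Type)
	}
	return nil
}
```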
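Review bot: `TestNewSELinuxConfigStage` passes an empty `SELinuxConfigStageOptions{}`, so it only pins the stage type; a constructor that ignored its argument and stored a fresh empty struct would pass this test unchanged. Populating the options on both sides, e.g. `&SELinuxConfigStageOptions{State: SELinuxStateEnforcing, Type: SELinuxTypeTargeted}`, or keeping the pointer in a local and asserting `assert.Same(t, options, actualStage.Options)`, would make the test check that the caller's options are actually forwarded.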
@@ -55,6 +55,8 @@ func (stage *Stage) UnmarshalJSON(data []byte) error {
 options = new(LocaleStageOptions)
 case "org.osbuild.selinux":
 options = new(SELinuxStageOptions)
+ case "org.osbuild.selinux.config":
+ options = new(SELinuxConfigStageOptions)
 case "org.osbuild.hostname":
 options = new(HostnameStageOptions)
 case "org.osbuild.users":
diff --git a/internal/osbuild2/stage_test.go b/internal/osbuild2/stage_test.go
index f52c8c91f..6da0c425c 100644
--- a/internal/osbuild2/stage_test.go
+++ b/internal/osbuild2/stage_test.go
@@ -385,6 +385,29 @@ func TestStage_UnmarshalJSON(t *testing.T) {
 data: []byte(`{"type":"org.osbuild.selinux","options":{"file_contexts":""}}`),
 },
 },
+ {
+ name: "selinux.config-empty",
+ fields: fields{
+ Type: "org.osbuild.selinux.config",
+ Options: &SELinuxConfigStageOptions{},
+ },
+ args: args{
+ data: []byte(`{"type":"org.osbuild.selinux.config","options":{}}`),
+ },
+ },
+ {
+ name: "selinux.config",
+ fields: fields{
+ Type: "org.osbuild.selinux.config",
+ Options: &SELinuxConfigStageOptions{
+ State: SELinuxStatePermissive,
+ Type: SELinuxTypeMinimum,
+ },
+ },
+ args: args{
+ data: []byte(`{"type":"org.osbuild.selinux.config","options":{"state":"permissive","type":"minimum"}}`),
+ },
+ },
 {
 name: "sysconfig",
 fields: fields{