Add selinux resource with basic features support

Signed-off-by: Vasu1105 <vasundhara.jagdale@chef.io>
2024-11-22 20:53:11 +00:00 · 2021-04-09 14:35:06 +05:30 · 2021-04-09 14:35:06 +05:30 · cbe7e8c03f
commit cbe7e8c03f
parent 6e55c9ed90
6 changed files with 131 additions and 0 deletions
--- a/docs-chef-io/content/inspec/resources/selinux.md
+++ b/docs-chef-io/content/inspec/resources/selinux.md
@ -0,0 +1,40 @@
+++
+title = "selinux resource"
+draft = false
+gh_repo = "inspec"
+platform = "linux"
+
+[menu]
+  [menu.inspec]
+    title = "selinux"
+    identifier = "inspec/resources/os/selinux.md selinux resource"
+    parent = "inspec/resources/os"
+++
+
+Use the `selinux` Chef InSpec audit resource to test the state/mode of SELinux policy.
+
+SELinux resource extracts and exposes data reported by the command 'sestatus'
+
+## Availability
+
+### Installation
+
+This resource is distributed along with Chef InSpec itself. You can use it automatically.
+
+### Version
+
+## Syntax
+
+An `selinux` Chef InSpec audit resource block extracts configuration settings that should be tested:
+
+    describe selinux do
+      it { should be_installed }
+      it { should be_enabled }
+      it { should be_enforcing }
+      it { should be_permissive }
+    end
+
+## Properties
+
+## Property Examples
+
--- a/lib/inspec/resources.rb
+++ b/lib/inspec/resources.rb
@ -103,6 +103,7 @@ require "inspec/resources/rabbitmq_config"
 require "inspec/resources/registry_key"
 require "inspec/resources/security_identifier"
 require "inspec/resources/security_policy"
+require "inspec/resources/selinux"
 require "inspec/resources/service"
 require "inspec/resources/shadow"
 require "inspec/resources/ssh_config"
--- a/lib/inspec/resources/selinux.rb
+++ b/lib/inspec/resources/selinux.rb
@ -0,0 +1,55 @@
+require "inspec/resources/command"
+
+module Inspec::Resources
+  class Selinux < Inspec.resource(1)
+    name "selinux"
+
+    supports platform: "unix"
+
+    desc "Use selinux Inspec resource to test state/mode of the selinux policy."
+
+    example <<~EXAMPLE
+      describe selinux do
+        it { should be_installed }
+        it { should be_disabled }
+        it { should be_permissive }
+        it { should be_enforcing }
+      end
+    EXAMPLE
+
+    def initialize(selinux_path = "/etc/selinux/config")
+      @path = selinux_path
+      cmd = inspec.command("sestatus")
+      if cmd.exit_status != 0
+        return skip_resource "#{cmd.stdout}"
+      end
+      result = cmd.stdout.delete(" ").gsub(/\n/, ",").gsub(/\r/,"").downcase
+      @data = Hash[result.scan /([^:]+):([^,]+)[,$]/]
+
+      return if inspec.os.linux?
+
+      @data = []
+      skip_resource "The 'selinux' resource is not supported non linux OS."
+    end
+
+    def installed?
+      inspec.file(@path).exist?
+    end
+
+    def disabled?
+      @data["selinuxstatus"] == 'disabled' unless @data.empty?
+    end
+
+    def enforcing?
+      @data["currentmode"] == 'enforcing' unless @data.empty?
+    end
+
+    def permissive?
+      @data["currentmode"] == 'permissive' unless @data.empty?
+    end
+
+    def to_s
+      "SELinux"
+    end
+  end
+end
--- a/test/fixtures/cmd/sestatus
+++ b/test/fixtures/cmd/sestatus
@ -0,0 +1,9 @@
+SELinux status:                 enabled
+SELinuxfs mount:                /sys/fs/selinux
+SELinux root directory:         /etc/selinux
+Loaded policy name:             targeted
+Current mode:                   enforcing
+Mode from config file:          enforcing
+Policy MLS status:              enabled
+Policy deny_unknown status:     allowed
+Max kernel policy version:      31
--- a/test/helpers/mock_loader.rb
+++ b/test/helpers/mock_loader.rb
@ -556,6 +556,7 @@ class MockLoader

      # filesystem command
      "2e7e0d4546342cee799748ec7e2b1c87ca00afbe590fa422a7c27371eefa88f0" => cmd.call("get-wmiobject-filesystem"),
+      'sestatus' => cmd.call("sestatus")
    }

    # ports on linux
--- a/test/unit/resources/selinux_test.rb
+++ b/test/unit/resources/selinux_test.rb
@ -0,0 +1,25 @@
+require "helper"
+require "inspec/resource"
+require "inspec/resources/selinux"
+
+describe "Inspec::Resources::Selinux" do
+  it "verify selinux state - enforcing" do
+    resource = load_resource("selinux")
+    _(resource.enforcing?).must_equal true
+  end
+
+  it "verify selinux state - permissive" do
+    resource = load_resource("selinux")
+    _(resource.permissive?).must_equal false
+  end
+
+  it "verify selinux disabled " do
+    resource = load_resource("selinux")
+    _(resource.disabled?).must_equal false
+  end
+
+  it "verify selinux on windows" do
+    resource = MockLoader.new("windows").load_resource("selinux")
+    _(resource.enforcing?).must_equal nil
+  end
+end