Add selinux resource support for modules and booleans

Signed-off-by: Vasu1105 <vasundhara.jagdale@chef.io>
2024-11-10 07:04:15 +00:00 · 2021-04-15 19:58:12 +05:30 · 2021-04-15 19:58:12 +05:30 · fe0020ce50
commit fe0020ce50
parent 295d074629
1 changed files with 74 additions and 0 deletions
--- a/lib/inspec/resources/selinux.rb
+++ b/lib/inspec/resources/selinux.rb
@ -1,6 +1,49 @@
 require "inspec/resources/command"
+require "inspec/utils/filter"

 module Inspec::Resources
+  class SelinuxModuleFilter
+    # use filtertable for SELinux Modules
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:names, field: :name)
+    filter.register_column(:status, field: :status)
+    filter.register_column(:states, field: :state)
+    filter.register_column(:priorities , field: :priority)
+    filter.register_custom_matcher(:enabled?) { |x| x.states[0] == "enabled" }
+    filter.register_custom_matcher(:installed?) { |x| x.status[0] == "installed" }
+    filter.install_filter_methods_on_resource(self, :modules)
+
+    attr_reader :modules
+    def initialize(modules)
+      @modules = modules
+    end
+
+    def to_s
+      "SElinux modules"
+    end
+  end
+
+  class SelinuxBooleanFilter
+    # use filtertable for SELinux Booleans
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:names, field: :name)
+    filter.register_column(:states, field: :state)
+    filter.register_column(:defaults, field: :default)
+    filter.register_custom_matcher(:on?) { |x| x.states[0] == "on" }
+    filter.install_filter_methods_on_resource(self, :booleans)
+
+    attr_reader :booleans
+    def initialize(booleans)
+      @booleans = booleans
+    end
+
+    def to_s
+      "SElinux booleans"
+    end
+  end
+
  class Selinux < Inspec.resource(1)
    name "selinux"
    supports platform: "linux"
@ -46,8 +89,39 @@ module Inspec::Resources
      @data["currentmode"] == "permissive"
    end

+    def modules
+      SelinuxModuleFilter.new(parse_modules)
+    end
+
+    def booleans
+      SelinuxBooleanFilter.new(parse_booleans)
+    end
+
    def to_s
      "SELinux"
    end
+
+    private
+
+    def parse_modules
+      raw_modules = inspec.command("semodule -lfull").stdout
+      r_modules = []
+      raw_modules.each_line do |entry|
+        data = entry.split.map(&:strip)
+        state = data.length == 4 ? data[3] : "enabled"
+        r_modules.push({ name: data[1], status: "installed", state: state, priority: data[0] })
+      end
+      r_modules
+    end
+
+    def parse_booleans
+      raw_booleans = inspec.command("semanage boolean -l -n").stdout
+      r_booleans = []
+      raw_booleans.each_line do |entry|
+        data = entry.scan(/([^(,)]+)/).flatten.map(&:strip)
+        r_booleans.push({ name: data[0], state: data[1], default: data[2] })
+      end
+      r_booleans
+    end
  end
 end