test: ensure disabled selinux test restores system state

[richm]

Save the state and the policy before the test, and ensure we
restore that after the test.

Put the cleanup block in a always so that it will always be
executed, even if the test fails.

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by Sourcery

Improve the disabled SELinux test by capturing pre-test system state and enforcing cleanup in an always block to guarantee restoration of SELinux configuration, mountpoints, and test user regardless of test outcome

Enhancements:

• Save original SELinux policy and state before running the disabled SELinux test and restore them afterward
• Wrap test steps in a block with an always cleanup section to ensure system state is restored even if the test fails

Tests:

• Refactor the disabled SELinux test to remove global vars and inline semanage_change within the test block

[sourcery-ai]

Reviewer's Guide

This PR refactors the SELinux-disabled test playbook to capture and restore the system's original SELinux policy and mode, wraps the test steps in a block with an always cleanup to ensure system state is restored even on failure.

File-Level Changes

Change	Details	Files
Capture initial SELinux policy and state before tests	Added set_fact to save __save_policy and __save_state from gathered facts	tests/tests_selinux_disabled.yml
Restructure test execution with guaranteed cleanup	Wrapped role invocation and assertions in a block with an always section Moved cleanup tasks (restore config, remove backup, remove test user, purge role) into the always block	tests/tests_selinux_disabled.yml
Embed semanage mapping and user creation within the test block	Introduced inline semanage_change var for mapping commands Relocated user creation and mapping steps under the test block	tests/tests_selinux_disabled.yml
Refactor mount/unmount and role invocation under error handling	Registered selinuxfs mountpoint and used it for unmount/mount commands Added rescue to capture selinux_reboot_required and verify failure condition	tests/tests_selinux_disabled.yml
Remove obsolete top-level variables	Deleted vars section specifying selinux_state, selinux_policy, etc.	tests/tests_selinux_disabled.yml

Possibly linked issues

• #0: The PR saves and restores the original SELinux policy and state, fixing the incorrect cleanup described in the issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey @richm - I've reviewed your changes and they look great!

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[richm]

[citest]

[richm]

[citest_bad]

[bachradsusi]

Maybe use {{ __save_policy }} and {{ _save_state }} ?

[richm]

Ok - but then I don't understand what this code is trying to do - is it trying to change the state and the policy? If the policy is already the same as __save_policy and the state is already the same as __save_state, then what will this do?

[bachradsusi]

at this moment, /etc/selinux/config is copied from selinux.config with SELINUX=disabled and SELINUXTYPE=targeted
this test should check whether the switch from disabled to enforcing triggers selinux_reboot_required

[bachradsusi]

The same trigger should happen with switch from disabled to permissive

But to make it clear the combination would be better I guess:

selinux_policy: {{ __save_policy }}
selinux_state: enforcing

[bachradsusi]

The problem with selinux_policy: targeted is that it expects selinux-policy-targeted to be installed. If it's not installed, the test fails:

# cp -r /var/lib/selinux/targeted/ /var/lib/selinux/test
# cp -r /etc/selinux/targeted/ /etc/selinux/test
# sed -i 's/=targeted/=test/' /etc/selinux/config
# reboot

# mv /etc/selinux/targeted /etc/selinux/targeted-
# mv /var/lib/selinux/targeted /var/lib/selinux/targeted-

# ansible-playbook -i localhost, -c local tests_selinux_disabled.yml

TASK [Remove Linux System Roles SELinux User] **************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "userdel: failure while writing changes to /etc/passwd\n", "name": "sar-user", "rc": 1}

In this case tests_selinux_modules_checksum.yml would fail as well as it has uses hard coded targeted

[bachradsusi]

It seems to me that it should be sufficient to Get current SELinux state at the beginning, use the values in Include role to purge everything and move Restore original /etc/selinux/config to the end so that it's really the original file, not changed by the the Include role to purge everything after.

[richm]

It seems to me that it should be sufficient to Get current SELinux state at the beginning, use the values in Include role to purge everything and move Restore original /etc/selinux/config to the end so that it's really the original file, not changed by the the Include role to purge everything after.

Please check latest commit

[bachradsusi]

I tested the last commit and in general it works for me. I have only comments to hardcoded targeted in the test, but it's a different issue which does not need to block this PR.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Please upload report for BASE (main@a432874). Learn more about missing BASE report.

Additional details and impacted files

@@          Coverage Diff          @@
##             main   #292   +/-   ##
=====================================
  Coverage        ?      0           
=====================================
  Files           ?      0           
  Lines           ?      0           
  Branches        ?      0           
=====================================
  Hits            ?      0           
  Misses          ?      0           
  Partials        ?      0           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.