Enforce the seluser on selinux systems

iptables-save always sets unconfined_u

diff --git a/manifests/linux/redhat.pp b/manifests/linux/redhat.pp
index 95e137fbe4e0b5358e9add7bf0a3174775f9e6b6..54b591c561b98de960cb1a81914fd53805c71125 100644 (file)
--- a/manifests/linux/redhat.pp
+++ b/manifests/linux/redhat.pp
@@ -58,10 +58,19 @@ class firewall::linux::redhat (
     require   => File['/etc/sysconfig/iptables'],
   }
 
+  # Redhat 7 selinux user context for /etc/sysconfig/iptables is set to unconfined_u
+  case $::selinux {
+    #lint:ignore:quoted_booleans
+    'true',true: { $seluser = 'unconfined_u' }
+    #lint:endignore
+    default:     { $seluser = undef }
+  }
+
   file { '/etc/sysconfig/iptables':
-    ensure => present,
-    owner  => 'root',
-    group  => 'root',
-    mode   => '0600',
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    seluser => $seluser,
   }
 }

diff --git a/spec/acceptance/firewall_bridging_spec.rb b/spec/acceptance/firewall_bridging_spec.rb
index b3cf9b6bd32a1ba15667a527f565f7da4190df44..96b013e4f520e008e748cd3a385d49f0fb0b8a02 100644 (file)
--- a/spec/acceptance/firewall_bridging_spec.rb
+++ b/spec/acceptance/firewall_bridging_spec.rb
@@ -26,9 +26,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -52,9 +50,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -79,9 +75,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -105,9 +99,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -132,9 +124,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -159,9 +149,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -187,9 +175,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -219,9 +205,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             EOS
 
             apply_manifest(pp, :catch_failures => true)
-            unless fact('selinux') == 'true'
-              apply_manifest(pp, :catch_changes => true)
-            end
+            apply_manifest(pp, :catch_changes => true)
           end
 
           it 'should contain the rule' do
@@ -246,9 +230,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             EOS
 
             apply_manifest(pp, :catch_failures => true)
-            unless fact('selinux') == 'true'
-              apply_manifest(pp, :catch_changes => true)
-            end
+            apply_manifest(pp, :catch_changes => true)
           end
 
           it 'should contain the rule' do
@@ -274,9 +256,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             EOS
 
             apply_manifest(pp, :catch_failures => true)
-            unless fact('selinux') == 'true'
-              apply_manifest(pp, :catch_changes => true)
-            end
+            apply_manifest(pp, :catch_changes => true)
           end
 
           it 'should contain the rule' do
@@ -301,9 +281,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             EOS
 
             apply_manifest(pp, :catch_failures => true)
-            unless fact('selinux') == 'true'
-              apply_manifest(pp, :catch_changes => true)
-            end
+            apply_manifest(pp, :catch_changes => true)
           end
 
           it 'should contain the rule' do
@@ -329,9 +307,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             EOS
 
             apply_manifest(pp, :catch_failures => true)
-            unless fact('selinux') == 'true'
-              apply_manifest(pp, :catch_changes => true)
-            end
+            apply_manifest(pp, :catch_changes => true)
           end
 
           it 'should contain the rule' do
@@ -357,9 +333,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             EOS
 
             apply_manifest(pp, :catch_failures => true)
-            unless fact('selinux') == 'true'
-              apply_manifest(pp, :catch_changes => true)
-            end
+            apply_manifest(pp, :catch_changes => true)
           end
 
           it 'should contain the rule' do
@@ -386,9 +360,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             EOS
 
             apply_manifest(pp, :catch_failures => true)
-            unless fact('selinux') == 'true'
-              apply_manifest(pp, :catch_changes => true)
-            end
+            apply_manifest(pp, :catch_changes => true)
           end
 
           it 'should contain the rule' do
@@ -400,4 +372,4 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
       end
     end
 
-end
\ No newline at end of file
+end

diff --git a/spec/acceptance/firewall_iptmodules_spec.rb b/spec/acceptance/firewall_iptmodules_spec.rb
index f0087634d9712f1056e6180a4b15c84f61abff67..6023ff930007661c849a8f360ac96abc9681d507 100644 (file)
--- a/spec/acceptance/firewall_iptmodules_spec.rb
+++ b/spec/acceptance/firewall_iptmodules_spec.rb
@@ -34,9 +34,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do
@@ -64,9 +62,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do
@@ -103,9 +99,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             EOS
 
             apply_manifest(pp, :catch_failures => true)
-            unless fact('selinux') == 'true'
-              apply_manifest(pp, :catch_changes => true)
-            end
+            apply_manifest(pp, :catch_changes => true)
           end
 
           it 'should contain the rule' do
@@ -134,9 +128,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             EOS
 
             apply_manifest(pp, :catch_failures => true)
-            unless fact('selinux') == 'true'
-              apply_manifest(pp, :catch_changes => true)
-            end
+            apply_manifest(pp, :catch_changes => true)
           end
 
           it 'should contain the rule' do
@@ -171,9 +163,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             EOS
 
             apply_manifest(pp, :catch_failures => true)
-            unless fact('selinux') == 'true'
-              apply_manifest(pp, :catch_changes => true)
-            end
+            apply_manifest(pp, :catch_changes => true)
           end
 
           it 'should contain the rule' do
@@ -201,9 +191,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
             EOS
 
             apply_manifest(pp, :catch_failures => true)
-            unless fact('selinux') == 'true'
-              apply_manifest(pp, :catch_changes => true)
-            end
+            apply_manifest(pp, :catch_changes => true)
           end
 
           it 'should contain the rule' do
@@ -215,4 +203,4 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
       end
     end
 
-end
\ No newline at end of file
+end

diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb
index cc248324724e3af6d9748a400b25c205e8e977b1..8576ffb0c3bfb04caee3c3edecb1417efc9e492a 100644 (file)
--- a/spec/acceptance/firewall_spec.rb
+++ b/spec/acceptance/firewall_spec.rb
@@ -116,9 +116,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do
@@ -141,9 +139,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do
@@ -193,9 +189,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do
@@ -245,9 +239,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do
@@ -270,9 +262,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do
@@ -322,9 +312,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do
@@ -596,9 +584,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -934,9 +920,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -1215,9 +1199,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -1269,9 +1251,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -1629,9 +1609,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
               EOS
 
               apply_manifest(pp, :catch_failures => true)
-              unless fact('selinux') == 'true'
-                apply_manifest(pp, :catch_changes => true)
-              end
+              apply_manifest(pp, :catch_changes => true)
             end
 
             it 'should contain the rule' do
@@ -1654,9 +1632,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
               EOS
 
               apply_manifest(pp, :catch_failures => true)
-              unless fact('selinux') == 'true'
-                apply_manifest(pp, :catch_changes => true)
-              end
+              apply_manifest(pp, :catch_changes => true)
             end
 
             it 'should contain the rule' do

diff --git a/spec/acceptance/firewall_time_spec.rb b/spec/acceptance/firewall_time_spec.rb
index 589148e1f81ffeec4640d64d7f2edcb0ad95b3c6..61365bb6921a0695b3f08bf61dd4069815055380 100644 (file)
--- a/spec/acceptance/firewall_time_spec.rb
+++ b/spec/acceptance/firewall_time_spec.rb
@@ -30,9 +30,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do
@@ -65,9 +63,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
           EOS
 
           apply_manifest(pp, :catch_failures => true)
-          unless fact('selinux') == 'true'
-            apply_manifest(pp, :catch_changes => true)
-          end
+          apply_manifest(pp, :catch_changes => true)
         end
 
         it 'should contain the rule' do

diff --git a/spec/acceptance/firewall_uid_spec.rb b/spec/acceptance/firewall_uid_spec.rb
index 50728b45ba616d89e6cbf26d4586f8c0f5abf829..3a976f92ac5907ec259985e5af40e27be3f30496 100644 (file)
--- a/spec/acceptance/firewall_uid_spec.rb
+++ b/spec/acceptance/firewall_uid_spec.rb
@@ -25,9 +25,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do
@@ -50,9 +48,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do
@@ -75,9 +71,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do
@@ -100,9 +94,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'should contain the rule' do

diff --git a/spec/acceptance/firewallchain_spec.rb b/spec/acceptance/firewallchain_spec.rb
index fab20b3ab2070c8ada94469caa0ed696a5ebcd4e..f70d9cefd719de34f4eadf84b28d693341cc02d5 100644 (file)
--- a/spec/acceptance/firewallchain_spec.rb
+++ b/spec/acceptance/firewallchain_spec.rb
@@ -14,9 +14,7 @@ describe 'puppet resource firewallchain command:', :unless => UNSUPPORTED_PLATFO
         EOS
         # Run it twice and test for idempotency
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'finds the chain' do
@@ -35,9 +33,7 @@ describe 'puppet resource firewallchain command:', :unless => UNSUPPORTED_PLATFO
         EOS
         # Run it twice and test for idempotency
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'fails to find the chain' do
@@ -116,9 +112,7 @@ describe 'puppet resource firewallchain command:', :unless => UNSUPPORTED_PLATFO
         EOS
         # Run it twice and test for idempotency
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
       end
 
       it 'finds the chain' do

diff --git a/spec/acceptance/invert_spec.rb b/spec/acceptance/invert_spec.rb
index 16af9b8baaeeb969552501b2ec925faf5b9ae784..ade319ffba0528f39bec9d13ecf78bd89c2707b6 100644 (file)
--- a/spec/acceptance/invert_spec.rb
+++ b/spec/acceptance/invert_spec.rb
@@ -25,9 +25,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami
       EOS
 
       apply_manifest(pp, :catch_failures => true)
-      unless fact('selinux') == 'true'
-        apply_manifest(pp, :catch_changes  => true)
-      end
+      apply_manifest(pp, :catch_changes  => true)
     end
 
     it 'should contain the rules' do

diff --git a/spec/acceptance/ip6_fragment_spec.rb b/spec/acceptance/ip6_fragment_spec.rb
index 61e79cef39b047c0deda31ce1f81d5254ff81050..3e44f8723e6d3154b1ea5d049c17f0e58a6262e9 100644 (file)
--- a/spec/acceptance/ip6_fragment_spec.rb
+++ b/spec/acceptance/ip6_fragment_spec.rb
@@ -37,9 +37,7 @@ else
         EOS
 
         apply_manifest(pp, :catch_failures => true)
-        unless fact('selinux') == 'true'
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
 
         shell('ip6tables-save') do |r|
           expect(r.stdout).to match(/#{line_match}/)
@@ -58,11 +56,7 @@ else
             }
         EOS
 
-        if fact('selinux') == 'true'
-          apply_manifest(pp, :catch_failures => true)
-        else
-          apply_manifest(pp, :catch_changes => true)
-        end
+        apply_manifest(pp, :catch_changes => true)
 
         shell('ip6tables-save') do |r|
           expect(r.stdout).to match(/#{line_match}/)

diff --git a/spec/acceptance/isfragment_spec.rb b/spec/acceptance/isfragment_spec.rb
index 772f9493ed6df84bb49d2ea35b81a4c8fd0ad791..a4b65e76e82f1b76ba41dc40492d46d0e5ccd185 100644 (file)
--- a/spec/acceptance/isfragment_spec.rb
+++ b/spec/acceptance/isfragment_spec.rb
@@ -17,9 +17,7 @@ describe 'firewall isfragment property', :unless => UNSUPPORTED_PLATFORMS.includ
       EOS
 
       apply_manifest(pp, :catch_failures => true)
-      unless fact('selinux') == 'true'
-        apply_manifest(pp, :catch_changes => true)
-      end
+      apply_manifest(pp, :catch_changes => true)
 
       shell('iptables-save') do |r|
         expect(r.stdout).to match(/#{line_match}/)
@@ -37,11 +35,7 @@ describe 'firewall isfragment property', :unless => UNSUPPORTED_PLATFORMS.includ
           }
       EOS
 
-      if fact('selinux') == 'true'
-        apply_manifest(pp, :catch_failures => true)
-      else
-        apply_manifest(pp, :catch_changes => true)
-      end
+      apply_manifest(pp, :catch_changes => true)
 
       shell('iptables-save') do |r|
         expect(r.stdout).to match(/#{line_match}/)

diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb
index 73582b87823d5cdfdea810616c825eada60c4ebe..ab37b2cb206aa691c070fb5efd6c46666dfa3b58 100644 (file)
--- a/spec/acceptance/purge_spec.rb
+++ b/spec/acceptance/purge_spec.rb
@@ -71,9 +71,7 @@ describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamil
         }
       EOS
 
-      unless fact('selinux') == 'true'
-        apply_manifest(pp, :catch_changes => true)
-      end
+      apply_manifest(pp, :catch_changes => true)
     end
 
     it 'ignores specified rules' do
@@ -87,11 +85,7 @@ describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamil
         }
       EOS
 
-      if fact('selinux') == 'true'
-        apply_manifest(pp, :catch_failures => true)
-      else
-        apply_manifest(pp, :catch_changes => true)
-      end
+      apply_manifest(pp, :catch_changes => true)
     end
 
     it 'adds managed rules with ignored rules' do
@@ -173,9 +167,7 @@ describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamil
         }
       EOS
 
-      unless fact('selinux') == 'true'
-        apply_manifest(pp, :catch_changes => true)
-      end
+      apply_manifest(pp, :catch_changes => true)
     end
 
     it 'ignores specified rules' do
@@ -189,11 +181,7 @@ describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamil
         }
       EOS
 
-      if fact('selinux') == 'true'
-        apply_manifest(pp, :catch_failures => true)
-      else
-        apply_manifest(pp, :catch_changes => true)
-      end
+      apply_manifest(pp, :catch_changes => true)
     end
 
     it 'adds managed rules with ignored rules' do

diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb
index c2acb8b821df708c04a6aed2b0aa11439ffda80c..b91e11e478282989319924aeccd83f068ab99017 100644 (file)
--- a/spec/acceptance/rules_spec.rb
+++ b/spec/acceptance/rules_spec.rb
@@ -242,9 +242,7 @@ describe 'complex ruleset 2' do
 
     # Run it twice and test for idempotency
     apply_manifest(pp, :catch_failures => true)
-    unless fact('selinux') == 'true'
-      apply_manifest(pp, :catch_changes => true)
-    end
+    apply_manifest(pp, :catch_changes => true)
   end
 
   it 'contains appropriate rules' do

diff --git a/spec/acceptance/socket_spec.rb b/spec/acceptance/socket_spec.rb
index 2a21066c0d91f97e2a9b8088402bdaaaef102194..5503a9a077872e299b7c3e6300e63aa6d3873ffd 100644 (file)
--- a/spec/acceptance/socket_spec.rb
+++ b/spec/acceptance/socket_spec.rb
@@ -20,9 +20,7 @@ describe 'firewall socket property', :unless => (UNSUPPORTED_PLATFORMS.include?(
       EOS
 
       apply_manifest(pp, :catch_failures => true)
-      unless fact('selinux') == 'true'
-        apply_manifest(pp, :catch_changes => true)
-      end
+      apply_manifest(pp, :catch_changes => true)
 
       shell('iptables-save -t raw') do |r|
         expect(r.stdout).to match(/#{line_match}/)
@@ -42,11 +40,7 @@ describe 'firewall socket property', :unless => (UNSUPPORTED_PLATFORMS.include?(
           }
       EOS
 
-      if fact('selinux') == 'true'
-        apply_manifest(pp, :catch_failures => true)
-      else
-        apply_manifest(pp, :catch_changes => true)
-      end
+      apply_manifest(pp, :catch_changes => true)
 
       shell('iptables-save -t raw') do |r|
         expect(r.stdout).to match(/#{line_match}/)

diff --git a/spec/acceptance/standard_usage_spec.rb b/spec/acceptance/standard_usage_spec.rb
index 753f6e1e55a21e25d36b7829db56d834d73405e7..e585bb746f6ee68db653d5af833e1ec75ff905a7 100644 (file)
--- a/spec/acceptance/standard_usage_spec.rb
+++ b/spec/acceptance/standard_usage_spec.rb
@@ -55,8 +55,6 @@ describe 'standard usage tests:', :unless => UNSUPPORTED_PLATFORMS.include?(fact
 
     # Run it twice and test for idempotency
     apply_manifest(pp, :catch_failures => true)
-    unless fact('selinux') == 'true'
-      apply_manifest(pp, :catch_changes => true)
-    end
+    apply_manifest(pp, :catch_changes => true)
   end
 end