From f8bb236d754b38a254ac5a52c9c23d7c2849d6dd Mon Sep 17 00:00:00 2001 From: Hunter Haugen Date: Tue, 23 Jun 2015 16:18:00 -0700 Subject: [PATCH] Enforce the seluser on selinux systems iptables-save always sets unconfined_u --- manifests/linux/redhat.pp | 17 ++++-- spec/acceptance/firewall_bridging_spec.rb | 58 ++++++--------------- spec/acceptance/firewall_iptmodules_spec.rb | 26 +++------ spec/acceptance/firewall_spec.rb | 48 +++++------------ spec/acceptance/firewall_time_spec.rb | 8 +-- spec/acceptance/firewall_uid_spec.rb | 16 ++---- spec/acceptance/firewallchain_spec.rb | 12 ++--- spec/acceptance/invert_spec.rb | 4 +- spec/acceptance/ip6_fragment_spec.rb | 10 +--- spec/acceptance/isfragment_spec.rb | 10 +--- spec/acceptance/purge_spec.rb | 20 ++----- spec/acceptance/rules_spec.rb | 4 +- spec/acceptance/socket_spec.rb | 10 +--- spec/acceptance/standard_usage_spec.rb | 4 +- 14 files changed, 69 insertions(+), 178 deletions(-) diff --git a/manifests/linux/redhat.pp b/manifests/linux/redhat.pp index 95e137f..54b591c 100644 --- a/manifests/linux/redhat.pp +++ b/manifests/linux/redhat.pp @@ -58,10 +58,19 @@ class firewall::linux::redhat ( require => File['/etc/sysconfig/iptables'], } + # Redhat 7 selinux user context for /etc/sysconfig/iptables is set to unconfined_u + case $::selinux { + #lint:ignore:quoted_booleans + 'true',true: { $seluser = 'unconfined_u' } + #lint:endignore + default: { $seluser = undef } + } + file { '/etc/sysconfig/iptables': - ensure => present, - owner => 'root', - group => 'root', - mode => '0600', + ensure => present, + owner => 'root', + group => 'root', + mode => '0600', + seluser => $seluser, } } diff --git a/spec/acceptance/firewall_bridging_spec.rb b/spec/acceptance/firewall_bridging_spec.rb index b3cf9b6..96b013e 100644 --- a/spec/acceptance/firewall_bridging_spec.rb +++ b/spec/acceptance/firewall_bridging_spec.rb @@ -26,9 +26,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -52,9 +50,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -79,9 +75,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -105,9 +99,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -132,9 +124,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -159,9 +149,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -187,9 +175,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -219,9 +205,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -246,9 +230,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -274,9 +256,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -301,9 +281,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -329,9 +307,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -357,9 +333,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -386,9 +360,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -400,4 +372,4 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami end end -end \ No newline at end of file +end diff --git a/spec/acceptance/firewall_iptmodules_spec.rb b/spec/acceptance/firewall_iptmodules_spec.rb index f008763..6023ff9 100644 --- a/spec/acceptance/firewall_iptmodules_spec.rb +++ b/spec/acceptance/firewall_iptmodules_spec.rb @@ -34,9 +34,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -64,9 +62,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -103,9 +99,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -134,9 +128,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -171,9 +163,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -201,9 +191,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -215,4 +203,4 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami end end -end \ No newline at end of file +end diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb index cc24832..8576ffb 100644 --- a/spec/acceptance/firewall_spec.rb +++ b/spec/acceptance/firewall_spec.rb @@ -116,9 +116,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -141,9 +139,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -193,9 +189,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -245,9 +239,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -270,9 +262,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -322,9 +312,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -596,9 +584,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -934,9 +920,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -1215,9 +1199,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -1269,9 +1251,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -1629,9 +1609,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -1654,9 +1632,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do diff --git a/spec/acceptance/firewall_time_spec.rb b/spec/acceptance/firewall_time_spec.rb index 589148e..61365bb 100644 --- a/spec/acceptance/firewall_time_spec.rb +++ b/spec/acceptance/firewall_time_spec.rb @@ -30,9 +30,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -65,9 +63,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do diff --git a/spec/acceptance/firewall_uid_spec.rb b/spec/acceptance/firewall_uid_spec.rb index 50728b4..3a976f9 100644 --- a/spec/acceptance/firewall_uid_spec.rb +++ b/spec/acceptance/firewall_uid_spec.rb @@ -25,9 +25,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -50,9 +48,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -75,9 +71,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do @@ -100,9 +94,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rule' do diff --git a/spec/acceptance/firewallchain_spec.rb b/spec/acceptance/firewallchain_spec.rb index fab20b3..f70d9ce 100644 --- a/spec/acceptance/firewallchain_spec.rb +++ b/spec/acceptance/firewallchain_spec.rb @@ -14,9 +14,7 @@ describe 'puppet resource firewallchain command:', :unless => UNSUPPORTED_PLATFO EOS # Run it twice and test for idempotency apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'finds the chain' do @@ -35,9 +33,7 @@ describe 'puppet resource firewallchain command:', :unless => UNSUPPORTED_PLATFO EOS # Run it twice and test for idempotency apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'fails to find the chain' do @@ -116,9 +112,7 @@ describe 'puppet resource firewallchain command:', :unless => UNSUPPORTED_PLATFO EOS # Run it twice and test for idempotency apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'finds the chain' do diff --git a/spec/acceptance/invert_spec.rb b/spec/acceptance/invert_spec.rb index 16af9b8..ade319f 100644 --- a/spec/acceptance/invert_spec.rb +++ b/spec/acceptance/invert_spec.rb @@ -25,9 +25,7 @@ describe 'firewall type', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfami EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'should contain the rules' do diff --git a/spec/acceptance/ip6_fragment_spec.rb b/spec/acceptance/ip6_fragment_spec.rb index 61e79ce..3e44f87 100644 --- a/spec/acceptance/ip6_fragment_spec.rb +++ b/spec/acceptance/ip6_fragment_spec.rb @@ -37,9 +37,7 @@ else EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) shell('ip6tables-save') do |r| expect(r.stdout).to match(/#{line_match}/) @@ -58,11 +56,7 @@ else } EOS - if fact('selinux') == 'true' - apply_manifest(pp, :catch_failures => true) - else - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) shell('ip6tables-save') do |r| expect(r.stdout).to match(/#{line_match}/) diff --git a/spec/acceptance/isfragment_spec.rb b/spec/acceptance/isfragment_spec.rb index 772f949..a4b65e7 100644 --- a/spec/acceptance/isfragment_spec.rb +++ b/spec/acceptance/isfragment_spec.rb @@ -17,9 +17,7 @@ describe 'firewall isfragment property', :unless => UNSUPPORTED_PLATFORMS.includ EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) shell('iptables-save') do |r| expect(r.stdout).to match(/#{line_match}/) @@ -37,11 +35,7 @@ describe 'firewall isfragment property', :unless => UNSUPPORTED_PLATFORMS.includ } EOS - if fact('selinux') == 'true' - apply_manifest(pp, :catch_failures => true) - else - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) shell('iptables-save') do |r| expect(r.stdout).to match(/#{line_match}/) diff --git a/spec/acceptance/purge_spec.rb b/spec/acceptance/purge_spec.rb index 73582b8..ab37b2c 100644 --- a/spec/acceptance/purge_spec.rb +++ b/spec/acceptance/purge_spec.rb @@ -71,9 +71,7 @@ describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamil } EOS - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'ignores specified rules' do @@ -87,11 +85,7 @@ describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamil } EOS - if fact('selinux') == 'true' - apply_manifest(pp, :catch_failures => true) - else - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'adds managed rules with ignored rules' do @@ -173,9 +167,7 @@ describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamil } EOS - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'ignores specified rules' do @@ -189,11 +181,7 @@ describe "purge tests:", :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamil } EOS - if fact('selinux') == 'true' - apply_manifest(pp, :catch_failures => true) - else - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'adds managed rules with ignored rules' do diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb index c2acb8b..b91e11e 100644 --- a/spec/acceptance/rules_spec.rb +++ b/spec/acceptance/rules_spec.rb @@ -242,9 +242,7 @@ describe 'complex ruleset 2' do # Run it twice and test for idempotency apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end it 'contains appropriate rules' do diff --git a/spec/acceptance/socket_spec.rb b/spec/acceptance/socket_spec.rb index 2a21066..5503a9a 100644 --- a/spec/acceptance/socket_spec.rb +++ b/spec/acceptance/socket_spec.rb @@ -20,9 +20,7 @@ describe 'firewall socket property', :unless => (UNSUPPORTED_PLATFORMS.include?( EOS apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) shell('iptables-save -t raw') do |r| expect(r.stdout).to match(/#{line_match}/) @@ -42,11 +40,7 @@ describe 'firewall socket property', :unless => (UNSUPPORTED_PLATFORMS.include?( } EOS - if fact('selinux') == 'true' - apply_manifest(pp, :catch_failures => true) - else - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) shell('iptables-save -t raw') do |r| expect(r.stdout).to match(/#{line_match}/) diff --git a/spec/acceptance/standard_usage_spec.rb b/spec/acceptance/standard_usage_spec.rb index 753f6e1..e585bb7 100644 --- a/spec/acceptance/standard_usage_spec.rb +++ b/spec/acceptance/standard_usage_spec.rb @@ -55,8 +55,6 @@ describe 'standard usage tests:', :unless => UNSUPPORTED_PLATFORMS.include?(fact # Run it twice and test for idempotency apply_manifest(pp, :catch_failures => true) - unless fact('selinux') == 'true' - apply_manifest(pp, :catch_changes => true) - end + apply_manifest(pp, :catch_changes => true) end end -- 2.45.2