fixes #66252 correct use of egrep to parse semanage output

2025-04-10 14:51:40 +00:00 · 2024-03-21 13:45:12 +00:00 · 2024-03-21 13:45:12 +00:00 · 983cfe75e3
commit 983cfe75e3
parent 6e4f178ba2
3 changed files with 34 additions and 1 deletions
--- a/changelog/66252.fixed.md
+++ b/changelog/66252.fixed.md
@ -0,0 +1 @@
+Applying `selinux.fcontext_policy_present` to a shorter path than an existing entry now works
--- a/salt/modules/selinux.py
+++ b/salt/modules/selinux.py
@ -616,7 +616,7 @@ def _fcontext_add_or_delete_policy(
    if "add" == action:
        # need to use --modify if context for name file exists, otherwise ValueError
        filespec = re.escape(name)
-        cmd = f"semanage fcontext -l | egrep '{filespec}'"
+        cmd = f"semanage fcontext -l | egrep '{filespec} '"
        current_entry_text = __salt__["cmd.shell"](cmd, ignore_retcode=True)
        if current_entry_text != "":
            action = "modify"
--- a/tests/pytests/unit/modules/test_selinux.py
+++ b/tests/pytests/unit/modules/test_selinux.py
@ -410,3 +410,35 @@ def test_selinux_add_policy_regex(name, sel_type):
        mock_cmd_run_all.assert_called_once_with(
            expected_cmd_run_all,
        )
+
+
+@pytest.mark.parametrize(
+    "name,sel_type",
+    (
+        ("/usr/share/munin/plugins/mysql_queries", "services_munin_plugin_exec_t"),
+        ("/usr/share/munin/plugins/mysql_", "unconfined_munin_plugin_exec_t"),
+    ),
+)
+def test_selinux_add_policy_shorter_path(name, sel_type):
+    """
+    Test adding policy with a shorter path than an existing entry
+    """
+    mock_cmd_shell = MagicMock(return_value={"retcode": 0})
+    mock_cmd_run_all = MagicMock(return_value={"retcode": 0})
+
+    with patch.dict(selinux.__salt__, {"cmd.shell": mock_cmd_shell}), patch.dict(
+        selinux.__salt__, {"cmd.run_all": mock_cmd_run_all}
+    ):
+        selinux.fcontext_add_policy(name, sel_type=sel_type)
+        filespec = re.escape(name)
+        expected_cmd_shell = f"semanage fcontext -l | egrep '{filespec}'"
+        mock_cmd_shell.assert_called_once_with(
+            expected_cmd_shell,
+            ignore_retcode=True,
+        )
+        expected_cmd_run_all = (
+            f"semanage fcontext --modify --type {sel_type} {filespec}"
+        )
+        mock_cmd_run_all.assert_called_once_with(
+            expected_cmd_run_all,
+        )
				`@ -0,0 +1 @@`
				Applying `selinux.fcontext_policy_present` to a shorter path than an existing entry now works