From 971235726344afb309b3cd4085d3c070f2a6f936 Mon Sep 17 00:00:00 2001 From: Davide Madrisan Date: Tue, 9 Apr 2024 22:01:27 +0200 Subject: [PATCH] feat(check_selinux): add two more cmdline options By default, permissive mode raises a warning. Add two additional options to tune this behavior: --permissive-is-allowed: return OK if permissive mode --permissive-is-critical: return CRITICAL Signed-off-by: Davide Madrisan --- plugins/check_selinux.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/plugins/check_selinux.c b/plugins/check_selinux.c index 7bc2a77..40de7ea 100644 --- a/plugins/check_selinux.c +++ b/plugins/check_selinux.c @@ -38,6 +38,8 @@ static const char *program_copyright = "Copyright (C) 2024 Davide Madrisan <" PACKAGE_BUGREPORT ">\n"; static struct option const longopts[] = { + {(char *) "permissive-is-allowed", no_argument, NULL, 'p'}, + {(char *) "permissive-is-critical", no_argument, NULL, 'P'}, {(char *) "help", no_argument, NULL, GETOPT_HELP_CHAR}, {(char *) "version", no_argument, NULL, GETOPT_VERSION_CHAR}, {NULL, 0, NULL, 0} 
@@ -50,13 +52,23 @@ usage (FILE * out) fputs ("This plugin checks if SELinux is enabled.\n", out); fputs (program_copyright, out); fputs (USAGE_HEADER, out); - fprintf (out, " %s\n", program_name); + fprintf (out, " %s [--permissive-is-allowed|--permissive-is-critical]\n", + program_name); fputs (USAGE_OPTIONS, out); + fputs (" -p --permissive-is-allowed permissive mode does not generate " + "a warning\n", out); + fputs (" -P --permissive-is-critical permissive mode is to be considered" + " critical\n", out); fputs (USAGE_HELP, out); fputs (USAGE_VERSION, out); + fputs (USAGE_NOTE, out); + fputs (" By default, permissive mode raises a warning.\n", out); + fputs (" Use the option -P to turn it into a critical error\n", out); + fputs (" or -p to consider it a valid configuration.\n", out); fputs (USAGE_EXAMPLES, out); - fprintf (out, " %s\n", - program_name); + fprintf (out, " %s\n", program_name); + fprintf (out, " %s --permissive-is-allowed\n", program_name); + fprintf (out, " %s --permissive-is-critical\n", program_name); exit (out == stderr ? STATE_UNKNOWN : STATE_OK); } @@ -75,18 +87,25 @@ int main (int argc, char **argv) { int c, is_enabled; - nagstatus status = STATE_OK; + nagstatus status = STATE_OK, + permissive_status = STATE_WARNING; set_program_name (argv[0]); while ((c = getopt_long (argc, argv, - GETOPT_HELP_VERSION_STRING, + "p" GETOPT_HELP_VERSION_STRING, longopts, NULL)) != -1) { switch (c) { default: usage (stderr); + case 'P': + permissive_status = STATE_CRITICAL; + break; + case 'p': + permissive_status = STATE_OK; + break; case_GETOPT_HELP_CHAR case_GETOPT_VERSION_CHAR @@ -103,7 +122,7 @@ main (int argc, char **argv) status_str = "disabled"; break; case 1: - status = STATE_WARNING; + status = permissive_status; status_str = "disabled (permissive)"; break; case 2:
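Review bot: The short option `-P` that the new usage text advertises is never accepted, because the optstring handed to getopt_long becomes `"p" GETOPT_HELP_VERSION_STRING` and omits `P`, so `-P` makes getopt_long return '?' and lands in `default: usage (stderr)`; only the long form `--permissive-is-critical` reaches `case 'P'`. The fix is one token: `"pP" GETOPT_HELP_VERSION_STRING`. The new cases are also placed right after a `default:` label that has no `break`, which only works because usage() exits, so either move `default` to the end of the switch or add an explicit `break;` after the usage call so a future non-exiting usage() cannot fall into the `-P` handler. Giving both `-p` and `-P` is silently last-wins even though the usage line presents them as alternatives; rejecting the combination via `usage (stderr)` would avoid an operator unintentionally downgrading a permissive-mode alert to OK. main() continues outside the hunk.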
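Review bot: With `--permissive-is-allowed` the plugin now returns OK while still reporting `status_str = "disabled (permissive)"`, which reads as if SELinux were off even though permissive mode means the policy is loaded and logging but not enforcing. Since this wording is what operators will see next to an OK/WARNING/CRITICAL verdict that is now configurable, consider the more precise `status_str = "permissive (not enforcing)";`, bearing in mind that existing checks may match on the old text. The enclosing switch continues outside the hunk.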