sefcontext: add support for path substitutions #5830
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ansibullbot
added
feature
This comment was marked as outdated.
This comment was marked as outdated.
ansibullbot
added
the
needs_revision
This comment was marked as outdated.
This comment was marked as outdated.
felixfontein
added
check-before-release
This comment was marked as outdated.
This comment was marked as outdated.
ansibullbot
added
integration
|
I apologize for not marking this PR as WIP in the beginning. It would be ready now. Feedback would be appreciated! |
This comment was marked as outdated.
This comment was marked as outdated.
ansibullbot
added
ci_verified
This comment was marked as outdated.
This comment was marked as outdated.
ansibullbot
added
ci_verified
Very much appreciated! But please excuse me, I had to ask for clarification. |
ansibullbot
added
the
needs_revision
|
CI fails until #5837 merged. |
Change arg name from equal to substitute. Print target = subsitute in diff mode same way as semanage does. Also put back platform attribute, try to improve clumsy language in the substitute arg docs.
Test 5 indicates that deletion is supposed to not check that the arg setype passed when deleting matches the setype of the mapping to delete. Delete any mapping that matches target, regardless of setype arg value.
Accidentally replaced seobject function names so fix them back
Change from httpd_git_rw_content_t which does not exist to httpd_sys_rw_content_t Fixes ansible-collections#4564
Additional fragment Co-authored-by: Felix Fontein <felix@fontein.de>
Bumping minor to 6.4.0 since it didn't make 6.3.0.
Try to improve discoverability of the new feature and make it easier to understand without deep SELinux understanding.
bluikko
force-pushed
the
bluikko-1193-sefcontext
branch
from
e6b138b
to
b73deee
Compare
ansibullbot
removed
merge_commit
|
Well, I had reviewed this PR a while ago, and the recent improvements continue to look good to me. As of the parameter name, I agree that if That being said, it LGTM. |
Improve discoverability of the new feature by adding an alias to the new module argument. The argument name "equal" will be easy to find for users who are not familiar with SELinux and who just try to match to the CLI tool `semanage`.
I added alias |
This comment was marked as outdated.
This comment was marked as outdated.
ansibullbot
added
ci_verified
Previous commit missed actually adding the alias (added to docs only).
ansibullbot
removed
ci_verified
felixfontein
approved these changes
Feb 25, 2023
felixfontein
removed
the
check-before-release
Backport to stable-6: 💚 backport PR created✅ Backport PR branch: Backported as #6098 🤖 @patchback |
patchback bot
pushed a commit
that referenced
this pull request
Feb 26, 2023
* sefcontext: add path substitution support (#1193) First commit for feedback, missing docs and tests. * sefcontext: add documentation * Add changelog fragment * Documentation formatting * Delete extra newline * pep8 fixes Fix indentation * Add version_added to arg docs * Add examples * Don't delete non-matching path substitutions * Add integration tests * Delete only substitutions if such arg passed Don't delete existing regular file context mappings if deletion of a path substitution was requested with the presence of the `equal` arg - delete only path substitutions in such case. Path substitutions and regular mappings may overlap. * Can only add args in minor releases :( * Cleanup before tests * Fix deletion using substitution Was comparing wrong var. * Fix test checking wrong var * Improve args documentation and examples List the default values for selevel, seuser. Add example for deleting path substitutions only. * Add attributes documentation block Not sure if should add become/delegate/async, shouldn't those work just like that without any specific code added for them? * and fix indentation on attribute block * Consistent indentation for attributes Confusing, most plugins indent with 4 spaces. But some use 2 like the rest of the code, so use 2. * Add missing ref for attribute block * Use correct c.g version in doc block Co-authored-by: Felix Fontein <felix@fontein.de> * Add full stop to changelog fragment Co-authored-by: Felix Fontein <felix@fontein.de> * Streamline documentation Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> * Support limiting deletion to setype Deleting file context mappings may be limited by passing setype or equal, if neither arg is passed then delete either setype/equal mappings that match. * Change arg name, diff mode output fix Change arg name from equal to substitute. Print target = subsitute in diff mode same way as semanage does. Also put back platform attribute, try to improve clumsy language in the substitute arg docs. * Delete even if arg setype not match existing Test 5 indicates that deletion is supposed to not check that the arg setype passed when deleting matches the setype of the mapping to delete. Delete any mapping that matches target, regardless of setype arg value. * Update arg name in tests * Too eager replacing Accidentally replaced seobject function names so fix them back * 4564: Fix invalid setype in doc example Change from httpd_git_rw_content_t which does not exist to httpd_sys_rw_content_t Fixes #4564 * Fix documentation attributes Additional fragment Co-authored-by: Felix Fontein <felix@fontein.de> * Update version_added in docs Bumping minor to 6.4.0 since it didn't make 6.3.0. * Add more description to the new arg docs Try to improve discoverability of the new feature and make it easier to understand without deep SELinux understanding. * Update platform to Linux in documentation * Add equal as alias for the new argument Improve discoverability of the new feature by adding an alias to the new module argument. The argument name "equal" will be easy to find for users who are not familiar with SELinux and who just try to match to the CLI tool `semanage`. * And add alias argument properly Previous commit missed actually adding the alias (added to docs only). --------- Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> (cherry picked from commit c8a2ac3)
felixfontein
pushed a commit
that referenced
this pull request
Feb 26, 2023
…th substitutions (#6098) sefcontext: add support for path substitutions (#5830) * sefcontext: add path substitution support (#1193) First commit for feedback, missing docs and tests. * sefcontext: add documentation * Add changelog fragment * Documentation formatting * Delete extra newline * pep8 fixes Fix indentation * Add version_added to arg docs * Add examples * Don't delete non-matching path substitutions * Add integration tests * Delete only substitutions if such arg passed Don't delete existing regular file context mappings if deletion of a path substitution was requested with the presence of the `equal` arg - delete only path substitutions in such case. Path substitutions and regular mappings may overlap. * Can only add args in minor releases :( * Cleanup before tests * Fix deletion using substitution Was comparing wrong var. * Fix test checking wrong var * Improve args documentation and examples List the default values for selevel, seuser. Add example for deleting path substitutions only. * Add attributes documentation block Not sure if should add become/delegate/async, shouldn't those work just like that without any specific code added for them? * and fix indentation on attribute block * Consistent indentation for attributes Confusing, most plugins indent with 4 spaces. But some use 2 like the rest of the code, so use 2. * Add missing ref for attribute block * Use correct c.g version in doc block Co-authored-by: Felix Fontein <felix@fontein.de> * Add full stop to changelog fragment Co-authored-by: Felix Fontein <felix@fontein.de> * Streamline documentation Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> * Support limiting deletion to setype Deleting file context mappings may be limited by passing setype or equal, if neither arg is passed then delete either setype/equal mappings that match. * Change arg name, diff mode output fix Change arg name from equal to substitute. Print target = subsitute in diff mode same way as semanage does. Also put back platform attribute, try to improve clumsy language in the substitute arg docs. * Delete even if arg setype not match existing Test 5 indicates that deletion is supposed to not check that the arg setype passed when deleting matches the setype of the mapping to delete. Delete any mapping that matches target, regardless of setype arg value. * Update arg name in tests * Too eager replacing Accidentally replaced seobject function names so fix them back * 4564: Fix invalid setype in doc example Change from httpd_git_rw_content_t which does not exist to httpd_sys_rw_content_t Fixes #4564 * Fix documentation attributes Additional fragment Co-authored-by: Felix Fontein <felix@fontein.de> * Update version_added in docs Bumping minor to 6.4.0 since it didn't make 6.3.0. * Add more description to the new arg docs Try to improve discoverability of the new feature and make it easier to understand without deep SELinux understanding. * Update platform to Linux in documentation * Add equal as alias for the new argument Improve discoverability of the new feature by adding an alias to the new module argument. The argument name "equal" will be easy to find for users who are not familiar with SELinux and who just try to match to the CLI tool `semanage`. * And add alias argument properly Previous commit missed actually adding the alias (added to docs only). --------- Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> (cherry picked from commit c8a2ac3) Co-authored-by: bluikko <14869000+bluikko@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
Fixes #1193.
Add support for path substitution mappings in the
sefcontextmodule.I would like to get feedback on this architecture that is quite a bit different from another (dead) PR #5189:
setypeargument withstate=absent- it is not really required for deletion and it was not even used in the old code.setypeorsubstitutearg passed: delete both path substitutions and regular context mappings fortargetif either was found when deletion requested.substitutewas passed withstate=absentthen delete only that equivalence if found (don't delete regular context mappings); if not found then return unchanged, if found buttargetsubstitutes some other path then return unchanged.setypewas passed withstate=absentthen delete only existing context mappings (don't delete path substitutions), don't care about thesetypematching the current mapping to delete (this is the old behavior which seems a bit loose).Fixes #4564.
Change the incorrect
setypein documentation example to a working label.ISSUE TYPE
COMPONENT NAME
sefcontext
ADDITIONAL INFORMATION
Feedback please! It is the largest code change I have done yet so I really need feedback.
sefcontext setype=tmp_t target=/opt/tmp state=absent: what if/opt/tmpis currently not mapped totmp_t, say it's mapped toopt_t- in this case should the module just returnchanged=false? Or should it delete the mapping anyways? The old behavior is the latter and I've kept that unchanged. Personally I feel that it is wrong and would like to hear feedback on this.substitute? I couldn't come up with a great name for it. Themanpage forsemanage-fcontexttalks about "path substitution" and the switch-efor this is called "equals". Better args names welcome: current comments seem to supportsubstitutebut there is also request to addequalas an alias (I would hesitate, perhaps unnecessarily, to add an alias to a new feature).Also adds "attributes" block to documentation & some minor documentation improvements.