Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sefcontext: add support for path substitutions #5830

Merged
merged 35 commits into from
Feb 26, 2023
Merged

sefcontext: add support for path substitutions #5830

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
55d4d86
sefcontext: add path substitution support (#1193)
bluikko Jan 13, 2023
f0d24ea
sefcontext: add documentation
bluikko Jan 13, 2023
df020b2
Add changelog fragment
bluikko Jan 13, 2023
60c108d
Documentation formatting
bluikko Jan 13, 2023
a68026e
Delete extra newline
bluikko Jan 13, 2023
3475671
pep8 fixes
bluikko Jan 13, 2023
89f385d
Add version_added to arg docs
bluikko Jan 14, 2023
b779389
Add examples
bluikko Jan 14, 2023
71d2ab0
Don't delete non-matching path substitutions
bluikko Jan 14, 2023
2dd9262
Add integration tests
bluikko Jan 14, 2023
9f201b4
Delete only substitutions if such arg passed
bluikko Jan 14, 2023
9382c36
Can only add args in minor releases
bluikko Jan 14, 2023
e4a7084
Cleanup before tests
bluikko Jan 14, 2023
e86fb5f
Fix deletion using substitution
bluikko Jan 14, 2023
94fca73
Fix test checking wrong var
bluikko Jan 14, 2023
1c0f4c5
Improve args documentation and examples
bluikko Jan 14, 2023
dfbab4e
Add attributes documentation block
bluikko Jan 14, 2023
77b8b50
and fix indentation on attribute block
bluikko Jan 14, 2023
d1906d5
Consistent indentation for attributes
bluikko Jan 14, 2023
e455918
Add missing ref for attribute block
bluikko Jan 14, 2023
dbfef8b
Use correct c.g version in doc block
bluikko Jan 15, 2023
bbff552
Add full stop to changelog fragment
bluikko Jan 15, 2023
4e0cb01
Streamline documentation
bluikko Jan 16, 2023
2000876
Support limiting deletion to setype
bluikko Jan 19, 2023
f6f299c
Change arg name, diff mode output fix
bluikko Jan 19, 2023
bfde46c
Delete even if arg setype not match existing
bluikko Jan 19, 2023
a7f6ccb
Update arg name in tests
bluikko Jan 19, 2023
80e604a
Too eager replacing
bluikko Jan 20, 2023
c217a95
4564: Fix invalid setype in doc example
bluikko Jan 25, 2023
03c9901
Fix documentation attributes
bluikko Jan 25, 2023
b4d2aec
Update version_added in docs
bluikko Jan 31, 2023
b73deee
Add more description to the new arg docs
bluikko Feb 21, 2023
5c5a222
Update platform to Linux in documentation
bluikko Feb 23, 2023
2da462d
Add equal as alias for the new argument
bluikko Feb 25, 2023
6114aba
And add alias argument properly
bluikko Feb 25, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions changelogs/fragments/5830-sefcontext-path-subs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
minor_changes:
- sefcontext - add support for path substitutions (https://github.com/ansible-collections/community.general/issues/1193).
163 changes: 124 additions & 39 deletions plugins/modules/sefcontext.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,11 +17,14 @@
- Similar to the C(semanage fcontext) command.
extends_documentation_fragment:
- community.general.attributes
bluikko marked this conversation as resolved.
Show resolved Hide resolved
- community.general.attributes.platform
attributes:
check_mode:
support: full
diff_mode:
support: full
platform:
platforms: linux
options:
target:
description:
Expand All @@ -46,21 +49,30 @@
default: a
setype:
description:
- SELinux type for the specified target.
- SELinux type for the specified I(target).
type: str
required: true
substitute:
description:
- Path to use to substitute file context(s) for the specified I(target). The context labeling for the I(target) subtree is made equivalent to this path.
- This is also referred to as SELinux file context equivalence and it implements the C(equal) functionality of the SELinux management tools.
version_added: 6.4.0
type: str
aliases: [ equal ]
seuser:
description:
- SELinux user for the specified target.
- SELinux user for the specified I(target).
- Defaults to C(system_u) for new file contexts and to existing value when modifying file contexts.
type: str
selevel:
description:
- SELinux range for the specified target.
- SELinux range for the specified I(target).
- Defaults to C(s0) for new file contexts and to existing value when modifying file contexts.
type: str
aliases: [ serange ]
state:
description:
- Whether the SELinux file context must be C(absent) or C(present).
- Specifying C(absent) without either I(setype) or I(substitute) deletes both SELinux type or path substitution mappings that match I(target).
type: str
choices: [ absent, present ]
default: present
Expand All @@ -77,6 +89,8 @@
default: false
notes:
- The changes are persistent across reboots.
- I(setype) and I(substitute) are mutually exclusive.
- If I(state=present) then one of I(setype) or I(substitute) is mandatory.
- The M(community.general.sefcontext) module does not modify existing files to the new
SELinux context(s), so it is advisable to first create the SELinux
file contexts before creating files, or run C(restorecon) manually
Expand All @@ -96,9 +110,26 @@
- name: Allow apache to modify files in /srv/git_repos
community.general.sefcontext:
target: '/srv/git_repos(/.*)?'
setype: httpd_git_rw_content_t
setype: httpd_sys_rw_content_t
state: present
- name: Substitute file contexts for path /srv/containers with /var/lib/containers
community.general.sefcontext:
target: /srv/containers
substitute: /var/lib/containers
state: present
- name: Delete file context path substitution for /srv/containers
community.general.sefcontext:
target: /srv/containers
substitute: /var/lib/containers
state: absent
- name: Delete any file context mappings for path /srv/git
community.general.sefcontext:
target: /srv/git
state: absent
- name: Apply new SELinux file context to filesystem
ansible.builtin.command: restorecon -irv /srv/git_repos
'''
Expand Down Expand Up @@ -170,7 +201,13 @@ def semanage_fcontext_exists(sefcontext, target, ftype):
return None


def semanage_fcontext_modify(module, result, target, ftype, setype, do_reload, serange, seuser, sestore=''):
def semanage_fcontext_substitute_exists(sefcontext, target):
''' Get the SELinux file context path substitution definition from policy. Return None if it does not exist. '''

return sefcontext.equiv_dist.get(target, sefcontext.equiv.get(target))


def semanage_fcontext_modify(module, result, target, ftype, setype, substitute, do_reload, serange, seuser, sestore=''):
''' Add or modify SELinux file context mapping definition to the policy. '''

changed = False
Expand All @@ -179,39 +216,63 @@ def semanage_fcontext_modify(module, result, target, ftype, setype, do_reload, s
try:
sefcontext = seobject.fcontextRecords(sestore)
sefcontext.set_reload(do_reload)
exists = semanage_fcontext_exists(sefcontext, target, ftype)
if exists:
# Modify existing entry
orig_seuser, orig_serole, orig_setype, orig_serange = exists
if substitute is None:
exists = semanage_fcontext_exists(sefcontext, target, ftype)
if exists:
# Modify existing entry
orig_seuser, orig_serole, orig_setype, orig_serange = exists

if seuser is None:
seuser = orig_seuser
if serange is None:
serange = orig_serange

if setype != orig_setype or seuser != orig_seuser or serange != orig_serange:
if not module.check_mode:
sefcontext.modify(target, setype, ftype, serange, seuser)
changed = True

if module._diff:
prepared_diff += '# Change to semanage file context mappings\n'
prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, orig_seuser, orig_serole, orig_setype, orig_serange)
prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, orig_serole, setype, serange)
else:
# Add missing entry
if seuser is None:
seuser = 'system_u'
if serange is None:
serange = 's0'

if seuser is None:
seuser = orig_seuser
if serange is None:
serange = orig_serange

if setype != orig_setype or seuser != orig_seuser or serange != orig_serange:
if not module.check_mode:
sefcontext.modify(target, setype, ftype, serange, seuser)
sefcontext.add(target, setype, ftype, serange, seuser)
changed = True

if module._diff:
prepared_diff += '# Change to semanage file context mappings\n'
prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, orig_seuser, orig_serole, orig_setype, orig_serange)
prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, orig_serole, setype, serange)
prepared_diff += '# Addition to semanage file context mappings\n'
prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, 'object_r', setype, serange)
else:
# Add missing entry
if seuser is None:
seuser = 'system_u'
if serange is None:
serange = 's0'

if not module.check_mode:
sefcontext.add(target, setype, ftype, serange, seuser)
changed = True

if module._diff:
prepared_diff += '# Addition to semanage file context mappings\n'
prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, 'object_r', setype, serange)
exists = semanage_fcontext_substitute_exists(sefcontext, target)
if exists:
# Modify existing path substitution entry
orig_substitute = exists

if substitute != orig_substitute:
if not module.check_mode:
sefcontext.modify_equal(target, substitute)
changed = True

if module._diff:
prepared_diff += '# Change to semanage file context path substitutions\n'
prepared_diff += '-%s = %s\n' % (target, orig_substitute)
prepared_diff += '+%s = %s\n' % (target, substitute)
else:
# Add missing path substitution entry
if not module.check_mode:
sefcontext.add_equal(target, substitute)
changed = True
if module._diff:
prepared_diff += '# Addition to semanage file context path substitutions\n'
prepared_diff += '+%s = %s\n' % (target, substitute)

except Exception as e:
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))
Expand All @@ -222,7 +283,7 @@ def semanage_fcontext_modify(module, result, target, ftype, setype, do_reload, s
module.exit_json(changed=changed, seuser=seuser, serange=serange, **result)


def semanage_fcontext_delete(module, result, target, ftype, do_reload, sestore=''):
def semanage_fcontext_delete(module, result, target, ftype, setype, substitute, do_reload, sestore=''):
''' Delete SELinux file context mapping definition from the policy. '''

changed = False
Expand All @@ -232,7 +293,8 @@ def semanage_fcontext_delete(module, result, target, ftype, do_reload, sestore='
sefcontext = seobject.fcontextRecords(sestore)
sefcontext.set_reload(do_reload)
exists = semanage_fcontext_exists(sefcontext, target, ftype)
if exists:
substitute_exists = semanage_fcontext_substitute_exists(sefcontext, target)
if exists and substitute is None:
# Remove existing entry
orig_seuser, orig_serole, orig_setype, orig_serange = exists

Expand All @@ -243,6 +305,17 @@ def semanage_fcontext_delete(module, result, target, ftype, do_reload, sestore='
if module._diff:
prepared_diff += '# Deletion to semanage file context mappings\n'
prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, exists[0], exists[1], exists[2], exists[3])
if substitute_exists and setype is None and ((substitute is not None and substitute_exists == substitute) or substitute is None):
# Remove existing path substitution entry
orig_substitute = substitute_exists

if not module.check_mode:
sefcontext.delete(target, orig_substitute)
changed = True

if module._diff:
prepared_diff += '# Deletion to semanage file context path substitutions\n'
prepared_diff += '-%s = %s\n' % (target, orig_substitute)

except Exception as e:
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))
Expand All @@ -259,12 +332,23 @@ def main():
ignore_selinux_state=dict(type='bool', default=False),
target=dict(type='str', required=True, aliases=['path']),
ftype=dict(type='str', default='a', choices=list(option_to_file_type_str.keys())),
setype=dict(type='str', required=True),
setype=dict(type='str'),
substitute=dict(type='str', aliases=['equal']),
seuser=dict(type='str'),
selevel=dict(type='str', aliases=['serange']),
state=dict(type='str', default='present', choices=['absent', 'present']),
reload=dict(type='bool', default=True),
),
mutually_exclusive=[
('setype', 'substitute'),
('substitute', 'ftype'),
('substitute', 'seuser'),
('substitute', 'selevel'),
],
required_if=[
('state', 'present', ('setype', 'substitute'), True),
],

supports_check_mode=True,
)
if not HAVE_SELINUX:
Expand All @@ -281,17 +365,18 @@ def main():
target = module.params['target']
ftype = module.params['ftype']
setype = module.params['setype']
substitute = module.params['substitute']
seuser = module.params['seuser']
serange = module.params['selevel']
state = module.params['state']
do_reload = module.params['reload']

result = dict(target=target, ftype=ftype, setype=setype, state=state)
result = dict(target=target, ftype=ftype, setype=setype, substitute=substitute, state=state)

if state == 'present':
semanage_fcontext_modify(module, result, target, ftype, setype, do_reload, serange, seuser)
semanage_fcontext_modify(module, result, target, ftype, setype, substitute, do_reload, serange, seuser)
elif state == 'absent':
semanage_fcontext_delete(module, result, target, ftype, do_reload)
semanage_fcontext_delete(module, result, target, ftype, setype, substitute, do_reload)
else:
module.fail_json(msg='Invalid value of argument "state": {0}'.format(state))

Expand Down
Loading