RFE: Support for setting seuser in selinux_fcontexts #106
Comments
Will this fix the issue?

```yaml
- name: Set SELinux file contexts
  sefcontext:
    target: "{{ item.target }}"
    setype: "{{ item.setype }}"
    ftype: "{{ item.ftype | default('a') }}"
    state: "{{ item.state | default('present') }}"
    selevel: "{{ item.selevel | default(omit) }}"
    seuser: "{{ item.seuser | default(omit) }}"
  with_items: "{{ selinux_fcontexts }}"
```

That is - if selevel is not present in item, do not pass it to the sefcontext module.
Yes, "omit" was what I had been looking at. I can fork, test, and PR if you like!

Sure - thanks - much appreciated!

According to this document: https://wiki.gentoo.org/wiki/SELinux/Users_and_logins

If that is the case on Enterprise Linux systems, then there is no need for this RFE. I am exploring further and will advise once I know more.
When a file is created by a process, it inherits the user part from the process domain:

If there's a file context matching a file, the user part is reset on

In general, file contexts define the system_u user for files:

sefcontext.py uses system_u when seuser is not defined as well - https://github.com/ansible-collections/community.general/blob/main/plugins/modules/system/sefcontext.py#L195

And it's also important to say that in SELinux policies based on Fedora selinux-policy-targeted, the user part is not used when allow rules are evaluated:

So you would need a policy based on mls and also use it for files like those inside users' home. But given how simple the patch would be, I would say let's add this to have a complete set of options available.
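As an added example (not code from the issue, the PR, or the selinux role itself), the playbook below shows what `selinux_fcontexts` entries look like with and without `seuser`/`selevel`, how `default(omit)` keeps the unset fields out of the `community.general.sefcontext` call so the module falls back to `system_u`, and a follow-up `restorecon -F` so that the user and level parts already on disk are actually reset (plain `restorecon` only corrects the type). The host group, paths, SELinux types and the `selinux_restore_dirs` variable are assumptions chosen for illustration.

```yaml
# Added example playbook, not part of the issue or the selinux role.
# Hosts, paths, types and selinux_restore_dirs are assumptions for illustration.
- name: Manage SELinux file contexts, passing seuser/selevel only when set
  hosts: webservers            # assumed inventory group
  become: true
  vars:
    selinux_fcontexts:
      # Only the type is given: seuser and selevel stay undefined, so the
      # task below omits them and sefcontext falls back to system_u.
      - target: '/srv/www(/.*)?'
        setype: httpd_sys_content_t
      # Full entry: user and level set explicitly. The user part only affects
      # access decisions under an MLS-style policy, as noted in the thread;
      # under targeted policy it is recorded on the file but not enforced.
      - target: '/home/[^/]+/public_html(/.*)?'
        setype: httpd_user_content_t
        seuser: user_u
        selevel: s0
    # Directories whose on-disk labels are re-applied after the rules change.
    selinux_restore_dirs:
      - /srv/www
      - /home
  tasks:
    - name: Set SELinux file context rules
      community.general.sefcontext:
        target: "{{ item.target }}"
        setype: "{{ item.setype }}"
        ftype: "{{ item.ftype | default('a') }}"
        state: "{{ item.state | default('present') }}"
        # default(omit) drops the parameter entirely when the item lacks it,
        # instead of sending an empty value to the module.
        seuser: "{{ item.seuser | default(omit) }}"
        selevel: "{{ item.selevel | default(omit) }}"
      loop: "{{ selinux_fcontexts }}"
      loop_control:
        label: "{{ item.target }}"

    - name: Re-label files; -F resets user, role and level too, not just the type
      ansible.builtin.command: restorecon -R -F -v {{ item }}
      loop: "{{ selinux_restore_dirs }}"
      register: restorecon_out
      # restorecon -v prints one line per relabelled file, so report
      # "changed" only when something was actually relabelled.
      changed_when: restorecon_out.stdout | length > 0
```

Without `default(omit)` the second task would send `seuser: ""` for the first entry, which is not the same as leaving the user part unset. The `-F` on `restorecon` matters when an entry's `seuser` or `selevel` is changed later: the default label on disk will still carry the old user and level until a forced reset, so an audit that compares `ls -Z` output against the rule set should be run after this play.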
any luck with this?

See Issue linux-system-roles#106 "RFE: Support for setting seuser in selinux_fcontexts" linux-system-roles#106

PR submitted for review @bachradsusi @richm review welcome!

@bachradsusi does it matter at all that this role performs a

Yes, it should use

@bachradsusi Should we be concerned about the implications of switching to

I don't think there's any negative implication of switching
Added setting of seuser and selevel for completeness

See Issue linux-system-roles#106 "RFE: Support for setting seuser in selinux_fcontexts" linux-system-roles#106

Added explanation of seuser and selevel parameters
Added -F flag to restorecon to force reset
See "man restorecon" for more detail on -F flag
[1.4.0] - 2022-07-28
--------------------

### New Features

- Added setting of seuser and selevel for completeness (linux-system-roles#108)

  Added setting of seuser and selevel for completeness
  See Issue linux-system-roles#106 "RFE: Support for setting seuser in selinux_fcontexts" linux-system-roles#106
  Added explanation of seuser and selevel parameters
  Added -F flag to restorecon to force reset
  See "man restorecon" for more detail on -F flag
  Authored-by: Benjamin Blasco <bblasco@redhat.com>

### Bug Fixes

- none

### Other Changes

- changelog_to_tag action - support other than "master" for the main branch name, as well (linux-system-roles#117)
- Use GITHUB_REF_NAME as name of push branch; fix error in branch detection [citest skip] (linux-system-roles#118)

  We need to get the name of the branch to which CHANGELOG.md was pushed. For now, it looks as though `GITHUB_REF_NAME` is that name. But don't trust it - first, check that it is `main` or `master`. If not, then use a couple of other methods to determine what is the push branch.
  Signed-off-by: Rich Megginson <rmeggins@redhat.com>
I see a comment in https://github.com/linux-system-roles/selinux/blob/master/tasks/main.yml suggesting that seuser and selevel handling functionality needs to be added to this role:

The community sefcontext module handles this by not touching the seuser if none is defined:

https://github.com/ansible-collections/community.general/blob/main/plugins/modules/system/sefcontext.py

Is it straightforward enough to add a conditional to this role to not attempt to pass seuser (or selevel) to sefcontext if the value is not defined? I would be happy to contribute a PR for this functionality if this is what we envisage that the role needs.