mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
community.general/plugins/modules/sefcontext.py

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright (c) 2016, Dag Wieers (@dagwieers) <dag@wieers.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = r'''
---
module: sefcontext
short_description: Manages SELinux file context mapping definitions
description:
  - Manages SELinux file context mapping definitions.
  - Similar to the C(semanage fcontext) command.
extends_documentation_fragment:
  - community.general.attributes
  - community.general.attributes.platform
attributes:
  check_mode:
    support: full
  diff_mode:
    support: full
  platform:
    platforms: linux
options:
  target:
    description:
      - Target path (expression).
    type: str
    required: true
    aliases: [ path ]
  ftype:
    description:
      - The file type that should have SELinux contexts applied.
      - "The following file type options are available:"
      - V(a) for all files,
      - V(b) for block devices,
      - V(c) for character devices,
      - V(d) for directories,
      - V(f) for regular files,
      - V(l) for symbolic links,
      - V(p) for named pipes,
      - V(s) for socket files.
    type: str
    choices: [ a, b, c, d, f, l, p, s ]
    default: a
  setype:
    description:
      - SELinux type for the specified O(target).
    type: str
  substitute:
    description:
      - Path to use to substitute file context(s) for the specified O(target). The context labeling for the O(target) subtree is made equivalent to this path.
      - This is also referred to as SELinux file context equivalence and it implements the C(equal) functionality of the SELinux management tools.
    version_added: 6.4.0
    type: str
    aliases: [ equal ]
  seuser:
    description:
      - SELinux user for the specified O(target).
      - Defaults to V(system_u) for new file contexts and to the existing value when modifying file contexts.
    type: str
  selevel:
    description:
      - SELinux range for the specified O(target).
      - Defaults to V(s0) for new file contexts and to the existing value when modifying file contexts.
    type: str
    aliases: [ serange ]
  state:
    description:
      - Whether the SELinux file context must be V(absent) or V(present).
      - Specifying V(absent) without either O(setype) or O(substitute) deletes both the SELinux type mappings and the path substitution mappings that match O(target).
    type: str
    choices: [ absent, present ]
    default: present
  reload:
    description:
      - Reload SELinux policy after commit.
      - Note that this does not apply SELinux file contexts to existing files.
    type: bool
    default: true
  ignore_selinux_state:
    description:
      - Useful for scenarios (such as a chrooted environment) in which you cannot get the real SELinux state.
    type: bool
    default: false
notes:
- The changes are persistent across reboots.
- O(setype) and O(substitute) are mutually exclusive.
- If O(state=present) then one of O(setype) or O(substitute) is mandatory.
- The M(community.general.sefcontext) module does not modify existing files to the new
  SELinux context(s), so it is advisable to first create the SELinux
  file contexts before creating files, or to run C(restorecon) manually
  on the existing files that require the new SELinux file contexts.
- Not applying SELinux fcontexts to existing files is a deliberate
  decision: it would be unclear what the reported changes would entail,
  and there is no guarantee that applying SELinux fcontexts does
  not pick up other unrelated prior changes.
requirements:
- libselinux-python
- policycoreutils-python
author:
- Dag Wieers (@dagwieers)
'''
EXAMPLES = r'''
- name: Allow apache to modify files in /srv/git_repos
  community.general.sefcontext:
    target: '/srv/git_repos(/.*)?'
    setype: httpd_sys_rw_content_t
    state: present

- name: Substitute file contexts for path /srv/containers with /var/lib/containers
  community.general.sefcontext:
    target: /srv/containers
    substitute: /var/lib/containers
    state: present
- name: Delete file context path substitution for /srv/containers
  community.general.sefcontext:
    target: /srv/containers
    substitute: /var/lib/containers
    state: absent

- name: Delete any file context mappings for path /srv/git
  community.general.sefcontext:
    target: /srv/git
    state: absent

- name: Apply new SELinux file context to filesystem
  ansible.builtin.command: restorecon -irv /srv/git_repos
'''
RETURN = r'''
# Default return values
'''
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.common.text.converters import to_native
SELINUX_IMP_ERR = None
try:
    import selinux
    HAVE_SELINUX = True
except ImportError:
    SELINUX_IMP_ERR = traceback.format_exc()
    HAVE_SELINUX = False

SEOBJECT_IMP_ERR = None
try:
    import seobject
    HAVE_SEOBJECT = True
except ImportError:
    SEOBJECT_IMP_ERR = traceback.format_exc()
    HAVE_SEOBJECT = False

# Add missing entries (backward compatible)
if HAVE_SEOBJECT:
    seobject.file_types.update(
        a=seobject.SEMANAGE_FCONTEXT_ALL,
        b=seobject.SEMANAGE_FCONTEXT_BLOCK,
        c=seobject.SEMANAGE_FCONTEXT_CHAR,
        d=seobject.SEMANAGE_FCONTEXT_DIR,
        f=seobject.SEMANAGE_FCONTEXT_REG,
        l=seobject.SEMANAGE_FCONTEXT_LINK,
        p=seobject.SEMANAGE_FCONTEXT_PIPE,
        s=seobject.SEMANAGE_FCONTEXT_SOCK,
    )

# Make backward compatible
option_to_file_type_str = dict(
    a='all files',
    b='block device',
    c='character device',
    d='directory',
    f='regular file',
    l='symbolic link',
    p='named pipe',
    s='socket',
)


def get_runtime_status(ignore_selinux_state=False):
    return True if ignore_selinux_state is True else selinux.is_selinux_enabled()


def semanage_fcontext_exists(sefcontext, target, ftype):
    ''' Get the SELinux file context mapping definition from policy. Return None if it does not exist. '''

    # Beware that records are keyed by the string representation of the file type, not by the one-letter option
    record = (target, option_to_file_type_str[ftype])
    records = sefcontext.get_all()
    try:
        return records[record]
    except KeyError:
        return None


def semanage_fcontext_substitute_exists(sefcontext, target):
    ''' Get the SELinux file context path substitution definition from policy. Return None if it does not exist. '''

    return sefcontext.equiv_dist.get(target, sefcontext.equiv.get(target))


def semanage_fcontext_modify(module, result, target, ftype, setype, substitute, do_reload, serange, seuser, sestore=''):
    ''' Add or modify an SELinux file context mapping definition in the policy. '''

    changed = False
    prepared_diff = ''

    try:
        sefcontext = seobject.fcontextRecords(sestore)
        sefcontext.set_reload(do_reload)
        if substitute is None:
            exists = semanage_fcontext_exists(sefcontext, target, ftype)
            if exists:
                # Modify existing entry
                orig_seuser, orig_serole, orig_setype, orig_serange = exists

                # Unspecified user/range keep their current values
                if seuser is None:
                    seuser = orig_seuser
                if serange is None:
                    serange = orig_serange

                if setype != orig_setype or seuser != orig_seuser or serange != orig_serange:
                    if not module.check_mode:
                        sefcontext.modify(target, setype, ftype, serange, seuser)
                    changed = True

                    if module._diff:
                        prepared_diff += '# Change to semanage file context mappings\n'
                        prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, orig_seuser, orig_serole, orig_setype, orig_serange)
                        prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, orig_serole, setype, serange)
            else:
                # Add missing entry, using the same defaults as semanage fcontext -a
                if seuser is None:
                    seuser = 'system_u'
                if serange is None:
                    serange = 's0'
2020-03-09 09:11:07 +00:00
                if not module.check_mode:
                    sefcontext.add(target, setype, ftype, serange, seuser)
                changed = True

                if module._diff:
                    prepared_diff += '# Addition to semanage file context mappings\n'
                    prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, 'object_r', setype, serange)
        else:
            exists = semanage_fcontext_substitute_exists(sefcontext, target)
            if exists:
                # Modify existing path substitution entry
                orig_substitute = exists

                if substitute != orig_substitute:
                    if not module.check_mode:
                        sefcontext.modify_equal(target, substitute)
                    changed = True

                    if module._diff:
                        prepared_diff += '# Change to semanage file context path substitutions\n'
                        prepared_diff += '-%s = %s\n' % (target, orig_substitute)
                        prepared_diff += '+%s = %s\n' % (target, substitute)
            else:
                # Add missing path substitution entry
                if not module.check_mode:
                    sefcontext.add_equal(target, substitute)
                changed = True

                if module._diff:
                    prepared_diff += '# Addition to semanage file context path substitutions\n'
                    prepared_diff += '+%s = %s\n' % (target, substitute)
    except Exception as e:
        module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))

    if module._diff and prepared_diff:
        result['diff'] = dict(prepared=prepared_diff)

    module.exit_json(changed=changed, seuser=seuser, serange=serange, **result)
def semanage_fcontext_delete(module, result, target, ftype, setype, substitute, do_reload, sestore=''):
    ''' Delete SELinux file context mapping definition from the policy. '''

    changed = False
    prepared_diff = ''

    try:
        sefcontext = seobject.fcontextRecords(sestore)
        sefcontext.set_reload(do_reload)
        exists = semanage_fcontext_exists(sefcontext, target, ftype)
        substitute_exists = semanage_fcontext_substitute_exists(sefcontext, target)
        if exists and substitute is None:
            # Remove existing entry (any matching target is deleted, regardless of the setype argument)
            orig_seuser, orig_serole, orig_setype, orig_serange = exists

            if not module.check_mode:
                sefcontext.delete(target, ftype)
            changed = True

            if module._diff:
                prepared_diff += '# Deletion to semanage file context mappings\n'
                prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, orig_seuser, orig_serole, orig_setype, orig_serange)
        # Only remove a path substitution when no setype was given and the requested
        # substitute either matches the existing one or was not given at all
        if substitute_exists and setype is None and ((substitute is not None and substitute_exists == substitute) or substitute is None):
            # Remove existing path substitution entry
            orig_substitute = substitute_exists

            if not module.check_mode:
                sefcontext.delete(target, orig_substitute)
            changed = True

            if module._diff:
                prepared_diff += '# Deletion to semanage file context path substitutions\n'
                prepared_diff += '-%s = %s\n' % (target, orig_substitute)
    except Exception as e:
        module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))

    if module._diff and prepared_diff:
        result['diff'] = dict(prepared=prepared_diff)

    module.exit_json(changed=changed, **result)


def main():
    module = AnsibleModule(
        argument_spec=dict(
            ignore_selinux_state=dict(type='bool', default=False),
            target=dict(type='str', required=True, aliases=['path']),
Enabling validation-modules for system modules (#1212)

* fixed validation-modules for aix_devices.py
* fixed validation-modules for aix_filesystem.py
* fixed validation-modules for aix_inittab.py
* fixed validation-modules for aix_lvg.py
* fixed validation-modules for aix_lvol.py
* fixed validation-modules for awall.py
* fixed validation-modules for dconf.py
* fixed validation-modules for gconftool2.py
* fixed validation-modules for interfaces_file.py
* fixed validation-modules for java_keystore.py
* fixed validation-modules for kernel_blacklist.py
* fixed validation-modules for plugins/modules/system/lbu.py
* fixed validation-modules for plugins/modules/system/locale_gen.py
* fixed validation-modules for plugins/modules/system/lvg.py
* fixed validation-modules for plugins/modules/system/lvol.py
* fixed validation-modules for plugins/modules/system/mksysb.py
* fixed validation-modules for plugins/modules/system/modprobe.py
* fixed validation-modules for plugins/modules/system/nosh.py
* fixed validation-modules for plugins/modules/system/open_iscsi.py
* fixed validation-modules for plugins/modules/system/openwrt_init.py
* fixed validation-modules for plugins/modules/system/osx_defaults.py
* fixed validation-modules for plugins/modules/system/pamd.py
* fixed validation-modules for plugins/modules/system/pam_limits.py
* fixed validation-modules for plugins/modules/system/parted.py
* fixed validation-modules for plugins/modules/system/puppet.py
* fixed validation-modules for plugins/modules/system/python_requirements_info.py
* fixed validation-modules for plugins/modules/system/runit.py the parameter "dist" is not used anywhere in the module
* fixed validation-modules for plugins/modules/system/sefcontext.py
* fixed validation-modules for plugins/modules/system/selogin.py
* fixed validation-modules for plugins/modules/system/seport.py
* fixed validation-modules for plugins/modules/system/solaris_zone.py
* fixed validation-modules for plugins/modules/system/syspatch.py
* fixed validation-modules for plugins/modules/system/vdo.py
* fixed validation-modules for plugins/modules/system/xfconf.py
* removed ignore almost all validate-modules lines in system
* removed unnecessary validations, per shippable test
* kernel_blacklist: keeping blacklist_file as str instead of path
* mksysb: keeping storage_path as str instead of path
* pam_limits: keeping dest as str instead of path
* rollback on adding doc for puppet.py legacy param
* rolled back param seuser required in selogin module
* rolled back changes in runit
* rolled back changes in osx_defaults
* rolled back changes in aix_defaults
2020-11-04 21:02:50 +13:00
            ftype=dict(type='str', default='a', choices=list(option_to_file_type_str.keys())),
            setype=dict(type='str'),
            substitute=dict(type='str', aliases=['equal']),
            seuser=dict(type='str'),
            selevel=dict(type='str', aliases=['serange']),
            state=dict(type='str', default='present', choices=['absent', 'present']),
            reload=dict(type='bool', default=True),
        ),
        mutually_exclusive=[
            ('setype', 'substitute'),
            ('substitute', 'ftype'),
            ('substitute', 'seuser'),
            ('substitute', 'selevel'),
        ],
        required_if=[
            ('state', 'present', ('setype', 'substitute'), True),
        ],
        supports_check_mode=True,
    )

    if not HAVE_SELINUX:
        module.fail_json(msg=missing_required_lib("libselinux-python"), exception=SELINUX_IMP_ERR)

    if not HAVE_SEOBJECT:
        module.fail_json(msg=missing_required_lib("policycoreutils-python"), exception=SEOBJECT_IMP_ERR)

    ignore_selinux_state = module.params['ignore_selinux_state']

    if not get_runtime_status(ignore_selinux_state):
        module.fail_json(msg="SELinux is disabled on this host.")

    target = module.params['target']
    ftype = module.params['ftype']
    setype = module.params['setype']
    substitute = module.params['substitute']
    seuser = module.params['seuser']
    serange = module.params['selevel']
    state = module.params['state']
    do_reload = module.params['reload']

    result = dict(target=target, ftype=ftype, setype=setype, substitute=substitute, state=state)

    if state == 'present':
        semanage_fcontext_modify(module, result, target, ftype, setype, substitute, do_reload, serange, seuser)
    elif state == 'absent':
        semanage_fcontext_delete(module, result, target, ftype, setype, substitute, do_reload)
    else:
        module.fail_json(msg='Invalid value of argument "state": {0}'.format(state))


if __name__ == '__main__':
    main()
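The argument constraints declared in main() above (substitute is mutually exclusive with setype, ftype, seuser and selevel, and state=present needs either setype or substitute) are easy to misread, in particular the trailing True in the required_if tuple, which means "any of" rather than "all of". The following is an added, stand-alone re-implementation of just those two checks so they can be exercised without Ansible installed; it is not community.general code, and the error messages and the sample task arguments (the /srv/git target and /var/www/git substitution) are constructed for illustration.

```python
# Added example (not part of community.general): a stand-alone re-implementation of
# the two AnsibleModule argument constraints the sefcontext module declares,
# mutually_exclusive and required_if, so the rules can be tried without Ansible.
# The 4-tuple form ('state', 'present', ('setype', 'substitute'), True) means
# "when state == 'present', at least ONE of setype/substitute must be set";
# without the trailing True, every listed parameter would be required.

MUTUALLY_EXCLUSIVE = [
    ('setype', 'substitute'),
    ('substitute', 'ftype'),
    ('substitute', 'seuser'),
    ('substitute', 'selevel'),
]

REQUIRED_IF = [
    ('state', 'present', ('setype', 'substitute'), True),
]


def validate_sefcontext_args(params):
    """Return a list of validation errors (empty when the task args are acceptable).

    `params` is a dict of task arguments as a playbook would pass them; in this
    re-implementation a parameter that is absent or None counts as unset.
    """
    errors = []
    present = {k for k, v in params.items() if v is not None}

    for a, b in MUTUALLY_EXCLUSIVE:
        if a in present and b in present:
            errors.append("parameters are mutually exclusive: %s|%s" % (a, b))

    for key, value, requirements, any_of in REQUIRED_IF:
        if params.get(key) != value:
            continue
        have = [r for r in requirements if r in present]
        if any_of and not have:
            errors.append("%s is %s but any of the following are missing: %s"
                          % (key, value, ', '.join(requirements)))
        elif not any_of and len(have) != len(requirements):
            errors.append("%s is %s but all of the following are required: %s"
                          % (key, value, ', '.join(requirements)))
    return errors


if __name__ == '__main__':
    # Constructed task arguments; the paths are illustrative only.
    tasks = {
        'regular mapping': dict(target='/srv/git(/.*)?', setype='httpd_sys_rw_content_t', state='present'),
        'path substitution': dict(target='/srv/git', substitute='/var/www/git', state='present'),
        'substitute plus setype': dict(target='/srv/git', substitute='/var/www/git',
                                       setype='httpd_sys_rw_content_t', state='present'),
        'present without context': dict(target='/srv/git', state='present'),
        'absent without context': dict(target='/srv/git', state='absent'),
    }
    for name, args in tasks.items():
        print(name, '->', validate_sefcontext_args(args) or 'ok')
```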