From be5899527891e889a2daa51c1b780b8d55f8ef33 Mon Sep 17 00:00:00 2001
From: Stephen Fromm
Date: Sat, 21 Apr 2012 23:27:34 -0700
Subject: [PATCH 1/3] Add context=default option to file module

This adjusts behavior of file module such that removal of se* option does not revert the file's selinux context to the default. In order to go back to the default context according to the policy, you can use the context=default option.
---
 library/file | 45 ++++++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 21 deletions(-)

diff --git a/library/file b/library/file
index 90d6892601..e0ebbecb17 100755
--- a/library/file
+++ b/library/file
@@ -72,6 +72,21 @@ def add_path_info(kwargs):
         kwargs['state'] = 'absent'
     return kwargs
 
+# If selinux fails to find a default, return an array of None
+def selinux_default_context(path, mode=0):
+    context = [None, None, None, None]
+    if not HAVE_SELINUX:
+        return context
+    try:
+        ret = selinux.matchpathcon(path, mode)
+    except OSError:
+        return context
+    if ret[0] == -1:
+        return context
+    context = ret[1].split(':')
+    debug("got default secontext=%s" % ret[1])
+    return context
+
 # ===========================================
 
 argfile = sys.argv[1]
@@ -107,8 +122,16 @@ seuser = params.get('seuser', None)
 serole = params.get('serole', None)
 setype = params.get('setype', None)
 selevel = params.get('serange', 's0')
+context = params.get('context', None)
 secontext = [seuser, serole, setype, selevel]
 
+if context is not None:
+    if context != 'default':
+        fail_json(msg='invalid context: %s' % context)
+    if seuser is not None or serole is not None or setype is not None:
+        fail_json(msg='cannot define context=default and seuser, serole or setype')
+    secontext = selinux_default_context(path)
+
 if state not in [ 'file', 'directory', 'link', 'absent']:
     fail_json(msg='invalid state: %s' % state)
 
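Review bot: `context = ret[1].split(':')` in selinux_default_context assumes a context has exactly four colon-separated fields, but an MLS/MCS level or range can itself contain colons (for example `s0-s0:c0.c1023`), so the returned list may have five or more entries, and set_context_if_different in the third hunk then reads `cur_context[i]` past the end of a four-entry current context. Limiting the split keeps the level in one field: `context = ret[1].split(':', 3)`. The `mode=0` default is not explained; a comment on the signature such as `# mode: st_mode bits passed to matchpathcon, 0 = file type not known` would help the next reader.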
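Review bot: The `context=default` guard in the second hunk rejects seuser, serole and setype but not serange, yet `secontext = selinux_default_context(path)` replaces the whole list, so `selevel = params.get('serange', 's0')` is silently discarded when both options are given. Extend the check: `if seuser is not None or serole is not None or setype is not None or params.get('serange') is not None:`. When libselinux is missing or the policy has no default, selinux_default_context returns four Nones and set_context_if_different (third hunk) skips every field, so a `context=default` task reports no change rather than an error; if an error is wanted, follow the call with `if secontext == [None, None, None, None]: fail_json(msg='no default selinux context for %s' % path)`.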
@@ -148,34 +171,14 @@ def selinux_context(path):
     debug("got current secontext=%s" % ret[1])
     return context
 
-# If selinux fails to find a default, return an array of None
-def selinux_default_context(path, mode=0):
-    context = [None, None, None, None]
-    print >>sys.stderr, path
-    if not HAVE_SELINUX:
-        return context
-    try:
-        ret = selinux.matchpathcon(path, mode)
-    except OSError:
-        return context
-    if ret[0] == -1:
-        return context
-    context = ret[1].split(':')
-    debug("got default secontext=%s" % ret[1])
-    return context
-
 def set_context_if_different(path, context, changed):
     if not HAVE_SELINUX:
         return changed
     cur_context = selinux_context(path)
-    new_context = selinux_default_context(path)
+    new_context = list(cur_context)
     for i in range(len(context)):
         if context[i] is not None and context[i] != cur_context[i]:
-            debug('new context was %s' % new_context[i])
             new_context[i] = context[i]
-            debug('new context is %s' % new_context[i])
-        elif new_context[i] is None:
-            new_context[i] = cur_context[i]
     debug("current secontext is %s" % ':'.join(cur_context))
     debug("new secontext is %s" % ':'.join(new_context))
     if cur_context != new_context:

From 0f044e64f85dbfe18410b881eb8c30de9de08a39 Mon Sep 17 00:00:00 2001
From: Stephen Fromm
Date: Sat, 21 Apr 2012 23:30:08 -0700
Subject: [PATCH 2/3] Add example playbook of file module's selinux capabilities

---
 examples/playbooks/file_secontext.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 examples/playbooks/file_secontext.yml

diff --git a/examples/playbooks/file_secontext.yml b/examples/playbooks/file_secontext.yml
new file mode 100644
index 0000000000..75ab6ad49a
--- /dev/null
+++ b/examples/playbooks/file_secontext.yml
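Review bot: `':'.join(cur_context)` and the `context[i] != cur_context[i]` comparison in set_context_if_different assume selinux_context returns four strings; if it follows the contract of the function removed here and yields a list of None when the current context cannot be read, the debug join raises TypeError before anything is changed, turning a lookup failure into a module crash. A guard right after the lookup keeps the best-effort behaviour: `if None in cur_context: return changed`. The body of selinux_context starts, and that of set_context_if_different ends, outside the hunk.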
@@ -0,0 +1,12 @@
+---
+# This is a demo of how to manage the selinux context using the file module
+- hosts: test
+  user: root
+  tasks:
+  - name: Change setype of /etc/exports to non-default value
+    action: file path=/etc/exports setype=etc_t
+  - name: Change seuser of /etc/exports to non-default value
+    action: file path=/etc/exports seuser=unconfined_u
+  - name: Set selinux context back to default value
+    action: file path=/etc/exports context=default
+

From bcfa6a7865a4461b5240f1bcb57504de4589811d Mon Sep 17 00:00:00 2001
From: Stephen Fromm
Date: Sun, 22 Apr 2012 00:14:40 -0700
Subject: [PATCH 3/3] Add another example to file_secontext.yml

Demonstrate what happens when there is no default context in the policy.
---
 examples/playbooks/file_secontext.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/examples/playbooks/file_secontext.yml b/examples/playbooks/file_secontext.yml
index 75ab6ad49a..117a930dc0 100644
--- a/examples/playbooks/file_secontext.yml
+++ b/examples/playbooks/file_secontext.yml
@@ -9,4 +9,10 @@
     action: file path=/etc/exports seuser=unconfined_u
   - name: Set selinux context back to default value
     action: file path=/etc/exports context=default
-
+  - name: Create empty file
+    action: command /bin/touch /tmp/foo
+  - name: Change setype of /tmp/foo
+    action: file path=/tmp/foo setype=default_t
+  - name: Try to set secontext to default, but this will fail
+          because of the lack of a default in the policy
+    action: file path=/tmp/foo context=default
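Review bot: The new tasks run `/bin/touch /tmp/foo` and then relabel `/tmp/foo` as root; that is a fixed name in a world-writable directory, so whatever another local user has already placed at that path is what gets touched and relabelled when the play runs. A demo that runs as root is safer with a path under a root-owned directory, e.g. `action: command /bin/touch /root/secontext-demo` (a constructed example name) with the two `path=/tmp/foo` lines changed to match. The two-line task name (`because of the lack of a default in the policy`) is a plain-scalar continuation that only parses when indented deeper than `name`; keeping the name on one line avoids that dependency.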