mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
made special treatment of certain filesystem for selinux configurable
This commit is contained in:
parent
8a26b17f16
commit
e2de336a23
5 changed files with 32 additions and 15 deletions
|
@ -223,3 +223,8 @@ accelerate_daemon_timeout = 30
|
||||||
# is "no".
|
# is "no".
|
||||||
#accelerate_multi_key = yes
|
#accelerate_multi_key = yes
|
||||||
|
|
||||||
|
[selinux]
|
||||||
|
# file systems that require special treatment when dealing with security context
|
||||||
|
# the default behaviour that copies the existing context or uses the user default
|
||||||
|
# needs to be changed to use the file system dependant context.
|
||||||
|
#special_context_filesystems=nfs,vboxsf,fuse
|
||||||
|
|
|
@ -134,7 +134,10 @@ DEFAULT_SU_FLAGS = get_config(p, DEFAULTS, 'su_flags', 'ANSIBLE_SU_FLAG
|
||||||
DEFAULT_SU_USER = get_config(p, DEFAULTS, 'su_user', 'ANSIBLE_SU_USER', 'root')
|
DEFAULT_SU_USER = get_config(p, DEFAULTS, 'su_user', 'ANSIBLE_SU_USER', 'root')
|
||||||
DEFAULT_ASK_SU_PASS = get_config(p, DEFAULTS, 'ask_su_pass', 'ANSIBLE_ASK_SU_PASS', False, boolean=True)
|
DEFAULT_ASK_SU_PASS = get_config(p, DEFAULTS, 'ask_su_pass', 'ANSIBLE_ASK_SU_PASS', False, boolean=True)
|
||||||
DEFAULT_GATHERING = get_config(p, DEFAULTS, 'gathering', 'ANSIBLE_GATHERING', 'implicit').lower()
|
DEFAULT_GATHERING = get_config(p, DEFAULTS, 'gathering', 'ANSIBLE_GATHERING', 'implicit').lower()
|
||||||
DEFAULT_LOG_PATH = shell_expand_path(get_config(p, DEFAULTS, 'log_path', 'ANSIBLE_LOG_PATH', ''))
|
DEFAULT_LOG_PATH = shell_expand_path(get_config(p, DEFAULTS, 'log_path', 'ANSIBLE_LOG_PATH', ''))
|
||||||
|
|
||||||
|
# selinux
|
||||||
|
DEFAULT_SELINUX_SPECIAL_FS = get_config(p, 'selinux', 'special_context_filesystems', None, 'fuse, nfs, vboxsf', islist=True)
|
||||||
|
|
||||||
#TODO: get rid of ternary chain mess
|
#TODO: get rid of ternary chain mess
|
||||||
BECOME_METHODS = ['sudo','su','pbrun','pfexec','runas']
|
BECOME_METHODS = ['sudo','su','pbrun','pfexec','runas']
|
||||||
|
|
|
@ -36,7 +36,7 @@ class Inventory(object):
|
||||||
Host inventory for ansible.
|
Host inventory for ansible.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
__slots__ = [ 'host_list', 'groups', '_restriction', '_also_restriction', '_subset',
|
__slots__ = [ 'host_list', 'groups', '_restriction', '_also_restriction', '_subset',
|
||||||
'parser', '_vars_per_host', '_vars_per_group', '_hosts_cache', '_groups_list',
|
'parser', '_vars_per_host', '_vars_per_group', '_hosts_cache', '_groups_list',
|
||||||
'_pattern_cache', '_vault_password', '_vars_plugins', '_playbook_basedir']
|
'_pattern_cache', '_vault_password', '_vars_plugins', '_playbook_basedir']
|
||||||
|
|
||||||
|
@ -53,7 +53,7 @@ class Inventory(object):
|
||||||
self._vars_per_host = {}
|
self._vars_per_host = {}
|
||||||
self._vars_per_group = {}
|
self._vars_per_group = {}
|
||||||
self._hosts_cache = {}
|
self._hosts_cache = {}
|
||||||
self._groups_list = {}
|
self._groups_list = {}
|
||||||
self._pattern_cache = {}
|
self._pattern_cache = {}
|
||||||
|
|
||||||
# to be set by calling set_playbook_basedir by playbook code
|
# to be set by calling set_playbook_basedir by playbook code
|
||||||
|
|
|
@ -33,6 +33,8 @@ REPLACER_ARGS = "\"<<INCLUDE_ANSIBLE_MODULE_ARGS>>\""
|
||||||
REPLACER_COMPLEX = "\"<<INCLUDE_ANSIBLE_MODULE_COMPLEX_ARGS>>\""
|
REPLACER_COMPLEX = "\"<<INCLUDE_ANSIBLE_MODULE_COMPLEX_ARGS>>\""
|
||||||
REPLACER_WINDOWS = "# POWERSHELL_COMMON"
|
REPLACER_WINDOWS = "# POWERSHELL_COMMON"
|
||||||
REPLACER_VERSION = "\"<<ANSIBLE_VERSION>>\""
|
REPLACER_VERSION = "\"<<ANSIBLE_VERSION>>\""
|
||||||
|
REPLACER_SELINUX = "<<SELINUX_SPECIAL_FILESYSTEMS>>"
|
||||||
|
|
||||||
|
|
||||||
class ModuleReplacer(object):
|
class ModuleReplacer(object):
|
||||||
|
|
||||||
|
@ -41,14 +43,14 @@ class ModuleReplacer(object):
|
||||||
transfer. Rather than doing classical python imports, this allows for more
|
transfer. Rather than doing classical python imports, this allows for more
|
||||||
efficient transfer in a no-bootstrapping scenario by not moving extra files
|
efficient transfer in a no-bootstrapping scenario by not moving extra files
|
||||||
over the wire, and also takes care of embedding arguments in the transferred
|
over the wire, and also takes care of embedding arguments in the transferred
|
||||||
modules.
|
modules.
|
||||||
|
|
||||||
This version is done in such a way that local imports can still be
|
This version is done in such a way that local imports can still be
|
||||||
used in the module code, so IDEs don't have to be aware of what is going on.
|
used in the module code, so IDEs don't have to be aware of what is going on.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
|
|
||||||
from ansible.module_utils.basic import *
|
from ansible.module_utils.basic import *
|
||||||
|
|
||||||
... will result in the insertion basic.py into the module
|
... will result in the insertion basic.py into the module
|
||||||
|
|
||||||
|
@ -94,7 +96,7 @@ class ModuleReplacer(object):
|
||||||
module_style = 'new'
|
module_style = 'new'
|
||||||
elif 'WANT_JSON' in module_data:
|
elif 'WANT_JSON' in module_data:
|
||||||
module_style = 'non_native_want_json'
|
module_style = 'non_native_want_json'
|
||||||
|
|
||||||
output = StringIO()
|
output = StringIO()
|
||||||
lines = module_data.split('\n')
|
lines = module_data.split('\n')
|
||||||
snippet_names = []
|
snippet_names = []
|
||||||
|
@ -167,6 +169,7 @@ class ModuleReplacer(object):
|
||||||
|
|
||||||
# these strings should be part of the 'basic' snippet which is required to be included
|
# these strings should be part of the 'basic' snippet which is required to be included
|
||||||
module_data = module_data.replace(REPLACER_VERSION, repr(__version__))
|
module_data = module_data.replace(REPLACER_VERSION, repr(__version__))
|
||||||
|
module_data = module_data.replace(REPLACER_SELINUX, ','.join(C.DEFAULT_SELINUX_SPECIAL_FS))
|
||||||
module_data = module_data.replace(REPLACER_ARGS, encoded_args)
|
module_data = module_data.replace(REPLACER_ARGS, encoded_args)
|
||||||
module_data = module_data.replace(REPLACER_COMPLEX, encoded_complex)
|
module_data = module_data.replace(REPLACER_COMPLEX, encoded_complex)
|
||||||
|
|
||||||
|
|
|
@ -38,6 +38,8 @@ BOOLEANS_TRUE = ['yes', 'on', '1', 'true', 1]
|
||||||
BOOLEANS_FALSE = ['no', 'off', '0', 'false', 0]
|
BOOLEANS_FALSE = ['no', 'off', '0', 'false', 0]
|
||||||
BOOLEANS = BOOLEANS_TRUE + BOOLEANS_FALSE
|
BOOLEANS = BOOLEANS_TRUE + BOOLEANS_FALSE
|
||||||
|
|
||||||
|
SELINUX_SPECIAL_FS="<<SELINUX_SPECIAL_FILESYSTEMS>>"
|
||||||
|
|
||||||
# ansible modules can be written in any language. To simplify
|
# ansible modules can be written in any language. To simplify
|
||||||
# development of Python modules, the functions available here
|
# development of Python modules, the functions available here
|
||||||
# can be inserted in any module source automatically by including
|
# can be inserted in any module source automatically by including
|
||||||
|
@ -528,10 +530,10 @@ class AnsibleModule(object):
|
||||||
path = os.path.dirname(path)
|
path = os.path.dirname(path)
|
||||||
return path
|
return path
|
||||||
|
|
||||||
def is_nfs_path(self, path):
|
def is_special_selinux_path(self, path):
|
||||||
"""
|
"""
|
||||||
Returns a tuple containing (True, selinux_context) if the given path
|
Returns a tuple containing (True, selinux_context) if the given path is on a
|
||||||
is on a NFS mount point, otherwise the return will be (False, None).
|
NFS or other 'special' fs mount point, otherwise the return will be (False, None).
|
||||||
"""
|
"""
|
||||||
try:
|
try:
|
||||||
f = open('/proc/mounts', 'r')
|
f = open('/proc/mounts', 'r')
|
||||||
|
@ -542,9 +544,13 @@ class AnsibleModule(object):
|
||||||
path_mount_point = self.find_mount_point(path)
|
path_mount_point = self.find_mount_point(path)
|
||||||
for line in mount_data:
|
for line in mount_data:
|
||||||
(device, mount_point, fstype, options, rest) = line.split(' ', 4)
|
(device, mount_point, fstype, options, rest) = line.split(' ', 4)
|
||||||
if path_mount_point == mount_point and 'nfs' in fstype:
|
|
||||||
nfs_context = self.selinux_context(path_mount_point)
|
if path_mount_point == mount_point:
|
||||||
return (True, nfs_context)
|
for fs in SELINUX_SPECIAL_FS.split(','):
|
||||||
|
if fs in fstype:
|
||||||
|
special_context = self.selinux_context(path_mount_point)
|
||||||
|
return (True, special_context)
|
||||||
|
|
||||||
return (False, None)
|
return (False, None)
|
||||||
|
|
||||||
def set_default_selinux_context(self, path, changed):
|
def set_default_selinux_context(self, path, changed):
|
||||||
|
@ -562,9 +568,9 @@ class AnsibleModule(object):
|
||||||
# Iterate over the current context instead of the
|
# Iterate over the current context instead of the
|
||||||
# argument context, which may have selevel.
|
# argument context, which may have selevel.
|
||||||
|
|
||||||
(is_nfs, nfs_context) = self.is_nfs_path(path)
|
(is_special_se, sp_context) = self.is_special_selinux_path(path)
|
||||||
if is_nfs:
|
if is_special_se:
|
||||||
new_context = nfs_context
|
new_context = sp_context
|
||||||
else:
|
else:
|
||||||
for i in range(len(cur_context)):
|
for i in range(len(cur_context)):
|
||||||
if len(context) > i:
|
if len(context) > i:
|
||||||
|
|
Loading…
Reference in a new issue