9bab144d06
sefcontext: add support for path substitutions (#5830)
* sefcontext: add path substitution support (#1193)
First commit for feedback, missing docs and tests.
* sefcontext: add documentation
* Add changelog fragment
* Documentation formatting
* Delete extra newline
* pep8 fixes
Fix indentation
* Add version_added to arg docs
* Add examples
* Don't delete non-matching path substitutions
* Add integration tests
* Delete only substitutions if such arg passed
Don't delete existing regular file context mappings if deletion of
a path substitution was requested with the presence of the
`equal` arg - delete only path substitutions in such case.
Path substitutions and regular mappings may overlap.
* Can only add args in minor releases
:(
* Cleanup before tests
* Fix deletion using substitution
Was comparing wrong var.
* Fix test checking wrong var
* Improve args documentation and examples
List the default values for selevel, seuser.
Add example for deleting path substitutions only.
* Add attributes documentation block
Not sure if should add become/delegate/async,
shouldn't those work just like that without any
specific code added for them?
* and fix indentation on attribute block
* Consistent indentation for attributes
Confusing, most plugins indent with 4 spaces.
But some use 2 like the rest of the code, so use 2.
* Add missing ref for attribute block
* Use correct c.g version in doc block
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add full stop to changelog fragment
Co-authored-by: Felix Fontein <felix@fontein.de>
* Streamline documentation
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
* Support limiting deletion to setype
Deleting file context mappings may be limited by
passing setype or equal, if neither arg is passed
then delete either setype/equal mappings that match.
* Change arg name, diff mode output fix
Change arg name from equal to substitute.
Print target = substitute in diff mode same way as
semanage does.
Also put back platform attribute, try to improve
clumsy language in the substitute arg docs.
* Delete even if arg setype not match existing
Test 5 indicates that deletion is supposed to not check that
the arg setype passed when deleting matches the setype
of the mapping to delete.
Delete any mapping that matches target, regardless of
setype arg value.
* Update arg name in tests
* Too eager replacing
Accidentally replaced seobject function names so fix them back
* 4564: Fix invalid setype in doc example
Change from httpd_git_rw_content_t which
does not exist to httpd_sys_rw_content_t
Fixes #4564
* Fix documentation attributes
Additional fragment
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update version_added in docs
Bumping minor to 6.4.0 since it didn't make 6.3.0.
* Add more description to the new arg docs
Try to improve discoverability of the new feature and make it easier to understand without deep SELinux understanding.
* Update platform to Linux in documentation
* Add equal as alias for the new argument
Improve discoverability of the new feature by adding an alias to the new module argument. The argument name "equal" will be easy to find for users who are not familiar with SELinux and who just try to match to the CLI tool `semanage`.
* And add alias argument properly
Previous commit missed actually adding the alias (added to docs only).
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
(cherry picked from commit c8a2ac3a47
)
Co-authored-by: bluikko <14869000+bluikko@users.noreply.github.com>
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright (c) 2016, Dag Wieers (@dagwieers) <dag@wieers.com>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
# Module documentation in ansible-doc YAML form.  The option names below mirror
# the argument_spec built in main(); keep the two in step when adding options.
DOCUMENTATION = r'''
---
module: sefcontext
short_description: Manages SELinux file context mapping definitions
description:
- Manages SELinux file context mapping definitions.
- Similar to the C(semanage fcontext) command.
extends_documentation_fragment:
- community.general.attributes
- community.general.attributes.platform
attributes:
  check_mode:
    support: full
  diff_mode:
    support: full
  platform:
    platforms: linux
options:
  target:
    description:
    - Target path (expression).
    type: str
    required: true
    aliases: [ path ]
  ftype:
    description:
    - The file type that should have SELinux contexts applied.
    - "The following file type options are available:"
    - C(a) for all files,
    - C(b) for block devices,
    - C(c) for character devices,
    - C(d) for directories,
    - C(f) for regular files,
    - C(l) for symbolic links,
    - C(p) for named pipes,
    - C(s) for socket files.
    type: str
    choices: [ a, b, c, d, f, l, p, s ]
    default: a
  setype:
    description:
    - SELinux type for the specified I(target).
    type: str
  substitute:
    description:
    - Path to use to substitute file context(s) for the specified I(target). The context labeling for the I(target) subtree is made equivalent to this path.
    - This is also referred to as SELinux file context equivalence and it implements the C(equal) functionality of the SELinux management tools.
    version_added: 6.4.0
    type: str
    aliases: [ equal ]
  seuser:
    description:
    - SELinux user for the specified I(target).
    - Defaults to C(system_u) for new file contexts and to existing value when modifying file contexts.
    type: str
  selevel:
    description:
    - SELinux range for the specified I(target).
    - Defaults to C(s0) for new file contexts and to existing value when modifying file contexts.
    type: str
    aliases: [ serange ]
  state:
    description:
    - Whether the SELinux file context must be C(absent) or C(present).
    - Specifying C(absent) without either I(setype) or I(substitute) deletes both SELinux type or path substitution mappings that match I(target).
    type: str
    choices: [ absent, present ]
    default: present
  reload:
    description:
    - Reload SELinux policy after commit.
    - Note that this does not apply SELinux file contexts to existing files.
    type: bool
    default: true
  ignore_selinux_state:
    description:
    - Useful for scenarios (chrooted environment) that you can't get the real SELinux state.
    type: bool
    default: false
notes:
- The changes are persistent across reboots.
- I(setype) and I(substitute) are mutually exclusive.
- If I(state=present) then one of I(setype) or I(substitute) is mandatory.
- The M(community.general.sefcontext) module does not modify existing files to the new
  SELinux context(s), so it is advisable to first create the SELinux
  file contexts before creating files, or run C(restorecon) manually
  for the existing files that require the new SELinux file contexts.
- Not applying SELinux fcontexts to existing files is a deliberate
  decision as it would be unclear what reported changes would entail
  to, and there's no guarantee that applying SELinux fcontext does
  not pick up other unrelated prior changes.
requirements:
- libselinux-python
- policycoreutils-python
author:
- Dag Wieers (@dagwieers)
'''

# Examples rendered by ansible-doc.  The final task shows the restorecon step
# that this module deliberately leaves to the user (see the notes above:
# existing files are never relabeled by the module itself).
EXAMPLES = r'''
- name: Allow apache to modify files in /srv/git_repos
  community.general.sefcontext:
    target: '/srv/git_repos(/.*)?'
    setype: httpd_sys_rw_content_t
    state: present

- name: Substitute file contexts for path /srv/containers with /var/lib/containers
  community.general.sefcontext:
    target: /srv/containers
    substitute: /var/lib/containers
    state: present

- name: Delete file context path substitution for /srv/containers
  community.general.sefcontext:
    target: /srv/containers
    substitute: /var/lib/containers
    state: absent

- name: Delete any file context mappings for path /srv/git
  community.general.sefcontext:
    target: /srv/git
    state: absent

- name: Apply new SELinux file context to filesystem
  ansible.builtin.command: restorecon -irv /srv/git_repos
'''

# Nothing beyond the common return values is documented here, although the
# exit_json calls in this module also echo target/ftype/setype/substitute/state
# (the result dict built in main()) and, for state=present, the effective
# seuser/serange after defaulting.
RETURN = r'''
# Default return values
'''

import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.common.text.converters import to_native
# The SELinux bindings are imported lazily-tolerant: a failed import is not
# fatal here, the traceback is kept so that main() can report the missing
# library through missing_required_lib() with something actionable attached.
SELINUX_IMP_ERR = None
try:
    import selinux
except ImportError:
    SELINUX_IMP_ERR = traceback.format_exc()
    HAVE_SELINUX = False
else:
    HAVE_SELINUX = True

SEOBJECT_IMP_ERR = None
try:
    import seobject
except ImportError:
    SEOBJECT_IMP_ERR = traceback.format_exc()
    HAVE_SEOBJECT = False
else:
    HAVE_SEOBJECT = True

# Add missing entries (backward compatible)
# seobject.file_types is keyed by the same one-letter codes the ftype option
# accepts, so the table is extended in place with the full set used here.
if HAVE_SEOBJECT:
    seobject.file_types.update({
        'a': seobject.SEMANAGE_FCONTEXT_ALL,
        'b': seobject.SEMANAGE_FCONTEXT_BLOCK,
        'c': seobject.SEMANAGE_FCONTEXT_CHAR,
        'd': seobject.SEMANAGE_FCONTEXT_DIR,
        'f': seobject.SEMANAGE_FCONTEXT_REG,
        'l': seobject.SEMANAGE_FCONTEXT_LINK,
        'p': seobject.SEMANAGE_FCONTEXT_PIPE,
        's': seobject.SEMANAGE_FCONTEXT_SOCK,
    })

# Make backward compatible
# Spelled-out file type names keyed by the ftype option letter.  These are the
# strings that appear in the keys of fcontextRecords.get_all(), so
# semanage_fcontext_exists() translates through this table before a lookup;
# main() also derives the ftype choices from its keys, so order matters for
# the documented choice list.
option_to_file_type_str = {
    'a': 'all files',
    'b': 'block device',
    'c': 'character device',
    'd': 'directory',
    'f': 'regular file',
    'l': 'symbolic link',
    'p': 'named pipe',
    's': 'socket',
}


def get_runtime_status(ignore_selinux_state=False):
    ''' Report whether SELinux should be treated as enabled on this host.

    When ``ignore_selinux_state`` is exactly ``True`` the real state is not
    queried at all (the documented chroot use case); any other value, truthy
    or not, falls through to ``selinux.is_selinux_enabled()``.
    '''
    if ignore_selinux_state is True:
        return True
    return selinux.is_selinux_enabled()


def semanage_fcontext_exists(sefcontext, target, ftype):
    ''' Get the SELinux file context mapping definition from policy. Return None if it does not exist. '''
    # get_all() keys its records by (target, spelled-out file type) rather than
    # by the one-letter option, so translate ftype through the table first.
    key = (target, option_to_file_type_str[ftype])
    all_records = sefcontext.get_all()
    return all_records.get(key)


def semanage_fcontext_substitute_exists(sefcontext, target):
    ''' Get the SELinux file context path substitution definition from policy. Return None if it does not exist. '''
    # Distribution-level equivalences (equiv_dist) take precedence over the
    # local ones (equiv); the local value is only the fallback.
    local_substitute = sefcontext.equiv.get(target)
    return sefcontext.equiv_dist.get(target, local_substitute)


def semanage_fcontext_modify(module, result, target, ftype, setype, substitute, do_reload, serange, seuser, sestore=''):
    ''' Add or modify SELinux file context mapping definition to the policy.

    Two record kinds are handled, selected by ``substitute``:

    * ``substitute is None``: a regular ``(target, ftype) -> setype`` mapping is
      added, or modified when one already exists and any of setype, seuser or
      serange differs from it;
    * otherwise: a path substitution (equivalence) ``target = substitute`` is
      added, or modified when the existing substitute path differs.

    The seobject call is skipped in check mode but ``changed`` is still set,
    and in diff mode ``result['diff']['prepared']`` receives +/- lines
    describing the change.  The function always finishes the module run: it
    calls ``module.exit_json`` on success or ``module.fail_json`` on any
    exception, neither of which returns to the caller.

    :param module: AnsibleModule; only ``check_mode`` and ``_diff`` are read.
    :param result: dict merged into the exit_json payload; gains ``diff`` in diff mode.
    :param target: path (expression) the record is keyed on.
    :param ftype: one-letter file type key into ``option_to_file_type_str``.
    :param setype: SELinux type for a regular mapping; unused for substitutions.
    :param substitute: equivalence path, or None to handle a regular mapping.
    :param do_reload: handed to ``sefcontext.set_reload``.
    :param serange: SELinux range; None keeps the existing value, or ``s0`` when adding.
    :param seuser: SELinux user; None keeps the existing value, or ``system_u`` when adding.
    :param sestore: passed to ``seobject.fcontextRecords`` (presumably the policy store; '' = default -- TODO confirm).
    '''

    changed = False
    prepared_diff = ''

    try:
        sefcontext = seobject.fcontextRecords(sestore)
        sefcontext.set_reload(do_reload)
        if substitute is None:
            exists = semanage_fcontext_exists(sefcontext, target, ftype)
            if exists:
                # Modify existing entry
                # The role is not a module option; orig_serole is only carried into the diff lines.
                orig_seuser, orig_serole, orig_setype, orig_serange = exists

                # Unspecified user/range keep their current values instead of the add-time defaults.
                if seuser is None:
                    seuser = orig_seuser
                if serange is None:
                    serange = orig_serange

                if setype != orig_setype or seuser != orig_seuser or serange != orig_serange:
                    if not module.check_mode:
                        sefcontext.modify(target, setype, ftype, serange, seuser)
                    changed = True

                    if module._diff:
                        prepared_diff += '# Change to semanage file context mappings\n'
                        prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, orig_seuser, orig_serole, orig_setype, orig_serange)
                        prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, orig_serole, setype, serange)
            else:
                # Add missing entry
                # Defaults match the seuser/selevel documentation.
                if seuser is None:
                    seuser = 'system_u'
                if serange is None:
                    serange = 's0'

                if not module.check_mode:
                    sefcontext.add(target, setype, ftype, serange, seuser)
                changed = True

                if module._diff:
                    # add() is not given a role, so the diff shows a fixed object_r.
                    prepared_diff += '# Addition to semanage file context mappings\n'
                    prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, 'object_r', setype, serange)
        else:
            # NOTE(review): the lookup consults equiv_dist before equiv, so a
            # distribution-shipped equivalence counts as "existing" and is sent
            # to modify_equal(); whether seobject accepts modifying a non-local
            # entry is not visible here -- confirm.
            exists = semanage_fcontext_substitute_exists(sefcontext, target)
            if exists:
                # Modify existing path substitution entry
                orig_substitute = exists

                if substitute != orig_substitute:
                    if not module.check_mode:
                        sefcontext.modify_equal(target, substitute)
                    changed = True

                    if module._diff:
                        prepared_diff += '# Change to semanage file context path substitutions\n'
                        prepared_diff += '-%s = %s\n' % (target, orig_substitute)
                        prepared_diff += '+%s = %s\n' % (target, substitute)
            else:
                # Add missing path substitution entry
                if not module.check_mode:
                    sefcontext.add_equal(target, substitute)
                changed = True
                if module._diff:
                    prepared_diff += '# Addition to semanage file context path substitutions\n'
                    prepared_diff += '+%s = %s\n' % (target, substitute)

    except Exception as e:
        # Any seobject failure ends the run here; the exception class name is
        # included so the user can tell a policy error from a usage error.
        module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))

    if module._diff and prepared_diff:
        result['diff'] = dict(prepared=prepared_diff)

    # seuser/serange are reported after defaulting so the caller sees the
    # effective values; both stay None on the substitution path.
    module.exit_json(changed=changed, seuser=seuser, serange=serange, **result)


def semanage_fcontext_delete(module, result, target, ftype, setype, substitute, do_reload, sestore=''):
    ''' Delete SELinux file context mapping definition from the policy.

    Both record kinds are looked up for ``target`` and removed independently:

    * the regular ``(target, ftype)`` mapping is removed when ``substitute`` is
      None.  ``setype`` is deliberately not compared with the existing mapping,
      so the mapping is deleted whatever type it carries;
    * the path substitution is removed when ``setype`` is None and
      ``substitute`` is either None or equal to the currently configured
      substitute path.

    Passing neither ``setype`` nor ``substitute`` therefore removes both kinds,
    while passing one of them restricts deletion to that kind.  ``changed``
    stays False when nothing matched.  The seobject call is skipped in check
    mode.  The function always finishes the module run via
    ``module.exit_json``, or ``module.fail_json`` on any exception.

    :param module: AnsibleModule; only ``check_mode`` and ``_diff`` are read.
    :param result: dict merged into the exit_json payload; gains ``diff`` in diff mode.
    :param target: path (expression) the records are keyed on.
    :param ftype: one-letter file type key into ``option_to_file_type_str``.
    :param setype: when given, limits deletion to the regular mapping.
    :param substitute: when given, limits deletion to a substitution with this exact path.
    :param do_reload: handed to ``sefcontext.set_reload``.
    :param sestore: passed to ``seobject.fcontextRecords``.
    '''

    changed = False
    prepared_diff = ''

    try:
        sefcontext = seobject.fcontextRecords(sestore)
        sefcontext.set_reload(do_reload)
        exists = semanage_fcontext_exists(sefcontext, target, ftype)
        substitute_exists = semanage_fcontext_substitute_exists(sefcontext, target)
        if exists and substitute is None:
            # Remove existing entry
            # Unpacked for readability only; the diff line below indexes exists directly.
            orig_seuser, orig_serole, orig_setype, orig_serange = exists

            if not module.check_mode:
                sefcontext.delete(target, ftype)
            changed = True

            if module._diff:
                prepared_diff += '# Deletion to semanage file context mappings\n'
                prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, exists[0], exists[1], exists[2], exists[3])
        # Reads as: a substitution exists, no setype was given, and either no
        # substitute was given or the given one matches the configured path.
        if substitute_exists and setype is None and ((substitute is not None and substitute_exists == substitute) or substitute is None):
            # Remove existing path substitution entry
            orig_substitute = substitute_exists

            if not module.check_mode:
                # NOTE(review): the second positional argument is the substitute
                # path, whereas the call above passes ftype in that slot.  This
                # relies on seobject's delete() removing equivalence entries by
                # target alone and ignoring that argument -- confirm against the
                # installed seobject before touching either call.
                sefcontext.delete(target, orig_substitute)
            changed = True

            if module._diff:
                prepared_diff += '# Deletion to semanage file context path substitutions\n'
                prepared_diff += '-%s = %s\n' % (target, orig_substitute)

    except Exception as e:
        # Any seobject failure ends the run here with the exception class in the message.
        module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))

    if module._diff and prepared_diff:
        result['diff'] = dict(prepared=prepared_diff)

    module.exit_json(changed=changed, **result)


def main():
    ''' Module entry point: validate arguments, check the SELinux prerequisites and dispatch on state. '''
    argument_spec = {
        'ignore_selinux_state': {'type': 'bool', 'default': False},
        'target': {'type': 'str', 'required': True, 'aliases': ['path']},
        'ftype': {'type': 'str', 'default': 'a', 'choices': list(option_to_file_type_str)},
        'setype': {'type': 'str'},
        'substitute': {'type': 'str', 'aliases': ['equal']},
        'seuser': {'type': 'str'},
        'selevel': {'type': 'str', 'aliases': ['serange']},
        'state': {'type': 'str', 'default': 'present', 'choices': ['absent', 'present']},
        'reload': {'type': 'bool', 'default': True},
    }
    module = AnsibleModule(
        argument_spec=argument_spec,
        # substitute is exclusive with setype and with the per-mapping
        # attributes ftype/seuser/selevel.
        mutually_exclusive=[
            ('setype', 'substitute'),
            ('substitute', 'ftype'),
            ('substitute', 'seuser'),
            ('substitute', 'selevel'),
        ],
        # state=present needs at least one of setype/substitute.
        required_if=[
            ('state', 'present', ('setype', 'substitute'), True),
        ],
        supports_check_mode=True,
    )

    # The bindings were imported at load time; a missing one is reported here
    # together with the traceback captured back then.
    if not HAVE_SELINUX:
        module.fail_json(msg=missing_required_lib("libselinux-python"), exception=SELINUX_IMP_ERR)
    if not HAVE_SEOBJECT:
        module.fail_json(msg=missing_required_lib("policycoreutils-python"), exception=SEOBJECT_IMP_ERR)

    params = module.params

    if not get_runtime_status(params['ignore_selinux_state']):
        module.fail_json(msg="SELinux is disabled on this host.")

    target = params['target']
    ftype = params['ftype']
    setype = params['setype']
    substitute = params['substitute']
    seuser = params['seuser']
    serange = params['selevel']
    state = params['state']
    do_reload = params['reload']

    # Echoed back verbatim by exit_json in both code paths.
    result = {
        'target': target,
        'ftype': ftype,
        'setype': setype,
        'substitute': substitute,
        'state': state,
    }

    if state == 'present':
        semanage_fcontext_modify(module, result, target, ftype, setype, substitute, do_reload, serange, seuser)
    elif state == 'absent':
        semanage_fcontext_delete(module, result, target, ftype, setype, substitute, do_reload)
    else:
        # Not reachable through argument validation (choices); kept as a guard.
        module.fail_json(msg='Invalid value of argument "state": {0}'.format(state))


# Ansible runs the module as a script; every path through main() ends in
# exit_json() or fail_json(), so nothing is returned to this guard.
if __name__ == '__main__':
    main()