Example #1
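    def _compile(self, args, executable, env):
        """Run the compiler under the COMPILE_LEVEL SELinux contexts.

        The source is first copied in at COMPILE_LEVEL, then the compiler
        is started with the COMPILE_LEVEL exec and file-creation contexts.
        After it exits, the working directory and (on success) the build
        target are relabelled for RUN_LEVEL.

        Args:
            args: argument vector passed to Popen.
            executable: program to execute, passed to Popen.
            env: environment for the child process.

        Returns:
            ``(code, output)`` when the compiler exits with a status other
            than EX_OK, where ``output`` is the child's captured output;
            ``(code,)`` on success.
        """
        self._copy_src(self.COMPILE_LEVEL)

        with open("/dev/null", "r") as stdin:
            try:
                setfscreatecon(self.filecon(self.COMPILE_LEVEL))
                setexeccon(self.execcon(self.COMPILE_LEVEL))
                p = Popen(
                    args, bufsize=-1, executable=executable,
                    stdin=stdin, stdout=PIPE, stderr=STDOUT,
                    close_fds=True, cwd=self._tempdir, env=env)
            finally:
                # Always drop the temporary contexts, even when Popen (or
                # one of the setters) raises. Otherwise a later exec or
                # file creation in this process would silently inherit
                # the COMPILE_LEVEL label.
                try:
                    setexeccon(None)
                finally:
                    setfscreatecon(None)

        stdout = p.communicate()[0]
        code = p.wait()

        # The directory is relabelled for the run stage whether or not the
        # compilation succeeded.
        setfilecon(self._tempdir, self.filecon(self.RUN_LEVEL))

        if code != EX_OK:
            return (code, stdout)

        # Only a successful build has a target file to relabel.
        setfilecon(
            join(self._tempdir, self.target_filename),
            self.filecon(self.RUN_LEVEL))

        return (code,)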
Example #2
    def selinux_role(self):
        """Re-execute this process under the rpm_t SELinux type if needed.

        Must be called at the very beginning of the process: whenever the
        context has to change, the interpreter is re-executed with the
        same arguments, so nothing after this call runs in the old
        process image.

        The original author likens the effect to::

            # chcon -t rpm_exec_t executable.py

        It is done dynamically because this class is used at bootstrap
        stage, where persistent SELinux policy changes are not an option
        and it is unknown whether the filesystem holding the scripts
        supports extended attributes or whether the current role is
        allowed to run chcon.

        Raises:
            Exception: if the current context cannot be read or copied,
                one of its fields cannot be changed, or the exec context
                cannot be set.

        NOTE(review): nothing visible here bounds the number of
        re-executions. If the re-executed process does not end up with
        type rpm_t, the same check fires again; confirm that the policy
        or the caller rules this out.
        """

        def _restart():
            # Replace the process image with a fresh interpreter running
            # the same command line. os.execv does not return on success,
            # so os._exit(1) is only a defensive backstop.
            self._sink.reexec()
            os.execv(sys.executable, [sys.executable] + sys.argv)
            os._exit(1)

        try:
            import selinux
        except ImportError:
            with self.transaction():
                self.install(['libselinux-python'])
                if self.buildTransaction():
                    self.processTransaction()
            # On fedora-18, for example, installing the bindings also
            # updates the selinux core, and symbol resolution then fails
            # in the running process. Re-executing after the installation
            # works around that.
            _restart()

        if not selinux.is_selinux_enabled():
            return

        rc, current = selinux.getcon()
        if rc != 0:
            raise Exception(_('Cannot get selinux context'))

        context = selinux.context_new(current)
        if not context:
            raise Exception(_('Cannot create selinux context'))

        # Already running with the wanted type: nothing to do.
        if selinux.context_type_get(context) == 'rpm_t':
            return

        if selinux.context_type_set(context, 'rpm_t') != 0:
            raise Exception(_('Cannot set type within selinux context'))
        if selinux.context_role_set(context, 'system_r') != 0:
            raise Exception(_('Cannot set role within selinux context'))
        if selinux.context_user_set(context, 'unconfined_u') != 0:
            raise Exception(_('Cannot set user within selinux context'))

        # The exec context only takes effect at the next exec, which is
        # why the process is restarted immediately afterwards.
        if selinux.setexeccon(selinux.context_str(context)) != 0:
            raise Exception(_('Cannot set selinux exec context'))
        _restart()
Example #3
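    def _spawn(self, stdin, stdout, stderr,
               time_limit=None, rss_limit=None, vm_limit=None):
        """Start the run-stage program under the RUN_LEVEL exec context.

        Args:
            stdin, stdout, stderr: stream arguments handed through to
                PTracedProcess.
            time_limit, rss_limit, vm_limit: resource limits handed
                through to PTracedProcess; None is passed through as-is.

        Returns:
            The PTracedProcess instance that was created.
        """
        setexeccon(self.execcon(self.RUN_LEVEL))
        try:
            return PTracedProcess(
                self.run_args,
                executable=self.EXECUTABLE_PATH,
                stdin=stdin,
                stdout=stdout,
                stderr=stderr,
                cwd=self._tempdir,
                env=self.run_env,
                time_limit=time_limit,
                rss_limit=rss_limit,
                vm_limit=vm_limit)
        finally:
            # Reset the exec context even when process creation raises, so
            # that an unrelated exec made later by this process does not
            # run with the RUN_LEVEL label.
            setexeccon(None)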
Example #4
    def selinux_role(self):
        """Re-execute this process under the system_r SELinux role if needed.

        Must be called at the very beginning of the process: whenever the
        context has to change, the interpreter is re-executed with the
        same arguments, so nothing after this call runs in the old
        process image.

        The original author likens the effect to::

            # chcon -t rpm_exec_t executable.py

        although the code below only changes the role, not the type.

        It is done dynamically because this class is used at bootstrap
        stage, where persistent SELinux policy changes are not an option
        and it is unknown whether the filesystem holding the scripts
        supports extended attributes or whether the current role is
        allowed to run chcon.

        Raises:
            Exception: if the current context cannot be read or copied,
                the role cannot be changed, or the exec context cannot
                be set.

        NOTE(review): nothing visible here bounds the number of
        re-executions. If the re-executed process does not end up with
        role system_r, the same check fires again; confirm that the
        policy or the caller rules this out.
        """

        def _restart():
            # Replace the process image with a fresh interpreter running
            # the same command line. os.execv does not return on success,
            # so os._exit(1) is only a defensive backstop.
            self._sink.reexec()
            os.execv(sys.executable, [sys.executable] + sys.argv)
            os._exit(1)

        try:
            import selinux
        except ImportError:
            with self.transaction():
                self.install(['libselinux-python'])
                if self.buildTransaction():
                    self.processTransaction()
            # On fedora-18, for example, installing the bindings also
            # updates the selinux core, and symbol resolution then fails
            # in the running process. Re-executing after the installation
            # works around that.
            _restart()

        if not selinux.is_selinux_enabled():
            return

        rc, current = selinux.getcon()
        if rc != 0:
            raise Exception(_('Cannot get selinux context'))

        context = selinux.context_new(current)
        if not context:
            raise Exception(_('Cannot create selinux context'))

        # Already running with the wanted role: nothing to do.
        if selinux.context_role_get(context) == 'system_r':
            return

        if selinux.context_role_set(context, 'system_r') != 0:
            raise Exception(
                _('Cannot set role within selinux context')
            )

        # The exec context only takes effect at the next exec, which is
        # why the process is restarted immediately afterwards.
        if selinux.setexeccon(selinux.context_str(context)) != 0:
            raise Exception(
                _('Cannot set selinux exec context')
            )
        _restart()
def setexec(ctx="\n"):
	"""Set the SELinux context to be used for the next exec().

	The context is encoded with the 'content' encoding before it is
	handed to selinux.setexeccon(). A negative return value counts as
	failure: OSError is raised when security_getenforce() reports 1,
	otherwise the failure is only written out via portage.writemsg()
	and the function returns normally.

	NOTE(review): the non-raising branch is taken for every
	security_getenforce() result other than 1, so the caller then
	proceeds without the requested context; confirm this is intended
	for results that are neither 0 nor 1.
	NOTE(review): the default argument is a bare newline; presumably
	that is how callers reset the exec context - confirm.
	"""
	content_encoding = _encodings['content']
	encoded = _unicode_encode(ctx, encoding=content_encoding, errors='strict')
	if selinux.setexeccon(encoded) >= 0:
		return

	# Decode leniently: the value is only used for the message below.
	readable = _unicode_decode(encoded, encoding=content_encoding,
		errors='replace')
	enforcing = selinux.security_getenforce() == 1
	failure = _("Failed setting exec() context \"%s\".") % readable
	if enforcing:
		raise OSError(failure)
	portage.writemsg("!!! " + failure, noiselevel=-1)
Example #6
def setexec(ctx="\n"):
    """Set the SELinux context to be used for the next exec().

    The context is encoded with the 'content' encoding and passed to
    selinux.setexeccon(). When that returns a negative value, OSError is
    raised if security_getenforce() reports 1; in every other case the
    failure is only reported through portage.writemsg() and the function
    returns normally.

    NOTE(review): because only a result of exactly 1 raises, a caller
    cannot tell from the return value that the context was not applied;
    confirm this fail-open behaviour is intended.
    NOTE(review): the default argument is a bare newline; presumably
    that is how callers reset the exec context - confirm.
    """
    raw_ctx = _unicode_encode(
        ctx, encoding=_encodings['content'], errors='strict')
    status = selinux.setexeccon(raw_ctx)
    if status < 0:
        # errors='replace' keeps message formatting from failing on a
        # context that does not decode cleanly.
        shown = _unicode_decode(
            raw_ctx, encoding=_encodings['content'], errors='replace')
        if selinux.security_getenforce() == 1:
            raise OSError(_("Failed setting exec() context \"%s\".") % shown)
        warning = "!!! " + _("Failed setting exec() context \"%s\".") % shown
        portage.writemsg(warning, noiselevel=-1)
Example #7
def setexec(ctx="\n"):
    """Set the SELinux context to be used for the next exec().

    Both failure styles of selinux.setexeccon() are handled: an OSError
    raised by the call, and a negative return value. In either case an
    OSError is raised when security_getenforce() reports 1; otherwise
    the failure is only reported through portage.writemsg() and the
    function returns normally.

    NOTE(review): the non-raising branches are taken for every
    security_getenforce() result other than 1, so the caller then
    proceeds without the requested context; confirm this is intended.
    NOTE(review): the default argument is a bare newline; presumably
    that is how callers reset the exec context - confirm.
    """
    native_ctx = _native_string(
        ctx, encoding=_encodings['content'], errors='strict')

    try:
        status = selinux.setexeccon(native_ctx)
    except OSError:
        # Treat the call as "no negative status" so the return-code
        # check further down is skipped after this branch has reported.
        status = 0
        denied = _("Failed to set new SELinux execution context. "
                   "Is your current SELinux context allowed to run Portage?")
        if selinux.security_getenforce() == 1:
            raise OSError(denied)
        portage.writemsg("!!! %s\n" % denied, noiselevel=-1)

    if status >= 0:
        return

    enforcing = selinux.security_getenforce() == 1
    failure = _("Failed setting exec() context \"%s\".") % native_ctx
    if enforcing:
        raise OSError(failure)
    portage.writemsg("!!! " + failure, noiselevel=-1)