def semanage_fcontext_delete(module, result, target, ftype, do_reload, sestore=''):
''' Delete SELinux file context mapping definition from the policy. '''
changed = False
prepared_diff = ''
try:
sefcontext = seobject.fcontextRecords(sestore)
sefcontext.set_reload(do_reload)
exists = semanage_fcontext_exists(sefcontext, target, ftype)
if exists:
# Remove existing entry
orig_seuser, orig_serole, orig_setype, orig_serange = exists
if not module.check_mode:
sefcontext.delete(target, ftype)
changed = True
if module._diff:
prepared_diff += '# Deletion to semanage file context mappings\n'
prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, exists[0], exists[1], exists[2], exists[3])
except Exception:
e = get_exception()
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))
if module._diff and prepared_diff:
result['diff'] = dict(prepared=prepared_diff)
module.exit_json(changed=changed, **result)
def semanage_fcontext_delete(module,
result,
target,
ftype,
do_reload,
sestore=''):
''' Delete SELinux file context mapping definition from the policy. '''
changed = False
prepared_diff = ''
try:
sefcontext = seobject.fcontextRecords(sestore)
sefcontext.set_reload(do_reload)
exists = semanage_fcontext_exists(sefcontext, target, ftype)
if exists:
# Remove existing entry
orig_seuser, orig_serole, orig_setype, orig_serange = exists
if not module.check_mode:
sefcontext.delete(target, ftype)
changed = True
if module._diff:
prepared_diff += '# Deletion to semanage file context mappings\n'
prepared_diff += '-%s %s %s:%s:%s:%s\n' % (
target, ftype, exists[0], exists[1], exists[2], exists[3])
except Exception as e:
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))
if module._diff and prepared_diff:
result['diff'] = dict(prepared=prepared_diff)
module.exit_json(changed=changed, **result)
def semanage_fcontext_modify(module,
result,
target,
ftype,
setype,
do_reload,
serange,
seuser,
sestore=''):
''' Add or modify SELinux file context mapping definition to the policy. '''
changed = False
prepared_diff = ''
try:
sefcontext = seobject.fcontextRecords(sestore)
sefcontext.set_reload(do_reload)
exists = semanage_fcontext_exists(sefcontext, target, ftype)
if exists:
# Modify existing entry
orig_seuser, orig_serole, orig_setype, orig_serange = exists
if seuser is None:
seuser = orig_seuser
if serange is None:
serange = orig_serange
if setype != orig_setype or seuser != orig_seuser or serange != orig_serange:
if not module.check_mode:
sefcontext.modify(target, setype, ftype, serange, seuser)
changed = True
if module._diff:
prepared_diff += '# Change to semanage file context mappings\n'
prepared_diff += '-%s %s %s:%s:%s:%s\n' % (
target, ftype, orig_seuser, orig_serole, orig_setype,
orig_serange)
prepared_diff += '+%s %s %s:%s:%s:%s\n' % (
target, ftype, seuser, orig_serole, setype, serange)
else:
# Add missing entry
if seuser is None:
seuser = '******'
if serange is None:
serange = 's0'
if not module.check_mode:
sefcontext.add(target, setype, ftype, serange, seuser)
changed = True
if module._diff:
prepared_diff += '# Addition to semanage file context mappings\n'
prepared_diff += '+%s %s %s:%s:%s:%s\n' % (
target, ftype, seuser, 'object_r', setype, serange)
except Exception, e:
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_bytes(e)))
def semanage_fcontext_modify(module, result, target, ftype, setype, do_reload, serange, seuser, sestore=''):
''' Add or modify SELinux file context mapping definition to the policy. '''
changed = False
prepared_diff = ''
try:
sefcontext = seobject.fcontextRecords(sestore)
sefcontext.set_reload(do_reload)
exists = semanage_fcontext_exists(sefcontext, target, ftype)
if exists:
# Modify existing entry
orig_seuser, orig_serole, orig_setype, orig_serange = exists
if seuser is None:
seuser = orig_seuser
if serange is None:
serange = orig_serange
if setype != orig_setype or seuser != orig_seuser or serange != orig_serange:
if not module.check_mode:
sefcontext.modify(target, setype, ftype, serange, seuser)
changed = True
if module._diff:
prepared_diff += '# Change to semanage file context mappings\n'
prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, orig_seuser, orig_serole, orig_setype, orig_serange)
prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, orig_serole, setype, serange)
else:
# Add missing entry
if seuser is None:
seuser = '******'
if serange is None:
serange = 's0'
if not module.check_mode:
sefcontext.add(target, setype, ftype, serange, seuser)
changed = True
if module._diff:
prepared_diff += '# Addition to semanage file context mappings\n'
prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, 'object_r', setype, serange)
except Exception:
e = get_exception()
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))
if module._diff and prepared_diff:
result['diff'] = dict(prepared=prepared_diff)
module.exit_json(changed=changed, seuser=seuser, serange=serange, **result)
def __init__(self, domain, target, perms, klass):
rule_manager = SEPolicyRules(source=domain,
target=target,
perms=perms,
klass=klass)
context_matcher = FileContextMatcher()
context_map = fcontextRecords().get_all()
for ((pattern, target_type), attr) in context_map.items():
if attr == None: continue
(user, role, domain, level) = attr
if rule_manager.has_rule_with(domain, target_type):
context_matcher.add(pattern, target_type, attr)
self.matcher = context_matcher
self.rules = rule_manager
def load(self, filter=""):
self.filter = filter
self.fcontext = seobject.fcontextRecords()
self.store.clear()
fcon_dict = self.fcontext.get_all(self.local)
for k in sorted(fcon_dict.keys()):
if not self.match(fcon_dict, k, filter):
continue
iter = self.store.append()
self.store.set_value(iter, SPEC_COL, k[0])
self.store.set_value(iter, FTYPE_COL, k[1])
if fcon_dict[k]:
rec = "%s:%s" % (fcon_dict[k][2], seobject.translate(fcon_dict[k][3], False))
else:
rec = "<<None>>"
self.store.set_value(iter, TYPE_COL, rec)
self.view.get_selection().select_path((0,))
def load(self, filter=""):
self.filter = filter
self.fcontext = seobject.fcontextRecords()
self.store.clear()
fcon_dict = self.fcontext.get_all(self.local)
for k in sorted(fcon_dict.keys()):
if not self.match(fcon_dict, k, filter):
continue
iter = self.store.append()
self.store.set_value(iter, SPEC_COL, k[0])
self.store.set_value(iter, FTYPE_COL, k[1])
if fcon_dict[k]:
rec = "%s:%s" % (fcon_dict[k][2], seobject.translate(fcon_dict[k][3], False))
else:
rec = "<<None>>"
self.store.set_value(iter, TYPE_COL, rec)
self.view.get_selection().select_path((0,))
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping SELinux setup')
return
if not selinux.is_selinux_enabled() or seobject is None:
logger.info('SELinux disabled')
return
logger.info('Creating SELinux contexts')
# A maximum of 10 tries to create the SELinux contexts
counter = 0
max_tries = 10
while True:
try:
# check first if any transactions are required
if len(ports) == 0 and deployer.mdict['pki_instance_name'] == \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
self.restore_context(deployer.mdict)
return
# add SELinux contexts when adding the first subsystem
if len(deployer.instance.tomcat_instance_subsystems()) == 1:
trans = seobject.semanageRecords("targeted")
trans.start()
if deployer.mdict['pki_instance_name'] != \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
fcon = seobject.fcontextRecords(trans)
logger.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_path'] + self.suffix,
config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")
logger.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_log_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_log_path'] +
self.suffix,
config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")
logger.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")
logger.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_server_database_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_server_database_path'] + self.suffix,
config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "")
port_records = seobject.portRecords(trans)
for port in ports:
logger.info(
"adding selinux port %s", port,
extra=config.PKI_INDENTATION_LEVEL_2)
port_records.add(
port, "tcp", "s0",
config.PKI_PORT_SELINUX_CONTEXT)
trans.finish()
self.restore_context(deployer.mdict)
break
except ValueError as e:
error_message = str(e)
logger.error(error_message)
if error_message.strip() == \
"Could not start semanage transaction":
counter += 1
if counter >= max_tries:
raise
time.sleep(5)
logger.debug("Retrying to setup the selinux context ...")
else:
raise
def destroy(self, deployer):
if not bool(selinux.is_selinux_enabled()):
logger.info('SELinux disabled')
return
logger.info('Removing SELinux contexts')
# check first if any transactions are required
if (len(ports) == 0 and deployer.mdict['pki_instance_name'] ==
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME):
return
# A maximum of 10 tries to delete the SELinux contexts
counter = 1
max_tries = 10
while True:
try:
# remove SELinux contexts when removing the last subsystem
if len(deployer.instance.tomcat_instance_subsystems()) == 0:
trans = seobject.semanageRecords("targeted")
trans.start()
if deployer.mdict['pki_instance_name'] != \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
fcon = seobject.fcontextRecords(trans)
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_path'] +
self.suffix, "")
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_log_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_log_path'] +
self.suffix, "")
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_configuration_path'] +
self.suffix, "")
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_server_database_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_server_database_path'] +
self.suffix, "")
port_records = seobject.portRecords(trans)
for port in ports:
logger.info(
"deleting selinux port %s", port,
extra=config.PKI_INDENTATION_LEVEL_2)
port_records.delete(port, "tcp")
trans.finish()
break
except ValueError as e:
error_message = str(e)
logger.error(error_message)
if error_message.strip() == \
"Could not start semanage transaction":
counter += 1
if counter >= max_tries:
raise
time.sleep(5)
logger.debug("Retrying to remove selinux context ...")
else:
raise
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_installation']):
config.pki_log.info(log.SKIP_SELINUX_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
return
if not selinux.is_selinux_enabled() or seobject is None:
config.pki_log.info(log.SELINUX_DISABLED_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
return
config.pki_log.info(log.SELINUX_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# A maximum of 10 tries to create the SELinux contexts
counter = 0
max_tries = 10
while True:
try:
# check first if any transactions are required
if len(ports) == 0 and deployer.mdict['pki_instance_name'] == \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
self.restore_context(deployer.mdict)
return
# add SELinux contexts when adding the first subsystem
if len(deployer.instance.tomcat_instance_subsystems()) == 1:
trans = seobject.semanageRecords("targeted")
trans.start()
if deployer.mdict['pki_instance_name'] != \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
fcon = seobject.fcontextRecords(trans)
config.pki_log.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_path'] + self.suffix,
config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")
config.pki_log.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_log_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_log_path'] +
self.suffix,
config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")
config.pki_log.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")
config.pki_log.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_server_database_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_server_database_path'] + self.suffix,
config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "")
port_records = seobject.portRecords(trans)
for port in ports:
config.pki_log.info(
"adding selinux port %s", port,
extra=config.PKI_INDENTATION_LEVEL_2)
port_records.add(
port, "tcp", "s0",
config.PKI_PORT_SELINUX_CONTEXT)
trans.finish()
self.restore_context(deployer.mdict)
break
except ValueError as e:
error_message = str(e)
config.pki_log.debug(error_message)
if error_message.strip() == \
"Could not start semanage transaction":
counter += 1
if counter >= max_tries:
raise
time.sleep(5)
config.pki_log.debug(
"Retrying to setup the selinux context ...")
else:
raise
def destroy(self, deployer):
if not bool(selinux.is_selinux_enabled()):
config.pki_log.info(log.SELINUX_DISABLED_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
return
config.pki_log.info(log.SELINUX_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# check first if any transactions are required
if (len(ports) == 0 and deployer.mdict['pki_instance_name'] ==
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME):
return
# A maximum of 10 tries to delete the SELinux contexts
counter = 1
max_tries = 10
while True:
try:
# remove SELinux contexts when removing the last subsystem
if len(deployer.instance.tomcat_instance_subsystems()) == 0:
trans = seobject.semanageRecords("targeted")
trans.start()
if deployer.mdict['pki_instance_name'] != \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
fcon = seobject.fcontextRecords(trans)
config.pki_log.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_path'] +
self.suffix, "")
config.pki_log.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_log_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_log_path'] +
self.suffix, "")
config.pki_log.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_configuration_path'] +
self.suffix, "")
config.pki_log.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_server_database_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_server_database_path'] +
self.suffix, "")
port_records = seobject.portRecords(trans)
for port in ports:
config.pki_log.info(
"deleting selinux port %s", port,
extra=config.PKI_INDENTATION_LEVEL_2)
port_records.delete(port, "tcp")
trans.finish()
break
except ValueError as e:
error_message = str(e)
config.pki_log.debug(error_message)
if error_message.strip() == \
"Could not start semanage transaction":
counter += 1
if counter >= max_tries:
raise
time.sleep(5)
config.pki_log.debug(
"Retrying to remove selinux context ...")
else:
raise
def load_all_contexts():
contexts = fcontextRecords().get_all().items()
contexts = map(_init_content, contexts)
return contexts
def client(self, cache, job):
"""Run cache echo command operation.
:param cache: Caching object used to template items within a command.
:type cache: Object
:param job: Information containing the original job specification.
:type job: Dictionary
:returns: tuple
"""
if not selinux.is_selinux_enabled():
return (None, "SELinux is not enabled.", True, None)
if not AVAILABLE_SELINUX:
return (
None,
"The required selinux library is not installed",
False,
None,
)
if not AVAILABLE_SEOBJECT:
return (
None,
"The required seobject library is not installed",
False,
None,
)
target = job["target"]
ftype = job.get("ftype")
setype = job["setype"]
seuser = job.get("seuser")
selevel = job.get("selevel")
secontext = seobject.fcontextRecords("")
secontext.set_reload(job["reload"])
(
existing,
orig_seuser,
orig_selevel,
) = self.semanage_exists(secontext, target, ftype)
if existing:
if not seuser:
seuser = orig_seuser
if not selevel:
selevel = orig_selevel
secontext.modify(target, setype, ftype, selevel, seuser)
else:
if not seuser:
seuser = "******"
if not selevel:
selevel = "s0"
secontext.add(target, setype, ftype, selevel, seuser)
return job["target"], None, True, None
def destroy(self, deployer):
if not bool(selinux.is_selinux_enabled()):
logger.info('SELinux disabled')
return
# check first if any transactions are required
if (len(ports) == 0 and deployer.mdict['pki_instance_name'] ==
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME):
return
logger.info('Removing SELinux contexts')
# A maximum of 10 tries to delete the SELinux contexts
max_tries = 10
for counter in range(1, max_tries):
try:
# remove SELinux contexts when removing the last subsystem
if len(deployer.instance.tomcat_instance_subsystems()) == 0:
trans = seobject.semanageRecords("targeted")
trans.start()
if deployer.mdict['pki_instance_name'] != \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
fcon = seobject.fcontextRecords(trans)
file_records = fcon.get_all()
if self.context_exists(file_records,
deployer.mdict['pki_instance_path'] +
self.suffix):
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_path'] + self.suffix)
fcon.delete(
deployer.mdict['pki_instance_path'] +
self.suffix, "")
if self.context_exists(file_records,
deployer.mdict['pki_instance_log_path'] +
self.suffix):
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_log_path'] +
self.suffix)
fcon.delete(
deployer.mdict['pki_instance_log_path'] +
self.suffix, "")
if self.context_exists(file_records,
deployer.mdict['pki_instance_configuration_path'] +
self.suffix):
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_configuration_path'] +
self.suffix)
fcon.delete(
deployer.mdict['pki_instance_configuration_path'] +
self.suffix, "")
if self.context_exists(file_records,
deployer.mdict['pki_server_database_path'] +
self.suffix):
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_server_database_path'] + self.suffix)
fcon.delete(
deployer.mdict['pki_server_database_path'] +
self.suffix, "")
port_records = seobject.portRecords(trans)
port_record_values = port_records.get_all()
for port in ports:
if self.context_exists(port_record_values, port):
logger.info("deleting selinux port %s", port)
port_records.delete(port, "tcp")
trans.finish()
break
except ValueError as e:
error_message = str(e)
logger.error(error_message)
if error_message.strip() == \
"Could not start semanage transaction":
if counter >= max_tries:
raise
time.sleep(5)
logger.debug("Retrying to remove selinux context ...")
else:
raise
