def semanage_fcontext_delete(module, result, target, ftype, do_reload, sestore=''): ''' Delete SELinux file context mapping definition from the policy. ''' changed = False prepared_diff = '' try: sefcontext = seobject.fcontextRecords(sestore) sefcontext.set_reload(do_reload) exists = semanage_fcontext_exists(sefcontext, target, ftype) if exists: # Remove existing entry orig_seuser, orig_serole, orig_setype, orig_serange = exists if not module.check_mode: sefcontext.delete(target, ftype) changed = True if module._diff: prepared_diff += '# Deletion to semanage file context mappings\n' prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, exists[0], exists[1], exists[2], exists[3]) except Exception: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e))) if module._diff and prepared_diff: result['diff'] = dict(prepared=prepared_diff) module.exit_json(changed=changed, **result)
def semanage_fcontext_delete(module, result, target, ftype, do_reload, sestore=''): ''' Delete SELinux file context mapping definition from the policy. ''' changed = False prepared_diff = '' try: sefcontext = seobject.fcontextRecords(sestore) sefcontext.set_reload(do_reload) exists = semanage_fcontext_exists(sefcontext, target, ftype) if exists: # Remove existing entry orig_seuser, orig_serole, orig_setype, orig_serange = exists if not module.check_mode: sefcontext.delete(target, ftype) changed = True if module._diff: prepared_diff += '# Deletion to semanage file context mappings\n' prepared_diff += '-%s %s %s:%s:%s:%s\n' % ( target, ftype, exists[0], exists[1], exists[2], exists[3]) except Exception as e: module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e))) if module._diff and prepared_diff: result['diff'] = dict(prepared=prepared_diff) module.exit_json(changed=changed, **result)
def semanage_fcontext_modify(module, result, target, ftype, setype, do_reload, serange, seuser, sestore=''): ''' Add or modify SELinux file context mapping definition to the policy. ''' changed = False prepared_diff = '' try: sefcontext = seobject.fcontextRecords(sestore) sefcontext.set_reload(do_reload) exists = semanage_fcontext_exists(sefcontext, target, ftype) if exists: # Modify existing entry orig_seuser, orig_serole, orig_setype, orig_serange = exists if seuser is None: seuser = orig_seuser if serange is None: serange = orig_serange if setype != orig_setype or seuser != orig_seuser or serange != orig_serange: if not module.check_mode: sefcontext.modify(target, setype, ftype, serange, seuser) changed = True if module._diff: prepared_diff += '# Change to semanage file context mappings\n' prepared_diff += '-%s %s %s:%s:%s:%s\n' % ( target, ftype, orig_seuser, orig_serole, orig_setype, orig_serange) prepared_diff += '+%s %s %s:%s:%s:%s\n' % ( target, ftype, seuser, orig_serole, setype, serange) else: # Add missing entry if seuser is None: seuser = '******' if serange is None: serange = 's0' if not module.check_mode: sefcontext.add(target, setype, ftype, serange, seuser) changed = True if module._diff: prepared_diff += '# Addition to semanage file context mappings\n' prepared_diff += '+%s %s %s:%s:%s:%s\n' % ( target, ftype, seuser, 'object_r', setype, serange) except Exception, e: module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_bytes(e)))
def semanage_fcontext_modify(module, result, target, ftype, setype, do_reload, serange, seuser, sestore=''): ''' Add or modify SELinux file context mapping definition to the policy. ''' changed = False prepared_diff = '' try: sefcontext = seobject.fcontextRecords(sestore) sefcontext.set_reload(do_reload) exists = semanage_fcontext_exists(sefcontext, target, ftype) if exists: # Modify existing entry orig_seuser, orig_serole, orig_setype, orig_serange = exists if seuser is None: seuser = orig_seuser if serange is None: serange = orig_serange if setype != orig_setype or seuser != orig_seuser or serange != orig_serange: if not module.check_mode: sefcontext.modify(target, setype, ftype, serange, seuser) changed = True if module._diff: prepared_diff += '# Change to semanage file context mappings\n' prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, orig_seuser, orig_serole, orig_setype, orig_serange) prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, orig_serole, setype, serange) else: # Add missing entry if seuser is None: seuser = '******' if serange is None: serange = 's0' if not module.check_mode: sefcontext.add(target, setype, ftype, serange, seuser) changed = True if module._diff: prepared_diff += '# Addition to semanage file context mappings\n' prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, 'object_r', setype, serange) except Exception: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e))) if module._diff and prepared_diff: result['diff'] = dict(prepared=prepared_diff) module.exit_json(changed=changed, seuser=seuser, serange=serange, **result)
def __init__(self, domain, target, perms, klass): rule_manager = SEPolicyRules(source=domain, target=target, perms=perms, klass=klass) context_matcher = FileContextMatcher() context_map = fcontextRecords().get_all() for ((pattern, target_type), attr) in context_map.items(): if attr == None: continue (user, role, domain, level) = attr if rule_manager.has_rule_with(domain, target_type): context_matcher.add(pattern, target_type, attr) self.matcher = context_matcher self.rules = rule_manager
def load(self, filter=""): self.filter = filter self.fcontext = seobject.fcontextRecords() self.store.clear() fcon_dict = self.fcontext.get_all(self.local) for k in sorted(fcon_dict.keys()): if not self.match(fcon_dict, k, filter): continue iter = self.store.append() self.store.set_value(iter, SPEC_COL, k[0]) self.store.set_value(iter, FTYPE_COL, k[1]) if fcon_dict[k]: rec = "%s:%s" % (fcon_dict[k][2], seobject.translate(fcon_dict[k][3], False)) else: rec = "<<None>>" self.store.set_value(iter, TYPE_COL, rec) self.view.get_selection().select_path((0,))
def spawn(self, deployer): if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping SELinux setup') return if not selinux.is_selinux_enabled() or seobject is None: logger.info('SELinux disabled') return logger.info('Creating SELinux contexts') # A maximum of 10 tries to create the SELinux contexts counter = 0 max_tries = 10 while True: try: # check first if any transactions are required if len(ports) == 0 and deployer.mdict['pki_instance_name'] == \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: self.restore_context(deployer.mdict) return # add SELinux contexts when adding the first subsystem if len(deployer.instance.tomcat_instance_subsystems()) == 1: trans = seobject.semanageRecords("targeted") trans.start() if deployer.mdict['pki_instance_name'] != \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: fcon = seobject.fcontextRecords(trans) logger.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_path'] + self.suffix, config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "") logger.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_log_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_log_path'] + self.suffix, config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "") logger.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_configuration_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_configuration_path'] + self.suffix, config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "") logger.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_server_database_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_server_database_path'] + self.suffix, config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") port_records = seobject.portRecords(trans) for port in ports: logger.info( "adding selinux port %s", port, extra=config.PKI_INDENTATION_LEVEL_2) port_records.add( port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT) trans.finish() self.restore_context(deployer.mdict) break except ValueError as e: error_message = str(e) logger.error(error_message) if error_message.strip() == \ "Could not start semanage transaction": counter += 1 if counter >= max_tries: raise time.sleep(5) logger.debug("Retrying to setup the selinux context ...") else: raise
def destroy(self, deployer): if not bool(selinux.is_selinux_enabled()): logger.info('SELinux disabled') return logger.info('Removing SELinux contexts') # check first if any transactions are required if (len(ports) == 0 and deployer.mdict['pki_instance_name'] == config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME): return # A maximum of 10 tries to delete the SELinux contexts counter = 1 max_tries = 10 while True: try: # remove SELinux contexts when removing the last subsystem if len(deployer.instance.tomcat_instance_subsystems()) == 0: trans = seobject.semanageRecords("targeted") trans.start() if deployer.mdict['pki_instance_name'] != \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: fcon = seobject.fcontextRecords(trans) logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_path'] + self.suffix, "") logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_log_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_log_path'] + self.suffix, "") logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_configuration_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_configuration_path'] + self.suffix, "") logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_server_database_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_server_database_path'] + self.suffix, "") port_records = seobject.portRecords(trans) for port in ports: logger.info( "deleting selinux port %s", port, extra=config.PKI_INDENTATION_LEVEL_2) port_records.delete(port, "tcp") trans.finish() break except ValueError as e: error_message = str(e) logger.error(error_message) if error_message.strip() == \ "Could not start semanage transaction": counter += 1 if counter >= max_tries: raise time.sleep(5) logger.debug("Retrying to remove selinux context ...") else: raise
def spawn(self, deployer): if config.str2bool(deployer.mdict['pki_skip_installation']): config.pki_log.info(log.SKIP_SELINUX_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) return if not selinux.is_selinux_enabled() or seobject is None: config.pki_log.info(log.SELINUX_DISABLED_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) return config.pki_log.info(log.SELINUX_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # A maximum of 10 tries to create the SELinux contexts counter = 0 max_tries = 10 while True: try: # check first if any transactions are required if len(ports) == 0 and deployer.mdict['pki_instance_name'] == \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: self.restore_context(deployer.mdict) return # add SELinux contexts when adding the first subsystem if len(deployer.instance.tomcat_instance_subsystems()) == 1: trans = seobject.semanageRecords("targeted") trans.start() if deployer.mdict['pki_instance_name'] != \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: fcon = seobject.fcontextRecords(trans) config.pki_log.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_path'] + self.suffix, config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "") config.pki_log.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_log_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_log_path'] + self.suffix, config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "") config.pki_log.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_configuration_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_configuration_path'] + self.suffix, config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "") config.pki_log.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_server_database_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_server_database_path'] + self.suffix, config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") port_records = seobject.portRecords(trans) for port in ports: config.pki_log.info( "adding selinux port %s", port, extra=config.PKI_INDENTATION_LEVEL_2) port_records.add( port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT) trans.finish() self.restore_context(deployer.mdict) break except ValueError as e: error_message = str(e) config.pki_log.debug(error_message) if error_message.strip() == \ "Could not start semanage transaction": counter += 1 if counter >= max_tries: raise time.sleep(5) config.pki_log.debug( "Retrying to setup the selinux context ...") else: raise
def destroy(self, deployer): if not bool(selinux.is_selinux_enabled()): config.pki_log.info(log.SELINUX_DISABLED_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) return config.pki_log.info(log.SELINUX_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # check first if any transactions are required if (len(ports) == 0 and deployer.mdict['pki_instance_name'] == config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME): return # A maximum of 10 tries to delete the SELinux contexts counter = 1 max_tries = 10 while True: try: # remove SELinux contexts when removing the last subsystem if len(deployer.instance.tomcat_instance_subsystems()) == 0: trans = seobject.semanageRecords("targeted") trans.start() if deployer.mdict['pki_instance_name'] != \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: fcon = seobject.fcontextRecords(trans) config.pki_log.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_path'] + self.suffix, "") config.pki_log.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_log_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_log_path'] + self.suffix, "") config.pki_log.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_configuration_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_configuration_path'] + self.suffix, "") config.pki_log.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_server_database_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_server_database_path'] + self.suffix, "") port_records = seobject.portRecords(trans) for port in ports: config.pki_log.info( "deleting selinux port %s", port, extra=config.PKI_INDENTATION_LEVEL_2) port_records.delete(port, "tcp") trans.finish() break except ValueError as e: error_message = str(e) config.pki_log.debug(error_message) if error_message.strip() == \ "Could not start semanage transaction": counter += 1 if counter >= max_tries: raise time.sleep(5) config.pki_log.debug( "Retrying to remove selinux context ...") else: raise
def load_all_contexts(): contexts = fcontextRecords().get_all().items() contexts = map(_init_content, contexts) return contexts
def client(self, cache, job): """Run cache echo command operation. :param cache: Caching object used to template items within a command. :type cache: Object :param job: Information containing the original job specification. :type job: Dictionary :returns: tuple """ if not selinux.is_selinux_enabled(): return (None, "SELinux is not enabled.", True, None) if not AVAILABLE_SELINUX: return ( None, "The required selinux library is not installed", False, None, ) if not AVAILABLE_SEOBJECT: return ( None, "The required seobject library is not installed", False, None, ) target = job["target"] ftype = job.get("ftype") setype = job["setype"] seuser = job.get("seuser") selevel = job.get("selevel") secontext = seobject.fcontextRecords("") secontext.set_reload(job["reload"]) ( existing, orig_seuser, orig_selevel, ) = self.semanage_exists(secontext, target, ftype) if existing: if not seuser: seuser = orig_seuser if not selevel: selevel = orig_selevel secontext.modify(target, setype, ftype, selevel, seuser) else: if not seuser: seuser = "******" if not selevel: selevel = "s0" secontext.add(target, setype, ftype, selevel, seuser) return job["target"], None, True, None
def destroy(self, deployer): if not bool(selinux.is_selinux_enabled()): logger.info('SELinux disabled') return # check first if any transactions are required if (len(ports) == 0 and deployer.mdict['pki_instance_name'] == config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME): return logger.info('Removing SELinux contexts') # A maximum of 10 tries to delete the SELinux contexts max_tries = 10 for counter in range(1, max_tries): try: # remove SELinux contexts when removing the last subsystem if len(deployer.instance.tomcat_instance_subsystems()) == 0: trans = seobject.semanageRecords("targeted") trans.start() if deployer.mdict['pki_instance_name'] != \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: fcon = seobject.fcontextRecords(trans) file_records = fcon.get_all() if self.context_exists(file_records, deployer.mdict['pki_instance_path'] + self.suffix): logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_path'] + self.suffix) fcon.delete( deployer.mdict['pki_instance_path'] + self.suffix, "") if self.context_exists(file_records, deployer.mdict['pki_instance_log_path'] + self.suffix): logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_log_path'] + self.suffix) fcon.delete( deployer.mdict['pki_instance_log_path'] + self.suffix, "") if self.context_exists(file_records, deployer.mdict['pki_instance_configuration_path'] + self.suffix): logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_configuration_path'] + self.suffix) fcon.delete( deployer.mdict['pki_instance_configuration_path'] + self.suffix, "") if self.context_exists(file_records, deployer.mdict['pki_server_database_path'] + self.suffix): logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_server_database_path'] + self.suffix) fcon.delete( deployer.mdict['pki_server_database_path'] + self.suffix, "") port_records = seobject.portRecords(trans) port_record_values = port_records.get_all() for port in ports: if self.context_exists(port_record_values, port): logger.info("deleting selinux port %s", port) port_records.delete(port, "tcp") trans.finish() break except ValueError as e: error_message = str(e) logger.error(error_message) if error_message.strip() == \ "Could not start semanage transaction": if counter >= max_tries: raise time.sleep(5) logger.debug("Retrying to remove selinux context ...") else: raise