コード例 #1
0
ファイル: SELinux.py プロジェクト: ab/bcfg2
 def Install(self, entries, states):
     # start a transaction
     sr = seobject.semanageRecords("")
     if hasattr(sr, "start"):
         self.logger.debug("Starting SELinux transaction")
         sr.start()
     else:
         self.logger.debug("SELinux transactions not supported; this may " "slow things down considerably")
     Bcfg2.Client.Tools.Tool.Install(self, entries, states)
     if hasattr(sr, "finish"):
         self.logger.debug("Committing SELinux transaction")
         sr.finish()
コード例 #2
0
ファイル: SELinux.py プロジェクト: dikim33/bcfg2
 def Install(self, entries, states):
     # start a transaction
     semanage = seobject.semanageRecords("")
     if hasattr(semanage, "start"):
         self.logger.debug("Starting SELinux transaction")
         semanage.start()
         self.txn = True
     else:
         self.logger.debug("SELinux transactions not supported; this may "
                           "slow things down considerably")
     Bcfg2.Client.Tools.Tool.Install(self, entries, states)
     if hasattr(semanage, "finish"):
         self.logger.debug("Committing SELinux transaction")
         semanage.finish()
         self.txn = False
         for func, arg, kwargs in self.post_txn_queue:
             states[arg] = func(*arg, **kwargs)
コード例 #3
0
 def Install(self, entries, states):
     # start a transaction
     semanage = seobject.semanageRecords("")
     if hasattr(semanage, "start"):
         self.logger.debug("Starting SELinux transaction")
         semanage.start()
         self.txn = True
     else:
         self.logger.debug("SELinux transactions not supported; this may "
                           "slow things down considerably")
     Bcfg2.Client.Tools.Tool.Install(self, entries, states)
     if hasattr(semanage, "finish"):
         self.logger.debug("Committing SELinux transaction")
         semanage.finish()
         self.txn = False
         for func, arg, kwargs in self.post_txn_queue:
             states[arg] = func(*arg, **kwargs)
コード例 #4
0
ファイル: selinux_setup.py プロジェクト: tiran/pki
    def spawn(self, deployer):

        if config.str2bool(deployer.mdict['pki_skip_installation']):
            logger.info('Skipping SELinux setup')
            return

        if not selinux.is_selinux_enabled() or seobject is None:
            logger.info('SELinux disabled')
            return

        logger.info('Creating SELinux contexts')

        # A maximum of 10 tries to create the SELinux contexts
        counter = 0
        max_tries = 10
        while True:
            try:
                # check first if any transactions are required
                if len(ports) == 0 and deployer.mdict['pki_instance_name'] == \
                        config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
                    self.restore_context(deployer.mdict)
                    return

                # add SELinux contexts when adding the first subsystem
                if len(deployer.instance.tomcat_instance_subsystems()) == 1:
                    trans = seobject.semanageRecords("targeted")
                    trans.start()
                    if deployer.mdict['pki_instance_name'] != \
                            config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:

                        fcon = seobject.fcontextRecords(trans)

                        logger.info(
                            "adding selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_path'] + self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.add(
                            deployer.mdict['pki_instance_path'] + self.suffix,
                            config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")

                        logger.info(
                            "adding selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_log_path'] +
                            self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.add(
                            deployer.mdict['pki_instance_log_path'] +
                            self.suffix,
                            config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")

                        logger.info(
                            "adding selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_configuration_path'] +
                            self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.add(
                            deployer.mdict['pki_instance_configuration_path'] +
                            self.suffix,
                            config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")

                        logger.info(
                            "adding selinux fcontext \"%s\"",
                            deployer.mdict['pki_server_database_path'] + self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.add(
                            deployer.mdict['pki_server_database_path'] + self.suffix,
                            config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "")

                        port_records = seobject.portRecords(trans)
                        for port in ports:
                            logger.info(
                                "adding selinux port %s", port,
                                extra=config.PKI_INDENTATION_LEVEL_2)
                            port_records.add(
                                port, "tcp", "s0",
                                config.PKI_PORT_SELINUX_CONTEXT)

                    trans.finish()

                    self.restore_context(deployer.mdict)
                break
            except ValueError as e:
                error_message = str(e)
                logger.error(error_message)
                if error_message.strip() == \
                        "Could not start semanage transaction":
                    counter += 1
                    if counter >= max_tries:
                        raise
                    time.sleep(5)
                    logger.debug("Retrying to setup the selinux context ...")
                else:
                    raise
コード例 #5
0
ファイル: selinux_setup.py プロジェクト: tiran/pki
    def destroy(self, deployer):

        if not bool(selinux.is_selinux_enabled()):
            logger.info('SELinux disabled')
            return

        logger.info('Removing SELinux contexts')

        # check first if any transactions are required
        if (len(ports) == 0 and deployer.mdict['pki_instance_name'] ==
                config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME):
            return

        # A maximum of 10 tries to delete the SELinux contexts
        counter = 1
        max_tries = 10
        while True:
            try:
                # remove SELinux contexts when removing the last subsystem
                if len(deployer.instance.tomcat_instance_subsystems()) == 0:
                    trans = seobject.semanageRecords("targeted")
                    trans.start()

                    if deployer.mdict['pki_instance_name'] != \
                            config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:

                        fcon = seobject.fcontextRecords(trans)

                        logger.info(
                            "deleting selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_path'] + self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.delete(
                            deployer.mdict['pki_instance_path'] +
                            self.suffix, "")

                        logger.info(
                            "deleting selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_log_path'] +
                            self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.delete(
                            deployer.mdict['pki_instance_log_path'] +
                            self.suffix, "")

                        logger.info(
                            "deleting selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_configuration_path'] +
                            self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.delete(
                            deployer.mdict['pki_instance_configuration_path'] +
                            self.suffix, "")

                        logger.info(
                            "deleting selinux fcontext \"%s\"",
                            deployer.mdict['pki_server_database_path'] + self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.delete(
                            deployer.mdict['pki_server_database_path'] +
                            self.suffix, "")

                        port_records = seobject.portRecords(trans)
                        for port in ports:
                            logger.info(
                                "deleting selinux port %s", port,
                                extra=config.PKI_INDENTATION_LEVEL_2)
                            port_records.delete(port, "tcp")

                    trans.finish()
                break
            except ValueError as e:
                error_message = str(e)
                logger.error(error_message)
                if error_message.strip() == \
                        "Could not start semanage transaction":
                    counter += 1
                    if counter >= max_tries:
                        raise
                    time.sleep(5)
                    logger.debug("Retrying to remove selinux context ...")
                else:
                    raise
コード例 #6
0
ファイル: selinux_setup.py プロジェクト: garyttierney/pki
    def spawn(self, deployer):

        if config.str2bool(deployer.mdict['pki_skip_installation']):
            config.pki_log.info(log.SKIP_SELINUX_SPAWN_1, __name__,
                                extra=config.PKI_INDENTATION_LEVEL_1)
            return

        if not selinux.is_selinux_enabled() or seobject is None:
            config.pki_log.info(log.SELINUX_DISABLED_SPAWN_1, __name__,
                                extra=config.PKI_INDENTATION_LEVEL_1)
            return

        config.pki_log.info(log.SELINUX_SPAWN_1, __name__,
                            extra=config.PKI_INDENTATION_LEVEL_1)
        # A maximum of 10 tries to create the SELinux contexts
        counter = 0
        max_tries = 10
        while True:
            try:
                # check first if any transactions are required
                if len(ports) == 0 and deployer.mdict['pki_instance_name'] == \
                        config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
                    self.restore_context(deployer.mdict)
                    return

                # add SELinux contexts when adding the first subsystem
                if len(deployer.instance.tomcat_instance_subsystems()) == 1:
                    trans = seobject.semanageRecords("targeted")
                    trans.start()
                    if deployer.mdict['pki_instance_name'] != \
                            config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:

                        fcon = seobject.fcontextRecords(trans)

                        config.pki_log.info(
                            "adding selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_path'] + self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.add(
                            deployer.mdict['pki_instance_path'] + self.suffix,
                            config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")

                        config.pki_log.info(
                            "adding selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_log_path'] +
                            self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.add(
                            deployer.mdict['pki_instance_log_path'] +
                            self.suffix,
                            config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")

                        config.pki_log.info(
                            "adding selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_configuration_path'] +
                            self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.add(
                            deployer.mdict['pki_instance_configuration_path'] +
                            self.suffix,
                            config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")

                        config.pki_log.info(
                            "adding selinux fcontext \"%s\"",
                            deployer.mdict['pki_server_database_path'] + self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.add(
                            deployer.mdict['pki_server_database_path'] + self.suffix,
                            config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "")

                        port_records = seobject.portRecords(trans)
                        for port in ports:
                            config.pki_log.info(
                                "adding selinux port %s", port,
                                extra=config.PKI_INDENTATION_LEVEL_2)
                            port_records.add(
                                port, "tcp", "s0",
                                config.PKI_PORT_SELINUX_CONTEXT)

                    trans.finish()

                    self.restore_context(deployer.mdict)
                break
            except ValueError as e:
                error_message = str(e)
                config.pki_log.debug(error_message)
                if error_message.strip() == \
                        "Could not start semanage transaction":
                    counter += 1
                    if counter >= max_tries:
                        raise
                    time.sleep(5)
                    config.pki_log.debug(
                        "Retrying to setup the selinux context ...")
                else:
                    raise
コード例 #7
0
ファイル: selinux_setup.py プロジェクト: garyttierney/pki
    def destroy(self, deployer):

        if not bool(selinux.is_selinux_enabled()):
            config.pki_log.info(log.SELINUX_DISABLED_DESTROY_1, __name__,
                                extra=config.PKI_INDENTATION_LEVEL_1)
            return

        config.pki_log.info(log.SELINUX_DESTROY_1, __name__,
                            extra=config.PKI_INDENTATION_LEVEL_1)

        # check first if any transactions are required
        if (len(ports) == 0 and deployer.mdict['pki_instance_name'] ==
                config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME):
            return

        # A maximum of 10 tries to delete the SELinux contexts
        counter = 1
        max_tries = 10
        while True:
            try:
                # remove SELinux contexts when removing the last subsystem
                if len(deployer.instance.tomcat_instance_subsystems()) == 0:
                    trans = seobject.semanageRecords("targeted")
                    trans.start()

                    if deployer.mdict['pki_instance_name'] != \
                            config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:

                        fcon = seobject.fcontextRecords(trans)

                        config.pki_log.info(
                            "deleting selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_path'] + self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.delete(
                            deployer.mdict['pki_instance_path'] +
                            self.suffix, "")

                        config.pki_log.info(
                            "deleting selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_log_path'] +
                            self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.delete(
                            deployer.mdict['pki_instance_log_path'] +
                            self.suffix, "")

                        config.pki_log.info(
                            "deleting selinux fcontext \"%s\"",
                            deployer.mdict['pki_instance_configuration_path'] +
                            self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.delete(
                            deployer.mdict['pki_instance_configuration_path'] +
                            self.suffix, "")

                        config.pki_log.info(
                            "deleting selinux fcontext \"%s\"",
                            deployer.mdict['pki_server_database_path'] + self.suffix,
                            extra=config.PKI_INDENTATION_LEVEL_2)
                        fcon.delete(
                            deployer.mdict['pki_server_database_path'] +
                            self.suffix, "")

                        port_records = seobject.portRecords(trans)
                        for port in ports:
                            config.pki_log.info(
                                "deleting selinux port %s", port,
                                extra=config.PKI_INDENTATION_LEVEL_2)
                            port_records.delete(port, "tcp")

                    trans.finish()
                break
            except ValueError as e:
                error_message = str(e)
                config.pki_log.debug(error_message)
                if error_message.strip() == \
                        "Could not start semanage transaction":
                    counter += 1
                    if counter >= max_tries:
                        raise
                    time.sleep(5)
                    config.pki_log.debug(
                        "Retrying to remove selinux context ...")
                else:
                    raise
コード例 #8
0
    def destroy(self, deployer):

        if not bool(selinux.is_selinux_enabled()):
            logger.info('SELinux disabled')
            return

        # check first if any transactions are required
        if (len(ports) == 0 and deployer.mdict['pki_instance_name'] ==
                config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME):
            return

        logger.info('Removing SELinux contexts')

        # A maximum of 10 tries to delete the SELinux contexts
        max_tries = 10
        for counter in range(1, max_tries):
            try:
                # remove SELinux contexts when removing the last subsystem
                if len(deployer.instance.tomcat_instance_subsystems()) == 0:
                    trans = seobject.semanageRecords("targeted")
                    trans.start()

                    if deployer.mdict['pki_instance_name'] != \
                            config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:

                        fcon = seobject.fcontextRecords(trans)
                        file_records = fcon.get_all()

                        if self.context_exists(file_records,
                                               deployer.mdict['pki_instance_path'] +
                                               self.suffix):
                            logger.info(
                                "deleting selinux fcontext \"%s\"",
                                deployer.mdict['pki_instance_path'] + self.suffix)
                            fcon.delete(
                                deployer.mdict['pki_instance_path'] +
                                self.suffix, "")

                        if self.context_exists(file_records,
                                               deployer.mdict['pki_instance_log_path'] +
                                               self.suffix):
                            logger.info(
                                "deleting selinux fcontext \"%s\"",
                                deployer.mdict['pki_instance_log_path'] +
                                self.suffix)
                            fcon.delete(
                                deployer.mdict['pki_instance_log_path'] +
                                self.suffix, "")

                        if self.context_exists(file_records,
                                               deployer.mdict['pki_instance_configuration_path'] +
                                               self.suffix):
                            logger.info(
                                "deleting selinux fcontext \"%s\"",
                                deployer.mdict['pki_instance_configuration_path'] +
                                self.suffix)
                            fcon.delete(
                                deployer.mdict['pki_instance_configuration_path'] +
                                self.suffix, "")

                        if self.context_exists(file_records,
                                               deployer.mdict['pki_server_database_path'] +
                                               self.suffix):
                            logger.info(
                                "deleting selinux fcontext \"%s\"",
                                deployer.mdict['pki_server_database_path'] + self.suffix)
                            fcon.delete(
                                deployer.mdict['pki_server_database_path'] +
                                self.suffix, "")

                        port_records = seobject.portRecords(trans)
                        port_record_values = port_records.get_all()
                        for port in ports:
                            if self.context_exists(port_record_values, port):
                                logger.info("deleting selinux port %s", port)
                                port_records.delete(port, "tcp")

                    trans.finish()
                break
            except ValueError as e:
                error_message = str(e)
                logger.error(error_message)
                if error_message.strip() == \
                        "Could not start semanage transaction":
                    if counter >= max_tries:
                        raise
                    time.sleep(5)
                    logger.debug("Retrying to remove selinux context ...")
                else:
                    raise