def semanage_port_add(module, ports, proto, setype, do_reload, serange='s0', sestore=''): """ Add SELinux port type definition to the policy. :type module: AnsibleModule :param module: Ansible module :type ports: list :param ports: List of ports and port ranges to add (e.g. ["8080", "8080-9090"]) :type proto: str :param proto: Protocol ('tcp' or 'udp') :type setype: str :param setype: SELinux type :type do_reload: bool :param do_reload: Whether to reload SELinux policy after commit :type serange: str :param serange: SELinux MLS/MCS range (defaults to 's0') :type sestore: str :param sestore: SELinux store :rtype: bool :return: True if the policy was changed, otherwise False """ try: seport = seobject.portRecords(sestore) seport.set_reload(do_reload) change = False for port in ports: exists = semanage_port_exists(seport, port, proto) if not exists and not module.check_mode: seport.add(port, proto, serange, setype) change = change or not exists except ValueError: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e))) except IOError: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e))) except KeyError: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e))) except OSError: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e))) except RuntimeError: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e))) return change
def semanage_port_del(module, ports, proto, do_reload, sestore=''): """ Delete SELinux port type definition from the policy. :type module: AnsibleModule :param module: Ansible module :type ports: list :param ports: List of ports and port ranges to delete (e.g. ["8080", "8080-9090"]) :type proto: str :param proto: Protocol ('tcp' or 'udp') :type do_reload: bool :param do_reload: Whether to reload SELinux policy after commit :type sestore: str :param sestore: SELinux store :rtype: bool :return: True if the policy was changed, otherwise False """ try: seport = seobject.portRecords(sestore) seport.set_reload(do_reload) change = False for port in ports: exists = semanage_port_exists(seport, port, proto) if not exists and not module.check_mode: seport.delete(port, proto) change = change or not exists except ValueError, e: module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e)))
def semanage_port_add(module, ports, proto, setype, do_reload, serange='s0', sestore=''): """ Add SELinux port type definition to the policy. :type module: AnsibleModule :param module: Ansible module :type ports: list :param ports: List of ports and port ranges to add (e.g. ["8080", "8080-9090"]) :type proto: str :param proto: Protocol ('tcp' or 'udp') :type setype: str :param setype: SELinux type :type do_reload: bool :param do_reload: Whether to reload SELinux policy after commit :type serange: str :param serange: SELinux MLS/MCS range (defaults to 's0') :type sestore: str :param sestore: SELinux store :rtype: bool :return: True if the policy was changed, otherwise False """ try: seport = seobject.portRecords(sestore) seport.set_reload(do_reload) change = False ports_by_type = semanage_port_get_ports(seport, setype, proto) for port in ports: if port not in ports_by_type: change = True port_type = semanage_port_get_type(seport, port, proto) if port_type is None and not module.check_mode: seport.add(port, proto, serange, setype) elif port_type is not None and not module.check_mode: seport.modify(port, proto, serange, setype) except ValueError: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e))) except IOError: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e))) except KeyError: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e))) except OSError: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e))) except RuntimeError: e = get_exception() module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e))) return change
def semanage_port_add(module, ports, proto, setype, do_reload, serange='s0', sestore=''): """ Add SELinux port type definition to the policy. :type module: AnsibleModule :param module: Ansible module :type ports: list :param ports: List of ports and port ranges to add (e.g. ["8080", "8080-9090"]) :type proto: str :param proto: Protocol ('tcp' or 'udp') :type setype: str :param setype: SELinux type :type do_reload: bool :param do_reload: Whether to reload SELinux policy after commit :type serange: str :param serange: SELinux MLS/MCS range (defaults to 's0') :type sestore: str :param sestore: SELinux store :rtype: bool :return: True if the policy was changed, otherwise False """ try: seport = seobject.portRecords(sestore) seport.set_reload(do_reload) change = False ports_by_type = semanage_port_get_ports(seport, setype, proto) for port in ports: if port not in ports_by_type: change = True port_type = semanage_port_get_type(seport, port, proto) if port_type is None and not module.check_mode: seport.add(port, proto, serange, setype) elif port_type is not None and not module.check_mode: seport.modify(port, proto, serange, setype) except (ValueError, IOError, KeyError, OSError, RuntimeError) as e: module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)), exception=traceback.format_exc()) return change
def group_load(self, filter=""): self.filter = filter self.port = seobject.portRecords() dict = self.port.get_all_by_type(self.local) self.store.clear() for k in sorted(dict.keys()): ports_string = ", ".join(dict[k]) if not (self.match(ports_string, filter) or self.match(k[0], filter) or self.match(k[1], filter)): continue iter = self.store.append() self.store.set_value(iter, TYPE_COL, k[0]) self.store.set_value(iter, PROTOCOL_COL, k[1]) self.store.set_value(iter, PORT_COL, ports_string) self.store.set_value(iter, MLS_COL, "") self.view.get_selection().select_path((0,))
def load(self, filter=""): self.filter = filter self.port = seobject.portRecords() dict = self.port.get_all(self.local) self.store.clear() for k in sorted(dict.keys()): if not (self.match(str(k[0]), filter) or self.match(dict[k][0], filter) or self.match(k[2], filter) or self.match(dict[k][1], filter) or self.match(dict[k][1], filter)): continue iter = self.store.append() if k[0] == k[1]: self.store.set_value(iter, PORT_COL, k[0]) else: rec = "%s-%s" % k[:2] self.store.set_value(iter, PORT_COL, rec) self.store.set_value(iter, TYPE_COL, dict[k][0]) self.store.set_value(iter, PROTOCOL_COL, k[2]) self.store.set_value(iter, MLS_COL, dict[k][1]) self.view.get_selection().select_path((0,))
def semanage_port_del(module, ports, proto, setype, do_reload, sestore=''): """ Delete SELinux port type definition from the policy. :type module: AnsibleModule :param module: Ansible module :type ports: list :param ports: List of ports and port ranges to delete (e.g. ["8080", "8080-9090"]) :type proto: str :param proto: Protocol ('tcp' or 'udp') :type setype: str :param setype: SELinux type. :type do_reload: bool :param do_reload: Whether to reload SELinux policy after commit :type sestore: str :param sestore: SELinux store :rtype: bool :return: True if the policy was changed, otherwise False """ try: seport = seobject.portRecords(sestore) seport.set_reload(do_reload) change = False ports_by_type = semanage_port_get_ports(seport, setype, proto) for port in ports: if port in ports_by_type: change = True if not module.check_mode: seport.delete(port, proto) except (ValueError, IOError, KeyError, OSError, RuntimeError) as e: module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)), exception=traceback.format_exc()) return change
def spawn(self, deployer): if config.str2bool(deployer.mdict['pki_skip_installation']): logger.info('Skipping SELinux setup') return if not selinux.is_selinux_enabled() or seobject is None: logger.info('SELinux disabled') return logger.info('Creating SELinux contexts') # A maximum of 10 tries to create the SELinux contexts counter = 0 max_tries = 10 while True: try: # check first if any transactions are required if len(ports) == 0 and deployer.mdict['pki_instance_name'] == \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: self.restore_context(deployer.mdict) return # add SELinux contexts when adding the first subsystem if len(deployer.instance.tomcat_instance_subsystems()) == 1: trans = seobject.semanageRecords("targeted") trans.start() if deployer.mdict['pki_instance_name'] != \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: fcon = seobject.fcontextRecords(trans) logger.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_path'] + self.suffix, config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "") logger.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_log_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_log_path'] + self.suffix, config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "") logger.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_configuration_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_configuration_path'] + self.suffix, config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "") logger.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_server_database_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_server_database_path'] + self.suffix, config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") port_records = seobject.portRecords(trans) for port in ports: logger.info( "adding selinux port %s", port, extra=config.PKI_INDENTATION_LEVEL_2) port_records.add( port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT) trans.finish() self.restore_context(deployer.mdict) break except ValueError as e: error_message = str(e) logger.error(error_message) if error_message.strip() == \ "Could not start semanage transaction": counter += 1 if counter >= max_tries: raise time.sleep(5) logger.debug("Retrying to setup the selinux context ...") else: raise
def destroy(self, deployer): if not bool(selinux.is_selinux_enabled()): logger.info('SELinux disabled') return logger.info('Removing SELinux contexts') # check first if any transactions are required if (len(ports) == 0 and deployer.mdict['pki_instance_name'] == config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME): return # A maximum of 10 tries to delete the SELinux contexts counter = 1 max_tries = 10 while True: try: # remove SELinux contexts when removing the last subsystem if len(deployer.instance.tomcat_instance_subsystems()) == 0: trans = seobject.semanageRecords("targeted") trans.start() if deployer.mdict['pki_instance_name'] != \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: fcon = seobject.fcontextRecords(trans) logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_path'] + self.suffix, "") logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_log_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_log_path'] + self.suffix, "") logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_configuration_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_configuration_path'] + self.suffix, "") logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_server_database_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_server_database_path'] + self.suffix, "") port_records = seobject.portRecords(trans) for port in ports: logger.info( "deleting selinux port %s", port, extra=config.PKI_INDENTATION_LEVEL_2) port_records.delete(port, "tcp") trans.finish() break except ValueError as e: error_message = str(e) logger.error(error_message) if error_message.strip() == \ "Could not start semanage transaction": counter += 1 if counter >= max_tries: raise time.sleep(5) logger.debug("Retrying to remove selinux context ...") else: raise
def spawn(self, deployer): if config.str2bool(deployer.mdict['pki_skip_installation']): config.pki_log.info(log.SKIP_SELINUX_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) return if not selinux.is_selinux_enabled() or seobject is None: config.pki_log.info(log.SELINUX_DISABLED_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) return config.pki_log.info(log.SELINUX_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # A maximum of 10 tries to create the SELinux contexts counter = 0 max_tries = 10 while True: try: # check first if any transactions are required if len(ports) == 0 and deployer.mdict['pki_instance_name'] == \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: self.restore_context(deployer.mdict) return # add SELinux contexts when adding the first subsystem if len(deployer.instance.tomcat_instance_subsystems()) == 1: trans = seobject.semanageRecords("targeted") trans.start() if deployer.mdict['pki_instance_name'] != \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: fcon = seobject.fcontextRecords(trans) config.pki_log.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_path'] + self.suffix, config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "") config.pki_log.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_log_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_log_path'] + self.suffix, config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "") config.pki_log.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_instance_configuration_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_instance_configuration_path'] + self.suffix, config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "") config.pki_log.info( "adding selinux fcontext \"%s\"", deployer.mdict['pki_server_database_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.add( deployer.mdict['pki_server_database_path'] + self.suffix, config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") port_records = seobject.portRecords(trans) for port in ports: config.pki_log.info( "adding selinux port %s", port, extra=config.PKI_INDENTATION_LEVEL_2) port_records.add( port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT) trans.finish() self.restore_context(deployer.mdict) break except ValueError as e: error_message = str(e) config.pki_log.debug(error_message) if error_message.strip() == \ "Could not start semanage transaction": counter += 1 if counter >= max_tries: raise time.sleep(5) config.pki_log.debug( "Retrying to setup the selinux context ...") else: raise
def destroy(self, deployer): if not bool(selinux.is_selinux_enabled()): config.pki_log.info(log.SELINUX_DISABLED_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) return config.pki_log.info(log.SELINUX_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # check first if any transactions are required if (len(ports) == 0 and deployer.mdict['pki_instance_name'] == config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME): return # A maximum of 10 tries to delete the SELinux contexts counter = 1 max_tries = 10 while True: try: # remove SELinux contexts when removing the last subsystem if len(deployer.instance.tomcat_instance_subsystems()) == 0: trans = seobject.semanageRecords("targeted") trans.start() if deployer.mdict['pki_instance_name'] != \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: fcon = seobject.fcontextRecords(trans) config.pki_log.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_path'] + self.suffix, "") config.pki_log.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_log_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_log_path'] + self.suffix, "") config.pki_log.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_configuration_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_instance_configuration_path'] + self.suffix, "") config.pki_log.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_server_database_path'] + self.suffix, extra=config.PKI_INDENTATION_LEVEL_2) fcon.delete( deployer.mdict['pki_server_database_path'] + self.suffix, "") port_records = seobject.portRecords(trans) for port in ports: config.pki_log.info( "deleting selinux port %s", port, extra=config.PKI_INDENTATION_LEVEL_2) port_records.delete(port, "tcp") trans.finish() break except ValueError as e: error_message = str(e) config.pki_log.debug(error_message) if error_message.strip() == \ "Could not start semanage transaction": counter += 1 if counter >= max_tries: raise time.sleep(5) config.pki_log.debug( "Retrying to remove selinux context ...") else: raise
def destroy(self, deployer): if not bool(selinux.is_selinux_enabled()): logger.info('SELinux disabled') return # check first if any transactions are required if (len(ports) == 0 and deployer.mdict['pki_instance_name'] == config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME): return logger.info('Removing SELinux contexts') # A maximum of 10 tries to delete the SELinux contexts max_tries = 10 for counter in range(1, max_tries): try: # remove SELinux contexts when removing the last subsystem if len(deployer.instance.tomcat_instance_subsystems()) == 0: trans = seobject.semanageRecords("targeted") trans.start() if deployer.mdict['pki_instance_name'] != \ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: fcon = seobject.fcontextRecords(trans) file_records = fcon.get_all() if self.context_exists(file_records, deployer.mdict['pki_instance_path'] + self.suffix): logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_path'] + self.suffix) fcon.delete( deployer.mdict['pki_instance_path'] + self.suffix, "") if self.context_exists(file_records, deployer.mdict['pki_instance_log_path'] + self.suffix): logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_log_path'] + self.suffix) fcon.delete( deployer.mdict['pki_instance_log_path'] + self.suffix, "") if self.context_exists(file_records, deployer.mdict['pki_instance_configuration_path'] + self.suffix): logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_instance_configuration_path'] + self.suffix) fcon.delete( deployer.mdict['pki_instance_configuration_path'] + self.suffix, "") if self.context_exists(file_records, deployer.mdict['pki_server_database_path'] + self.suffix): logger.info( "deleting selinux fcontext \"%s\"", deployer.mdict['pki_server_database_path'] + self.suffix) fcon.delete( deployer.mdict['pki_server_database_path'] + self.suffix, "") port_records = seobject.portRecords(trans) port_record_values = port_records.get_all() for port in ports: if self.context_exists(port_record_values, port): logger.info("deleting selinux port %s", port) port_records.delete(port, "tcp") trans.finish() break except ValueError as e: error_message = str(e) logger.error(error_message) if error_message.strip() == \ "Could not start semanage transaction": if counter >= max_tries: raise time.sleep(5) logger.debug("Retrying to remove selinux context ...") else: raise