def read_selinux_config(self):
self.initialtype = selinux.selinux_getpolicytype()[1]
try:
self.initEnabled = selinux.selinux_getenforcemode()[1]
except:
self.initEnabled = False
pass
self.enabled = self.initEnabled
self.enabledOptionMenu.set_active(self.enabled + 1)
self.types = []
n = 0
current = n
for i in os.listdir(SELINUXDIR):
if os.path.isdir(SELINUXDIR + i) and os.path.isdir(SELINUXDIR + i +
"/policy"):
self.types.append(i)
self.selinuxTypeOptionMenu.append_text(i)
if i == self.initialtype:
current = n
n = n + 1
self.selinuxTypeOptionMenu.set_active(current)
self.typeHistory = current
return 0
def __init__(self, xml):
self.xml = xml
self.needRelabel = False
self.type = selinux.selinux_getpolicytype()
# Bring in widgets from glade file.
self.selinuxTypeOptionMenu = xml.get_object("selinuxTypeOptionMenu")
self.typeLabel = xml.get_object("typeLabel")
self.enabledOptionMenu = xml.get_object("enabledOptionMenu")
self.currentOptionMenu = xml.get_object("currentOptionMenu")
self.relabel_checkbutton = xml.get_object("relabelCheckbutton")
self.relabel_checkbutton.set_active(self.is_relabel())
self.relabel_checkbutton.connect("toggled", self.on_relabel_toggle)
if self.get_current_mode() == ENFORCING or self.get_current_mode(
) == PERMISSIVE:
self.currentOptionMenu.append_text(_("Permissive"))
self.currentOptionMenu.append_text(_("Enforcing"))
self.currentOptionMenu.set_active(self.get_current_mode())
self.currentOptionMenu.connect("changed", self.set_current_mode)
self.currentOptionMenu.set_sensitive(True)
else:
self.currentOptionMenu.append_text(_("Disabled"))
self.currentOptionMenu.set_active(0)
self.currentOptionMenu.set_sensitive(False)
if self.read_selinux_config() is None:
self.selinuxsupport = False
else:
self.enabledOptionMenu.connect("changed", self.enabled_changed)
#
# This line must come after read_selinux_config
#
self.selinuxTypeOptionMenu.connect("changed", self.typemenu_changed)
self.typeLabel.set_mnemonic_widget(self.selinuxTypeOptionMenu)
def __init__(self, xml):
semanagePage.__init__(self, xml, "modules", _("Policy Module"))
self.module_filter = xml.get_widget("modulesFilterEntry")
self.module_filter.connect("focus_out_event", self.filter_changed)
self.module_filter.connect("activate", self.filter_changed)
self.audit_enabled = False
self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING)
self.view.set_model(self.store)
self.store.set_sort_column_id(0, gtk.SORT_ASCENDING)
col = gtk.TreeViewColumn(_("Module Name"),
gtk.CellRendererText(),
text=0)
col.set_sort_column_id(0)
col.set_resizable(True)
self.view.append_column(col)
self.store.set_sort_column_id(0, gtk.SORT_ASCENDING)
col = gtk.TreeViewColumn(_("Version"), gtk.CellRendererText(), text=1)
self.enable_audit_button = xml.get_widget("enableAuditButton")
self.enable_audit_button.connect("clicked", self.enable_audit)
self.new_button = xml.get_widget("newModuleButton")
self.new_button.connect("clicked", self.new_module)
col.set_sort_column_id(1)
col.set_resizable(True)
self.view.append_column(col)
self.store.set_sort_func(1, self.sort_int, "")
status, self.policy_type = selinux.selinux_getpolicytype()
self.load()
def get_selinux_status():
''' Get SELinux status information '''
try:
import selinux
except ImportError:
api.report_error(
"SELinux Import Error",
details="libselinux-python package must be installed.")
return
outdata = dict({'enabled': selinux.is_selinux_enabled() == 1})
outdata['mls_enabled'] = selinux.is_selinux_mls_enabled() == 1
try:
outdata['runtime_mode'] = "enforcing" if selinux.security_getenforce(
) == 1 else "permissive"
# FIXME: check selinux_getenforcemode[0] (that should be return value of a underneath function)
enforce_mode = selinux.selinux_getenforcemode()[1]
if enforce_mode >= 0:
outdata[
'static_mode'] = "enforcing" if enforce_mode == 1 else "permissive"
else:
outdata['static_mode'] = "disabled"
outdata['policy'] = selinux.selinux_getpolicytype()[1]
except OSError:
# This happens when SELinux is disabled
# [Errno 2] No such file or directory
outdata['runtime_mode'] = 'permissive'
outdata['static_mode'] = 'disabled'
outdata['policy'] = 'targeted'
return SELinuxFacts(**outdata)
def __init__(self, xml):
self.xml = xml
self.needRelabel = False
self.type = selinux.selinux_getpolicytype()
# Bring in widgets from glade file.
self.typeHBox = xml.get_widget("typeHBox")
self.selinuxTypeOptionMenu = xml.get_widget("selinuxTypeOptionMenu")
self.typeLabel = xml.get_widget("typeLabel")
self.enabledOptionMenu = xml.get_widget("enabledOptionMenu")
self.currentOptionMenu = xml.get_widget("currentOptionMenu")
self.relabel_checkbutton = xml.get_widget("relabelCheckbutton")
self.relabel_checkbutton.set_active(self.is_relabel())
self.relabel_checkbutton.connect("toggled", self.on_relabel_toggle)
if self.get_current_mode() == ENFORCING or self.get_current_mode() == PERMISSIVE:
self.currentOptionMenu.append_text(_("Permissive"))
self.currentOptionMenu.append_text(_("Enforcing"))
self.currentOptionMenu.set_active(self.get_current_mode())
self.currentOptionMenu.connect("changed", self.set_current_mode)
self.currentOptionMenu.set_sensitive(True)
else:
self.currentOptionMenu.append_text(_("Disabled"))
self.currentOptionMenu.set_active(0)
self.currentOptionMenu.set_sensitive(False)
if self.read_selinux_config() == None:
self.selinuxsupport = False
else:
self.enabledOptionMenu.connect("changed", self.enabled_changed)
#
# This line must come after read_selinux_config
#
self.selinuxTypeOptionMenu.connect("changed", self.typemenu_changed)
self.typeLabel.set_mnemonic_widget(self.selinuxTypeOptionMenu)
def read_selinux_config(self):
self.initialtype = selinux.selinux_getpolicytype()[1]
try:
self.initEnabled = selinux.selinux_getenforcemode()[1]
except:
self.initEnabled = False
pass
self.enabled = self.initEnabled
self.enabledOptionMenu.set_active(self.enabled + 1)
self.types = []
n = 0
current = n
for i in os.listdir(SELINUXDIR):
if os.path.isdir(SELINUXDIR + i) and os.path.isdir(SELINUXDIR + i + "/policy"):
self.types.append(i)
self.selinuxTypeOptionMenu.append_text(i)
if i == self.initialtype:
current = n
n = n + 1
self.selinuxTypeOptionMenu.set_active(current)
self.typeHistory = current
return 0
def __init__(self, xml):
semanagePage.__init__(self, xml, "modules", _("Policy Module"))
self.module_filter = xml.get_object("modulesFilterEntry")
self.module_filter.connect("focus_out_event", self.filter_changed)
self.module_filter.connect("activate", self.filter_changed)
self.audit_enabled = False
self.store = Gtk.ListStore(GObject.TYPE_STRING, GObject.TYPE_STRING,
GObject.TYPE_STRING)
self.view.set_model(self.store)
self.store.set_sort_column_id(0, Gtk.SortType.ASCENDING)
col = Gtk.TreeViewColumn(_("Module Name"), Gtk.CellRendererText(), text=0)
col.set_sort_column_id(0)
col.set_resizable(True)
self.view.append_column(col)
self.store.set_sort_column_id(0, Gtk.SortType.ASCENDING)
col = Gtk.TreeViewColumn(_("Priority"), Gtk.CellRendererText(), text=1)
self.enable_audit_button = xml.get_object("enableAuditButton")
self.enable_audit_button.connect("clicked", self.enable_audit)
self.new_button = xml.get_object("newModuleButton")
self.new_button.connect("clicked", self.new_module)
col.set_sort_column_id(1)
col.set_resizable(True)
self.view.append_column(col)
self.store.set_sort_column_id(2, Gtk.SortType.ASCENDING)
col = Gtk.TreeViewColumn(_("Kind"), Gtk.CellRendererText(), text=2)
col.set_sort_column_id(2)
col.set_resizable(True)
self.view.append_column(col)
self.store.set_sort_func(1, self.sort_int, "")
status, self.policy_type = selinux.selinux_getpolicytype()
self.load()
def __init__(self, tool, config):
SELinuxEntryHandler.__init__(self, tool, config)
self.filetool = POSIXFile(config)
try:
self.setype = selinux.selinux_getpolicytype()[1]
except IndexError:
self.logger.error("Unable to determine SELinux policy type")
self.setype = None
def __init__(self, tool, logger, setup, config):
SELinuxEntryHandler.__init__(self, tool, logger, setup, config)
self.posixtool = Bcfg2.Client.Tools.POSIX.POSIX(logger, setup, config)
try:
self.setype = selinux.selinux_getpolicytype()[1]
except IndexError:
self.logger.error("Unable to determine SELinux policy type")
self.setype = None
def __init__(self, tool, logger, setup, config):
SELinuxEntryHandler.__init__(self, tool, logger, setup, config)
self.filetool = POSIXFile(logger, setup, config)
try:
self.setype = selinux.selinux_getpolicytype()[1]
except IndexError:
self.logger.error("Unable to determine SELinux policy type")
self.setype = None
def collect(self, module=None, collected_facts=None):
facts_dict = {}
selinux_facts = {}
# If selinux library is missing, only set the status and selinux_python_present since
# there is no way to tell if SELinux is enabled or disabled on the system
# without the library.
if not HAVE_SELINUX:
selinux_facts['status'] = 'Missing selinux Python library'
facts_dict['selinux'] = selinux_facts
facts_dict['selinux_python_present'] = False
return facts_dict
# Set a boolean for testing whether the Python library is present
facts_dict['selinux_python_present'] = True
if not selinux.is_selinux_enabled():
selinux_facts['status'] = 'disabled'
else:
selinux_facts['status'] = 'enabled'
try:
selinux_facts['policyvers'] = selinux.security_policyvers()
except (AttributeError, OSError):
selinux_facts['policyvers'] = 'unknown'
try:
(rc, configmode) = selinux.selinux_getenforcemode()
if rc == 0:
selinux_facts['config_mode'] = SELINUX_MODE_DICT.get(
configmode, 'unknown')
else:
selinux_facts['config_mode'] = 'unknown'
except (AttributeError, OSError):
selinux_facts['config_mode'] = 'unknown'
try:
mode = selinux.security_getenforce()
selinux_facts['mode'] = SELINUX_MODE_DICT.get(mode, 'unknown')
except (AttributeError, OSError):
selinux_facts['mode'] = 'unknown'
try:
(rc, policytype) = selinux.selinux_getpolicytype()
if rc == 0:
selinux_facts['type'] = policytype
else:
selinux_facts['type'] = 'unknown'
except (AttributeError, OSError):
selinux_facts['type'] = 'unknown'
facts_dict['selinux'] = selinux_facts
return facts_dict
def collect(self, module=None, collected_facts=None):
facts_dict = {}
selinux_facts = {}
# If selinux library is missing, only set the status and selinux_python_present since
# there is no way to tell if SELinux is enabled or disabled on the system
# without the library.
if not HAVE_SELINUX:
selinux_facts['status'] = 'Missing selinux Python library'
facts_dict['selinux'] = selinux_facts
facts_dict['selinux_python_present'] = False
return facts_dict
# Set a boolean for testing whether the Python library is present
facts_dict['selinux_python_present'] = True
if not selinux.is_selinux_enabled():
selinux_facts['status'] = 'disabled'
else:
selinux_facts['status'] = 'enabled'
try:
selinux_facts['policyvers'] = selinux.security_policyvers()
except (AttributeError, OSError):
selinux_facts['policyvers'] = 'unknown'
try:
(rc, configmode) = selinux.selinux_getenforcemode()
if rc == 0:
selinux_facts['config_mode'] = SELINUX_MODE_DICT.get(configmode, 'unknown')
else:
selinux_facts['config_mode'] = 'unknown'
except (AttributeError, OSError):
selinux_facts['config_mode'] = 'unknown'
try:
mode = selinux.security_getenforce()
selinux_facts['mode'] = SELINUX_MODE_DICT.get(mode, 'unknown')
except (AttributeError, OSError):
selinux_facts['mode'] = 'unknown'
try:
(rc, policytype) = selinux.selinux_getpolicytype()
if rc == 0:
selinux_facts['type'] = policytype
else:
selinux_facts['type'] = 'unknown'
except (AttributeError, OSError):
selinux_facts['type'] = 'unknown'
facts_dict['selinux'] = selinux_facts
return facts_dict
def collect(self, module=None, collected_facts=None):
facts_dict = {}
selinux_facts = {}
# This is weird. The value of the facts 'selinux' key can be False or a dict
if not HAVE_SELINUX:
facts_dict['selinux'] = False
facts_dict['selinux_python_present'] = False
return facts_dict
facts_dict['selinux_python_present'] = True
if not selinux.is_selinux_enabled():
selinux_facts['status'] = 'disabled'
# NOTE: this could just return in the above clause and the rest of this is up an indent -akl
else:
selinux_facts['status'] = 'enabled'
try:
selinux_facts['policyvers'] = selinux.security_policyvers()
except (AttributeError, OSError):
selinux_facts['policyvers'] = 'unknown'
try:
(rc, configmode) = selinux.selinux_getenforcemode()
if rc == 0:
selinux_facts['config_mode'] = SELINUX_MODE_DICT.get(
configmode, 'unknown')
else:
selinux_facts['config_mode'] = 'unknown'
except (AttributeError, OSError):
selinux_facts['config_mode'] = 'unknown'
try:
mode = selinux.security_getenforce()
selinux_facts['mode'] = SELINUX_MODE_DICT.get(mode, 'unknown')
except (AttributeError, OSError):
selinux_facts['mode'] = 'unknown'
try:
(rc, policytype) = selinux.selinux_getpolicytype()
if rc == 0:
selinux_facts['type'] = policytype
else:
selinux_facts['type'] = 'unknown'
except (AttributeError, OSError):
selinux_facts['type'] = 'unknown'
facts_dict['selinux'] = selinux_facts
return facts_dict
def collect(self, module=None, collected_facts=None):
facts_dict = {}
selinux_facts = {}
# This is weird. The value of the facts 'selinux' key can be False or a dict
if not HAVE_SELINUX:
facts_dict['selinux'] = False
facts_dict['selinux_python_present'] = False
return facts_dict
facts_dict['selinux_python_present'] = True
if not selinux.is_selinux_enabled():
selinux_facts['status'] = 'disabled'
# NOTE: this could just return in the above clause and the rest of this is up an indent -akl
else:
selinux_facts['status'] = 'enabled'
try:
selinux_facts['policyvers'] = selinux.security_policyvers()
except (AttributeError, OSError):
selinux_facts['policyvers'] = 'unknown'
try:
(rc, configmode) = selinux.selinux_getenforcemode()
if rc == 0:
selinux_facts['config_mode'] = SELINUX_MODE_DICT.get(configmode, 'unknown')
else:
selinux_facts['config_mode'] = 'unknown'
except (AttributeError, OSError):
selinux_facts['config_mode'] = 'unknown'
try:
mode = selinux.security_getenforce()
selinux_facts['mode'] = SELINUX_MODE_DICT.get(mode, 'unknown')
except (AttributeError, OSError):
selinux_facts['mode'] = 'unknown'
try:
(rc, policytype) = selinux.selinux_getpolicytype()
if rc == 0:
selinux_facts['type'] = policytype
else:
selinux_facts['type'] = 'unknown'
except (AttributeError, OSError):
selinux_facts['type'] = 'unknown'
facts_dict['selinux'] = selinux_facts
return facts_dict
def update(self):
import platform
import selinux
# security_getenforce is the same as the getenforce command.
# selinux_getenforcemode tells you what is set in /etc/selinux/config
self.platform, self.kernel = get_os_environment()
self.policy_type = selinux.selinux_getpolicytype()[1]
self.policy_rpm = get_rpm_nvr_by_name("selinux-policy")
self.policyvers = str(selinux.security_policyvers())
enforce = selinux.security_getenforce()
if enforce == 0:
self.enforce = "Permissive"
else:
self.enforce = "Enforcing"
self.selinux_enabled = bool(selinux.is_selinux_enabled())
self.selinux_mls_enabled = bool(selinux.is_selinux_mls_enabled())
self.hostname = platform.node()
self.uname = " ".join(platform.uname())
def update(self):
import platform
import selinux
# security_getenforce is the same as the getenforce command.
# selinux_getenforcemode tells you what is set in /etc/selinux/config
self.platform, self.kernel = get_os_environment()
self.policy_type = selinux.selinux_getpolicytype()[1]
self.policy_rpm = get_rpm_nvr_by_name("selinux-policy")
self.policyvers = str(selinux.security_policyvers())
enforce = selinux.security_getenforce()
if enforce == 0:
self.enforce = "Permissive"
else:
self.enforce = "Enforcing"
self.selinux_enabled = bool(selinux.is_selinux_enabled())
self.selinux_mls_enabled = bool(selinux.is_selinux_mls_enabled())
self.hostname = platform.node()
self.uname = " ".join(platform.uname())
def main():
module = AnsibleModule(argument_spec=dict(
policy=dict(required=False),
state=dict(choices=['enforcing', 'permissive', 'disabled'],
required=True),
configfile=dict(aliases=['conf', 'file'],
default='/etc/selinux/config')),
supports_check_mode=True)
# global vars
changed = False
msgs = []
configfile = module.params['configfile']
policy = module.params['policy']
state = module.params['state']
runtime_enabled = selinux.is_selinux_enabled()
runtime_policy = selinux.selinux_getpolicytype()[1]
runtime_state = 'disabled'
if (runtime_enabled):
# enabled means 'enforcing' or 'permissive'
if (selinux.security_getenforce()):
runtime_state = 'enforcing'
else:
runtime_state = 'permissive'
config_policy = get_config_policy(configfile)
config_state = get_config_state(configfile)
# check to see if policy is set if state is not 'disabled'
if (state != 'disabled'):
if not policy:
module.fail_json(
msg='policy is required if state is not \'disabled\'')
else:
if not policy:
policy = config_policy
# check changed values and run changes
if (policy != runtime_policy):
if module.check_mode:
module.exit_json(changed=True)
# cannot change runtime policy
msgs.append('reboot to change the loaded policy')
changed = True
if (policy != config_policy):
if module.check_mode:
module.exit_json(changed=True)
msgs.append('config policy changed from \'%s\' to \'%s\'' %
(config_policy, policy))
set_config_policy(policy, configfile)
changed = True
if (state != runtime_state):
if module.check_mode:
module.exit_json(changed=True)
if (state == 'disabled'):
msgs.append('state change will take effect next reboot')
else:
if (runtime_enabled):
set_state(state)
msgs.append('runtime state changed from \'%s\' to \'%s\'' %
(runtime_state, state))
else:
msgs.append('state change will take effect next reboot')
changed = True
if (state != config_state):
if module.check_mode:
module.exit_json(changed=True)
msgs.append('config state changed from \'%s\' to \'%s\'' %
(config_state, state))
set_config_state(state, configfile)
changed = True
module.exit_json(changed=changed,
msg=', '.join(msgs),
configfile=configfile,
policy=policy,
state=state)
def __init__(self, gate, uuid):
cpuInfo = read_cpuinfo()
memory = read_memory()
self.UUID = uuid
self.os = gate.process('distro', software.read_os(), WITHHELD_MAGIC_STRING)
self.defaultRunlevel = gate.process('run_level', software.read_runlevel(), -1)
self.bogomips = gate.process('cpu', cpuInfo.get('bogomips', 0), 0)
self.cpuVendor = gate.process('cpu', cpuInfo.get('type', ''), WITHHELD_MAGIC_STRING)
self.cpuModel = gate.process('cpu', cpuInfo.get('model', ''), WITHHELD_MAGIC_STRING)
self.cpu_stepping = gate.process('cpu', cpuInfo.get('cpu_stepping', 0), 0)
self.cpu_family = gate.process('cpu', cpuInfo.get('cpu_family', ''), '')
self.cpu_model_num = gate.process('cpu', cpuInfo.get('cpu_model_num', 0), 0)
self.numCpus = gate.process('cpu', cpuInfo.get('count', 0), 0)
self.cpuSpeed = gate.process('cpu', cpuInfo.get('speed', 0), 0)
self.systemMemory = gate.process('ram_size', memory['ram'], 0)
self.systemSwap = gate.process('swap_size', memory['swap'], 0)
self.kernelVersion = gate.process('kernel', os.uname()[2], WITHHELD_MAGIC_STRING)
if gate.grants('language'):
try:
self.language = os.environ['LANG']
except KeyError:
try:
status, lang = commands.getstatusoutput("grep LANG /etc/sysconfig/i18n")
if status == 0:
self.language = lang.split('"')[1]
else:
self.language = 'Unknown'
except:
self.language = 'Unknown'
else:
self.language = WITHHELD_MAGIC_STRING
tempform = platform.machine()
self.platform = gate.process('arch', tempform, WITHHELD_MAGIC_STRING)
if gate.grants('vendor'):
#self.systemVendor = hostInfo.get('system.vendor'
try:
self.systemVendor = cat('/sys/devices/virtual/dmi/id/sys_vendor')[0].strip()
except:
self.systemVendor = 'Unknown'
else:
self.systemVendor = WITHHELD_MAGIC_STRING
if gate.grants('model'):
try:
self.systemModel = cat('/sys/devices/virtual/dmi/id/product_name')[0].strip() + ' ' + cat('/sys/devices/virtual/dmi/id/product_version')[0].strip()
except:
self.systemModel = 'Unknown'
#hostInfo was removed with the hal restructure
#if not self.systemModel:
#self.systemModel = hostInfo.get('system.hardware.product')
#if hostInfo.get('system.hardware.version'):
#self.systemModel += ' ' + hostInfo.get('system.hardware.version')
#if not self.systemModel:
#self.systemModel = 'Unknown'
else:
self.systemModel = WITHHELD_MAGIC_STRING
if gate.grants('form_factor'):
try:
formfactor_id = int(cat('/sys/devices/virtual/dmi/id/chassis_type')[0].strip())
self.formfactor = FORMFACTOR_LIST[formfactor_id]
except:
self.formfactor = 'Unknown'
else:
self.formfactor = WITHHELD_MAGIC_STRING
if tempform == 'ppc64':
if hostInfo.get('openfirmware.model'):
if hostInfo['openfirmware.model'][:3] == 'IBM':
self.systemVendor = 'IBM'
model = hostInfo['openfirmware.model'][4:8]
model_map = {
'8842':'JS20',
'6779':'JS21',
'6778':'JS21',
'7988':'JS21',
'8844':'JS21',
'0200':'QS20',
'0792':'QS21',
}
try:
model_name = model_map[model]
self.systemModel = gate.process('model', model_name)
self.formfactor = gate.process('form_factor', 'Blade')
except KeyError:
pass
if gate.grants('selinux'):
try:
import selinux
try:
if selinux.is_selinux_enabled() == 1:
self.selinux_enabled = SELINUX_ENABLED
else:
self.selinux_enabled = SELINUX_DISABLED
except:
self.selinux_enabled = SELINUX_DISABLED
try:
self.selinux_policy = selinux.selinux_getpolicytype()[1]
except:
self.selinux_policy = "Unknown"
try:
enforce = selinux.security_getenforce()
if enforce == 0:
self.selinux_enforce = "Permissive"
elif enforce == 1:
self.selinux_enforce = "Enforcing"
elif enforce == -1:
self.selinux_enforce = "Disabled"
else:
self.selinux_enforce = "FUBARD"
except:
self.selinux_enforce = "Unknown"
except ImportError:
self.selinux_enabled = SELINUX_DISABLED
self.selinux_policy = "Not Installed"
self.selinux_enforce = "Not Installed"
else:
self.selinux_enabled = SELINUX_WITHHELD
self.selinux_policy = WITHHELD_MAGIC_STRING
self.selinux_enforce = WITHHELD_MAGIC_STRING
def __init__(self, hostInfo):
cpuInfo = read_cpuinfo()
memory = read_memory()
self.UUID = getUUID()
self.os = Gate().process('distro', software.read_os(), WITHHELD_MAGIC_STRING)
self.defaultRunlevel = Gate().process('run_level', software.read_runlevel(), -1)
self.bogomips = Gate().process('cpu', cpuInfo['bogomips'], 0)
self.cpuVendor = Gate().process('cpu', cpuInfo['type'], WITHHELD_MAGIC_STRING)
self.cpuModel = Gate().process('cpu', cpuInfo['model'], WITHHELD_MAGIC_STRING)
self.cpu_stepping = Gate().process('cpu', cpuInfo['cpu_stepping'], 0)
self.cpu_family = Gate().process('cpu', cpuInfo['cpu_family'], 0)
self.cpu_model_num = Gate().process('cpu', cpuInfo['cpu_model_num'], 0)
self.numCpus = Gate().process('cpu', cpuInfo['count'], 0)
self.cpuSpeed = Gate().process('cpu', cpuInfo['speed'], 0)
self.systemMemory = Gate().process('ram_size', memory['ram'], 0)
self.systemSwap = Gate().process('swap_size', memory['swap'], 0)
self.kernelVersion = Gate().process('kernel', os.uname()[2], WITHHELD_MAGIC_STRING)
if Gate().grants('language'):
try:
self.language = os.environ['LANG']
except KeyError:
self.language = 'Unknown'
else:
self.language = WITHHELD_MAGIC_STRING
try:
tempform = hostInfo['system.kernel.machine']
except KeyError:
tempform = 'Unknown'
self.platform = Gate().process('arch', tempform, WITHHELD_MAGIC_STRING)
if Gate().grants('vendor'):
self.systemVendor = hostInfo.get('system.vendor')
if not self.systemVendor:
self.systemVendor = hostInfo.get('system.hardware.vendor')
if not self.systemVendor:
self.systemVendor = 'Unknown'
else:
self.systemVendor = WITHHELD_MAGIC_STRING
if Gate().grants('model'):
self.systemModel = hostInfo.get('system.product')
if not self.systemModel:
self.systemModel = hostInfo.get('system.hardware.product')
if hostInfo.get('system.hardware.version'):
self.systemModel += ' ' + hostInfo.get('system.hardware.version')
if not self.systemModel:
self.systemModel = 'Unknown'
else:
self.systemModel = WITHHELD_MAGIC_STRING
if Gate().grants('form_factor'):
try:
self.formfactor = hostInfo['system.formfactor']
except:
self.formfactor = 'Unknown'
else:
self.formfactor = WITHHELD_MAGIC_STRING
if tempform == 'ppc64':
if hostInfo.get('openfirmware.model'):
if hostInfo['openfirmware.model'][:3] == 'IBM':
self.systemVendor = 'IBM'
model = hostInfo['openfirmware.model'][4:8]
model_map = {
'8842':'JS20',
'6779':'JS21',
'6778':'JS21',
'7988':'JS21',
'8844':'JS21',
'0200':'QS20',
'0792':'QS21',
}
try:
model_name = model_map[model]
self.systemModel = Gate().process('model', model_name)
self.formfactor = Gate().process('form_factor', 'Blade')
except KeyError:
pass
if Gate().grants('selinux'):
try:
import selinux
try:
if selinux.is_selinux_enabled() == 1:
self.selinux_enabled = SELINUX_ENABLED
else:
self.selinux_enabled = SELINUX_DISABLED
except:
self.selinux_enabled = SELINUX_DISABLED
try:
self.selinux_policy = selinux.selinux_getpolicytype()[1]
except:
self.selinux_policy = "Unknown"
try:
enforce = selinux.security_getenforce()
if enforce == 0:
self.selinux_enforce = "Permissive"
elif enforce == 1:
self.selinux_enforce = "Enforcing"
elif enforce == -1:
self.selinux_enforce = "Disabled"
else:
self.selinux_enforce = "FUBARD"
except:
self.selinux_enforce = "Unknown"
except ImportError:
self.selinux_enabled = SELINUX_DISABLED
self.selinux_policy = "Not Installed"
self.selinux_enforce = "Not Installed"
else:
self.selinux_enabled = SELINUX_WITHHELD
self.selinux_policy = WITHHELD_MAGIC_STRING
self.selinux_enforce = WITHHELD_MAGIC_STRING
def main():
module = AnsibleModule(
argument_spec=dict(
policy=dict(required=False),
state=dict(choices=["enforcing", "permissive", "disabled"], required=True),
configfile=dict(aliases=["conf", "file"], default="/etc/selinux/config"),
),
supports_check_mode=True,
)
# global vars
changed = False
msgs = []
configfile = module.params["configfile"]
policy = module.params["policy"]
state = module.params["state"]
runtime_enabled = selinux.is_selinux_enabled()
runtime_policy = selinux.selinux_getpolicytype()[1]
runtime_state = "disabled"
if runtime_enabled:
# enabled means 'enforcing' or 'permissive'
if selinux.security_getenforce():
runtime_state = "enforcing"
else:
runtime_state = "permissive"
config_policy = get_config_policy(configfile)
config_state = get_config_state(configfile)
# check to see if policy is set if state is not 'disabled'
if state != "disabled":
if not policy:
module.fail_json(msg="policy is required if state is not 'disabled'")
else:
if not policy:
policy = config_policy
# check changed values and run changes
if policy != runtime_policy:
if module.check_mode:
module.exit_json(changed=True)
# cannot change runtime policy
msgs.append("reboot to change the loaded policy")
changed = True
if policy != config_policy:
if module.check_mode:
module.exit_json(changed=True)
msgs.append("config policy changed from '%s' to '%s'" % (config_policy, policy))
set_config_policy(policy, configfile)
changed = True
if state != runtime_state:
if module.check_mode:
module.exit_json(changed=True)
if runtime_enabled:
if state == "disabled":
if runtime_state != "permissive":
# Temporarily set state to permissive
set_state("permissive")
msgs.append(
"runtime state temporarily changed from '%s' to 'permissive', state change will take effect next reboot"
% (runtime_state)
)
else:
msgs.append("state change will take effect next reboot")
else:
set_state(state)
msgs.append("runtime state changed from '%s' to '%s'" % (runtime_state, state))
else:
msgs.append("state change will take effect next reboot")
changed = True
if state != config_state:
if module.check_mode:
module.exit_json(changed=True)
msgs.append("config state changed from '%s' to '%s'" % (config_state, state))
set_config_state(state, configfile)
changed = True
module.exit_json(changed=changed, msg=", ".join(msgs), configfile=configfile, policy=policy, state=state)
def main():
module = AnsibleModule(
argument_spec=dict(
policy=dict(type='str'),
state=dict(type='str',
required='True',
choices=['enforcing', 'permissive', 'disabled']),
configfile=dict(type='str',
default='/etc/selinux/config',
aliases=['conf', 'file']),
),
supports_check_mode=True,
)
if not HAS_SELINUX:
module.fail_json(msg=missing_required_lib('libselinux-python'),
exception=SELINUX_IMP_ERR)
# global vars
changed = False
msgs = []
configfile = module.params['configfile']
policy = module.params['policy']
state = module.params['state']
runtime_enabled = selinux.is_selinux_enabled()
runtime_policy = selinux.selinux_getpolicytype()[1]
runtime_state = 'disabled'
reboot_required = False
if runtime_enabled:
# enabled means 'enforcing' or 'permissive'
if selinux.security_getenforce():
runtime_state = 'enforcing'
else:
runtime_state = 'permissive'
if not os.path.isfile(configfile):
module.fail_json(msg="Unable to find file {0}".format(configfile),
details="Please install SELinux-policy package, "
"if this package is not installed previously.")
config_policy = get_config_policy(configfile)
config_state = get_config_state(configfile)
# check to see if policy is set if state is not 'disabled'
if state != 'disabled':
if not policy:
module.fail_json(
msg="Policy is required if state is not 'disabled'")
else:
if not policy:
policy = config_policy
# check changed values and run changes
if policy != runtime_policy:
if module.check_mode:
module.exit_json(changed=True)
# cannot change runtime policy
msgs.append("Running SELinux policy changed from '%s' to '%s'" %
(runtime_policy, policy))
changed = True
if policy != config_policy:
if module.check_mode:
module.exit_json(changed=True)
set_config_policy(module, policy, configfile)
msgs.append(
"SELinux policy configuration in '%s' changed from '%s' to '%s'" %
(configfile, config_policy, policy))
changed = True
if state != runtime_state:
if runtime_enabled:
if state == 'disabled':
if runtime_state != 'permissive':
# Temporarily set state to permissive
if not module.check_mode:
set_state(module, 'permissive')
module.warn(
"SELinux state temporarily changed from '%s' to 'permissive'. State change will take effect next reboot."
% (runtime_state))
changed = True
else:
module.warn(
'SELinux state change will take effect next reboot')
reboot_required = True
else:
if not module.check_mode:
set_state(module, state)
msgs.append("SELinux state changed from '%s' to '%s'" %
(runtime_state, state))
# Only report changes if the file is changed.
# This prevents the task from reporting changes every time the task is run.
changed = True
else:
module.warn("Reboot is required to set SELinux state to '%s'" %
state)
reboot_required = True
if state != config_state:
if not module.check_mode:
set_config_state(module, state, configfile)
msgs.append("Config SELinux state changed from '%s' to '%s'" %
(config_state, state))
changed = True
module.exit_json(changed=changed,
msg=', '.join(msgs),
configfile=configfile,
policy=policy,
state=state,
reboot_required=reboot_required)
def main():
module = AnsibleModule(
argument_spec=dict(
policy=dict(required=False),
state=dict(choices=['enforcing', 'permissive', 'disabled'], required=True),
configfile=dict(aliases=['conf', 'file'], default='/etc/selinux/config')
),
supports_check_mode=True
)
if not HAS_SELINUX:
module.fail_json(msg='libselinux-python required for this module')
# global vars
changed = False
msgs = []
configfile = module.params['configfile']
policy = module.params['policy']
state = module.params['state']
runtime_enabled = selinux.is_selinux_enabled()
runtime_policy = selinux.selinux_getpolicytype()[1]
runtime_state = 'disabled'
reboot_required = False
if runtime_enabled:
# enabled means 'enforcing' or 'permissive'
if selinux.security_getenforce():
runtime_state = 'enforcing'
else:
runtime_state = 'permissive'
if not os.path.isfile(configfile):
module.fail_json(msg="Unable to find file {0}".format(configfile),
details="Please install SELinux-policy package, "
"if this package is not installed previously.")
config_policy = get_config_policy(configfile)
config_state = get_config_state(configfile)
# check to see if policy is set if state is not 'disabled'
if state != 'disabled':
if not policy:
module.fail_json(msg='Policy is required if state is not \'disabled\'')
else:
if not policy:
policy = config_policy
# check changed values and run changes
if policy != runtime_policy:
if module.check_mode:
module.exit_json(changed=True)
# cannot change runtime policy
msgs.append('Running SELinux policy changed from \'%s\' to \'%s\'' % (runtime_policy, policy))
changed = True
if policy != config_policy:
if module.check_mode:
module.exit_json(changed=True)
set_config_policy(module, policy, configfile)
msgs.append('SELinux policy configuration in \'%s\' changed from \'%s\' to \'%s\'' % (configfile, config_policy, policy))
changed = True
if state != runtime_state:
if module.check_mode:
module.exit_json(changed=True)
if runtime_enabled:
if state == 'disabled':
if runtime_state != 'permissive':
# Temporarily set state to permissive
set_state(module, 'permissive')
module.warn('SELinux state temporarily changed from \'%s\' to \'permissive\'. State change will take effect next reboot.' % (runtime_state))
else:
module.warn('SELinux state change will take effect next reboot')
reboot_required = True
else:
set_state(module, state)
msgs.append('SELinux state changed from \'%s\' to \'%s\'' % (runtime_state, state))
# Only report changes if the file is changed.
# This prevents the task from reporting changes every time the task is run.
changed = True
else:
module.warn("Reboot is required to set SELinux state to %s" % state)
reboot_required = True
if state != config_state:
if module.check_mode:
module.exit_json(changed=True)
msgs.append('Config SELinux state changed from \'%s\' to \'%s\'' % (config_state, state))
set_config_state(module, state, configfile)
changed = True
module.exit_json(changed=changed, msg=', '.join(msgs), configfile=configfile, policy=policy, state=state, reboot_required=reboot_required)
def main():
module = AnsibleModule(
argument_spec=dict(
policy=dict(required=False),
state=dict(choices=['enforcing', 'permissive', 'disabled'], required=True),
configfile=dict(aliases=['conf', 'file'], default='/etc/selinux/config')
),
supports_check_mode=True
)
if not HAS_SELINUX:
module.fail_json(msg='libselinux-python required for this module')
# global vars
changed = False
msgs = []
configfile = module.params['configfile']
policy = module.params['policy']
state = module.params['state']
runtime_enabled = selinux.is_selinux_enabled()
runtime_policy = selinux.selinux_getpolicytype()[1]
runtime_state = 'disabled'
if runtime_enabled:
# enabled means 'enforcing' or 'permissive'
if selinux.security_getenforce():
runtime_state = 'enforcing'
else:
runtime_state = 'permissive'
if not os.path.isfile(configfile):
module.fail_json(msg="Unable to find file {0}".format(configfile),
details="Please install SELinux-policy package, "
"if this package is not installed previously.")
config_policy = get_config_policy(configfile)
config_state = get_config_state(configfile)
# check to see if policy is set if state is not 'disabled'
if state != 'disabled':
if not policy:
module.fail_json(msg='policy is required if state is not \'disabled\'')
else:
if not policy:
policy = config_policy
# check changed values and run changes
if policy != runtime_policy:
if module.check_mode:
module.exit_json(changed=True)
# cannot change runtime policy
msgs.append('reboot to change the loaded policy')
changed = True
if policy != config_policy:
if module.check_mode:
module.exit_json(changed=True)
msgs.append('config policy changed from \'%s\' to \'%s\'' % (config_policy, policy))
set_config_policy(policy, configfile)
changed = True
if state != runtime_state:
if module.check_mode:
module.exit_json(changed=True)
if runtime_enabled:
if state == 'disabled':
if runtime_state != 'permissive':
# Temporarily set state to permissive
set_state(module, 'permissive')
msgs.append('runtime state temporarily changed from \'%s\' to \'permissive\', state change will take effect next reboot' % (runtime_state))
else:
msgs.append('state change will take effect next reboot')
else:
set_state(module, state)
msgs.append('runtime state changed from \'%s\' to \'%s\'' % (runtime_state, state))
else:
msgs.append('state change will take effect next reboot')
changed = True
if state != config_state:
if module.check_mode:
module.exit_json(changed=True)
msgs.append('config state changed from \'%s\' to \'%s\'' % (config_state, state))
set_config_state(state, configfile)
changed = True
module.exit_json(changed=changed, msg=', '.join(msgs), configfile=configfile, policy=policy, state=state)
def SELinuxPolicy():
try:
poltype = selinux.selinux_getpolicytype()
except:
poltype = ""
return poltype,
def main():
module = AnsibleModule(
argument_spec=dict(
policy=dict(required=False),
state=dict(
choices=['enforcing', 'permissive', 'disabled'],
required=True),
configfile=dict(
aliases=['conf', 'file'], default='/etc/selinux/config')),
supports_check_mode=True)
# global vars
changed = False
msgs = []
configfile = module.params['configfile']
policy = module.params['policy']
state = module.params['state']
runtime_enabled = selinux.is_selinux_enabled()
runtime_policy = selinux.selinux_getpolicytype()[1]
runtime_state = 'disabled'
if (runtime_enabled):
# enabled means 'enforcing' or 'permissive'
if (selinux.security_getenforce()):
runtime_state = 'enforcing'
else:
runtime_state = 'permissive'
config_policy = get_config_policy(configfile)
config_state = get_config_state(configfile)
# check to see if policy is set if state is not 'disabled'
if (state != 'disabled'):
if not policy:
module.fail_json(
msg='policy is required if state is not \'disabled\'')
else:
if not policy:
policy = config_policy
# check changed values and run changes
if (policy != runtime_policy):
if module.check_mode:
module.exit_json(changed=True)
# cannot change runtime policy
msgs.append('reboot to change the loaded policy')
changed = True
if (policy != config_policy):
if module.check_mode:
module.exit_json(changed=True)
msgs.append('config policy changed from \'%s\' to \'%s\'' %
(config_policy, policy))
set_config_policy(policy, configfile)
changed = True
if (state != runtime_state):
if module.check_mode:
module.exit_json(changed=True)
if (state == 'disabled'):
msgs.append('state change will take effect next reboot')
else:
if (runtime_enabled):
set_state(state)
msgs.append('runtime state changed from \'%s\' to \'%s\'' %
(runtime_state, state))
else:
msgs.append('state change will take effect next reboot')
changed = True
if (state != config_state):
if module.check_mode:
module.exit_json(changed=True)
msgs.append('config state changed from \'%s\' to \'%s\'' %
(config_state, state))
set_config_state(state, configfile)
changed = True
module.exit_json(
changed=changed,
msg=', '.join(msgs),
configfile=configfile,
policy=policy,
state=state)
def __init__(self, gate, uuid):
cpuInfo = read_cpuinfo()
memory = read_memory()
self.UUID = uuid
self.os = gate.process('distro', software.read_os(),
WITHHELD_MAGIC_STRING)
self.defaultRunlevel = gate.process('run_level',
software.read_runlevel(), -1)
self.bogomips = gate.process('cpu', cpuInfo.get('bogomips', 0), 0)
self.cpuVendor = gate.process('cpu', cpuInfo.get('type', ''),
WITHHELD_MAGIC_STRING)
self.cpuModel = gate.process('cpu', cpuInfo.get('model', ''),
WITHHELD_MAGIC_STRING)
self.cpu_stepping = gate.process('cpu', cpuInfo.get('cpu_stepping', 0),
0)
self.cpu_family = gate.process('cpu', cpuInfo.get('cpu_family', ''),
'')
self.cpu_model_num = gate.process('cpu',
cpuInfo.get('cpu_model_num', 0), 0)
self.numCpus = gate.process('cpu', cpuInfo.get('count', 0), 0)
self.cpuSpeed = gate.process('cpu', cpuInfo.get('speed', 0), 0)
self.systemMemory = gate.process('ram_size', memory['ram'], 0)
self.systemSwap = gate.process('swap_size', memory['swap'], 0)
self.kernelVersion = gate.process('kernel',
os.uname()[2], WITHHELD_MAGIC_STRING)
if gate.grants('language'):
try:
self.language = os.environ['LANG']
except KeyError:
try:
status, lang = commands.getstatusoutput(
"grep LANG /etc/sysconfig/i18n")
if status == 0:
self.language = lang.split('"')[1]
else:
self.language = 'Unknown'
except:
self.language = 'Unknown'
else:
self.language = WITHHELD_MAGIC_STRING
tempform = platform.machine()
self.platform = gate.process('arch', tempform, WITHHELD_MAGIC_STRING)
if gate.grants('vendor'):
#self.systemVendor = hostInfo.get('system.vendor'
try:
self.systemVendor = cat(
'/sys/devices/virtual/dmi/id/sys_vendor')[0].strip()
except:
self.systemVendor = 'Unknown'
else:
self.systemVendor = WITHHELD_MAGIC_STRING
if gate.grants('model'):
try:
self.systemModel = cat(
'/sys/devices/virtual/dmi/id/product_name'
)[0].strip() + ' ' + cat(
'/sys/devices/virtual/dmi/id/product_version')[0].strip()
except:
self.systemModel = 'Unknown'
#hostInfo was removed with the hal restructure
#if not self.systemModel:
#self.systemModel = hostInfo.get('system.hardware.product')
#if hostInfo.get('system.hardware.version'):
#self.systemModel += ' ' + hostInfo.get('system.hardware.version')
#if not self.systemModel:
#self.systemModel = 'Unknown'
else:
self.systemModel = WITHHELD_MAGIC_STRING
if gate.grants('form_factor'):
try:
formfactor_id = int(
cat('/sys/devices/virtual/dmi/id/chassis_type')[0].strip())
self.formfactor = FORMFACTOR_LIST[formfactor_id]
except:
self.formfactor = 'Unknown'
else:
self.formfactor = WITHHELD_MAGIC_STRING
if tempform == 'ppc64':
if hostInfo.get('openfirmware.model'):
if hostInfo['openfirmware.model'][:3] == 'IBM':
self.systemVendor = 'IBM'
model = hostInfo['openfirmware.model'][4:8]
model_map = {
'8842': 'JS20',
'6779': 'JS21',
'6778': 'JS21',
'7988': 'JS21',
'8844': 'JS21',
'0200': 'QS20',
'0792': 'QS21',
}
try:
model_name = model_map[model]
self.systemModel = gate.process('model', model_name)
self.formfactor = gate.process('form_factor', 'Blade')
except KeyError:
pass
if gate.grants('selinux'):
try:
import selinux
try:
if selinux.is_selinux_enabled() == 1:
self.selinux_enabled = SELINUX_ENABLED
else:
self.selinux_enabled = SELINUX_DISABLED
except:
self.selinux_enabled = SELINUX_DISABLED
try:
self.selinux_policy = selinux.selinux_getpolicytype()[1]
except:
self.selinux_policy = "Unknown"
try:
enforce = selinux.security_getenforce()
if enforce == 0:
self.selinux_enforce = "Permissive"
elif enforce == 1:
self.selinux_enforce = "Enforcing"
elif enforce == -1:
self.selinux_enforce = "Disabled"
else:
self.selinux_enforce = "FUBARD"
except:
self.selinux_enforce = "Unknown"
except ImportError:
self.selinux_enabled = SELINUX_DISABLED
self.selinux_policy = "Not Installed"
self.selinux_enforce = "Not Installed"
else:
self.selinux_enabled = SELINUX_WITHHELD
self.selinux_policy = WITHHELD_MAGIC_STRING
self.selinux_enforce = WITHHELD_MAGIC_STRING