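def _default_or_disk_type(path: str) -> str:
    """Return the SELinux type *path* would be restored to, else its on-disk type.

    ``diff_defcon(path, False)`` reports context differences between the
    on-disk label and the policy default for *path* itself; the second
    argument is False so sub-directories are not descended into (we want the
    base-directory default only).  Each reported entry is a tuple whose third
    item is the default context.  An empty report (IndexError on ``[0]``)
    means the on-disk label already *is* the default, so that is used.
    """
    try:
        context = utils_selinux.diff_defcon(path, False)[0][2]
    except IndexError:
        # Nothing to restore: the on-disk context matches the default.
        context = utils_selinux.get_context_of_file(path)
    # Only the type component (e.g. ``virt_image_t``) is compared.
    return utils_selinux.get_type_from_context(context)


def haz_defcon(datadir: str, imagesdir: str, isosdir: str, tmpdir: str) -> bool:
    """Return True if all four directories already carry the expected types.

    Each directory is checked via the default-context diff (the original
    note calls this "exploiting restorecon -n", i.e. a dry run) because
    searching the default contexts directly is very slow.  The expected
    types are hard-coded: there are only four and they are widely used.

    Args:
        datadir:   libvirt data directory, expected ``virt_var_lib_t``.
        imagesdir: disk image directory, expected ``virt_image_t``.
        isosdir:   ISO/content directory, expected ``virt_content_t``.
        tmpdir:    temporary directory, expected ``user_tmp_t``.

    Returns:
        True when no change is needed, False if any directory's type differs.
        Checks stop at the first mismatch; the checks are read-only.
    """
    expected = (
        (datadir, 'virt_var_lib_t'),
        (imagesdir, 'virt_image_t'),
        (isosdir, 'virt_content_t'),
        (tmpdir, 'user_tmp_t'),
    )
    return all(_default_or_disk_type(path) == want for path, want in expected)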
def set_defcon(datadir, imagesdir, isosdir, tmpdir): """ Tries to set datadir default contexts returns True if changed """ made_changes = False try: # Returns list of tuple(pathname, from, to) of context differences # between on-disk and defaults. Only interested in top-level # object [0] and the context it would change to [2] data_type = utils_selinux.diff_defcon(datadir, False)[0][2] # Extrach only the type existing_data = utils_selinux.get_type_from_context(data_type) except IndexError: existing_data = None try: images_type = utils_selinux.diff_defcon(imagesdir, False)[0][2] existing_images = utils_selinux.get_type_from_context(images_type) except IndexError: existing_images = None try: isos_type = utils_selinux.diff_defcon(isosdir, False)[0][2] existing_isos = utils_selinux.get_type_from_context(isos_type) except IndexError: existing_isos = None try: tmp_type = utils_selinux.diff_defcon(tmpdir, False)[0][2] existing_tmp = utils_selinux.get_type_from_context(tmp_type) except IndexError: existing_tmp = None # Only print slow info message one time could_be_slow = False msg = "Defining default contexts, this could take a few seconds..." # Changing default contexts is *slow*, avoid it if not necessary if existing_data is None or existing_data is not 'virt_var_lib_t': # semanage gives errors if don't treat /usr & /usr/local the same data_regex = utils_selinux.transmogrify_usr_local(datadir) logging.info(msg) could_be_slow = True # This applies only to datadir symlink, not sub-directories! 
utils_selinux.set_defcon('virt_var_lib_t', data_regex) made_changes = True if existing_images is None or existing_images is not 'virt_image_t': # Applies to imagesdir and everything below images_regex = utils_selinux.transmogrify_usr_local(imagesdir) images_regex = utils_selinux.transmogrify_sub_dirs(images_regex) if not could_be_slow: logging.info(msg) could_be_slow = True utils_selinux.set_defcon('virt_image_t', images_regex) made_changes = True if existing_isos is None or existing_isos is not 'virt_content_t': # Applies to isosdir and everything below isos_regex = utils_selinux.transmogrify_usr_local(isosdir) isos_regex = utils_selinux.transmogrify_sub_dirs(isos_regex) if not could_be_slow: logging.info(msg) could_be_slow = True utils_selinux.set_defcon('virt_content_t', isos_regex) made_changes = True if existing_tmp is None or existing_tmp is not 'user_tmp_t': tmp_regex = utils_selinux.transmogrify_usr_local(tmpdir) tmp_regex = utils_selinux.transmogrify_sub_dirs(tmp_regex) if not could_be_slow: logging.info(msg) could_be_slow = True utils_selinux.set_defcon('user_tmp_t', tmp_regex) made_changes = True return made_changes