-
Notifications
You must be signed in to change notification settings - Fork 1.6k
/
sefcontext.py
384 lines (325 loc) · 13.7 KB
/
sefcontext.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright (c) 2016, Dag Wieers (@dagwieers) <[email protected]>
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = r"""
module: sefcontext
short_description: Manages SELinux file context mapping definitions
description:
- Manages SELinux file context mapping definitions.
- Similar to the C(semanage fcontext) command.
extends_documentation_fragment:
- community.general.attributes
- community.general.attributes.platform
attributes:
check_mode:
support: full
diff_mode:
support: full
platform:
platforms: linux
options:
target:
description:
- Target path (expression).
type: str
required: true
aliases: [path]
ftype:
description:
- The file type that should have SELinux contexts applied.
- 'The following file type options are available:'
- V(a) for all files,
- V(b) for block devices,
- V(c) for character devices,
- V(d) for directories,
- V(f) for regular files,
- V(l) for symbolic links,
- V(p) for named pipes,
- V(s) for socket files.
type: str
choices: [a, b, c, d, f, l, p, s]
default: a
setype:
description:
- SELinux type for the specified O(target).
type: str
substitute:
description:
- Path to use to substitute file context(s) for the specified O(target). The context labeling for the O(target) subtree
is made equivalent to this path.
- This is also referred to as SELinux file context equivalence and it implements the C(equal) functionality of the SELinux
management tools.
version_added: 6.4.0
type: str
aliases: [equal]
seuser:
description:
- SELinux user for the specified O(target).
- Defaults to V(system_u) for new file contexts and to existing value when modifying file contexts.
type: str
selevel:
description:
- SELinux range for the specified O(target).
- Defaults to V(s0) for new file contexts and to existing value when modifying file contexts.
type: str
aliases: [serange]
state:
description:
- Whether the SELinux file context must be V(absent) or V(present).
- Specifying V(absent) without either O(setype) or O(substitute) deletes both SELinux type or path substitution mappings
that match O(target).
type: str
choices: [absent, present]
default: present
reload:
description:
- Reload SELinux policy after commit.
- Note that this does not apply SELinux file contexts to existing files.
type: bool
default: true
ignore_selinux_state:
description:
- Useful for scenarios (chrooted environment) that you cannot get the real SELinux state.
type: bool
default: false
notes:
- The changes are persistent across reboots.
- O(setype) and O(substitute) are mutually exclusive.
- If O(state=present) then one of O(setype) or O(substitute) is mandatory.
- The M(community.general.sefcontext) module does not modify existing files to the new SELinux context(s), so it is advisable
to first create the SELinux file contexts before creating files, or run C(restorecon) manually for the existing files
that require the new SELinux file contexts.
- Not applying SELinux fcontexts to existing files is a deliberate decision as it would be unclear what reported changes
would entail to, and there is no guarantee that applying SELinux fcontext does not pick up other unrelated prior changes.
requirements:
- libselinux-python
- policycoreutils-python
author:
- Dag Wieers (@dagwieers)
"""
EXAMPLES = r"""
- name: Allow apache to modify files in /srv/git_repos
community.general.sefcontext:
target: '/srv/git_repos(/.*)?'
setype: httpd_sys_rw_content_t
state: present
- name: Substitute file contexts for path /srv/containers with /var/lib/containers
community.general.sefcontext:
target: /srv/containers
substitute: /var/lib/containers
state: present
- name: Delete file context path substitution for /srv/containers
community.general.sefcontext:
target: /srv/containers
substitute: /var/lib/containers
state: absent
- name: Delete any file context mappings for path /srv/git
community.general.sefcontext:
target: /srv/git
state: absent
- name: Apply new SELinux file context to filesystem
ansible.builtin.command: restorecon -irv /srv/git_repos
"""
RETURN = r"""
# Default return values
"""
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.common.text.converters import to_native
SELINUX_IMP_ERR = None
try:
import selinux
HAVE_SELINUX = True
except ImportError:
SELINUX_IMP_ERR = traceback.format_exc()
HAVE_SELINUX = False
SEOBJECT_IMP_ERR = None
try:
import seobject
HAVE_SEOBJECT = True
except ImportError:
SEOBJECT_IMP_ERR = traceback.format_exc()
HAVE_SEOBJECT = False
# Add missing entries (backward compatible)
if HAVE_SEOBJECT:
seobject.file_types.update(
a=seobject.SEMANAGE_FCONTEXT_ALL,
b=seobject.SEMANAGE_FCONTEXT_BLOCK,
c=seobject.SEMANAGE_FCONTEXT_CHAR,
d=seobject.SEMANAGE_FCONTEXT_DIR,
f=seobject.SEMANAGE_FCONTEXT_REG,
l=seobject.SEMANAGE_FCONTEXT_LINK,
p=seobject.SEMANAGE_FCONTEXT_PIPE,
s=seobject.SEMANAGE_FCONTEXT_SOCK,
)
# Make backward compatible
option_to_file_type_str = dict(
a='all files',
b='block device',
c='character device',
d='directory',
f='regular file',
l='symbolic link',
p='named pipe',
s='socket',
)
def get_runtime_status(ignore_selinux_state=False):
return True if ignore_selinux_state is True else selinux.is_selinux_enabled()
def semanage_fcontext_exists(sefcontext, target, ftype):
''' Get the SELinux file context mapping definition from policy. Return None if it does not exist. '''
# Beware that records comprise of a string representation of the file_type
record = (target, option_to_file_type_str[ftype])
records = sefcontext.get_all()
try:
return records[record]
except KeyError:
return None
def semanage_fcontext_substitute_exists(sefcontext, target):
''' Get the SELinux file context path substitution definition from policy. Return None if it does not exist. '''
return sefcontext.equiv_dist.get(target, sefcontext.equiv.get(target))
def semanage_fcontext_modify(module, result, target, ftype, setype, substitute, do_reload, serange, seuser, sestore=''):
''' Add or modify SELinux file context mapping definition to the policy. '''
changed = False
prepared_diff = ''
try:
sefcontext = seobject.fcontextRecords(sestore)
sefcontext.set_reload(do_reload)
if substitute is None:
exists = semanage_fcontext_exists(sefcontext, target, ftype)
if exists:
# Modify existing entry
orig_seuser, orig_serole, orig_setype, orig_serange = exists
if seuser is None:
seuser = orig_seuser
if serange is None:
serange = orig_serange
if setype != orig_setype or seuser != orig_seuser or serange != orig_serange:
if not module.check_mode:
sefcontext.modify(target, setype, ftype, serange, seuser)
changed = True
if module._diff:
prepared_diff += '# Change to semanage file context mappings\n'
prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, orig_seuser, orig_serole, orig_setype, orig_serange)
prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, orig_serole, setype, serange)
else:
# Add missing entry
if seuser is None:
seuser = 'system_u'
if serange is None:
serange = 's0'
if not module.check_mode:
sefcontext.add(target, setype, ftype, serange, seuser)
changed = True
if module._diff:
prepared_diff += '# Addition to semanage file context mappings\n'
prepared_diff += '+%s %s %s:%s:%s:%s\n' % (target, ftype, seuser, 'object_r', setype, serange)
else:
exists = semanage_fcontext_substitute_exists(sefcontext, target)
if exists:
# Modify existing path substitution entry
orig_substitute = exists
if substitute != orig_substitute:
if not module.check_mode:
sefcontext.modify_equal(target, substitute)
changed = True
if module._diff:
prepared_diff += '# Change to semanage file context path substitutions\n'
prepared_diff += '-%s = %s\n' % (target, orig_substitute)
prepared_diff += '+%s = %s\n' % (target, substitute)
else:
# Add missing path substitution entry
if not module.check_mode:
sefcontext.add_equal(target, substitute)
changed = True
if module._diff:
prepared_diff += '# Addition to semanage file context path substitutions\n'
prepared_diff += '+%s = %s\n' % (target, substitute)
except Exception as e:
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))
if module._diff and prepared_diff:
result['diff'] = dict(prepared=prepared_diff)
module.exit_json(changed=changed, seuser=seuser, serange=serange, **result)
def semanage_fcontext_delete(module, result, target, ftype, setype, substitute, do_reload, sestore=''):
''' Delete SELinux file context mapping definition from the policy. '''
changed = False
prepared_diff = ''
try:
sefcontext = seobject.fcontextRecords(sestore)
sefcontext.set_reload(do_reload)
exists = semanage_fcontext_exists(sefcontext, target, ftype)
substitute_exists = semanage_fcontext_substitute_exists(sefcontext, target)
if exists and substitute is None:
# Remove existing entry
orig_seuser, orig_serole, orig_setype, orig_serange = exists
if not module.check_mode:
sefcontext.delete(target, ftype)
changed = True
if module._diff:
prepared_diff += '# Deletion to semanage file context mappings\n'
prepared_diff += '-%s %s %s:%s:%s:%s\n' % (target, ftype, exists[0], exists[1], exists[2], exists[3])
if substitute_exists and setype is None and ((substitute is not None and substitute_exists == substitute) or substitute is None):
# Remove existing path substitution entry
orig_substitute = substitute_exists
if not module.check_mode:
sefcontext.delete(target, orig_substitute)
changed = True
if module._diff:
prepared_diff += '# Deletion to semanage file context path substitutions\n'
prepared_diff += '-%s = %s\n' % (target, orig_substitute)
except Exception as e:
module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))
if module._diff and prepared_diff:
result['diff'] = dict(prepared=prepared_diff)
module.exit_json(changed=changed, **result)
def main():
module = AnsibleModule(
argument_spec=dict(
ignore_selinux_state=dict(type='bool', default=False),
target=dict(type='str', required=True, aliases=['path']),
ftype=dict(type='str', default='a', choices=list(option_to_file_type_str.keys())),
setype=dict(type='str'),
substitute=dict(type='str', aliases=['equal']),
seuser=dict(type='str'),
selevel=dict(type='str', aliases=['serange']),
state=dict(type='str', default='present', choices=['absent', 'present']),
reload=dict(type='bool', default=True),
),
mutually_exclusive=[
('setype', 'substitute'),
('substitute', 'ftype'),
('substitute', 'seuser'),
('substitute', 'selevel'),
],
required_if=[
('state', 'present', ('setype', 'substitute'), True),
],
supports_check_mode=True,
)
if not HAVE_SELINUX:
module.fail_json(msg=missing_required_lib("libselinux-python"), exception=SELINUX_IMP_ERR)
if not HAVE_SEOBJECT:
module.fail_json(msg=missing_required_lib("policycoreutils-python"), exception=SEOBJECT_IMP_ERR)
ignore_selinux_state = module.params['ignore_selinux_state']
if not get_runtime_status(ignore_selinux_state):
module.fail_json(msg="SELinux is disabled on this host.")
target = module.params['target']
ftype = module.params['ftype']
setype = module.params['setype']
substitute = module.params['substitute']
seuser = module.params['seuser']
serange = module.params['selevel']
state = module.params['state']
do_reload = module.params['reload']
result = dict(target=target, ftype=ftype, setype=setype, substitute=substitute, state=state)
if state == 'present':
semanage_fcontext_modify(module, result, target, ftype, setype, substitute, do_reload, serange, seuser)
elif state == 'absent':
semanage_fcontext_delete(module, result, target, ftype, setype, substitute, do_reload)
else:
module.fail_json(msg='Invalid value of argument "state": {0}'.format(state))
if __name__ == '__main__':
main()