Module: Puppet::Util::SELinux

Included in: SELFileContext, FileType
Defined in: lib/puppet/util/selinux.rb

Constant Summary

S_IFREG = 0o100000
S_IFDIR = 0o040000
S_IFLNK = 0o120000

Class Method Details

.selinux_support? ⇒ Boolean

Returns:

  • (Boolean)

# File 'lib/puppet/util/selinux.rb', line 21

def self.selinux_support?
  return false unless defined?(Selinux)
  if Selinux.is_selinux_enabled == 1
    return true
  end

  false
end

Instance Method Details

#get_selinux_current_context(file) ⇒ Object

Retrieve and return the full context of the file. If we don’t have SELinux support or if the SELinux call fails then return nil.

# File 'lib/puppet/util/selinux.rb', line 36

def get_selinux_current_context(file)
  return nil unless selinux_support?

  retval = Selinux.lgetfilecon(file)
  if retval == -1
    return nil
  end

  retval[1]
end

#get_selinux_default_context(file, resource_ensure = nil) ⇒ Object

Deprecated. matchpathcon is deprecated; selabel_lookup is preferred.

Retrieve and return the default context of the file. If we don’t have SELinux support, or if the SELinux call fails to find a default, then return nil.

# File 'lib/puppet/util/selinux.rb', line 50

def get_selinux_default_context(file, resource_ensure = nil)
  return nil unless selinux_support?
  # If the filesystem has no support for SELinux labels, return a default of nil
  # instead of what matchpathcon would return
  return nil unless selinux_label_support?(file)

  # If the file exists we should pass the mode to matchpathcon for the most specific
  # matching.  If not, we can pass a mode of 0.
  mode = file_mode(file, resource_ensure)

  retval = Selinux.matchpathcon(file, mode)
  retval == -1 ? nil : retval[1]
end

#get_selinux_default_context_with_handle(file, handle, resource_ensure = nil) ⇒ Object

Retrieve and return the default context of the file using an SELinux handle. If we don’t have SELinux support, or if the SELinux call fails to find a default, then return nil.

Raises:

  • (ArgumentError)

# File 'lib/puppet/util/selinux.rb', line 67

def get_selinux_default_context_with_handle(file, handle, resource_ensure = nil)
  return nil unless selinux_support?
  # If the filesystem has no support for SELinux labels, return a default of nil
  # instead of what selabel_lookup would return
  return nil unless selinux_label_support?(file)

  # Handle is needed for selabel_lookup
  raise ArgumentError, _("Cannot get default context with nil handle") unless handle

  # If the file exists we should pass the mode to selabel_lookup for the most specific
  # matching.  If not, we can pass a mode of 0.
  mode = file_mode(file, resource_ensure)

  retval = Selinux.selabel_lookup(handle, file, mode)
  retval == -1 ? nil : retval[1]
end

#parse_selinux_context(component, context) ⇒ Object

Take the full SELinux context returned from the tools and parse it out to the three (or four) component parts. Supports :seluser, :selrole, :seltype, and on systems with range support, :selrange.

# File 'lib/puppet/util/selinux.rb', line 87

def parse_selinux_context(component, context)
  if context.nil? or context == "unlabeled"
    return nil
  end

  components = /^([^\s:]+):([^\s:]+):([^\s:]+)(?::([\sa-zA-Z0-9:,._-]+))?$/.match(context)
  unless components
    raise Puppet::Error, _("Invalid context to parse: %{context}") % { context: context }
  end

  case component
  when :seluser
    components[1]
  when :selrole
    components[2]
  when :seltype
    components[3]
  when :selrange
    components[4]
  else
    raise Puppet::Error, _("Invalid SELinux parameter type")
  end
end

#selinux_category_to_label(category) ⇒ String

selinux_category_to_label is an internal method that converts SELinux categories to their internal (numeric) representation, avoiding potential issues when mcstransd is not functional.

It is not marked private because it is needed by File’s selcontext.rb, but it is not intended for use outside of Puppet’s code.

Parameters:

  • category (String)

    An SELinux category, such as “s0” or “SystemLow”

Returns:

  • (String)

    the numeric category name, such as “s0”

# File 'lib/puppet/util/selinux.rb', line 187

def selinux_category_to_label(category)
  # We don't cache this, but there's already a ton of duplicate work
  # in the selinux handling code.

  path = Selinux.selinux_translations_path
  begin
    # File.foreach closes the file when the block finishes, unlike File.open(path).each
    File.foreach(path) do |line|
      line.strip!
      next if line.empty?
      next if line[0] == "#" # skip comments

      line.gsub!(/[[:space:]]+/m, '')
      mapping = line.split("=", 2)
      if category == mapping[1]
        return mapping[0]
      end
    end
  rescue SystemCallError => ex
    log_exception(ex)
    # Interpolate the path that failed to open (the original referenced an undefined `context`)
    raise Puppet::Error, _("Could not open SELinux category translation file %{path}.") % { path: path }
  end

  category
end
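The translation-table lookup that selinux_category_to_label performs, as an added example that is not Puppet’s code: it reads a constructed setrans.conf-style table embedded in the block instead of the file at Selinux.selinux_translations_path, so it runs without libselinux. The name category_to_label is the example’s own.

```ruby
# Added example (not Puppet's code): the setrans.conf lookup done by
# selinux_category_to_label, over a constructed table instead of the
# file at Selinux.selinux_translations_path.
SETRANS_SAMPLE = <<~CONF
  # constructed sample in /etc/selinux/<policy>/setrans.conf format
  s0=SystemLow
  s0-s0:c0.c1023=SystemLow-SystemHigh

  s0:c0.c1023 = SystemHigh
  s0:c0 = Customer A
CONF

# Map a translated name (the right-hand side of '=') back to the raw
# label on the left-hand side. Raw labels and unknown names pass through
# unchanged, so the result can be handed to libselinux whether or not
# mcstransd is running.
def category_to_label(category, table = SETRANS_SAMPLE)
  table.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")

    # As in the original, every run of whitespace is removed before the
    # split, so "s0:c0 = Customer A" is keyed as "CustomerA".
    raw, translated = line.gsub(/[[:space:]]+/, "").split("=", 2)
    return raw if translated == category
  end
  category
end
```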

#selinux_support? ⇒ Boolean

Returns:

  • (Boolean)

# File 'lib/puppet/util/selinux.rb', line 30

def selinux_support?
  Puppet::Util::SELinux.selinux_support?
end

#set_selinux_context(file, value, component = false) ⇒ Object

This updates the actual SELinux label on the file. You can update only a single component or update the entire context. The caveat is that, since setting a partial context makes no sense, the file has to already exist. Puppet (via the File resource) will always just try to set components, even if all values are specified by the manifest. I believe that the OS should always provide at least a fall-through context, though, on any well-running system.

# File 'lib/puppet/util/selinux.rb', line 118

def set_selinux_context(file, value, component = false)
  return nil unless selinux_support? && selinux_label_support?(file)

  if component
    # Must first get existing context to replace a single component.
    # lgetfilecon returns -1 on failure, so check the return value before
    # indexing into it (the original indexed first and the check never fired).
    retval = Selinux.lgetfilecon(file)
    if retval == -1
      # We can't set partial context components when no context exists
      # unless/until we can find a way to make Puppet call this method
      # once for all selinux file label attributes.
      Puppet.warning _("Can't set SELinux context on file unless the file already has some kind of context")
      return nil
    end
    # Limit the split to four fields so an MLS/MCS range that itself
    # contains ':' (e.g. "s0-s0:c0.c1023") stays a single component.
    context = retval[1].split(':', 4)
    case component
    when :seluser
      context[0] = value
    when :selrole
      context[1] = value
    when :seltype
      context[2] = value
    when :selrange
      context[3] = value
    else
      raise ArgumentError, _("set_selinux_context component must be one of :seluser, :selrole, :seltype, or :selrange")
    end
    context = context.join(':')
  else
    context = value
  end

  retval = Selinux.lsetfilecon(file, context)
  if retval == 0
    true
  else
    Puppet.warning _("Failed to set SELinux context %{context} on %{file}") % { context: context, file: file }
    false
  end
end
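The context grammar that parse_selinux_context accepts and the single-component rewrite that set_selinux_context performs, as an added example that is not Puppet’s code: it works purely on context strings, so it runs without libselinux or the Selinux bindings. The names parse_context and replace_component are the example’s own.

```ruby
# Added example (not Puppet's code): the context grammar from
# parse_selinux_context and the per-component rewrite from
# set_selinux_context, on plain strings, with no libselinux.
CONTEXT_RE = /^([^\s:]+):([^\s:]+):([^\s:]+)(?::([\sa-zA-Z0-9:,._-]+))?$/
COMPONENTS = %i[seluser selrole seltype selrange].freeze

# Split a full context into its three or four parts. Returns nil for the
# "unlabeled" pseudo-context (and for nil), raises on anything malformed.
# The fourth part may itself contain ':' (an MLS/MCS range such as
# "s0-s0:c0.c1023"), which is why a plain split(':') is not enough.
def parse_context(context)
  return nil if context.nil? || context == "unlabeled"

  m = CONTEXT_RE.match(context)
  raise ArgumentError, "Invalid context to parse: #{context}" unless m

  { seluser: m[1], selrole: m[2], seltype: m[3], selrange: m[4] }
end

# Rebuild a context with one component replaced. Fails on an unlabeled
# file: with no existing context there is nothing to take the other
# components from, which is the case set_selinux_context warns about.
def replace_component(context, component, value)
  raise ArgumentError, "unknown component #{component}" unless COMPONENTS.include?(component)

  parts = parse_context(context)
  raise ArgumentError, "file has no context; cannot set a partial one" if parts.nil?

  parts[component] = value
  # Drop a still-missing range so a three-part context stays three-part.
  COMPONENTS.map { |c| parts[c] }.compact.join(":")
end
```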

#set_selinux_default_context(file, resource_ensure = nil) ⇒ Object

Since this call relies on get_selinux_default_context it also needs a full non-relative path to the file. Fortunately, that seems to be all Puppet uses. This will set the file’s SELinux context to the policy’s default context (if any) if it differs from the context currently on the file.

# File 'lib/puppet/util/selinux.rb', line 163

def set_selinux_default_context(file, resource_ensure = nil)
  new_context = get_selinux_default_context(file, resource_ensure)
  return nil unless new_context

  cur_context = get_selinux_current_context(file)
  if new_context != cur_context
    set_selinux_context(file, new_context)
    return new_context
  end
  nil
end