diff options
author | Ross Smith <rjsm@umich.edu> | 2015-04-15 09:41:44 -0400 |
---|---|---|
committer | Ross Smith <rjsm@umich.edu> | 2015-04-16 15:48:05 -0400 |
commit | 093cca0e120950be2a09156aad34f8fc36fdb2b9 (patch) | |
tree | 88d1d6255fc7c614197f9dadd19e3c136b9f9c40 /src/lib/Bcfg2/Client/Tools/POSIX | |
parent | a0cbcdab79d8cf3bdba5c5dc19178872b6a4b542 (diff) | |
download | bcfg2-093cca0e120950be2a09156aad34f8fc36fdb2b9.tar.gz bcfg2-093cca0e120950be2a09156aad34f8fc36fdb2b9.tar.bz2 bcfg2-093cca0e120950be2a09156aad34f8fc36fdb2b9.zip |
handle filesystem secontexts properly for contextless filesystems
- adds 'secontext_ignore' under POSIX in the configuration file
- short circuits on filesystems that are known not to support file labels
- defaults to filesystems that have a genfs command in selinux reference policy
- checks for Operation not supported while setting a file label
- fixes #275
Diffstat (limited to 'src/lib/Bcfg2/Client/Tools/POSIX')
-rw-r--r-- | src/lib/Bcfg2/Client/Tools/POSIX/base.py | 42 |
1 files changed, 23 insertions, 19 deletions
diff --git a/src/lib/Bcfg2/Client/Tools/POSIX/base.py b/src/lib/Bcfg2/Client/Tools/POSIX/base.py index 3d1358ce0..1786fa83a 100644 --- a/src/lib/Bcfg2/Client/Tools/POSIX/base.py +++ b/src/lib/Bcfg2/Client/Tools/POSIX/base.py @@ -6,6 +6,7 @@ import pwd import grp import stat import copy +import errno import shutil import Bcfg2.Client.Tools import Bcfg2.Client.XML @@ -272,7 +273,7 @@ class POSIXTool(Bcfg2.Client.Tools.Tool): rv &= self._apply_acl(defacl, path, posix1e.ACL_TYPE_DEFAULT) return rv - def _set_secontext(self, entry, path=None): + def _set_secontext(self, entry, path=None): # pylint: disable=R0911 """ set the SELinux context of the file on disk according to the config""" if not HAS_SELINUX: @@ -284,25 +285,28 @@ class POSIXTool(Bcfg2.Client.Tools.Tool): if not context: # no context listed return True - - if context == '__default__': - try: + secontext = selinux.lgetfilecon(path)[1].split(":")[2] + if secontext in self.setup["posix_secontext_ignore"]: + return True + try: + if context == '__default__': selinux.restorecon(path) - rv = True - except OSError: - err = sys.exc_info()[1] - self.logger.error("POSIX: Failed to restore SELinux context " - "for %s: %s" % (path, err)) - rv = False - else: - try: - rv = selinux.lsetfilecon(path, context) == 0 - except OSError: - err = sys.exc_info()[1] - self.logger.error("POSIX: Failed to restore SELinux context " - "for %s: %s" % (path, err)) - rv = False - return rv + return True + else: + return selinux.lsetfilecon(path, context) == 0 + except OSError: + err = sys.exc_info()[1] + if err.errno == errno.EOPNOTSUPP: + # Operation not supported + if context != '__default__': + self.logger.debug("POSIX: Failed to set SELinux context " + "for %s: %s" % (path, err)) + return False + return True + err = sys.exc_info()[1] + self.logger.error("POSIX: Failed to set or restore SELinux " + "context for %s: %s" % (path, err)) + return False def _norm_gid(self, gid): """ This takes a group name or gid and returns the |