authorRoss Smith <rjsm@umich.edu>2015-04-15 09:41:44 -0400
committerRoss Smith <rjsm@umich.edu>2015-04-16 15:48:05 -0400
commit093cca0e120950be2a09156aad34f8fc36fdb2b9 (patch)
tree88d1d6255fc7c614197f9dadd19e3c136b9f9c40 /src
parenta0cbcdab79d8cf3bdba5c5dc19178872b6a4b542 (diff)
handle filesystem secontexts properly for contextless filesystems
- adds 'secontext_ignore' under POSIX in the configuration file
- short-circuits on filesystems that are known not to support file labels
- defaults to filesystems that have a genfs command in SELinux reference policy
- checks for "Operation not supported" while setting a file label
- fixes #275
Diffstat (limited to 'src')
-rw-r--r--src/lib/Bcfg2/Client/Tools/POSIX/base.py42
-rw-r--r--src/lib/Bcfg2/Options.py15
2 files changed, 37 insertions, 20 deletions
diff --git a/src/lib/Bcfg2/Client/Tools/POSIX/base.py b/src/lib/Bcfg2/Client/Tools/POSIX/base.py
index 3d1358ce0..1786fa83a 100644
--- a/src/lib/Bcfg2/Client/Tools/POSIX/base.py
+++ b/src/lib/Bcfg2/Client/Tools/POSIX/base.py
@@ -6,6 +6,7 @@ import pwd
import grp
import stat
import copy
+import errno
import shutil
import Bcfg2.Client.Tools
import Bcfg2.Client.XML
@@ -272,7 +273,7 @@ class POSIXTool(Bcfg2.Client.Tools.Tool):
rv &= self._apply_acl(defacl, path, posix1e.ACL_TYPE_DEFAULT)
return rv
- def _set_secontext(self, entry, path=None):
+ def _set_secontext(self, entry, path=None): # pylint: disable=R0911
""" set the SELinux context of the file on disk according to the
config"""
if not HAS_SELINUX:
@@ -284,25 +285,28 @@ class POSIXTool(Bcfg2.Client.Tools.Tool):
if not context:
# no context listed
return True
-
- if context == '__default__':
- try:
+ secontext = selinux.lgetfilecon(path)[1].split(":")[2]
+ if secontext in self.setup["posix_secontext_ignore"]:
+ return True
+ try:
+ if context == '__default__':
selinux.restorecon(path)
- rv = True
- except OSError:
- err = sys.exc_info()[1]
- self.logger.error("POSIX: Failed to restore SELinux context "
- "for %s: %s" % (path, err))
- rv = False
- else:
- try:
- rv = selinux.lsetfilecon(path, context) == 0
- except OSError:
- err = sys.exc_info()[1]
- self.logger.error("POSIX: Failed to restore SELinux context "
- "for %s: %s" % (path, err))
- rv = False
- return rv
+ return True
+ else:
+ return selinux.lsetfilecon(path, context) == 0
+ except OSError:
+ err = sys.exc_info()[1]
+ if err.errno == errno.EOPNOTSUPP:
+ # Operation not supported
+ if context != '__default__':
+ self.logger.debug("POSIX: Failed to set SELinux context "
+ "for %s: %s" % (path, err))
+ return False
+ return True
+ err = sys.exc_info()[1]
+ self.logger.error("POSIX: Failed to set or restore SELinux "
+ "context for %s: %s" % (path, err))
+ return False
def _norm_gid(self, gid):
""" This takes a group name or gid and returns the
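Review bot: The new `secontext = selinux.lgetfilecon(path)[1].split(":")[2]` line sits outside the `try`, so if reading the label fails (an OSError from lgetfilecon, as the other selinux calls in this block are expected to raise, or an IndexError when the returned context does not have the `user:role:type` shape the `[2]` index assumes) the exception escapes `_set_secontext` instead of the logged `False` every other failure path here returns. Wrapping that lookup in its own `try` keeps the failure mode consistent, as in the excerpt below. The second `err = sys.exc_info()[1]` in the `except OSError` branch repeats the assignment made a few lines above and can be dropped. The EOPNOTSUPP case for an explicit context returns `False` while logging only at debug level, so a run would report the entry as failed with no visible reason; `self.logger.warning(...)` seems more appropriate there. `_set_secontext`'s signature and docstring are in the preceding hunk, and the docstring should say that files whose current type is listed in `posix_secontext_ignore` are reported as correct without any labeling attempt.
```python
        try:
            secontext = selinux.lgetfilecon(path)[1].split(":")[2]
        except (OSError, IndexError):
            err = sys.exc_info()[1]
            self.logger.error("POSIX: Failed to read SELinux context "
                              "for %s: %s" % (path, err))
            return False
        if secontext in self.setup["posix_secontext_ignore"]:
            return True
        # … unchanged: restorecon / lsetfilecon attempt and EOPNOTSUPP handling …
```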
diff --git a/src/lib/Bcfg2/Options.py b/src/lib/Bcfg2/Options.py
index 5653b29e5..4565ec9a3 100644
--- a/src/lib/Bcfg2/Options.py
+++ b/src/lib/Bcfg2/Options.py
@@ -1115,6 +1115,18 @@ CLIENT_POSIX_GID_BLACKLIST = \
default=[],
cf=('POSIXUsers', 'gid_blacklist'),
cook=list_split)
+CLIENT_POSIX_SECONTEXT_IGNORE = \
+ Option("secontext types to ignore labeling errors",
+ default=['anon_inodefs_t', 'bdev_t', 'binfmt_misc_fs_t',
+ 'capifs_t', 'configfs_t', 'cpusetfs_t', 'ecryptfs_t',
+ 'eventpollfs_t', 'futexfs_t', 'hugetlbfs_t', 'ibmasmfs_t',
+ 'inotifyfs_t', 'mvfs_t', 'nfsd_fs_t', 'oprofilefs_t',
+ 'ramfs_t', 'romfs_t', 'rpc_pipefs_t', 'spufs_t',
+ 'squash_t', 'vmblock_t', 'vxfs_t', 'xenfs_t', 'autofs_t',
+ 'cifs_t', 'dosfs_t', 'fusefs_t', 'iso9660_t',
+ 'removable_t', 'nfs_t'],
+ cf=('POSIX', 'secontext_ignore'),
+ cook=list_split)
# Logging options
LOGGING_FILE_PATH = \
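Review bot: The description `"secontext types to ignore labeling errors"` on the new `CLIENT_POSIX_SECONTEXT_IGNORE` option does not match how base.py consumes it: `_set_secontext` returns `True` as soon as the file's current type is in this list, before any restorecon or lsetfilecon call, so labeling is skipped entirely rather than errors being ignored. A description such as `"file context types (typically from contextless filesystems) for which SELinux labeling is skipped"` would tell an administrator what the setting actually does. Because the test is on the file's current type, a file already carrying e.g. `nfs_t` or `fusefs_t` keeps that label even when the specification asks for a different one, and since `[POSIX] secontext_ignore` can be extended from the config file this widens what the client leaves untouched; that consequence belongs in the option's documentation.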
@@ -1281,7 +1293,8 @@ DRIVER_OPTIONS = \
posix_uid_whitelist=CLIENT_POSIX_UID_WHITELIST,
posix_gid_whitelist=CLIENT_POSIX_GID_WHITELIST,
posix_uid_blacklist=CLIENT_POSIX_UID_BLACKLIST,
- posix_gid_blacklist=CLIENT_POSIX_GID_BLACKLIST)
+ posix_gid_blacklist=CLIENT_POSIX_GID_BLACKLIST,
+ posix_secontext_ignore=CLIENT_POSIX_SECONTEXT_IGNORE)
CLIENT_COMMON_OPTIONS = \
dict(extra=CLIENT_EXTRA_DISPLAY,