mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2025-10-24 21:14:00 -07:00 
			
		
		
		
	* fixed validation-modules for aix_devices.py * fixed validation-modules for aix_filesystem.py * fixed validation-modules for aix_inittab.py * fixed validation-modules for aix_lvg.py * fixed validation-modules for aix_lvol.py * fixed validation-modules for awall.py * fixed validation-modules for dconf.py * fixed validation-modules for gconftool2.py * fixed validation-modules for interfaces_file.py * fixed validation-modules for java_keystore.py * fixed validation-modules for kernel_blacklist.py * fixed validation-modules for plugins/modules/system/lbu.py * fixed validation-modules for plugins/modules/system/locale_gen.py * fixed validation-modules for plugins/modules/system/lvg.py * fixed validation-modules for plugins/modules/system/lvol.py * fixed validation-modules for plugins/modules/system/mksysb.py * fixed validation-modules for plugins/modules/system/modprobe.py * fixed validation-modules for plugins/modules/system/nosh.py * fixed validation-modules for plugins/modules/system/open_iscsi.py * fixed validation-modules for plugins/modules/system/openwrt_init.py * fixed validation-modules for plugins/modules/system/osx_defaults.py * fixed validation-modules for plugins/modules/system/pamd.py * fixed validation-modules for plugins/modules/system/pam_limits.py * fixed validation-modules for plugins/modules/system/parted.py * fixed validation-modules for plugins/modules/system/puppet.py * fixed validation-modules for plugins/modules/system/python_requirements_info.py * fixed validation-modules for plugins/modules/system/runit.py the parameter "dist" is not used anywhere in the module * fixed validation-modules for plugins/modules/system/sefcontext.py * fixed validation-modules for plugins/modules/system/selogin.py * fixed validation-modules for plugins/modules/system/seport.py * fixed validation-modules for plugins/modules/system/solaris_zone.py * fixed validation-modules for plugins/modules/system/syspatch.py * fixed validation-modules for plugins/modules/system/vdo.py * fixed validation-modules for plugins/modules/system/xfconf.py * removed ignore almost all validate-modules lines in system * removed unnecessary validations, per shippable test * kernel_blacklist: keeping blacklist_file as str instead of path * mksysb: keeping storage_path as str instead of path * pam_limits: keeping dest as str instead of path * rollback on adding doc for puppet.py legacy param * rolledback param seuser required in selogin module * rolledback changes in runit * rolledback changes in osx_defaults * rolledback changes in aix_defaults
		
			
				
	
	
		
			292 lines
		
	
	
	
		
			9.4 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			292 lines
		
	
	
	
		
			9.4 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| #!/usr/bin/python
 | |
| # -*- coding: utf-8 -*-
 | |
| 
 | |
| # Copyright: (c) 2016, Dag Wieers (@dagwieers) <dag@wieers.com>
 | |
| # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 | |
| 
 | |
| from __future__ import absolute_import, division, print_function
 | |
| __metaclass__ = type
 | |
| 
 | |
| DOCUMENTATION = r'''
 | |
| ---
 | |
| module: sefcontext
 | |
| short_description: Manages SELinux file context mapping definitions
 | |
| description:
 | |
| - Manages SELinux file context mapping definitions.
 | |
| - Similar to the C(semanage fcontext) command.
 | |
| options:
 | |
|   target:
 | |
|     description:
 | |
|     - Target path (expression).
 | |
|     type: str
 | |
|     required: yes
 | |
|     aliases: [ path ]
 | |
|   ftype:
 | |
|     description:
 | |
|     - The file type that should have SELinux contexts applied.
 | |
|     - "The following file type options are available:"
 | |
|     - C(a) for all files,
 | |
|     - C(b) for block devices,
 | |
|     - C(c) for character devices,
 | |
|     - C(d) for directories,
 | |
|     - C(f) for regular files,
 | |
|     - C(l) for symbolic links,
 | |
|     - C(p) for named pipes,
 | |
|     - C(s) for socket files.
 | |
|     type: str
 | |
|     choices: [ a, b, c, d, f, l, p, s ]
 | |
|     default: a
 | |
|   setype:
 | |
|     description:
 | |
|     - SELinux type for the specified target.
 | |
|     type: str
 | |
|     required: yes
 | |
|   seuser:
 | |
|     description:
 | |
|     - SELinux user for the specified target.
 | |
|     type: str
 | |
|   selevel:
 | |
|     description:
 | |
|     - SELinux range for the specified target.
 | |
|     type: str
 | |
|     aliases: [ serange ]
 | |
|   state:
 | |
|     description:
 | |
|     - Whether the SELinux file context must be C(absent) or C(present).
 | |
|     type: str
 | |
|     choices: [ absent, present ]
 | |
|     default: present
 | |
|   reload:
 | |
|     description:
 | |
|     - Reload SELinux policy after commit.
 | |
|     - Note that this does not apply SELinux file contexts to existing files.
 | |
|     type: bool
 | |
|     default: yes
 | |
|   ignore_selinux_state:
 | |
|     description:
 | |
|     - Useful for scenarios (chrooted environment) that you can't get the real SELinux state.
 | |
|     type: bool
 | |
|     default: no
 | |
| notes:
 | |
| - The changes are persistent across reboots.
 | |
| - The M(community.general.sefcontext) module does not modify existing files to the new
 | |
|   SELinux context(s), so it is advisable to first create the SELinux
 | |
|   file contexts before creating files, or run C(restorecon) manually
 | |
|   for the existing files that require the new SELinux file contexts.
 | |
| - Not applying SELinux fcontexts to existing files is a deliberate
 | |
|   decision as it would be unclear what reported changes would entail
 | |
|   to, and there's no guarantee that applying SELinux fcontext does
 | |
|   not pick up other unrelated prior changes.
 | |
| requirements:
 | |
| - libselinux-python
 | |
| - policycoreutils-python
 | |
| author:
 | |
| - Dag Wieers (@dagwieers)
 | |
| '''
 | |
| 
 | |
| EXAMPLES = r'''
 | |
| - name: Allow apache to modify files in /srv/git_repos
 | |
|   community.general.sefcontext:
 | |
|     target: '/srv/git_repos(/.*)?'
 | |
|     setype: httpd_git_rw_content_t
 | |
|     state: present
 | |
| 
 | |
| - name: Apply new SELinux file context to filesystem
 | |
|   ansible.builtin.command: restorecon -irv /srv/git_repos
 | |
| '''
 | |
| 
 | |
| RETURN = r'''
 | |
| # Default return values
 | |
| '''
 | |
| 
 | |
| import traceback
 | |
| 
 | |
| from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 | |
| from ansible.module_utils._text import to_native
 | |
| 
 | |
| SELINUX_IMP_ERR = None
 | |
| try:
 | |
|     import selinux
 | |
|     HAVE_SELINUX = True
 | |
| except ImportError:
 | |
|     SELINUX_IMP_ERR = traceback.format_exc()
 | |
|     HAVE_SELINUX = False
 | |
| 
 | |
| SEOBJECT_IMP_ERR = None
 | |
| try:
 | |
|     import seobject
 | |
|     HAVE_SEOBJECT = True
 | |
| except ImportError:
 | |
|     SEOBJECT_IMP_ERR = traceback.format_exc()
 | |
|     HAVE_SEOBJECT = False
 | |
| 
 | |
| # Add missing entries (backward compatible)
 | |
| if HAVE_SEOBJECT:
 | |
|     seobject.file_types.update(
 | |
|         a=seobject.SEMANAGE_FCONTEXT_ALL,
 | |
|         b=seobject.SEMANAGE_FCONTEXT_BLOCK,
 | |
|         c=seobject.SEMANAGE_FCONTEXT_CHAR,
 | |
|         d=seobject.SEMANAGE_FCONTEXT_DIR,
 | |
|         f=seobject.SEMANAGE_FCONTEXT_REG,
 | |
|         l=seobject.SEMANAGE_FCONTEXT_LINK,
 | |
|         p=seobject.SEMANAGE_FCONTEXT_PIPE,
 | |
|         s=seobject.SEMANAGE_FCONTEXT_SOCK,
 | |
|     )
 | |
| 
 | |
| # Make backward compatible
 | |
| option_to_file_type_str = dict(
 | |
|     a='all files',
 | |
|     b='block device',
 | |
|     c='character device',
 | |
|     d='directory',
 | |
|     f='regular file',
 | |
|     l='symbolic link',
 | |
|     p='named pipe',
 | |
|     s='socket',
 | |
| )
 | |
| 
 | |
| 
 | |
| def get_runtime_status(ignore_selinux_state=False):
 | |
|     return True if ignore_selinux_state is True else selinux.is_selinux_enabled()
 | |
| 
 | |
| 
 | |
| def semanage_fcontext_exists(sefcontext, target, ftype):
 | |
|     ''' Get the SELinux file context mapping definition from policy. Return None if it does not exist. '''
 | |
| 
 | |
|     # Beware that records comprise of a string representation of the file_type
 | |
|     record = (target, option_to_file_type_str[ftype])
 | |
|     records = sefcontext.get_all()
 | |
|     try:
 | |
|         return records[record]
 | |
|     except KeyError:
 | |
|         return None
 | |
| 
 | |
| 
 | |
| def semanage_fcontext_modify(module, result, target, ftype, setype, do_reload, serange, seuser, sestore=''):
 | |
|     ''' Add or modify SELinux file context mapping definition to the policy. '''
 | |
| 
 | |
|     changed = False
 | |
|     prepared_diff = ''
 | |
| 
 | |
|     try:
 | |
|         sefcontext = seobject.fcontextRecords(sestore)
 | |
|         sefcontext.set_reload(do_reload)
 | |
|         exists = semanage_fcontext_exists(sefcontext, target, ftype)
 | |
|         if exists:
 | |
|             # Modify existing entry
 | |
|             orig_seuser, orig_serole, orig_setype, orig_serange = exists
 | |
| 
 | |
|             if seuser is None:
 | |
|                 seuser = orig_seuser
 | |
|             if serange is None:
 | |
|                 serange = orig_serange
 | |
| 
 | |
|             if setype != orig_setype or seuser != orig_seuser or serange != orig_serange:
 | |
|                 if not module.check_mode:
 | |
|                     sefcontext.modify(target, setype, ftype, serange, seuser)
 | |
|                 changed = True
 | |
| 
 | |
|                 if module._diff:
 | |
|                     prepared_diff += '# Change to semanage file context mappings\n'
 | |
|                     prepared_diff += '-%s      %s      %s:%s:%s:%s\n' % (target, ftype, orig_seuser, orig_serole, orig_setype, orig_serange)
 | |
|                     prepared_diff += '+%s      %s      %s:%s:%s:%s\n' % (target, ftype, seuser, orig_serole, setype, serange)
 | |
|         else:
 | |
|             # Add missing entry
 | |
|             if seuser is None:
 | |
|                 seuser = 'system_u'
 | |
|             if serange is None:
 | |
|                 serange = 's0'
 | |
| 
 | |
|             if not module.check_mode:
 | |
|                 sefcontext.add(target, setype, ftype, serange, seuser)
 | |
|             changed = True
 | |
| 
 | |
|             if module._diff:
 | |
|                 prepared_diff += '# Addition to semanage file context mappings\n'
 | |
|                 prepared_diff += '+%s      %s      %s:%s:%s:%s\n' % (target, ftype, seuser, 'object_r', setype, serange)
 | |
| 
 | |
|     except Exception as e:
 | |
|         module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))
 | |
| 
 | |
|     if module._diff and prepared_diff:
 | |
|         result['diff'] = dict(prepared=prepared_diff)
 | |
| 
 | |
|     module.exit_json(changed=changed, seuser=seuser, serange=serange, **result)
 | |
| 
 | |
| 
 | |
| def semanage_fcontext_delete(module, result, target, ftype, do_reload, sestore=''):
 | |
|     ''' Delete SELinux file context mapping definition from the policy. '''
 | |
| 
 | |
|     changed = False
 | |
|     prepared_diff = ''
 | |
| 
 | |
|     try:
 | |
|         sefcontext = seobject.fcontextRecords(sestore)
 | |
|         sefcontext.set_reload(do_reload)
 | |
|         exists = semanage_fcontext_exists(sefcontext, target, ftype)
 | |
|         if exists:
 | |
|             # Remove existing entry
 | |
|             orig_seuser, orig_serole, orig_setype, orig_serange = exists
 | |
| 
 | |
|             if not module.check_mode:
 | |
|                 sefcontext.delete(target, ftype)
 | |
|             changed = True
 | |
| 
 | |
|             if module._diff:
 | |
|                 prepared_diff += '# Deletion to semanage file context mappings\n'
 | |
|                 prepared_diff += '-%s      %s      %s:%s:%s:%s\n' % (target, ftype, exists[0], exists[1], exists[2], exists[3])
 | |
| 
 | |
|     except Exception as e:
 | |
|         module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, to_native(e)))
 | |
| 
 | |
|     if module._diff and prepared_diff:
 | |
|         result['diff'] = dict(prepared=prepared_diff)
 | |
| 
 | |
|     module.exit_json(changed=changed, **result)
 | |
| 
 | |
| 
 | |
| def main():
 | |
|     module = AnsibleModule(
 | |
|         argument_spec=dict(
 | |
|             ignore_selinux_state=dict(type='bool', default=False),
 | |
|             target=dict(type='str', required=True, aliases=['path']),
 | |
|             ftype=dict(type='str', default='a', choices=list(option_to_file_type_str.keys())),
 | |
|             setype=dict(type='str', required=True),
 | |
|             seuser=dict(type='str'),
 | |
|             selevel=dict(type='str', aliases=['serange']),
 | |
|             state=dict(type='str', default='present', choices=['absent', 'present']),
 | |
|             reload=dict(type='bool', default=True),
 | |
|         ),
 | |
|         supports_check_mode=True,
 | |
|     )
 | |
|     if not HAVE_SELINUX:
 | |
|         module.fail_json(msg=missing_required_lib("libselinux-python"), exception=SELINUX_IMP_ERR)
 | |
| 
 | |
|     if not HAVE_SEOBJECT:
 | |
|         module.fail_json(msg=missing_required_lib("policycoreutils-python"), exception=SEOBJECT_IMP_ERR)
 | |
| 
 | |
|     ignore_selinux_state = module.params['ignore_selinux_state']
 | |
| 
 | |
|     if not get_runtime_status(ignore_selinux_state):
 | |
|         module.fail_json(msg="SELinux is disabled on this host.")
 | |
| 
 | |
|     target = module.params['target']
 | |
|     ftype = module.params['ftype']
 | |
|     setype = module.params['setype']
 | |
|     seuser = module.params['seuser']
 | |
|     serange = module.params['selevel']
 | |
|     state = module.params['state']
 | |
|     do_reload = module.params['reload']
 | |
| 
 | |
|     result = dict(target=target, ftype=ftype, setype=setype, state=state)
 | |
| 
 | |
|     if state == 'present':
 | |
|         semanage_fcontext_modify(module, result, target, ftype, setype, do_reload, serange, seuser)
 | |
|     elif state == 'absent':
 | |
|         semanage_fcontext_delete(module, result, target, ftype, do_reload)
 | |
|     else:
 | |
|         module.fail_json(msg='Invalid value of argument "state": {0}'.format(state))
 | |
| 
 | |
| 
 | |
| if __name__ == '__main__':
 | |
|     main()
 |